1. Difference Between Personal Data and Sensitive Personal Data.
Personal Data: Any information related to a natural person that can directly or indirectly identify them. Examples include:
- Name
- Home Address
- Phone Number
- Email Address
Sensitive Personal Data: Any data that can directly or indirectly identify a person whose disclosure or misuse could cause harm to the data subject. This includes:
- Ethnic or racial origin
- Political opinions and affiliations
- Religious beliefs
- Financial information
- Health, physical, mental, or genetic data
- Biometric data
- Criminal record
- Any other data determined by the Council
________________________________________
2. When Did the Law Come into Effect?
The Personal Data Protection Law No. (24) of 2023 came into effect on March 17, 2024, and applies to data controllers processing personal data, even if the data was collected and processed before the law’s enforcement.
A 12-month compliance period is granted for adherence to the law and related regulations. However, this grace period does not apply to data collected after the law’s enactment or to newly established companies, which must comply immediately.
________________________________________
3. Geographical Scope of the Law.
The law applies to the processing of personal data of citizens and residents within the territory of Jordan.
________________________________________
4. Material Scope of the Law.
The law applies to the processing of personal data of natural persons and does not cover legal entities such as companies and institutions.
________________________________________
5. Requests That a Data Subject Can Submit to the Controller
- Request access to their data and obtain a copy.
- Request correction, modification, or updating of their data.
- Object to processing.
- File a complaint.
- Withdraw prior consent.
________________________________________
6. Who is a Data Protection Officer (DPO), and What Are Their Qualifications?
A Data Protection Officer (DPO) is a natural person appointed by the data controller in specific cases outlined in Article 11 of the law. The DPO serves as a liaison between the controller and the Personal Data Protection Directorate.
A detailed guidance document will be issued soon to clarify the qualifications and responsibilities of the DPO.
The DPO can be:
- An internal staff member of the same organization (controller).
- An external individual appointed as an independent DPO.
________________________________________
7. What Actions Can the Directorate Take Against Law Violators?
- The Directorate issues a warning to the violator, requiring them to cease the violation and rectify its consequences within a specified period.
- The Directorate may publicly disclose violations at the violator’s expense through appropriate means.
________________________________________
8. Steps to Help Entities Comply with the Law
- Appoint a Data Protection Officer (DPO).
- Register in the Personal Data Processing Register.
- Obtain prior consent from data subjects before processing their data.
- Implement security, technical, and organizational measures to protect data.
- Enable data subjects to exercise their rights.
- Notify authorities in case of a data breach.
- Establish mechanisms for handling data-related complaints.
- Ensure that contracts with third parties comply with legal obligations.
- Follow regulations for data transfers within and outside the Kingdom.
- Correct inaccurate or incomplete data.
________________________________________
9. What Happens to Personal Data After Its Purpose Is Fulfilled?
Personal data must not be retained after its intended purpose is fulfilled unless otherwise required by law.
________________________________________
10. What Is the Concept of Data Minimization?
Data minimization is a globally recognized data protection principle, ensuring that only the minimum necessary personal data is collected and processed to achieve the intended purpose.
________________________________________
11. Is the Right to Object to Processing Absolute or Restricted?
The right to object is restricted to certain cases, as stated in Article 4(b)(6) of the law. A data subject may object to processing or profiling if:
- It is not necessary for the purpose for which the data was collected.
- It exceeds the requirements of the processing purpose.
- It is discriminatory, unfair, or unlawful.
________________________________________
12. Are Entities Exempt from Prior Consent Also Exempt from the Law?
No. Entities exempt from prior consent and data subject notification are still subject to the law. They must comply with all of its other provisions, which include:
- Appointing a Data Protection Officer.
- Registering in the Personal Data Processing Register.
- Implementing security and organizational measures.
- Notifying authorities in case of data breaches.
________________________________________
13. Can Data Be Transferred Outside Jordan?
Yes, data can be transferred and stored outside Jordan under conditions specified in Articles 14 and 15 of the law. This requires the recipient country, organization, or entity to provide an adequate level of data protection.
The Personal Data Protection Council will issue a list of approved countries, organizations, and entities with sufficient data protection standards.
________________________________________
