Is Your Organization Ready for Jordan’s Personal Data Protection Law? Time to Act Now.

The global privacy landscape is shifting rapidly, and Jordan has made a bold move to protect its citizens’ personal data. With the introduction of Jordan’s Personal Data Protection Law No. 24 of 2023 (PDPL), businesses operating in or interacting with the Jordanian market must now re-evaluate their data handling practices. The clock is ticking, and the time to act is now.

What is Jordan’s PDPL?

Passed in September 2023, Jordan's PDPL is the country’s first comprehensive data protection law. It establishes a legal framework for the collection, processing, storage, and transfer of personal data. Much like the EU’s GDPR, it aims to strike a balance between individuals’ privacy rights and the digital economy’s data-driven growth.

Key highlights of the PDPL include:

1) Consent-first approach: Data subjects must give explicit, informed consent before their personal data is processed.

2) Rights of data subjects: Includes the right to access, correct, erase, and object to the processing of their data.

3) Data controller obligations: Controllers must implement technical and organizational safeguards, conduct impact assessments, and report breaches.

4) Cross-border data transfer restrictions: Personal data can only be transferred to countries that provide adequate protection, unless exemptions apply.

5) Creation of a Data Protection Board: A supervisory authority to monitor compliance and issue fines.

Who Does the Law Apply To?

The PDPL applies to:

  • All organizations established in Jordan that process personal data.
  • Foreign entities that process the data of Jordanian residents, regardless of their physical location.

This extraterritorial scope means international businesses serving Jordanian users or collecting data from them online must comply, much like with the GDPR.

Why Should You Take This Seriously?

Non-compliance with the PDPL could result in significant administrative penalties, reputational damage, and operational disruption. Jordan’s government is taking a firm stance on enforcement, and the Data Protection Board will have the authority to investigate complaints and enforce compliance.

Moreover, privacy is now a business differentiator. Customers are increasingly choosing brands that respect their data. A proactive approach not only keeps you compliant but also earns user trust.

Steps to Take Now

If your organization handles personal data from Jordanian citizens or operates in Jordan, here’s what you should prioritize:

1. Audit Your Data Processing Activities

- Map out what personal data you collect, where it is stored, how it's used, and whether it’s shared or transferred.

2. Review Consent Mechanisms

- Ensure that consent requests are clear, granular, and documented. Silence or pre-ticked boxes are no longer acceptable.

3. Update Privacy Policies

- Revise privacy notices to meet PDPL requirements: clear explanation of rights, purposes of processing, and contact details of the data controller.

4. Implement Security Controls

- Adopt appropriate technical and organizational measures to protect data, such as encryption, access controls, and incident response plans.

5. Establish Breach Response Procedures

- Create internal mechanisms to detect, investigate, and report data breaches within the required timeframes.

6. Train Your Team

- Educate employees, especially those handling personal data, on the principles of data protection and the requirements of Jordan’s PDPL.

7. Prepare for Data Subject Requests

- Set up procedures to respond to access, correction, and deletion requests from individuals within the legally mandated timelines.

8. Appoint a Data Protection Officer

- Depending on the scale and nature of your data processing, the controller shall appoint a Data Protection Officer under the PDPL.

How Ardent Privacy’s TurtleShield Helps You Comply with Jordan’s PDPL

Complying with Jordan’s new Personal Data Protection Law No. 24 of 2023 (PDPL) can seem daunting, but with the right tools in place, it doesn’t have to be. Ardent Privacy’s TurtleShield platform is designed to simplify and automate the core compliance requirements of modern data protection laws, including Jordan’s PDPL.

Here’s how TurtleShield aligns with key PDPL obligations:


1. Data Discovery & Mapping

Privacy Challenges: Organizations must understand what personal data they hold, where it’s stored, and how it flows through their systems.

How TurtleShield Helps: TurtleShield’s intelligent data discovery engine automatically scans structured and unstructured sources (cloud, on-premises, emails, and databases) to identify and classify personal data. It builds a dynamic data inventory, giving you complete visibility into personal data processing activities.

2. Consent & Purpose Validation

Privacy Challenges: Data must be processed only after obtaining informed, explicit consent and only for lawful, specified purposes.

How TurtleShield Helps: TurtleShield tracks data lineage and tags each data point with consent status and lawful basis for processing. It ensures that only consent-backed data is used and flags any mismatches between purpose and use, helping organizations stay purpose-limited and consent-compliant.

3. Data Minimization & Access Control

Privacy Challenges: Only necessary data should be collected, and access must be restricted to authorized personnel.

How TurtleShield Helps: TurtleShield DM (Data Minimization) helps you reduce the data you hold and focus on enterprise-centric data. It can provide detailed insights for removing non-essential data, reducing the cost of security and storage and building the confidence of business owners and data custodians.

4. Privacy Notices & Subject Rights Automation

Privacy Challenges: Individuals must be informed about their rights and organizations must fulfill data subject requests like access, correction, and deletion.

How TurtleShield Helps: The TurtleShield DSAR solution is designed to streamline the complex process of managing Data Subject Access Requests (DSARs) while ensuring compliance with Jordan's privacy regulation. With features and innovative tools, it helps organizations address privacy challenges effectively and efficiently.

5. Cross-Border Data Transfer Controls

Privacy Challenges: Transfers of personal data outside Jordan must be restricted to countries offering adequate protection or follow specific safeguards.

How TurtleShield Helps: TurtleShield identifies cross-border data flows and validates whether transfers meet PDPL adequacy or exemption criteria. It offers customizable templates for Standard Contractual Clauses (SCCs) and Data Transfer Impact Assessments (DTIAs) to ensure lawful international transfers.

Final Thoughts

Jordan’s Personal Data Protection Law No. 24 of 2023 is a landmark step in the region’s digital transformation. Whether you're a local business, a multinational company, or a startup engaging with Jordanian users, compliance is urgent and necessary. Early adopters who align with the law will not only avoid penalties but also position themselves as privacy-conscious leaders in the market. The time to act is now.