Jordan's Personal Data Protection Law (PDPL)
The Trust Challenge

Key obligations and consequences

Applicability: Article 3 states

  • The provisions of this law apply to Data, regardless of when it was collected or processed, including Data collected or processed before the enactment of this law.
  • The provisions of this law do not apply to natural persons who process their own Personal Data for their own personal purposes.

Data Controller Duties: As per Article 8, the Controller shall adhere to the following obligations:

  • Taking necessary measures to protect the Data under its custody and any Data received from any other person.
  • Implementing security, technical, and organisational measures that ensure the protection of Data against any breaches, unauthorised disclosure, alteration, addition, destruction, or Processing, as directed by the Council in instructions issued for this purpose.
  • Establishing mechanisms and procedures for processing complaints related to Data, responding to them in accordance with the provisions of this law, regulations, and instructions issued accordingly, and publishing them on its official website and available media.
  • Providing means to enable the Data Subject to exercise their rights in accordance with the provisions of this law.
  • Correcting incomplete or inaccurate Data if it is found to be incorrect or inaccurate before commencing the Processing, except for Data collected for preventing or detecting crimes.
  • Enabling the Data Subject to object to the Processing, withdraw Consent, and access and update their Data, and providing suitable means for enabling them to do so securely.

Data Processor Duties: As per Article 12, the Processor shall comply with the following:

  • Conduct and carry out the Processing in accordance with the requirements and conditions stipulated in this law, as well as the regulations and instructions issued pursuant to it.
  • Not exceed the specified purpose and duration of the Processing.
  • Erase the Data upon the expiration of the Processing period, or transfer it back to the Controller.

The Trust Challenge

Key Challenges in brief

Consent Management: Valid consent from the user to proceed with data processing must meet the following conditions:

1) It must be explicit and be documented, either in writing or electronically;

2) It must be specific to a purpose and duration;

3) The request for consent must be clear, simple, in unambiguous language and easily accessible; and

4) If the data subject lacks legal capacity, consent must be obtained from a parent or legal guardian. If necessary, a judge may grant approval upon the Unit’s request, considering the best interests of the individual.

Similarly, consent will not be considered valid in the following cases:

1) If it was obtained by providing data subjects with incorrect information or via misleading practices that influenced the data subjects' decision;

2) If the processing's nature, type, and purposes have changed and consent was not obtained for such changes.

Lawful Basis: The Processing is lawful and permissible without obtaining Consent or informing the Data Subject in the following cases:

1) Processing carried out directly by a competent public entity to the extent necessary for the performance of its legally assigned tasks according to the enacted legislation or through other entities contracted with the public entity, provided that the contract includes compliance with all obligations and conditions stipulated in this law, regulations, and instructions issued pursuant to the Law.

2) If it is necessary for preventive medical purposes, medical Profiling, or the provision of healthcare by a licensed practitioner of any medical profession.

3) If it is necessary for protecting the life or vital interests of the Data Subject.

4) If it is necessary to prevent a crime or to disclose it by a competent authority or to prosecute crimes committed in violation of the law.

5) If it is required or permitted by any legislation or executed by a decision of the competent court.

6) If it is necessary for entities under the supervision and oversight of the Jordanian Central Bank to conduct their functions as determined by the Jordanian Central Bank, including the transfer and exchange of Data within and outside the Kingdom of Jordan.

7) If it is in accordance with the regulations pursuant to this law.

8) If it is necessary for scientific or historical research purposes, provided that it does not involve making any decision or action concerning a specific individual.

9) If it is necessary for statistical purposes, national security requirements, or for the public interest.

10) If the data being processed is made publicly available by the Data Subject.

Any processing activity must fulfil the following requirements to be considered lawful:

1) The purpose of the processing must be lawful, specific, and transparent;

2) It must align with the purpose for which the data was collected;

3) It must be conducted via legal means;

4) It must be based on accurate, truthful, and updated data;

5) It must not lead to direct identification of the data subject after fulfilling its purpose;

6) It must not cause harm to the data subject or directly or indirectly affect their rights;

7) It must be carried out to ensure the confidentiality and integrity of the data collected and prevent any unauthorized alterations.

Data Breach Requirements: In the event of a serious data security breach that could cause harm to data subjects, the controller must take the following actions:

1) Notify all affected data subjects within 24 hours of discovering the breach, providing details on the incident and the measures they can take to mitigate any negative consequences.

2) Notify the Unit within 72 hours of discovering the breach, including information on the source of the breach, affected data subjects, the mechanisms involved, and any other relevant details.

In case of gross negligence or misconduct, the responsible Controller shall be liable to compensate the affected Data Subject.

Appoint a Data Protection Officer (DPO): The data controller must appoint a Data Protection Officer in the following cases:

1) If the primary activity of the controller involves personal data processing;

2) When processing sensitive personal data;

3) When processing data of individuals who lack the legal capacity to consent;

4) When processing financial information;

5) When transferring collected data outside Jordan;

In any case determined by the Council as requiring the appointment of a Data Protection Officer.

Cross-Border Data Transfer: Personal data must not be transferred to any third party outside Jordan, including a recipient, if the level of protection they provide is lower than that required by the PDPL, except in the following circumstances:

1) It is necessary for regional or international judicial cooperation under international agreements or treaties to which Jordan is a party.

2) It is necessary for cooperation between international or regional agencies engaged in combating crimes or prosecuting criminals.

3) It is necessary for the exchange of medical data concerning a data subject when required for their treatment.

4) It is necessary for the exchange of data related to epidemics, health crises, or other matters affecting public health in Jordan.

5) The data subject has explicitly consented to the transfer after being informed that the destination does not provide an adequate level of protection.

6) It is necessary for the transfer of funds outside Jordan.

Data Subject Rights: The PDPL provides all data subjects with the following rights:

1) Right to Access: Data subjects have the right to access and obtain a copy of all personal data collected about them by a controller.

2) Right to Withdraw Consent: Data subjects have the right to withdraw previously provided consent for data processing at any time.

3) Right to Correction: All data subjects have the right to request that any data collected on them be corrected, amended, edited, or updated owing to the data becoming obsolete or out of date since it was collected.

4) Right to Erasure: All data subjects have the right to request that a controller erase and delete all data collected on them.

5) Right to Limit Processing: All data subjects have the right to request that any data processing they consent to be strictly limited to a specific scope.

6) Right to Object: All data subjects have the right to object to both processing and profiling if they are unnecessary for the purpose for which data was collected or if they are excessive to these purposes while also being discriminatory, prejudiced, and in violation of other provisions of Jordanian law.

7) Right to Data Portability: All data subjects have the right to request that their data be transferred from the possession of one data controller to another.

8) Right to Be Notified: All data subjects have the right to be notified of any data breaches or violations that may compromise their data's security and integrity.

Data subjects must be free from any financial or contractual consequences of exercising any of the aforementioned rights.

Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire "data footprint", enabling them to protect what matters the most.

Third-party Privacy Intelligence (monitors third-party sharing): Often there are silos between entities or between business and IT teams, and it is challenging to get a full picture of the data leaving the organization and the data coming into it, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your data sharing, so that you can act on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using machine learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost by removing unwanted data, along with the legal cost of holding it with respect to regulatory compliance.

Right to Erasure with Assured Deletion: TurtleShield (Right to Erasure) provides businesses with the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enable data subject rights with cost savings and compliance in totality: Search capability across large datasets fulfils data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.

Consent Management: TurtleShield CM (Consent Management) is designed to enable consent compliance within your organization, which involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. It also supports consent management in 22 regional languages.

Data Breach Management: TurtleShield DBM (Data Breach Management) helps organizations efficiently verify, assess, contain, manage and respond to data breaches, including notifying affected individuals and regulatory bodies as per the legal requirements. TurtleShield DBM streamlines the data breach management process, handles stakeholder management, and accelerates breach response, enabling organizations to notify regulators and stakeholders within the required timeframe.
