Jordan PDPL

Law No. 24 of 2023 Regarding Personal Data Protection

Key Facts

Effective Date: March 17, 2024
Enacted: September 17, 2023
Enforcing Authority: Personal Data Protection Directorate, Ministry of Digital Economy and Entrepreneurship
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Jordan

Overview

Jordan's PDPL is the country's first comprehensive data protection law, published in September 2023 and effective from March 2024. It features a dual governance structure where the Personal Data Protection Council sets policy while the Directorate handles enforcement. The 24-hour breach notification requirement for data subjects is among the shortest globally. The grace period ended in March 2025.

What This Means for Your Website

  • Clear, written consent with a specified period and purpose is required for data processing
  • Consent must be in clear, plain language that is easily accessible
  • If a breach occurs, data subjects must be notified within 24 hours and the Directorate within 72 hours
  • Penalties are doubled for repeat offences
  • The Directorate can order data destruction or database cancellation as enforcement measures
  • Cross-border transfers are subject to adequacy requirements

Key Requirements

The Directorate enforces the law with penalties of JOD 1,000-10,000 per violation, doubled for repeat offences. Daily fines up to JOD 500 apply for non-compliance with notices, capped at 5% of revenue. The 24-hour breach notification to data subjects is among the most stringent globally. Consent must be written, with a specified period and purpose, using clear and plain language. The DPA is not yet fully established as of 2025.

How ConsentStack Handles This

ConsentStack applies opt-in consent collection for Jordanian visitors with clear, accessible consent language, supporting compliance with the PDPL's written consent and notification requirements.

Penalties

Daily fines up to JOD 500 (capped at 5% of revenue) for non-compliance with notices. JOD 1,000-10,000 per violation (doubled for repeat offences). Data destruction/database cancellation possible.

Maximum Fine: JOD 10,000 per violation
Revenue-based: 5% of annual revenue

Key Requirements

  • Clear, written consent with specified period and purpose required
  • Consent must be intelligible, easily accessible, in clear and plain language
  • 24-hour breach notification to data subjects (among shortest globally)
  • 72-hour breach notification to the Directorate
  • Data subjects have rights of access, correction, and deletion
  • Cross-border transfers subject to adequacy requirements

Notable Provisions

  • 24-hour breach notification to data subjects (among shortest globally)
  • DPA not fully established as of 2025; Council designation pending
  • Written consent with specified period and purpose required
  • Doubled penalties for repeat offences
  • Data destruction possible as enforcement measure

Other Middle East & North Africa Regulations

KSA PDPL: Kingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPL: United Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPL: Egypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13: State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Algeria Law 18-07: Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Bahrain PDPL: Kingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Frequently Asked Questions

How quickly must data subjects be notified of a breach in Jordan?

Within 24 hours — among the shortest breach notification windows globally. The Directorate must also be notified within 72 hours.

What are the penalties under Jordan's PDPL?

JOD 1,000-10,000 per violation, doubled for repeat offences. Daily fines up to JOD 500 for non-compliance with notices, capped at 5% of revenue.

Is the DPA fully operational?

Not yet as of 2025. The Personal Data Protection Council designation is still pending, though the Directorate handles day-to-day enforcement.
