The primary forms of corporate/business organisations in the Hashemite Kingdom of Jordan as set forth in the Companies Law No 22 of 1997 (CL) are:
Venture Capital Companies were previously listed in the CL as one of the company types, but they were recently removed.
General Partnership Companies
GPCs are companies registered by no fewer than two persons and no more than 20 persons. The most prominent feature of GPCs is that the partners are jointly and severally liable for the obligations and debts of the company. As a result, the provisions pertaining to GPCs in the CL are conservative, empowering courts to make certain decisions upon the request of partners, and regulating the liability of the partners between each other and before third parties.
Limited Partnership Companies
LPCs consist of two types of partners. The first category are general partners, who manage the company and its operations and are thus personally liable for the debts and obligations of the company. The second category are silent or limited partners, who solely contribute to the share capital of the company without having the right to manage the company and/or its operations. Naturally, the liability of the silent partners is limited to their shares, and they are not personally liable for the company’s debts or obligations. However, if a silent partner begins managing the company and/or its operations, they shall be deemed personally liable for the obligations and debts incurred by the company during the time they participated in the company’s management.
Generally speaking, the CL has drawn a clear distinction between both categories of partners, granting general partners more rights, such as the exclusive right to have the company named after them and the right not to have any amendment in the LPC's articles of association without their approval, among others.
Limited Liability Companies
LLCs consist of two partners or more; however, with the approval of the Companies Controller, LLCs may be registered with only one partner. As in other jurisdictions, LLCs are one of the most prominent company types, due to the fact that the financial liability of the company is separate from the financial liability of its partners. The liability of partners in LLCs is limited to their shares in the company.
While the capital of LLCs may be as little as JOD1, there are certain objectives that necessitate a higher capital, especially commercial objectives such as import and export. Furthermore, LLCs are prohibited from resorting to public subscription to offer their shares, increase their capital or borrow money.
LLCs are generally favourable corporate structures for SMEs, as they are affordable and simple to set up, and limit the liability of partners, making the risks associated with them lower than those associated with LPCs and GPCs.
Private Shareholding Companies
PSCs consist of two shareholders or more; however, they may be registered by one shareholder upon the issuance of an approval by the Minister of Industry, Trade and Supply. Similar to LLCs, the liability of the shareholders in PSCs is separate from the company’s liability.
The capital of a PSC should not be less than JOD50,000, and the company is entitled to issue shares, bonds and other securities in the Jordanian financial market as per the applicable laws. The shares of the company may not be publicly offered.
The prominent characteristic of PSCs is their flexibility, in that their articles of association may provide for the issuance of different types and classes of shares, which vary in nominal value and voting powers. Furthermore, the articles of association may provide for the distribution of profits and losses amongst the shareholders, the rights and priorities of the shareholders upon liquidation, the manner in which a type of share may be converted into another type, and other rights, privileges, priorities and restrictions.
Public Shareholding Companies
PCs comprise at least two founders, who shall subscribe to the company by shares that are subject to listing in the financial markets for the purposes of trading and transferring. As with LLCs and PSCs, the liability of shareholders is separate from the liability of the company, with their liability being limited to their shares.
The authorised capital of PCs shall not be less than JOD500,000, and the actual subscribed capital shall not be less than JOD100,000 or 20% of the authorised capital, whichever is higher.
It is noteworthy that the activities of banking, financial companies, insurance and franchises may not be undertaken by any corporate forms other than PCs.
Foreign Companies
The CL has delineated two primary types of foreign companies: foreign non-operating companies and foreign operating companies.
A foreign non-operating company is a company that establishes a representative office for its headquarters in Jordan, for the purposes of directing and co-ordinating its operations outside the Kingdom. In other terms, foreign non-operating companies are prohibited from engaging in any commercial activity inside Jordan; their presence is merely for the purposes of providing technical or scientific services outside of Jordan.
Foreign operating companies are registered for a limited period of time or exclusively for the purposes of implementing a project referred to it by means of a tender. Alternatively, operating companies may be registered permanently in Jordan by virtue of specific licences issued by the competent official authorities.
Other
Remarkably, the CL has regulated non-profit companies and exempt companies as a feature rather than as a separate company type. To elaborate further, some of the mentioned company types may be registered as a non-profit company or as an exempt company.
Non-profit companies are companies that do not distribute any profits to their partners/shareholders, and whose activities are restricted to the health sector, the educational sector, the microfinance sector, investment promotion and community development training.
Exempt companies are LLCs, PSCs or PCs that are registered in Jordan but are exclusively permitted to operate outside of Jordan. As their name suggests, exempt companies benefit from tax exemptions and are therefore registered by entrepreneurs who wish to operate outside the Kingdom or incorporate a Jordanian holding company that shall own business ventures outside Jordan.
In addition, there are companies that are registered in the Hashemite Kingdom of Jordan by virtue of agreements executed between the government of Jordan and other countries, and Arabic companies, institutions or organisations arising out of the Arab League or affiliated with it.
Finally, persons specialising in specific professions or fields, such as lawyers, may establish a specific type of company called a Civil Company. Partners in such companies may agree in its articles of association on special provisions pertaining to the company, including the manner in which the company will be managed, the manner in which profits will be distributed and other details.
The principal sources of corporate governance requirements in the Hashemite Kingdom of Jordan are as follows.
The CL
The CL establishes the foundation of corporate governance requirements for companies in the Hashemite Kingdom of Jordan, promoting the accountability of the board of directors, fairness amongst shareholders, disclosure practices, transparency and responsibility. These principles include but are not limited to:
Companies Control Department
In addition to the CL, the Companies Control Department (CCD – the governing body for companies) issued the Corporate Governance Guidelines for Jordanian Companies (“Guidelines”), in partnership with the International Finance Corporation. These Guidelines are applicable to non-listed PCs, PSCs, LLCs, non-profit PSCs and non-profit LLCs.
Interestingly, while the Guidelines are typically non-binding in nature, they are founded on the principle of “obligation or interpretation of non-obligation” (a comply-or-explain approach). In other words, said companies are expected to conform to the Guidelines; if they do not, they are obliged to clarify the reasons for non-compliance. In practice, however, the CCD does not impose any penalty measures on companies that fail to comply without giving reasons.
The Guidelines provide for a higher threshold of governance requirements than those set forth in the CL, focusing primarily on the following aspects.
Aside from the CL and the Guidelines, the Board of Commissioners of the Jordan Securities Commission (JSC) issued the Governance Instructions for PCs in 2017, outlining special governance requirements for PCs. The JSC also regularly issues circulars pertaining to corporate governance for PCs.
As the legal landscape of corporate governance continues to evolve, companies are encouraged to complement such developments by voluntarily adopting policies and procedures to further enhance their corporate governance practices.
The primary mandatory corporate governance requirements for PCs are outlined in the CL, as follows.
In addition to the abovementioned compulsory governance requirements, the Governance Instructions for PCs specify more detailed requirements, including the minimum tasks attributed to the board of directors, the minimum committees that should be established by the board of directors and the role of each of the committees respectively, as well as other provisions. Significantly, the Governance Instructions for PCs oblige PCs to prepare a governance report on a yearly basis, to be signed by the chair of the board of directors.
Notably, a new amendment pertaining to corporate governance was introduced to the CL on 11 November 2023, obliging PCs to include women on their boards of directors in the percentages set forth in the relevant regulations. This new amendment not only ensures the diversity of the board of directors, but also upholds the general corporate governance principle of fairness.
Another significant amendment introduced in the realm of corporate governance is the issuance of the Beneficial Ownership Register Regulations for 2022, which placed new disclosure and transparency obligations on companies. In essence, the regulations oblige all companies to disclose the natural person who is considered the ultimate beneficiary of the company. For the avoidance of doubt, the regulations set forth criteria that companies may utilise to determine the identity of the ultimate beneficiary.
Jordan is equally ambitious when it comes to developing its corporate sector’s environmental responsibility, social responsibility and governance practices (ESG). The Investment Environment Law of 2022, for example, has been constructed with a clear intention to create an attractive environment for investors based on economic stability, provisions of equity and conscious environmental practices.
Concerning environmental responsibility, Jordan’s Environmental Protection Law of 2017 classifies facilities that affect the environment based on the extent of their environmental impact, as determined by regulations established by the Ministry of Environment. Depending on their categorisation, such facilities are required to obtain operational licences and to undergo auditing and supervision to maintain environmentally safe practices. Even if a facility does not severely impact the environment, it is still required to comply with a threshold of environmental safety provisions under the law.
In promoting such practices, the Investment Environment Regulating Regulation of 2023, established by virtue of the Investment Environment Law of 2022, offers an advantageous incentive to investors that adopt environmentally conscious and green practices, whereby the volume of incentives, exemptions and additional benefits granted may be increased by 5% of the investment volume.
Regarding social responsibility, Jordanian legislation is constantly adapting to create equal and equitable opportunities for members of the community, as well as safe practices that ensure their well-being. Recent amendments to the Jordanian Labour Law and accompanying regulations aim to ensure fair labour practices for employees, focusing on combatting workplace harassment, ensuring adequate childcare provision for working parents, and requiring employers – particularly within the industrial sector – to comply with the highest safety standards for their employees.
While such legislation establishes unmistakable compliance requirements for corporate entities, the responsibility of providing socially conscious environments ultimately falls on such entities.
Jordanian legislation is constantly developing to foster a healthier community for its citizens, taking into account environmental impact, social responsibility and the above-specified aspects of governance.
Bodies Responsible for the Management of the Company
In principle, the responsibility of managing the company is entrusted to the general manager/board of directors of the company. While there is generally no legal prohibition against electing a partner/shareholder as the general manager/member of the board of directors, general corporate governance principles dictate that segregation of powers is necessary to maintain accountability and responsibility.
Bodies Responsible for Company Governance
The principal body involved in the governance of the company is the board of directors, with nearly all mandatory corporate governance requirements being imposed on the board of directors. Upholding corporate governance requirements falls within the purview of managing the company.
Furthermore, regulatory bodies such as the CCD also have a significant role in maintaining and encouraging corporate governance practices, through issuing and updating legislation pertaining thereto, and imposing penalties for non-conformity with such legislation.
The board of directors typically makes operational, administrative and financial decisions pertaining to the company, as per the general provisions of the CL and the company’s articles of association. The following decisions are reserved for the board of directors:
The board of directors for companies makes decisions in the manner set forth in the company’s articles of association. If the articles of association do not specify the method of making decisions, the board of directors shall make decisions by majority of votes.
The structure of the board of directors in LLCs, PSCs and PCs is as follows.
LLCs
In LLCs, the management can be in the form of either a board of directors or a general manager, with the general manager/board of directors being elected by a simple majority of the partners, for a term of up to four years. If the company is managed by a board of directors, the number of members shall be between two and seven, and board members may also be partners.
PSCs
In PSCs, the board of directors is comprised of two to seven members who may or may not be shareholders, for a term of up to four years, unless otherwise specified in the company's articles of association. The board is responsible for electing a chair and vice-chair from amongst its members. The chair holds a decisive vote in the event of a tie, unless stated otherwise in the articles of association. The board appoints a qualified individual as the general manager, defining their powers and responsibilities based on board-issued instructions.
PCs
In PCs, the board of directors is elected by the shareholders and is tasked with the overall management and supervision of the company's activities. The number of directors ranges from three to 13, as specified by the company's articles of association. Board members serve a term of up to four years and are elected through a secret ballot and proportional voting system, which allows shareholders to distribute their votes based on the number of shares they own.
In PSCs and PCs, the board of directors appoints a secretary, who may be one of its members or an external individual.
In LLCs, the role of the general manager or the board of directors is to manage the company’s operations as per the company’s articles of association, which includes the preparation of the company’s financial statements and of the annual report reflecting the company’s activities during that year. The chair of the board of directors or the general manager has the most significant role in LLCs, as they invite the partners to the annual ordinary general assembly meeting to discuss the financial standing of the company, elect the auditor and address the other agenda items identified by the CL.
In PSCs and PCs, the chair plays the pivotal role of representing the company before third parties, inviting the shareholders to the yearly ordinary general assembly meeting, and inviting the board of directors to their regular meeting. However, the general manager appointed by the board of directors is ultimately tasked with managing the company in collaboration with and under the supervision of the board.
Moreover, the secretary appointed by the board of directors is responsible for maintaining the official records of the board’s proceedings, ensuring compliance with legal and regulatory requirements, and managing communications between the board and the shareholders. The secretary also plays a critical role in organising board meetings, preparing agendas and distributing meeting materials to board members. The secretary must ensure that the board’s decisions are documented accurately, and that relevant stakeholders are informed promptly.
The composition of boards of directors is outlined in 4.1 Board Structure and 4.2 Roles of Board Members.
Generally speaking, the board of directors is elected by the partners/shareholders of the company in a general assembly meeting. Naturally, the general assembly that has the capacity to elect the board of directors also has the capacity to remove them.
Moreover, persons who have been charged with a misdemeanour or crime contravening honour, morals or public ethics, such as bribery, embezzlement, theft and/or other such crimes, are not allowed to be board members in PCs.
Under the CL, directors are required to maintain a degree of independence to ensure unbiased decision-making. The law provides that directors should avoid conflicts of interest and are prohibited from engaging in any activities that could compromise their independence.
The directors may not assume a role in another company with similar or competing objectives and/or activities, regardless of whether they are compensated, including participating in the management thereof. The CL has provided exceptions to this, upon obtaining specific approvals, depending on the case.
Moreover, the law prohibits the chair and board members from engaging in specific activities, such as contracting with the company or entering into projects with it, except for public tenders and bids open to all competitors. In such cases, specific approvals shall be required.
The principal legal duties of directors and officers under the CL include a duty of care, a duty of loyalty and a duty to act within their authority. This involves setting strategies, policies, plans and procedures aimed at achieving the company's interests and ensuring that all shareholders and related parties receive their rights and are treated in a manner that ensures justice and equality without discrimination. The board is also responsible for appointing and terminating the company's general manager, determining how its members are selected, and supervising the company's executive management. In addition, the board has financial responsibilities, including organising the company's financial, accounting and administrative matters, and preparing annual reports.
The directors have the duty to call annual general assembly meetings as well as extraordinary general assembly meetings. In specific situations, the directors are required to call an extraordinary general assembly meeting of the company if the company suffers significant losses to the extent that it becomes unable to meet its obligations to its creditors, so as to decide to liquidate the company, issue new shares or take any other decision that ensures the company's ability to fulfil its obligations.
Moreover, Article 158 of the CL prohibits the chair, board members, general manager or any employee from disclosing any confidential information or data related to the company obtained through their position or work, with violations leading to removal and compensation claims for damages caused to the company. This prohibition does not apply to legally permitted disclosures, and the general assembly's approval to exonerate the chair and board members does not absolve them of this responsibility.
Directors owe their duties primarily to the company and its shareholders. However, they are also required to consider the interests of other stakeholders, such as creditors and/or third parties acting in good faith. Actions and decisions made by the board or general manager in the company's name are binding on the company when dealing with third parties who act in good faith. Third parties are presumed to be acting in good faith unless proven otherwise, and are not required to verify the existence of any restrictions on the authority of the board or the general manager.
The board must detail the authority to sign on behalf of the company, using a form approved by the Minister of Industry, Trade and Supply based on the Companies Controller’s recommendation, and outline the powers granted to the chair and the general manager, especially if the chair is dedicated to the company's activities.
Furthermore, the CL holds the chair and board members accountable to the company, its shareholders and third parties for any violations of laws, regulations or the company's articles of association, as well as any faults in management. The general assembly's approval to discharge the board does not prevent legal action being taken against the chair and board members.
Breaches of directors' duties can be enforced by the shareholders or creditors. Consequences of a breach can include personal liability for any losses incurred by the company, removal from the board, and possible criminal charges if the breach involves fraud or other illegal activities.
Directors may also be required to compensate the company for any damages caused by their actions. Article 159 of the CL addresses the judicial responsibility of the chair and board members, stating that they are jointly and severally liable to shareholders for negligence or failure in managing the company. If the company is liquidated and its assets are insufficient to cover its obligations due to such negligence or failure, the court may hold the chair, board members, general manager or auditors responsible for all or part of the company's debts, as appropriate.
Article 160 grants the Companies Controller, the company or any shareholder the right to file a lawsuit under the provisions of Articles 157, 158 and 159. In addition, the manager or board of directors of a company may be dismissed, whether the management is an individual or a board, provided there is majority approval from partners holding more than half of the company's share capital.
In PCs, the chair and members of the board of directors are jointly and severally liable to the shareholders for any negligence or failure in managing the company. However, in the event of the company’s liquidation, if a deficit in its assets is revealed such that it cannot meet its obligations, and this deficit is due to the negligence or failure of the chair, board members, general manager or auditors in managing the company, the court may decide to hold those responsible for this deficit liable for all or part of the company’s debts, as appropriate. The court will determine the amounts to be paid and whether or not the individuals responsible for the loss are jointly liable.
Please see 4.8 Consequences and Enforcement of Breach of Directors' Duties.
The approvals and restrictions concerning payments to directors are highlighted in the company’s articles of association. The board of directors of a PC must provide a detailed declaration to the general assembly, for shareholders' review, and provide a copy to the CCD.
Companies are required to disclose the remuneration, fees and benefits payable to directors and officers in their annual financial statements submitted to the CCD.
Moreover, Article 143 of the CL provides that the board of directors of a PC must display a detailed statement at the company's headquarters at least three days before the general assembly meeting, for shareholders' review, and provide a copy to the CCD. This statement includes all compensation received by board members during the fiscal year, benefits such as housing and cars, travel and transportation expenses, detailed donations made by the company, and a list of board members, with their share ownership and membership duration.
The relationship between the company and its shareholders is governed by the company's articles of association and the CL. Shareholders have the right to vote on important matters such as the election of directors, approval of major transactions and changes to the company's constitution by virtue of the CL. The articles of association also govern the relationship between the companies and shareholders in matters including (but not limited to) the voting rights of the shareholders and the distribution of dividends and profits.
Shareholders generally do not participate in the day-to-day management of the company, which is the responsibility of the board of directors. However, they have significant influence over major decisions through their voting rights. Shareholders can direct management actions by passing resolutions in general meetings, such as approving major transactions or changes in the company’s structure and/or objectives. They can also remove and appoint directors, giving them indirect control over management decisions.
Shareholders participate in the management of matters that are discussed in ordinary general assembly and extraordinary general assembly meetings, as indicated in 5.3 Shareholder Meetings.
Shareholder meetings are required by law, with the annual general assembly meeting being the most significant. The meeting must be held within a specified period following the end of the company’s financial year. The rules governing these meetings include giving adequate notice to shareholders, providing them with relevant information, and ensuring their right to attend, speak and vote on matters. Extraordinary general assembly meetings can be convened to address significant matters indicated within the CL.
The agenda of the ordinary general assembly meeting generally includes:
The general assembly is called to an extraordinary meeting to discuss specific matters that cannot be addressed unless they are listed in the meeting invitation. These matters include:
Shareholders can bring claims against the company or its directors on various bases, including breach of fiduciary duties, mismanagement or violation of shareholders' rights. They can also file derivative suits on behalf of the company if the board fails to act against directors who have breached their duties.
Shareholders holding at least 10% of the capital of a PC, PSC or LLC, or at least one quarter of the members of the board of directors or board of managers, as applicable, may request the Companies Controller to conduct an audit of the company's affairs and records. If the Companies Controller is convinced of the validity of the request, they may appoint one or more experts for this purpose.
If the audit reveals any violations that warrant further investigation, the minister may refer the matter to an investigative committee composed of department employees to verify the violation and review the expert's report. The committee has the authority to examine relevant documents and records, re-audit specific issues if necessary, and recommend that the Companies Controller instructs the company to implement the recommendations or refer the matter to the competent court, as appropriate.
By virtue of the CL, PCs must provide the Companies Controller with a report that includes the names of the subscribers and the number of shares each of them has subscribed to, within a period not exceeding 30 days from the date of closing any subscription in the shares of the PC.
Article 146 of the CL provides that every member elected to the board of any PC must inform the Companies Controller in writing of the names of the companies in which they hold board memberships.
All companies must file an annual disclosure of the beneficial owner of the company, irrespective of the company type.
Companies are subject to annual and periodic financial reporting requirements. They must prepare and submit the following documents to the CCD annually, which must all be audited by a certified public accountant:
This audit must be conducted in accordance with internationally recognised and accepted accounting and auditing standards. An annual report on the company’s activities must also be prepared.
Companies are obliged to disclose their shareholders, authorised signatories and board of directors’ members to the CCD by way of minutes of meeting that identify such individuals and are accompanied by their identification documents.
Companies are required to make various filings with the companies’ registry, including their articles of association, annual financial statements, ultimate beneficial ownership forms, vocational licences, social security statements, details of directors and officers, and any changes to the company's structure or ownership.
The shareholders’ information, their percentage of shares and the directors’ information are publicly available. The other mandatory filings, namely the articles of association, financial statements, ultimate beneficial ownership forms, vocational licences and social security statements, are available only to the company’s shareholders.
Failure to make these filings can result in penalties, legal action and potential suspension of the company.
Companies must appoint an auditor, elected at a general assembly meeting, to audit their financial statements.
The auditor must be qualified, ensuring an unbiased review of the company’s financial status. As per Article 192 of the CL, the general assembly of each PC, LLC and PSC shall elect one or more auditors from among the licensed professionals for a term of one year, which is renewable, and shall determine their fees or delegate the board of directors to set the fees. The company must notify the elected auditor in writing within 14 days from the date of their election. If the general assembly of the company fails to elect an auditor, or if the elected auditor declines the appointment, is unable to perform their duties for any reason or passes away, the board of directors must nominate at least three auditors to the Companies Controller within 14 days from the date the position becomes vacant, from which the Companies Controller will select one.
Auditors must conduct the audit in accordance with international best practice, and shall prepare the audited financial statements, in addition to the auditor’s report, which shall be read to and approved by the general assembly. Furthermore, the general assembly shall have the right to address questions regarding the financial statements to the auditor, who will address such inquiries.
Directors are required to establish and maintain effective risk management and internal control systems by assessing risks that could affect the company's operations and ensuring that appropriate internal controls are in place to safeguard the company’s assets and ensure compliance with laws and regulations.
The directors are required to call an extraordinary general assembly meeting of the company if the company suffers losses that exceed specific percentages of its capital (depending on the company type), so as to decide either to liquidate the company or to take any other decision that ensures the company's ability to fulfil its obligations and rectify its status.
Salem Al-Hendawi St. 23
Amman
Jordan
+962 6 562 0132
+962 6 562 0132
operations@karajahlaw.com www.karajahlaw.com
Corporate Governance in Jordan: an Introduction
The Jordanian privacy and cybersecurity regulatory framework: insights for legal compliance
Jordan has recently enacted a comprehensive Personal Data Protection Law, Law No 24 of 2023 (PDPL). This law regulates the collection and processing of personal data belonging to natural persons, and establishes legal requirements for the transfer of personal data outside Jordan. The PDPL grants rights for data subjects and imposes obligations on personal data controllers and processors, establishing a comprehensive privacy law that aligns with the General Data Protection Regulation (GDPR) enacted in the European Union.
The scope of the PDPL is very broad as it does not distinguish between citizens, residents and foreigners. The PDPL refers to the Data Subject as a natural person whose personal data is being processed. Furthermore, the text of the PDPL expressly provides for the retroactive application of the law that applies to personal data even when it is collected or processed prior to the entry into force of the law.
The PDPL was enacted on 17 March 2024. All entities processing personal data must comply with the legal requirements of the law by 16 March 2025.
In addition to the PDPL, Jordan enacted the Cybersecurity Law, Law No 16 of 2019 (“Cybersecurity Law”), in 2019, which focuses on protecting critical infrastructure and securing information systems. The Cybersecurity Law establishes legal requirements for reporting and mitigating cyber-incidents. Furthermore, the Electronic Crimes Law, Law No 17 of 2023 (“Electronic Crimes Law”) addresses specific cybercrimes, including unauthorised access, data theft and cyberfraud.
The PDPL, the Cybersecurity Law and the Electronic Crimes Law play a pivotal role in shaping the legal landscape in Jordan. These laws enacted a legal framework to protect the personal data of data subjects and manage and regulate cyber-attacks, and set forth legal grounds to prosecute cybercrimes. Complying with these laws is crucial, as severe penalties can result from the breach of any of the legal requirements imposed on organisations. As the regulatory framework is relatively recent, the enforcement requirements and regulatory framework are expected to evolve.
Compliance obligations related to the collection and processing of personal data
Consent and legitimate processing, transparency and accountability
Processing is defined under the PDPL as one or more operations performed by any form or means for the purpose of collecting, recording, copying, saving, storing, organising, refining, exploiting, using, sending, distributing, publishing, linking with other data, making available, transferring, displaying, anonymising, encoding, destroying, restricting, erasing, modifying, characterising or disclosing data.
Under the PDPL, the person or entity who has custody over personal data is called a data controller and is accountable for ensuring compliance with all legal obligations and for maintaining records of personal data processing activities. Processors are any person or entity that processes personal data on behalf of data controllers.
Prior to collecting or processing personal data, consent is required. Such consent must be for legitimate purposes, and personal data may only be collected or processed to the extent required to achieve the purpose for which it was collected. Personal data cannot be processed without prior, explicit and documented consent being given by the data subject, unless processing is otherwise legally permitted. Consent must be informed, clear and specific to the processing purpose(s) and duration, especially when it comes to processing sensitive data.
Personal data processing without consent is permissible only in specific situations, such as for legal duties of public entities, medical necessities, protecting vital interests, legal proceedings purposes, central bank supervision, or if required by law.
Data subjects have the right to object to the processing of their personal data that is unnecessary, excessive, discriminatory or unfair, and may even revoke any consent previously granted to the data controller. The data subject is granted the right to refuse certain processing if it is unnecessary for the purposes for which the data was originally collected, or if it infringes on their rights, such as the data subject’s right to restrict processing within a specific scope. This objection should be evaluated on a case-by-case basis, taking into consideration the specific circumstances and the legitimate interests of both the data subject and the data controller/processor. If the objection is upheld, the data controller must cease the processing activities that are deemed unnecessary or unjustified. In addition, the data controller should provide clear and accessible mechanisms for data subjects to exercise this right, ensuring transparency.
Personal data accuracy and limitation
Data subjects have rights to access, correct, update, restrict, erase or transfer their personal data. These rights should be granted by virtue of mechanisms that the controller needs to put in place, whether through technological solutions or the ability to contact the controller to exercise these rights.
When processed, personal data must be accurate, relevant and kept up to date. Unless otherwise required by law or upon the request of the data subject, personal data must be deleted or transferred after the processing purpose has been completed or fulfilled.
Personal data transfer and confidentiality
Personal data may be transferred for different purposes, including transfer to service providers of the controller who will be processing personal data on its behalf, or upon the request of the data subject in accordance with their right to transfer their personal data to a third party of their choice. In carrying out such transfers, the following considerations shall be taken into account.
Appointment of Data Protection Officer and responsibilities
Within the category of personal data lies a subset known as sensitive personal data, which requires additional protection due to the potential harm it could cause if disclosed or misused. This type of data includes information such as racial or ethnic origin, political opinions, religious beliefs, financial status, health conditions, genetic data, biometric data and criminal records. Unlike general personal data, sensitive data involves greater risks, necessitating stricter protection measures.
Given the sensitive nature of personal data that may be collected and processed, controllers dealing with sensitive personal data must appoint a Data Protection Officer (DPO) to ensure the protection of the personal data collected and mitigate any harm that may ensue if a breach occurs.
The data controller must also appoint a DPO in the following other specific situations:
The Personal Data Protection Council, established in accordance with the provisions of the PDPL, also has the authority to determine any other situation in which the appointment of a DPO is mandatory.
The DPO shall have the responsibility to oversee data protection practices, ensure compliance, conduct periodic audits and serve as a liaison for data protection inquiries.
Obligations related to secure data handling
Secure methods must be employed for the transfer of personal data, and all parties involved must ensure personal data security and integrity. Specifically, the data controller is obliged to ensure the secure handling of personal data by:
Obligations in the event of breach of data security
In the event of a breach of data security and safety that could cause significant harm to the data subject, the data controller/processor must:
The party responsible for the breach of confidentiality and security of the personal data may be obliged to compensate the individual concerned for any harm or damage that has been caused as a consequence of such breach. The controller could be held accountable for not taking precautionary measures or for failing to abide by its legal obligations. However, responsibility could also lie with a third party, such as an individual or another organisation, that breached the organisation's security system.
If the breach of the data security was caused by a cyber-attack, organisations are also required to follow the instructions issued pursuant to the Cybersecurity Law. A cybersecurity incident is defined under the Cybersecurity Law as an act or attack that poses a risk to data, information, information systems, information networks or related infrastructure, and requires a response to stop it or mitigate its consequences or effects.
Upon receiving a complaint from the affected entity, the National Cybersecurity Centre shall take the appropriate action to address the reported cybersecurity incident and prevent its occurrence or continuation. The National Cybersecurity Centre shall manage and respond to cybersecurity reporting if it is considered to be highly severe. An incident is classified as “highly severe” if it leads to a complete disruption of essential services, involves the leakage, destruction or erasure of sensitive data, and has a significant impact on more than one piece of critical infrastructure or on more than a third of Jordan's population.
The organisation must also follow the instructions and directives of the National Cybersecurity Centre if a cybersecurity incident is classified as “moderate”. The response to a moderate cybersecurity incident may include utilising the Centre’s response team or engaging a licensed entity to provide cybersecurity incident response services and to submit a detailed report about the incident to the Centre. The qualification of an incident as “moderate” requires it to have significant but non-impactful consequences, which includes:
A cybersecurity incident is considered “low” if it involves non-impactful intrusion attempts on sensitive data and services, or scanning and reconnaissance operations that impact data and services affecting higher education institutions, or if there is no complete disruption of essential services and only private entities are affected. When the cybersecurity incident is qualified as “low”, the affected entity, response teams or licensed entities are also required to intervene and handle the response.
The National Cybersecurity Centre is responsible for managing and directing the response to cyber-attacks or threats. All relevant entities impacted by a cyber-attack, regardless of their level of severity, must comply with the Centre’s directives and instructions based on the classification of the attack.
Legal penalties for non-compliance
A breach of the regulatory framework related to personal data protection can result in severe penalties, emphasising the need for compliance and proactive risk management within organisations. Under the Electronic Crimes Law, unauthorised access to information systems can lead to imprisonment of up to three years and fines of up to JOD15,000. Tampering with websites or publishing private media incurs similarly strict penalties. The PDPL provides for additional penalties, including fines of up to JOD10,000, potential licence suspension or cancellation, and the obligation to compensate affected individuals.
When a violation is identified, the Personal Data Unit issues a warning to the non-compliant party, instructing it to stop the violation and remedy its causes and effects within a specified period. If the violator does not comply within this timeframe, the Personal Data Protection Council, based on the Personal Data Unit’s recommendations, can impose various penalties, including:
Repeated violations can result in doubled fines and the mandatory destruction of unlawfully obtained data.
Moreover, the Personal Data Unit has the authority to publish a public statement about the confirmed violations at the violator's expense, using whatever means it sees fit. Importantly, these penalties do not prevent the affected individuals from seeking civil compensation for damages caused by the violation.
Practical recommendations for legal compliance
The following actions are recommended in order to ensure compliance.