Corporate Governance 2024

Last Updated May 29, 2024

Jordan

Law and Practice

Authors



Sa’ed Karajah & Partners LLP Attorneys at Law & Legal Counselors (SKP) is a pioneering law firm in Jordan, with over 25 years of legal expertise. As a trusted adviser for both local and international clients, including financial institutions, public authorities and SMEs, SKP delivers tailored advice to foster clients’ growth. Founded in 1996 by Sa'ed Karajah, the firm prioritises innovation as a catalyst for progress. Its multidisciplinary approach and sector-specific proficiency enable SKP to offer comprehensive services, bridging communication between clients and global stakeholders. From contributing to the development of key Jordanian laws to engaging in cutting-edge legal matters, SKP prioritises holistic guidance and innovative legal solutions. The firm's culture of continual learning and co-mentorship ensures the delivery of top-notch advice across various sectors. SKP recognises the intrinsic link between its work and various communities, motivating its dedication to offering pro bono legal services to disenfranchised individuals and initiatives.

The primary forms of corporate/business organisations in the Hashemite Kingdom of Jordan as set forth in the Companies Law No 22 of 1997 (CL) are:

  • General Partnership Companies (GPCs);
  • Limited Partnership Companies (LPCs);
  • Limited Liability Companies (LLCs);
  • Private Shareholding Companies (PSCs);
  • Public Shareholding Companies (PCs); and
  • Foreign Companies; and
  • Venture Capital Companies. ¬

General Partnership Companies

GPCs are companies registered by no fewer than two persons and no more than 20 persons. The most prominent feature of GPCs is that the partners are jointly and severally liable for the obligations and debts of the company. As a result, the provisions pertaining to GPCs in the CL are conservative, empowering courts to make certain decisions upon the request of partners, and regulating the liability of the partners between each other and before third parties.

Limited Partnership Companies

LPCs consist of two types of partners. The first category are general partners, who manage the company and its operations, and are thus personally liable for the debts and obligations of the company. The second category are silent or limited partners, who solely contribute to the share capital of the company without having the right to manage the company and/or its operations. Naturally, the liability of the silent partners is limited to their shares, wherein they are not personally liable for the company’s debts or obligations. However, if a silent partner begins managing the company and/or its operations, they shall be deemed personally liable for the obligations and debts incurred by the company during the time they participated in the company’s management.

Generally speaking, the CL has drawn a clear distinction between both categories of partners, granting general partners more rights, such as the exclusive right to have the company named after them and the right not to have any amendment in the LPC's articles of association without their approval, among others.

Limited Liability Companies

LLCs consist of two partners or more; however, with the approval of the Companies Controller, LLCs may be registered with only one partner. As in other jurisdictions, LLCs are one of the most prominent company types, due to the fact that the financial liability of the company is separate from the financial liability of its partners. The liability of partners in LLCs is limited to their shares in the company.

While the capital of LLCs may be as little as JOD1, there are certain objectives that necessitate a higher capital, especially commercial objectives such as import and export. Furthermore, LLCs are prohibited from resorting to public subscription to offer their shares, increase their capital or borrow money.

LLCs are generally favourable corporate structures for SMEs, as they are feasible and simple, and limit the liability of partners, making the risks associated with them less than those associated with LPCs and GPCs.

Private Shareholding Companies

PSCs consist of two shareholders or more; however, they may be registered by one shareholder upon the issuance of an approval by the Minister of Industry, Trade and Supply. Similar to LLCs, the liability of the shareholders in PSCs is separate from the company’s liability.

The capital of a PSC should not be less than JOD50,000, and the company is entitled to issue shares, bonds and other securities in the Jordanian financial market as per the applicable laws. The shares of the company may not be publicly offered.

The prominent characteristic of PSCs is their flexibility, wherein its articles of association may provide for the issuance of different types and classes of shares, which vary in nominal value and voting powers. Furthermore, the articles of association may provide for the distribution of profits and losses amongst the shareholders, the rights and priorities of the shareholders upon liquidation, the manner in which a type of share may be converted into another type, and other rights, privileges, priorities and restrictions.

Public Shareholding Companies

PCs are comprised of at least two founders, who shall subscribe to the company by shares that are subject to listing in the financial markets for the purposes of trading and transferring. In line with LLCs and PSCs, the liability of shareholders is separate from the liability of the company, with their liability being limited to their shares.

The authorised capital of PCs shall not be less than JOD500,000, and the actual subscribed capital shall not be less than JOD100,000 or 20% of the authorised capital, whichever is higher.

It is noteworthy that the activities of banking, financial companies, insurance and franchises may not be undertaken by any corporate forms other than PCs.

Foreign Companies

The CL has delineated two primary types of foreign companies:

  • foreign non-operating companies; and
  • foreign operating companies.

The former is a company that establishes a representative office for its headquarters in Jordan, for purposes of directing and co-ordinating its operations outside the Kingdom. In other terms, foreign non-operating companies are prohibited from engaging in any commercial activity inside Jordan, with its presence being merely for purposes of providing technical or scientific services outside of Jordan.

Foreign operating companies are registered for a limited period of time or exclusively for the purposes of implementing a project referred to it by means of a tender. Alternatively, operating companies may be registered permanently in Jordan by virtue of specific licences issued by the competent official authorities.

Venture Capital Companies

Venture Capital Companies are established for the purpose of direct investment or investment in high-risk companies which have a high growth potential, provided that they are not allowed to invest in companies whose shares are listed in the stock market. Venture Capital Companies aim to earn returns through selling their shares or equity in such high-risk companies.

Other

Remarkably, the CL has regulated non-profit companies and exempt companies as a feature rather than as a separate company type. To elaborate further, some of the mentioned company types may be registered as a non-profit company or as an exempt company.

Non-profit companies are companies that do not distribute any profits to their partners/shareholders, and whose activities are restricted to the health sector, educational sector, microfinance sector, investment promotions and community development trainings.

Exempt companies are LLCs, PSCs or PCs that are registered in Jordan but are exclusively permitted to operate outside of Jordan. As their name suggests, exempt companies benefit from tax exemptions and are therefore registered by entrepreneurs who wish to operate outside the Kingdom or incorporate a Jordanian holding company that shall own business ventures outside Jordan.

In addition, there are companies that are registered in the Hashemite Kingdom of Jordan by virtue of agreements executed between the government of Jordan and other countries, and Arabic companies, institutions or organisations arising out of the Arab League or affiliated with it.

Finally, persons specialising in specific professions or fields, such as lawyers, may establish a specific type of company called a Civil Company. Partners in such companies may agree in its articles of association on special provisions pertaining to the company, including the manner in which the company will be managed, the manner in which profits will be distributed and other details.

The principal sources of corporate governance requirements in the Hashemite Kingdom of Jordan are as follows.

The CL

The CL establishes the foundation of corporate governance requirements for companies in the Hashemite Kingdom of Jordan, promoting the accountability of the board of directors, fairness amongst shareholders, disclosure practices, transparency and responsibility. These principles include but are not limited to:

  • the segregation of powers between the partners/shareholders and the board of directors in companies;
  • prescribing key responsibilities to the board of directors, such as the responsibility to present the audited financial statements to the shareholders/partners on a yearly basis, alongside a report of the company’s activities for the same period, for endorsement by the partners/shareholders;
  • limiting the duration of term for the board of directors;
  • restricting the board of directors from assuming positions in competing companies, unless an approval was issued by the majority of the partners/shareholders; and
  • outlining the board of directors' liability for breaching the CL or any regulations issued pursuant thereto and/or the company’s articles of association.

Companies Control Department

In addition to the CL, the Companies Control Department (CCD – the governing body for companies) issued the Corporate Governance Guidelines for Jordanian Companies (“Guidelines”), in partnership with the International Finance Corporation. These Guidelines are applicable to non-listed PCs, PSCs, LLCs, non-profit PSCs and non-profit LLCs.

Interestingly, while the Guidelines are typically non-binding in nature, they are founded on the principle of “obligation or interpretation of non-obligation”. In other words, said companies are expected to conform to the Guidelines; if they do not, they are obliged to clarify the reasons for non-compliance. In practice, however, the CCD does not impose any penalty measures for non-compliance without reasoning.

The Guidelines provide for a higher threshold of governance requirements than those set forth in the CL, focusing primarily on the following aspects.

  • General managers/board of directors:
    1. the election of the general manager/board of directors by the partners/shareholders, ensuring that they include persons of diverse ages, genders and expertise;
    2. outlining the core responsibilities of the board of directors, including safeguarding the continuity of the company and its operations, approving the company’s strategy and structure, approving the yearly audited financial statements, and appointing and evaluating the CEO;
    3. the accountability of the board of directors before the shareholders/partners and stakeholders;
    4. the capacity of the board of directors to make decisions as per the applicable laws and regulations, and in adherence to principles of integrity and ethics;
    5. the proportionality of rewards granted to the board of directors with their roles, responsibilities and performance; and
    6. in specific regards to PSCs and PCs, the Guidelines require the formation of at least two committees from within the board of directors, to assist the board with assessing commercial decisions and making recommendations thereon; the Guidelines oblige the board to directors to assess such committees at least once every two years.
  • Internal audit and compliance:
    1. the board of directors is required to establish and implement an internal audit system, which ensures accurate maintenance of financial records and the lawful use of company assets;
    2. appointing an external auditor by means of a decision from the shareholders/partners upon the recommendation of the board of directors;
    3. maintaining the auditor's objectivity, by ensuring they do not provide any other services that may compromise their independence and impartiality towards the company; and
    4. granting the external auditor extensive authority to audit the financial, administrative and operational aspect of the company.
  • Risk management:
    1. the board of directors is required to establish a framework for risk management for the company, implement it, and review it annually to ensure its relevance and applicability.
  • Conflicts of interest:
    1. the board of directors is required to establish policies and procedures to identify conflicts of interest, and to introduce measures to address such cases; and
    2. the board of directors shall be deemed the competent party responsible for managing instances of conflict of interest and unlawful or inappropriate use of the company’s assets.
  • Disclosure and transparency:
    1. the board of directors is required to create guidelines on identifying the type of information that is required to be disclosed as well as the channels of communication and transmission of information;
    2. the company should adhere to the required disclosures as per the applicable laws; and
    3. the company is required to disclose the extent to which it is adhering to the Guidelines, in addition to any circumstance that is likely to adversely affect stakeholders, details pertaining to board of directors’ rewards, and the policy of evaluating the board of directors.
  • The rights of shareholders/partners:
    1. the company must ensure that shareholders/partners regularly convene, and should utilise electronic platforms to encourage maximum attendance by shareholders/partners; and
    2. the board of directors should manage the company’s operations while taking the interests of stakeholders into account.

Aside from the CL and the Guidelines, the Board of Commissioners of the Jordan Securities Commission (JSC) issued the Governance Instructions for PCs in 2017, outlining special governance requirements for PCs. The JSC also regularly issues circulations pertaining to corporate governance for PCs.

As the legal landscape of corporate governance continues to evolve, companies are encouraged to complement such developments by voluntarily adopting policies and procedures to further enhance their corporate governance practices.

The primary mandatory corporate governance requirements for PCs are outlined in the CL, as follows.

  • To ensure their accountability, the board of directors is legally required to prepare and submit to the shareholders the company’s yearly audited financial statement as well as a yearly report reflecting the activities implemented by the company and the anticipated future activities of the company.
  • Consistent with the principles of transparency, each member of the board of directors, as well as the general manager and key executives of the PCs, are required to submit a written declaration to the board of directors detailing their ownership of shares in the company, as well as the shares held by their spouse and minor children. They must also disclose any shares they, their spouse or minor children own in other companies, particularly those in which the company has a stake. Any changes to this information must be promptly communicated to the board of directors within 15 days of occurrence. These declarations should also be submitted to the Jordanian Companies Controller.
  • Upholding transparency, a PC's board of directors is obliged to publish the financial statement of the company, its profit and losses account, a summary of the yearly report, and the report of the company’s auditor.
  • The board of directors of a PC is mandated to present to the shareholders, during the annual meeting, a comprehensive list detailing all payments received by the board members from the company, including incentives, bonuses and remunerations. This list should also encompass any privileges granted to board members, such as the use of company vehicles, as well as expenses incurred for their benefit.
  • To avoid conflicts of interest, PCs are prohibited from granting cash loans of any kind to members of their boards of directors, their children or spouses. Notably, banks are exempted from this restriction, provided that cash loans granted to banks’ board of directors, their children or spouses are subject to the same conditions that apply to other persons.
  • Members of the board of directors, general managers and/or any employees working for a PC are not allowed to have any direct or indirect interest in contracts and projects executed with and/or for the company.
  • In line with the principles of accountability and responsibility, the board of directors shall prepare a report bi-annually, which includes the financial status of the company and the implications of its operations, audited by the auditor of the company. Such report should be submitted to the Companies Controller.
  • Members of the board of directors are entitled to manage the company as per its articles of association, wherein actions executed by such members shall be considered obligatory for the company. If board members breach the applicable laws and/or the company’s articles of association, the company has the right to claim damages from them.
  • All financial and administrative aspects of the PC shall be regulated by virtue of internal by-laws and policies prepared by the company’s board of directors.
  • To maintain transparency, accountability and responsibility, members of the board of directors are prohibited from engaging – whether directly or indirectly – in transactions pertaining to the shares of the company, on the basis of information they obtain by virtue of their position or role in the company. Members are also prohibited from transmitting such information to any third party with the intent of influencing the price of the company’s shares.
  • The CL has capped the permitted rewards for members of the board of directors at 10% of the company’s profit after reducing all taxes and reserves, and at a maximum of JOD5,000 for each board member per year.

In addition to the abovementioned compulsory governance requirements, the Governance Instructions for PCs specify more detailed requirements, including the minimum tasks attributed to the board of directors, the minimum committees that should be established by the board of directors and the role of each of the committees respectively, as well as other provisions. Significantly, the Governance Instructions for PCs oblige PCs to prepare a governance report on a yearly basis, to be signed by the chair of the board of directors.

Distinctively, a new amendment pertaining to corporate governance was introduced to the CL on 11 November 2023, obliging PCs to represent women on their board of directors as per the percentages set forth in the relevant regulations. This new amendment not only ensures the diversity of the board of directors, but also upholds general corporate governance principles of fairness.

Another significant amendment introduced in the realm of corporate governance is the issuance of the Beneficial Ownership Register Regulations for 2022, which placed new disclosure and transparency obligations on companies. In essence, the regulations oblige all companies to disclose the natural person who is considered the ultimate beneficiary of the company. For the avoidance of doubt, the regulations set forth criteria that companies may utilise to determine the identity of the ultimate beneficiary.

Jordan’s aspirations do not fall short when it comes to developing its corporate sector’s environmental responsibility, social responsibility and governance practices (ESG). The Investment Environment Law of 2022, for example, has been constructed with a clear intention to create a lucrative environment for investors based on economic stability, provisions of equity and conscious environmental practices.

Concerning environmental responsibility, Jordan’s Environmental Protection Law of 2017 classifies facilities that affect the environment based on the extent of their environmental impact, as determined by regulations established by the Ministry of Environment. Depending on their categorisation, such facilities are required to obtain operational licences and to undergo auditing and supervision to maintain environmentally safe practices. Even if a facility does not severely impact the environment, it is still required to comply with a threshold of environmental safety provisions under the law.

In promoting such practices, the Investment Environment Regulating Regulation of 2023, established by virtue of the Investment Environment Law of 2022, offers an advantageous incentive to investors that adopt environmentally conscious and green practices, whereby the volume of incentives, exemptions and additional benefits granted may be increased by 5% of the investment volume.

Regarding social responsibility, Jordanian legislation is constantly adapting to create equal and equitable opportunities for members of the community, as well as safe practices that ensure their well-being. Recent amendments to the Jordanian Labour Law and accompanying regulations aim to ensure fair labour practices for employees, focusing on combatting workplace harassment, ensuring adequate ability to provide childcare for working parents, and requiring employers – particularly within the industrial sector – to ensure the utmost safety regulations for their employees.

While such legislation establishes unmistakable compliance requirements for corporate entities, the responsibility of providing socially conscious environments ultimately falls on such entities.

Jordanian legislation is constantly developing to foster a healthier community for its citizens, taking into account environmental impact, social responsibility and the above-specified aspects of governance.

Bodies Responsible for the Management of the Company

In principle, the responsibility of managing the company is entrusted to the general manager/board of directors of the company. While there is generally no legal prohibition against electing a partner/shareholder as the general manager/member of the board of directors, general corporate governance principles dictate that segregation of powers is necessary to maintain accountability and responsibility.

Bodies Responsible for Company Governance

The principal body involved in the governance of the company is the board of directors, with nearly all mandatory corporate governance requirements being requested from the board of directors. Upholding corporate governance requirements falls within the purview of managing the company.

Furthermore, regulatory bodies such as the CCD also have a significant role in maintaining and encouraging corporate governance practices, through issuing and updating legislation pertaining thereto, and imposing penalties for non-conformity with such legislation.

The board of directors typically makes operational, administrative and financial decisions pertaining to the company, as per the general provisions of the CL and the company’s articles of association. The following decisions are reserved for the board of directors:

  • electing the chairperson and vice-chairperson from among its members;
  • appointing a secretary, who can be a board member or an external individual;
  • assigning signing authority to external members, board members or employees, as needed;
  • preparing the company's annual balance sheet and financial statements;
  • submitting financial statements and reports to the general assembly and the CCD;
  • overseeing the company's day-to-day operations through the general manager;
  • ensuring compliance with laws, regulations and company policies; and
  • making strategic business decisions within the framework set by the general assembly.

The board of directors for companies makes decisions in the manner set forth in the company’s articles of association. If the articles of association do not specify the method of making decisions, the board of directors shall make decisions by majority of votes.

The structure of the board of directors in LLCs, PSCs and PCs is as follows.

LLCs

In LLCs, the management can be in the form of either a board of directors or a general manager, with the general manager/board of directors being elected by a simple majority of the shareholders, for a term of up to four years. If the company is managed by a board of directors, the number of members shall be between two and seven, and board members may also be shareholders.

PSCs

In PSCs, the board of directors is comprised of two to seven members who may or may not be shareholders, for a term of up to four years, unless otherwise specified in the company's articles of association. The board is responsible for electing a chair and vice-chair from amongst its members. The chair holds a decisive vote in the event of a tie, unless stated otherwise in the articles of association. The board appoints a qualified individual as the general manager, defining their powers and responsibilities based on board-issued instructions.

PCs

In PCs, the board of directors is elected by the shareholders and is tasked with the overall management and supervision of the company's activities. The number of directors ranges from three to 13, as specified by the company's articles of association. Board members serve a term of up to four years and are elected through a secret ballot and proportional voting system, which allows shareholders to distribute their votes based on the number of shares they own.

In PSCs and PCs, the board of directors appoints a secretary, who may be one of its members or an external individual.

In LLCs, the role of the general manager or the board of directors is to manage the company’s operations as per the company’s articles of associations, which includes the preparation of the financial statement of the company in addition to the yearly report of the company reflecting the company’s activities during a specific year. Most prominently, the chair of the board of directors or the general manager has the most significant role in LLCs, as they invite the partners to the annual ordinary general assembly meeting to discuss the financial standing of the company, elect the auditor and other specific agenda items identified by the CL.

In PSCs and PCs, the chair plays the pivotal role of representing the company before third parties, inviting the shareholders to the yearly ordinary general assembly meeting, and inviting the board of directors to their regular meeting. However, the general manager appointed by the board of directors is ultimately tasked with managing the company in collaboration with and under the supervision of the board.

Moreover, the secretary appointed by the board of directors is responsible for maintaining the official records of the board’s proceedings, ensuring compliance with legal and regulatory requirements, and managing communications between the board and the shareholders. The secretary also plays a critical role in organising board meetings, preparing agendas and distributing meeting materials to board members. The secretary must ensure that the board’s decisions are documented accurately, and that relevant stakeholders are informed promptly.

The composition of boards of directors is outlined in 4.1 Board Structure and 4.2 Roles of Board Members.

Generally speaking, the board of directors is elected by the partners/shareholders of the company in a general assembly meeting. Naturally, the general assembly that has the capacity to elect the board of directors also has the capacity to remove them.

Moreover, persons who have been charged with a misdemeanour or crime contravening honour, morals or public ethics, such as bribery, embezzlement, theft and/or other such crimes, are not allowed to be board members in PCs.

Under the CL, directors are required to maintain a degree of independence to ensure unbiased decision-making. The law provides that directors should avoid conflicts of interest and are prohibited from engaging in any activities that could compromise their independence.

The directors may not assume a role in another company with similar or competing objectives and/or activities, regardless of whether they are compensated, including participating in the management thereof. The CL has provided exceptions to this, upon obtaining specific approvals, depending on the case.

Moreover, the law prohibits the chair and board members from engaging in specific activities, such as contracting with the company or entering into projects with it, except for public tenders and bids open to all competitors. In such cases, specific approvals shall be required.

The principal legal duties of directors and officers under the CL include a duty of care, a duty of loyalty and a duty to act within their authority. This involves setting strategies, policies, plans and procedures aimed at achieving the company's interests and ensuring that all shareholders and related parties receive their rights and are treated in a manner that ensures justice and equality without discrimination. The board is also responsible for appointing and terminating the company's general manager, determining how its members are selected, and supervising the company's executive management. In addition, the board has financial responsibilities, including organising the company's financial, accounting and administrative matters, and preparing annual reports.

The directors have the duty to call annual general assembly meetings as well as extraordinary general assembly meetings. In specific situations, the directors are required to call an extraordinary general assembly meeting of the company if the company suffers significant losses to the extent that it becomes unable to meet its obligations to its creditors, so as to decide to liquidate the company, issue new shares or take any other decision that ensures the company's ability to fulfil its obligations.

Moreover, Article 158 of the CL prohibits the chair, board members, general manager or any employee from disclosing any confidential information or data related to the company obtained through their position or work, with violations leading to removal and compensation claims for damages caused to the company. This prohibition does not apply to legally permitted disclosures, and the general assembly's approval to exonerate the chair and board members does not absolve them of this responsibility.

Directors owe their duties primarily to the company and its shareholders. However, they are also required to consider the interests of other stakeholders, such as creditors and/or third parties acting in good faith. Actions and decisions made by the board or general manager in the company's name are binding on the company when dealing with third parties who act in good faith. Third parties are presumed to be acting in good faith unless proven otherwise, and are not required to verify the existence of any restrictions on the authority of the board or the general manager.

The board must detail the authority to sign on behalf of the company, using a form approved by the Minister of Industry, Trade and Supply based on the Companies Controller’s recommendation, and outline the powers granted to the chair and the general manager, especially if the chair is dedicated to the company's activities.

Furthermore, the CL holds the chair and board members accountable to the company, its shareholders and third parties for any violations of laws, regulations or the company's articles of association, as well as any faults in management. The general assembly's approval to discharge the board does not prevent legal action being taken against the chair and board members.

Breaches of directors' duties can be enforced by the shareholders or creditors. Consequences of a breach can include personal liability for any losses incurred by the company, removal from the board, and possible criminal charges if the breach involves fraud or other illegal activities.

Directors may also be required to compensate the company for any damages caused by their actions. Article 159 of the CL addresses the judicial responsibility of the chair and board members, stating that they are jointly and severally liable to shareholders for negligence or failure in managing the company. If the company is liquidated and its assets are insufficient to cover its obligations due to such negligence or failure, the court may hold the chair, board members, general manager or auditors responsible for all or part of the company's debts, as appropriate.

Article 160 grants the Companies Controller, the company or any shareholder the right to file a lawsuit under the provisions of Articles 157, 158 and 159. In addition, the manager or board of directors of a company may be dismissed, whether the management is an individual or a board, provided there is majority approval from partners holding more than half of the company's share capital.

In PCs, the chair and members of the board of directors are jointly and severally liable to the shareholders for any negligence or failure in managing the company. However, in the event of the company’s liquidation, if a deficit in its assets is revealed such that it cannot meet its obligations, and this deficit is due to the negligence or failure of the chair, board members, general manager or auditors in managing the company, the court may decide to hold those responsible for this deficit liable for all or part of the company’s debts, as appropriate. The court will determine the amounts to be paid and whether or not the individuals responsible for the loss are jointly liable.

Please see 4.8 Consequences and Enforcement of Breach of Directors' Duties.

The approvals and restrictions concerning payments to directors are highlighted in the company’s articles of association. The board of directors of a PC must provide a detailed declaration to the general assembly, for shareholders' review, and provide a copy to the CCD.

Companies are required to disclose the remuneration, fees and benefits payable to directors and officers in their annual financial statements submitted to the CCD.

Moreover, Article 143 of the CL provides that the board of directors of a PC must display a detailed statement at the company's headquarters at least three days before the general assembly meeting, for shareholders' review, and provide a copy to the CCD. This statement includes all compensation received by board members during the fiscal year, benefits such as housing and cars, travel and transportation expenses, detailed donations made by the company, and a list of board members, with their share ownership and membership duration.

The relationship between the company and its shareholders is governed by the company's articles of association and the CL. Shareholders have the right to vote on important matters such as the election of directors, approval of major transactions and changes to the company's constitution by virtue of the CL. The articles of association also govern the relationship between the companies and shareholders in matters including (but not limited to) the voting rights of the shareholders and the distribution of dividends and profits.

Shareholders generally do not participate in the day-to-day management of the company, which is the responsibility of the board of directors. However, they have significant influence over major decisions through their voting rights. Shareholders can direct management actions by passing resolutions in general meetings, such as approving major transactions or changes in the company’s structure and/or objectives. They can also remove and appoint directors, giving them indirect control over management decisions.

Shareholders participate in the management of matters that are discussed in ordinary general assembly and extraordinary general assembly meetings, as indicated in 5.3 Shareholder Meetings.

Shareholder meetings are required by law, with the annual general assembly meeting being the most significant. The meeting must be held within a specified period following the end of the company’s financial year. The rules governing these meetings include giving adequate notice to shareholders, providing them with relevant information, and ensuring their right to attend, speak and vote on matters. Extraordinary general assembly meetings can be convened to address significant matters indicated within the CL.

The agenda of the ordinary general assembly meeting generally includes:

  • discussing the director's or board's report on the company's activities, financial position and operations during the previous fiscal year, as well as future plans;
  • reviewing and approving the company’s budget, profit and loss account, and cash flows after the auditors' report;
  • electing the company’s director or board of directors in accordance with the law;
  • electing the company’s auditors and determining their remuneration; and
  • addressing any other matters related to the company that are presented by the director, board or any partner, provided the general assembly agrees to discuss them. These additional matters must not include items that are required by law to be presented only in an extraordinary meeting.

The general assembly is called to an extraordinary meeting to discuss specific matters that cannot be addressed unless they are listed in the meeting invitation. These matters include:

  • amending the company’s articles of association;
  • reducing or increasing the company’s capital and specifying the method for capital increase;
  • merging the company or its consolidation in any manner specified by law;
  • dissolving and liquidating the company;
  • dismissing the company's director or board of directors or any of its members;
  • selling the company’s assets, or acquiring at least 50% of another company;
  • any other matter that falls within the jurisdiction of the extraordinary general assembly as specified by the CL or the company’s articles of associations;
  • issuing loan bonds convertible into shares.

Shareholders can bring claims against the company or its directors on various bases, including breach of fiduciary duties, mismanagement or violation of shareholders' rights. They can also file derivative suits on behalf of the company if the board fails to act against directors who have breached their duties.

Shareholders holding at least 10% of the capital of a PC, PSC or LLC, or at least one quarter of the members of the board of directors or board of managers, as applicable, may request the Companies Controller to conduct an audit of the company's affairs and records. If the Companies Controller is convinced of the validity of the request, they may appoint one or more experts for this purpose.

If the audit reveals any violations that warrant further investigation, the minister may refer the matter to an investigative committee composed of department employees to verify the violation and review the expert's report. The committee has the authority to examine relevant documents and records, re-audit specific issues if necessary, and recommend that the Companies Controller instructs the company to implement the recommendations or refer the matter to the competent court, as appropriate.

By virtue of the CL, PCs must provide the controller with a report that includes the names of the subscribers and the number of shares each of them has subscribed to, within a period not exceeding 30 days from the date of closing any subscription in the shares of the PC company.

Article 146 of the CL provides that every member elected to the board of any PC company must inform the Companies Controller in writing of the names of the companies in which they hold board memberships.

All companies must file an annual disclosure of the beneficial owner of the company, irrespective of the company type.

Companies are subject to annual and periodic financial reporting requirements. They must prepare and submit the following documents to the CCD annually, which must all be audited by a certified public accountant:

  • the company’s audited financial statements;
  • the company's annual budget and final account;
  • the profit and loss statement;
  • necessary clarifications; and
  • a cash flow statement.

This audit must be conducted in accordance with internationally recognised and accepted accounting and auditing standards. An annual report on the company’s activities must also be prepared.

Companies are obliged to disclose their shareholders, authorised signatories and board of directors’ members to the CCD by virtue of Minutes of Meeting that identify such individuals and provide their identification documents.

Companies are required to make various filings with the companies’ registry, including their articles of association, annual financial statements, ultimate beneficial ownership forms, vocational licences, social security statements, details of directors and officers, and any changes to the company's structure or ownership.

The shareholders’ information, their percentage of shares and directors’ information are publicly available. Other mandatory filings include articles of association, financial statements, ultimate beneficial ownership forms, vocational licences and social security statements, which are only available for shareholders in the company.

Failure to make these filings can result in penalties, legal action and potential suspension of the company.

Companies must appoint an auditor to audit their financial statements by virtue of a general assembly meeting to appoint the auditor.

The auditor must be qualified, ensuring an unbiased review of the company’s financial status. As per Article 192 of the CL, the general assembly of each PC, LLC and PSC shall elect one or more auditors from among the licensed professionals for a term of one year, which is renewable, and shall determine their fees or delegate the board of directors to set the fees. The company must notify the elected auditor in writing within 14 days from the date of their election. If the general assembly of the company fails to elect an auditor, or if the elected auditor declines the appointment, is unable to perform their duties for any reason or passes away, the board of directors must nominate at least three auditors to the Companies Controller within 14 days from the date the position becomes vacant, from which the Companies Controller will select one.

Auditors must conduct the auditing in accordance with best financial international practices, and shall prepare the audited financial statements, in addition to the auditor’s report, which shall be read to and approved by the general assembly. Furthermore, the general assembly shall have the right to address questions regarding the financial statements to the auditor, who will address such inquiries.

Directors are required to establish and maintain effective risk management and internal control systems by assessing risks that could affect the company's operations and ensuring that appropriate internal controls are in place to safeguard the company’s assets and ensure compliance with laws and regulations.

The directors are required to call an extraordinary general assembly meeting of the company if the company suffers losses that exceed specific percentages of its capital (depending on the company type), so as to decide either to liquidate the company or to take any other decision that ensures the company's ability to fulfil its obligations and rectify its status.

Sa’ed Karajah & Partners LLP Attorneys at Law & Legal Counselors

Salem Al-Hendawi St. 23
Amman
Jordan

+962 6 562 0132

+962 6 562 0132

operations@karajahlaw.com www.karajahlaw.com
Author Business Card

Trends and Developments


Authors



Sa’ed Karajah & Partners LLP Attorneys at Law & Legal Counselors (SKP) is a pioneering law firm in Jordan, with over 25 years of legal expertise. As a trusted adviser for both local and international clients, including financial institutions, public authorities and SMEs, SKP delivers tailored advice to foster clients’ growth. Founded in 1996 by Sa'ed Karajah, the firm prioritises innovation as a catalyst for progress. Its multidisciplinary approach and sector-specific proficiency enable SKP to offer comprehensive services, bridging communication between clients and global stakeholders. From contributing to the development of key Jordanian laws to engaging in cutting-edge legal matters, SKP prioritises holistic guidance and innovative legal solutions. The firm's culture of continual learning and co-mentorship ensures the delivery of top-notch advice across various sectors. SKP recognises the intrinsic link between its work and various communities, motivating its dedication to offering pro bono legal services to disenfranchised individuals and initiatives.

Corporate Governance in Jordan: an Introduction

The Jordanian privacy and cybersecurity regulatory framework: insights for legal compliance

Jordan has recently enacted a comprehensive Personal Data Protection Law, Law No 24 of 2023 (PDPL). This law regulates the collection and processing of personal data belonging to natural persons, and establishes legal requirements for the transfer of personal data outside Jordan. The PDPL grants rights for data subjects and imposes obligations on personal data controllers and processors, establishing a comprehensive privacy law that aligns with the General Data Protection Regulation (GDPR) enacted in the European Union.

The scope of the PDPL is very broad as it does not distinguish between citizens, residents and foreigners. The PDPL refers to the Data Subject as a natural person whose personal data is being processed. Furthermore, the text of the PDPL expressly provides for the retroactive application of the law that applies to personal data even when it is collected or processed prior to the entry into force of the law.

The PDLP was enacted on 17 March 2024. All entities processing personal data must comply with the legal requirements of the law by 16 March 2025.

In addition to the PDPL, Jordan has enacted in 2019 the Cybersecurity Law, Law No 16 of 2019 (“Cybersecurity Law”), which focuses on protecting critical infrastructure and securing information systems. The Cybersecurity Law establishes legal requirements for reporting and mitigating cyber-incidents. Furthermore, the Electronic Crimes Law, Law No 17 of 2023 (“Electronic Crimes Law”) addresses specific cybercrimes, including unauthorised access, data theft and cyberfraud.

The PDPL, the Cybersecurity Law and the Electronic Crimes Law play a pivotal role in shaping the legal landscape in Jordan. These laws enacted a legal framework to protect the personal data of data subjects and manage and regulate cyber-attacks, and set forth legal grounds to prosecute cybercrimes. Complying with these laws is crucial, as severe penalties can result from the breach of any of the legal requirements imposed on organisations. As the regulatory framework is relatively recent, the enforcement requirements and regulatory framework are expected to evolve.

Compliance obligations related to the collection and processing of personal data

Consent and legitimate processing, transparency and accountability

Processing is defined under the PDPL as one or more operations performed by any form or means for the purpose of collecting, recording, copying, saving, storing, organising, refining, exploiting, using, sending, distributing, publishing, linking with other data, making available, transferring, displaying, anonymising, encoding, destroying, restricting, erasing, modifying, characterising or disclosing data.

Under the PDPL, the person or entity who has custody over personal data is called a data controller and is accountable for ensuring compliance with all legal obligations and for maintaining records of personal data processing activities. Processors are any person or entity that processes personal data on behalf of data controllers.

Prior to collecting or processing personal data, consent is required. Such consent must be for legitimate purposes, and may only be collected or processed as required to achieve the purpose for which it was collected. Personal data cannot be processed without prior, explicit and documented consent being given by the data subject or unless legally permitted. Consent must be informed, clear and specific to the processing purpose(s) and duration, especially when it comes to processing sensitive data.

Personal data processing without consent is permissible only in specific situations, such as for legal duties of public entities, medical necessities, protecting vital interests, legal proceedings purposes, central bank supervision, or if required by law.

Data subjects have the right to object to the processing of their personal data that is unnecessary, excessive, discriminatory or unfair, and may even revoke any consent previously granted to the data controller. The data subject is granted the right to refuse certain processing if it is unnecessary for the purposes for which the data was originally collected, or if it infringes on their rights, such as the data subject’s right to restrict processing within a specific scope. This objection should be evaluated on a case-by-case basis, taking into consideration the specific circumstances and the legitimate interests of both the data subject and the data controller/processor. If the objection is upheld, the data controller must cease the processing activities that are deemed unnecessary or unjustified. In addition, the data controller should provide clear and accessible mechanisms for data subjects to exercise this right, ensuring transparency.

Personal data accuracy and limitation

Data subjects have rights to access, correct, update, restrict, erase or transfer their personal data. These rights should be granted by virtue of mechanisms that the controller needs to put in place, whether through technological solutions or the ability to contact the controller to exercise these rights.

When processed, personal data must be accurate, relevant and kept up to date. Unless otherwise required by law or upon the request of the data subject, personal data must be deleted or transferred after the processing purpose has been completed or fulfilled.

Personal data transfer and confidentiality

Personal data may be transferred for different purposes, including transferral to service providers of the controller who would be processing personal data, or upon the request of the data subject in accordance with their right to transfer their personal data to a third party of their choice. In carrying out such transfer processes, the following considerations shall be taken into account.

  • Personal data confidentiality must be maintained during and following any transfer. In this case, the controller must verify the recipient's protection level to ensure data security before the transfer.
  • Personal data transfers outside the controller’s organisation require the following conditions to be satisfied and must be justified by legitimate interests:
    1. the transfer of personal data requires the consent of the data subject;
    2. the transfer must serve the legitimate interests of both the controller and the recipient;
    3. the data subject must be informed about the recipient and the intended use of their personal data;
    4. personal data should not be used for marketing, unless the individual consents to such use;
    5. the controller must keep records of the personal data transferred, the purpose, and the consent obtained;
    6. the recipient has the same legal obligations imposed on the data controller; and
    7. all parties must ensure the safety and security of personal data and provide means to detect and address security breaches.
  • Personal data cannot be transferred if the recipient offers a lower level of protection than required by Jordanian law. Exceptions to the lack of data adequacy include:
    1. judicial co-operation under valid agreements;
    2. co-operation with international or regional bodies working on crime prevention;
    3. medical data transfer necessary for treatment;
    4. personal data related to epidemics, health disasters or public health;
    5. the consent of the data subject after being informed of inadequate protection; and
    6. banking operations and money transfers.

Appointment of Data Protection Officer and responsibilities

Within the category of personal data lies a subset known as sensitive personal data, which requires additional protection due to the potential harm it could cause if disclosed or misused. This type of data includes identifiers such as racial or ethnic origin, political opinions, religious beliefs, financial status, health conditions, genetic data, biometric data and criminal records. Unlike general personal data, sensitive data involves greater risks, necessitating stricter protection measures.

Given the sensitive nature of personal data that may be collected and processed, controllers dealing with sensitive personal data must appoint a Data Protection Officer (DPO) to ensure the protection of the personal data collected and mitigate any harm that may ensue if a breach occurs.

The data controller must also appoint a DPO in the following other specific situations:

  • if the main activity of the controller revolves around processing personal data;
  • if the data subject lacks legal capacity;
  • if the processing of personal data involves financial data; or
  • if processing is related to a cross-border transfer of personal data outside of Jordan.

The Personal Data Protection Council was established in accordance with the provisions of the Personal Data Protection Law (PDPL) and also has the authority to determine any other situation where the appointment of a DPO is mandatory.

The DPO shall have the responsibility to oversee data protection practices, ensure compliance, conduct periodic audits and serve as a liaison for data protection inquiries.

Obligations related to secure data handling

Secure methods must be employed for the transfer of personal data, and all parties involved must ensure personal data security and integrity. Specifically, the data controller is obliged to ensure the secure handling of personal data by:

  • protecting personal data using appropriate security measures against unauthorised access, alteration or destruction;
  • establishing and publishing procedures for handling personal data processing and responding to complaints;
  • facilitating individuals' rights to access, correct and manage their data securely; and
  • ensuring that processing is limited to the purposes for which personal data was collected.

Obligations in the event of breach of data security

In the event of a breach of data security and safety that could cause significant harm to the data subject, the data controller/processor must:

  • notify the affected individuals whose personal data has been compromised within 24 hours of discovering the breach, and provide them with necessary measures to avoid any consequences that may result from this breach; and
  • notify the regulatory unit responsible for personal data protection within the Ministry of Digital Economy and Entrepreneurship (Personal Data Unit) within 72 hours of discovering the breach about the source of the breach, its impact and effects, the individuals whose data has been compromised, and any other significant available information.

The party responsible for the breach of confidentiality and security of the personal data may be obliged to compensate the individual concerned for any harm or damage that has been caused as a consequence of such breach. The controller could be held accountable for not taking precautionary measures or for failing to abide by its legal obligations. However, responsibility could also lie with a third party, such as an individual or another organisation, that breached the organisation's security system.

If the breach of the data security was caused by a cyber-attack, organisations are also required to follow the instructions issued pursuant to the Cybersecurity Law. A cybersecurity incident is defined under the Cybersecurity Law as an act or attack that poses a risk to data, information, information systems, information networks or related infrastructure, and requires a response to stop it or mitigate its consequences or effects.

Upon receiving a complaint from the affected entity, the National Cybersecurity Centre shall take the appropriate action to address the reported cybersecurity incident and prevent its occurrence or continuation. The National Cybersecurity Centre shall manage and respond to cybersecurity reporting if it is considered to be highly severe. An incident is classified as “highly severe” if it leads to a complete disruption of essential services, involves the leakage, destruction or erasure of sensitive data, and has a significant impact on more than one piece of critical infrastructure or on more than a third of Jordan's population.

The organisation must also follow the instructions and directives of the National Cybersecurity Centre if a cybersecurity incident is classified as “moderate”. A moderate cybersecurity incident may include utilising the Centre’s response team or engaging a licensed entity to provide cybersecurity incident response services and submit a detailed report about the incident to the Centre. The qualification of an incident as “moderate” requires it to have significant but non-impactful consequences, which includes:

  • scanning and reconnaissance operations affecting data and services across multiple critical infrastructures;
  • non-impactful intrusion attempts or scans that impact critical infrastructure, security agencies, government entities or their supply chains;
  • the leakage, destruction or erasure of sensitive data;
  • malware;
  • network breaches impacting higher education institutions; and
  • the complete disruption of essential services affecting private entities.

A cybersecurity incident is considered as “low” if it involves non-impactful intrusion attempts on sensitive data and services or scanning and reconnaissance operations that impact data and services, affecting higher education institutions, or if there is no complete disruption of essential services affecting only private entities. When the cybersecurity incident is qualified as “low”, the affected entity, response teams or licensed entities are also required to intervene and handle the response.

The National Cybersecurity Centre is responsible for managing and directing the response to cyber-attacks or threats. All relevant entities impacted by a cyber-attack, regardless of their level of severity, must comply with the Centre’s directives and instructions based on the classification of the attack.

Legal penalties for non-compliance

A breach of the regulatory framework related to personal data protection can result in severe penalties, emphasising the need for compliance and proactive risk management within organisations. Under the Electronic Crimes Law, unauthorised access to information systems can lead to imprisonment of up to three years and fines of up to JOD15,000. Tampering with websites or publishing private media incurs similarly strict penalties. The PDPL provides for additional penalties, including fines of up to JOD10,000, potential licence suspension or cancellation, and the obligation to compensate affected individuals.

When a violation is identified, the Personal Data Unit issues a warning to the non-compliant party, instructing it to stop the violation and remedy its causes and effects within a specified period. If the violator does not comply within this timeframe, the Personal Data Protection Council, based on the Personal Data Unit’s recommendations, can impose various penalties, including:

  • issuing a warning of potential licence suspension or revocation;
  • actually suspending or revoking the licence, either partially or completely; or
  • imposing a daily fine of up to JOD500 for each day the violation continues, with a total limit of 3% of the violator's total annual revenue from the previous financial year.

Repeated violations can result in doubled fines and the mandatory destruction of unlawfully obtained data.

Moreover, the Personal Data Unit has the authority to publish a public statement about the confirmed violations at the violator's expense, using whatever means it sees fit. Importantly, these penalties do not prevent the affected individuals from seeking civil compensation for damages caused by the violation.

Practical recommendations for legal compliance

The following actions are recommended in order to ensure compliance.

  • Ensure that consent given by the user is specific, informed and unambiguous. Always inform the data subject about the different ways information is collected, whether generated automatically (such as through Wi-Fi use or the IP address), provided by the data subject or obtained from third-party sources.
  • Appoint a DPO if there is an intention to collect and process sensitive or financial personal data.
  • Conduct regular training for staff on data protection principles, the rights of data subjects and breach response.
  • Perform adequacy and verification assessments before transferring data internationally, to ensure that the recipient offers a level of protection equivalent to Jordanian data protection law.
  • Embed privacy protection into all aspects of the organisation by adopting a “Privacy by Design” approach. When developing new products, prioritise privacy by incorporating features that protect personal data and give users control over their information and preferences. Develop an internal privacy governance framework with designated roles and responsibilities to oversee and enforce privacy practices across the organisation.
  • Integrate contractual clauses related to cybersecurity standards and the liability of employees, suppliers and third parties in the event of a data breach. Set out clear terms and conditions with clients and third-party contractors regarding data protection and cybersecurity obligations.
  • Design cybersecurity frameworks and policies that comply with legal requirements. Implement internal policies to ensure data security.
  • Ensure transparency and clarity in data processing practices.
Sa’ed Karajah & Partners LLP Attorneys at Law & Legal Counselors

Salem Al-Hendawi St. 23
Amman
Jordan

+962 6 562 0132

+962 6 562 0132

operations@karajahlaw.com www.karajahlaw.com
Author Business Card

Law and Practice

Authors



Sa’ed Karajah & Partners LLP Attorneys at Law & Legal Counselors (SKP) is a pioneering law firm in Jordan, with over 25 years of legal expertise. As a trusted adviser for both local and international clients, including financial institutions, public authorities and SMEs, SKP delivers tailored advice to foster clients’ growth. Founded in 1996 by Sa'ed Karajah, the firm prioritises innovation as a catalyst for progress. Its multidisciplinary approach and sector-specific proficiency enable SKP to offer comprehensive services, bridging communication between clients and global stakeholders. From contributing to the development of key Jordanian laws to engaging in cutting-edge legal matters, SKP prioritises holistic guidance and innovative legal solutions. The firm's culture of continual learning and co-mentorship ensures the delivery of top-notch advice across various sectors. SKP recognises the intrinsic link between its work and various communities, motivating its dedication to offering pro bono legal services to disenfranchised individuals and initiatives.

Trends and Developments

Authors



Sa’ed Karajah & Partners LLP Attorneys at Law & Legal Counselors (SKP) is a pioneering law firm in Jordan, with over 25 years of legal expertise. As a trusted adviser for both local and international clients, including financial institutions, public authorities and SMEs, SKP delivers tailored advice to foster clients’ growth. Founded in 1996 by Sa'ed Karajah, the firm prioritises innovation as a catalyst for progress. Its multidisciplinary approach and sector-specific proficiency enable SKP to offer comprehensive services, bridging communication between clients and global stakeholders. From contributing to the development of key Jordanian laws to engaging in cutting-edge legal matters, SKP prioritises holistic guidance and innovative legal solutions. The firm's culture of continual learning and co-mentorship ensures the delivery of top-notch advice across various sectors. SKP recognises the intrinsic link between its work and various communities, motivating its dedication to offering pro bono legal services to disenfranchised individuals and initiatives.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.