Lawzana Lawzana Logo
FIND A LAWYER
Lawzana Logo
For Lawyers
Pricing & Plans Websites for lawyers Marketing services Legal Jobs Blog
REGISTER FOR FREE

Existing user? Sign in

PDPL Hashemite Kingdom of Jordan Is Your Business Compliant?

Media, Technology and Telecoms
Hashemite Kingdom of Jordan
Updated Nov 18, 2025
  • Jordan's PDPL (Law No. 24 of 2023) is in full force with a grace period that ends in March 2025 - regulators will expect real compliance, not only plans, after that date.
  • A "Data Controller" in Jordan decides why and how personal data is processed, while a "Data Processor" acts only on documented instructions from the controller and cannot use the data for its own purposes.
  • Consent must be specific, informed, freely given, and documented; pre-ticked boxes, bundled consents, or silence are very unlikely to meet PDPL standards.
  • Individuals in Jordan gain strong rights under PDPL, including the Right to Access their data and the Right to be Forgotten (erasure), which businesses must handle through clear internal procedures and timelines.
  • Telecoms, ISPs, digital platforms, and media companies face higher regulatory scrutiny, as PDPL interacts with sector rules issued by the Telecommunications Regulatory Commission (TRC) and Audiovisual Media Commission.
  • Most medium-to-large businesses should expect to invest tens of thousands of Jordanian dinars in PDPL readiness (policies, systems, training) and should prioritize data mapping, contract updates, and consent workflows before March 2025.

How is the media, technology and telecoms sector regulated in Jordan?

Jordan regulates media, technology, and telecoms through a mix of sector-specific laws and cross-cutting rules such as the PDPL, the Cybercrime Law, and electronic transactions legislation. Any business that provides connectivity, digital content, online services, or processes customer data in Jordan will likely fall under multiple overlapping legal regimes.

Key statutes and frameworks include:

  • Telecommunications Law No. 13 of 1995 (as amended) - core framework for telecoms licensing, interconnection, spectrum, and consumer protection in telephony and internet services.
  • Audiovisual Media Law No. 26 of 2015 (and related regulations) - regulates TV, radio, and some online broadcasting/content services.
  • Personal Data Protection Law No. 24 of 2023 (PDPL) - horizontal law governing the collection, processing, transfer, and storage of personal data in Jordan, in force with a grace period until March 2025.
  • Cybercrime Law No. 17 of 2023 - addresses unlawful online content, hacking, unauthorized access, and certain speech-related offenses.
  • Electronic Transactions Law No. 15 of 2015 - governs electronic signatures, electronic records, and validity of e-contracts.
  • Payment and fintech regulation under the Central Bank of Jordan (CBJ) - for e-payment services, digital wallets, and certain fintech products.

These laws operate together: for example, a telecom operator must comply with TRC licensing conditions, PDPL data rules, and Cybercrime Law obligations for security and unlawful content. Technology and media businesses should therefore approach compliance as an integrated program rather than a set of isolated checklists.

Who are the main regulators for media, technology and telecoms in Jordan?

The main regulators in Jordan are the Telecommunications Regulatory Commission (TRC) for telecoms and internet, the Audiovisual Media Commission (AVMC) for broadcasting and certain media services, and the Ministry of Digital Economy and Entrepreneurship (MoDEE) for digital policy and PDPL oversight. The Central Bank of Jordan regulates payment services and fintech, while sectoral ministries may also have a role for specific industries.

The key institutions and their roles are:

  • Telecommunications Regulatory Commission (TRC)
    • Licenses telecom operators, ISPs, and certain data services.
    • Issues technical and consumer regulations (QoS, number portability, interconnection).
    • Imposes administrative penalties for non-compliance with telecom laws and licenses.
  • Audiovisual Media Commission (AVMC)
    • Licenses and supervises TV and radio broadcasters, and some OTT or IPTV services.
    • Monitors program content, advertising rules, and certain local content obligations.
  • Ministry of Digital Economy and Entrepreneurship (MoDEE)
    • Leads digital transformation and ICT policy.
    • Hosts or oversees the data protection authority / council created under PDPL, responsible for issuing executive regulations and guidance.
  • Central Bank of Jordan (CBJ)
    • Licenses and supervises payment service providers, e-money issuers, and certain fintech products.
    • Issues cybersecurity and data security requirements for financial institutions, which apply in parallel to PDPL.
  • Other authorities
    • Cybercrime Unit in Public Security Directorate - enforcement of the Cybercrime Law.
    • Sector ministries (health, education, tourism) may set specific rules on sensitive sectoral data and content.

For any project, you should map which regulators are relevant, which licenses or notifications are required, and how PDPL compliance interacts with your sector licenses and technical obligations.

What is the difference between a Data Controller and Data Processor under Jordan's PDPL?

Under Jordan's PDPL, a Data Controller determines the purposes and means of processing personal data, while a Data Processor processes personal data solely on behalf of and under the instructions of the controller. Controllers hold primary responsibility for compliance, but processors now face direct obligations and liability for breaching PDPL or acting beyond instructions.

Core definitions and roles

  • Data Controller
    • Decides "why" and "how" personal data is processed (purposes and essential means).
    • Usually the entity that has a direct relationship with the data subjects (customers, users, employees).
    • Bears the main responsibility to:
      • Identify lawful bases (consent or other grounds).
      • Provide privacy notices and obtain valid consent.
      • Enable data subject rights (access, erasure, etc.).
      • Ensure processors meet PDPL standards via contracts and due diligence.
  • Data Processor
    • Processes personal data only for the controller and only for the purposes documented in a binding contract.
    • Cannot decide new purposes, combine datasets for its own benefit, or re-use the data for unrelated services.
    • Must implement security measures, keep records (as prescribed in future regulations), and assist the controller with rights requests and breaches.

Practical examples in Jordan

  • Telecom operator providing mobile services: operator is the controller for subscriber data; its outsourced billing platform provider is usually a processor.
  • E-commerce platform:
    • The platform itself is normally the controller for customer accounts, browsing, and purchase history.
    • Cloud hosting provider, CRM vendor, and email marketing agency are typically processors.
  • Ad-tech scenarios: an ad network that decides profiling criteria and targeting parameters for multiple clients may be a joint controller, not only a processor.

Contracting between controllers and processors

PDPL requires that controller-processor relationships be governed by a written contract that sets clear obligations. For any service agreement involving personal data, you should build in PDPL-compliant clauses.

Typical contractual points include:

  • Scope, duration, categories of data, and processing purposes.
  • Obligation to follow only documented instructions from the controller.
  • Security and confidentiality requirements, including subcontracting conditions.
  • Assistance with data subject requests and regulatory investigations.
  • Incident reporting timelines for data breaches.
  • Restrictions on cross-border transfers unless conditions for international transfer under PDPL are met.

If your organization is a processor, you must avoid "function creep": do not use client data to build your own analytics products or training datasets unless you have a clear controller role and lawful basis for that separate processing.

How should businesses obtain and manage consent for customer data under the Jordanian PDPL?

Businesses in Jordan should obtain consent in a clear, specific, and documented manner, making sure individuals understand what data is collected and for which purposes. PDPL generally expects consent to be freely given, informed, and unambiguous, and businesses must be able to prove it if audited by the data protection authority.

What makes consent valid under PDPL?

  • Specific: consent should cover identified purposes (for example, "account management" and "marketing by email"). Blanket consent "for all purposes" is risky.
  • Informed: individuals must receive concise, understandable information about:
    • Who is the controller (legal entity and contact details).
    • What data will be collected.
    • Why it is needed and how it will be used.
    • Who it may be shared with (categories of recipients).
    • How long it will be kept or the criteria for retention.
    • What rights they have and how to exercise them.
  • Freely given: consent should not be bundled with unrelated services or made a condition for something that does not need that data.
  • Unambiguous: consent should be given through a clear affirmative action, such as ticking an unchecked box, clicking "I agree" next to specific terms, or signing a form.

When is consent needed vs other legal bases?

PDPL will generally recognize several lawful bases for processing, although consent is the most visible. You should not over-use consent where another basis is more appropriate.

  • Use consent especially for:
    • Direct marketing via SMS, email, or app notifications.
    • Profiling or analytics not strictly necessary for service delivery.
    • Sharing data with third parties for their independent marketing.
    • Processing sensitive data (for example, health, biometric, or financial data) where required under PDPL and sector laws.
  • Use other lawful bases (such as legal obligation or contract necessity) where:
    • You must retain or share data to comply with TRC, CBJ, tax, or AML regulations.
    • You process data because it is strictly necessary to perform a contract with the user (for example, delivering a paid service).

How to design consent flows in practice

  1. Map all consent-triggering activities:
    • Marketing communications (by channel).
    • Cookies and tracking (if you operate websites or apps targeting Jordan).
    • Location tracking, behavioral profiling, or credit scoring.
  2. Draft purpose-specific language:
    • Use short labels with links to fuller privacy notices.
    • Separate "service" consents from "marketing" consents.
  3. Implement granular choice:
    • Allow users to opt in separately for email, SMS, and push notifications.
    • Avoid pre-ticked boxes or implied consent through silence.
  4. Capture and store evidence:
    • Log who gave consent, how, when, for what purposes, and through which interface.
    • Ensure logs are exportable for potential audits by the PDPL authority.
  5. Allow easy withdrawal:
    • Provide unsubscribe links, account settings, or in-app toggles.
    • Honor withdrawals quickly and update marketing lists accordingly.

Jordan-based businesses should review all legacy consents collected before PDPL and refresh them if they do not meet the new standards, especially for ongoing marketing and profiling activities.

What new rights do individuals have over their data in Jordan (including Right to be Forgotten and Right to Access)?

Individuals in Jordan gain robust rights under PDPL, including the Right to Access their personal data and the Right to be Forgotten (erasure) in specific circumstances. Businesses must build processes to receive, verify, and respond to these requests within legally prescribed timeframes.

Core PDPL data subject rights

Although specific wording is in PDPL articles and implementing regulations, rights broadly align with international practice and include at least:

  • Right to be informed: to know who is processing their data, for what purposes, and with whom it is shared.
  • Right of access: to obtain confirmation that their data is processed, and to receive a copy of relevant personal data and key information about the processing.
  • Right to rectification: to have inaccurate or incomplete data corrected.
  • Right to erasure ("Right to be Forgotten"): to request deletion of personal data where:
    • The data is no longer needed for the original purposes.
    • Consent was withdrawn and there is no other legal basis.
    • The processing is unlawful or exceeds what PDPL allows.
  • Right to object or restrict processing: particularly for direct marketing, profiling, or decisions based solely on automated processing.
  • Right to complain to the PDPL authority or council if they believe their rights were violated.

Handling Right of Access requests

You should design a standardized workflow for access requests so that front-line staff do not improvise. Typical procedural steps include:

  1. Intake:
    • Provide a clear channel: a dedicated email address, online form, or customer service hotline.
    • Accept requests free of charge as a default, unless PDPL regulations allow a fee for manifestly excessive requests.
  2. Verify identity:
    • Use reasonable verification (for example, one-time codes to registered email/phone, or ID match for high-risk data).
  3. Locate data:
    • Search all relevant systems: CRM, billing, marketing tools, logs, and archives.
  4. Respond within deadlines:
    • PDPL is expected to set clear timelines (often 30 days, with possible extensions in complex cases).
    • Document any extension and reasons.
  5. Provide a clear response:
    • Include a copy of personal data in an understandable format.
    • Explain key processing details and inform the individual of their other rights.

Handling Right to be Forgotten requests

Erasure requests are more delicate because you must balance individual rights with other legal and regulatory obligations. The default is to delete or anonymize data unless a valid exception applies.

  • Identify the legal basis for the original processing:
    • If it relied solely on consent and consent is withdrawn, you will usually have to erase.
  • Check mandatory retention obligations:
    • TRC, CBJ, tax authorities, and AML laws may require retention for a specific period (for example, invoices, call records, transaction logs).
    • In such cases, restrict access and use the data only for compliance purposes until the retention period expires.
  • Consider legitimate interests and ongoing disputes:
    • If data is needed for legal claims, fraud prevention, or security incidents, PDPL may allow continued limited processing.
  • Implement a repeatable technical process:
    • Configure systems to erase or anonymize data across production databases, backups (when feasible), and third-party processors.
    • Notify relevant processors and partners about the erasure request, where applicable.

Given the March 2025 deadline, Jordanian businesses should prioritize building at least basic rights-handling workflows, then improve automation over time.

How does PDPL compliance intersect with telecom, digital platforms and media services in Jordan?

PDPL applies across all sectors in Jordan and sits on top of telecom and media regulations, so telecom operators, ISPs, OTT platforms, and broadcasters must comply with both PDPL and sector-specific rules. In practice, PDPL strengthens existing confidentiality, interception, and content rules already imposed by TRC and AVMC.

Telecom operators and ISPs

  • Subscriber data:
    • Core customer data (identity, contact details, billing records) falls directly under PDPL.
    • TRC rules on retention and security continue to apply in parallel.
  • Traffic and location data:
    • Highly sensitive under PDPL, often subject to strict access controls and security requirements.
    • Use for marketing or analytics typically requires explicit consent and strong safeguards.
  • Lawful interception and data disclosure:
    • Telecom operators may be obliged to provide data to law enforcement under specific legal orders.
    • PDPL will not override such obligations, but operators must ensure disclosure is strictly limited to what the order requires.

Digital platforms, apps, and cloud services

  • Platform as controller:
    • Social networks, marketplaces, ride-hailing apps, and streaming services are usually controllers for user data.
    • They must address PDPL in their terms of service, privacy policies, and product design.
  • Use of cookies and trackers:
    • Although Jordan has no detailed "cookie law" equivalent yet, PDPL consent standards apply to tracking that identifies or profiles users.
    • Transparency and consent banners for targeting cookies and SDKs are recommended, especially for ad-supported platforms.
  • Cross-border data transfers:
    • Cloud and SaaS providers often store data outside Jordan.
    • PDPL sets conditions for transferring personal data abroad, likely including adequacy, safeguards, or explicit consent; by-laws and guidance will clarify the exact mechanisms.

Media companies and content providers

  • Audience measurement and ad-tech:
    • TV, radio, and online publishers that track users or sell targeted advertising must comply with PDPL's rules on profiling and marketing consent.
  • User-generated content:
    • Platforms that host comments, forums, or videos must handle data subject rights requests related to that content, including erasure where appropriate.
  • Journalistic and public interest exemptions:
    • PDPL is expected to contain specific exemptions or balancing tests for journalistic, academic, or public interest processing, but the scope will depend on the final text and guides.

Businesses that operate across these areas must harmonize their compliance approach so that user experience is consistent across apps, websites, and offline channels, while still meeting the detailed requirements of each regulator.

What are the key PDPL compliance steps and typical costs for businesses in Jordan?

To comply with PDPL before the March 2025 grace period ends, businesses in Jordan should run a structured compliance program including data mapping, gap analysis, policy updates, contract remediation, and technical controls. Costs vary, but medium-to-large organizations should budget at least tens of thousands of Jordanian dinars, depending on complexity and reliance on external consultants or technology.

10-step roadmap to PDPL readiness

  1. Appoint a PDPL lead or committee:
    • Nominate a senior person or small team (legal, IT, compliance) to own the project.
  2. Map data processing activities:
    • Identify what personal data you collect, where it is stored, who accesses it, and who you share it with.
    • Create a data inventory and data flow diagrams.
  3. Classify controller vs processor roles:
    • Determine where you act as controller, processor, or joint controller.
    • Align your contracts and responsibilities accordingly.
  4. Review legal bases and consents:
    • Document lawful bases for each processing activity.
    • Refresh consents and adjust interfaces for PDPL requirements.
  5. Update privacy notices and policies:
    • Draft or revise external privacy notices (websites, apps, customer contracts).
    • Create internal policies for staff handling of personal data.
  6. Remediate contracts with vendors and partners:
    • Add PDPL clauses to contracts with processors and joint controllers.
    • Address cross-border transfers explicitly.
  7. Implement technical and organizational security measures:
    • Access controls, encryption, logging, backups, incident response plans.
    • Align with any sector-specific cybersecurity requirements (TRC, CBJ, etc.).
  8. Set up rights-handling procedures:
    • Define workflows for access, rectification, erasure, and objections.
    • Train customer support and internal teams on how to respond.
  9. Plan for data breaches:
    • Define breach detection, escalation, and notification procedures.
    • Align with any PDPL requirements to notify the authority and data subjects.
  10. Train staff and embed PDPL into governance:
    • Run awareness sessions for all staff and specialized training for high-risk teams (marketing, IT, HR).
    • Include PDPL compliance in risk and internal audit frameworks.

Typical cost ranges in Jordanian dinars (JOD)

The table below provides indicative budget ranges for PDPL readiness in Jordan. Actual costs will depend on business size, sector, and how much work is done internally versus outsourced.

Item Small business
(< 50 employees)		 Medium business
(50-250 employees)		 Large business / Group
(250+ employees)
Initial PDPL legal gap analysis (one-off) JOD 3,000 - 7,000 JOD 7,000 - 20,000 JOD 20,000 - 50,000+
Policy drafting & contract remediation (internal + external support) JOD 2,000 - 5,000 JOD 5,000 - 20,000 JOD 20,000 - 60,000+
Technology & security upgrades (tools, licenses, configurations) JOD 5,000 - 15,000 JOD 15,000 - 60,000 JOD 60,000 - 200,000+
Staff training & awareness programs JOD 1,000 - 3,000 JOD 3,000 - 10,000 JOD 10,000 - 30,000+
Ongoing PDPL compliance monitoring (per year) JOD 2,000 - 5,000 JOD 5,000 - 15,000 JOD 15,000 - 50,000+

These figures reflect typical consulting and technology market rates in Jordan and the region; highly regulated sectors such as telecoms, banking, and large e-commerce platforms can expect to be at the higher end given complexity and scrutiny.

What penalties and enforcement risks apply for PDPL and sector non-compliance in Jordan?

PDPL and sector laws in Jordan provide for a mix of administrative fines, corrective orders, license-related measures, and, in serious cases, potential criminal liability under related laws like the Cybercrime Law. While detailed PDPL fine schedules will be fleshed out in executive regulations, businesses should assume that ignoring PDPL after March 2025 will carry material financial and reputational risk.

PDPL-related sanctions

The PDPL grants the data protection authority powers that are likely to include:

  • Warnings and corrective orders:
    • Ordering controllers or processors to stop unlawful processing.
    • Requiring changes to contracts, policies, or security measures.
  • Administrative fines:
    • Imposed for serious or repeated breaches such as processing without a lawful basis, failing to respect rights, or unlawful international transfers.
    • Exact amounts and calculation methods will depend on implementing regulations and may consider business size and gravity of breach.
  • Suspension or restriction of processing:
    • In extreme cases, the authority may restrict or suspend certain processing operations, which can effectively halt digital business models until remedied.

Telecom and media regulatory risks

  • TRC enforcement:
    • Breach of confidentiality, misuse of subscriber data, or failure to comply with security instructions can trigger fines, license conditions, or even suspension of specific services.
  • AVMC enforcement:
    • Breaches of content rules, advertising standards, or licensing terms for broadcasters and media platforms can lead to fines, program suspensions, or license revocation.

Cybercrime and related laws

  • Cybercrime Law exposure:
    • Incidents such as hacking, unlawful access, or unauthorized disclosure of stored data may trigger criminal liability in addition to PDPL sanctions.
  • Reputational and commercial risk:
    • Data breaches or public findings of PDPL violations can harm brand trust, affect partnerships with international clients, and complicate cross-border data flows.

With the March 2025 deadline, regulators are expected to shift from awareness-building to enforcement, starting with larger and higher-risk organizations in telecoms, finance, and digital platforms.

When should you hire a lawyer or expert for media, technology and data projects in Jordan?

You should involve a Jordanian media/tech and data protection expert when you launch or significantly change any data-heavy service, operate in regulated sectors such as telecoms or payments, or face complex cross-border data flows. Engaging the right expertise early usually reduces overall project risk and can avoid costly redesigns or sanctions later.

Typical triggers for legal or expert support

  • New digital product or platform:
    • Launching apps, OTT services, marketplaces, or AI-based products that collect or analyze user data.
  • Telecom or media licensing:
    • Applying for TRC licenses, MVNO arrangements, satellite services, or AVMC broadcasting/streaming licenses.
  • Cross-border data strategy:
    • Using regional or global cloud hosting, offshoring customer service, or integrating with foreign analytics and ad-tech providers.
  • High-risk processing:
    • Large-scale profiling, credit scoring, location tracking, biometrics, or handling health or financial data.
  • Vendor and partnership contracts:
    • Negotiating data processing agreements, joint controllership arrangements, and data-sharing partnerships.
  • Incident or investigation:
    • Data breaches, cyber incidents, or inquiries from TRC, AVMC, CBJ, or the PDPL authority.

What kind of expertise to look for

  • Local legal counsel with:
    • Experience in telecoms, IT, and media regulation.
    • Hands-on PDPL implementation experience and familiarity with upcoming executive regulations.
  • Technical and cybersecurity specialists:
    • To design and validate security controls, logging, and incident response consistent with PDPL and sector standards.
  • Privacy and compliance consultants:
    • To run data mapping, DPIAs (where required), training, and change management.

For larger projects, it is efficient to form a mixed team including legal, IT, business, and compliance stakeholders, with external experts guiding structure and detailed implementation.

What are the practical next steps for businesses before March 2025 in Jordan?

Before the PDPL grace period ends in March 2025, businesses in Jordan should prioritize a focused, risk-based compliance plan rather than aiming for perfection. Start with high-risk processing, customer-facing activities, and contracts that affect large numbers of users or sensitive data.

Immediate 90-day action plan

  1. Confirm PDPL accountability:
    • Formally appoint an internal owner for PDPL compliance and brief senior management on key obligations and risks.
  2. Perform a high-level data inventory:
    • Identify main systems holding personal data (CRM, HR, billing, marketing, analytics, cloud platforms).
    • Note any cross-border data flows.
  3. Fix obvious consent and notice gaps:
    • Update website/app privacy notices to reflect PDPL requirements.
    • Correct any pre-ticked boxes and unclear consents for marketing and tracking.
  4. Stabilize contracts with key processors:
    • Prioritize cloud providers, payment gateways, telecom partners, and marketing platforms for PDPL clause updates.
  5. Set up basic rights-handling channels:
    • Create an email or form for data rights requests.
    • Draft internal guidance for verifying identity and responding to access and erasure requests.
  6. Prepare for incidents:
    • Define what counts as a data breach, how staff should escalate, and who decides on notifications.

Medium-term enhancements (6-12 months)

  • Complete detailed data mapping and classification.
  • Conduct risk assessments for high-risk processing and implement stronger security controls.
  • Roll out structured training across the organization, especially to IT, product, marketing, HR, and customer support teams.
  • Integrate PDPL compliance into your broader governance, risk, and audit programs.

Taking visible and documented steps toward PDPL compliance before March 2025 will not only reduce enforcement exposure but also build trust with users, partners, and regulators in Jordan's evolving media, technology, and telecoms landscape.

Need Legal Guidance?

Connect with experienced corporate lawyers in your area for personalized advice.

Free consultation • No obligation

Connect with Expert Lawyers

Get personalized legal advice from verified professionals in your area

Akef Aldaoud & Partners Law Firm Logo
Since 1990
11 lawyers
Banking & Finance Intellectual Property Media, Technology and Telecoms +1 more
Call Now

All lawyers are verified, licensed professionals with proven track records

Disclaimer:
The information provided on this page is for general informational purposes only and does not constitute legal advice. While we strive to ensure the accuracy and relevance of the content, legal information may change over time, and interpretations of the law can vary. You should always consult with a qualified legal professional for advice specific to your situation.

We disclaim all liability for actions taken or not taken based on the content of this page. If you believe any information is incorrect or outdated, please contact us, and we will review and update it where appropriate.