The Need for Data Protection Officers in Jordan: Safeguarding Privacy in a Digital Age
In today’s digital landscape, personal data has become invaluable, with organizations across Jordan and beyond collecting, processing, and storing enormous amounts of sensitive information. Given the increase in data breaches and heightened public awareness of privacy issues, the appointment of Data Protection Officers (“DPOs”) has emerged as a crucial requirement under Jordan’s Personal Data Protection Law No. (24) of 2023 (“PDPL”).
Understanding the Role of the DPO
The DPO plays a pivotal role in ensuring an organization’s compliance with data protection regulations. Their primary responsibilities include monitoring compliance, advising on data protection issues, conducting training and awareness programs, and serving as a liaison between the organization, its employees, and regulatory authorities. This role is particularly important in light of the evolving and complex legal framework governing data protection in Jordan.
Legal Mandate for DPOs in Jordan
In accordance with the Personal Data Protection Law No. (24) of 2023 and its implementing regulations, the appointment of a Data Protection Officer (DPO) may be mandatory depending on the nature of the organization’s activities. In certain sectors, organizations are required to appoint a DPO and notify the Personal Data Protection Directorate of the appointee’s name and details, which are then recorded in the Directorate’s records.
In other sectors, however, the appointment of a DPO is not only mandatory but also subject to prior accreditation. In such cases, the organization must obtain the accreditation of the Personal Data Protection Council by submitting the necessary documentation and credentials of the intended appointee to the Personal Data Protection Directorate for official review. The Directorate then passes them to the Personal Data Protection Council for approval and accreditation.
In other instances, the appointment of a DPO remains optional and may be undertaken at the organization’s discretion.
Sectors Required to Appoint a Data Protection Officer (DPO):
Pursuant to Article 11 (A) of the aforementioned Law, the appointment of a DPO is mandatory in any of the following circumstances:
- Primary Data Processing Activity: Where the core business activity of the controller involves the regular and systematic processing of personal data.
- Processing of Sensitive Personal Data: This includes personal data relating to health, genetics, biometrics, criminal records, or any other category classified as sensitive by the Council.
- Processing of Data of Legally Incapable Individuals: Such as minors or persons under guardianship.
- Processing of Financial Information: Where the data includes any form of financial information.
- Cross-Border Data Transfers: Where data is transferred to databases or recipients located outside the Kingdom.
In addition, the Council may, by resolution, impose an obligation on a specific sector or entity to appoint a DPO.
Where any of the above conditions apply, the organization is required to appoint a Data Protection Officer (DPO) and notify the Personal Data Protection Directorate accordingly. The appointed DPO shall then serve as the official liaison between the organization and the Directorate.
Sectors Required to Obtain Approval from the Personal Data Protection Council for DPO Accreditation:
In accordance with Article 3(b) of the “Standards for the Accreditation of Personal Data Protection Officers”, certain sectors are required not only to appoint a Data Protection Officer (DPO) but also to obtain formal accreditation for the appointed DPO from the Personal Data Protection Council.
The sectors subject to this requirement include:
- Telecommunications and Information Technology.
- Energy.
- Water.
- Health.
- Transport.
Organizations operating within these sectors must submit the credentials and supporting documentation of the nominated DPO to the Personal Data Protection Directorate, which shall then refer the matter to the Council for official approval prior to registration.
Optional Appointment of DPO
In cases that do not fall within the mandatory appointment categories outlined above, the appointment of a DPO remains optional. Organizations may elect to appoint a DPO voluntarily as a proactive compliance measure. This option is explicitly recognized by the “Standards for the Accreditation of Personal Data Protection Officers”, and is encouraged in order to:
- Facilitate adherence to legal and regulatory obligations;
- Enhance internal data protection governance;
- Mitigate regulatory and reputational risks.
Registration Requirements for Data Protection Officers:
Pursuant to Article 18 (D) of the aforementioned Law, and its implementing regulations titled “Instructions for the Registry of Data Controllers, Processors, and Data Protection Officers”, a formal registration mechanism has been mandated under the supervision of the Personal Data Protection Unit (the “Unit”).
The registry is designed to operate as an official electronic system for recording and organizing key information related to data controllers, data processors, and appointed and accredited DPOs. Its primary function is to ensure regulatory oversight, facilitate transparency, and support enforcement by the Unit and Personal Data Protection Council.
Although the electronic registry has not yet been activated as of the date of this publication, we believe that entities required to appoint a Data Protection Officer (DPO) should proceed with manual registration with the Personal Data Protection Directorate to ensure compliance with the provisions of the Law.
Statutory Roles and Responsibilities of the DPO:
Under Article 11, paragraph (b) of the aforementioned Law, the DPO is entrusted with a legally defined set of duties and responsibilities that are central to the enforcement of data protection compliance within the data controller’s organization. The DPO is responsible for upholding the integrity, lawfulness, and transparency of data processing operations, and serves as the primary liaison between the organization, data subjects, and the competent regulatory authorities.
The statutory responsibilities of the DPO include, but are not limited to, the following:
- Compliance Oversight: Ensuring that the organization’s data processing activities comply with the PDPL and adhere to the principles of legality, transparency, and purpose limitation.
- Risk Assessment and Mitigation: Conducting Data Protection Impact Assessments to identify, evaluate, and mitigate risks associated with data processing activities.
- Incident Management: Overseeing data breach notifications to the regulatory authorities and affected individuals, and coordinating response efforts to minimize potential harm to individuals affected by data breaches.
- Training and Awareness Programs: Educating employees about their data protection responsibilities and fostering a culture of privacy within the organization.
- Responding to Inquiries: Acting as the designated point of contact for individuals seeking information about the processing of their personal data or wishing to exercise their rights under the PDPL.
The Importance of Data Protection in Jordan
As Jordan advances toward a more digitized and interconnected economy, the need for robust data protection has never been clearer. Growing public concern over privacy rights, coupled with the rising frequency of data breaches, underscores the potentially severe consequences of inadequate data governance, ranging from financial losses and regulatory penalties to reputational harm and diminished customer trust.
The appointment of a DPO enables organizations to not only meet the compliance requirements of the PDPL but also to implement best practices that promote transparency, accountability, and responsible data stewardship.
Moreover, appointing a DPO reflects alignment with international standards, most notably the European Union’s General Data Protection Regulation (GDPR), thereby enhancing an organization’s credibility and positioning it to attract privacy-conscious stakeholders and customers in both local and global markets.
Conclusion
The need for Data Protection Officers in Jordan is driven not only by legal requirements under the PDPL but also by the inevitable need to protect personal data in an increasingly digital world. By investing in DPO services, organizations can cultivate trust with their stakeholders, mitigate risks, and ensure compliance with the law, paving the way for a responsible approach to data protection.
As Jordan continues to adapt its regulatory landscape, the role of DPOs will become increasingly vital. Organizations should prioritize the appointment of qualified DPOs to navigate this complex environment and safeguard the rights and freedoms of individuals in the digital age.
Adv. Main Nsair
