Jordan PDPL — Law No. 24 of 2023
The strictest breach clock on the planet.
We run on it by default.
Jordan's Personal Data Protection Law No. 24 of 2023 has been fully enforceable since March 17, 2025. 24 hours to notify affected data subjects. 72 hours to the Personal Data Protection Unit under MODEE. DPO registration with the national directorate. Processing records retained five years. This is the bar enterprise-procurement teams at Arab Bank, Aramex, and Deloitte expect Jordan-operated platforms to meet — and the bar we built to.
Law
PDPL No. 24 of 2023
Enforceable since
March 17, 2025
Regulator
MODEE — PDP Unit
Articles
25 total
What PDPL requires
Eight signals. Every one documented.
PDPL is not generic GDPR. The deadlines are tighter, the lawful bases are fewer, and the regulator sits under MODEE, not the EDPB. Here is how each load-bearing requirement maps to a concrete control on our side.
24-Hour Breach Notification
Jordan PDPL Article 16 requires notifying affected data subjects within 24 hours of breach discovery and the Personal Data Protection Unit within 72 hours. The strictest breach timeline of any major data protection law. GDPR's 72h-to-authority requirement is the lower bar.
DPO Registered with MODEE
Data Protection Officer appointed and registered with the Personal Data Protection Directorate under MODEE. DPO requirement triggered by core PII processing, cross-border transfers, and financial data — all three apply.
ROPA Discipline
Record of Processing Activities maintained per PDPL Article 12. Every processing activity documented: purpose, data categories, recipients, transfer destinations, retention schedule, security measures. Retained for duration plus five years minimum.
Explicit Consent Only
PDPL has no "legitimate interest" basis. Every collection point uses explicit, written or electronic consent specifying purpose and duration. Consent timestamps and version are stored alongside the record — proof of when and under which policy.
Cross-Border Transfer Disclosure
Article 13 requires informing subjects before transfer when destinations lack adequacy decisions. Jordan has issued zero adequacy decisions. Every consent point names US subprocessors by role and country, and states the adequacy gap explicitly.
Data Minimization + Retention
Applicant data auto-purged at 12 months. Contact inquiries at 6 months. Contractor PII 24 months post-deactivation. Financial records retained 7 years per Jordan Tax Law. Photo assets 12 months post-completion. No indefinite storage.
Sensitive Data Segregation
PDPL Article 6 sensitive categories — criminal record, financial status, health, biometric — handled under standalone granular consent. Background check results deleted within 90 days of decision. Never bundled into a general consent flow.
Subject Rights Implemented
Access, correction, erasure, portability, restriction, and withdrawal — every PDPL Article 7 and 8 right is a live workflow. DSAR response target 30 days. Consent withdrawal triggers deletion. Requests to privacy@steadywrk.app.
What we do
Four stages. Every record. Every time.
Compliance is not a policy document. It is what the code does when an applicant submits a form, an employer requests a demo, or a contractor deactivates. The same pipeline runs behind every data point we hold.
01
Consent at Collection
Every collection point — apply form, contact form, demo request, contractor onboarding — captures explicit consent with purpose, duration, processor disclosure, and cross-border transfer notice. Consent version and timestamp stored.
02
Process + Audit
Processing activities logged against the ROPA. Every state transition append-only. Seven-year retention as standard. Access to production systems reviewed quarterly and enforced via Clerk MFA.
03
Rights Response
DSARs acknowledged within 48 hours, completed within 30 days. Identity verification via email on file or government ID. Data located across database, auth provider, analytics, CRM, and email logs before deletion.
04
Deletion + Proof
Consent records archived to an audit log before row deletion — hash of email, consent type, version, and timestamp retained five years per Article 12. Deletion confirmation sent. Proof persists after the data is gone.
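The archive-before-delete step in stage 04, together with the retention schedule and consent-withdrawal trigger from the sections above, as an added example written for this page (not the platform's own code). It assumes the page's "hash of email" is a keyed HMAC under a constructed sample key, and approximates the stated month counts in days.

```python
import hmac, hashlib
from datetime import datetime, timedelta

# Constructed sample key; the page's "hash of email" is realised as a keyed HMAC
# so the archived fingerprint cannot be reversed by guessing common addresses.
ARCHIVE_KEY = b"constructed-sample-key-not-for-production"
# Retention schedule stated on the page, in approximate days per category.
RETENTION_DAYS = {"applicant": 365, "contact": 183, "contractor": 730}

def email_fingerprint(email: str) -> str:
    """Keyed hash of the normalised address: proves consent without keeping PII."""
    norm = email.strip().lower().encode()
    return hmac.new(ARCHIVE_KEY, norm, hashlib.sha256).hexdigest()

def archive_entry(record: dict, reason: str, now: datetime) -> dict:
    """Audit-log entry written before the row is deleted; kept five years (Art. 12)."""
    return {
        "email_hash": email_fingerprint(record["email"]),
        "consent_type": record["consent_type"],
        "consent_version": record["consent_version"],
        "consented_at": record["consented_at"],
        "deleted_at": now.isoformat(),
        "reason": reason,
        "audit_expires_at": (now + timedelta(days=5 * 365)).isoformat(),
    }

def purge_reason(record: dict, now: datetime):
    """Withdrawal deletes at once; otherwise the retention clock decides."""
    if record.get("consent_withdrawn"):
        return "consent_withdrawn"
    if record["category"] == "contractor":
        if not record.get("deactivated_at"):
            return None  # active contractor: the 24-month clock has not started
        start = datetime.fromisoformat(record["deactivated_at"])
    else:
        start = datetime.fromisoformat(record["consented_at"])
    expired = now - start >= timedelta(days=RETENTION_DAYS[record["category"]])
    return "retention_expired" if expired else None

def run_purge(records: list, audit_log: list, now: datetime) -> list:
    """Archive each doomed record to the append-only log, then drop the row."""
    kept = []
    for rec in records:
        reason = purge_reason(rec, now)
        if reason:
            audit_log.append(archive_entry(rec, reason, now))
        else:
            kept.append(rec)
    return kept
```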
Compliance posture
PDPL vs GDPR vs US state law.
The procurement teams at Arab Bank, Aramex, and Deloitte will ask how our posture compares to the regulations their global operations run against. The short answer: PDPL is stricter on timing and narrower on lawful bases. Building to PDPL covers most of GDPR and CCPA by default.
| Dimension | Jordan PDPL | EU GDPR | US state laws |
|---|---|---|---|
| Breach notification to data subjects | 24 hours from discovery | No statutory requirement — authority-only | Varies by state — often 60 to 90 days |
| Breach notification to regulator | 72 hours to Personal Data Protection Unit | 72 hours to supervisory authority | State-by-state, often within 30-45 days |
| Lawful basis for processing | Consent or explicit legal authorization | Six bases including legitimate interest | Notice-and-choice model (CCPA/CPRA) |
| Processing records retention | Duration + 5 years minimum (Article 12) | Duration + 3 years typical | No general federal requirement |
| DPO registration | Registered with Personal Data Protection Council | Internal appointment sufficient | No federal DPO requirement |
| Cross-border transfer | No adequacy decisions issued — explicit consent + safeguards | SCCs, adequacy decisions, BCRs available | No general restriction |
| Penalty ceiling | Up to 3% of annual revenue, doubled for repeat offenses | Up to 4% of global turnover or EUR 20M | Varies — CCPA up to USD 7,500 per violation |
- PDPL enforced since March 2025. No grace period remaining.
- Penalties scale to 3% of annual revenue; doubled for repeat offenses.
- DPO and controller registration with MODEE — not ASEZA, not Clerk.
Scope
PDPL applies to every entity processing data of individuals in Jordan, regardless of corporate structure or headquarters location. ASEZA's favorable tax regime does not create data-protection carve-outs. The Colorado corporate shield does not exempt Jordan operations. Compliance is entity-independent — and mandatory.
Procurement-ready by design.
The full security posture — subprocessors, data flow, authentication, audit trail — is one click away. DPA requests and compliance questionnaires respond within 72 hours to privacy@steadywrk.app.