On November 25, 2024, OneTrust DataGuidance confirmed with Mariana Abudayah, Legal Advisor at Gulf Insurance Group-Jordan, that:

"[..] the Ministry of Digital Economy and Entrepreneurship (the Ministry) announced the release of the draft Standards for Appointing and Approving the Personal Data Protection Controller (the Draft Standards) for public consultation, which ran between November 2-8, 2024.

According to the Draft Standards, a data protection officer (DPO) cannot be appointed by the data controller unless prior approval is obtained from the Ministry in the following instances:

• processing data related to critical infrastructure, such as telecommunications and electricity;
• processing and transferring sensitive personal data outside of Jordan; and/or
• the controller has more than 100 employees and processes personal data of more than 15,000 individuals, or processes sensitive personal data of more than 2,000 individuals.

Such approval will be granted, provided all requirements are met, and will be issued within two months of submitting the request. The DPO's accreditation is valid for one year, with the option to extend or renew upon the controller's request.

The Draft Standards set out the minimum requirements for a DPO, which are summarized as follows:

• possession of the appropriate academic qualifications and experience in personal data protection, or obtaining one of the internationally recognized professional certifications in the field;
• experience in risk management practices, including handling personal data breach incidents;
• good conduct and reputation, and no previous convictions for criminal offenses or crimes that undermine honor and integrity (unless their honor has been restored); and
• no prior dismissal from a position due to violations of data protection duties, based on a final court ruling or unchallenged disciplinary decision.

The DPO may be either an employee of the controller or an external party.

The controller is committed to providing the optimal conditions to assist the DPO in fulfilling their responsibilities as defined under the Personal Data Protection Law (No.24) of 2023 (the Law). This includes:

• ensuring no tasks are assigned that could conflict with the DPO's duties or compromise their independence;
• structurally positioning the DPO appropriately within the organization, if the person in charge is an individual;
• reporting to senior management, in accordance with the organizational structure;
• allocating the necessary human and financial resources for the DPO to carry out their duties;
• supporting the DPO's professional development and encouraging them to pursue relevant certifications; and
• encouraging all relevant departments and sections to facilitate the DPO's tasks and involving them in all meetings related to personal data processing.

The appointment of the DPO may be terminated under the following circumstances:

• expiration of the appointment term without renewal in accordance with the provisions of the Draft Standards;
• loss of any required conditions for the appointment;
• discovery that the appointment was based on false documents, information, or data;
• at the request of the DPO; or
• based on a decision by the council."

You can read the press release here and the draft Standards here, both only available in Arabic.