Algeria - Data Protection Overview

March 2022

1. Governing Texts

Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) ('Law No. 18-07') governs data protection within Algeria.

As of today, even though Law No. 18-07 has come into force (i.e. it has been officially published in the official journal), operators cannot fully implement it, notably because a national data protection authority has not yet been created. Moreover, Article 75 of Law No. 18-07 provides for an additional one-year period from the creation of the data protection authority to comply with its requirements. Thus, the compliance period is still open.

In that regard, please note that there is no public information on when the data protection authority will be created.

1.1. Key acts, regulations, directives, bills

The purpose of Law No. 18-07 is to establish the rules for the protection of individuals with regard to the processing of their personal data. Law No. 18-07 is inspired to some extent by European Union and French data protection law as it stood before the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

1.2. Guidelines

We have not identified any guidelines from Algerian authorities in relation to data protection.

1.3. Case law

We have not identified any notable data protection decisions from Algerian courts or authorities.

2. Scope of Application

2.1. Personal scope

Law No. 18-07 mainly imposes obligations on data controllers and in a more limited way on data processors.

Please see section on definitions below for the definitions of data controller and data processor. These definitions are very similar to the ones provided in the GDPR.

2.2. Territorial scope

Article 4 of Law No. 18-07 applies to the processing of personal data:

  • carried out by a natural or legal person whose responsible person is established on the Algerian territory or on the territory of a State whose legislation is recognised as equivalent to Algerian legislation in terms of personal data protection; and
  • when the responsible person is established outside the Algerian territory but uses automated or non-automated means located in the Algerian territory to process the data (excluding processing for transit purposes).

2.3. Material scope

Article 4 of Law No. 18-07 applies to the processing of personal data by automatic means, in whole or in part, as well as to the non-automatic processing of personal data contained or intended to be contained in manual files.

Please see section on definitions below for the definition of personal data.

Law No. 18-07 does not apply to personal data (Article 6 of Law No. 18-07):

  • processed by a natural person for the exercise of exclusively personal or household activities, provided that these are not intended for communication to third parties or to be circulated;
  • collected and processed in the interest of national defence and national security; or
  • collected and processed for the purpose of prevention, prosecution, and law enforcement, as well as those contained in judicial databases, which are governed by the texts relating to their creation.

Lastly, Article 5 of Law No. 18-07 provides that the following processing activities are excluded from its scope:

  • processing of personal data for the purposes of individual therapeutic or medical monitoring/follow-up of patients;
  • processing activities for the purpose of carrying out studies on the basis of the data collected in application of the previous point (i.e. patients' individual therapeutic or medical monitoring/follow-up) when these studies are carried out by the personnel ensuring the patients' monitoring and intended for their exclusive use;
  • processing carried out for the purposes of reimbursement or controls by health insurance bodies; and
  • processing carried out within health establishments by the doctors responsible for medical information.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

To date, there is no data protection authority in Algeria.

3.2. Main powers, duties and responsibilities

Even if the Algerian data protection authority has not been created yet, Article 25 of Law No. 18-07 specifies its powers, duties, and responsibilities. Accordingly, the data protection authority would be responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of Law No. 18-07 and would be in charge of ensuring that the use of information and communication technologies does not cause a threat to the rights of individuals, public freedoms, and privacy.

In this respect, its missions are, in particular:

  • to issue authorisations and receive declarations relating to the processing of personal data;
  • to inform data subjects and data controllers of their rights and obligations;
  • to advise persons and entities which resort to the processing of personal data or that carry out tests or experiments likely to result in such processing;
  • to receive complaints, appeals, and claims relating to the implementation of the processing of personal data and to inform their authors of the action taken;
  • to authorise, under the terms of Law No. 18-07, cross-border transfers of personal data;
  • to order the necessary modifications for the protection of the personal data processed;
  • to order that personal data be made inaccessible, or their withdrawal or destruction;
  • to present any suggestion that may simplify and improve the legislative and regulatory framework for the processing of personal data;
  • to publish the authorisations granted and the opinions issued in the national registry referred to in Article 28 of Law No. 18-07;
  • to develop cooperative relations with similar foreign authorities, subject to reciprocity;
  • to impose administrative sanctions under the conditions defined in Article 46 of Law No. 18-07 (warrant, injunctions, fines, temporary or permanent withdrawal of the receipt of authorisations or declarations);
  • to draft standards in the area of personal data protection; and
  • to draft rules of good conduct and ethics applicable to the processing of personal data.

4. Key Definitions

Data controller: A natural or legal person, public or private or any other entity which, alone or jointly with others, determines the purposes and means of the processing of data (Article 3 of Law No. 18-07).

Data processor: Any natural or legal person, public or private, or any other entity that processes personal data on behalf of the data controller (Article 3 of Law No. 18-07).

Personal data: Any information, regardless of the medium, relating to an identified or identifiable person (referred to as the data subject), in a direct or indirect way, in particular by reference to an identification number or to one or more specific elements of their physical, physiological, genetic, biometric, psychic, economic, cultural, or social identity (Article 3 of Law No. 18-07).

Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership of the data subject, or which relate to their health, including genetic data (Article 3 of Law No. 18-07).

Health data: Any information relating to the physical and/or mental condition of the data subject, including genetic data (Article 3 of Law No. 18-07).

Biometric data: No definition of biometric data is provided in Law No. 18-07.

Pseudonymisation: No definition of pseudonymisation is provided in Law No. 18-07.

Service provider: Any public or private entity that offers users of its services the possibility of communicating by means of a computer system and/or a telecommunications system or any other entity processing or storing computer data for the communication service or users (Article 3 of Law No. 18-07).

5. Legal Bases

5.1. Consent

According to Article 7 of Law No. 18-07, personal data processing cannot be carried out unless the data subject's express consent has been collected. As a consequence, unless another legal basis is available, the processing of personal data by a data controller without the data subject's consent will be deemed unlawful.

5.2. Contract with the data subject

The data subject's consent is not required where the processing is necessary for the performance of a contract entered into by the data subject or the implementation of pre-contractual measures taken upon the request of the data subject (Article 7 of Law No. 18-07).

5.3. Legal obligations

The data subject's consent is not required to process personal data where the processing is necessary to comply with a legal obligation to which the data subject or the data controller is subject (Article 7 of Law No. 18-07).

5.4. Interests of the data subject

The data subject's consent is not required to process personal data where the processing is necessary to protect the vital interests of the data subject, if the latter is physically or legally incapable to provide their consent (Article 7 of Law No. 18-07).

5.5. Public interest

The data subject's consent is not required to process personal data where the processing is necessary for the performance of a task of public interest or carried out in the exercise of official authority, which may be vested upon the data controller or the third party to whom the personal data is disclosed (Article 7 of Law No. 18-07).

5.6. Legitimate interests of the data controller

The data subject's consent is not required where the processing is necessary for the fulfilment of the legitimate interest pursued by the data controller or by the recipient of personal data, provided that the interest or the fundamental rights and freedoms of the data subject are not disregarded (Article 7 of Law No. 18-07). Law No. 18-07 does not define what may constitute the data controller's or recipient's 'legitimate interest'.

5.7. Legal bases in other instances

The data subject's consent is not required to process personal data where the processing is necessary to safeguard the life of the data subject.

6. Principles

Principles applicable to personal data processing in general

Pursuant to Article 9 of Law No. 18-07, personal data should be:

  • processed fairly and lawfully;
  • collected for specified, explicit, and legitimate purposes, and not subsequently processed in a way incompatible with those purposes;
  • adequate, relevant, and not excessive in relation to the purposes for which it is collected and subsequently processed;
  • accurate, complete and, where necessary, kept up-to-date; and
  • stored in a form allowing the identification of the data subjects for no longer than is necessary for the purposes for which such personal data is collected or processed.

7. Controller and Processor Obligations

Security of personal data

In a way that is similar to European Union data protection law, Law No. 18-07 provides that personal data shall be secured using adequate security measures.

Pursuant to Article 38 of Law No. 18-07, the data controller must implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

These measures must ensure a level of security that is appropriate to the risks of the processing and the nature of the data to be protected.

In addition, the data controller must be listed in a national register of personal data protection, maintained by the data protection authority (Article 28 of Law No. 18-07).

7.1. Data processing notification

Pursuant to Article 12 of Law No. 18-07, data processing is subject to either:

  • a prior declaration to the data protection authority; or
  • the data protection authority's prior authorisation.

Prior declaration

As a rule, personal data processing is subject to a prior declaration to the data protection authority, subject to exceptions outlined below. The data protection authority must deliver an acknowledgement of receipt of the declaration to the issuer within 48 hours, pursuant to Article 13 of Law No. 18-07. The data controller may implement the said processing upon receipt of the acknowledgement of receipt.

Pursuant to Article 14 of Law No. 18-07, the prior declaration must contain the following information:

  • the name and address of the data controller (and, if applicable, of its representative);
  • the nature, characteristics, and purpose(s) of the data processing;
  • a description of the category(ies) of data subjects and of the related personal data (or category(ies) thereof);
  • the recipients or categories of recipients to whom the data may be disclosed;
  • the envisaged transfers of personal data to foreign countries;
  • the period for which the personal data will be stored;
  • the service through which the data subject may exercise, where applicable, the rights granted to them by the provisions of Law No. 18-07, as well as the measures taken to facilitate their exercise;
  • a general description enabling a preliminary assessment of the appropriateness of the measures taken to ensure the confidentiality and security of the processing operation(s); and
  • interconnections, or any other forms of data reconciliation as well as their assignment or subcontracting, in any form, to third parties, whether for free or against payment.

Any change to any of the above information shall be notified to the data protection authority and, in case of assignment of a data file, the assignee shall complete the same formalities.

Pursuant to Article 16 of Law No. 18-07, a prior declaration is not required for processing operations the sole purpose of which is to keep a register which is available to the public for consultation or to any other person demonstrating a legitimate interest.

However, in this case, a data controller must be designated, the identity of which is made public and notified to the data protection authority, and which is responsible for the application of the provisions on the data subject rights. The data controller exempted from the declaration of the processing to the data protection authority must communicate to any person who requests so information on the name and purpose(s) of the processing, the identity of the data controller, the data processed, the recipients and, where appropriate, the intended transfers to be carried out to foreign countries.

Lastly, the data protection authority may determine a list of categories of processing that will benefit from a simplified declaration.

Authorisation

Pursuant to Article 17 of Law No. 18-07, where it appears to the data protection authority, on examination of the declaration provided to it, that the processing envisaged presents manifest dangers for the respect and protection of the privacy and fundamental rights and freedoms of individuals, it shall decide to submit the processing to the formality of prior authorisation.

The decision of the data protection authority must be reasoned and notified to the data controller within ten days from the submission of the declaration.

Additionally, by way of derogation to the principle of prohibition of the processing of sensitive data, such processing may be carried out in certain cases notably with the authorisation of the data protection authority (Article 18 of Law No. 18-07).

Authorisation is also necessary in case of interconnection of files belonging to one or more legal entities managing a public service and whose purposes correspond to different public interests, as well as interconnections of files belonging to natural persons and whose main purposes are different.

In addition, prior authorisation is also required in relation to the processing of personal data for the purpose of public interest research, study, or evaluation in the field of health (Article 21 of Law No. 18-07).

Pursuant to Article 20 of Law No. 18-07, the request to obtain the authorisation shall contain the same information as in the declaration formality.

Finally, the data protection authority shall take its decision as to whether or not to authorise a processing, within two months from the receipt of the request for authorisation. In the event where the data protection authority has not taken its decision within this timeline, the authorisation is deemed to be refused.

7.2. Data transfers

Article 44 of Law No. 18-07 provides that the data controller may only transfer personal data to another foreign state:

  • upon authorisation of the data protection authority; and
  • if that state ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing to which such data are or may be subject.

The adequacy of the level of protection provided by a State is assessed by the data protection authority.

However, by way of derogation, Article 45 of Law No. 18-07 provides that the data controller may transfer personal data to a foreign State where the level of protection does not meet the above-mentioned criteria, subject to the following conditions:

  • if the data subject has expressly consented to their transfer;
  • if the transfer is necessary for one of the cases mentioned in Article 45(2) of Law No. 18-07, that is:
    • the safeguarding of that person's life;
    • preservation of the public interest;
    • the fulfilment of obligations to ensure the establishment, exercise, or defence of a right in a court of law;
    • the performance of a contract between the data controller and the data subject, or pre-contractual measures taken at the request of the data subject;
    • the conclusion or performance of a contract concluded or to be concluded, in the interest of the data subject, between the data controller and a third party;
    • the execution of an international judicial assistance measure; and
    • the prevention, diagnosis, or treatment of medical conditions;
  • if the transfer is made in accordance with a bilateral or multilateral agreement to which Algeria is a party; or
  • with the authorisation of the data protection authority, if the processing is carried out within the framework of Article 2 of Law No. 18-07 on the respect of human dignity, privacy and public freedoms, the rights of individuals, their honour and reputation.

Furthermore, Article 44 of Law No. 18-07 adds that it is prohibited, in all cases, to communicate or transfer personal data to a foreign country, when such transfer is likely to affect public security or the vital interests of Algeria.

7.3. Data processing records

Law No. 18-07 does not provide for an obligation for the data controller and/or data processor to maintain data processing records.

7.4. Data protection impact assessment

We have not identified, in Law No. 18-07, any express obligation for data controllers or data processors to perform a Data Protection Impact Assessment or Privacy Impact Assessment.

7.5. Data protection officer appointment

We have not identified any obligation to appoint a data protection officer; however, in case the data controller is not established in the national territory, a representative located in Algeria must be designated, similarly to the representative required under European data protection law.

7.6. Data breach notification

Pursuant to Article 43 of Law No. 18-07, where the processing of personal data on electronic communication networks open to the public results in the destruction, loss, alteration, disclosure, or unauthorised access to such data, the service provider shall notify, without delay, the data protection authority and the data subject, where such breach may affect the data subject's privacy.

The notification of a personal data breach to the data subject is not necessary if the data protection authority considers that appropriate data protection measures have been implemented by the service provider.

In any event, service providers shall maintain a record of personal data breaches and the steps taken to remedy them.

7.7. Data retention

Pursuant to Article 9 of Law No. 18-07, personal data should be stored in a form which allows identification of the data subjects for no longer than necessary for the purposes for which such personal data is collected or processed.

7.8. Children's data

Pursuant to Article 8 of Law No. 18-07, the processing of personal data concerning a child can only be carried out after obtaining the consent of the child's legal representative or, if necessary, the authorisation of the competent judge. The judge may order the processing even without the consent of the legal representative, when the best interests of the child so require.

The judge may revoke the authorisation at any time.

7.9. Special categories of personal data

Under Article 18 of Law No. 18-07, the processing of sensitive data is prohibited. However, there are exceptions to this basic prohibition, where:

  • the processing is necessary to protect the vital interests of the data subject, if they are physically or legally incapable to provide their consent;
  • the person concerned has given their express consent;
  • the processing is performed by a foundation, a charity, and other similar organisations in the context of their legitimate activities and the data subject has provided their consent;
  • the processing relates to data manifestly made public by the data subject, where their consent to the processing of the data can be inferred from their statements;
  • the processing is necessary for the recognition, exercise, or defence of legal claims and is carried out exclusively for that purpose; and
  • the processing concerns genetic data excluding those carried out by doctors or biologists and which are necessary for the exercise of preventive medicine, medical diagnosis, and the administration of care or treatment.

An exemption is also provided for where there is an essential public interest ground to ensure the legal or statutory functions of the data controller.

Law No. 18-07 also provides for specific rules for the processing of data relating to offences, sentences, and precautionary measures (Article 10 of Law No. 18-07) as well as for processing activities that produce legal effects on individuals (Article 11 of Law No. 18-07).

Accordingly, personal data relating to offences, sentences, and precautionary measures, may only be processed by the judicial authority, public authorities, legal persons who manage a public service, and judicial officers within the scope of their legal powers.

7.10. Controller and processor contracts

Pursuant to Article 39 of Law No. 18-07, the carrying out of a processing by a data processor shall be governed by a contract or legal act binding on the data processor with regard to the data controller.

Such contract or legal act shall set out, in particular, that the data processor shall act only on the instructions of the data controller, and that the obligations set out in the first paragraph of Article 38 of Law No. 18-07 shall also apply to the data processor (implementation of appropriate technical and organisational security measures).

For evidentiary purposes, the elements of the contract or legal act relating to data protection and the requirements relating to the security measures shall be recorded in writing or in another equivalent form.

8. Data Subject Rights

8.1. Right to be informed

Before the processing of any personal data, data subjects must be provided with information, in an express and unambiguous form, by the data controller, in relation to the following:

  • the identity of the data controller and, where applicable, of their representative;
  • the purposes of the processing; and
  • any additional relevant information, including the recipient, the obligation to respond, and its consequences, as well as their rights and the transfer of data abroad (Article 32 of Law No. 18-07).

The obligation to inform is not applicable in certain cases mentioned in Article 33 of Law No. 18-07:

  • when it is impossible to inform the data subject, especially in the case of processing personal data for statistical, historical, or scientific purposes; in such a case, the data controller must notify the data protection authority of the impossibility of informing the data subject and present the reason for this impossibility;
  • if the processing is required by law; and
  • if the processing is carried out exclusively for journalistic, artistic, or literary purposes.

8.2. Right to access

Pursuant to Article 34 of Law No. 18-07, the data subject has the right to obtain from the data controller:

  • confirmation of whether or not personal data relating to them is being processed;
  • the purposes of the processing, the categories of data concerned, and the recipients; and
  • communication, in an intelligible form, of the data being processed, as well as any available information on the origin of the data.

However, the data controller may object to manifestly unreasonable requests.

8.3. Right to rectification

Pursuant to Article 35 of Law No. 18-07, data subjects have the right to obtain the updating, rectification, erasure, or blocking of personal data whose processing does not comply with Law No. 18-07. This may be justified in particular by the incomplete or inaccurate nature of the data or by the fact that the processing of the data is prohibited by law. The data controller is obliged to make the necessary rectifications at no cost to the applicant within ten days of the request being made. Moreover, data subjects have the right to have any updating, rectification, erasure, or blocking of personal data notified to third parties to whom personal data has been communicated, in cases where it is not impossible.

8.4. Right to erasure

The right to rectification provides for a possibility to request the erasure of the personal data.

8.5. Right to object/opt-out

Pursuant to Article 36 of Law No. 18-07, data subjects have the right to object to the processing of their personal data based on legitimate reasons. Additionally, they may object to the use of their personal data for prospecting purposes, in particular commercial ones.

This right is not available in case the processing relies on a legal obligation or in case it is expressly waived by a legal act authorising the processing.

8.6. Right to data portability

Law No. 18-07 does not provide for an express right to data portability; however, the data subject's right to access provides for a possibility to obtain the communication, in an intelligible form, of the data processed.

8.7. Right not to be subject to automated decision-making

Article 11 of Law No. 18-07 specifies that no decision having legal effect on a person may be made solely on the basis of automated data processing, intended to define the profile of the data subject or to evaluate certain aspects of their personality.

8.8. Other rights

Law No. 18-07 does not provide for other data subject rights.

9. Penalties

Law No. 18-07 provides for the penalties detailed below:

| Nature of the non-compliance | Article of Law No. 18-07 | Applicable sanction |
|---|---|---|
| Breach of Article 2 of Law No. 18-07 (general principles of human dignity, privacy, public freedoms, etc.) | Article 54 | Imprisonment from two to five years and a fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| Breach of Article 7 of Law No. 18-07 in relation to the existence of a legal basis for processing | Article 55 | Imprisonment from one to three years and a fine from DZD 100,000 (approx. €630) to DZD 300,000 (approx. €1,900) |
| Processing despite the exercise by a data subject of their right to object | Article 55 | Imprisonment from one to three years and a fine from DZD 100,000 (approx. €630) to DZD 300,000 (approx. €1,900) |
| Breach of Article 12 of Law No. 18-07 (declaration and authorisation formalities) | Article 56 | Imprisonment from two to five years and a fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| False declarations or continuation of the data processing activity despite the withdrawal of the receipt for the declaration or the withdrawal of the authorisation | Article 56 | Imprisonment from two to five years and a fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| Processing of sensitive data without the express consent of the data subject in the absence of any legal exception | Article 57 | Imprisonment from two to five years and a fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| Processing or use of personal data for purposes other than those for which they were declared or authorised | Article 58 | Imprisonment from six months to one year and a fine from DZD 60,000 (approx. €380) to DZD 100,000 (approx. €630), or one of these two penalties only |
| Collection of personal data through fraudulent, unfair, or unlawful means | Article 59 | Imprisonment from one to three years and a fine from DZD 100,000 (approx. €630) to DZD 300,000 (approx. €1,900) |
| Allowing unauthorised persons to access personal data | Article 60 | Imprisonment from two to five years and a fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| Obstruction to the action of the data protection authority | Article 61 | Imprisonment from six months to two years and a fine from DZD 60,000 (approx. €380) to DA 200,000 (approx. €1,270), or one of these two penalties only |
| Access to the national register without authorisation | Article 63 | Imprisonment from one to three years and a fine from DZD 100,000 (approx. €630) to DZD 300,000 (approx. €1,900) |
| Denial without legitimate reasons by the data controller of the data subject's rights | Article 64 | Imprisonment from two months to two years and a fine from DA 20,000 (approx. €130) to DZD 200,000 (approx. €1,270), or one of these two penalties only |
| Breach by the data controller of its obligations pursuant to Articles 38 and 39 of Law No. 18-07 | Article 65 | Fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| Storage of personal data for longer periods than provided for in the legislation, or in the declaration or authorisation | Article 65 | Fine from DZD 200,000 (approx. €1,270) to DZD 500,000 (approx. €3,160) |
| Failure by a service provider to notify the data protection authority or the data subject of a personal data breach | Article 66 | Imprisonment from one year to three years and a fine from DZD 100,000 (approx. €630) to DZD 300,000 (approx. €1,900), or one of these two penalties only |
| Breach of the provisions on international data transfers | Article 67 | Imprisonment from one to five years and a fine from DA 500,000 (approx. €3,160) to DZD 1 million (approx. €6,330) |
| Processing of personal data related to offences, sentences, and precautionary measures where not authorised by law | Article 68 | Imprisonment from six months to three years and a fine from DZD 60,000 (approx. €380) to DZD 300,000 (approx. €1,900) |
| The fact for a data controller, data processor, or any person in charge of the processing of personal data, to cause or facilitate, even by negligence, the abusive or fraudulent use of the data processed or received, or to communicate them to unauthorised third parties | Article 69 | Imprisonment from one year to five years and a fine from DZD 100,000 (approx. €630) to DZD 500,000 (approx. €3,160) |

Provisions of the Algerian Criminal Code (only available in French here) may also be applicable. Accordingly, the erasure of all or part of the data may be ordered and there may be proceedings for the seizure or destruction of the object of the offence.

9.1. Enforcement decisions

In the absence of a national data protection authority, there is no relevant enforcement decision.