March 2024

1. Governing Texts

Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018, Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) ('Law No. 18-07') governs data protection within Algeria.

As of today, Law No. 18-07 is fully applicable and operators falling in its scope of application must comply with its requirements. As a reminder, operators had a one-year period from the creation of the Algerian data protection authority ('ANPDP') to comply with the requirements of Law No. 18-07 requirements, a period that ended on August 11, 2023.

1.1. Key acts, regulations, directives, bills

The purpose of Law No. 18-07 is to establish the rules for the protection of individuals with regard to the processing of their personal data. Law No. 18-07 is inspired to some extent by European Union and French data protection law before the entry into force of the General Data Protection Regulation (Regulation (EU 2016/679) ('GDPR').

1.2. Guidelines

The ANPDP has issued the following guidance in relation to data protection:

• guidance explaining when and to whom Law No. 18-07 is applicable (only available in French here);
• guidance on the key concepts of the Law No. 18-07 (only available in French here) ('the Concepts Guidance');
• guidance on the data controller's obligations in relation to the processing of personal data (only available in French here) ('the Obligations Guidance');
• guidance for data controllers established abroad but processes data in Algeria to notify the ANPDP (only available in French here); and
• frequently asked questions on the ANPDP's processes (only available in French here).

1.3. Case law

We have not identified any notable data protection decisions from Algerian courts or authorities.

2. Scope of Application

2.1. Personal scope

Law No. 18-07 mainly imposes obligations on data controllers and, in a more limited way, on data processors.

Please see the section on definitions below for the definitions of data controller and data processor. These definitions are very similar to the ones provided in the GDPR.

2.2. Territorial scope

Article 4 of Law No. 18-07 applies to the processing of personal data:

• carried out by a natural or legal person whose responsible person is established on the Algerian territory or on the territory of a State which legislation is recognized as equivalent to Algerian legislation in terms of personal data protection; and
• when the responsible person is established outside the Algerian territory but uses automated or non-automated means located in the Algerian territory to process the data (excluding processing for transit purposes).

2.3. Material scope

Article 4 of Law No. 18-07 applies to the processing of personal data by automatic means, in whole or in part, as well as to the non-automatic processing of personal data contained or intended to be contained in manual files.

Please see the section on definitions below for the definition of personal data.

Law No. 18-07 does not apply to personal data (Article 6 of Law No. 18-07):

• processed by a natural person for the exercise of exclusively personal or household activities, provided that these are not intended for communication to third parties or to be circulated;
• collected and processed in the interest of national defense and national security; or
• collected and processed for the purpose of prevention, prosecution, and law enforcement, as well as those contained in judicial databases, which are governed by the texts relating to their creation.

Lastly, Article 5 of Law No. 18-07 provides that the following processing activities are excluded from its scope:

• processing of personal data for the purposes of individual therapeutic or medical monitoring/follow-up of patients;
• processing activities for the purpose of carrying out studies on the basis of the data collected in the application of the previous point (i.e., patient's individual therapeutic or medical monitoring/follow-up) when these studies are carried out by the personnel ensuring the patients' monitoring and intended for their exclusive use;
• processing carried out for the purposes of reimbursement or controls by health insurance bodies; and
• processing carried out within health establishments by the doctors responsible for medical information.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator for data protection in Algeria is the ANPDP.

3.2. Main powers, duties and responsibilities

Article 25 of Law No. 18-07 specifies the powers, duties, and responsibilities of the ANPDP. Accordingly, the ANPDP is responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of Law No. 18-07 and is in charge of ensuring that the use of information and communication technologies does not cause a threat to the rights of individuals, public freedoms, and privacy.

In this respect, its missions are, in particular:

• to issue authorizations and receive declarations relating to the processing of personal data;
• to inform data subjects and data controllers of their rights and obligations;
• to advise persons and entities which resort to the processing of personal data or that carry out tests or experiments likely to result in such processing;
• to receive complaints, appeals, and claims relating to the implementation of the processing of personal data and to inform their authors of the action taken;
• to authorize, under the terms of Law No. 18-07, cross-border transfers of personal data;
• to order the necessary modifications for the protection of the personal data processed;
• to order that personal data be made inaccessible or their withdrawal or destruction;
• to present any suggestion that may simplify and improve the legislative and regulatory framework for the processing of personal data;
• to publish the authorizations granted and the opinions issued in the national registry referred to in Article 28 of Law No. 18-07;
• to develop cooperative relations with similar foreign authorities, subject to reciprocity;
• to impose administrative sanctions under the conditions defined in Article 46 of Law No. 18-07 (warrant, injunctions, fines, temporary, or permanent withdrawal of the receipt of authorizations, or declarations)
• to draft standards in the area of personal data protection; and
• to draft rules of good conduct and ethics applicable to the processing of personal data.

4. Key Definitions

Data controller: A natural or legal person, public or private or any other entity which, alone or jointly with others, determines the purposes and means of the processing of data (Article 3 of Law No. 18-07).

Data processor: Any natural or legal person, public or private, or any other entity that processes personal data on behalf of the data controller (Article 3 of Law No. 18-07).

Personal data: Personal data refers to any information, regardless of the medium, relating to an identified or identifiable person (referred to as the data subject), in a direct or indirect way, in particular by reference to an identification number or to one or specific elements of their physical, physiological, genetic, biometric, psychic, economic, cultural, or social identity (Article 3 of Law No. 18-07).

The Concepts Guidance gives examples of personal data, including National Identification Number (NIN), last name, first name, date of birth, telephone number, address, email addresses, blood group, biometric data, ID photo, etc.

Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership of the data subject or which relate to their health, including genetic data (Article 3 of Law No. 18-07).

Health data: Any information relating to the physical and/or mental condition of the data subject, including genetic data (Article 3 of Law No. 18-07).

Biometric data: No definition of biometric data is provided in Law No. 18-07.

Pseudonymization: No definition of pseudonymization is provided in Law No. 18-07.

Service provider: Any public or private entity that offers users of its services the possibility of communicating by means of a computer system and/or a telecommunications system or any other entity processing or storing computer data for the communication service or users (Article 3 of Law No. 18-07).

5. Legal Bases

5.1. Consent

According to Article 7 of Law No. 18-07, personal data processing cannot be carried out unless the data subject's express consent has been collected. As a consequence, unless another legal basis is available, a data controller processing personal data without the data subject's consent will be deemed unlawful.

5.2. Contract with the data subject

The data subject's consent is not required where the processing is necessary for the performance of a contract entered into by the data subject or the implementation of pre-contractual measures taken upon the request of the data subject (Article 7 of Law No. 18-07).

5.3. Legal obligations

The data subject's consent is not required to process personal where the processing is necessary to comply with a legal obligation to which the data subject or the data controller is subject (Article 7 of Law No. 18-07).

5.4. Interests of the data subject

The data subject's consent is not required to process personal data where the processing is necessary to protect the vital interests of the data subject if the latter is physically or legally incapable of providing their consent (Article 7 of Law No. 18-07).

5.5. Public interest

The data subject's consent is not required to process personal data where the processing is necessary for the performance of a task of public interest or carried out in the exercise of official authority, which may be vested upon the data controller or the third party to whom the personal data is disclosed (Article 7 of Law No. 18-07).

5.6. Legitimate interests of the data controller

The data subject's consent is not required where the processing is necessary for the fulfillment of the legitimate interest pursued by the data controller or by the recipient of personal data, provided that the interest or the fundamental rights and freedoms of the data subject are not disregarded (Article 7 of Law No. 18-07). Law No. 18-07 does not define what may constitute the data controller's or recipient's 'legitimate interest.'

5.7. Legal bases in other instances

The data subject's consent is not required to process personal data where the processing is necessary to safeguard the life of the data subject.

6. Principles

Principles applicable to personal data processing in general

Pursuant to Article 9 of Law No. 18-07, personal data should be:

• processed fairly and lawfully;
• collected for specified, explicit, and legitimate purposes and not subsequently processed in a way incompatible with those purposes;
• adequate, relevant, and not excessive in relation to the purposes for which it is collected and subsequently processed;
• accurate, complete, and, where necessary, kept up-to-date; and
• stored in a form allowing the identification of the data subjects for no longer than is necessary for the purposes for which such personal data is collected or processed.

7. Controller and Processor Obligations

Security of personal data

In a way that is similar to the GDPR, Law No. 18-07 provides that personal data shall be secured using adequate security measures.

Pursuant to Article 38 of Law No. 18-07, the data controller must implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

These measures must ensure a level of security that is appropriate to the risks of the processing and the nature of the data to be protected.

In addition, the data controller must be listed in a national register of personal data protection maintained by the ANPDP (Article 28 of Law No. 18-07).

7.1. Data processing notification

Pursuant to Article 12 of Law No. 18-07, data processing is subject to either:

• a prior declaration to the ANPDP; or
• the ANPDP's prior authorization.

Prior declaration

As a rule, personal data processing is subject to a prior declaration to the ANPDP, subject to exceptions outlined below. The ANPDP must deliver an acknowledgment of receipt of the declaration to the issuer within 48 hours, pursuant to Article 13 of Law No. 18-07. The data controller may implement the said processing upon receipt of the acknowledgment of receipt.

Pursuant to Article 14 of Law No. 18-07, the prior declaration must contain the following information:

• the name and address of the data controller (and, if applicable, of its representative);
• the nature, characteristics, and purpose(s) of the data processing;
• a description of the category(ies) of data subjects and of the related personal data (or category(ies) thereof);
• the recipients or categories of recipients to whom the data may be disclosed;
• the envisaged transfers of personal data to foreign countries;
• the period for which the personal data will be stored;
• the service through which the data subject may exercise, where applicable, the rights granted to them by the provisions of Law No. 18-07, as well as the measures taken to facilitate their exercise;
• a general description enabling a preliminary assessment of the appropriateness of the measures taken to ensure the confidentiality and security of the processing operation(s); and
• interconnections, or any other forms of data reconciliation as well as their assignment or subcontracting, in any form, to third parties, whether for free or against payment.

Any change of one of the above information shall be notified to the ANPDP, and in case of assignment of a data file, the assignee shall accomplish the same above formalities.

Pursuant to Article 16 of Law No. 18-07, a prior declaration is not required for processing operations the sole purpose of which is to keep a register which is available to the public for consultation or to any other person demonstrating a legitimate interest.

However, in this case, a data controller must be designated, the identity of which is made public and notified to the ANPDP, and which is responsible for the application of the provisions on the data subject rights. The data controller exempted from the declaration of the processing to the ANPDP must communicate to any person who requests so information on the name and purpose(s) of the processing, the identity of the data controller, the data processed, the recipients, and where appropriate, the intended transfers to be carried out to foreign countries.

Lastly, the ANPDP may determine a list of categories of processing that will benefit from a simplified declaration.

Authorization

Pursuant to Article 17 of Law No. 18-07, where it appears to the ANPDP, on examination of the declaration provided to it, that the processing envisaged presents manifest dangers for the respect and protection of the privacy and fundamental rights and freedoms of individuals, it shall decide to submit the processing to the formality of prior authorization.

The decision of the ANPDP must be reasoned and notified to the data controller within 10 days from the submission of the declaration.

Additionally, by way of derogation to the principle of prohibition of the processing of sensitive data, such processing may be carried out in certain cases, notably with the authorization of the ANPDP (Article 18 of Law No. 18-07).

Authorization is also necessary in case of interconnection of files belonging to one or more legal entities managing a public service and which purposes correspond to different public interests as well as interconnections of files belonging to natural persons and which main purposes are different.

In addition, prior authorization is also required in relation to the processing of personal data with a public interest research purpose, study, or evaluation in the field of health (Article 21 of Law No. 18-07)

Pursuant to Article 20 of Law No. 18-07, the request to obtain the authorization shall contain the same information as in the declaration formality.

Finally, the ANPDP shall take its decision as to whether or not to authorize a processing, within two months from the receipt of the request for authorization. In the event where the ANPDP has not taken its decision within this timeline, the authorization is deemed to be refused.

7.2. Data transfers

Article 44 of Law No. 18-07 provides that the data controller may only transfer personal data to another foreign state:

• upon authorization of the ANPDP; and
• if that state ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing to which such data are or may be subject.

The adequacy of the level of protection provided by a State is assessed by the ANPDP.

However, by way of derogation, Article 45 of Law No. 18-07 provides that the data controller may transfer personal data to a foreign State where the level of protection does not meet the above-mentioned criteria, subject to the following conditions:

• if the data subject has expressly consented to their transfer;
• if the transfer is necessary for one of the cases mentioned in Article 45(2) of Law No. 18-07, that is:
  • the safeguarding of that person's life;
  • preservation of the public interest;
  • the fulfillment of obligations to ensure the establishment, exercise, or defense of a right in a court of law;
  • the performance of a contract between the data controller and the data subject or pre-contractual measures taken at the request of the data subject;
  • the conclusion or performance of a contract concluded or to be concluded, in the interest of the data subject, between the data controller and a third party;
  • the execution of an international judicial assistance measure; and
  • the prevention, diagnosis, or treatment of medical conditions;
• if the transfer is made in accordance with a bilateral or multilateral agreement to which Algeria is a party; or
• with the authorization of the ANPDP if the processing is carried out within the framework of Article 2 of Law No. 18-07 on the respect of human dignity, privacy, and public freedoms, the rights of individuals, their honor, and reputation.

Furthermore, Article 44 of Law No. 18-07 adds that it is prohibited, in all cases, to communicate or transfer personal data to a foreign country when such transfer is likely to affect public security or the vital interests of Algeria.

7.3. Data processing records

Law No. 18-07 does not provide for an obligation for the data controller and/or data processor to maintain data processing records.

7.4. Data protection impact assessment

We have not identified, in Law No. 18-07, any express obligation for data controllers or data processors to perform a Data Protection Impact Assessment or Privacy Impact Assessment.

7.5. Data protection officer appointment

We have not identified any obligation to appoint a data protection officer; however, in case the data controller is not established in the national territory, a representative located in Algeria must be designated, similarly to the representative required under European data protection law.

7.6. Data breach notification

Pursuant to Article 43 of Law No. 18-07, where the processing of personal data on electronic communication networks open to the public results in the destruction, loss, alteration, disclosure, or unauthorized access to such data, the service provider shall notify, without delay, the ANPDP and the data subject, where such breach may affect the data subject's privacy.

The notification of a personal data breach to the data subject is not necessary if the ANPDP considers that appropriate data protection measures have been implemented by the service provider.

In any event, service providers shall maintain a record of personal data breaches and the steps taken to remedy them.

7.7. Data retention

Pursuant to Article 9 of Law No. 18-07, personal data should be stored in a form which allows identification of the data subjects for no longer than necessary for the purposes for which such personal data is collected or processed.

7.8. Children's data

Pursuant to Article 8 of Law No. 18-07, the processing of personal data concerning a child can only be carried out after obtaining the consent of the child's legal representative or, if necessary, the authorization of the competent judge. The judge may order the processing even without the consent of the legal representative when the best interests of the child so required.

The judge may revoke the authorization at any time.

7.9. Special categories of personal data

Under Article 18 of the Law No. 18-07, the processing of sensitive data is prohibited. However, there are exceptions to this basic prohibition, where:

• the processing is necessary to protect the vital interests of the data subject if they are physically or legally incapable of providing their consent;
• the person concerned has given their express consent;
• the processing is performed by a foundation, a charity, and other similar organizations in the context of their legitimate activities, and the data subject has provided their consent;
• the processing relates to data manifestly made public by the data subject, where their consent to the processing of the data can be inferred from their statements;
• the processing is necessary for the recognition, exercise, or defense of legal claims and is carried out exclusively for that purpose; and
• the processing concerns genetic data excluding those carried out by doctors or biologists and which are necessary for the exercise of preventive medicine, medical diagnosis, and the administration of care or treatment.

An exemption is also provided for where there is an essential public interest ground to ensure the legal or statutory functions of the data controller.

Law No. 18-07 also provides for specific rules for the processing of data relating to offences, sentences, and precautionary measures (Article 10 of Law No. 18-07) as well as for processing activities that produce legal effects on individuals (Article 11 of Law No. 18-07).

Accordingly, personal data relating to offenses, sentences, and precautionary measures may only be processed by the judicial authority, public authorities, legal persons who manage a public service, and judicial officers within the scope of their legal powers.

7.10. Controller and processor contracts

Pursuant to Article 39 of Law No. 18-07, the carrying out of a processing by a data processor shall be governed by a contract or legal act binding on the data processor with regard to the data controller.

Such contract or legal act shall set out, in particular, that the data processor shall act only on the instructions of the data controller, and that the obligations set out in the first paragraph of Article 38 of Law No. 18-07 shall also apply to the data processor (implementation of appropriate technical and organizational security measures).

For evidentiary purposes, the elements of the contract or legal act relating to data protection and the requirements relating to the security measures shall be recorded in writing or in another equivalent form.

8. Data Subject Rights

8.1. Right to be informed

Before the processing of any personal data, data subjects must be provided with information, in an express and unambiguous form, by the data controller, in relation to the following:

• the identity of the data controller and, where applicable, of their representative;
• the purposes of the processing; and
• any additional relevant information, including the recipient, the obligation to respond, and its consequences, as well as their rights and the transfer of data abroad (Article 32 of Law No. 18-07).

The Obligations Guidance states that when personal data has not been collected from the data subject, the data controller must, before recording the data or communicating it to a third party, provide the data subject with the information referred to above.

The obligation to inform is not applicable in certain cases mentioned in Article 33 of Law No. 18-07:

• when it is impossible to inform the data subject, especially in the case of processing personal data for statistical, historical, or scientific purposes; in such a case, the data controller must notify the ANPDP of the impossibility of informing the data subject and present the reason for this impossibility;
• if the processing is required by law; and
• if the processing is carried out exclusively for journalistic, artistic, or literary purposes.

8.2. Right to access

Pursuant to Article 34 of Law No. 18-07, the data subject has the right to obtain from the data controller:

• confirmation of whether or not personal data relating to them is being processed;
• the purposes of the processing, the categories of data concerned, and the recipients; and
• communication, in an intelligible form, of the data being processed, as well as any available information on the origin of the data.

However, the data controller may object to manifestly unreasonable requests. The Obligations Guidance emphasizes that the data controller may ask the ANPDP for response times to legitimate access requests and may object to requests that are manifestly abusive, in particular, due to their number and repetitive nature. The burden of proof of the manifestly abusive nature of the request falls on the data controller.

8.3. Right to rectification

Pursuant to Article 35 of Law No. 18-07, data subjects have the right to obtain the updating, rectification, erasure, or blocking of personal data whose processing does not comply with Law No. 18-07. This may be justified, in particular, by the incomplete or inaccurate nature of the data or by the fact that the processing of the data is prohibited by law. The data controller is obliged to make the necessary rectifications at no cost to the applicant within 10 days of the request being made. Moreover, data subjects have the right to have any updating, rectification, erasure, or blocking of personal data notified to third parties to whom personal data has been communicated in cases where it is not impossible.

The Obligations Guidance also mentions that in the event that the data controller refuses the request for updating, rectification, erasure, or blocking or in the event that the controller does not respond within 10 days of their referral, it is possible that the concerned person or their heirs submit this request to the ANPDP.

8.4. Right to erasure

The right to rectification provides for the possibility to request the erasure of personal data.

8.5. Right to object/opt-out

Pursuant to Article 36 of Law No. 18-07, data subjects have the right to object to the processing of their personal data based on legitimate reasons. Additionally, they may object to the use of their personal data for prospecting purposes, in particular for a commercial one.

This right is not available in case the processing relies on a legal obligation or in case it is expressly waived by a legal act authorizing the processing.

8.6. Right to data portability

Law No. 18-07 does not provide for an express right to data portability, however the data subjects right to access provides for a possibility to obtain the communication, in an intelligible form, of the data processed.

8.7. Right not to be subject to automated decision-making

Article 11 of Law No. 18-07 specifies that no decision having legal effect on a person may be made solely on the basis of automated data processing intended to define the profile of the data subject or to evaluate certain aspects of their personality.

8.8. Other rights

Law No. 18-07 does not provide for other data subject rights.

9. Penalties

Law No. 18-07 provides for penalties detailed below:

Provisions of the Algerian Criminal Code (only available in French here) may also be applicable. Accordingly, the erasure of all or part of the data may be ordered and there may be proceedings for the seizure or destruction of the object of the offense.

9.1 Enforcement decisions

We have not identified any public enforcement decision from the ANPDP as Law No. 18-07 recently became fully applicable.