Tunisia - Data Protection Overview
1. Governing Texts
Organic Act No. 2004-63 of 27 July 2004 on the Protection of Personal Data (available only in Arabic and French here) ('the Law') details the scope of data and sets up a national commission in charge of its enforcement.
For over a decade, Tunisian regulators have been trying hard to guarantee a high standard of protection of data for citizens. For this reason, several texts have been enacted such as the Law and Decree No. 2007-3004 of 27 November 2007 Laying Down the Conditions and Procedures for the Declaration and Authorisation of the Processing Of Personal Data (available only in Arabic and French here) ('the Decree').
Article 30 of the Constitution of Tunisia (available only in Arabic here) ('the Constitution') states that it 'protects the right to privacy, making the State responsible for: '... protect[ing] the privacy and inviolability of the home and confidentiality of correspondence, communications, and personal data…'
The law was endorsed by the constitutional embodiment of the protection of privacy, which has placed this protection at the forefront of the rights and freedoms to be guaranteed in the new Republic.
The Ministry of Justice was expected to propose a review of the framework for the protection of personal data, in particular for the Law, by 2019. The review project of the Law has been under parliamentary scrutiny since 2017. A new law project was under study by the Tunisian Parliament ('Parliament') in collaboration with the National Authority of Data Protection ('INPDP'). However, since the former Parliament was suspended on July 25, 2021, the project is now abandoned.
Tunisia's general data protection regime strongly seeks to align itself with that of the EU. It is in light of this reality that one can understand Tunisia's request to accede to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') in 2015. Convention 108 remains the only binding international treaty in data protection today. Basic Law No. 2017/33 on the Approval of the Accession of the Republic of Tunisia to Convention 108 and its additional protocol was passed by the Parliament on May 16, 2017, and published in the Official Gazette of the Republic of Tunisia on June 6, 2017.
Tunisia has also ratified the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108+'). Thus, Tunisia became the 13th country to accede to Convention 108+, ahead of several European countries.
Following the ratification of Convention 108+, Tunisia will be able to modernize its legislation without necessarily resorting to the drafting of new laws. Conventions 108 and 108+ are the only two texts open to all states at the international level that deal with privacy and personal data protection.
The INPDP will soon launch a new website and include a link to the newsletter and other national and international data protection resources. Additionally, the INPDP will soon launch a mobile application, which will enable data subjects to file complaints with the INPDP.
1.3. Case law
The INPDP has confirmed that it has no indication of the potential for case law to provide legal precedent for data protection in Tunisia. The INPDP was originally under the direction of the Ministry of Justice and Human Rights, but following the split of this ministry into two separate government departments, the Ministry of Human Rights is now responsible for the INPDP. This explains the lack of coordination between the INPDP and the Tunisian courts, which are the responsibility of the Ministry of Justice.
2. Scope of Application
Article 1 of the Law states that every person has the right to the protection of personal data related to their privacy as one of the fundamental rights guaranteed by the Constitution.
The Law applies only within Tunisian territory; it is not applicable to foreign companies.
The processing of personal data covers all automated as well as non-automated processing of personal data carried out by a natural or legal person. In particular, activities covered include obtaining, recording, storing, organizing, altering, using, distributing, disseminating, destroying, or consulting the information.
The processing of personal data means any operation in relation to the use of such data, indexes, directories, data files, or their interconnection.
However, the processing of personal data relating to offenses, convictions, criminal prosecutions, sentencing and penalties, security measures, or previous criminal records is prohibited. Additionally, the processing of personal data that reveals, directly or indirectly, racial or genetic origins, religious, political, or philosophical beliefs, trade union membership, or health is also prohibited.
3.1. Main regulator for data protection
The INPDP is established by the provisions of the Law (Chapter VI of the Law).
3.2. Main powers, duties and responsibilities
The INPDP is financially independent and has its main office in Tunis. The INPDP budget is attached to that of the Ministry of Human Rights. However, the INPDP is pushing to have an independent budget.
The INPDP is composed of:
- its President, chosen from eminent persons known for their knowledge in the field, the current President being Mr. Chawki Gaddes;
- a member, chosen from among the members of the Assembly of the Representatives of the People, i.e. Tunisia's legislature;
- a representative of the Presidency of the Government ('the Government');
- two magistrates from the third tier of the Tunisian Court System;
- two magistrates from the Administrative Tribunal;
- a representative from the Ministry of Interior;
- a representative from the Ministry of Defence;
- a representative from the Ministry of Communication Technologies;
- a researcher from the Ministry of Higher Education and Scientific Research;
- a doctor from the Ministry of Health;
- a member of the High Committee of Human Rights and Freedoms; and
- a member, chosen from experts in communication technology.
The INPDP President and members are appointed by decree for three years.
The INPDP has the authority to:
- receive prior notification applications, and authorise or withdraw authorisation for personal data processing;
- handle complaints within its powers as specified in the Law;
- specify the appropriate steps and guarantees to ensure the protection of personal data;
- inspect the processing of personal data and access personal information as part of the execution of its mandate;
- issue opinions on any matter related to the requirements of the Law;
- develop codes of conduct for the processing of personal data;
- contribute to research, studies, and training in the field of data protection;
- conduct investigations, which includes the capability to hear statements and request access to premises being used for data processing (with the exception of embassies); and
- receive assistance for research or specific evaluations from agents of the government department in charge of communication technology, judiciary experts, or any other person the INPDP deems to be necessary.
The public prosecutor in the jurisdiction where the investigation takes place must be informed by the INPDP of any offenses that it has detected.
The INPDP is not bound by the duty of professional secrecy.
The INPDP is also mandated to investigate privacy violations and to report to the Government. It can also bring violators of the Law before the courts.
At a press conference in May 2016 in Tunis, INPDP President, Chawki Gaddes, listed some of the 'most serious' violations that INPDP has confronted. They included, among others, unlawful collection of biometric data, unlawful installation of surveillance cameras, illegal use of personal data by telemarketers, 'wild transfers' of personal data abroad through offshore data servers, and the unauthorized transfer of patients' medical data between healthcare providers.
4. Key Definitions
Personal data: This means 'any information, regardless of its origin or form, which directly or indirectly identifies a person or allows a person to become identifiable through various symbols or data except information related to public life or considered as such by the law' (Article 4 of the Law).
Sensitive data: This is defined as 'personal data that reveals, directly or indirectly, the racial and genetic origins, religious beliefs, political, philosophical and trade union membership or health, which is prohibited' (Articles 5 and 14 of the Law).
5. Legal Bases
Subject to certain exceptions, controllers must obtain a data subject's express, written consent to process their personal data. Consent is invalid if the data subject is incapable, unauthorized, or incompetent to provide consent (Article 27 of the Law).
Tunisian law does not yet provide authorization for online consent. Consent to processing in a specific form or for a specific purpose is limited to that form or purpose (Article 30 of the Law).
The data subject or their representative may withdraw consent at any time during the processing (Article 27 of the Law).
Personal data can only be processed where the obligation is incumbent only on data controllers.
The processing of personal data shall not be carried out for purposes other than those for which it was collected, except in the following circumstances:
- if the data subject has given their consent;
- if the processing is essential for the protection of the data subject's vital interests; and
- if the processing is essential for definite scientific purposes.
Moreover, the communication of video recordings collected for surveillance purposes is prohibited, except in the following situations:
- the data subject, their heirs, or their tutor have given their consent. When the data subject is a child, the provisions of Article 28 of the Law will apply;
- communication is a necessary condition for the public authorities in order to accomplish their missions; and
- communication is a necessary condition for the conviction, discovery, or prosecution of criminal offenses.
According to Article 9 of the Law, 'the processing of personal data shall be done as part of the respect of human dignity, privacy, and public liberties. The processing of personal data, whatever its origin or its methods, shall not harm the human rights protected by the laws and the rules in force. In every case, it is forbidden to use personal data with the aim of infringing individuals' rights or damaging their reputation'.
The data controller must ensure that the collection, processing, and use of personal data is carried out for lawful, specified purposes. Additionally, the data controller must make sure the data is accurate, precise, and up to date.
7. Controller and Processor Obligations
The processing of personal data must be declared and notified to the INPDP at its head office. The INPDP is then expected to issue a receipt acknowledging that it has received prior notification by registered letter or any other means that leaves a written trace. The notification is carried out by the data controller or its legal representative. The notification does not exempt the data controller or its legal representative from its responsibilities. The INPDP is expected to issue its decision within one month from the date of receipt of the application. However, when the INPDP has not issued a decision within this time limit, the application for notification is deemed accepted.
In addition, the duty of notification applies to data processors that intend to collect personal data or transfer it abroad. It is worth noting that until 2015, it was rare to see data processors (such as private companies) engaging with the INPDP to notify their own processing of personal data in accordance with the Law, and, as a result, the application of the Decree has for years been more exceptional than normal.
Additionally, in cases where there is a lack of adequate data protection, the INPDP may require the declarant to provide additional guarantees and set a deadline for the controller to respond to the new requirements (Articles 5 and 6 of the Decree).
The declaration should contain information regarding (Article 8 of the Decree):
- the full name and address of the person in charge of the processing, the subcontractor and their agents for the natural person, and, if it is a legal person, the company name, the head office, the identity of its legal representative, and the trade registry number;
- the identities and addresses of the data subjects;
- the purposes of processing and standards;
- the categories, date, and place of the processing;
- the personal data for which processing is proposed, as well as the origin of the same;
- the recipients of the data;
- the place the data will be stored and the data retention period;
- the measures taken to ensure the confidentiality of personal data and their security;
- a description of the databases to which the controller is interconnected;
- an undertaking to process personal data in accordance with the provisions of the law; and
- a declaration that the conditions of the Tunisian nationality, the residence in Tunisia, and the absence of a criminal background are fulfilled for the person in charge of the processing, the subcontractor, and their agents.
Prior authorisation from the INPDP is required for the use of video surveillance; the request has to contain the same information as that required for INPDP notification, in addition to the following (Article 10 of the Decree):
- the registration number in the trade register, if any, for legal persons;
- a description of places and means where installed; and
- the purpose of the use of video surveillance equipment.
Additionally, prior authorisation is also required for the following processing operations (Article 15 of the Law and Article 11 of the Decree):
- the communication of personal data to third parties in the absence of the consent of the person concerned or their heirs or guardians;
- the transfer of personal data abroad;
- the communication of personal data relating to health to persons or establishments carrying out scientific research in the field of health;
- the processing of personal data which directly or indirectly concern racial or genetic origins, religious beliefs, political, philosophical or trade union opinions or health; and
- the processing of data for historical or scientific purposes after the data controller has obtained the consent of the data subject (Article 49 of the Law).
Here, the request for prior authorisation from the INPDP must likewise contain the same information as that required for INPDP notification in addition to the following (Article 11 of the Decree):
- the registration number in the trade register, if any, for legal persons;
- the personal data intended for the transfer and their nature; and
- the country to which the personal data will be transferred.
The INPDP will issue a decision on the request for prior authorisation within one month. Failure to decide within the deadline constitutes an implied refusal (Article 12 of the Decree).
In relation to prior authorisation of data processing, the INPDP may request additional information or other documents necessary to examine the declaration or to decide on the application for authorisation. In cases where there is a lack of adequate data protection, the INPDP may require the applicant to provide additional guarantees and set a deadline for the controller to respond to the new requirements (Articles 5 and 6 of the Decree).
In this regard, the INPDP may withdraw its authorisation or prohibit the processing of personal data if the controller or processor violates their legal obligations (Article 13 of the Decree). Authorisation to process personal data may also be withdrawn by the courts (Article 100 of the Law).
Notably, provisions of the Law do not apply to the processing of personal data for solely personal or family use, provided that said data is not transmitted to third parties (Article 3 of the Law).
Organisations may notify or request authorisation from the INPDP through the declaration form and prior authorisation forms (available only in French and Arabic here).
To this end, prior declarations and requests for authorisation for the processing of personal data must be submitted by means of forms in paper format or in an electronic version made available to the public. The forms must be personally signed by the controller in the case of a natural person or by a legal representative for legal persons (Article 3 of the Decree). Furthermore, the declaration or the application for authorization must be filed directly with the INPDP against receipt or sent by registered letter with acknowledgment of receipt, or by any other means leaving a written record (Article 7 of the Law and Article 4 of the Decree).
The processing and the transfer of personal data relating to offenses, convictions, criminal prosecutions, sentencing and penalties, and security measures or previous criminal records are not allowed. The processing and the transfer of personal data that reveals, directly or indirectly, the racial and genetic origins, religious beliefs, political, philosophical, and trade union belonging, or health are prohibited. Data transfers outside of Tunisia are only allowed upon obtaining authorisation from the INPDP.
Records must be maintained as long as the legal purpose exists.
A data protection officer ('DPO') is not required by the law but is highly recommended by practice.
The data breach should be notified first to the DPO of the company if at all, then to the INPDP.
The record must be maintained as long as the legal purpose exists.
A controller may not process a minor's personal data without parental or legal guardian consent and the juvenile and the family court judge's authorization (Article 28 of the Law). In Tunisia, a minor is an individual under the age of 18.
The communication of personal data to third parties without the express consent of the data subject, their heirs, or their tutor, given by any means that leaves a written trace, is prohibited, except when the data is necessary for public authorities' missions, for public security or national defense, for criminal prosecutions or for carrying out missions in accordance with the laws and regulations in force.
Please be advised that the processing of personal data that reveals, directly or indirectly, the racial and genetic origins, religious beliefs, political, philosophical, and trade union belonging, or health is prohibited. However, the prohibition provided for the above will not apply to the processing for which the data subject has given their explicit consent by any means that leave a written trace or if the processing relates to personal data which have become obviously public, or if the processing is necessary for historical or scientific purposes or if the processing is necessary for the protection of the data subject's vital interests.
No obligation, but in practice it is highly recommended.
The data processor must observe the provisions of the Law and may act only under the data controller's authorized limitations. The data processor is bound by the same obligations as the data controller. Furthermore, the data processor must offer all the required and appropriate technical means to carry out its assignments. When the data controller entrusts, via subcontracting, to a data processor some or all the processing, it must choose the data processor very carefully. In case of violation of the provisions of the Law, the data controller and the data processor must bear any arising liability.
The legal representative of a legal entity who has applied for the processing of personal data, as well as their employees, must fulfill the following conditions:
- be Tunisian nationals (this condition is outdated in practice, even non-Tunisian directors can apply to process the data of their employees, for example);
- be a resident in Tunisia (this condition is also outdated in practice); and
- have no criminal record.
8. Data Subject Rights
Once the data subject gives their consent, they are considered informed.
According to Article 32 of the Law 'the right of access shall be understood as the right of the data subject, their heirs, or their tutor to consult all the personal data related to them as well as the right to correct, complete, rectify, update, modify, clarify, or delete, when it has been proved that it is inaccurate, equivocal, or prohibited for processing by law.
The right of access shall also be understood as the right to obtain a copy of the personal data in clear language, in accordance with the content of the recordings, and in an understandable way in the case of automatic processing.
The person responsible for the automatic processing of the personal data and the sub-contractor must take all the required technical steps to ensure that the data subject, their heirs, or their tutor may request by e-mail rectification, modification, correction, or deletion of their personal data.
The data subject, their heirs, or their tutor is entitled to ask for rectification, completion, modification, clarification, updating, and deletion of personal data related to them when the data is inaccurate, incomplete, or equivocal.
The data subject, their heirs, or their tutor can ask, for lawful reasons, to correct, complete, rectify, update, modify, or delete them, when it is proved that data is inaccurate and that they have taken cognizance of that.
The Law provides for both civil and criminal sanctions for the processing or the transfer abroad without obtaining prior authorization from the INPDP.
Articles 86 to 105 of the Law provide both criminal and civil sanctions. Processing data without fulfilling the prior notification requirements is punishable by imprisonment for one year and a fine of TND 5,000 (approx. $1,620). The Law states that a penalty of two years imprisonment and a fine of TND 10,000 (approx. $3,250) are applicable for the violation of provisions on processing sensitive data. One year imprisonment and a fine of TND 10,000 (approx. $3,250) are the sanctions for the use of fraud, violence, or threats to extort consent from a person to process their personal data. Moreover, a penalty of imprisonment for one year and a fine of TND 5,000 (approx. $1,620) are applicable to a data controller and the sub-contractor who continue the processing of personal data against the objection of the data subject.
According to Article 86 of the Law, anyone who transfers personal data to a foreign state, whenever it may jeopardize public security or Tunisia's vital interests, will be sentenced to between two and five years imprisonment and a fine of between TND 5,000 (approx. $1,620) and TND 50,000 (approx. $16,230).
There is no access to court judgments since there is no coordination between the INPDP and the Court.