Last modified 20 March 2026

Data Protection in Algeria

Data protection laws in Algeria

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Algeria

Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data processing, as amended and supplemented notably by law No. 25-11 of 24 July 2025 (“Law No. 18-07”).

This recent amendment marks a further step in Algeria’s progressive alignment of its data protection framework with international standards, particularly the GDPR, through the introduction of stronger accountability, risk-based, and governance requirements.

Related resources

Definitions

Definitions in Algeria

Definition of personal data

Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as "data subject", directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Definition of sensitive personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or relating to health, including genetic data.

Related resources

Authority

National data protection authority in Algeria

Since August 2023, an independent administrative authority for the protection of personal data, known as the "National Data Protection Authority" (National Authority), is hereby established, with its headquarters in Algiers.

The national authority is responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of the law and for ensuring that the use of information and communication technologies does not threat the rights of individuals, public freedoms and privacy.

The National Authority’s missions are the below:

Draw up rules of good conduct and ethics applicable to the processing of personal data;
Advise individuals and entities in the use personal data;
Inform data subjects of their rights and data controllers of their obligations;
Issue authorisations and receive declarations relating to the processing of personal data;
Authorize cross-border transfers of personal data under the conditions laid down by the law;
Publish the authorisations granted and the opinions issued in the national register referred to in Article 28 of Law No. 18-07;
Receive claims, appeals and complaints relating to the processing of personal data, and inform their authors of the action taken on them;
Order any changes necessary to protect the personal data processed;
Order the closure, removal or destruction of data; and
Take administrative sanctions under the conditions defined by Article 46 of the present law No. 18-07.

According to the statistics published by the National Authority, as of 31 October 2023, only 3 months after it began operations the achievements were the below:

228 files relating to declarations, requests for authorisation and requests for opinions submitted by bodies processing personal data had been received; and
174 files are awaiting further information, 54 files have been examined, including 46 declarations, 07 requests for authorisation and 01 request for an opinion, and the authority's overall mission is continuing.

On 28 February 2024, the National Authority announced on its website that it will begin its first field inspections of companies in the private sector, in order to examine the various processing procedures before extending the operation to individuals and public companies.

The National Authority is now empowered to rely on regional branches dedicated to inspection and audit activities, strengthening its enforcement capabilities across the national territory.

Related resources

Registration

Registration in Algeria

The National Authority has set up a digital portal on its website enabling those concerned by the processing of personal data to create an account and fill in electronic forms with the below:

For prior declaration of processing operations;
Requests for authorisation; and
Requests for opinions.

Applicants may also monitor the status of their requests. The processing of personal data is subject to the below:

A prior declaration must be filed with the National Authority by the data controller of a private or public entity whenever the latter is likely to receive, store and process personal data. This declaration must be renewed before any new data is processed; or
A prior authorization of the National Authority when the processing concerns any of the following:
- transfer of personal data abroad;
- communication of data to a third party;
- The interconnection of data belonging to one or more legal entities managing a public service for different purposes relating to the general interest must be authorised by the National Authority.

Article 3 of the law No. 18-07 defines “data interconnection” as (free translation): “(…) any mechanism of connection involving the linking of processed data for a specific purpose with other processed data, whether for identical or different purposes, by the same data controller or by one or more other data controllers.”

Since 2025, data controllers and subcontractors-processors are required to maintain detailed records of processing activities, including:

identity and contact details of the controller and, where applicable, the data protection officer;
purposes and legal basis of processing;
categories of data subjects and personal data;
recipients, including international transfers;
retention periods;
security measures implemented.

Subcontractors-processors must also maintain records of processing carried out on behalf of controllers.

These records must be made available to the National Authority upon request.

Related resources

Data protection officers

Data protection officers in Algeria

Controllers and any public authority responsible for the prevention and detection of offences, investigations, inquiries and prosecutions, as well as the enforcement and execution of sentences, or any body or entity exercising public authority and exercising law enforcement powers for the purposes of the prevention and detection of offences, investigations, inquiries, criminal prosecutions, and the enforcement and execution of sentences, must appoint a Data Protection Officer (DPO).

The DPO must be selected on the basis of professional qualities and expertise in data protection law and practices.

The DPO shall:

inform and advise on compliance obligations;
monitor compliance with applicable data protection rules and internal policies;
advise on data protection impact assessments; and
act as the contact point with the National Authority.

The form for appointing a representative is available on the portal of the National Authority's website.

The data controller or its authorised representative will be considered the official contact for the National Authority.

In the case of a data officer established abroad, in accordance with Article 04 (point 02) of Law No. 18-07 concerning the protection of individuals with regard to the processing of personal data (free translation): "When the data controller is not established in the Algerian territory but uses, for the purpose of processing personal data, automated or non- automated means located in the Algerian territory, excluding processing used solely for transit within the national territory. In this case, the data controller must notify the national authority of the identity of its representative established in Algeria, who, without prejudice to their personal responsibility, replaces them in all their rights and obligations arising from the provisions of this law and the texts adopted for its implementation."

Related resources

Collection and processing

Collection and processing in Algeria

How is personal data collected

Law No. 18-07 applies to any public or private entity likely to receive, store and process personal data. As soon as an entity receives data, whether in digital form or not, it must comply with law No. 18-07.

Personal data is, notably, collected through direct input, cookies, social media, mobile apps, surveys, public records, purchase transactions, and by employers or institutions.

How is personal data processed

Personal data processing may only be processed with the express consent of the data subject (or consent of the legal representatives of a child, failing which by authorisation of the competent judge).

The data subject may withdraw his / her consent at any time.

Personal data may only be communicated to a third party for purposes directly related to the functions of the data controller and the recipient. Such communication is subject to the prior consent of the data subject.

However, in some cases, consent is not required if the processing is necessary, namely:

to comply with a legal obligation to which the data subject or the data controller is obliged;
to protect the data subject's life;
for the performance of a contract to which the data subject is a party or to the performance of pre-contractual measures taken at their request;
to safeguard the vital interests of the person concerned, if they are physically or legally unable to give their consent;
for the performance of a task carried out in the public interest; or in the exercise of official authority vested in the data controller or the third party to whom the data is communicated; or
for the accomplishment of a legitimate interest pursued by the data controller or the recipient, within the interest and/or fundamental rights and freedoms of the data subject.

Specific rights and protections

The person concerned by the collection of their data has a right to information, a right of access, a right of rectification and a right to object to their data being collected.

According to Article 9 of the law No. 18-07 (free translation):

“Personal data must be:

processed lawfully and fairly;
collected for specified, explicit and legitimate purposes legitimate purposes and may not be further processed in a way that is incompatible with those purposes;
adequate, relevant and not excessive in relation to the purposes for which they are collected or processed;
accurate, complete and, where necessary, kept up to date;
kept in a form which permits identification of the data subjects for no longer than is the purposes for which they were collected or processed.”

Judicial and other decisions

Court decisions requiring an assessment of a person’s conduct may not be based solely on the automated processing of personal data involving the evaluation of certain aspects of their personality.

No other decision having legal effects on an individual may be taken solely on the basis of automated data processing designed to characterize an individual or to evaluate certain aspects of their personality, including profiling.

The law now explicitly recognizes the concept of profiling, defined as any use of personal data intended to evaluate or predict aspects relating to a natural person (performance, behavior, preferences, etc.), and implicitly introduces stricter requirements regarding transparency, proportionality and the limitation of decisions based solely on automated processing.

Data Protection Impact Assessment

Where a type of processing, in particular involving the use of new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to processing, assess the impact of the processing operations to be carried out on personal data, taking into account the nature, scope, context and purposes of the processing.

The assessment must include, at a minimum, a general description of the processing operations to be carried out, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms capable of ensuring the protection of personal data and providing evidence of compliance with the provisions of this Act, having regard to the rights and legitimate interests of the data subjects and other persons.

Related resources

Transfer of personal data

Transfer of personal data in Algeria

According to the provisions of the law No. 18-07, the data controller may only transfer personal data to a foreign State with the authorisation of the national authority in accordance with Law No. 18-07 and if that State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data.

However, Article 45 of the law No 18-07 provides derogations from the general provisions for transferring personal data (free translation):

“Article 45: In derogation from the provisions of Article 44 of this law [general provisions explained above], the data controller may transfer personal data to a State that does not meet the conditions specified in the said article [a sufficient level of protection for privacy and the fundamental freedoms and rights of individuals] under the following circumstances:

If the data subject has expressly consented to the transfer;
If the transfer is necessary for:
1. Preserving the life of the data subject;
2. Preserving public interest;
3. Fulfilling obligations to establish, exercise, or defend a legal right;
4. Executing a contract between the data controller and the data subject or for pre-contractual measures at the request of the data subject;
5. Concluding or executing a contract in the interest of the data subject between the data controller and a third party;
6. Executing a measure of international judicial cooperation;
7. Preventing, diagnosing, or treating medical conditions.
If the transfer is carried out under a bilateral or multilateral agreement to which Algeria is a party.
With the authorization of the national authority, if the processing complies with the provisions of Article 2 of this law.”

In any case, it is forbidden to communicate or transfer personal data to a foreign country, when such transfer is likely to affect public security or the vital interests of the State.

Related resources

Security

Security in Algeria

The controller or subcontractor-processor must also implement appropriate technical and organizational measures to ensure an appropriate level of protection against risks, in particular for processing operations involving sensitive and biometric data, taking into account the state of the art, the cost of implementing the processing, its nature, scope, context and purposes.

Transfer of data abroad

The foreign State must ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to data processing.

The adequacy of the level of protection provided by a State is assessed in particular by the security measures applicable there.

Additional safeguards apply to transfers carried out in the context of criminal investigations or law enforcement cooperation, including assessment of:

the level of protection in the recipient country;
the existence of supervisory authorities;
the necessity and proportionality of the transfer.

Related resources

Breach notification

Breach notification in Algeria

Where the processing of personal data over electronic communication networks results in the destruction, loss, alteration, disclosure or unauthorised access of such data, the service provider must notify the national authority and the data subject within a maximum period of five (5) days after becoming aware of the breach.

Where the breach is likely to result in a high risk to individuals, the data subject must also be informed in clear and simple terms.

Failure by a service provider to notify the national authority or the data subject of a personal data breach is punishable by imprisonment and a fine.

Related resources

Enforcement

Enforcement in Algeria

Administrative measures

In cases of violation of the provisions of Law No. 18-07 by a controller, the following administrative measures may be taken by the national authority:

warning;
formal notice;
provisional withdrawal for a period not exceeding one year, or definitive withdrawal of the declaration receipt or authorisation;
a fine.

The national authority may also impose fines on a controller which:

refuses, without legitimate reason, the rights of information, access, rectification or opposition;
fails to make the required notifications to the national authority.

Criminal sanctions

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a fine.

Article 47 to 74 of the law No. 18-07 provide that non-compliance with the Data Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and / or imprisonment between two months and five years.

Specific rules apply to processing carried out for law enforcement purposes (prevention, investigation and prosecution of criminal offences), including exemptions from consent and possible restrictions to data subject rights.

Related resources

Electronic marketing

Electronic marketing in Algeria

Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider who collects personal data and builds up customer and prospect files must only collect the data necessary to conclude commercial transactions. It must:

collect the consent of e-consumers prior to the collection of data;
guarantee the security of information systems and the confidentiality of data;
comply with the relevant legislative and regulatory provisions.

Related resources

Online privacy

Online privacy in Algeria

Not applicable.

Related resources

Key contacts

Data protection lawyers in Algeria

Lamia Naamoune

Associate

L&P Partners

Algiers

Email Full bio

Rafik Nedjar

Associate

L&P Partners

Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data processing, as amended and supplemented notably by law No. 25-11 of 24 July 2025 (“Law No. 18-07”).

Quick links

Data Protection in Algeria

Data protection laws in Algeria

Continue reading