Data Protection in Tunisia

Data protection laws in Tunisia

Tunisia has established itself as a regional pioneer in the protection of personal data, initiating pioneering efforts in this field as early as 2002. These initiatives were consolidated by the adoption of law no. 2004-63 of July 27, 2004, which established a legal framework regulating personal data, reinforced by its implementing decrees, in particular:

  • Decree no. 2007-3003 of November 27, 2007, setting out the operating procedures of the National Authority for Personal Data Protection; and
  • Decree no. 2007-3004 of November 27, 2007, establishing the conditions and procedures for the declaration and authorization of personal data processing.

This legislative framework was subsequently ratified and strengthened in 2022 by a constitutional consecration of privacy protection. This major step forward elevated this right to a priority among the fundamental freedoms to be guaranteed in the new Tunisian Republic, thus affirming the country's commitment to data protection and privacy as a pillar of human rights.

Tunisia has also modernized its legal arsenal in response to digital challenges. Decree-Law no. 2022-54 of September 13, 2022 introduced strict sanctions against cybercrime, while Decree-Law no. 2023-17 of March 11, 2023 regulated cybersecurity and introduced the notion of “cloud” into Tunisian law for the first time. In particular, the decree imposes mandatory periodic audits on companies carrying out automated data processing.

To accompany these reforms, several ministerial orders published in September 2023 specified the terms of application:

  • Order of the Minister of Communication Technologies of September 12, 2023, setting out the procedures and mechanisms for classifying organizations subject to a mandatory periodic audit of their information systems;
  • Order of the Minister of Communication Technologies of September 12, 2023, establishing the technical audit criteria and the methods for following up the recommendations contained in the audit report;
  • Order of the Minister of Communication Technologies of September 12, 2023, defining the procedures and conditions for granting and withdrawing the “secure” label; and
  • Order of the Minister of Communication Technologies of September 13, 2023, specifying the procedures and conditions for granting, renewing and withdrawing the “Government Cloud Service Provider (G-cloud)” and “National Cloud Service Provider (N-cloud)” labels.

Additionally, articles 56, 61 and 75 of the Organic Law n°2015-26 of August 7, 2015 on the Fight Against Terrorism and the Prohibition of Money Laundering addresses the subject of personal data and when the use of personal data is permitted.

Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017 and its Additional Protocol No.181 on supervisory authorities and transborder data flows.

In March 2018, it introduced a new draft law on the protection of personal data in line with the new European GDPR in Parliament, however the law has not yet been passed.

In Tunisia, there is a whole legal arsenal relating to the processing of personal data.

In addition to the above-mentioned texts, there are also decisions rendered by the Instance such as:

  • Decision n° 2 of October 6, 2017 on the processing of personal data in the political field;
  • Decision n° 3 of September 5, 2018 establishing the countries that represent an adequate level of protection of personal data;
  • Decision n° 4 of September 5, 2018 organizing personal health data;
  • Decision n° 5 of September 5, 2018 establishing the conditions and procedures for the installation of cameras and video surveillance; and
  • Decision n°6 of July 2, 2019 concerning control activities carried out by the National Authority for the Protection of Personal Data.

Continue reading

  • no results

Back to top