Law

Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data processing (“Law No. 18-07”).

Definition of Personal Data

Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as "data subject", directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Definition of Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or relating to health, including genetic data.

Since August 2023, an independent administrative authority for the protection of personal data, known as the "National Data Protection Authority" (National Authority), is hereby established, with its headquarters in Algiers. 

The national authority is responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of the law and for ensuring that the use of information and communication technologies does not threat the rights of individuals, public freedoms and privacy. 

The National Authority’s missions are the below:

• Draw up rules of good conduct and ethics applicable to the processing of personal data;
• Advise individuals and entities in the use personal data;
• Inform data subjects of their rights and data controllers of their obligations;
• Issue authorizations and receive declarations relating to the processing of personal data;
• Authorize cross-border transfers of personal data under the conditions laid down by the law;
• Publish the authorisations granted and the opinions issued in the national register referred to in Article 28 of Law No. 18-07;
• Receive claims, appeals and complaints relating to the processing of personal data and inform their authors of the action taken on them;
• Order any changes necessary to protect the personal data processed;
• Order the closure, removal or destruction of data; and
• Take administrative sanctions under the conditions defined by Article 46 of the present law No. 18-07;

According to the statistics published by the National Authority, as of 31 October 2023, only 3 months after it began operations the achievements were the below:

• 228 files relating to declarations, requests for authorisation and requests for opinions submitted by bodies processing personal data had been received; and
• 174 files are awaiting further information, 54 files have been examined, including 46 declarations, 07 requests for authorisation and 01 request for an opinion, and the authority's overall mission is continuing.

More recently (i.e. on 28 February 2024), the National Authority announced on its website that it will begin its first field inspections of companies in the private sector, in order to examine the various processing procedures before extending the operation to individuals and public companies.

The National Authority has set up a digital portal on its website enabling those concerned by the processing of personal data to create an account and fill in electronic forms with the below: 

• For prior declaration of processing operations; 
• Requests for authorisation; and 
• Requests for opinions. 

Applicants may also monitor the status of their requests.

The processing of personal data is subject to the below:

• A prior declaration must be filed with the National Authority by the data controller of a private or public entity whenever the latter is likely to receive, store and process personal data. This declaration must be renewed before any new data is processed; or
• A prior authorization of the National Authority when the processing concerns any of the following:
  • transfer of personal data abroad;
  • communication of data to a third party;
  • The interconnection of data belonging to one or more legal entities managing a public service for different purposes relating to the general interest must be authorised by the National Authority;
    • Article 3 of the law No. 18-07 define “data interconnection” as (free translation): “(…) any mechanism of connection involving the linking of processed data for a specific purpose with other processed data, whether for identical or different purposes, by the same data controller or by one or more other data controllers.”

Each natural or legal person processing personal data must designate its data controller or authorised representative and communicate the latter's contact details to the National Authority.

The form for appointing a representative is available on the portal of the National Authority's website.

The data controller shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

The data controller or its authorised representative will be considered the official contact for the National Authority.

In the case of a data officer established abroad: 

In accordance with Article 04 (point 02) of Law No. 18-07 concerning the protection of individuals with regard to the processing of personal data (free translation):

"When the data controller is not established in the Algerian territory but uses, for the purpose of processing personal data, automated or non-automated means located in the Algerian territory, excluding processing used solely for transit within the national territory.

In this case, the data controller must notify the national authority of the identity of its representative established in Algeria, who, without prejudice to their personal responsibility, replaces them in all their rights and obligations arising from the provisions of this law and the texts adopted for its implementation."

As in any case, all the forms to be filled are available on the National Authority website or at direct request by e-mail to: [email protected].

How is Personal Data collected

The law No. 18-07 applies to any public or private entity likely to receive, store and process personal data. As soon as an entity receives data, whether in digital form or not, it must comply with law No. 18-07.

Personal data is, notably, collected through direct input, cookies, social media, mobile apps, surveys, public records, purchase transactions, and by employers or institutions.

How is Personal Data processed

Personal data processing may only be processed with the express consent of the data subject (or consent of the legal representatives of a child, failing which by authorisation of the competent judge).

The data subject may withdraw his / her consent at any time. 

Personal data may only be communicated to a third party for purposes directly related to the functions of the data controller and the recipient. Such communication is subject to the prior consent of the data subject.

However, in some cases, consent is not required if the processing is necessary:

• to comply with a legal obligation to which the data subject or the data controller is obliged;
• to protect the data subject's life; 
• for the performance of a contract to which the data subject is a party or to the performance of pre-contractual measures taken at their request;
• to safeguard the vital interests of the person concerned, if they are physically or legally unable to give their consent;
• for the performance of a task carried out in the public interest. Or in the exercise of official authority vested in the data controller or the third party to whom the data is communicated; or
• for the accomplishment of a legitimate interest pursued by the data controller or the recipient, within the interest and/or fundamental rights and freedoms of the data subject.

Specific rights and protections

The person concerned by the collection of their data has a right to information, a right of access, a right of rectification and a right to object to their data being collected.

According to Article 9 of the law No. 18-07 (free translation): 

“Personal data must be:

1. processed lawfully and fairly;
2. collected for specified, explicit and legitimate purposes legitimate purposes and may not be further processed in a way that is incompatible with those purposes;
3. adequate, relevant and not excessive in relation to the purposes for which they are collected or processed;
4. accurate, complete and, where necessary, kept up to date;
5. kept in a form which permits identification of the data subjects for no longer than is the purposes for which they were collected or processed.”

According to the provisions of the law No. 18-07, the data controller may only transfer personal data to a foreign State with the authorisation of the national authority in accordance with Law No. 18-07 and if that State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data. 

However, Article 45 of the law No 18-07 provides derogations from the general provisions for transferring personal data (free translation):

“Article 45: In derogation from the provisions of Article 44 of this law [general provisions explained above], the data controller may transfer personal data to a State that does not meet the conditions specified in the said article [a sufficient level of protection for privacy and the fundamental freedoms and rights of individuals] under the following circumstances:

1. If the data subject has expressly consented to the transfer;
2. If the transfer is necessary for:
   1. Preserving the life of the data subject;
   2. Preserving public interest;
   3. Fulfilling obligations to establish, exercise, or defend a legal right;
   4. Executing a contract between the data controller and the data subject or for pre-contractual measures at the request of the data subject;
   5. Concluding or executing a contract in the interest of the data subject between the data controller and a third party;
   6. Executing a measure of international judicial cooperation;
   7. Preventing, diagnosing, or treating medical conditions.
3. If the transfer is carried out under a bilateral or multilateral agreement to which Algeria is a party.
4. With the authorization of the national authority, if the processing complies with the provisions of Article 2 of this law.”

In any case, it is forbidden to communicate or transfer personal data to a foreign country, when such transfer is likely to affect public security or the vital interests of the State.

The controller must put in place measures to ensure the integrity and protection of the data. 

These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. 

If the processing is carried out on behalf of the controller, the controller must choose a processor providing sufficient guarantees in respect of the technical and organisational security measures relating to the processing to be carried out and must ensure compliance with those measures.  

Transfer of data abroad 

The foreign State must ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to data processing. 

The adequacy of the level of protection provided by a State is assessed in particular by the security measures applicable there.

Administrative measures 

In case of violations of the provisions of Law No. 18-07 by the controller, administrative measures are taken by the national authority: 

• warning;
• formal notice;
• provisional withdrawal for a period not exceeding one year, or definitive withdrawal of the declaration receipt or authorisation;
• a fine. 

The national authority may also impose fines on the controller which: 

• refuses, without legitimate reason, the rights of information, access, rectification or opposition;
• fails to make the required notifications to the national authority. 

Criminal sanctions 

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a fine. 

Article 47 to 74 of the law No. 18-07 provide that non-compliance with the Data Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and / or imprisonment between two months and five years.

Mandatory breach notification

Where the processing of personal data over electronic communication networks results in the destruction, loss, alteration, disclosure or unauthorised access of such data, the service provider must notify the national authority and the data subject without delay where such a breach may affect the privacy of the data subject. 

Failure by a service provider to notify the national authority or the data subject of a personal data breach is punishable by imprisonment and a fine.

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a fine. 

Article 47 to 74 of the law No. 18-07 provide that non-compliance with the Data Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and / or imprisonment between two months and five years.

Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider who collects personal data and builds up customer and prospect files must only collect the data necessary to conclude commercial transactions. It must: 

• collect the consent of e-consumers prior to the collection of data;
• guarantee the security of information systems and the confidentiality of data;
• comply with the relevant legislative and regulatory provisions.

Not applicable.