DLA Piper Intelligence

Data Protection
Laws of the World

Law

Tunisia
Tunisia

Law n° 2004-63 dated July 27, 2004, on the Protection of Personal Data, regulates personal data, but even before that, Tunisia was already a pioneer in its region since 2002 in the field of personal data protection. This law was endorsed by the 2014 constitutional embodiment of the protection of privacy, which has placed this protection at the forefront of the rights and freedoms to be guaranteed in the new Republic.

Additionally, articles 56, 61 and 75 of the Organic Law n° 2015-26 of August 7, 2015 on the Fight Against Terrorism and the Prohibition of Money Laundering addresses the subject of personal data and when the use of personal data is permitted.

Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017.

In March 2018, it introduced a new draft law on the protection of personal data in line with the new European GDPR in Parliament.

Last modified 28 Jan 2019
Law
Tunisia

Law n° 2004-63 dated July 27, 2004, on the Protection of Personal Data, regulates personal data, but even before that, Tunisia was already a pioneer in its region since 2002 in the field of personal data protection. This law was endorsed by the 2014 constitutional embodiment of the protection of privacy, which has placed this protection at the forefront of the rights and freedoms to be guaranteed in the new Republic.

Additionally, articles 56, 61 and 75 of the Organic Law n° 2015-26 of August 7, 2015 on the Fight Against Terrorism and the Prohibition of Money Laundering addresses the subject of personal data and when the use of personal data is permitted.

Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017.

In March 2018, it introduced a new draft law on the protection of personal data in line with the new European GDPR in Parliament.

Last modified 28 Jan 2019
Definitions

Definition of personal data

Article 4 of Act n° 2004-63 of July 27, 2004 defined personal data as all information regardless of their origin or form and which directly or indirectly allows to identify or make identifiable a natural person, with the exception of information related to public life or considered as such by law.

Definition of sensitive personal data

Act n° 2004-63 of July 27, 2004 did not give a clear definition of sensitive personal data, but it listed some personal data the processing of which is either prohibited, or would question the data subject’s prior consent or the national authority’s authorization.

The processing of personal data is prohibited when involving criminal history and proceedings, criminal prosecution, penalties, preventative measures or judicial history.

In addition, the processing of personal data which directly or indirectly concerns the following is also prohibited:

  • Racial or genetic origins
  • Religious beliefs
  • Political opinions
  • Philosophical or union activism, or
  • Health and scientific research
Last modified 28 Jan 2019
Authority

The National Authority for Protection of Personal Data (the Instance) was created by Decree n° 2007-3003 of November 27th, 2007.

Last modified 28 Jan 2019
Registration

Any processing of personal data shall be subject to a prior declaration filed at the headquarters of the National Authority for Protection of Personal Data, or by any other means leaving a written record.

  • The declaration shall be made by the controller or his legal representative.
  • The declaration does not exempt third parties from liability.
  • The conditions and procedures for submitting the declaration shall be laid down by decree.
  • The Commission may object to the processing of personal data within one month from when the declaration is accepted. (Article 7 of the 2004 Act).
Last modified 28 Jan 2019
Data Protection Officers

Under Tunisian law, there is no reference to Data Protection Officers.

Last modified 28 Jan 2019
Collection & Processing

The following principles generally apply to the processing of personal data:

  • Personal data must be collected directly from the data subject.
  • Personal data collected from third parties are permitted whenever the data subject, his heirs or his agent have provided their consent.
  • The processing of personal data must respect human dignity, privacy and public liberties.
  • The collecting of personal data shall be exclusively carried out for lawful and clear purposes. 

Among the main prerequisites for the legitimate processing of personal data is the informed consent of the data subject, which means that the processing of personal data cannot be carried out without the express and written consent of the data subject. This consent shall be governed by the general rules of law if the data subject is incompetent or unauthorized or incompetent to sign.

The data subject or his agent is allowed to withdraw his consent, at any time during the processing. 

Additionally, and in the spirit of child protection, Tunisian law has provided extra protection to personal data relating to children as this kind of data cannot be carried out without the consent of the child’s agent and after authorization of the juvenile and family court judge. 

Finally, the consent provided for the processing of personal data under a specific given shall not apply to other forms or purposes.

Last modified 28 Jan 2019
Transfer

The transfer of personal data is treated in the 5th Chapter of the 2004 Act on the protection of personal data (Articles 47 to 52), and is generally prohibited or subject to strict measures, including prior authorization (submitted to the National Authority for Protection of Personal Data), and the explicit consent of the person in question, which is mandatory. The transfer of personal data to a foreign country is prohibited whenever it may endanger public security or Tunisia's vital interests.

The international transfer of personal data may not take occur if the foreign country does not provide an adequate level of protection. In every case, the authorization of the Instance is required before the transfer of personal data. The Instance shall issue its decision within one month from the date of receipt of the application.

Last modified 28 Jan 2019
Security

The National Authority for Protection of Personal Data is responsible for determining the proper measures and necessary safeguards in order to protect personal data.

Last modified 28 Jan 2019
Breach Notification

Under Tunisian Law, it is up to the person in question to make this kind of notification, or to its heirs and agents in certain circumstances.

Mandatory breach notification

The public prosecutor in the jurisdiction where the investigation takes place shall be informed by The National Authority for Protection of Personal Data of any offenses that it has detected.

Last modified 28 Jan 2019
Enforcement

The National Authority for Protection of Personal Data is legally mandated to ensure compliance with the provisions of the Law, but there is no information about cases where sanctions were applied to personal data infringements.

A draft bill on personal data is currently being considered by the Parliamentary Committee on Rights and Freedoms in the Tunisian Parliament, which revolutionizes the existing Law, and when adopted, will be in correspond to the European standards for Data Protection.

Last modified 28 Jan 2019
Electronic Marketing

Electronic Marketing is regulated under Tunisian Law by The Electronic Exchanges and Electronic Commerce Law n° 2000-83 enacted on August 9, 2000.

This law is quite comprehensive and regulates the main aspects of this field. For instance:

  • The preservation of the electronic document is as important as the preservation of the written document
  • Each person using an electronic signature device shall:
    • Take minimum precautions to avoid illegitimate use of encryption elements or personal signature equipment
    • Inform the electronic certification service provider of any fraudulent use of his electronic signature
Last modified 28 Jan 2019
Online Privacy

There is no specific mention to online privacy under the 2004 law on the Protection of Personal Data.

However, the same safeguards including restrictions and sanctions apply as well to online privacy under Tunisian Law.

Furthermore, it is prohibited to use the processing of personal data for promotional purposes unless the data subject, his heirs or his tutor gives his explicit and specific consent.

Last modified 28 Jan 2019
Contacts
Mohamed Lotfi El Ajeri
Mohamed Lotfi El Ajeri
Managing Partner
Al Ajeri Lawyers
T +(216) 71 288 251 – 71 287 238
Last modified 28 Jan 2019