Personal Data Protection: An Overview of Algerian Regulations

In view of the central role played by digital technology, both in economic activity and in everyday life, Algeria has adopted a structured legal framework conducive to the protection of personal data and based on an approach that guarantees individuals control over the use of their data.

This legal framework is principally defined by Law No. 18-07 of June 10, 2018, relating to the protection of natural persons in the processing of personal data, which law was amended and completed by Law No. 25-11 of July 24, 2025 (“Law 18-07“).

Following a compliance phase, these regulations are now being effectively implemented, as evidenced in particular by the publication of the first decisions of the National Authority for the Protection of Personal Data (Autorité Nationale de Protection des Données à caractère Personnel – “ANPDP“), which has been fully operational since August 2023.

In view of its importance and scope, these regulations must be implemented by all economic operators acting, or wishing to act, on the Algerian market

• A structured and efficient legal framework

 Law 18‑07 lays down the rules applicable to any processing of personal data, which processing must be carried out “with due respect for human dignity, privacy and civil liberties and must not infringe the rights of individuals, their honour or their reputation” (Article 2).  

 To this end, the Law establishes several fundamental principles governing the processing of personal data: such processing must be lawful and fair, must pursue a specific purpose, must respect the proportionality of the data collected and must ensure their security and confidentiality. It also guarantees to the data subjects the protection of a number of rights: the right to information, the right of access, the right to rectification and the right to object.

More broadly, the principle of “prior consent” lies at the core of Algerian regulations: the processing of personal data may be carried out only with the express consent of the data subject (Article 7 of Law 18-07). This principle is subject only to limited exceptions (legal obligation, protection of the life or vital interests of the data subject, performance of a contract, performance of a task carried out in the public interest, or in pursuit of a legitimate interest).

Pursuant to this principle, Law 18-07 prohibits direct marketing, by any means whatsoever, using the contact details of a natural person who has not given prior consent.

This legal framework ’applies, as a matter of principle,  to operators in the public and private sectors, whether natural persons or legal entities, (i) that carry on an activity in the Algerian territory in any form whatsoever (company, permanent establishment, etc.), or (ii) that, without being established in the Algerian territory, use automated means located in Algeria to process personal data.

Law 18-07 furthermore strictly regulates the transfer abroad of collected personal data, by subjecting such transfer, in particular, to the prior authorization of the ANPDP, save for exceptions expressly set out by the Law.

Compliance with the provisions of Law 18‑07 is criminally sanctioned by penalties that may reach up to five (5) years’ imprisonment and a fine of 500,000 Algerian dinars, depending on the offences committed.

Law No. 25-11 of 24 July 2025 has finally significantly strengthened the existing legal framework by introducing new obligations and modernising certain concepts as follows:

1. Modernisation of legal concepts: Law No. 25-11 has in particular introduced the concepts of biometric data, profiling, pseudonymisation and personal data breach.
2. Strengthening of the obligations of controllers: Undertakings are henceforth required to implement structured compliance tools, including a register of processing activities and an automated log of operations enabling the traceability of processing operations to be ensured. These elements must be kept available to the ANPDP upon request.
3. Strengthening of the role of the ANPDP: The ANPDP henceforth has enhanced powers of supervision and audit, in particular through the establishment of regional divisions and the extension of its remit.

• A fully operational national authority

The ANPDP constitutes the primary and central point of contact for operators in matters relating to data protection.

In this capacity, any processing of personal data is subject to a prior notification to the ANPDP, and even to a prior authorization by said authority where the proposed processing “poses manifest risks to the respect for and protection of privacy and of the fundamental freedoms and rights of individuals”.

Within this framework, the controllers of the operators concerned must create an account on the ANPDP online platform, on which they submit their processing notifications and, where applicable, file their applications for authorization.

They must also appoint a Data Protection Officer (DPO), whose contact details are communicated to the ANPDP and who constitutes the point of contact with the latter.

In practical terms, bringing controllers into compliance entails a twofold process, combining a dematerialized phase via the online account created by the controller and a physical phase consisting in the filing of declarations or applications for authorization at the headquarters of the ANPDP in Algiers.

 Since it was established, the ANPDP has adopted several deliberations that have specifically clarified the practical arrangements for implementing the regulations in a number of sectors:

1. Data Protection Officer (Decision No. 01 of 24 December 2025): By means of this deliberation, the ANPDP specifies the role of the Data Protection Officer (DPO), who is central to the compliance framework.
2. Health data (Decision No. 01 of 25 February 2026): The ANPDP considers that negative medical test results evidencing the absence of consumption of drugs or psychotropic substances in the context of recruitment constitute health data and, are subject to the declaration regime with the ANPDP and to a retention period limited to three (3) months.
3. Video surveillance in the workplace (Decision No. 02 of 4 March 2026): Under this deliberation, the ANPDP strictly regulates the use of video surveillance, in particular by requiring a prior declaration, restricting the purpose to the security of persons and property, and imposing transparency and security obligations.
4. Biometric data – attendance control (Decision No. 03 of 6 May 2026): By this deliberation, the ANPDP regulates the use of biometric systems for monitoring attendance at work. The ANPDP thus considers that such data constitute personal data, the processing of which is permissible for human resources management purposes, subject, on the one hand, to the prior authorization of the ANPDP and, on the other hand, to compliance with information, security and confidentiality obligations. Conversely, their processing does not require the prior consent of the employees concerned. The retention period is limited to the duration of the employment relationship.

These decisions confirm the intention of the Algerian authorities to confer a relatively broad scope of application upon the regulations arising from Law 18-07 and, accordingly, to adopt a protective approach toward individuals in the context of the processing of their personal data.