ALGERIA

Data Protection
Laws of the World
Introduction
Welcome to the 2025 edition of DLA Piper's Data Protection Laws of the
World Handbook. Since the launch of our first edition in 2012, this
comprehensive guide has been a trusted resource for navigating the
complex landscape of privacy and data protection laws worldwide. Now in
its fourteenth edition, the Handbook has grown to provide an extensive
overview of key privacy and data protection regulations across more than
160 jurisdictions. As we step into 2025, the global landscape of data
protection and privacy law continues to evolve at an unprecedented pace.
With new legislation emerging in jurisdictions around the world,
businesses face a growing need to stay informed and agile in adapting to
these changes. This year promises to bring new developments and
challenges, making the Handbook an invaluable tool for staying ahead in
this ever-changing field.

Europe
Established data protection laws in Europe continue to evolve through
active regulatory guidance and enforcement action. In the United
Kingdom, the UK government has proposed reforms to data protection
and e-privacy laws through the new Data (Use and Access) Bill (“DUAB“).
The DUAB follows the previous government’s unsuccessful attempts to
reform these laws post-Brexit, which led to the abandonment of the Data
Protection and Digital Information (No.2) Bill (“DPDI Bill“), in the run-up to
the general election. Although the DUAB comes with some bold
statements from the government that it will “unlock the power of data to
grow the economy and improve people’s lives“, the proposals represent
incremental reform, rather than radical change.

United States
In the United States, legislation on the federal and in particular state level
continues to evolve at a rapid pace. Currently, the US has fourteen states
with comprehensive data privacy laws in effect and six state laws will take
effect in 2025 and early 2026. Additionally, at the federal level, the new
administration has signaled a shift in enforcement priorities concerning
data privacy. Notably, there is a renewed focus on the regulation of
artificial intelligence (AI), with an emphasis on steering away from
regulation and promoting innovation. This includes the revocation of
previous executive orders related to AI and the implementation of new
directives to guide AI development and use.

In the realm of children's privacy, many of the new administration's

supporters in Congress have indicated a desire to make the protection of
children on social media a top priority, and new leadership at the Federal
Trade Commission (FTC) appears aligned on this goal, albeit with a
willingness to take another look at the recently adopted amendments to
the Children's Online Privacy Protection Act (COPPA) Rule. Health data

DATA PROTECTION LAWS OF THE WORLD | DLAPIPERDATAPROTECTION.COM 2

 privacy remains a critical concern, with a handful of states following
Washington state's lead in enhancing or adopting health data privacy laws.
On the international data transfer front, Executive Order (E.O.) 14117 “
Preventing Access to Americans’ Bulk Sensitive Personal Data and United
States Government-Related Data by Countries of Concern” as
supplemented by the DOJ’s final Rule will impact companies transferring
data into certain jurisdictions, such as China, Iran and Russia. Another area
of focus for companies with an EU presence will be the Trump
administration's approach to the Privacy and Civil Liberties Oversight
Board, as it is a critical pillar of the EU/UK/Swiss-US Data Privacy
Framework.

Asia, the Middle East, and Africa

Nowhere is the data protection landscape changing faster – and more
fundamentally – than in Asia, with new laws in India, Indonesia, Australia
and Saudi Arabia, as well continued new data laws and regulations in China
and Vietnam. The ever-evolving data laws, as well as the trend towards
regulating broader data categories (beyond personal data), in these
regions continue to raise compliance challenges for multi-national
businesses.

Emerging trends in data governance

Unlocking data, regulating the relentless advance of AI, creating fairer
digital markets and safeguarding critical infrastructure against the ever
growing cyber threat, continue to impact and overlap with the world of
data protection and privacy. Perhaps most notably, the EU have introduced
a raft of new laws forming part of its ambitious digital decade, which will
bring huge change to businesses operating within the EU. With the rapid
adoption of artificial intelligence enabled solutions and functionality, data
protection supervisory authorities have been closely scrutinising the
operation of AI technologies and their alignment with privacy and data
protection laws. For businesses, this highlights the need to integrate date
protection compliance into the core design and functionality of their AI
systems. In the midst of this, the privacy community found itself at the
centre of an emerging debate about the concept of ‘AI governance’. This is
not a surprising development – AI systems are creatures of data and the
principle-based framework for the lawful use of personal data that sits at
the heart of data protection law offers a strong starting point for
considering how to approach the safe and ethical use of AI. As AI
technologies advance, so will regulatory expectations. It is expected that
regulatory scrutiny and activity will continue to escalate and accelerate in
tandem with the increase in integration of powerful AI models into existing
services to enrich data. Whilst privacy professionals cannot tackle the AI
challenge alone, expect them to continue to be on the front lines
throughout 2025 and beyond.

DATA PROTECTION LAWS OF THE WORLD | DLAPIPERDATAPROTECTION.COM 3

 Disclaimer

This handbook is not a substitute for legal advice. Nor does it cover all
aspects of the legal regimes surveyed, such as specific sectorial
requirements. Enforcement climates and legal requirements in this area
continue to evolve. Most fundamentally, knowing high-level principles of
law is just one of the components required to shape and to implement a
successful global data protection compliance program.

Africa key contact

DATA PROTECTION LAWS OF THE WORLD | DLAPIPERDATAPROTECTION.COM 4
Africa key contact

Monique Jefferson
Director
monique.jefferson
@dlapiper.com
Full bio

Americas key contact

Andrew Serwin
Partner
[email protected].
com
Full bio

Asia Pacific key contact

Carolyn Bigg
Partner
[email protected]
Full bio

DATA PROTECTION LAWS OF THE WORLD | DLAPIPERDATAPROTECTION.COM 5

Europe key contacts

Andrew Dyson Ewa Kurowska-Tober John Magee

Partner Partner Partner
andrew.dyson@dlapiper. ewa.kurowska-tober [email protected]
com @dlapiper.com Full bio
Full bio Full bio

Middle East key contact

Rami Zayat
Partner
[email protected]
Full bio

Editors

James Clark Kate Lucente Lea Lurquin

Partner Partner Associate
[email protected] [email protected]. [email protected].
Full bio com com
Full bio Full bio

DATA PROTECTION LAWS OF THE WORLD | DLAPIPERDATAPROTECTION.COM 6

Algeria
LAST MODIFIED 20 JANUARY 2025

Data protection laws Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data
processing (“Law No. 18-07”).

Definitions Definition of personal data

Any information, regardless of the medium, relating to an identified or identifiable

person, hereinafter referred to as "data subject", directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to his or her
physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Definition of sensitive personal data

Personal data revealing racial or ethnic origin, political opinions, religious or

philosophical beliefs or trade union membership of the data subject or relating to
health, including genetic data.

National data protection Since August 2023, an independent administrative authority for the protection of
personal data, known as the "National Data Protection Authority" (National Authority),
authority
is hereby established, with its headquarters in Algiers.

The national authority is responsible for ensuring that the processing of personal data
is carried out in accordance with the provisions of the law and for ensuring that the
use of information and communication technologies does not threat the rights of
individuals, public freedoms and privacy.

The National Authority’s missions are the below:

Draw up rules of good conduct and ethics applicable to the processing of personal
data;

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 7

 Advise individuals and entities in the use personal data;

Inform data subjects of their rights and data controllers of their obligations;

Issue authorizations and receive declarations relating to the processing of personal

data;

Authorize cross-border transfers of personal data under the conditions laid down
by the law;

Publish the authorisations granted and the opinions issued in the national register
referred to in Article 28 of Law No. 18-07;

Receive claims, appeals and complaints relating to the processing of personal data
and inform their authors of the action taken on them;

Order any changes necessary to protect the personal data processed;

Order the closure, removal or destruction of data; and

Take administrative sanctions under the conditions defined by Article 46 of the

present law No. 18-07;

According to the statistics published by the National Authority, as of 31 October 2023,

only 3 months after it began operations the achievements were the below:

228 files relating to declarations, requests for authorisation and requests for
opinions submitted by bodies processing personal data had been received; and

174 files are awaiting further information, 54 files have been examined, including 46
declarations, 07 requests for authorisation and 01 request for an opinion, and the
authority's overall mission is continuing.

More recently (i.e. on 28 February 2024), the National Authority announced on its
website that it will begin its first field inspections of companies in the private sector, in
order to examine the various processing procedures before extending the operation
to individuals and public companies.

Registration The National Authority has set up a digital portal on its website enabling those
concerned by the processing of personal data to create an account and fill in
electronic forms with the below:

For prior declaration of processing operations;

Requests for authorisation; and

Requests for opinions.

Applicants may also monitor the status of their requests.

The processing of personal data is subject to the below:

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 8

 A prior declaration must be filed with the National Authority by the data controller
of a private or public entity whenever the latter is likely to receive, store and process
personal data. This declaration must be renewed before any new data is processed;
or

A prior authorization of the National Authority when the processing concerns any of
the following:

transfer of personal data abroad;

communication of data to a third party;

The interconnection of data belonging to one or more legal entities managing a

public service for different purposes relating to the general interest must be
authorised by the National Authority;

Article 3 of the law No. 18-07 define “data interconnection” as (free

translation): “(…) any mechanism of connection involving the linking of
processed data for a specific purpose with other processed data, whether for
identical or different purposes, by the same data controller or by one or more
other data controllers.”

Data protection officers Each natural or legal person processing personal data must designate its data
controller or authorised representative and communicate the latter's contact details to
the National Authority.

The form for appointing a representative is available on the portal of the National
Authority's website.

The data controller shall implement appropriate technical and organisational

measures to protect personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, in particular where the
processing involves the transmission of data over a network, and against all other
unlawful forms of processing.

The data controller or its authorised representative will be considered the official
contact for the National Authority.

In the case of a data officer established abroad:

In accordance with Article 04 (point 02) of Law No. 18-07 concerning the
protection of individuals with regard to the processing of personal data (free
translation):

"When the data controller is not established in the Algerian territory but
uses, for the purpose of processing personal data, automated or non-
automated means located in the Algerian territory, excluding processing
used solely for transit within the national territory.

In this case, the data controller must notify the national authority of the

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 9

 identity of its representative established in Algeria, who, without prejudice to
their personal responsibility, replaces them in all their rights and obligations
arising from the provisions of this law and the texts adopted for its
implementation."

As in any case, all the forms to be filled are available on the National Authority website
or at direct request by e-mail to: [email protected].

Collection and processing How is personal data collected

The law No. 18-07 applies to any public or private entity likely to receive, store and
process personal data. As soon as an entity receives data, whether in digital form or
not, it must comply with law No. 18-07.

Personal data is, notably, collected through direct input, cookies, social media, mobile
apps, surveys, public records, purchase transactions, and by employers or institutions.

How is personal data processed

Personal data processing may only be processed with the express consent of the data
subject (or consent of the legal representatives of a child, failing which by
authorisation of the competent judge).

The data subject may withdraw his / her consent at any time.

Personal data may only be communicated to a third party for purposes directly related
to the functions of the data controller and the recipient. Such communication is
subject to the prior consent of the data subject.

However, in some cases, consent is not required if the processing is necessary:

to comply with a legal obligation to which the data subject or the data controller is
obliged;

to protect the data subject's life;

for the performance of a contract to which the data subject is a party or to the
performance of pre-contractual measures taken at their request;

to safeguard the vital interests of the person concerned, if they are physically or
legally unable to give their consent;

for the performance of a task carried out in the public interest. Or in the exercise of
official authority vested in the data controller or the third party to whom the data is
communicated; or

for the accomplishment of a legitimate interest pursued by the data controller or

the recipient, within the interest and/or fundamental rights and freedoms of the
data subject.

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 10

 Specific rights and protections

The person concerned by the collection of their data has a right to information, a right
of access, a right of rectification and a right to object to their data being collected.

According to Article 9 of the law No. 18-07 (free translation):

“Personal data must be:

a. processed lawfully and fairly;

b. collected for specified, explicit and legitimate purposes legitimate purposes and
may not be further processed in a way that is incompatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are
collected or processed;
d. accurate, complete and, where necessary, kept up to date;
e. kept in a form which permits identification of the data subjects for no longer than
is the purposes for which they were collected or processed.”

Transfer According to the provisions of the law No. 18-07, the data controller may only transfer
personal data to a foreign State with the authorisation of the national authority in
accordance with Law No. 18-07 and if that State ensures an adequate level of
protection of the privacy and fundamental rights and freedoms of individuals with
regard to the processing of such data.

However, Article 45 of the law No 18-07 provides derogations from the general
provisions for transferring personal data (free translation):

“Article 45: In derogation from the provisions of Article 44 of this law [general provisions
explained above], the data controller may transfer personal data to a State that does not
meet the conditions specified in the said article [a sufficient level of protection for privacy
and the fundamental freedoms and rights of individuals] under the following
circumstances:

1. If the data subject has expressly consented to the transfer;

2. If the transfer is necessary for:
a. Preserving the life of the data subject;
b. Preserving public interest;
c. Fulfilling obligations to establish, exercise, or defend a legal right;
d. Executing a contract between the data controller and the data subject or
for pre-contractual measures at the request of the data subject;
e. Concluding or executing a contract in the interest of the data subject
between the data controller and a third party;
f. Executing a measure of international judicial cooperation;
g. Preventing, diagnosing, or treating medical conditions.
3. If the transfer is carried out under a bilateral or multilateral agreement to which
Algeria is a party.
4. With the authorization of the national authority, if the processing complies with the
provisions of Article 2 of this law.”

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 11

 In any case, it is forbidden to communicate or transfer personal data to a foreign
country, when such transfer is likely to affect public security or the vital interests of the
State.

Security The controller must put in place measures to ensure the integrity and protection of
the data.

These measures must ensure a level of security appropriate to the risks presented by
the processing and the nature of the data to be protected.

If the processing is carried out on behalf of the controller, the controller must choose
a processor providing sufficient guarantees in respect of the technical and
organisational security measures relating to the processing to be carried out and must
ensure compliance with those measures.

Transfer of data abroad

The foreign State must ensure an adequate level of protection of the privacy and
fundamental rights and freedoms of individuals with regard to data processing.

The adequacy of the level of protection provided by a State is assessed in particular by

the security measures applicable there.

Breach notification Administrative measures

In case of violations of the provisions of Law No. 18-07 by the controller, administrative
measures are taken by the national authority:

warning;

formal notice;

provisional withdrawal for a period not exceeding one year, or definitive withdrawal
of the declaration receipt or authorisation;

a fine.

The national authority may also impose fines on the controller which:

refuses, without legitimate reason, the rights of information, access, rectification or

opposition;

fails to make the required notifications to the national authority.

Criminal sanctions

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a

fine.

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 12

 Article 47 to 74 of the law No. 18-07 provide that non-compliance with the Data
Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and
/ or imprisonment between two months and five years.

Mandatory breach notification

Where the processing of personal data over electronic communication networks

results in the destruction, loss, alteration, disclosure or unauthorised access of such
data, the service provider must notify the national authority and the data subject
without delay where such a breach may affect the privacy of the data subject.

Failure by a service provider to notify the national authority or the data subject of a
personal data breach is punishable by imprisonment and a fine.

Enforcement Violation of the provisions of Law No. 18-07 is punishable by imprisonment and / or a
fine.

Article 47 to 74 of the law No. 18-07 provide that non-compliance with the Data
Protection Law is punishable by a fine ranging from 20,000 DZD to 1,000,000 DZD and
/ or imprisonment between two months and five years.

Electronic marketing Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider
who collects personal data and builds up customer and prospect files must only collect
the data necessary to conclude commercial transactions. It must:

collect the consent of e-consumers prior to the collection of data;

guarantee the security of information systems and the confidentiality of data;

comply with the relevant legislative and regulatory provisions.

Online privacy Not applicable.

Data protection lawyers

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 13

 Lamia Naamoune Rafik Nedjar
Associate Associate
L&P Partners L&P Partners
[email protected] [email protected]
View bio

For more information About us

DATA PROTECTION LAWS OF THE WORLD | ALGERIA | DLAPIPERDATAPROTECTION.COM 14

For more information About us

To learn more about DLA Piper, visit dlapiper.com or contact: DLA Piper is a global law firm with lawyers located in
more than 40 countries throughout the Americas,
Carolyn Bigg Europe, the Middle East, Africa and Asia Pacific,
Partner positioning us to help companies with their legal
Global Co-Chair Data, Privacy and needs around the world.
Cybersecurity Group
[email protected]
Full bio

John Magee
Partner
Global Co-Chair Data, Privacy and
Cybersecurity Group
[email protected]
Full bio

Andrew Serwin
Partner
Global Co-Chair Data, Privacy and
Cybersecurity Group
[email protected]
Full bio

dlapiper.com

This publication is for general information only. The information presented is not legal advice, and your use of it does not create a lawyer-client relationship. All legal matters are unique
and any prior results described in this publication do not guarantee a similar outcome in future matters. DLA Piper is a global law firm operating through DLA Piper LLP (US) and
affiliated entities. For further information, please refer to dlapiper.com. Attorney Advertising. Copyright © 2025 DLA Piper LLP (US). All rights reserved.