Algeria’s drive to digitise its economy has brought privacy to the forefront. In 2018, it enacted Law No. 18‑07 on the protection of natural persons in the processing of personal data. The law aimed to safeguard individual dignity and privacy by imposing strict requirements on how organisations collect, use and transfer personal data.
In July 2025, the Algerian Parliament adopted Law No. 11‑25 (sometimes referred to as “25‑11”) to modernise the 2018 framework. The amendment introduces new definitions, requires organisations to appoint a Data Protection Officer (DPO), maintain detailed processing records and conduct Data‑Protection Impact Assessments (DPIAs). It also clarifies international transfer rules and expands the ANPDP’s oversight powers.
The following sections summarise the key elements of Algeria’s privacy law and highlight how it compares with the EU’s General Data Protection Regulation (GDPR).
What is Law 18‑07 of Algeria?
Law No. 18‑07 is a comprehensive data protection law of Algeria that regulates the processing of personal data by public and private entities.
It codifies fundamental privacy principles: data must be processed lawfully and fairly, collected for specified, explicit and legitimate purposes, be adequate and not excessive, remain accurate and up to date and be retained only as long as necessary.
The law requires data controllers to notify the National Data Protection Authority (ANPDP) before beginning processing and, for certain high‑risk activities (such as transfers abroad or large‑scale interconnections of databases), to obtain prior authorisation.
Who does the Algeria data protection law 18-07 apply to?
Law No. 18-07 has a broad territorial scope. It applies to any public or private entity, whether established in Algeria or abroad, that collects, stores or processes personal data using means located in Algeria.
A foreign controller using systems in Algeria must appoint a local representative. The amendment expands the compliance obligations to include mandatory DPO appointments and detailed records of processing.
Exemptions include purely personal or household use, some health-related processing, and defence or security-related data processing.
What is personal data under the Algerian data protection law?
Personal data is defined broadly as any information relating to an identified or identifiable person. This includes direct identifiers and indirect identifiers such as identification numbers or characteristics related to a person’s physical, physiological, genetic, biometric, mental, economic, cultural or social identity.
Sensitive personal data includes information revealing religious or philosophical beliefs, trade‑union membership and health (including genetic data).
The 2025 amendment introduces specific definitions for biometric data, profiling, pseudonymisation and data breaches.
What are the business obligations under the Algerian data privacy law?
Under Law 18‑07 and its 2025 amendment, controllers and processors must:
Register or obtain prior authorisation
Controllers must file a declaration with the ANPDP before processing personal data and must renew it for any new processing. Prior authorisation is required for high-risk data processing activities.
Provide a privacy policy
Organisations must provide a privacy policy to the data subjects. It should at least contain:
- Identity of the controller (and their representative, if any).
- Purposes of processing.
- Categories of personal data concerned.
- Recipients or categories of recipients of the data.
- Data retention period.
- Rights of the data subject (access, correction, objection, withdrawal of consent).
- Whether data will be transferred abroad, and if so, the safeguards applied.
Any additional useful information, e.g., if responses are mandatory, consequences of refusal, etc could also be provided.
ANPDP recently published a sample privacy policy, helping organisations to comply with the information obligations.
Need a privacy policy for your website?
Create a privacy policy in few simple steps using CookieYes
Sign up for free14-day free trialCancel anytime
Contractual relationship
Controllers must select a processor that offers sufficient guarantees of technical and organisational security.
The processor may only act only on the controller’s instructions, and these obligations must be set out in a written contract or equivalent document for evidence purposes.
Also read:
Appoint a representative / Data Protection Officer
Each entity must designate a data controller or authorised representative and communicate the contact details to the ANPDP.
Law 11‑25 makes DPO appointments mandatory and requires organisations to keep records of processing activities and perform Data Protection Impact Assessments (DPIAs) for high‑risk processing.
Implement security measures
Controllers must adopt technical and organisational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data.
Adhere to consent and legal basis requirements
Processing generally requires the express consent of the data subject, although the law allows exceptions for legal obligations, protection of life, contractual necessity, public interest or legitimate interests. Consent must be freely given and may be withdrawn at any time.
Record‑keeping and breach notification
Law 11‑25 obliges organisations to keep detailed records of processing activities and to notify the ANPDP of any personal data breach within five days. Earlier, service providers were already required to notify both the authority and affected individuals if a breach could impact privacy.
Cross-border transfers
Personal data may only be transferred abroad if the receiving country ensures an adequate level of protection. If not, transfer is allowed by certain exceptions, like with National Authority approval, when based on the subject’s consent, necessary for public interest, legal obligations, court proceedings, performance of a contract (or pre-contract measures), judicial cooperation, or to prevent or treat disease.
Transfers are always prohibited if they endanger national security or vital state interests.
Honor data subject rights
Respond to and fulfil data subject requests promptly. While there is no fixed timeframe for responding to access or objection rights, any requests for corrections must be completed within 10 days of notification.
What are the rights of data subjects under Algeria’s data privacy law 18-07?
Individuals have several rights:
- Right to information: Controllers must inform data subjects about data processing, including the purpose of processing, recipients and other relevant details.
- Right of access: Individuals have the right to confirm whether their data is being processed by the controller and can obtain a copy of their personal data.
- Right to rectification: Data subjects can request the correction or erasure of inaccuracies in their data.
- Right to object: individuals may oppose processing, particularly for marketing purposes.
- Right to withdraw consent: consent may be withdrawn at any time.
These rights are explicitly recognised in Article 9 and related provisions.
What are the consent requirements under Algeria data protection law?
Article 7 establishes that data processing or sharing requires explicit prior consent of the data subject.
- Consent must be freely given, informed, and specific.
- Data subjects can withdraw consent at any time.
- For children or incapacitated persons, consent comes from their legal representative, or a judge’s authorisation if needed.
- Consent is not valid if obtained through coercion or without proper information
Deploy a cookie banner to obtain
cookie consent
Set up cookie consent management for your website with CookieYes
Sign up for free14-day free trialCancel anytime
When is consent not required under the law?
Consent is not necessary under specified circumstances such as compliance with a legal obligation, vital interests, performance of a contract or pre-contractual measures, public interest or exercise of official authority, etc.
Data processing must limited to the specific purposes for which the data subject consented to.
What are the penalties under Algeria data protection law?
The National Data Protection Authority (ANPDP) is responsible for enforcing the law. It advises individuals and entities, receives declarations and authorises processing, handles complaints, and can impose administrative sanctions. Administrative measures include warnings, formal notices, provisional or definitive withdrawal of declarations or authorisations, and fines.
For more serious infractions, Law No. 18‑07 provides criminal sanctions. Non‑compliance is punishable by fines between 20,000 DZD and 1,000,000 DZD and/or imprisonment of two months to five years. Failure to notify the authority of a breach can also result in imprisonment and fines.
GDPR vs Algerian data protection law (Law no. 18-07)
| Aspect | GDPR | Algeria’s Law 18‑07 |
| Scope | EU organisations and entities outside the EU providing goods/services to EU residents. | Entities processing personal data in Algeria or using means located in Algeria. |
| Effective date | May 25, 2018 | August 10, 2023 |
| Data‑subject rights | Access, rectification, erasure, restriction, portability, objection and automated decision‑making. | Information, access, rectification and objection |
| International transfers | Allowed to countries with adequate protection or with appropriate safeguards | Transfers require ANPDP authorisation and adequacy assessments |
| Enforcement authority | Supervisory Authorities | National Data Protection Authority |
| Penalties | Fines up to €20 million or 4% of global annual turnover, whichever is higher. | Fines up to 1,000,000 DZD |
| Breach notification | Notify the supervisory authority and individuals within 72 hours | Notify the ANPDP within five days of knowledge of the breach. |
While Algeria’s law is inspired by the General Data Protection Regulation, the amendment shows a continuing effort to align with global standards, especially by adding DPO and DPIA requirements and by clarifying international transfers.
Checklist for Algeria data protection compliance
Here is a quick Algeria data protection law checklist for your business:
- Fulfil the declaration and prior authorisation requirements before processing personal data
- Provide a privacy policy to consumers
- Appoint a Data Protection Officer
- Have a contractual relationship with data processors to ensure their compliance
- Implement necessary security measures to protect the personal data
- Obtain prior consent before processing data
- Comply with cross-border data transfer rules
- Keep records of processing for proof of compliance
- Report any breach to the ANPDP within five days
- Honoir and respect data subject rights
FAQ on Algeria’s Privacy Law
Yes. If your organisation uses systems/means in Algeria to process personal data (even if based abroad), you must comply with the law and appoint a local representative.
Under the 2018 law, a DPO was not explicitly required. However, Law 11‑25 makes appointing a DPO mandatory and requires controllers to maintain processing records and conduct DPIAs for high‑risk activities.
Consent must be express and informed. It is required before collecting data or transferring it to third parties, unless an exception applies (legal obligation, protection of life, contract performance, etc). Also, data subjects must be able to withdraw consent at any time.
Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.
