Data & Privacy - Algeria

Law No. 18-07 of 10 June 2018 is the comprehensive personal data protection statute. It entered into effective force on 10 August 2023 when the ANPDP became operational. It was materially amended and strengthened by Law No. 25-11 of 24 July 2025.

The ANPDP is an independent administrative authority with legal personality and financial autonomy, operating under the authority of the President of Algeria. It receives declarations, grants authorisations for high-risk processing, handles complaints, conducts inspections (field inspections of private-sector companies began February 2024), and imposes administrative sanctions.

Controllers must file a declaration with the ANPDP before commencing any personal data processing. High-risk activities — including international data transfers, large-scale database interconnections, and processing of sensitive data — require prior authorisation rather than mere notification.

Law 25-11 (July 2025) introduced mandatory appointment of Data Protection Officers (DPOs), records of processing activities, Data Protection Impact Assessments (DPIAs) for high-risk processing, mandatory breach notification to the ANPDP within five days, new definitions for biometric data, profiling, pseudonymisation and data breaches, and prior consultation with the ANPDP where a DPIA reveals unmitigated high risks.

Data subjects are granted rights of information, access, rectification, and erasure. Controllers must obtain consent for processing in most cases, and specific rules govern sensitive categories of data (health, biometric, etc.).

Non-compliance carries administrative fines ranging from 20,000 DZD to 1,000,000 DZD, and criminal penalties of imprisonment from two months to five years, applicable to both controllers and processors.