Data & Privacy · Tunisia

Data protection & privacy laws in Tunisia (2026)

Comprehensive lawOrganic Law No. 2004-63 of 27 July 2004 on the Protection of Personal Data; supervised by the Instance Nationale de Protection des Données Personnelles (INPDP)Country index 79 · B+

Tunisia shaded by its data & privacy status

Tunisia enacted a comprehensive personal data protection law in 2004, making it one of the first countries in Africa and the Arab world to do so. The law is enforced by the independent INPDP and is anchored in constitutional protections (Article 24, 2022 Constitution). A 2025 organic bill to replace and modernize the 2004 law—aligning it with GDPR and Convention 108+—was under parliamentary committee review as of early 2026 and had not yet been enacted.

Key points

Primary Legislation

Organic Law No. 2004-63 of 27 July 2004 establishes the comprehensive data protection regime, covering collection, use, storage, and transfer of personal data by public and private actors, with written consent and data minimization as core principles. It applies to both domestic and foreign organizations handling Tunisian personal data.

source 1 ↗source 2 ↗

Supervisory Authority — INPDP

The Instance Nationale de Protection des Données Personnelles (INPDP), established by the 2004 law and described as the oldest data protection authority in Africa and the Arab world, monitors compliance, examines controller declarations and authorization requests, investigates complaints, and issues corrective measures.

source 1 ↗source 2 ↗

Constitutional Anchor

Article 24 of Tunisia's 2022 Constitution explicitly protects the right to privacy and the protection of personal data, reinforcing the 2014 Constitution's earlier privacy provisions and providing a strong constitutional foundation for the data protection framework.

source 1 ↗source 2 ↗

Council of Europe Convention 108

Tunisia became the 51st Party to Council of Europe Convention 108 on 1 November 2017, and signed the modernized Protocol (Convention 108+) on 24 May 2019, committing to align domestic law with updated international data protection standards including on supervisory authorities and cross-border data flows.

source 1 ↗source 2 ↗

2025 Reform Bill (Pending)

A draft organic law comprising 123 articles was introduced in 2025 to replace the 2004 law, introducing GDPR-aligned rights (portability, erasure/right to be forgotten), mandatory Data Protection Impact Assessments for high-risk AI and biometric processing, and enhanced INPDP quasi-judicial enforcement powers including administrative fines. As of February 2026 the Rights and Freedoms Committee of parliament was still reviewing the bill's initial provisions.

source 1 ↗source 2 ↗

Key Obligations and Data-Subject Rights (Current Law)

Under the 2004 law, data subjects hold rights of access, rectification, and objection. Controllers must file declarations with or seek prior authorization from the INPDP depending on processing type; cross-border transfers require INPDP approval or a finding of adequate protection in the destination country.

source 1 ↗source 2 ↗

Tunisia - other topics

Crypto & Digital Assets Artificial Intelligence Digital Payments & Fintech Digital Nomad & Residency Internet & Online Safety Cybersecurity Starting a Business

Read in:Spanish French German Portuguese Hindi

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →