14 November 2025

Algeria Data Protection Law 18-07 and its Amendments

In 2018, Algeria enacted Law No. 18‑07, which regulates the collection and processing of personal data of Algerian citizens. The law imposes strict requirements on how organizations collect, use, and transfer personal data, and sets requirements to safeguard personal data.

On July 24, 2025, Algeria officially enacted Law No. 25-11, amending and supplementing Law No. 18-07 on the protection of natural persons in the processing of personal data.

The new law defines the rules for collecting, recording, organizing, storing, modifying, transmitting, and erasing personal data.

These recent amendments reflect Algeria’s growing commitment to data privacy, aligning its data protection laws more closely with international standards like the EU’s GDPR.

This guide breaks down the key elements of Algeria’s privacy law, user rights, business obligations, and compliance steps under Algeria’s data protection framework.

What Is Algeria’s Data Protection Law 18-07?

Algeria’s Data Protection Law No. 18‑07 is Algeria’s comprehensive data protection law. It protects the privacy of individuals and regulates the collection, use, storage, and processing of personal data by public and private entities.

Effective date: August 10, 2023.

The law is enforced by the National Authority of Personal Data Protection (ANPDP).

Algeria’s Data Protection Law No. 18-07 aims to safeguard individual rights by setting strict safety standards for data collection and management. Organizations may collect data only for specified, explicit, and legitimate purposes, adhering to data minimization and purpose limitation principles. Data must be kept accurate and up to date and be retained only as long as necessary.

The law establishes obligations for data controllers and sets restrictions on how organizations handle both digital and paper-based Personal Information. The law requires data controllers to notify the ANPDP before beginning data processing, international transfers, or large‑scale interconnections of databases to obtain prior authorization.

Who Does Algeria’s Data Protection Law 18-07 Apply To?

The Algerian Data Protection Law 18-07 applies to:

  • Public and private organizations operating within Algeria.
  • Foreign companies that process personal data of individuals located in Algeria.
  • Data controllers and data processors managing data on behalf of third parties.

Thus, if your organization collects or processes Personal Information of Algerian residents, this law likely applies to you.

The law has some exemptions, including data collection for personal or household use, some health-related processing, and security-related data processing.

Key Principles of Algeria’s Data Protection Framework

The Algerian Data Protection Law 18-07 and its amendments establish several core principles that data controllers and processors must respect. The main principles include:

  • Lawful and fair processing
    Organizations must process data in a lawful manner and only for legitimate purposes. Get explicit user consent from individuals before collecting or processing personal data.
  • Purpose limitation
    Organizations must collect data only for specific, explicit, and legitimate purposes. Don’t use personal data for purposes other than those specified at the time of collection.
  • Data minimization
    Data controllers must collect only the minimum amount of data needed to deliver the product or service.
  • Data safety
    Organizations must protect data from loss, leaks, or misuse using adequate technical and organizational means.
  • Data quality and accuracy
    Organizations must ensure that personal data is maintained in an accurate, complete, and up-to-date manner. Businesses must respect employees’ and clients’ rights to access, correct, or delete inaccurate information.

Data Subject Rights Under Algeria’s Data Protection Law

Algerian individuals have several rights regarding their data, including:

  • Right to information
    Businesses must inform data subjects about data processing before collecting or processing any data, including the purpose of collection or processing, recipients, third parties with whom the data is shared, and other relevant details.
  • Right to access
    Individuals have the right to access their personal data and the right to confirm whether their data is being processed by the controller.
  • Right to rectification
    Individuals have the right to request the correction or erasure of inaccuracies in their data.
  • Right to object to processing
    Individuals have the right to oppose processing, particularly for marketing purposes or in cases when processing is not essential for contractual or legal purposes.
  • Rights related to automated decision-making
    Individuals are protected against decisions based solely on automated processing, especially when such decisions significantly impact their rights or freedoms.
  • Right to withdraw consent
    Individuals may withdraw consent at any time.

Obligations for Businesses and Data Controllers under Law 18-07 and Its Amendments

Algeria’s Data Protection Law 18‑07 and its 2025 amendment set several requirements for businesses and data controllers around personal data processing of individuals in Algeria, including:

Registration and prior authorization

Organizations often must register and obtain authorization from the National Authority of Personal Data Protection (ANPDP) before processing personal data.

Processing of sensitive data and other high-risk data processing require explicit approval.

Privacy Policy

Organizations must create transparent privacy policies and regularly update them. The Privacy Policy must be easily accessible to data subjects. Organizations should provide at least the following information:

  • Identity of the controller.
  • What personal data is collected?
  • Purposes of data collection and processing.
  • Third parties with whom the data will be shared (if any).
  • How long will the data be retained?
  • Will the data be processed by automated means of processing?
  • Rights of the data subject.
  • Whether data will be transferred abroad, and if so, where, and what safeguards will be applied?
  • Any additional information related to the processing of personal data.

Security measures and breach notification

Organizations must adopt adequate technical and organizational measures to secure personal data. In the event of a data breach, organizations must notify the relevant authorities and affected individuals in accordance with established procedures.

Rules for cross-border data transfers

Transfers of personal data outside Algeria are strictly regulated. Personal data may only be transferred abroad if the receiving country ensures an adequate level of protection. Controllers must demonstrate that the receiving country ensures adequate data protection or obtain special authorization where required.

Representative / Data Protection Officer

Organizations must appoint a Data Protection Officer (DPO) and provide the contact details to the ANPDP. Law No. 25-11 makes DPO appointments mandatory.

User consent

Organizations must obtain explicit user consent prior to processing personal data.

In cases of legal obligations, contractual necessity, public interest, protection of life, or legitimate interests, data may be processed without consent.

Organizations must keep records of processing activities and perform Data Protection Impact Assessments (DPIAs) for high‑risk data processing.

Contractual relationship

Data controllers must select a processor that offers a sufficient level of technical and organizational security.

The processor may act only on the controller’s instructions, and these obligations must be set out in a written contract. Both controllers and processors must keep contracts or equivalent documents as proof of compliance.

Breach notification

Organizations must notify the ANPDP of any personal data breach within five days.

Law No. 25-11 requires organizations to notify both the national authority (ANPDP) and affected individuals. Before the amendments, both the authority and affected individuals had to be notified if a breach could affect individuals’ privacy.

Consent Requirements Under Algeria’s Data Protection Law

Algeria’s Data Protection Law 18-07 requires obtaining the explicit consent of the data subject before any data collection takes place.

Consent must be voluntary, informed, specific, and separate for every purpose:

  • Voluntary: Individuals should provide consent freely, without any pressure or coercion. Don’t use text on a cookie notice that encourages giving consent.
  • Specific: The Algerian law forbids businesses from including any condition requiring consent to purposes beyond those agreed upon.
  • Fully informed: Obtain explicit user consent and do not use dark patterns or other misleading behavior to obtain consent. Consent is not valid if obtained without proper information. If the individual does not interact with the Cookie Banner, continues scrolling, or does not take any action, it does not mean that they give consent to collect their data.
  • Separate: Consent must be separate for every distinct purpose. That means businesses must obtain granular consent. Bundled or broad consent tied to unrelated services is not valid consent.

For children or people with disabilities, parents or legal representatives must provide consent.

Data subjects have the right to withdraw their consent at any time.

Enforcement of Algeria’s Data Protection Law and Penalties for Non-Compliance

The National Authority of Personal Data Protection (ANPDP) supervises compliance with the Algerian law and has the authority to:

  • Conduct investigations.
  • Issue fines.
  • Order the suspension of unlawful data processing activities.

The ANPDP may conduct audits, request proof of user consent and documentation, and evaluate how an organization safeguards the data of individuals.

Failure to comply with the law or cooperate with the ANPDP may result in penalties, even without an actual data breach:

  • Administrative fines
    Violations of Law No. 18-07 can result in significant administrative penalties, including monetary fines from 20,000 DZD to 1,000,000 DZD (~$150–$7,500).
  • Limitations on data processing activities
    The ANPDP has the power to suspend data processing activities of organizations.
  • Criminal sanctions
    In severe cases, such as unauthorized transfer of sensitive data or intentional misuse of personal information, the law provides for criminal sanctions, including imprisonment from 2 months to 5 years.

Algeria Data Protection Law vs GDPR: Key Differences

The Algerian law shares many GDPR-inspired principles, but it also has some differences. The main differences include:

  • Scope
    Algeria’s Law No. 18-07 includes stricter rules regarding authorization and processing of sensitive data. The GDPR provides a more flexible legal framework for data processing.
  • Data‑subject rights
    GDPR offers broader user rights. Algeria’s Law No. 18-07 does not provide rights to erasure and portability; rights related to automated decision‑making are also limited.
  • International transfers
    Algeria’s Law No. 18-07 has stricter rules for cross-border transfers. GDPR allows international data transfers to countries with adequate protection or with appropriate safeguards without any additional requirements, while Law No. 18-07 requires ANPDP authorization and adequacy assessments.
  • Penalties
    Fines for non-compliance are much heavier under the GDPR and could reach up to €20 million or 4% of global annual turnover, whichever is higher. Non-compliance with Algeria’s Law No. 18-07 could result in fines up to 1,000,000 DZD (~$7,500).
  • Breach notification
    There is a minor difference in breach notification: GDPR requires notifying the supervisory authority and individuals within 72 hours, while Algeria’s Law No. 18-07 requires notifying the ANPDP within five days of knowledge of the breach.

Algeria’s Law No. 18-07 was inspired by the EU’s GDPR. Additionally, the amendment (Law No. 25-11) demonstrates a significant effort to align with the GDPR and global standards, particularly by introducing DPO and DPIA requirements and clarifying international transfers.

How to Ensure Compliance With Algeria’s Data Protection Law?

Follow these practical steps to achieve compliance with Algeria’s Law No. 18-07 and its amendments:

  1. Fulfill the declaration and prior authorization requirements with the ANPDP.
  2. Provide a clear Privacy Policy.
  3. Obtain explicit prior consent before processing data.
  4. Map personal data flows.
  5. Appoint a data protection officer (where required).
  6. Maintain records of all data processing activities.
  7. Establish procedures for data subject requests.
  8. Implement adequate security measures to protect personal data.
  9. Have a contractual relationship with data processors.
  10. Conduct Data Protection Impact Assessments (DPIAs) for high‑risk data processing.
  11. Regularly perform audits of data security and access controls.
  12. Train staff on data protection practices.
  13. Comply with cross-border data transfer requirements.
  14. Report any breach to the ANPDP within five days.

How can CookieScript Help to Comply With Algeria’s Data Protection Law?

CookieScript is a reliable CMP that helps you create cookie banners, manage cookies and consents on your website, and comply with Algeria’s Law No. 18-07 and other privacy laws.

CookieScript offers a full compliance solution and an easy-to-use integration, providing essential features and functionalities such as:

  • Cookie banner
  • Cookie policy
  • Cookie Scanner
  • Cookie banner customization
  • Consent recordings
  • GTM template
  • Language support
  • Third-party cookie blocking
  • Integrations with CMS platforms like WordPress, Shopify, Wix, etc.
  • Google Consent Mode v2 integration
  • IAB TCF v2.2 integration
  • Google Tag Manager integration
  • Certification by Google
  • CookieScript API

An important feature is geo-targeting, which determines the user’s location. A user in Algeria needs to see a cookie notice compliant with Algeria’s Law No. 18-07, while a user in France needs a GDPR-compliant one. CookieScript’s geo-targeting feature ensures users are presented with the right Cookie Banner.

In 2024, CookieScript CMP was ranked by users on G2 as the best CMP for small and medium-sized companies.

CookieScript also offers one of the best pricing plans on the market, starting with just €8/month/domain for the entry-level (Lite Plan). The Plus pricing plan includes all features and costs €19/month/domain. CookieScript also has a FREE pricing plan and a free trial of the Plus plan.


Frequently Asked Questions

What is the main data protection law in Algeria?

Algeria’s primary data protection regulation is Law No. 18-07, which governs the collection and processing of personal data. It establishes rights for individuals and obligations for businesses. On July 24, 2025, Algeria officially enacted Law No. 25-11, amending and supplementing Law No. 18-07. Use CookieScript to comply with Law No. 18-07.

Does the Algerian Data Protection Law apply to foreign companies?

Yes. Law No. 18-07 applies to any organization—local or foreign—that processes personal data of individuals located in Algeria, even if the company operates from outside the country. Use CookieScript CMP to comply with Algeria Data Protection Law.

Does Algeria Data Protection Law allow cross-border data transfers?

Cross-border transfers are allowed, but they are heavily regulated. Organizations must either ensure the receiving country provides adequate protection or obtain explicit authorization from the national authority ANPDP before transferring data abroad.

What are the penalties for violating Algeria’s data protection law?

Penalties range from administrative fines up to 1,000,000 DZD (~$7,500) and limitations on data processing activities to criminal sanctions. Severe violations—such as unlawful disclosure or unauthorized sensitive data processing—may result in imprisonment from 2 months to 5 years. Use CookieScript CMP to comply with Algeria Data Protection Law and avoid penalties.

What are the key principles of Algeria’s data protection law?

Algeria’s Data Protection Law 18-07 and its amendments establish these core principles: lawful and fair processing, purpose limitation, data minimization, data safety, and data quality and accuracy.

Do companies operating in Algeria need a Data Protection Officer (DPO)?

While not mandatory for all organizations, appointing a DPO is recommended—especially for businesses handling large-scale or sensitive data. The national authority ANPDP may require one, depending on the nature of the data processing. Use CookieScript CMP to comply with Algeria Data Protection Law and avoid penalties.

How to ensure compliance with Algeria’s data protection law?

Businesses must register with the ANPDP, provide a clear Privacy Policy, obtain explicit prior consent before processing data, map personal data flows, maintain records of all data processing activities, implement adequate security measures to protect personal data, have a contractual relationship with data processors, conduct DPIAs, regularly perform audits of data security and access controls, and train staff on data protection practices.

 