Law 18-07 — Personal Data Protection (Algeria)

What is Algeria's Law 18-07?

Law No. 18-07 of 10 June 2018 is Algeria's primary personal-data-protection statute — the first comprehensive national framework governing how public and private entities collect, process, store, and transfer personal data of identifiable natural persons in Algeria. The law establishes the principles of lawful processing — consent, transparency, purpose limitation, data minimisation, accuracy, security — that are now standard across modern data-protection regimes globally.

The law sits alongside Algeria's broader digital and financial regulation, including the e-commerce framework under Law 18-05. Together they form the national rulebook for any business handling Algerian customer or employee data.

Supervisory authority — ANPDP

The law provides for a National Authority for the Protection of Personal Data (Autorité Nationale de Protection des Données à Caractère Personnel — ANPDP) under the umbrella of the Ministry of Justice. The Authority is mandated to issue guidance, license certain processing activities, receive data-subject complaints, investigate breaches, and impose sanctions.

Operational maturity of the Authority and the full implementation of the supporting decrees has been a recurring topic of compliance discussion since 2018. Practitioners should verify current operational status against the Authority's published material before relying on specific provisions.

Why Law 18-07 matters

For any business operating in Algeria — domestic or foreign — Law 18-07 imposes a comprehensive set of obligations around how personal data is collected, used, transferred, and secured. The law affects banks, fintechs, telecommunications providers, healthcare institutions, e-commerce platforms, payment processors, employers, and government agencies.

For multinational groups, Law 18-07 adds a new compliance layer alongside the Egyptian PDPL (Law 151 of 2020), the UAE Federal AML/CFT framework, the EU GDPR, and other regional frameworks — requiring careful jurisdictional analysis of which rules apply to which data flows. Our AML requirements primer and sanctions screening AML guide set out the AML overlay that runs in parallel.

Who must comply

Law 18-07 applies broadly to all entities — public and private, Algerian and foreign — that collect, process, store, or transfer personal data of individuals in Algeria. Banks, telecommunications providers, financial institutions, healthcare organisations, insurance companies, e-commerce platforms, employers, marketing firms, government agencies, and any other organisation handling personal data in Algeria fall within scope.

The law distinguishes between data controllers (entities determining the purposes and means of processing) and data processors (entities processing data on behalf of controllers), with distinct obligations attaching to each.

Core obligations

The law sets out a comprehensive set of obligations every covered entity must satisfy.

Lawful basis and informed consent

Personal data may only be collected and processed with the informed consent of the data subject — the law's default basis — or on another narrowly defined lawful basis where applicable. Consent must be specific, free, and informed.

Purpose limitation and data minimisation

Data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a way incompatible with those purposes. Only the data necessary for the stated purpose may be collected.

Data subject rights

Individuals have the right to be informed about processing, to access their data, to correct inaccurate or outdated data, to object to specific processing activities, and (subject to defined conditions) to request erasure of their personal data.

Sensitive data and notifications

Sensitive personal data — including health, biometric, religious, ethnic-origin, and certain other categories — attracts enhanced protections. Processing of sensitive data, or large-scale processing, typically requires prior notification to or authorisation by the ANPDP.

Cross-border transfers

Cross-border transfers of personal data out of Algeria are restricted unless the receiving country provides an adequate level of protection or specific safeguards apply. Adequacy assessments are made by the Authority, with permitted mechanisms potentially including contractual safeguards and specific authorisations.

Data Protection Officer

Many controllers — particularly those processing sensitive data or large volumes of personal data — must appoint a Data Protection Officer (DPO) responsible for advising on compliance, monitoring adherence to the law, training staff, and serving as the contact point for the Authority.

Security and documentation

Controllers must implement technical and organisational security measures appropriate to the risk of processing, maintain compliance documentation and processing records, and notify breaches to the Authority within defined timeframes.

Compliance implications for financial services

For banks, fintechs, and payment providers operating in Algeria, Law 18-07 has several specific operational consequences. Customer onboarding flows must be redesigned to capture explicit informed consent, surface clear privacy notices, and minimise data collection. KYC and AML data must be retained only for as long as necessary and made available to data subjects exercising their access rights — while balancing AML recordkeeping obligations under Algerian financial-services law.

Marketing and analytics uses of personal data require fresh consent. Cross-border data flows to global parent companies, cloud providers, or vendors require the appropriate transfer mechanism — a particular operational challenge for institutions running eKYC and screening on infrastructure outside Algeria, often delivered through unified AML screening platforms or regional MENA API marketplace infrastructure with built-in data-residency controls.

Penalties and enforcement

Law 18-07 carries both administrative and criminal penalties. Administrative fines for non-compliance can reach significant amounts per breach, with materially higher exposure for serious or repeated violations.

Criminal offences include unauthorised processing of personal data, unauthorised cross-border transfer, refusal to respond to data-subject requests, and obstruction of the National Authority — punishable by imprisonment and fines. Senior managers can be personally liable in defined circumstances, and entities may face licence restrictions and exclusion from public contracts.

Law 18-07 and regional data protection frameworks

Algeria's Law 18-07 was one of the early comprehensive data-protection statutes in North Africa, predating Egypt's Law 151 of 2020 by two years and contemporary with the EU's General Data Protection Regulation. The structural architecture — consent-based lawful processing, data-subject rights, cross-border transfer restrictions, supervisory authority — is broadly aligned with the GDPR model that has become the global reference point.

Multinational groups operating across North Africa, the Middle East, and Europe typically build a unified privacy programme that satisfies the strictest applicable framework while accommodating jurisdiction-specific requirements such as the ANPDP notification regime. Practical step-by-step guidance for regional KYC programmes is covered in our KYC in Egypt laws and automation guide and our AML compliance complete guide.