Organic Act 2004-63 Personal Data
Tunisia
2004
Privacy
Overview
Key Obligations
- Obtain explicit consent from individuals before collecting or processing personal data
- Avoid processing sensitive personal data unless authorized by the INPDP
- Notify the INPDP before beginning any personal data processing activity
- Limit data collection to legitimate, declared purposes
- Ensure data confidentiality, integrity, and accuracy
- Prohibit cross-border transfers unless the recipient country ensures adequate protection
- Provide individuals with rights to access, correct, and object to data processing
Stay ahead of risk with Signzy
Explore tools that help you onboard, monitor, and verify with confidence
Identity Verification
Use facial match and liveness checks paired with government ID verification to validate users while onboarding.
MENA API Marketplace
A comprehensive API marketplace for the Middle East and North Africa, offering localized verification and compliance solutions.
AML Screening
Screen users against Politically Exposed Persons (PEP), watchlists, sanctions lists, adverse media, and more through one-time screening and advanced monitoring.
Related Regulations
FAQ
Who enforces data protection in Tunisia?
The Instance Nationale de Protection des Données Personnelles (INPDP) is the national authority responsible for enforcing the law.
What qualifies as sensitive data under the law?
Sensitive data includes personal details related to health, religion, ethnicity, political views, and union affiliation.
Is prior approval needed for all data processing?
No. Prior notification to the INPDP is required, but specific approvals are only needed for sensitive or high-risk processing.
Can Tunisian companies transfer data abroad?
Yes, but only to countries that offer an adequate level of data protection, as determined by the INPDP.