Three laws, one compliance stack
Algeria’s data regime in 2026 is built from three complementary instruments. Understanding how they stack is the prerequisite to any serious compliance plan.
Law 18-07 of 10 June 2018 remains the foundation. It governs the protection of natural persons in the processing of personal data, applies to any public or private entity (Algerian or foreign) that collects or processes personal data using means located in Algeria, and establishes the National Authority for the Protection of Personal Data (ANPDP) as the enforcement body. Non-compliance is punishable by fines of DZD 20,000 to DZD 1,000,000 and imprisonment of two months to five years.
Law 25-11 of July 2025 modernized the 2018 framework. It introduces new definitions, requires the appointment of a Data Protection Officer (DPO), mandates detailed records of processing activities, and adds Data-Protection Impact Assessments (DPIAs) for higher-risk processing. It also tightens breach notification to five days.
Presidential Decree 25-320 of 30 December 2025 is the newest and most structural instrument. It establishes a national data governance framework defining data classification, cataloguing, and secure interoperability between public administrations — in explicit alignment with cybersecurity and personal data protection. It is the rulebook that tells institutions how to structure, label, share and secure the data they hold.
Together, these three instruments change the operating reality for healthcare and banking — the two sectors most intensively processing sensitive personal and financial data in Algeria.
Healthcare: the most sensitive perimeter
Health data is classified as a sensitive data category under Law 18-07 (and confirmed by Law 25-11). That includes information revealing health status, genetic data, and any medical records held in electronic or paper form. In practice, the Algerian healthcare ecosystem — the Ministry of Health, CNAS, CASNOS, public CHUs, private clinics, medical laboratories and the growing cohort of health-tech startups — is now subject to a layered obligation set.
Key obligations that apply or will apply in 2026:
- Explicit consent before processing, except under specific exemptions (public interest, medical emergency, or specific legal bases).
- Prior declaration or authorization of processing activities with the ANPDP. Sensitive data, including health data, typically requires prior authorization, not just a notification.
- Appointment of a Data Protection Officer for any institution of significant processing volume — which in practice covers all public hospitals, large private clinics and health insurance funds.
- Data Protection Impact Assessments for high-risk processing — for example, new electronic health record rollouts, population-level health databases, telemedicine platforms, or AI-assisted diagnostic tools.
- Records of processing activities, covering purpose, categories of data, recipients, transfers and retention periods.
- Breach notification to the ANPDP within five days of discovery.
- Data classification and cataloguing per Decree 25-320, particularly where data is shared across public administrations (for example between the Ministry of Health and CNAS).
The telemedicine and electronic health records (EHR) regulatory pieces are still being drafted. Algerian authorities have publicly signaled that a dedicated legal framework for EHR adoption and patient-data privacy is in development. Until it lands, health-data controllers should default to the strict reading of Law 25-11 and Decree 25-320.
Banking: transaction data, KYC, and cross-border flows
Algerian banks and fintechs process three distinct categories of regulated data, each with its own compliance implications:
- Personal data of customers — names, national identity numbers (NIN), addresses, family data, employment data — governed squarely by Laws 18-07 and 25-11 and the ANPDP framework.
- Transaction data — card transactions, transfers, loan histories — which is simultaneously regulated under banking secrecy rules supervised by the Bank of Algeria, data-protection law for the personal components, and cybersecurity/audit obligations under Presidential Decree 25-321 of 30 December 2025.
- KYC and AML data — know-your-customer records, beneficial-ownership data, suspicious-transaction records — regulated by CTRF (Cellule de Traitement du Renseignement Financier) and the Bank of Algeria.
The effect of Decree 25-320 on banks is twofold. First, it reinforces data classification as an internal discipline — banks must know what data they hold, its sensitivity level and its lawful basis for processing. Second, it sets the framework for how banks exchange data with the state (tax authorities, CNAS, courts, CTRF) in a secure, catalogued way.
Cross-border data transfers remain particularly sensitive. Any transfer of personal data outside Algeria requires ANPDP authorization and compliance with specific adequacy or safeguard conditions — a significant operational constraint for banks with foreign parents (SGA, HSBC Algeria, Gulf Bank Algeria, Natixis Algérie) running centralized group IT systems abroad.
What a compliance roadmap looks like
For a CIO, DPO or compliance officer at an Algerian hospital, clinic, bank or fintech, the 2026 compliance roadmap has six concrete steps:
- Appoint a DPO in writing. Law 25-11 makes this obligation explicit for most regulated entities. The role must have access to leadership and the authority to challenge processing decisions.
- Build a records-of-processing register. Every data processing activity — its purpose, data categories, recipients, retention period — must be documented. This is the cornerstone evidence in any ANPDP inspection.
- Conduct DPIAs on high-risk processing. New EHR systems, AI-assisted diagnostics, credit scoring models, behavioral analytics — anything that materially affects data subjects’ rights requires a documented impact assessment.
- Implement data classification per Decree 25-320. Establish at least three tiers (public, internal, sensitive) with technical controls aligned to each.
- Review and update consent mechanisms. Paper-based consent processes in clinics and legacy branch networks must be digitized, traceable, and auditable.
- Align cyber audit and data governance programs. The audit mandate under Presidential Decree 25-321 and the data governance obligations under Decree 25-320 should be run as a single integrated program — not as two parallel compliance tracks.
The opportunity hidden in the obligation
Compliance-driven projects rarely excite anyone — but in the Algerian context, this stack is also a modernization forcing function. Hospitals that finally build proper EHR architectures, banks that catalog and rationalize their data estates, and fintechs that embed privacy-by-design from day one will emerge more operationally mature and more internationally compatible. The 2026 regulatory floor is also a competitive ceiling for institutions that invest ahead of the curve.
For Algerian leaders, the honest framing is this: the regulatory work is coming regardless. The question is whether to treat it as a grudging obligation or as the scaffolding for the next decade of trustworthy digital services.
Frequently Asked Questions
What are the penalties for breaching Algeria’s personal data protection law?
Law 18-07 sets fines from DZD 20,000 to DZD 1,000,000 and imprisonment of two months to five years for non-compliance. Law 25-11 tightens breach notification to five days, and the ANPDP has supervisory authority over all public and private processors operating in Algeria or using means located in Algeria.
Do Algerian banks with foreign parents need ANPDP authorization to share data with headquarters?
Yes. Any cross-border transfer of personal data requires ANPDP authorization and compliance with specific adequacy or safeguard conditions. Banks with foreign parents (SGA, HSBC Algeria, Gulf Bank Algeria, Natixis Algérie) running centralized group IT systems abroad must have formal transfer mechanisms in place under Laws 18-07 and 25-11.
What are the must-do compliance steps for a hospital or clinic processing patient data in 2026?
Appoint a DPO in writing, build a records-of-processing register, conduct DPIAs for high-risk processing (new EHR rollouts, AI-assisted diagnostics, telemedicine platforms), implement data classification per Decree 25-320, digitize consent so it is traceable and auditable, and run breach notification playbooks that can reach the ANPDP within five days of discovery.