What Law 25-11 Changes for Cross-Border Data Flows
Algeria’s personal data protection framework has been in force since Law 18-07 was enacted in June 2018. At its core, the law applies to any public or private entity that collects, stores, or processes personal data using means located in Algeria — which captures SaaS companies operating in-country, fintech platforms handling payment data, and telecom companies running subscriber-linked systems. Foreign controllers with Algerian users are also in scope and must appoint a local representative.
Law No. 25-11, adopted by Algeria’s Parliament in July 2025, modernizes the 2018 framework in several dimensions simultaneously: it mandates Data Protection Officer appointments, introduces mandatory Data Protection Impact Assessments (DPIAs), and strengthens breach notification (5 days to notify the ANPDP after discovery). But for companies with international cloud dependencies, the most operationally consequential change is in the cross-border transfer chapter.
Under Law 18-07, the transfer adequacy baseline was already present: personal data transfers abroad required that the destination country provide a “sufficient level of protection of privacy and fundamental rights.” Law 25-11 tightens the application of this rule by linking it explicitly to the ANPDP’s enforcement posture, which has intensified since the authority began field inspections of private-sector companies in February 2024. Three categories of transfers now require careful analysis:
- Transfers to adequate-country destinations — permitted without separate ANPDP authorization, but the controller must document the adequacy basis in its processing register.
- Transfers to non-adequate destinations — require prior ANPDP authorization unless one of the narrowly defined exceptions applies (legal obligation, vital interest, contract performance, court proceedings).
- Transfers that endanger state security or vital national interests — unconditionally prohibited, regardless of any authorization.
The practical impact falls most heavily on Algerian companies using US-headquartered cloud platforms (AWS, Azure, Google Cloud) for personal data processing, since the United States does not appear on any ANPDP adequacy list, and on companies integrating with EU SaaS tools that process Algerian subscriber data on European infrastructure.
The ANPDP Authorization Process: What Companies Actually Do
The ANPDP’s authorization process is not a blanket approval for a company’s entire data processing footprint. Each processing activity — or category of processing activities — that involves cross-border transfers must be separately disclosed. The authority distinguishes between two tracks:
Declaration track: Covers standard personal data processing that does not trigger high-risk criteria. The controller files a declaration through the ANPDP’s online portal, describing the processing activity, the data categories involved, the purpose, and the recipients (including any foreign processors). The ANPDP registers the declaration and issues a receipt. There is no waiting period before the activity can begin.
Authorization track: Required for high-risk processing — defined as processing involving sensitive data (health, biometric, financial), international transfers to non-adequate countries, or file interconnections serving different public interests. The controller submits a full authorization dossier: company registration, DPIA, data flow mapping, description of safeguards (contractual clauses, encryption, access controls), and information on the foreign processor’s data governance practices. The ANPDP reviews and issues a written authorization before the processing activity can begin. Response timelines are not publicly specified, but controllers should plan for at least 30-60 days for a first-time authorization request.
What This Means for Algerian Tech Companies
1. Map Every Third-Party Processing Agreement That Involves a Foreign Processor
The first compliance action is a cross-border data flow inventory. For most Algerian SaaS and fintech companies, this means systematically reviewing every tool, API integration, and cloud service where personal data — customer names, contact details, payment data, health information — is sent to or stored on infrastructure outside Algeria. The inventory should capture: the processor name, the country of establishment, the data categories transferred, the purpose, and whether a Data Processing Agreement (DPA) exists. This inventory is also the foundation of the processing activities register now mandated by Law 25-11.
2. Assess Adequacy Status for Each Destination Country
Once the inventory is complete, each destination country must be assessed against the ANPDP’s current adequacy position. The EU, for example, maintains its own adequacy list — and some EU member states have bilateral data protection arrangements with North African countries — but Algeria’s ANPDP publishes its own assessment, which may differ from the EU’s. For countries not on the ANPDP’s adequate list (including the US as of mid-2025), the transfer requires either prior ANPDP authorization or reliance on one of the statutory exceptions. Companies should not assume that a processor’s ISO 27001 certification or SOC 2 compliance constitutes adequacy — technical certification and legal adequacy are distinct.
3. File ANPDP Authorizations for US and Other Non-Adequate Processors Before the Grace Period Ends
Companies that are currently transferring personal data to non-adequate-country processors without authorization are in a position of technical non-compliance. Law 25-11 does not specify a formal transition grace period for existing processing relationships. The ANPDP’s enforcement calendar — which began with field inspections in 2024 and is expected to intensify through 2026 — means that companies relying on informal tolerance should file authorization requests for their most material data flows as a priority. The authorization dossier should be prepared with legal counsel and should include a DPA with the foreign processor that binds it to Law 18-07/25-11 standards, or at minimum to GDPR-equivalent standards as a contractual safeguard.
4. Update Contracts with Foreign SaaS and Cloud Providers
Law 25-11 requires that where personal data is processed by a third-party processor (including a foreign one), the controller must hold a written data processing agreement that specifies the processing purpose, the data categories, the security measures, the processor’s obligations on sub-processing, and the procedures for breach notification. Many commercial SaaS agreements and cloud provider terms of service do not, out of the box, contain the specific provisions required by Algerian law. Legal and procurement teams should identify which foreign processor contracts require amendment and open renegotiation cycles — using the leverage of the authorization process (which requires documented contractual safeguards) to secure compliant terms.
Where the ANPDP’s Enforcement Attention Is Focused
The ANPDP’s first field inspection cycle, announced in February 2024, prioritized public-sector entities and large private-sector operators in telecom, banking, and insurance — sectors with the largest personal data processing footprints. The second phase, extending into 2026, is expected to include medium-sized private companies and tech operators, particularly those with international data flows.
Criminal penalties under Law 18-07 — as reinforced by Law 25-11 — range from two months to five years imprisonment and fines of 20,000 to 1,000,000 DZD. The administrative track includes warnings, formal notices, and the suspension or permanent withdrawal of the processing authorization, which for a SaaS company could mean a regulatory order to cease data collection entirely. Beyond the legal risk, the reputational signal of an ANPDP enforcement action in a market where B2B trust depends on data governance posture is material.
The compliance investment required is real but manageable: a data flow inventory, an authorization filing for the two or three highest-risk transfer relationships, and updated processor contracts. Companies that complete these steps during 2026 build a compliance foundation that also positions them well for the expanding GDPR-alignment expectations of EU partners — a commercial advantage as Algerian tech companies increasingly target regional and European clients.
Frequently Asked Questions
Q: Do Algerian companies using Google Workspace or Microsoft 365 need ANPDP authorization?
These platforms process data on infrastructure located partly in the EU and partly in the US. Since the US is not on the ANPDP’s adequacy list, the US-processing component of these services falls under the authorization track for any personal data processed. Algerian companies should review the data residency options offered by these providers (EU-only data residency is available on certain enterprise tiers) and file an ANPDP authorization covering the remaining international transfer components.
Q: What constitutes a “vital national interest” that prohibits transfer absolutely?
Law 18-07 and Law 25-11 do not provide a precise definition. The prohibition is interpreted broadly to cover transfers that could expose personal data of Algerian citizens to foreign government access in ways that compromise national security, public order, or critical infrastructure integrity. Legal counsel with ANPDP engagement experience should assess whether specific processing activities fall near this boundary before filing an authorization that could trigger scrutiny.
Q: Can a company start transferring data while the ANPDP authorization request is under review?
No. The authorization track requires the ANPDP’s prior written authorization before any processing activity in the high-risk/cross-border category begins. Initiating processing before authorization is a violation independent of whether the ANPDP would ultimately have approved the activity.
















