⚡ Key Takeaways

Algeria’s Law 25-11 (July 2025) amended Law 18-07 to require a mandatory 5-day breach notification to ANPDP, DPO appointment with specialist qualifications, DPIA for high-risk processing, and automated operations logbooks. Criminal sanctions now reach 10 years imprisonment and DZD 10,000,000 in fines. ANPDP has been operationally active since August 2023.

Bottom Line: Algerian enterprises must complete three immediate deliverables: appoint a qualified DPO with a formal written mandate, build the Article 41 bis 2 processing register starting from business processes, and validate the 5-day breach notification clock through a tabletop exercise before ANPDP’s first sector audit reaches their industry.


🧭 Decision Radar

Relevance for Algeria: High
Law 25-11 creates enforceable obligations for every Algerian organization that processes personal data — the 5-day notification window, DPO appointment, and DPIA requirements are active and subject to criminal sanctions up to 10 years.

Action Timeline: Immediate
ANPDP has been operationally active since August 2023; the Law 25-11 amendment is in force; enforcement cycle is underway. DPO appointment and processing register are the first deliverables.

Key Stakeholders: Enterprise compliance officers, DPOs, CISOs, legal teams, public-sector IT directors

Decision Type: Strategic
Law 25-11 compliance requires structural organizational change — DPO appointment, register build, DPIA program, breach response playbook — not a one-off project.

Priority Level: Critical
Criminal sanctions of up to 10 years and DZD 10,000,000 in fines, combined with ANPDP’s active enforcement posture, make delayed compliance a material legal and business risk.

Quick Take: Algerian enterprise compliance officers should prioritize three deliverables immediately: appoint or designate a qualified DPO with a formal written mandate; build the Article 41 bis 2 processing register starting from business processes, not IT systems; and run a tabletop exercise against the 5-day breach notification clock to validate that your logbook and response playbook are operational before ANPDP’s first sector audit reaches your industry.


What Law 25-11 Actually Changed — and Why It Matters Now

Algeria has had a data protection statute since June 2018 — Law 18-07, the foundational personal data framework that established the National Authority for the Protection of Personal Data (ANPDP). For three years, the law existed without an active enforcement body. That changed in August 2023, when ANPDP became operationally active, and the notification and compliance obligations became real.

Then, in July 2025, the Algerian legislature passed Law 25-11, amending Law 18-07 with four structural additions that materially change what enterprises must do:

  1. A 5-day breach notification requirement to ANPDP once a controller becomes aware of a personal data breach
  2. Mandatory Data Protection Officer (DPO) designation, with explicit qualification standards
  3. Mandatory Data Protection Impact Assessments (DPIA) for high-risk processing
  4. A register of processing activities (Article 41 bis 2) and an automated operations logbook (Article 41 bis 3)

Each of these obligations interacts with the others. The 5-day clock is unworkable without the register. The register surfaces the processing activities that require a DPIA. The DPO is responsible for all four.

Understanding the mechanics of each obligation — and the gap between current enterprise practice and what the law demands — is the essential first step before ANPDP’s enforcement cycle reaches private-sector organizations.

The Four Obligations in Detail

What Law 25-11 requires for breach notification

Article 41 bis 4 of the amended law states that controllers must “notify the Authority no later than five (5) days after becoming aware of a personal data breach.” Processors — cloud providers, IT outsourcers, payroll services, any vendor handling personal data on behalf of the controller — must notify the controller “immediately upon discovery.” The five-day clock runs from the controller’s awareness, not from the processor’s discovery.

This creates a practical chain: processor discovers breach → processor notifies controller immediately → controller has 5 days from their awareness to file with ANPDP. The notification to ANPDP must include the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records concerned, likely consequences, and the measures taken or proposed to address the breach.
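The processor-to-controller-to-ANPDP chain above is easy to get wrong in a tabletop exercise because two clocks run at once: the statutory five days from the controller's awareness, and the real exposure time that starts at the processor's discovery. The following Python model is an added illustration, not code from the article or from any regulator; the field names, the two constructed incident timelines and the draft filing are this example's own assumptions. It computes the filing deadline, classifies a filing as on time or late, reports the processor's lag, and lists which of the required notification contents are still missing from a draft.

```python
"""Breach-notification clock under Article 41 bis 4 (added illustration, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Five-day window stated in Article 41 bis 4; it runs from the controller's awareness.
NOTIFICATION_WINDOW = timedelta(days=5)

# Contents the filing to ANPDP must carry, per the article's summary of the law.
# The field names are this example's own choice, not a regulator's form.
REQUIRED_FIELDS = (
    "nature",
    "data_subject_categories", "data_subjects_approx",
    "record_categories", "records_approx",
    "likely_consequences", "measures_taken_or_proposed",
)


@dataclass
class BreachTimeline:
    processor_discovered: datetime           # vendor first sees the breach
    processor_notified_controller: datetime  # "immediately upon discovery" obligation
    controller_aware: datetime               # the moment the statutory clock starts
    filed_with_anpdp: Optional[datetime] = None


def anpdp_deadline(t: BreachTimeline) -> datetime:
    """Latest moment the controller may file, counted from its own awareness."""
    return t.controller_aware + NOTIFICATION_WINDOW


def processor_lag_hours(t: BreachTimeline) -> float:
    """Hours the processor sat on the breach before telling the controller."""
    return (t.processor_notified_controller - t.processor_discovered).total_seconds() / 3600


def exposure_days(t: BreachTimeline, now: datetime) -> float:
    """Days from the processor's first discovery to filing (or to 'now' if not yet filed)."""
    end = t.filed_with_anpdp or now
    return (end - t.processor_discovered).total_seconds() / 86400


def evaluate(t: BreachTimeline, now: datetime) -> Dict[str, object]:
    """Statutory status plus the two numbers a tabletop should compare side by side."""
    deadline = anpdp_deadline(t)
    if t.filed_with_anpdp is None:
        status = "open" if now <= deadline else "overdue"
    else:
        status = "on_time" if t.filed_with_anpdp <= deadline else "late"
    return {
        "deadline": deadline,
        "status": status,
        "processor_lag_hours": processor_lag_hours(t),
        "exposure_days": round(exposure_days(t, now), 2),
    }


def missing_notification_fields(notification: Dict[str, object]) -> List[str]:
    """Required contents the draft filing still lacks (None or empty counts as missing)."""
    return [f for f in REQUIRED_FIELDS if not notification.get(f)]


# --- Constructed tabletop scenarios (not real incidents) ---
UTC = timezone.utc
SCENARIO = BreachTimeline(
    processor_discovered=datetime(2025, 9, 1, 8, 0, tzinfo=UTC),
    processor_notified_controller=datetime(2025, 9, 3, 9, 0, tzinfo=UTC),  # 49 h later
    controller_aware=datetime(2025, 9, 3, 9, 0, tzinfo=UTC),
    filed_with_anpdp=datetime(2025, 9, 7, 10, 0, tzinfo=UTC),
)
# Same breach, but the processor waits six days: the controller's filing is still
# "on time" by the statute while real exposure reaches ten days.
SLOW_PROCESSOR = BreachTimeline(
    processor_discovered=datetime(2025, 9, 1, 8, 0, tzinfo=UTC),
    processor_notified_controller=datetime(2025, 9, 7, 8, 0, tzinfo=UTC),
    controller_aware=datetime(2025, 9, 7, 8, 0, tzinfo=UTC),
    filed_with_anpdp=datetime(2025, 9, 11, 8, 0, tzinfo=UTC),
)
DRAFT_NOTIFICATION = {
    "nature": "unauthorised access to payroll export",
    "data_subject_categories": ["employees"],
    "data_subjects_approx": 1200,
    "record_categories": ["salary records"],
    "records_approx": None,             # unknown until the logbook has been queried
    "likely_consequences": "exposure of salary and bank details",
    "measures_taken_or_proposed": "",   # not yet written
}

if __name__ == "__main__":
    for name, t in (("scenario", SCENARIO), ("slow_processor", SLOW_PROCESSOR)):
        print(name, evaluate(t, now=t.filed_with_anpdp))
    print("missing:", missing_notification_fields(DRAFT_NOTIFICATION))
```

The second scenario is the case the processor-SLA point is about: nothing in the statutory check flags it, so the tabletop should track `exposure_days` and `processor_lag_hours` as separate metrics rather than only the deadline.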

What the DPO designation requires

The DPO must be selected on the basis of “professional qualifications, particularly specialised knowledge of law and practices relating to data protection.” This is not satisfied by a general IT security manager. The DPO must have documented legal and technical competence, access to senior management, and organizational independence — they cannot be instructed on how to perform their data protection duties. The law does not specify whether the DPO must be an employee or can be external; external DPO services are likely to grow in response.

What DPIA requires and when it triggers

DPIA obligations apply to processing that is “likely to result in a high risk to the rights and freedoms of natural persons.” Trigger categories include systematic profiling, large-scale processing of sensitive data (health, biometrics, criminal records), and systematic monitoring of publicly accessible areas. For each qualifying activity, the enterprise must assess the necessity and proportionality of the processing, evaluate risks to data subjects, and document measures to address those risks — before the processing commences.

What the processing register and logbook require

Article 41 bis 2 requires a written or electronic register of all processing activities under the organization’s responsibility, including the purpose of processing, data categories, recipient categories, data retention periods, and a description of technical and organizational security measures. Article 41 bis 3 requires an automated logbook that records the actual operational events — access, modification, deletion — against each processing activity. The logbook is the audit trail that ANPDP will examine if a breach notification triggers a review; it is also the evidence base for meeting the 5-day notification content requirements.


A Four-Pillar Compliance Framework for Algerian Enterprises

1. DPO Appointment and Mandate Documentation

Do not allow the DPO role to be absorbed by the CISO or the legal team without a formal appointment. The appointment should be in writing, specify the DPO’s scope and reporting line, confirm their access to all relevant processing activities, and provide contact details for communication with ANPDP. Formalize the DPO’s mandate before ANPDP begins sector audits — an undocumented DPO will not satisfy the obligation. For enterprises that lack internal qualified candidates, external DPO services from compliance firms (several SOLTIC Algérie-affiliated practitioners have signaled availability) are a viable interim solution while training an internal successor.

2. Processing Register — Build It Top-Down, Not Bottom-Up

The most common failure mode in GDPR implementations — and the same pattern will emerge here — is building the processing register as an IT inventory exercise that starts with systems and tries to derive purposes. Start instead with business processes: what does your organization actually do with personal data? Hiring, payroll, customer management, supplier contracts, access control, analytics. Map each process to the data categories it touches, the lawful basis for processing, the retention period, and the data flows to processors. The IT inventory comes second, confirming where the data sits — not defining what the process is. A register built this way produces the DPIA trigger list automatically, because high-risk processing activities become visible at the process level.

3. Automated Logbook — Treat It as a Security Control, Not Paperwork

Article 41 bis 3’s automated logbook requirement maps almost exactly to what mature security operations teams call an audit trail or SIEM log. If your organization already runs a SIEM, you have the raw material — the task is ensuring coverage of all processing activities listed in the register, not just perimeter security events. If you do not have automated logging at the data-processing level, prioritize the highest-risk activities first: those that would trigger a DPIA (large-scale health data, biometric systems, customer analytics platforms). The logbook also feeds the breach notification content: when ANPDP asks “how many records were affected?”, the logbook is how you answer precisely rather than approximately.
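To make the register-first approach and the "logbook as security control" idea concrete, here is an added Python sketch that is not part of the article and not any vendor's or regulator's tooling. It models register rows keyed by business process (the Article 41 bis 2 fields the article lists), derives the DPIA worklist from the trigger categories the article names, and runs two checks against a constructed logbook excerpt: which register activities have no logbook coverage at all, and the exact set of records one actor touched, which is the precise answer to the "how many records were affected?" question. The 10,000-subject threshold for "large scale", the field names and all sample data are this example's assumptions.

```python
"""Processing register (Art. 41 bis 2), DPIA triggers and logbook queries (Art. 41 bis 3).
Added illustration; schema, threshold and sample data are assumptions, not the law's text."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Trigger categories from the article. The numeric "large scale" threshold is an
# assumption for this example; the law text quoted on the page gives no number.
SENSITIVE_CATEGORIES = {"health", "biometric", "criminal_record"}
LARGE_SCALE_SUBJECTS = 10_000


@dataclass
class ProcessingActivity:
    """One register row, keyed by business process rather than by IT system."""
    name: str
    purpose: str
    data_categories: Set[str]
    recipient_categories: Set[str]
    retention_days: int
    security_measures: List[str]
    subjects_approx: int = 0
    systematic_profiling: bool = False
    monitors_public_area: bool = False


def register_gaps(a: ProcessingActivity) -> List[str]:
    """Mandatory register fields (as the article lists them) that are still empty."""
    gaps = []
    if not a.purpose:
        gaps.append("purpose")
    if not a.data_categories:
        gaps.append("data_categories")
    if not a.recipient_categories:
        gaps.append("recipient_categories")
    if a.retention_days <= 0:
        gaps.append("retention_period")
    if not a.security_measures:
        gaps.append("security_measures")
    return gaps


def dpia_triggers(a: ProcessingActivity) -> List[str]:
    """Reasons this activity needs a DPIA before it starts (empty list: no trigger)."""
    reasons = []
    if a.systematic_profiling:
        reasons.append("systematic profiling")
    if a.data_categories & SENSITIVE_CATEGORIES and a.subjects_approx >= LARGE_SCALE_SUBJECTS:
        reasons.append("large-scale processing of sensitive data")
    if a.monitors_public_area:
        reasons.append("systematic monitoring of publicly accessible areas")
    return reasons


def dpia_worklist(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """The DPIA list falls out of the register once rows are built per process."""
    return {a.name: dpia_triggers(a) for a in register if dpia_triggers(a)}


@dataclass
class LogEvent:
    """One logbook entry: an operation by an actor on one record of one activity."""
    ts: str
    activity: str
    actor: str
    operation: str  # "access" | "modify" | "delete"
    record_id: str


def logbook_coverage_gaps(register: List[ProcessingActivity], events: List[LogEvent]) -> List[str]:
    """Register activities with no logbook events at all: blind spots for the 5-day clock."""
    logged = {e.activity for e in events}
    return [a.name for a in register if a.name not in logged]


def affected_records(events: List[LogEvent], activity: str, actor: str) -> Dict[str, object]:
    """Exact record set for a notification, instead of an estimate."""
    hits = [e for e in events if e.activity == activity and e.actor == actor]
    return {
        "records": sorted({e.record_id for e in hits}),
        "operations": sorted({e.operation for e in hits}),
        "first_seen": min((e.ts for e in hits), default=None),
    }


# --- Constructed register and logbook excerpt (sample data, not a real organisation) ---
REGISTER = [
    ProcessingActivity("payroll", "salary payment", {"identity", "bank_account"},
                       {"bank", "tax_authority"}, 3650, ["encryption at rest", "role-based access"],
                       subjects_approx=1200),
    ProcessingActivity("occupational_health", "fitness-for-work records", {"identity", "health"},
                       {"company_doctor"}, 1825, ["encryption", "access logging"], subjects_approx=12000),
    ProcessingActivity("customer_analytics", "purchase propensity scoring", {"identity", "behavioural"},
                       {"marketing_team"}, 730, [], subjects_approx=250000, systematic_profiling=True),
    ProcessingActivity("site_cctv", "premises security", {"image"}, {"security_contractor"}, 30,
                       ["restricted viewing"], subjects_approx=5000, monitors_public_area=True),
]
LOGBOOK = [
    LogEvent("2025-09-01T07:58:00Z", "payroll", "svc-backup", "access", "emp-0042"),
    LogEvent("2025-09-01T07:58:05Z", "payroll", "svc-backup", "access", "emp-0043"),
    LogEvent("2025-09-01T07:58:09Z", "payroll", "svc-backup", "access", "emp-0042"),  # repeat, same record
    LogEvent("2025-09-01T08:01:00Z", "payroll", "svc-backup", "delete", "emp-0044"),
    LogEvent("2025-09-01T09:00:00Z", "payroll", "hr-user-7", "modify", "emp-0101"),
    LogEvent("2025-09-01T09:10:00Z", "occupational_health", "doc-1", "access", "emp-0042"),
]

if __name__ == "__main__":
    print("DPIA worklist:", dpia_worklist(REGISTER))
    print("register gaps:", {a.name: register_gaps(a) for a in REGISTER if register_gaps(a)})
    print("unlogged activities:", logbook_coverage_gaps(REGISTER, LOGBOOK))
    print("svc-backup on payroll:", affected_records(LOGBOOK, "payroll", "svc-backup"))
```

Two design points carry over to a real deployment: the coverage check is the item to fix first, because an activity absent from the logbook cannot be answered at all within five days, and the record query deduplicates by record identifier, so repeated reads of one row do not inflate the count you report.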

4. Breach Response Playbook — Operate the 5-Day Clock Before You Need It

The 5-day notification window will only be workable if you have run a tabletop exercise against it before a real breach. The playbook should define: who declares a breach (CISO? DPO? both?), who drafts the ANPDP notification, what data from the logbook feeds the notification, who approves and submits, and what the processor notification chain looks like. TÜV Rheinland’s analysis of Law 25-11 notes that the processor-to-controller-to-authority chain requires pre-agreed contractual timelines with each processor — add “processor notification SLA” to every data processing agreement renewed after July 2025.

The Enforcement Trajectory: What ANPDP Will Look for First

ANPDP’s administrative sanctions toolkit — formal warnings, notices to comply, authorization withdrawal — is designed for escalating intervention. The first wave of enforcement in comparable regimes (Morocco’s CNDP, Tunisia’s INPDP) targeted the most visible and verifiable obligations: DPO appointment (or absence), the existence of a processing register, and whether breach notifications were filed timely when incidents became public. Private-sector organizations in financial services, telecommunications, and e-commerce faced the earliest scrutiny because their data volumes made them high-profile.

Algerian enterprises in those sectors should assume they are in the first wave. The digitalpolicyalert.org Africa data protection roundup notes that Algeria’s Law 25-11 amendment brings it to a level of obligation density comparable to South Africa’s POPIA and Kenya’s DPA — both of which moved to active enforcement within 18 months of their major amendments.

Criminal sanctions (2 months to 10 years imprisonment; DZD 5,000 to DZD 10,000,000 in fines) apply to deliberate violations — not technical non-compliance. The practical risk for most enterprises is administrative: an ANPDP audit revealing no processing register, no DPO, and no DPIA documentation for high-risk activities produces a formal notice, a remediation deadline, and potential authorization suspension for the processing activities in question. The cost of that disruption — not the fine — is the real business risk.

The Structural Lesson: Obligations Are Security Controls in Disguise

Every obligation under Law 25-11 is also a security control. The DPO builds organizational accountability. The processing register surfaces data flows that security teams may not have known existed. The automated logbook creates the audit trail that forensic investigators need when a breach occurs. The 5-day notification window forces investment in detection capability — because you cannot notify what you have not detected.

Enterprises that treat these obligations as bureaucratic compliance exercises will spend months building paper artifacts that do not survive contact with a real incident. Enterprises that treat them as security controls will find that compliance and resilience reinforce each other. The Algerian regulatory environment is now sufficiently developed — with ANPDP operational, criminal sanctions on the books, and a growing enforcement ecosystem of compliance professionals — that the cost of inaction exceeds the cost of building the framework correctly.



Frequently Asked Questions

Does Law 25-11’s 5-day breach notification apply to all organizations or only large enterprises?

Law 25-11 applies to all controllers processing personal data in Algeria — there is no size threshold. Both public institutions and private enterprises that collect, store, or process personal data about individuals are subject to the 5-day notification obligation to ANPDP when a breach occurs. The DPO designation requirement similarly applies broadly, though ANPDP is likely to prioritize enforcement against high-volume processors in financial services, telecoms, and e-commerce in its first audit cycles.

What is the difference between a DPIA and a processing register under Algerian law?

The processing register (Article 41 bis 2) is a comprehensive inventory of all personal data processing activities an organization conducts — their purpose, data categories, recipient categories, retention periods, and security measures. It is always required. A DPIA goes deeper for specific high-risk processing activities: it assesses the necessity and proportionality of the processing, evaluates risks to data subjects, and documents mitigation measures. The register identifies which activities require a DPIA; the DPIA documents the risk assessment for each qualifying activity.

What happens if an enterprise misses the 5-day notification deadline?

Missing the 5-day deadline exposes the organization to ANPDP’s administrative enforcement pathway, which begins with a formal notice to comply and can escalate to authorization withdrawal — meaning ANPDP can suspend the organization’s right to process the relevant personal data. In cases of deliberate concealment or willful violation, criminal sanctions apply: 2 months to 10 years imprisonment and fines of DZD 5,000 to DZD 10,000,000. The most immediate practical consequence is that a late or missing notification, once discovered, will trigger a full audit of the organization’s compliance posture.
