⚡ Key Takeaways

Algeria’s Law 11-25 (July 2025) upgrades the 2018 data protection framework by making DPO appointments mandatory, requiring DPIAs for high-risk processing, and mandating a processing activities register. The ANPDP began field inspections of private companies in February 2024. Violations carry fines up to 1,000,000 DZD and imprisonment up to 5 years.

Bottom Line: Designate your DPO and notify the ANPDP via anpdp.dz before Q2 2026 ends — field inspections are active and a missing DPO is an immediate compliance failure.


🧭 Decision Radar

Relevance for Algeria: High
Action Timeline: Immediate
Key Stakeholders: Legal Directors, DPOs (or designated equivalents), CIOs, HR Directors, Board-level governance committees, ANPDP compliance officers
Decision Type: Tactical
Priority Level: Critical

Quick Take: Every Algerian organization processing personal data must designate a DPO, establish a processing activities register, and implement a 5-day breach notification procedure — now. The ANPDP began field inspections in February 2024 and has expanded enforcement in 2026. Organizations without documented compliance programs face fines up to 1,000,000 DZD and criminal exposure for senior management.

Algeria’s Data Protection Law Just Got Teeth: What Changed in 2025

Algeria’s Law 18-07 of June 10, 2018 on personal data protection established the foundational framework: the ANPDP, mandatory declarations, authorizations for sensitive data, and cross-border transfer rules. For three years after the ANPDP became operational — it appointed its chairman and members on August 11, 2022 — most businesses treated compliance as a registration exercise: file the declaration with the authority’s portal, appoint a local representative, and move on.

Law No. 11-25, adopted by Algeria’s Parliament in July 2025, changes that posture. It modernizes the 2018 framework in three material ways. First, it makes the appointment of a Data Protection Officer (DPO) mandatory, rather than optional, for all organizations that process personal data at scale. Second, it introduces mandatory Data Protection Impact Assessments (DPIAs) for high-risk processing activities — meaning organizations cannot launch new products or services that process sensitive or large-scale personal data without completing a structured risk assessment first. Third, it requires organizations to maintain detailed, internally auditable records of all processing activities — a processing register that the ANPDP can request during an inspection.

The enforcement signal was already present before the new law. In February 2024, the ANPDP announced on its official website that it was beginning its first field inspections of private-sector companies, examining processing procedures before extending the program. That announcement marked a shift from a purely declaratory approach to an active audit posture. The 2025 amendments give inspectors more legal ground to stand on.

This article walks through the three core obligations introduced by Law 11-25, describes the compliance steps required, and explains what Algerian businesses in the tech, fintech, telecom, and healthcare sectors should be doing right now.

The Three New Obligations Under Law 11-25

DPO Appointment — Who Needs One and What They Must Do

Under Law 11-25, organizations must appoint a DPO and provide the ANPDP with the DPO’s contact details. The DPO serves as the primary interface between the organization and the authority, is responsible for internal compliance monitoring, and acts as the point of contact for individuals exercising their rights (access, rectification, erasure).

The law does not define a “scale threshold” in public regulatory guidance — meaning that until the ANPDP issues sector-specific guidelines, the safest interpretation is that any organization processing personal data of Algerian residents must appoint one. Tech companies holding user accounts, fintech platforms processing payment data, healthcare providers managing patient records, and e-commerce platforms storing purchase histories are all clearly within scope.

A DPO does not need to be a full-time employee. The role can be assigned to an existing senior compliance, legal, or IT security officer — provided that officer has no conflict of interest with the data processing activities they are overseeing. For smaller organizations, the DPO function can be outsourced to a qualified external consultant, provided the ANPDP receives the external contact’s details.

DPIAs — The Pre-Launch Gate for High-Risk Products

A DPIA is a structured risk assessment that an organization must complete before launching any processing activity that is likely to result in a high risk to individuals’ rights and freedoms. Law 11-25 defines high-risk categories to include systematic profiling at scale, processing of sensitive data (health, biometric, financial), and activities involving large-scale automated decision-making.

For Algerian startups, the practical trigger is any product feature that: builds a user profile based on behavior or demographics; processes health or financial data for credit scoring, insurance, or medical decisions; uses AI to make or materially influence decisions about individuals; or involves location tracking at scale.

The DPIA must document the nature of the processing, the purposes, the necessity and proportionality of the risks, and the safeguards applied. If the DPIA concludes that residual risk is high even after mitigation, the organization must consult the ANPDP before proceeding — a prior authorization requirement that existed under Law 18-07 for sensitive data, now formalized and extended.

Processing Register — The Audit Foundation

Law 11-25 requires organizations to maintain a detailed record of all personal data processing activities. The register must capture: what categories of personal data are processed, for what purpose, on what legal basis, how long data is retained, who can access it (including third-party processors), and whether data is transferred outside Algeria.

This register is not filed with the ANPDP under normal circumstances — it is an internal document. But it becomes the primary evidence document during a field inspection. An organization that cannot produce an up-to-date register faces significant exposure. More practically, building the register forces organizations to map their data flows in detail, which typically surfaces unauthorized processing (legacy databases that no one owns), excessive retention (user data held long after the stated purpose), and undisclosed third-party transfers (analytics SDKs and marketing tools sending data to offshore servers).


What This Means for Algerian Tech Companies

1. Appoint Your DPO Within Q2 2026 — Don’t Wait for a Notice

The ANPDP inspection program is active. February 2024 marked the beginning of field inspections, and the program has been expanding. Companies that receive an inspection notice without a designated DPO are immediately in a non-compliant position. Appointing a DPO preemptively, even if the designation is internal, puts the organization in a defensible posture. The DPO’s contact details must be communicated to the ANPDP via the authority’s online portal at anpdp.dz. This is a one-step registration — not a lengthy process.

2. Map Your Processing Activities Before Building the Register

A processing register built from scratch by asking “what data do we hold?” produces an incomplete document. The right methodology is a data flow audit: start at the system level (databases, CRM, analytics platforms, mobile app SDKs, payment gateways), trace what data each system ingests and exports, and then categorize each flow by data type, legal basis, and retention period. This audit takes two to four weeks for a company of 20-50 employees. The resulting register is then structured around ANPDP’s published declaration forms — which already capture the required fields — making compliance registration and internal governance use the same document.

3. Screen New Product Features for DPIA Triggers Before Development

A DPIA is cheaper to complete before a feature is built than after it is live. The trigger checklist is straightforward: does this feature process health, financial, or biometric data? Does it build behavioral profiles on more than 1,000 users? Does it use automated decision-making that affects access to services? If yes to any, a DPIA is required under Law 11-25. Build this check into the product requirements document (PRD) stage, not the legal review stage after launch.

4. Review Third-Party Data Processors — Not All SDK Vendors Are ANPDP-Compliant

Algeria’s data protection framework requires that data transfers outside Algeria — including to cloud services, SaaS analytics tools, and advertising networks — must have an authorization from the ANPDP or meet specific adequacy conditions. Many Algerian startups use Firebase, Mixpanel, Segment, or similar international tools without realizing that data flowing to those platforms may constitute an unauthorized cross-border transfer. The processing register exercise (Step 2) surfaces these flows. For each third-party processor, review whether the transfer is covered by an ANPDP authorization or whether an authorization needs to be filed.

5. Build Breach Notification Into Your Incident Response Plan

Law 11-25 and the underlying Law 18-07 require notification to the ANPDP within 5 days of discovering a personal data breach. This is a tight window that most organizations do not meet without a pre-defined process. The notification must describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it. Organizations that have been through the data flow mapping exercise (Step 2) can complete this notification accurately and quickly. Those that haven’t typically spend the first 48 hours of a breach trying to understand what data was exposed — a delay that extends liability.

Building a Compliance Culture, Not Just a Compliance File

The ANPDP’s approach to enforcement — field inspections of private-sector companies, formal inspection programs announced via the authority’s website — indicates a trajectory toward active oversight, not passive registration. Algerian organizations that treat data protection as a one-time registration exercise are building toward a compliance failure.

The stronger frame is organizational: personal data protection is a quality dimension of digital products. Organizations in Algeria’s tech sector that build privacy into their products — clear consent interfaces, minimal data collection, user-facing data rights mechanisms — differentiate themselves in an increasingly competitive market for users who are becoming more aware of how their data is used. Singapore’s Personal Data Protection Commission demonstrated this when it began enforcement actions against companies with poor consent practices in 2023 and 2024: the companies that had invested in privacy-by-design practices faced minimal disruption, while those that had not faced both regulatory exposure and reputational damage.

For Algerian companies in 2026, the compliance window is still open. The five steps above are achievable in a quarter. The DPO designation, the processing register, the DPIA procedure, the third-party audit, and the breach notification protocol together constitute a comprehensive compliance posture under Law 11-25 — one that will also serve as the foundation when the ANPDP issues more specific sector guidance in the months ahead.


Frequently Asked Questions

Who exactly must appoint a DPO under Algeria’s Law 11-25?

Law 11-25 requires DPO appointment for all organizations that process personal data as a core activity at scale. This includes: companies with more than 250 employees that process employee data; organizations processing sensitive data (health, biometric, criminal records) regardless of size; public authorities processing citizen data; and any organization providing digital services to consumers. Small businesses processing only basic customer contact data for invoicing may be exempt, but the ANPDP guidance recommends a precautionary approach — if in doubt, appoint.

What are the DPO’s mandatory functions under Law 11-25?

The DPO must: maintain the organization’s register of processing activities (Article 15 of Law 11-25); advise on Data Protection Impact Assessments (DPIAs) for high-risk processing activities; serve as the primary liaison with the ANPDP for inspections, inquiries, and breach notifications; monitor compliance with the law; and train staff on data protection obligations. The DPO cannot be sanctioned for performing these functions in good faith — this independence protection is explicit in the law.

What happens during an ANPDP field inspection and how should an organization prepare?

ANPDP inspectors typically request: the register of processing activities (must be current and signed by the DPO); evidence of consent mechanisms for consumer data processing (cookie banners, subscription opt-ins, marketing consent records); documentation of the breach notification procedure; and evidence of DPO appointment. Organizations that have these four documents ready can typically conclude an inspection in 2-3 hours without incident. Organizations that cannot produce the register on request face immediate provisional measures.
