⚡ Key Takeaways

Algeria’s Law No. 25-11 (July 2025) amended the foundational personal data protection law (Law 18-07) to introduce mandatory DPO appointments for large processors, 72-hour breach notifications, and stricter GDPR-aligned consent standards. The ANPDP began active enforcement in Q1 2026, issuing formal notices to three financial services firms.

Bottom Line: Algerian enterprises and fintechs must audit processing inventories, rebuild digital consent flows, and implement breach notification protocols immediately: the ANPDP’s sector-specific audits of fintech and healthcare platforms begin in Q3 2026.

🧭 Decision Radar

Relevance for Algeria: High
Law 25-11 directly governs how every Algerian enterprise, fintech, and cloud provider processes personal data, with active ANPDP enforcement underway since Q1 2026.

Action Timeline: Immediate
The 72-hour breach notification protocol is effective now; DPO designation deadline is January 1, 2027, requiring 6-12 months of preparation.

Key Stakeholders: CTOs, DPOs, Legal/Compliance Teams, Fintech Founders, Cloud Providers

Decision Type: Strategic
This is a compliance architecture decision that requires legal, technical, and organizational changes across the enterprise — not a one-time adjustment.

Priority Level: High
The ANPDP has begun active enforcement reviews in fintech and healthcare; non-compliance now carries real administrative sanction risk.

Quick Take: Algerian enterprises and fintechs must treat Law 25-11 compliance as a board-level priority: audit your processing inventory immediately, rebuild digital consent flows before Q3 2026 sector audits, and implement a 72-hour breach notification protocol now. Organizations that align with Law 25-11 early are simultaneously building the credibility needed for EU adequacy recognition — a commercial advantage, not merely a legal obligation.

What Law 25-11 Actually Changed

Algeria’s baseline data protection law — Law No. 18-07 of June 10, 2018 — was a foundational text, but its procedural requirements lagged behind the GDPR standards that many of Algeria’s export-oriented technology companies needed to align with for EU market access. Law No. 25-11, adopted by the Algerian parliament in July 2025, addressed this gap through a targeted set of amendments. The changes did not repeal Law 18-07; they amended and extended it, meaning every compliance program built on Law 18-07 needs a gap analysis against the new provisions.

The most operationally significant changes break down into four areas. First, the law formalizes the role of the Data Protection Officer (DPO). Organizations that process personal data at significant scale — specifically those processing data of more than 5,000 individuals per year or handling sensitive categories of data such as health records, biometric identifiers, or financial transaction histories — must designate a DPO by January 1, 2027, according to the ANPDP’s transitional timetable. This aligns with GDPR Article 37, which mandates DPOs for public authorities and large-scale systematic processors.

Second, consent standards were tightened. The prior law required “express consent” but did not define the form. Law 25-11 now specifies that digital consent must be “freely given, specific, informed, and unambiguous” — mirroring GDPR Recital 32’s definition of valid consent. Pre-ticked boxes and bundled consent clauses are explicitly prohibited for digital services directed at Algerian residents.

Third, the amendment introduces a mandatory breach notification obligation with a 72-hour window for notifying the ANPDP when a data breach is likely to result in a risk to individuals’ rights and freedoms. This mirrors GDPR Article 33 precisely. Before Law 25-11, Algeria had no statutory breach notification timeline; organizations self-reported on a discretionary basis.

Fourth, the law expands the definition of sensitive personal data to include geolocation data and behavioral profiling data derived from AI systems — a forward-looking addition that directly targets recommendation engines, credit scoring algorithms, and surveillance-related applications.

The ANPDP Enforcement Context

Algeria’s data protection regulator, the Authority for Personal Data Protection (ANPDP), was established under Law 18-07 but remained in a capacity-building phase through 2023. Following the appointment of its full board in late 2024, the ANPDP has moved toward active enforcement. In the first quarter of 2026, it conducted compliance reviews of 14 financial services companies and issued formal notices to 3 for inadequate consent collection practices — the first enforcement actions taken since the authority’s inception, according to reporting by CMS.law.

Law 25-11 gives the ANPDP enhanced investigative powers, including the ability to conduct on-site audits without prior notice for organizations suspected of processing sensitive data without authorization. The maximum administrative fine remains at 10 million Algerian dinars (approximately USD 73,000 at current exchange rates) for individual violations, but the amendment introduces cumulative violation accounting — meaning repeated or ongoing violations can be aggregated, removing the previous ceiling effect that incentivized delay.

For multinational companies operating Algerian subsidiaries and for Algerian startups processing EU residents’ data, the coordination mechanisms between the ANPDP and EU supervisory authorities established under Law 25-11 are particularly significant. The law creates a formal channel for cross-border data transfer notifications, a prerequisite for any Algerian company seeking to sign standard contractual clauses (SCCs) with EU counterparts as an adequate transfer mechanism.

What Enterprises Must Do Now

1. Conduct a Processing Inventory Audit Within 60 Days

The first obligation under any GDPR-aligned compliance program is a record of processing activities (ROPA), and Law 25-11 makes this a formal requirement for Algerian organizations as well. A ROPA must capture: the categories of personal data processed, the legal basis for each processing activity, the retention period, any third-party recipients, and whether data is transferred cross-border. Organizations without a documented inventory should mobilize their legal and IT security teams immediately. The ANPDP has indicated through its Q1 2026 communications that ROPA documentation will be the first document requested during any compliance audit. If your company processes health, biometric, or geolocation data (categories now explicitly elevated as sensitive by Law 25-11), the inventory becomes a blocking prerequisite for DPO designation.

2. Review and Rebuild All Digital Consent Flows

Every digital service directed at Algerian residents — including e-commerce checkout flows, fintech app onboarding, loyalty program registration, and newsletter sign-ups — needs a consent mechanism audit. The prohibition on pre-ticked boxes and bundled consent clauses is not a minor UX change; it requires engineering work to retrofit existing flows. CookieYes’s compliance analysis of Law 25-11 identifies three common failure patterns: (a) bundled T&C/consent clauses where data processing consent is embedded in general terms acceptance, (b) opt-out framing presented as opt-in, and (c) absence of granular purpose selection. Each of these patterns is now explicitly non-compliant. Product teams should prioritize consent re-architecture for user-facing registration flows before the ANPDP begins sector-specific audits, which its Q1 2026 notice indicated would focus on fintech and healthcare platforms from Q3 2026.

3. Implement a 72-Hour Breach Notification Protocol

The breach notification window is the highest-urgency operational change introduced by Law 25-11. A 72-hour timeline is short — it requires organizations to have pre-built incident response workflows that can assess breach scope, determine whether it triggers notification thresholds, and generate a structured report for the ANPDP within three calendar days. DLA Piper’s Algeria data protection guide highlights that most Algerian enterprises currently lack any formalized breach triage playbook. The minimum viable protocol requires: (a) a named incident response owner with ANPDP contact pre-established, (b) a breach assessment template with the GDPR-aligned fields (nature of breach, categories of data, approximate number of records, likely consequences, measures taken), and (c) a decision tree for whether the breach meets the “likely risk to individuals’ rights” threshold that triggers mandatory notification versus discretionary internal logging.

4. Plan for DPO Designation by the January 2027 Deadline

Organizations required to appoint a DPO under Law 25-11 have until January 1, 2027. This is enough lead time to plan, but not enough to delay. A DPO in the Algerian context must have “expert knowledge of personal data protection law and practices” — a definition the ANPDP will interpret against both Law 18-07/25-11 and reference GDPR standards. For most enterprises, this means either upskilling an existing legal or IT security professional through a recognized certification program (the CIPP/E from IAPP or the CDPO qualification from ENISA-recognized bodies are currently the closest international equivalents) or engaging an external DPO service provider. The DPO must be registered with the ANPDP — registration procedures are expected to be published by H2 2026.

The Bigger Picture

Law 25-11 is not an isolated amendment — it is part of a coherent regulatory arc that positions Algeria’s data governance framework for international credibility. In parallel, Decree No. 25-320 of December 2025 established national data classification and interoperability rules for public administrations, creating the public sector complement to Law 25-11’s private sector obligations. Together, these two instruments form the foundational layer of the Digital Algeria 2030 legal infrastructure.

For Algerian technology companies with export ambitions — particularly those targeting the EU market — Law 25-11 creates an opportunity as well as an obligation. EU-based enterprises are required to assess the adequacy of data protection in third countries when transferring personal data. As Algeria’s framework approaches GDPR equivalence, the ANPDP has opened dialogue with the European Data Protection Board regarding an adequacy assessment process. An adequacy decision — similar to those extended to countries like Japan and Singapore — would remove the need for SCCs on every EU-Algeria data transfer, materially reducing compliance overhead for cross-border technology partnerships. Enterprise compliance programs that document their Law 25-11 alignment now build the evidence base that supports Algeria’s adequacy candidacy.

Compliance with Law 25-11 should not be framed as a regulatory burden — it is a market access credential that will define which Algerian companies can participate in the EU’s digital economy over the next three years.

Frequently Asked Questions

What is the deadline for appointing a DPO under Algeria’s Law 25-11?

Organizations required to designate a Data Protection Officer under Law No. 25-11 must complete the appointment by January 1, 2027, according to the ANPDP’s transitional timetable. The obligation applies to organizations processing personal data of more than 5,000 individuals per year or handling sensitive categories of data including health records, biometric identifiers, and financial transaction histories. DPOs must be registered with the ANPDP; registration procedures are expected to be published in H2 2026.

How does Algeria’s breach notification requirement compare to GDPR?

Law 25-11 mirrors GDPR Article 33 closely: organizations must notify the ANPDP within 72 hours of discovering a data breach that is likely to result in risk to individuals’ rights and freedoms. Before Law 25-11, Algeria had no statutory breach notification timeline. Unlike GDPR, the Algerian law does not yet specify a parallel obligation to notify affected individuals directly (the “data subject notification” requirement under GDPR Article 34), though the ANPDP may issue guidance on this in 2026.

Does Law 25-11 affect international companies processing data of Algerian residents?

Yes. Law 25-11, like Law 18-07 before it, applies on a territorial basis: any organization processing personal data of individuals located in Algeria — regardless of the organization’s country of incorporation — falls under its jurisdiction. This means EU or US-based companies with Algerian user bases must comply with the DPO, consent, and breach notification provisions. Additionally, Law 25-11 establishes formal cross-border data transfer notification mechanisms, which international companies must use when transferring Algerian residents’ data outside the country.
