What Law 11-25 Actually Changes for Algerian Businesses
Law No. 25-11 of 24 July 2025 amended and supplemented Algeria’s foundational data protection statute, Law 18-07 of 10 June 2018. The amendment moves Algeria closer to internationally aligned privacy practices and introduces a set of concrete obligations that most Algerian companies had not faced before: a mandatory Data Protection Officer, formal records of processing activities, Data Protection Impact Assessments for high-risk processing, prior consultation with the authority, and mandatory breach notification.
For business leaders, the practical question is no longer “is data protection a priority?” but “what does a working compliance workflow look like?” Many Algerian controllers — from banks and insurers to e-commerce platforms, hospitals, HR systems, and public-facing digital services — already process significant volumes of personal data. Law 11-25 turns those practices into a documented, auditable program.
Step 1 — Appoint a Qualified DPO and Notify the ANPDP
The amendments make DPO appointment mandatory, with skills and knowledge requirements in data protection practices and law. Organisations that collect and process personal data must designate a Data Protection Officer and provide the contact details to the Autorité Nationale de Protection des Données à Caractère Personnel (ANPDP), Algeria’s data protection authority established under Law 18-07.
Key practical questions every business should settle:
- Internal or outsourced? Small and mid-size organisations will often find an external DPO (typically a lawyer or privacy consultant on retainer) easier than a full-time hire. Larger structures with complex processing — banks, telecom operators, public administrations, large retailers — should prefer an internal DPO with direct access to executive leadership.
- Reporting line. The DPO must be able to operate independently. In practice, that means reporting to the CEO, General Secretary, or Board level — never buried inside IT or HR where conflicts of interest emerge.
- Notification. Once appointed, the DPO’s contact details must be formally communicated to the ANPDP.
Step 2 — Build the Record of Processing Activities (RoPA)
Law 11-25 requires organisations to maintain records of processing activities. This is the backbone of every other compliance step: without a map of what personal data is being processed, for what purpose, by whom, and with which recipients, you cannot run DPIAs, respond to data subject requests, or assess breaches.
A minimally viable RoPA should contain, for each processing activity: purpose of the processing (HR payroll, CRM, customer onboarding, video surveillance, etc.), categories of data subjects and categories of personal data, legal basis, recipients (including any transfers outside Algeria), retention periods, and security measures.
Build the first version as a spreadsheet if needed — the goal is completeness, not elegance. Update it at least annually and whenever new processing begins.
Advertisement
Step 3 — Run DPIAs on High-Risk Processing
The law requires Data Protection Impact Assessments for high-risk processing activities. In Algeria’s current context, these typically include large-scale processing of health data (hospitals, insurers), biometric identification (facial recognition or fingerprints for access or payments), employee monitoring (location tracking, productivity software, CCTV beyond reception areas), credit scoring and automated decision-making affecting customers, processing of data relating to minors at scale, and public-facing digital identity or KYC systems.
A DPIA documents the processing, assesses risks to data subjects, and defines mitigation measures. Where residual risk remains high, Law 11-25 foresees prior consultation with the ANPDP before launching.
Step 4 — Prepare a 5-Day Breach Response Plan
One of the most operationally demanding changes is the breach notification requirement: personal data breaches must be notified to the ANPDP within five days. A functioning plan includes a detection path (monitoring, SOC alerts, employee reporting) that reaches the DPO within hours, not days; a decision matrix distinguishing incidents (no personal data impact) from notifiable breaches; a pre-drafted notification template covering nature of the breach, categories and approximate number of data subjects, likely consequences, and containment measures; and a communication plan for data subjects when the breach is likely to result in high risk.
Organisations with no incident response playbook today should treat this as a 2026 priority. Five days is not much lead time once an incident is detected.
Step 5 — Update Contracts, Notices, and Consent Flows
Customer-facing notices, employee privacy policies, and contracts with IT vendors and cloud providers all need to be aligned with the new obligations. Practical deliverables include: website and app privacy notices referencing Law 18-07 as amended by Law 25-11; employee privacy notices describing HR, monitoring, and benefits processing; data processing clauses in vendor contracts — especially critical for cloud, SaaS, and outsourced payroll; and consent flows for marketing, cookies, and any sensitive data processing.
Organisations already working with international partners will find that alignment with GDPR-style practices significantly eases this step, because most of the required artefacts already exist in template form.
Frequently Asked Questions
What is the deadline for Algerian businesses to appoint a Data Protection Officer?
Law 25-11 of 24 July 2025 amended Law 18-07 and introduced the DPO obligation. The obligations entered into force from July 2025, so in practice Algerian data controllers should already have a DPO designated in 2026 and must notify the DPO’s contact details to the ANPDP. Organisations still without a DPO should treat this as an immediate compliance priority.
Can a single DPO cover multiple Algerian companies in the same group?
Yes — a group of companies can appoint a single DPO to cover multiple entities, as long as the DPO remains accessible to each organisation’s data subjects and can dedicate enough time to the role. For small and mid-sized companies, a shared or outsourced DPO (typically a privacy consultant or lawyer on retainer) is a practical way to meet the obligation without a full-time hire.
What happens if an Algerian company fails to notify a data breach within five days?
The ANPDP is the competent authority for data protection enforcement in Algeria under Law 18-07 as amended. Failure to comply with breach notification and other obligations exposes the organisation to administrative sanctions defined by the data protection framework. Beyond legal penalties, the reputational impact of a mishandled breach — particularly involving financial data or customers’ identity documents — often exceeds the regulatory cost.
