Population: 11,818,618

Capital: Tunis

President: Kais Saied

2021 Freedom House Score: 71/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, Tunisia updated its 1959 Constitution to include the right to personal data protection in 2002. The 2014 Constitution protects the right to privacy under Article 24.

DPA legislation: The Organic Act No. 2004-63, was passed in 2004 and established the Tunisian data protection authority, the Instance nationale de protection des données à caractère personnel (INPDP). At that time, it made Tunisia one of the most progressive regimes for personal data protection in the world.

However, under the authoritarian rule of Ben Ali, few, if any of these rights, were actually realised by the people. Although the Tunisian Jasmine Revolution of 2011 brought democratic reforms, it wasn’t until 2015 that data processors began to regularly declare their personal data processing to the INPDP, which, up until that time, had neither been functioning as an independent body, nor was it sanctioning violators of the Organic Act.

Although Tunisia enacted a new constitution in 2014, the old data protection regime remains. However, in 2007 Law and Decree No. 2007-3004 of 27 November 2007 Laying Down the Conditions and Procedures for the Declaration and Authorisation of the Processing of Personal Data was also promulgated.

During a 2018 conference, Chawki Gaddes, the president of the INPDP, emphasised the importance of modernising the law toward greater effectiveness, and to reflect new social and technological realities as well as Tunisia’s new political environment that values democracy and human rights. Given that Tunisia has signed the Council of Europe’s Convention 108, the updated Tunisian data protection law will likely reflect the principles therein.

Under Organic Act No. 2004-63, data subjects, their heirs, or their guardians have the right to:

• access all personal data concerning them;
• correct, complete, rectify, update, modify, clarify, or delete when the data is inaccurate, equivocal, or when its processing is prohibited;
• object, at any time, to the processing of personal data concerning them for valid, legitimate and serious reasons, except where the treatment is planned by law or is required by the nature of the obligation; and
• prevent personal data from being shared with third parties for advertising purposes.

However, it is important to note that organisations with a “public personality” (such as police stations, tribunals, and universities) are not bound by the obligations that generally apply to personal data processors in Tunisia. Public organisations are not required to declare data processing and therefore the rights of individuals to their data are limited in their interactions with these entities.

ICCPR: Signed

Council of Europe Convention 108: Ratified

Council of Europe Convention 185: No

Malabo Convention: Signed

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: Yes

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: No

Excludes foreign entities that only transit personal data through the country: No

Personal data is all information regardless of its origin or form, which directly or indirectly allows for the identification of a natural person, with the exception of information related to public life or considered as such by law.

The processing of personal data related to the following categories is prohibited:

• racial or genetic origins;
• religious beliefs;
• political opinions;
• philosophical or union activism;
• health and scientific research; and
• criminal history and proceedings, criminal prosecution, penalties, preventative measures, or judicial history.

The following principles generally apply to the processing of personal data:

• Personal data must be collected directly from the data subject.
• Personal data collected from third parties is permitted with the consent data subjects, their heirs, or their agents.
• The processing of personal data must respect human dignity, privacy and public freedoms.
• Collection of personal data shall be exclusively carried out for lawful and clear purposes.
• Personal data must be processed fairly and to the extent necessary for the purposes for which they were collected. 
• The data controller must ensure that the data is accurate and current.
• The processing of personal data may not be carried out for purposes other than those for which they were collected except:
  • if the data subject has given consent;
  • if processing is necessary to safeguard a vital interest of the person concerned; or
  • if processing is necessary for certain scientific purposes.
• Informed consent of the data subject is among the main prerequisites for the legitimate processing of personal data.
• The data subject or their agent may withdraw consent at any time during the processing.
• Personal data relating to children cannot be carried out without the consent of the child’s agent and after authorisation of the juvenile and family court judge.
• Consent provided for the processing of personal data under a specific given shall not apply to other forms or purposes.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: No

Exceptions exist to breach notifications: NA

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Unclear

Number of members in DPA: 13

Maximum term length for members of the DPA (years): Repeatedly renewable

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: No

DPA is mandated to participate in policy formulation: Yes

The transfer of personal data is generally prohibited or subject to strict measures, including prior authorisation from the INPDP, and the explicit consent of the person in question, which is mandatory.

The international transfer of personal data is prohibited whenever it may endanger public security or Tunisia’s vital interests. Such a transfer may not occur if the foreign country does not provide an adequate level of protection. In every case, the authorisation of the INPDP is required in advance. The INPDP shall issue its decision within one month from the date of receipt of the application.

Provides a right not to be subject to automated decision-making: No