DATA PROTECTION FACTSHEET
President: Kais Saied
2021 Freedom House Score: 71/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes. Tunisia updated its 1959 Constitution to include the right to personal data protection in 2002. The 2014 Constitution protects the right to privacy under Article 24.
DPA legislation: The Organic Act No. 2004-63 was passed in 2004 and established the Tunisian data protection authority, the Instance nationale de protection des données à caractère personnel (INPDP). At that time, it made Tunisia one of the most progressive regimes for personal data protection in the world.
However, under the authoritarian rule of Ben Ali, few, if any, of these rights were actually realised by the people. Although the Tunisian Jasmine Revolution of 2011 brought democratic reforms, it wasn’t until 2015 that data processors began to regularly declare their personal data processing to the INPDP, which, up until that time, had neither been functioning as an independent body nor been sanctioning violators of the Organic Act.
Although Tunisia enacted a new constitution in 2014, the old data protection regime remains. However, in 2007, Law and Decree No. 2007-3004 of 27 November 2007 Laying Down the Conditions and Procedures for the Declaration and Authorisation of the Processing of Personal Data was also promulgated.
During a 2018 conference, Chawki Gaddes, the president of the INPDP, emphasised the importance of modernising the law to make it more effective and to reflect new social and technological realities, as well as Tunisia’s new political environment, which values democracy and human rights. Given that Tunisia has signed the Council of Europe’s Convention 108, the updated Tunisian data protection law will likely reflect the principles therein.
Under Organic Act No. 2004-63, data subjects, their heirs, or their guardians have the right to:
- access all personal data concerning them;
- correct, complete, rectify, update, modify, clarify, or delete the data when it is inaccurate or equivocal, or when its processing is prohibited;
- object, at any time, to the processing of personal data concerning them for valid, legitimate and serious reasons, except where the processing is provided for by law or is required by the nature of the obligation; and
- prevent personal data from being shared with third parties for advertising purposes.
However, it is important to note that organisations with a “public personality” (such as police stations, tribunals, and universities) are not bound by the obligations that generally apply to personal data processors in Tunisia. Public organisations are not required to declare data processing and therefore the rights of individuals to their data are limited in their interactions with these entities.
Council of Europe Convention 108: Ratified
Council of Europe Convention 185: No
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: Yes
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: No
Excludes foreign entities that only transit personal data through the country: No
Personal data is all information regardless of its origin or form, which directly or indirectly allows for the identification of a natural person, with the exception of information related to public life or considered as such by law.
The processing of personal data related to the following categories is prohibited:
- racial or genetic origins;
- religious beliefs;
- political opinions;
- philosophical or union activism;
- health and scientific research; and
- criminal history and proceedings, criminal prosecution, penalties, preventative measures, or judicial history.
The following principles generally apply to the processing of personal data:
- Personal data must be collected directly from the data subject.
- The collection of personal data from third parties is permitted with the consent of data subjects, their heirs, or their agents.
- The processing of personal data must respect human dignity, privacy and public freedoms.
- Collection of personal data shall be exclusively carried out for lawful and clear purposes.
- Personal data must be processed fairly and to the extent necessary for the purposes for which they were collected.
- The data controller must ensure that the data is accurate and current.
- The processing of personal data may not be carried out for purposes other than those for which they were collected except:
  - if the data subject has given consent;
  - if processing is necessary to safeguard a vital interest of the person concerned; or
  - if processing is necessary for certain scientific purposes.
- Informed consent of the data subject is among the main prerequisites for the legitimate processing of personal data.
- The data subject or their agent may withdraw consent at any time during the processing.
- The processing of personal data relating to children cannot be carried out without the consent of the child’s agent and the authorisation of the juvenile and family court judge.
- Consent provided for the processing of personal data in a specific form or for a specific purpose shall not apply to other forms or purposes.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: No
Exceptions exist to breach notifications: NA
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Unclear
Number of members in DPA: 13
Maximum term length for members of the DPA (years): Repeatedly renewable
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: No
DPA is mandated to participate in policy formulation: Yes
The transfer of personal data is generally prohibited or subject to strict measures, including prior authorisation from the INPDP, and the explicit consent of the person in question, which is mandatory.
The international transfer of personal data is prohibited whenever it may endanger public security or Tunisia’s vital interests. Such a transfer may not occur if the foreign country does not provide an adequate level of protection. In every case, the authorisation of the INPDP is required in advance. The INPDP shall issue its decision within one month from the date of receipt of the application.
Provides a right not to be subject to automated decision-making: No