Any personal data processing is subject to a prior declaration to the national Authority or its authorisation.
The controller must implement the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, in particular when the processing involves data transmission in a network, as well as against any other form of unlawful processing.
The controller as well as the persons who, in the performance of their duties, have knowledge of personal data, are required to respect professional secrecy even after having ceased to exercise their functions, under criminal sanctions.
Any person acting under the authority of the controller or that of the subcontractor who has access to personal data may only process them on the instruction of the controller, except in the case of execution of a legal obligation.
When the controller is not established on Algerian territory, he or she must notify the national authority of the identity of his or her representative installed in Algeria who, without prejudice to his personal responsibility, replaces him in all his rights and obligations resulting from the provisions of the law.
Interconnection of files containing personal data must obtain prior authorisation of the Authority.
The processing of personal data with a purpose of public interest research, study or evaluation in the field of health is authorised by the national authority, in compliance with
principles defined by this law and according to the public interest that the research, study or evaluation presents.
There is no age limit regarding the data subject. The law has mentioned however that a “child” needs the prior consent of his or her legal guardian or the judge.
Processing of personal data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or which relates to his health including his genetic data is forbidden except when:
- the processing is necessary for the safeguard of vital interests of the data subject or of another person and if the data subject is physically or legally unable to give consent;
- the processing is carried out, with the consent of the data subject, by a foundation, association or non-profit organisation of a political, philosophical, religious or trade union nature, within the framework of its legitimate activities, provided that the processing concerns only the members of this body or the persons who maintain regular contact with it related to its purpose that the data are not communicated to third parties without the consent of the persons concerned.
- the processing relates to data clearly made public by the data subject, as long as his or her consent to the processing of the data can be inferred from his or her statements;
- the processing is necessary for the recognition, exercise or defence of legal claims and is carried out exclusively for this purpose;
- the processing of genetic data, excluding those carried out by doctors or biologists and which are necessary for the practice of preventive medicine, medical diagnostics and the administration of care or treatment.
- Personal data relating to offences, penalties and security measures can only be processed by the judicial authority, public authorities, legal persons who manage a public service and court officials within the framework of their legal powers.
Protection of personal data is based on:
- processing that is fair and lawful;
- a collection for specific, clearly defined and legitimate purposes and shall be processed in a way that is compatible with these purposes;
- adequate data, which are relevant to the purpose of their processing and not excessive in relation to such purpose;
- accurate data, and where necessary, updated; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
- keeping data in a form that allows the identification of data subjects for no longer than it is necessary for the purpose for which they were collected or further processed;
The controller is in charge of applying these requirements to all kinds of processing of data, be it automatically or by other means.
The personal data may be processed only if:
- Personal data subject has given his or her consent;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to negotiate or amend a draft/contract at the request of the data subject;
- in order to protect the vital interests of the data subject;
- to comply with a legal obligation of the controller;
- for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to whom the data are disclosed;
- processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject’s right to protection of personal life and privacy.
Processing of personal data in the framework of crime prevention and prosecution activities, in cases of a criminal offence against the public order and other violations in the field of criminal law, defence and national security, shall be performed by official authorities as stipulated in the law.
In the event, the controller or processor may carry out personal data processing for the purpose of offering business opportunities or services provided that the data were taken from a public list of data.
The controller or processor cannot process any further the data specified in this paragraph, if the data subject has expressed his or her disagreement or has objected to further processing. No additional personal data may be attached to the data specified above without the consent of the data subject.
The controller is allowed to keep the personal data in its own filing system.
Such data can only be used if the data subject gives his or her consent.
The collection of personal data which is related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his or her explicit consent.
Obligations of the Controller and Processor:
- obligation to inform;
- obligation to rectify and erase;
- obligations of the Processor.