The Data Protection Law recognises two parties who deal with personal data:
- Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
- Data Controller: the subject or legal entity that decides on the processing of personal data.
Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of that relationship.
According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:
- Legitimacy: Personal data must be collected and processed in a lawful manner;
- Consent: The data subject must give their consent for the processing of their personal data;
- Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
- Quality: This principle is met when the personal data is provided directly by the data subject; if not, the Data Controller must take measures to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, updated and correct;
- Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
- Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
- Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.
Additionally, the following legal requirements should be taken into account when processing personal data:
- Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
- Personal data must not be obtained through deceptive or fraudulent means;
- In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
- Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.
Any personal data processing is subject to a prior declaration to the national Authority or to its authorisation.
The controller must implement the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, in particular when the processing involves data transmission in a network, as well as against any other form of unlawful processing.
The controller as well as the persons who, in the performance of their duties, have knowledge of personal data, are required to respect professional secrecy even after having ceased to exercise their functions, under criminal sanctions.
Any person acting under the authority of the controller or that of the subcontractor who has access to personal data may only process them on the instruction of the controller, except in the case of execution of a legal obligation.
When the controller is not established on Algerian territory, he or she must notify the national authority of the identity of his or her representative installed in Algeria who, without prejudice to his personal responsibility, replaces him in all his rights and obligations resulting from the provisions of the law.
Interconnection of files containing personal data requires prior authorisation from the Authority.
The processing of personal data with a purpose of public interest research, study or evaluation in the field of health is authorised by the national authority, in compliance with the principles defined by this law and according to the public interest that the research, study or evaluation presents.
There is no age limit regarding the data subject. However, the law states that a “child” needs the prior consent of his or her legal guardian or the judge.
Processing of personal data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or which relates to his health including his genetic data is forbidden except when:
- the processing is necessary for the safeguard of vital interests of the data subject or of another person and if the data subject is physically or legally unable to give consent;
- the processing is carried out, with the consent of the data subject, by a foundation, association or non-profit organisation of a political, philosophical, religious or trade union nature, within the framework of its legitimate activities, provided that the processing concerns only the members of this body or the persons who maintain regular contact with it related to its purpose, and that the data are not communicated to third parties without the consent of the persons concerned;
- the processing relates to data clearly made public by the data subject, as long as his or her consent to the processing of the data can be inferred from his or her statements;
- the processing is necessary for the recognition, exercise or defence of legal claims and is carried out exclusively for this purpose;
- the processing of genetic data, excluding those carried out by doctors or biologists and which are necessary for the practice of preventive medicine, medical diagnostics and the administration of care or treatment.
Personal data relating to offences, penalties and security measures can only be processed by the judicial authority, public authorities, legal persons who manage a public service and court officials within the framework of their legal powers.