Companies holding and processing personal data of natural persons must comply with the provisions of the law on the protection of natural persons in the processing of personal data (law no. 18-07 of June 10, 2018) before August 23, 2023.
The Firm is ready to assist any company in setting up this compliance policy and all the related procedures.
As a reminder, this law aims to prevent any breach of the confidentiality of personal data of natural persons in the possession of companies. It lays down a number of rules for companies in the processing of this data. These binding rules must, according to article 75 of the law, apply from August 23, 2023, one year after the installation of the Authority for the protection of personal data.
I - Glossary of fundamental terms
First of all, a brief presentation of some terms that the law has taken care to define is necessary:
I.1.) Personal data of natural persons:
These are the subject of protection and the law defines them as follows:
Any information, regardless of its medium, concerning an identified or identifiable person, hereinafter referred to as “data subject”, directly or indirectly, in particular by reference to an identification number or one or more specific elements of his physical, physiological, genetic, biometric, psychological, economic, cultural or social identity;
In more prosaic and didactic terms, this is in fact all the information collected and held by any public or private organization on natural persons with whom it comes into contact internally or externally in the course of its functions or activities. These may be employees, workers and civil servants whose information is necessarily held by their employer at the time of their recruitment and career management. It may also be information held by organizations providing a public service in health, education, social benefits, taxes and more generally any public organization holding personal information on its citizens or users of the public service.
It also concerns private companies that have a relationship with the general public because of a commercial relationship of sales or services. These companies necessarily collect information on third parties that are personal data subject to protection by law.
Some of these data are qualified by law as “sensitive data” defined as follows:
“Personal data that reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or that relate to his health including his genetic data”
I.2.) Data processing:
The rules laid down by the law apply to processing. The law organizes the processing of this data in order to make it compatible with the protection it enjoys.
Processing consists according to the law “in any operation or set of operations carried out using automated or non-automated means or processes and applied to personal data, such as collection, recording, organization, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, matching or interconnection, as well as locking, encryption, deletion or destruction”
It is important to note from the outset that although the need for the protection of personal data was revealed by information technology and digital technology, protection is no less necessary for data stored on non-digital media. The qualifier “automated or non-automated” appears in this excerpt to remind us of this, as does the expression “regardless of its medium” used in the definition of personal data quoted above.
This is also the unequivocal meaning of article 4 of the law, which provides:
Art. 4. - This law applies to the automated processing, in whole or in part, of personal data, as well as to the non-automated processing of personal data contained or intended to appear in manual files.
II - The main principles introduced by the law
II.1. The fundamental directive of the law appearing on its frontispiece states that:
“The processing of personal data, whatever its origin or form, must be done within the framework of respect for human dignity, privacy, public freedoms and must not infringe on the rights of persons, their honor and reputation”. (Art. 2.)
As a consequence of this directive, the law lays down a number of principles which it requires to be respected by the holders of personal data of natural persons:
II.2. The principle of prior consent of the natural person concerned to the processing:
Art. 7. - The processing of personal data can only be carried out with the express consent of the data subject.
No processing by the holder of the personal data of a natural person can take place without the consent of the latter, who may at any time retract and withdraw his consent.
Only exhaustively listed exceptions can override the consent of the data subject.
These are cases where the processing of personal data is required for reasons related to:
- compliance with a legal obligation to which the data subject or the controller is subject;
- safeguarding the life of the data subject;
- the performance of a contract to which the data subject is party or the performance of pre-contractual measures taken at his request;
- safeguarding vital interests of the data subject, if he is physically or legally incapable of giving his consent;
- carrying out a mission of public interest or falling within the exercise of public authority, with which the controller or the third party to whom the data are communicated is invested;
- achieving a legitimate interest pursued by the controller or by the recipient, subject to the interest and/or fundamental rights and freedoms of the data subject.
II.3. The principle of quality of data subject to processing
The processing cannot exceed the purpose for which it is carried out. Thus article 9 stipulates that:
Personal data must be:
a) processed fairly and lawfully;
b) collected for specified, explicit and legitimate purposes, and may not be further processed in a way incompatible with those purposes;
c) adequate, relevant and not excessive in relation to the purposes for which they are collected or processed;
d) accurate, complete and, if necessary, updated;
e) kept in a form that permits identification of data subjects for a period not exceeding that necessary for achieving the purposes for which they were collected or processed.
The law grants the natural persons concerned, whose personal data are held and processed, a number of rights that enable them to ensure the protection of their data:
- A right to information
- A right of access to data
- A right to rectify data if necessary
- A right to object to the processing of their data on legitimate grounds and in particular in case of use of their data for commercial prospecting
III - The institutional framework for the implementation of the law
The institutional extension of the protection rules set out by the law is the creation of the Authority for the protection of personal data, an independent administrative authority placed under the President of the Republic, for the purpose of ensuring the essential mission of guardian of the application of the legal provisions.
Thus, the processing of personal data by the public or private person who holds it can only take place on condition that this person first notifies the National Authority for the protection of personal data:
- either to declare the processing to it;
- or, if the type of declared processing falls within its scope, to obtain an authorization, if the National Authority considers that the declared processing presents “manifest dangers for the respect and protection of privacy and fundamental freedoms and rights of persons” (article 17).
To this end, the controller of any public or private organization must send a declaration to the aforementioned Authority, the content of which is specified by law.
It goes without saying that any public or private organization holding personal data of natural persons must designate within it a controller who will be responsible for drafting, signing and sending the declaration against acknowledgment of receipt, the electronic route being also provided if the declarant chooses it.
It is therefore easy to understand that the national authority has, among other prerogatives, the power to carry out investigations to ensure compliance with the law by all holders of personal data, and to sanction violations found.
Accordingly, it is endowed by law with a disciplinary power allowing it to impose administrative sanctions on public and private organizations contravening the provisions of the law.
The controller thus exposes his organization to several types of administrative measures, which are:
- The warning,
- The formal notice,
- The temporary withdrawal for a period not exceeding one year, or the definitive withdrawal of the receipt of declaration or authorization,
- The fine.
The law supplements the system of sanctions with a particularly dissuasive criminal component consisting, among other criminal sanctions, in the conviction of any person who carries out processing without the prior declaration or authorization required by article 12 of the law.
"(…) A prison sentence from two (2) years to five (5) years and a fine from 200.000 DA to 500.000 DA, anyone who carries out or has carried out processing of personal data without respecting the conditions provided for by article 12 of this law" (article 56 of the law).
It follows, in light of the above, that a communiqué already issued by the national authority for data protection takes on its full importance: it alerts all public and private organizations that hold and process personal data of natural persons that the time has come, as provided by law, to comply by declaring this processing to the National Authority for Data Protection before August 23, 2023, the date of effective entry into force of the law.
A declaration form must be published for this purpose by this Authority, which they will have to fill in and send to this Authority before this date.
They would be well advised to ask this Authority as soon as possible when the form will be made available to the public, at the following contact: firstname.lastname@example.org, or by calling the following number: 023 477 300.