Boussayene Knani & Associés

Insights

The lawyers of Boussayene Knani & Associés frequently contribute to publications in several legal journals specializing in Business Law.
In addition, members of the firm regularly host training seminars on current topics in Business Law and Arbitration, intended in particular for lawyers, businesses and management executives.

APRIL 2024

Practical Guide: Application of Tunisian Legislation on Personal Data Protection

  1. Independent Supervisory Authority:
    In accordance with Organic Law No. 2004-63 of July 27, 2004, concerning the protection of personal data, an authority named the “National Authority for the Protection of Personal Data” (INPDCP) was established. This body has legal personality and financial autonomy, with its headquarters in Tunis (Article 75).
  2. Applicability of Tunisian Data Protection Laws to Foreign Companies in Tunisia:
    Foreign companies operating in Tunisia are subject to Organic Law No. 2004-63 of July 27, 2004, on the protection of personal data. This law does not provide exceptions based on the nationality or legal status of the entity responsible for data processing. Article 2 specifies that this law applies to both automated and non-automated processing of personal data carried out by individuals or legal entities.
  3. Application of Personal Data Protection Law to Foreign Nationals in Tunisia:
    The provisions of the aforementioned law apply to personal data regardless of the nationality of the data subjects. Article 6 defines the data subject as “Any natural person whose personal data is being processed.” Article 4 further clarifies that personal data includes all information, regardless of its origin. There is no specific regime for non-Tunisian nationals.
  4. Tunisian Personal Data Protection Law and GDPR-EU (Complementarity or Risk of Contradiction?):
    Tunisian legislation has been in effect since 2004 and has not been updated, except through the ratification of the Council of Europe Convention No. 108 in 2017. This ratification brought about some modifications. Compliance with Tunisian law also supports adherence to European standards, as both the Tunisian and European regulations generally enshrine similar principles.
  5. Data Transfer within the EEA:
    Organic Law No. 2004-63 of July 27, 2004, requires authorization for the transfer of personal data abroad. The INPDP has established a list of countries it considers to provide adequate protection, allowing data transfers without significant issues. However, obtaining authorization remains obligatory. The INPDP evaluates the following criteria before making a decision:
  • Whether the protection is sufficient.
  • Whether the legal framework of the recipient country is adequate.
  • Whether the data exporter has taken necessary precautions to ensure data security.

Based on these criteria, the INPDP can issue a favorable or unfavorable decision regarding the transfer of personal data to the recipient country. These decisions can be appealed before the Tunis Court of Appeal.

  6. Rules Prohibiting or Limiting the Transfer of Personal Data Outside Tunisia:
    Article 47 of the aforementioned law establishes the principle of prohibiting the transfer of personal data to third parties without the express consent of the data subject, recorded in writing. Certain rules either prohibit or limit data transfer abroad:
  • Prohibitions: Article 50 prohibits the communication or transfer of personal data to a foreign country when it may harm public security or vital interests of Tunisia.
  • Limitations: Article 51 stipulates that data transfer to another country can only occur if that country ensures an adequate level of protection, assessed based on the nature of the data, the purpose of processing, the duration of processing, the destination country, and the necessary precautions taken to ensure data security.

In accordance with this article, transferring data to a European Union country should not pose significant issues. Additionally, Article 52 mandates obtaining authorization from the INPDP for any personal data transfer abroad. The INPDP must decide on the authorization request within one month. If the personal data concerns a child, the request must be submitted to the family judge. This requirement is a matter of public order, and Article 90 provides for a penalty of one year of imprisonment and a fine of five thousand dinars for anyone who transfers personal data abroad without INPDP authorization.

  7. Rules on Data Confidentiality and Destruction After a Certain Period:
  • Article 18 requires any person processing personal data, either directly or through a third party, to take all necessary precautions to ensure data security and prevent unauthorized modification, alteration, or access.
  • Article 19 specifies that these precautions must prevent the data from being read, copied, modified, erased, or deleted during communication or transportation.
  • Article 23 mandates that the data controller, processor, and their agents maintain data confidentiality even after processing has ended or they have lost their status, unless the data subject has consented in writing or as required by law.
  • Article 45 requires that personal data be destroyed once the retention period has expired, as specified in the declaration or authorization, or when the data is no longer necessary for the purpose for which it was collected. A report of destruction must be prepared by a bailiff in the presence of an expert appointed by the INPDCP.
  • Article 74 mandates the destruction of video recordings when they are no longer needed for their intended purpose or when the data subject’s interests require their deletion, unless the recordings are necessary for criminal investigations.
  • The INPDCP members must also maintain the confidentiality of personal data they encounter (Article 80).
  8. Compliance with Registration Requirements: Specific Rules for Video Recording:
    The term “processing” encompasses various data manipulations, including video recordings. The law sets specific rules for video recording:
  • Video recording is only permitted in specific locations such as public areas, entrances, parking lots, and collective workplaces.
  • Video surveillance requires prior authorization from the INPDCP.
  • Video recordings cannot be accompanied by sound recordings.
  • The public must be clearly and permanently informed of the presence of video surveillance.

It is prohibited to share video recordings collected for surveillance purposes, except in the following cases:

  • When the data subject consents.
  • When the communication is necessary for the public authorities’ missions.
  • When the communication is essential for detecting, discovering, or prosecuting criminal offenses.
  9. INPDCP Control Mechanisms:
    The INPDCP oversees all public data processing by public bodies on three levels:
  1. When providing opinions on draft regulations or establishing processing within public bodies.
  2. During processing declarations or authorization requests.
  3. In response to complaints filed by data subjects.

The INPDCP also has the authority to initiate proceedings and may refer cases of data protection violations to the public prosecutor.

  10. Legal Recourse for Individuals Suffering Damage from Unlawful Data Processing:
    Legal recourse is available to individuals who suffer damage from unlawful data processing under the general provisions of the Code of Obligations and Contracts. Several articles address liability and compensation for damage caused to others:
  • Article 82: “Any act by a person that, without legal authority, knowingly and voluntarily causes material or moral harm to another person obliges the perpetrator to repair the damage resulting from their act, provided that the act is the direct cause.”
  • Article 83: “Everyone is responsible for the material or moral damage they cause, not only by their actions but also by their fault, provided that the fault is the direct cause. Any contrary stipulation is void. Fault consists of either failing to do what one was required to do or doing what one was required to abstain from, without the intention of causing harm.”

11. Application of Tunisian Data Protection Law by Authorities and Courts:
Non-compliance with national standards can trigger legal actions. In July 2023, the INPDCP referred about thirty cases to the public prosecutor for non-compliance with Article 7 by private and public entities that carried out processing without prior declaration to the INPDCP. Currently, hundreds of cases are pending in the courts, either due to complaints from data subjects or directly from INPDCP referrals. Judges generally apply data protection standards, and court rulings often align with INPDCP regulatory decisions.
