Tunisia Data Privacy Laws: Organic Law 2004-63 and the 2025 Reform

Tunisia's Organic Law No. 2004-63 of July 27, 2004 requires every data controller to file a prior declaration with the INPDP before processing personal data. Sensitive data and cross-border transfers require full prior authorization. Criminal penalties reach TND 50,000 and two years in prison for unauthorized processing.
Tunisia occupies a distinctive place in the history of data protection. When Organic Law No. 2004-63 on the Protection of Personal Data entered into force on July 27, 2004, Tunisia became one of the first countries on the African continent and in the Arab world to enact comprehensive personal data protection legislation. That milestone predated most comparable frameworks in the broader region by more than a decade.
The law drew directly from the French data protection model and the EU Data Protection Directive 95/46/EC, reflecting Tunisia's civil law tradition and close economic relationship with European neighbors. Twenty years later, the core framework remains in force, but Tunisia is now working through a substantial modernization process. A draft organic law introduced in February 2025 would replace Organic Law 2004-63 with a GDPR-aligned statute featuring expanded rights, stronger enforcement powers, and explicit rules for artificial intelligence and biometric data.
This guide covers the full current framework and the pending reform: the constitutional right to privacy, how the INPDP works, the registration and authorization regime, legal bases for processing, data subject rights, cross-border transfer rules, penalties, and what businesses need to know about the transition.
Quick Answer
Tunisia requires all data controllers to file a prior declaration with the INPDP before processing personal data. Certain categories, including sensitive data and cross-border transfers, require full prior authorization. Violations carry criminal penalties of up to TND 50,000 and two years in prison. A major reform bill is advancing through parliament that would shift Tunisia toward a GDPR-style administrative fine regime and introduce rights to erasure and data portability.
Constitutional Foundation
Tunisia's constitutional framework provides a two-layer guarantee for personal data protection.
2014 Constitution, Article 24 states that the state protects the right to privacy, the inviolability of the home, and the confidentiality of correspondence, communications, and personal data. This provision was adopted following the 2011 revolution and reflects a deliberate choice to anchor data rights at the highest level of the legal order.
2022 Constitution, Article 30 carries forward that guarantee in Tunisia's current constitutional text. Article 30 commits the state to protecting private life and the inviolability of correspondence, communications, and personal data. The 2022 Constitution replaced the 2014 text following President Kais Saied's consolidation of executive authority, but the personal data protection guarantee was preserved.
Because Organic Law 2004-63 has organic law status, it occupies a position in Tunisia's legislative hierarchy above ordinary legislation. Amending or repealing it requires a qualified parliamentary majority. The same status would apply to the pending replacement law.
Both constitutions allow derogations from rights during states of emergency. Tunisia has maintained an emergency declaration since 2015, which human rights organizations have flagged as a potential risk to the practical exercise of privacy rights.
Organic Law 2004-63: The Core Framework
Organic Law 2004-63 regulates the automated and non-automated processing of personal data by public and private entities operating within Tunisian territory. It applies when the data controller is established in Tunisia or when processing equipment located in Tunisia is used, other than for transit purposes.
Fundamental Principles
The law establishes a set of core principles that govern all data processing:
Lawful and fair processing. Data must be collected and processed in good faith, for purposes that are specific, explicit, and legitimate.
Purpose limitation. Data collected for one defined purpose may not be used for a materially different purpose without fresh consent or a new legal basis.
Proportionality. The data collected must be adequate and relevant and must not be excessive relative to the stated purpose.
Accuracy. Controllers must ensure data is accurate and, where necessary, updated.
Retention limits. Data must not be kept longer than is necessary to accomplish the purpose for which it was collected.
Security. Controllers must implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction.
Key Definitions
Personal data (données à caractère personnel): Any information, regardless of origin or form, that allows a natural person to be identified directly or indirectly.
Sensitive data (données sensibles): Information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sexual life, or genetic characteristics. Sensitive data receives heightened protection and always requires prior authorization from the INPDP.
Data controller (responsable du traitement): The natural or legal person, public authority, or other body that determines the purposes and means of processing.
Data processing (traitement des données): Any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, storage, modification, use, communication, and destruction.
Scope Exclusions
The law does not apply to data processed by individuals for purely personal or household purposes. Data processed for national security purposes falls under separate legal frameworks outside the scope of Organic Law 2004-63.
The INPDP: Structure and Powers
The Instance Nationale de Protection des Données Personnelles (INPDP) was established by Organic Law 2004-63 and became operational in 2009, a six-year gap that drew criticism from civil society. The authority is headquartered at 1, Rue Mohamed Moalla, Mutuelleville, Tunis, and holds legal personality with financial autonomy.
The INPDP is the oldest data protection authority in Africa and the Arab world. Its composition includes a president appointed by the President of the Republic and members drawn from the judiciary, government, and civil society.
Core Functions
Registration and authorization. The INPDP receives all prior declarations and evaluates authorization requests. Decisions on authorization applications are issued within one month of receipt.
Investigations and inspections. The INPDP may investigate data processing activities on its own initiative or following a complaint. It is empowered to conduct on-site inspections of both public and private entities.
Enforcement referrals. When violations are found, the INPDP refers cases to the public prosecutor. The authority itself does not impose administrative fines under the current framework; enforcement depends on criminal proceedings.
Advisory opinions. The INPDP advises the government and parliament on proposed legislation that touches on personal data.
Public awareness. The authority publishes guidance, conducts training programs, and participates in international data protection networks, including the Network of African Data Protection Authorities (RAPDP).
Institutional Challenges
The INPDP has faced persistent resource and independence concerns. Early leadership from a judicial background was cautious about proactive enforcement, and private sector compliance was low before 2015. Under president Chawki Gaddes (from 2015 onward), the authority increased its enforcement referrals and public profile. As of July 2023, approximately thirty entities were facing criminal prosecution for processing personal data without the required declaration, with hundreds of cases pending in Tunisian courts.
The pending 2025 reform bill would grant the INPDP greater administrative and financial independence, expand its quasi-judicial powers, and allow it to impose direct administrative fines rather than relying solely on criminal referrals.
The Registration and Authorization Regime
Tunisia's framework uses a tiered system of prior administrative controls on data processing.
Prior Declaration (All Processing)
Article 7 of Organic Law 2004-63 requires every data controller to file a prior declaration with the INPDP before starting any processing of personal data. The declaration must cover:
- The identity and contact details of the controller
- The purpose of the processing
- The categories of personal data involved
- The categories of data subjects
- The intended recipients of the data
- The proposed retention period
- The security measures in place
- Whether the data will be transferred abroad
Decree No. 2007-3004 of November 27, 2007 specifies the procedures and formats for declarations. The INPDP issues an acknowledgment receipt upon receiving a declaration, and processing may begin once the receipt is obtained. Failure to file a declaration before processing is a criminal offense carrying fines of TND 1,000 to TND 10,000 and imprisonment of one to four months.
Prior Authorization (Certain Categories)
Certain processing activities require full prior authorization from the INPDP rather than a simple declaration. Authorization must be obtained and granted before processing begins. Processing subject to prior authorization includes:
- Processing of sensitive personal data (racial/ethnic origin, political opinions, health, religion, genetics, trade union membership)
- Cross-border transfers of personal data
- Video surveillance systems
- Interconnection of databases with different original purposes
- Processing of genetic data
- Processing for research purposes involving personal data
- Biometric identification systems
The INPDP evaluates authorization requests and may grant authorization, refuse it, or attach conditions. The one-month decision window applies. Authorization may be withdrawn if the controller fails to comply with the conditions attached.
Processing without required authorization carries fines of TND 5,000 to TND 50,000 and imprisonment of six months to two years.
Exemptions from Declaration
Certain processing activities are exempt from the declaration requirement, including processing that is explicitly required by law and processing carried out solely for personal or household purposes.
Legal Bases for Processing
Organic Law 2004-63 requires a legal basis for data processing. Consent is the primary basis, but the law recognizes several alternatives.
Consent. Consent must be freely given, specific, and informed. The data subject must understand the purpose of the processing before consenting. Consent may be withdrawn at any time.
Contractual necessity. Processing is lawful without separate consent when it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract.
Legal obligation. Processing required by law does not require the data subject's consent.
Vital interests. Processing necessary to protect the vital interests of the data subject is lawful even without consent.
Public interest. Processing necessary for the performance of a public interest task may proceed without consent.
Legitimate interests. Processing necessary for the legitimate interests of the controller or a third party is lawful, provided those interests do not override the data subject's fundamental rights and freedoms.
In practice, consent is the most commonly relied-upon basis for private sector processing in Tunisia. The 2025 reform bill would codify and clarify these bases in language closer to the GDPR framework.
Data Subject Rights
Organic Law 2004-63 grants data subjects several rights they can exercise against data controllers.
Right to information. Before or at the time of data collection, controllers must inform data subjects of: the identity of the controller, the purposes of processing, whether data provision is mandatory or optional, the consequences of refusing to provide data, the recipients of the data, and the data subject's rights.
Right of access. Data subjects may request a copy of their personal data held by a controller. The response must be provided within a reasonable period in an intelligible format. Access requests are generally free of charge.
Right of rectification. Individuals may request correction of inaccurate, incomplete, or outdated data. Corrections must be made at no cost to the data subject, and the controller must notify any recipients of the corrected data.
Right of objection. Data subjects may object to the processing of their data on legitimate grounds relating to their particular situation. They may also object, at any time and without cost, to the processing of their data for direct marketing purposes.
Right against automated decision-making. Data subjects have the right not to be subject to decisions with significant legal effects based solely on automated processing of their personal data.
Rights are exercised by submitting requests directly to the data controller. If the controller fails to respond adequately or within a reasonable period, the data subject may file a complaint with the INPDP. Decisions of the INPDP are appealable to the Court of Appeal of Tunis and, on further appeal, to the Court of Cassation.
Rights Not Yet in the Current Law
The current framework does not include an explicit right to erasure (the right to be forgotten), right to data portability, or a mandatory data breach notification requirement. These gaps have been identified as key drivers of the reform, and the 2025 draft bill would introduce all three.
Cross-Border Data Transfers
Organic Law 2004-63 places significant controls on the transfer of personal data outside Tunisia.
The General Rule
Data transfers to foreign countries are subject to prior authorization from the INPDP. This requirement applies regardless of the destination country. The INPDP assesses whether the recipient country or recipient organization provides an adequate level of data protection.
Adequacy Assessment
INPDP Decision No. 3 of September 5, 2018 established a list of countries considered to provide adequate protection for purposes of data transfers. EU member states benefit from a favorable presumption given Tunisia's close alignment with European frameworks. For transfers to non-listed countries, the INPDP evaluates the recipient's legal framework and specific safeguards on a case-by-case basis.
Mandatory Requirements
For any cross-border transfer, the controller must:
- Obtain explicit written consent from the data subject, after informing the data subject of the absence of adequate protection in the destination country (if applicable)
- File an authorization request with the INPDP explaining the purpose, data categories, recipient identity, and safeguards in place
- Await INPDP authorization before the transfer begins
Transfers involving minors require additional approval from the family court.
Exceptions
Transfers may proceed without an adequacy finding when the transfer is strictly necessary for: the performance of a contract between the data subject and the controller; a contract concluded in the interest of the data subject; reasons of public interest; the establishment, exercise, or defense of legal rights; or to protect the vital interests of the data subject.
Transfers involving national security, public order, or the vital interests of the Tunisian state may be prohibited entirely, regardless of consent or authorization.
Practical Note
The authorization requirement creates a meaningful administrative step for international businesses. Organizations that transfer personal data from Tunisia as part of regular business operations should budget time for INPDP review and factor authorization renewal into their data governance calendars.
Convention 108 and Convention 108+
Tunisia's accession to the Council of Europe's data protection instruments has been a cornerstone of its alignment with international standards.
Convention 108 ratification (November 1, 2017). The Tunisian parliament unanimously ratified the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) and its Additional Protocol No. 181 on supervisory authorities and transborder data flows. Tunisia became the 51st member of Convention 108, and one of only a small number of non-European countries to have done so at the time.
With ratification, Tunisia committed to aligning domestic law with Convention 108's requirements, including ensuring the functional independence of the INPDP in both administrative and financial terms.
Convention 108+ signature (May 24, 2019). Tunisia became the 30th country to sign the Protocol amending Convention 108 (Convention 108+), the modernized version that incorporates elements of GDPR-era thinking, including stronger rules on sensitive data, transparency, and data protection by design. Signing Convention 108+ represents a commitment to modernization but does not by itself constitute ratification. Full ratification requires additional domestic legislative steps.
The Convention 108+ commitments have informed the content of the 2025 draft reform bill, which explicitly cites alignment with Convention 108+ as one of its objectives.
Enforcement and Penalties
Criminal Penalty Structure
Organic Law 2004-63 relies on criminal penalties rather than administrative fines. Violations are referred by the INPDP to the public prosecutor, who initiates criminal proceedings. The penalty structure is set out in the law's enforcement chapter:
| Offense | Fine (TND) | Imprisonment |
|---|---|---|
| Processing without filing a declaration | 1,000 to 10,000 | 1 to 4 months |
| Processing without required authorization | 5,000 to 50,000 | 6 months to 2 years |
| Failure to respect security obligations | 1,000 to 10,000 | 1 to 6 months |
| Unlawful collection or processing of sensitive data | 5,000 to 50,000 | 1 to 2 years |
| Unauthorized cross-border transfer | 5,000 to 50,000 | 1 to 2 years |
| Obstruction of INPDP activities | 1,000 to 10,000 | 1 to 4 months |
| Failure to comply with data subject rights | 1,000 to 10,000 | 1 to 6 months |
Legal entities face the same fines. In cases of recidivism, courts may impose higher penalties within the statutory ranges.
INPDP Administrative Measures
Beyond criminal referrals, the INPDP may issue formal warnings, withdraw processing authorizations it has previously granted, order the immediate cessation of unlawful data processing, and require the controller to implement specific corrective measures. These administrative measures operate independently of any criminal proceedings.
Cybercrime Overlay: Decree-Law 2022-54
Decree-Law No. 2022-54 of September 13, 2022 on combating cybercrime intersects with data protection in important ways. The decree requires telecommunications providers to retain user identity, traffic data, and metadata for at least two years. It also empowers authorities to seize personal devices and intercept communications under judicial order, with penalties reaching five years' imprisonment and fines of TND 50,000 for the most serious offenses, doubled when the victim is a public official.
Human rights organizations including Human Rights Watch and Amnesty International have criticized Decree-Law 54 for its breadth. As of late 2023, the decree had been used to prosecute journalists, lawyers, and activists rather than cybercriminals. The decree's mandatory two-year data retention requirement sits in tension with Organic Law 2004-63's retention limitation principle, and the 2025 reform bill will need to address that overlap.
Enforcement Record
Early enforcement under Organic Law 2004-63 was minimal. A 2016 INPDP press conference identified a range of systemic violations, including unlawful biometric data collection, illegal surveillance camera installations, telemarketing abuses, and unauthorized offshore data transfers. The 2017 lawsuit against OVH Tunisie for transferring customer data abroad without INPDP authorization was one of the authority's first prominent enforcement actions. By mid-2023, roughly thirty entities were facing criminal prosecution for operating without declarations, with hundreds of cases described as pending in Tunisian courts.
The 2025 Reform: A New Data Protection Law
Tunisia's data protection framework is at a turning point. Organic Law 2004-63 was a forward-looking statute in 2004, but it predates cloud computing, social media, machine learning, and the GDPR framework that has since become the global reference standard. A comprehensive replacement has been in preparation for years and formally entered the legislative process in 2025.
Legislative Status
The draft organic law on the protection of personal data (Projet de loi organique relatif à la protection des données à caractère personnel) was officially introduced to parliament on February 15, 2025. The bill comprises 123 articles organized into six chapters: general provisions, principles governing data processing, data subject rights, data processing systems, the data protection authority, and penalties and transitional provisions.
The Rights and Freedoms Committee of Tunisia's Assembly of People's Representatives began reviewing the bill's general provisions chapter in early 2025. As of early 2026, the bill remained in parliamentary committee review and had not yet been enacted into law. The legislative timeline for final passage remains uncertain.
Key Changes the Bill Would Introduce
Expanded scope for new technologies. The draft law explicitly addresses biometric identification, facial recognition technology, algorithmic profiling, and artificial intelligence-driven processing. These topics were largely absent from the 2004 text.
Right to erasure. Data subjects would be entitled to request deletion of their personal data when it no longer serves its original purpose or when consent is withdrawn.
Right to data portability. Individuals would be entitled to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Mandatory breach notification. Controllers and processors would be required to notify the INPDP and, in serious cases, affected data subjects when a personal data breach occurs.
Turnover-based administrative fines. The bill would replace the flat criminal fine structure with fines scaled to global annual turnover, mirroring the GDPR approach. The most serious violations would attract fines representing a percentage of global revenue.
Data Protection Officers. Certain controllers and processors would be required to designate a Data Protection Officer responsible for ensuring internal compliance.
INPDP independence and powers. The reformed authority would have greater administrative and financial independence, expanded quasi-judicial powers to issue binding decisions and impose direct fines, and the authority to conduct regular audits of high-risk processing activities.
Five-year review cycle. The bill mandates a periodic legislative review every five years to keep the framework current as technology evolves.
EU adequacy pathway. An explicit goal of the reform is achieving an EU adequacy decision, which would allow personal data to flow between Tunisia and EU member states without the current individual transfer authorization requirements. This has direct economic implications for Tunisia's significant IT outsourcing industry, which relies heavily on data flows with European clients.
What Remains in Force Until Passage
Until the bill is enacted and any grace period expires, Organic Law 2004-63 remains the applicable law in full. Organizations currently compliant with the 2004 framework should track parliamentary progress and begin gap analyses against the 2025 draft's requirements.
Business Compliance Under the Current Framework
Step 1: Map Your Processing Activities
Inventory all personal data processing activities your organization conducts in Tunisia, or involving personal data of Tunisian residents. Identify the data categories, purposes, legal bases, recipients, retention periods, and security measures for each activity.
Step 2: File Prior Declarations
For each processing activity not subject to an authorization requirement, file a prior declaration with the INPDP before the activity begins. Declarations must be in writing in Arabic or French and may be submitted at the INPDP's headquarters or by any means leaving a written record.
Step 3: Obtain Prior Authorizations
For processing activities involving sensitive data, cross-border transfers, video surveillance, biometric systems, database interconnection, genetic data, or research, submit an authorization request to the INPDP. Allow for the one-month statutory review period. Do not commence the activity until authorization is granted and in hand.
Step 4: Implement Consent Mechanisms
Build consent collection procedures that are specific, informed, and freely given. Maintain documented records of consent. Provide clear mechanisms for data subjects to withdraw consent and honor withdrawal promptly.
Step 5: Respond to Data Subject Rights
Establish internal procedures to handle access, rectification, and objection requests. Respond within a reasonable period and at no cost to the data subject. Train staff on how to recognize and process these requests.
Step 6: Apply Security Controls
Adopt technical and organizational security measures appropriate to the sensitivity of the data and the risk profile of your processing activities. Document security measures as part of the declaration process.
Step 7: Monitor the Reform
Conduct a gap analysis against the 2025 draft bill. Identify areas requiring adjustment, particularly breach notification procedures, DPO designation requirements, cross-border transfer mechanisms under the new framework, and erasure request workflows.
A Note for International Organizations
Organizations incorporated outside Tunisia but using processing equipment physically located in Tunisian territory are subject to Organic Law 2004-63. This includes servers and cloud infrastructure located in Tunisia. The same declaration and authorization requirements apply regardless of the controller's country of incorporation.
Recent Developments: 2022 to 2026
2025 draft organic law (February 2025). The most significant development in Tunisia's data protection landscape is the 123-article reform bill introduced to parliament in February 2025. Committee review is ongoing. The bill's passage would fundamentally reshape the compliance landscape.
Decree-Law 2023-17 on cybersecurity and cloud computing (March 11, 2023) established certification requirements for cloud service providers operating in Tunisia, including mandatory IT security audits for data-processing organizations and certification processes for G-cloud and N-cloud infrastructure providers.
Decree-Law 2022-54 enforcement. By late 2023, Decree-Law 54 was being applied in dozens of cases. Human Rights Watch documented its use against critics and journalists rather than cybercriminals, raising concerns from international human rights bodies.
Biometric identity card and passport project. The INPDP participated in ministerial working sessions in November 2023 on a proposed national biometric identity card and passport program, a project with material data protection implications given the sensitive-data authorization requirements under the existing law.
RAPDP participation. Tunisia continues to participate in the Network of African Data Protection Authorities (RAPDP) and has contributed to regional discussions on harmonizing data protection frameworks across the African continent.
EU adequacy objective. Tunisia's aspiration to achieve an EU adequacy decision is a stated driver of the 2025 reform bill. The current framework is considered insufficient for such a decision; the GDPR-aligned draft law is designed in part to close that gap and protect Tunisia's IT outsourcing sector's access to European data flows.
For comparison with a neighboring market, see the guide to Morocco data privacy laws. For the broader international context, see the overview of world data privacy laws and the detailed guide to EU GDPR. For Tunisia's recording consent rules, see Tunisia recording laws.
Sources and References
- INPDP - Official Website (inpdp.tn)
- DLA Piper Data Protection Laws of the World - Tunisia (dlapiperdataprotection.com)
- Council of Europe - Convention 108 and Protocol (coe.int)
- Council of Europe - Tunisia Signs Convention 108+ (coe.int)
- Access Now - Tunisia Ratifies Convention 108 (accessnow.org)
- Tunisia 2025 Draft Organic Law on Personal Data Protection (regulations.ai)
- Boussayen Knani - Practical Guide: Tunisian Data Protection (bkassocies.tn)
- Human Rights Watch - Tunisia Cybercrime Decree Used Against Critics (hrw.org)
- CIHR - Data Protection in Tunisia: A Legal Illusion? (cihr.eu)
- Open Government Partnership - Tunisia TN0004 (opengovpartnership.org)
- Access Now - Tunisia Digitization and Privacy (accessnow.org)
- UNCTAD - Data Protection Legislation Worldwide (unctad.org)
- ICNL - Decree-Law No. 2022-54 Tunisia Cybercrime (icnl.org)
- National Agency for Computer Security (ANSI) - Tunisia (ansi.tn)
- RAPDP - Tunisia INPDP Profile (rapdp.org)