Tunisia Organic Act

Organic Act No. 2004-63 of July 27, 2004, on the Protection of Personal Data

Flag of TN
TunisiaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
July 27, 2004
Enacted
July 27, 2004
Enforcing Authority
Instance Nationale de Protection des Données Personnelles (INPDP)
Consent Model
Opt-in
Applies To
All organizations handling personal data in Tunisia

Overview

Tunisia enacted the first data protection law in the Maghreb region in 2004, establishing the INPDP as the supervisory authority. Tunisia joined the Council of Europe Convention 108 in 2017, signaling alignment with European data protection standards.

What This Means for Your Website

  • Prior notification to the INPDP is required before processing personal data
  • Consent is the primary legal basis for data collection
  • Criminal penalties include up to 2 years imprisonment
  • Sensitive data requires stricter authorization
  • Cross-border transfers are restricted to adequate-protection countries

Key Requirements

The INPDP enforces the Organic Act with fines of TND 1,000-10,000 and criminal penalties up to 2 years. Prior notification is required before processing begins. Tunisia's Convention 108 membership enhances international alignment.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Tunisian visitors meeting the law's notification and consent requirements.

Penalties

TND 1,000-10,000 fines. 8 months to 2 years imprisonment. TND 5,000 plus 1 year for processing without notification. TND 10,000 plus 2 years for sensitive data.

Maximum Fine
TND 10,000 per violation

Key Requirements

  • Prior notification to INPDP required before processing
  • Consent of data subjects required for lawful processing
  • Sensitive data subject to stricter authorization
  • Data subject rights: access, rectification, opposition
  • Cross-border transfers restricted to adequate-protection countries
  • Data security measures mandatory

Notable Provisions

  • First Maghreb data protection law
  • Tunisia joined CoE Convention 108 in 2017
  • Criminal penalties including imprisonment
  • Prior notification to INPDP required

Other Middle East & North Africa Regulations

KSA PDPLKingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPLUnited Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPLEgypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Bahrain PDPLKingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.
Algeria Law 18-07Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.

Frequently Asked Questions

Was Tunisia first in the Maghreb for data protection?

Yes. Tunisia enacted the first data protection law in the Maghreb region in 2004.

Is Tunisia aligned with European standards?

Tunisia joined the Council of Europe Convention 108 in 2017, signaling alignment with European data protection standards.

What are Tunisia's penalties?

TND 1,000-10,000 in fines plus criminal penalties of 8 months to 2 years imprisonment.

Stay compliant with Tunisia Organic Act

ConsentStack helps you implement Opt-in consent for Tunisia automatically.

Get started free