jeudi 5 novembre 2009

Data Protection law in Tunisia in 5 questions


  1. In Tunisia, do companies processing personal data need to notify the data protection authority of their data processing activities by filing a standard form with the authority?

Yes. Indeed, according to the provisions of Article 7 of law N°2004-63 dated July 27th, 2004 related to the Data protection, any processing of personal data is subject to the prior authorization of the national instance of protection of personal data.

The statement for the authorization is an application form which shall be filled by the person in charge of the personal data processing or its legal representative.

According to the provisions of Article 16 of the aforementioned law, the authorization is not required for the personal data processing concerning the professional situation of the employees, when the aforementioned treatment was made by the employer and is necessary for the functioning of the Company and for its organization.

  1. If companies do need to notify, do they need to identify by name and address the recipients of personal data disclosures or transfers? Or, is a general description of data recipients okay, for example, "companies in the same corporate group"?

The companies need to identify by name and address the recipients of personal data disclosures or transfers in so far article 8 of the Decree N°2007-3004 dated November 27th, 2007 fixing the conditions and procedures of declaration and authorization of personal data treatment states that " the declaration form prior to the personal data treatment shall comprise the following data :

-full name (i.e. first name, father name and family name) and address of the person in charge of the treatment, sub-contractor and their agents for the natural person (i.e. first name, father name and family name) and if it is a legal person, the company name, the head office, the legal representative identity and the trade registry number, in case of need,

-the concerned persons by the personal data identities and addresses (i.e. first name, father name and family name),

-treatment objectives and norms,

-the personal data treatment categories, place and date,

-the personal data which treatment is envisaged and as well as their origin,

-the persons or authorities who may deal with the data in discharge of their duties,

-the beneficiaries of the personal data treatment,

-place of conservation of personal data subject of the treatment and duration,

-the taken measures to ensure the confidentiality of personal data and safety,

-the description of data bases to which the person in charge is connected,

-the commitment to treat the personal data in conformity with the provided legal provisions,

-the declaration that the conditions of Tunisian nationality, residence in Tunisia and absence of criminal background are met by the person in charge of the personal data treatment, sub-contractor and their agents."

  1. What is the deadline for updating notifications?

The authorization is granted one (01) month after submitting a complete file if the processing of personal complies with the legislation in force.

The law does not provide renewal procedures.

The authorization is withdrawn if the person in charge of the personal data treatment or sub-contractor breach the legal obligations which he is submitted to. In this case, the instance shall decide, subsequent to an audition, the authorization withdrawal and the treatment prohibition.

Besides, it should be noted that according to the article 21 of the law N°2004-63, the person in charge of the personal data treatment or sub-contractor shall correct, complete, modify or update the files which they have, and erase the personal data of these files if they were aware of the inaccuracy or inadequacy of these data. In this case, the person in charge of the personal data treatment has to inform in writing the concerned person and the legal beneficiary about any data modification within two (02) months.

  1. Are there any special requirements for disclosures of personal data between corporate affiliates where both the disclosing and the receiving entity are based in Tunisia? My guess is that disclosures within Tunisia must be proportionate, not involve inaccurate data and respect the original purpose of collection. Note that this question is not about cross border transfers of personal data, only disclosures of personal data that occur from one company to an affiliate in Tunisia.

As a general rule and according to articles 2 and 3 of the law N°2004-63, the law regulates the manual and automated processing of personal data performed by individuals or legal entities, whatever is the legal and licit use, whatever the receiver of the data is a Tunisian subsidiary or a parent company incorporated abroad.

The law applies to any use of personal data that exceeds the personal or family use and which is transmitted to third parties.

  1. Are there any special requirements for a Tunisian company that is being taken over by a new parent company to inform the data protection authority of the transaction and the fact that it will obtain a new parent? Does the Tunisian data protection law or authority impose any special requirements for companies undergoing a merger or acquisition?

The legislation in force does not specify the case of merger or acquisition.

However, in case of retirement or cessation of activity, the person in charge of the treatment (or legal representative of the company) shall inform the national instance of protection of personal data three (03) months before the cessation date.

In case of death of the person in charge of the treatment or winding up of the company, the heirs or the liquidator (as appropriate) shall notify he national instance of protection of personal data within three (03) months as from the event.

It is relevant to note that all those involved in the personal data processing have to preserve confidentiality of the treated personal data, except in the statutory cases, after the end of the treatment or the loss of their quality,

Finally, it should be noted that the person in charge of the personal data treatment, the legal representative of the company, his agents, the sub-contractor and his agents shall be Tunisian citizens, residents in Tunisia and without criminal record.

2 commentaires:

Anonyme a dit…

interesting read. I would love to follow you on twitter.

Joy... a dit…

@ Anonyme : I've no twitter. On facebook I'am Tunisian Lawyer.
You can also mail me on tunisian.lawyer@gmail.com