Newsletter 64, July/August 2024

New Data Privacy Law in Algeria

On 10 August 2023, Data Protection Law N°18-07 came into force in Algeria to protect the personal data of people based in Algeria.


This law applies to any public or private organization located in Algeria and/or processing the personal data of Algerian data subjects.


At a high level, this law pursues the same intent as the GDPR. In other words, if a private organization located outside Algeria wishes to process the personal data of Algerian citizens, this law applies as well.


There are some differences from the EU General Data Protection Regulation (GDPR):


1) Mandatory registration and legal representative: Each organization must register with the Algerian Data Protection Authority (the ANPDP, for Autorité Nationale de Protection des Données à Caractère Personnel; National Data Protection Authority in English) and appoint a local legal representative who must be based in Algeria.


The legal representative must then create an account on the ANPDP website and provide administrative/legal details. Once the account is validated, the organisation must submit its data processing activities to the Algerian authority for approval.


2) Data Protection Officer: There is no notion of a Data Protection Officer in the Algerian law.


3) Data subject rights:

The Algerian law recognizes the following rights of data subjects: the right to be informed, the right of access, the right to correct/rectify, the right to object (only for consumers approached by a salesperson) and the right to be forgotten/to delete/erase. These five rights also exist in the GDPR.

The following rights exist in the GDPR but not in the Algerian law: the right to object (for anything other than commercial interaction), the right to portability and the right to know whether an automated decision has been made.

Also, the deadlines for responding to data subjects may vary depending on the type of right exercised.


4) International data transfers:

As a matter of principle, transfers from Algeria to another country are forbidden unless one of the following exceptions applies:

  • the explicit consent of the person
  • a vital interest of the person
  • public interest
  • compliance linked to legal rights/international legal assistance
  • the existence of a contract between the parties
  • prevention, diagnosis and healthcare
  • a specific authorization from the ANPDP


5) Data breach:

Article 43 of Law No. 18-07 states that any personal data breach must be notified promptly (no clear deadline is indicated) to the ANPDP. If the ANPDP deems that the data subjects must be notified, the organisation must notify them without delay.


Source: https://anpdp.dz/wp-content/uploads/2023/01/2.1-Loi-N%C2%B018-07-2.pdf


ANPDP website: https://anpdp.dz/fr/accueil/


For more information on how to comply with the new Algerian Data Privacy law N°18-07, contact Karine at k.i.renault@pharmarketing.net



European Cybersecurity Certification Scheme Not Protective Enough

The French Data Protection Authority, the CNIL, says that the European Cybersecurity Certification Scheme for Cloud Services (EUCS) drafted by ENISA is not protective enough against access to sensitive data by foreign governments.


Press release by the CNIL (19 July 2024): https://lnkd.in/e7VmDy4u


About the EUCS: https://lnkd.in/ezSMwxtE


A question on IT security or data protection?

Contact PharMarketing (GDPR, Life Sciences, Data Protection, Data Privacy) at contact@pharmarketing.net



Korea:

New Guidelines for Foreign Organisations

On 12 April 2024, Korea's PIPC released the "Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators", which cover:


1. Criteria for determining the applicability of the PIPA

2. Clarification of some legal requirements introduced in the amended PIPA of 2023


Press release of the PIPC: https://www.pipc.go.kr/eng/use...



Breaches of Health Data:

Decisions of EU Authorities

European Data Protection Authorities have published several decisions related to the processing of health data in the past months.

These decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and to avoid a critical finding.

Many thanks to GDPRhub, NOYB and the IAPP for all this valuable information!


France


Fact:

A court confirmed gamete donors' right to object under Article 21 GDPR to the transfer of their personal data from the organisation where they made their donation to a central donor register. Read more on GDPRhub.


Italy


Fact:

The Italian Data Protection Authority (DPA), the Garante, fined the health authority of Ciriè, Chivasso and Ivrea (three towns north-east of Torino) €8,400 after it disclosed the multiple sclerosis diagnoses of 45 recipients to the other recipients by sending them an email using the CC feature instead of BCC. Read more on GDPRhub.


Takeaway:

Using CC instead of BCC is a very common source of error, and in this situation it seriously affected the private life of the patients. The good news is that there are several preventive actions:

1) use the secure email software provided by the health ministry, if such software is available;
2) train employees and external contractors (and organise an annual refresher training);
3) implement a feature that delays the actual sending of emails by 5 to 10 minutes;
4) ask another employee of the organisation to review emails before they are sent.
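To show what two of these preventive actions look like as an automated control rather than a policy, here is an added example written for this newsletter (it is not code from the Garante decision or from any product). It parses a draft message, flags a To/Cc list that would expose several external recipients to each other, rewrites those recipients to Bcc, and holds the message in an outbox for a few minutes so the sender can still recall it. The sample message, the trusted domain `clinic.example` and the five-minute hold are constructed assumptions.

```python
"""Pre-send guard against the CC-instead-of-BCC mistake.

Added example written for this newsletter; it is not code from the Garante
decision or from any product. Two controls from the takeaway are shown:
(1) refuse or rewrite a message whose To/Cc expose several external
recipients, (2) hold outgoing mail for a few minutes so it can be recalled.
"""
import datetime as dt
from email.message import EmailMessage
from email.utils import getaddresses

TRUSTED_DOMAINS = {"clinic.example"}   # assumption: the sender's own domain


def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]


def check_exposure(msg, max_visible=1, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means the message may go out.

    More than `max_visible` recipients outside the trusted domains means each
    patient learns who else received the mail (and, from the subject or body,
    why), which is exactly the disclosure the Garante fined.
    """
    external = [a for a in visible_recipients(msg)
                if a.rsplit("@", 1)[-1] not in trusted_domains]
    if len(external) > max_visible:
        return [f"{len(external)} external recipients visible in To/Cc; use Bcc"]
    return []


def rewrite_to_bcc(msg):
    """Move every To/Cc recipient into Bcc; the sender becomes the visible To.

    Returns the number of addresses moved. The Bcc header is stripped by the
    mail server on delivery, so no recipient sees the others.
    """
    moved = visible_recipients(msg)
    sender = str(msg["From"])
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender
    if moved:
        msg["Bcc"] = ", ".join(moved)
    return len(moved)


class Outbox:
    """Holds messages for `hold` before release so a sender can recall them."""

    def __init__(self, hold=dt.timedelta(minutes=5)):
        self.hold = hold
        self._held = {}          # message id -> (release time, message)
        self._next_id = 1

    def submit(self, msg, now, auto_fix=True):
        """Run the exposure check, fix or reject, then hold the message."""
        findings = check_exposure(msg)
        if findings and not auto_fix:
            raise ValueError("; ".join(findings))
        if findings:
            rewrite_to_bcc(msg)
        msg_id = self._next_id
        self._next_id += 1
        self._held[msg_id] = (now + self.hold, msg)
        return msg_id

    def recall(self, msg_id):
        """Withdraw a held message; True if it had not been released yet."""
        return self._held.pop(msg_id, None) is not None

    def release_due(self, now):
        """Return (and forget) every message whose hold period has elapsed."""
        due = [i for i, (at, _m) in self._held.items() if at <= now]
        return [self._held.pop(i)[1] for i in due]


def sample_notice():
    """Constructed sample: a clinic notice addressed to three patients in To/Cc."""
    msg = EmailMessage()
    msg["From"] = "neurology@clinic.example"
    msg["To"] = "Patient One <p1@mail.example>, p2@mail.example"
    msg["Cc"] = "p3@mail.example"
    msg["Subject"] = "Follow-up appointments for multiple sclerosis patients"
    msg.set_content("Dear patient, your next appointment is...")
    return msg


def demo():
    """Run the whole flow on the sample and return the observable results."""
    box = Outbox()
    t0 = dt.datetime(2024, 7, 1, 9, 0)
    msg = sample_notice()
    before = check_exposure(msg)
    box.submit(msg, t0)                     # auto-fixed: recipients moved to Bcc
    return {
        "findings_before": before,
        "to_after": str(msg["To"]),
        "bcc_after": str(msg["Bcc"]),
        "released_at_4min": len(box.release_due(t0 + dt.timedelta(minutes=4))),
        "released_at_5min": len(box.release_due(t0 + dt.timedelta(minutes=5))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard treats only the sender's own domain as trusted, so a mailing to colleagues passes while a mailing to several patients is rewritten; an organisation that prefers a hard stop can call `submit(..., auto_fix=False)` and have the message rejected with the finding instead.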


Fact:

The Garante fined the Rhodense Territorial Social Health Authority (ASST) €4,500 after it failed to act promptly on a rectification request submitted via email rather than through the platform designated for data subjects' requests. Read more on GDPRhub.


Takeaway:

This case is very interesting: the ASST did not react to the request because it argued that the patient had not used the right platform to submit the request; instead, the patient had used an official email address published on the ASST website for legal communications. The Garante held that a data subject may use any email address published on an organisation's public website to exercise their rights over their personal data.


Fact:

The Garante fined the health authority of Romagna €24,000 after it unlawfully transmitted a confirmation of the data subject's disability status to a third party without redacting the information on the data subject's HIV diagnosis. Read more on GDPRhub.


Takeaway:

Under the data minimisation principle of data privacy laws, the Health Authority of Romagna should have transmitted only the disability status, not the HIV diagnosis, since the third party did not need it. As mentioned above, typical preventive actions are: 1) training employees, 2) implementing a delay in the sending of emails, and 3) asking another employee of the organisation to review documents before they are sent.


Fact:

The DPA issued a reprimand against the San Giovanni-Addolorata hospital. It held that data about the symptoms of an employee on sick leave are health data, and that forwarding such data to the hospital's general director is unnecessary for the purpose of finding a replacement for the employee. Read more on GDPRhub.


Takeaway:

As already mentioned above, under the data minimisation principle, only the personal data that the recipient actually needs should be sent.


Sweden


Fact:

Sweden's data protection authority, the Integritetsskyddsmyndigheten (IMY), fined Apoteket AB, the state-owned drug retailer, and Apohem, an online pharmacy, a combined SEK 45 million (€3,960,000) for allegedly using tracking pixels on their websites and transferring the data to Meta. According to the IMY, the two companies activated a sub-function of the pixel that triggered the unlawful data collection. Among other things, the companies transferred sensitive data on purchases of over-the-counter medicines for the treatment of, for example, specific health problems, self-tests, the treatment of sexually transmitted diseases, and sex toys.


Takeaway:

Organisations must clearly inform data subjects if their personal data are transferred onward to another organisation, for what purpose, and on what legal basis.




Moldova: 


New Privacy Law


Moldova's National Center for the Protection of Personal Data announced its new data protection law was published in the Official Gazette.


Law No. 195/2024 on the protection of personal data aims to transpose the provisions of the EU General Data Protection Regulation and ensure "an adequate level of protection of personal data, in accordance with the rules of the European Union and the Council of Europe." The law will take effect 23 Aug. 2026.


Read more here: https://datepersonale.md/legea...






New Personal Data Protection Act in Chile


Chile's government passed the Personal Data Protection Act on 26 August 2024.


This Privacy law aligns the country's data protection regime with the EU General Data Protection Regulation. The law establishes a national Personal Data Protection Agency.


With this new law, Chile hopes to be declared by the European Commission a country with an adequate level of personal data protection, which would facilitate international data transfers between Chile and the European Union, a very important trading partner for Chile.


The new PDPA enters into force 24 months from its publication date.


Official announcement: 
https://www.gob.cl/noticias/le...



1. What does GAMP stand for? 1) Good Artificial Machine Programs 2) Good Automated Manufacturing Practice


Answer: GAMP stands for Good Automated Manufacturing Practice. GAMP is now at version 5; it is an international standard used by all organisations in the life sciences industry. It governs all manufacturing processes, as well as the validation of all machines and systems that a life sciences organisation uses and which fall under the scrutiny of healthcare authorities.
This standard is managed by the professional association ISPE (International Society for Pharmaceutical Engineering).
Consultants at PharMarketing know GAMP 5 and use it often to bring clients into compliance with it. In addition, PharMarketing is a member of ISPE.


2. Do we need to ask for the consent of investigators before putting their names on clinicaltrials.gov? yes / no


Answer: No, we do not need the consent of the investigators, because publishing the investigators' names on clinicaltrials.gov is a legal obligation; therefore we can rely on Article 6(1)(c) of the GDPR: "processing is necessary for compliance with a legal obligation to which the controller is subject".

