2004-07-27

Organic Law No. 2004-63 of July 27, 2004 on the Protection of Personal Data

The Tunisian Chamber of Deputies enacted Organic Law No. 2004-63 to establish a comprehensive legal framework for the protection of personal data and privacy. The legislation mandates that data processing operations require prior declaration or authorization from the National Authority for the Protection of Personal Data and strictly regulates the collection, storage, and transfer of such information. It guarantees data subjects specific rights, including access, correction, and opposition, while imposing rigorous security and confidentiality obligations on data controllers and subcontractors.


Tunisia

Conseil du Marche Financier


Page 1989 - Journal Officiel de la République Tunisienne - July 30, 2004, No. 61

Organic Law No. 2004-63 of July 27, 2004, concerning the protection of personal data (1).

In the name of the People,

The Chamber of Deputies having adopted,

The President of the Republic promulgates the organic law whose text follows:

CHAPTER I General Provisions

Article 1. - Every person has the right to the protection of personal data relating to their private life, as one of the fundamental rights guaranteed by the Constitution; such data may only be processed in the context of transparency, lawfulness, and respect for human dignity, and in accordance with the provisions of this Law.

Art. 2. - This Law applies to the automated processing, as well as the non-automated processing of personal data carried out by natural or legal persons.

Art. 3. - This Law does not apply to the processing of personal data having purposes that do not exceed personal or family use, provided that they are not transmitted to third parties.

Art. 4. - For the purposes of this Law, personal data means all information, regardless of its origin or form, which allows, directly or indirectly, the identification of a natural person or makes them identifiable, with the exception of information linked to public life or considered as such by law.

Art. 5. - A natural person is considered identifiable if they can be identified, directly or indirectly, through several data or symbols concerning notably their identity, physical, physiological, genetic, psychological, social, economic, or cultural characteristics.

Art. 6. - For the purposes of this Law, we understand by:

  • processing of personal data: operations carried out automatically or manually by a natural or legal person, having as their purpose notably the collection, recording, conservation, organization, modification, exploitation, use, dispatch, distribution, diffusion, or destruction of personal data, as well as all operations related to the exploitation of data bases, indexes, directories, files, or interconnection.
  • file: a set of personal data structured and grouped capable of being consulted according to determined criteria and allowing the identification of a specific person.
  • data subject: any natural person whose personal data are the subject of processing.
  • data controller: any natural or legal person who determines the purposes and means of the processing of personal data.
  • third party: any natural or legal person or public authority, as well as their subordinates, with the exception of the data subject, the beneficiary, the data controller, the subcontractors, and their subordinates.
  • subcontractor: any natural or legal person who processes personal data on behalf of the data controller.
  • The Authority: The National Authority for the Protection of Personal Data.
  • communication: the act of giving, handing over, or making known personal data to one or more persons other than the data subject, in whatever form and by whatever means.
  • interconnection: the act of correlating data contained in one or more files held by one or more controllers.
  • beneficiary: any natural or legal person receiving personal data.

(1) Preparatory Work: Discussion and adoption by the Chamber of Deputies in its session of July 21, 2004.

CHAPTER II Conditions for the Processing of Personal Data

Section I - Preliminary Procedures for the Processing of Personal Data

Art. 7. - Any operation of processing personal data is subject to a prior declaration deposited at the headquarters of the National Authority for the Protection of Personal Data against receipt or notified by registered letter with acknowledgment of receipt or by any other means leaving a written trace. The declaration is made by the data controller or their legal representative. The declaration does not exempt from liability towards third parties. The conditions and procedures for the submission of the declaration are fixed by decree. The non-opposition of the Authority to the processing of personal data, within a period of one month from the presentation of the declaration, constitutes acceptance.

Art. 8. - In cases where this Law requires the obtaining of authorization from the Authority for the processing of personal data, the application for authorization must include notably the following information:

  • the name, first name, and domicile of the data controller, and if it is a legal person, its corporate name, registered office, and the identity of its legal representative;
  • the identity of the persons concerned by the personal data and their domiciles;
  • the purposes of the processing and its norms;
  • the categories of the processing, its location, and the date of the processing;
  • the personal data for which the processing is envisaged, as well as their origin;
  • the persons or authorities likely to take knowledge of these data, with regard to their function;
  • the beneficiaries of the data subject to the processing;
  • the location of the conservation of the personal data subject to the processing and its duration;
  • the measures taken to ensure the confidentiality of the processing and its security;
  • the description of the data bases to which the data controller is interconnected;
  • the commitment to proceed with the processing of personal data in accordance with the provisions provided by law;
  • the declaration that the conditions provided by Article 22 of this Law are met.

In the event of a change occurring in the mentions listed above, the authorization of the Authority must be obtained. The application for authorization is presented by the data controller or their legal representative. The authorization does not exempt from liability towards third parties. The conditions for the presentation of the application for authorization and its procedures are fixed by decree.

Section II - Of the Data Controller of Personal Data and Their Obligations

Art. 9. - The processing of personal data must be done in the framework of respect for human dignity, private life, and public liberties. The processing of personal data, whatever its origin or form, must not bring harm to the rights of persons protected by the laws and regulations in force, and it is, in all cases, prohibited to use these data to bring harm to persons or their reputation.

Art. 10. - The collection of personal data can only be carried out for lawful, determined, and explicit purposes.

Art. 11. - Personal data must be processed fairly, and within the necessary limit with regard to the purposes for which they were collected. The data controller must also ensure that these data are exact, precise, and up to date.

Art. 12. - The processing of personal data cannot be carried out for purposes other than those for which they were collected, except in the following cases:

  • if the data subject has given their consent;
  • if the processing is necessary for the safeguarding of the vital interest of the data subject;
  • if the processing put into place is necessary for certain scientific purposes.

Art. 13. - The processing of personal data relating to infractions, their establishment, criminal proceedings, penalties, preventive measures, or judicial antecedents is prohibited.

Art. 14. - The processing of personal data which concerns, directly or indirectly, racial or genetic origin, religious convictions, political, philosophical, or trade union opinions, or health is prohibited. However, the processing referred to in the preceding paragraph is possible when it is carried out with the express consent of the data subject given by whatever means leaving a written trace, or when these data have acquired a manifestly public aspect, or when this processing proves necessary for historical or scientific purposes, or when this processing is necessary for the safeguarding of the vital interests of the data subject. The processing of personal data relating to health is regulated by the provisions of the fifth chapter of this Law.

Art. 15. - The processing of personal data mentioned in Article 14 of this Law is subject to the authorization of the National Authority for the Protection of Personal Data, with the exception of data relating to health. The Authority must give its response concerning the application for authorization within a period not exceeding thirty days from the date of its receipt. The failure to respond within this period constitutes refusal. The Authority may decide to accept the application while imposing on the data controller the obligation to take precautions or measures it deems necessary for the safeguarding of the interest of the data subject.

Art. 16. - The provisions of Articles 7, 8, 27, 28, 31, and 47 of this Law do not apply to the processing of personal data concerning the professional situation of the employee, when said processing has been carried out by the employer and proves necessary for the functioning of work and its organization. The provisions of the articles cited in the preceding paragraph do not apply to the processing of personal data that requires the follow-up of the health status of the data subject.

Art. 17. - It is, in all cases, strictly prohibited to link the provision of a service or the granting of an advantage to a person to their acceptance of the processing of their personal data or of their exploitation for purposes other than those for which they were collected.

Art. 18. - Any person who carries out, personally or through a third party, the processing of personal data is held towards the persons concerned to take all necessary precautions to ensure the security of these data and to prevent third parties from modifying, altering, or consulting them without the authorization of the data subject.

Art. 19. - The precautions provided for in Article 18 of this Law must:

  • prevent equipment and installations used in the processing of personal data from being placed in conditions or places allowing unauthorized persons access;
  • prevent data supports from being read, copied, modified, or moved by an unauthorized person;
  • prevent the unauthorized introduction of any data into the information system, as well as any taking of knowledge, erasure, or deletion of recorded data;
  • prevent the information processing system from being used by unauthorized persons;
  • guarantee that the identity of persons having access to the information system, the data they introduced into the system, the moment of this introduction, and the person who carried it out can be verified subsequently;
  • prevent data from being read, copied, modified, erased, or deleted during their communication or transport of their supports;
  • safeguard data by the constitution of secure backup copies.

Art. 20. - The data controller, when they entrust to third parties certain processing operations or their entirety within the framework of a subcontracting contract, must choose the subcontractor scrupulously. The subcontractor must respect the provisions of this Law and must act only within the limits authorized by the data controller; they must furthermore dispose of all necessary and appropriate technical means to accomplish the missions entrusted to them. The data controller and the subcontractor engage their civil liability in case of violation of the provisions of this Law.

Art. 21. - The data controller and the subcontractor must correct, complete, modify, or update the files they possess, and erase the personal data of these files if they have had knowledge of the inaccuracy or insufficiency of these data. In this case, the data controller and the subcontractor must inform the data subject and the beneficiary in a legitimate manner of any modification brought to the personal data they received previously. The notification is carried out within a period of two months from the date of the modification, by registered letter with acknowledgment of receipt or by whatever means leaving a written trace.

Art. 22. - Without prejudice to the laws and regulations in force, the natural person or the legal representative of the legal person wishing to carry out the processing of personal data and their agents must meet the following conditions:

  • be of Tunisian nationality;
  • be resident in Tunisia;
  • have no criminal record.

These conditions apply equally to the subcontractor and their agents.

Art. 23. - The data controller, the subcontractor, and their agents, even after the end of the processing or the loss of their quality, must preserve the confidentiality of personal data and the information processed, with the exception of those whose diffusion has been accepted in writing by the data subject or in the cases provided by the legislation in force.

Art. 24. - The data controller of personal data or the subcontractor who intends to cease their activity definitively must inform the Authority three months before the date of the cessation of activity. In the event of the death of the data controller or the subcontractor, their bankruptcy, or the dissolution of the legal person, the heirs, the bankruptcy trustee, or the liquidator, according to the situation, must inform the Authority within a period not exceeding three months from the date of the occurrence of the fact. The Authority, within a period not exceeding one month from the date on which it is informed in accordance with the preceding paragraph, authorizes the destruction of personal data.

Art. 25. - The Authority may decide the communication of personal data in case of cessation of activity for the reasons indicated in the preceding article, and this, in the following two cases:

  1. if it judges that these data are useful for exploitation for historical and scientific purposes;
  2. if the person who made the notification proposes to communicate all or part of the personal data to a natural or legal person whose identity is determined with precision. In this case, the Authority may decide to accept the communication of personal data to the proposed person.

The effective communication is carried out only after obtaining the agreement of the data subject, their tutor, or their heirs, received by whatever means leaving a written trace. If this agreement is not obtained within a period of three months from the date of its formulation, the personal data must be destroyed.

Art. 26. - In case of cessation of the activity of the data controller or the subcontractor for the reasons indicated in Article 24 of this Law, the data subject, their heirs, any person having an interest, or the public prosecutor's office can, at any time, ask the Authority to take all appropriate measures for the conservation and protection of personal data, as well as their destruction. The Authority must render its decision within a period of ten days from the date of its seizure.

Section III - Rights of the Data Subject

Subsection I - Of Consent

Art. 27. - Excluding the cases provided by this Law or the laws in force, the processing of personal data can only be carried out with the express and written consent of the data subject; if the latter is incapable, interdicted, or incapable of signing, the consent is regulated by the general rules of law. The data subject or their tutor can, at any time, retract.

Art. 28. - The processing of personal data concerning a child can only be carried out after obtaining the consent of their tutor and the authorization of the family judge. The family judge can order the processing even without the consent of the tutor when the superior interest of the child requires it. The family judge can, at any time, revoke their authorization.

Art. 29. - The processing of personal data is not subject to the consent of the data subject when it is manifest that this processing is carried out in their interest and that contacting them proves impossible, or when obtaining their consent would imply disproportionate efforts, or if the processing of personal data is provided for by law or by a convention to which the data subject is a party.

Art. 30. - Consent to the processing of personal data under a determined form or for a determined purpose does not apply to other forms or purposes. It is prohibited to use the processing of personal data for advertising purposes without the express and particular consent of the data subject, their heirs, or their tutor. Consent in this regard is subject to the general rules of law. When the data subject is a child, the provisions of Article 28 of this Law apply.

Art. 31. - After the expiration of the period fixed by Article 7 of this Law for the opposition of the Authority, it is necessary to inform the data subjects concerned by the collection of personal data of the following, beforehand and by whatever means leaving a written trace:

  • the nature of the personal data concerned by the processing;
  • the purposes of the processing of personal data;
  • the obligatory or facultative nature of their response;
  • the consequences of the failure to respond;
  • the name of the natural or legal person benefiting from the data, or of the one who possesses the right of access and their domicile;
  • the name and first name of the data controller or their corporate name and, if the case arises, their representative and their domicile;
  • their right of access to the data concerning them;
  • their right to retract, at any time, on the acceptance of the processing;
  • their right to oppose the processing of their personal data;
  • the duration of the conservation of the personal data;
  • a summary description of the measures put into place to guarantee the security of the personal data;
  • the country towards which the data controller intends, if the case arises, to transfer the personal data.

The notification is carried out by registered letter with acknowledgment of receipt or by whatever means leaving a written trace, at least one month before the date fixed for the processing of personal data.

Subsection II - The Right of Access

Art. 32. - For the purposes of this Law, the right of access means the right of the data subject, their heirs, or their tutor to consult all the personal data concerning them, as well as the right to correct, complete, rectify, update, modify, clarify, or erase them when they prove inaccurate or equivocal, or when their processing is prohibited. The right of access also covers the right to obtain a copy of the data in clear language conforming to the content of the registers, and in an intelligible form when they are processed with the aid of automated procedures.

Art. 33. - One cannot waive beforehand the right of access.

Art. 34. - The right of access is exercised by the data subject, their heirs, or their tutor at reasonable intervals and in a non-excessive manner.

Art. 35. - The limitation of the right of access of the data subject, their heirs, or their tutor to the personal data concerning them is only possible in the following cases:

  • when the processing of personal data is carried out for scientific purposes and on condition that these data do not affect the private life of the data subject except in a limited way;
  • if the motive sought by the limitation of the right of access is the protection of the data subject themselves or third parties.

Art. 36. - When there are several data controllers of personal data or when the processing is carried out by a subcontractor, the right of access is exercised before each of them.

Art. 37. - The data controller of automated personal data and the subcontractor must put into place the necessary technical means to allow the data subject, their heirs, or their tutor to send by electronic means their request for rectification, modification, correction, or erasure of personal data.

Art. 38. - The access request is presented by the data subject, their heirs, or their tutor in writing or by whatever means leaving a written trace. The data subject, their heirs, or their tutor can ask in the same manner to obtain copies of the data within a period not exceeding one month from the said request. In the case where the data controller or the subcontractor refuses to allow the data subject, their heirs, or their tutor to consult the requested personal data, or delays access to these data, or refuses to deliver a copy of these data, the data subject, their heirs, or their tutor can present a request to the Authority within a maximum period of one month from the date of the refusal. The Authority, after hearing the two parties and carrying out the necessary investigations, can order the consultation of the requested information, the delivery of a copy of this information, or the approval of the refusal, within a period not exceeding one month from the date of its seizure. The data subject, their heirs, or their tutor can present to the Authority, if the case arises, a request to take all appropriate measures to prevent the destruction or concealment of personal data. The Authority must rule on the request within a period of seven days from the date of its introduction. The destruction or concealment of these data is prohibited from the presentation of the request.

Art. 39. - In case of litigation on the accuracy of personal data, the data controller and the subcontractor must mention the existence of this litigation until a decision is rendered.

Art. 40. - The data subject, their heirs, or their tutor can ask to rectify the personal data concerning them, to complete them, to modify them, to clarify them, to update them, to erase them when they prove inaccurate, incomplete, or ambiguous, or to ask for their destruction when their collection or their use was carried out in violation of this Law. They can furthermore ask, without fees and after the accomplishment of the required procedures, for the delivery of a copy of the personal data, and indicate what has not been carried out concerning these data. In this case, the data controller or the subcontractor must deliver to them a copy of the requested data within a period not exceeding one month from the date of the presentation of the request. In case of refusal, explicit or implicit, of the request, the Authority can be seized within a period not exceeding one month from the date of the expiration of the period mentioned in the preceding paragraph.

Art. 41. - The Authority is seized of any litigation relating to the exercise of the right of access. Under reserve of the specific periods provided by this Law, the Authority must render its decision within a period of one month from the date of its seizure.

Subsection III - The Right of Opposition

Art. 4...