Personal Data Protection: Tunisia Prepares Its GDPR Reform

For more than twenty years, data protection in Tunisia has rested on organic law n° 2004-63. It was a pioneering text in its time, as Tunisia was the first Arab country to adopt such legislation, but it is structurally insufficient against the digital economy of 2026.
The bill under examination this year marks a break: it transposes most of the principles of the European General Data Protection Regulation, with immediate effect on every business that collects or processes data in Tunisia.
Why the 2004 law no longer suffices
The INPDP (National Authority for the Protection of Personal Data) acknowledged as much in its 2025 report: the current framework suffers from three major weaknesses.
- Negligible sanctions: fines are capped at levels that have no deterrent effect on major platforms.
- Limited investigatory powers: difficulty in monitoring foreign operators targeting the Tunisian market.
- No regime for international data transfers, a central issue for European group subsidiaries.
The result is de facto GDPR alignment for export-oriented businesses, but a legal vacuum for the domestic market.
The main contributions of the 2026 bill
1. Reinforced consent and data subject rights
The new text requires free, specific, informed and unambiguous consent. Pre-ticked boxes, unread terms and conditions and bundled consents become invalid.
Data subject rights are considerably expanded:
- Right of access within a maximum of one month.
- Right to portability of data to another provider.
- Right to erasure ("right to be forgotten"), subject to legal retention obligations.
- Right to object to automated profiling.
2. Reinforced obligations for businesses
Data controllers will have to appoint a Data Protection Officer (DPO) as soon as they process data at large scale or sensitive data. Keeping a register of processing activities becomes mandatory.
Businesses will also have to conduct a Data Protection Impact Assessment (DPIA) before any high-risk processing and notify the INPDP of any data breach within 72 hours.
3. Deterrent sanctions
This is perhaps the most striking change. Administrative fines could reach a percentage of worldwide turnover, an approach directly inspired by the European GDPR. Criminal sanctions for intentional breaches are also reinforced.
The INPDP's powers of investigation, on-site inspection and sanction are considerably expanded, with renewed budgetary autonomy.
4. International transfers: finally a clear framework
The text lays down a structured framework for data transfers outside Tunisia:
- Countries recognised as offering an adequate level of protection.
- Standard contractual clauses published by the INPDP.
- Binding corporate rules for international groups.
Who is affected?
Contrary to common belief, the law does not target only large tech companies. The following are affected:
- All e-commerce operators, whether based in Tunisia or targeting Tunisian residents.
- Financial institutions, insurers and mutual societies.
- Clinics, medical practices and laboratories (health data is sensitive data).
- Recruitment firms and outsourced HR services.
- Schools, universities and training bodies.
- Local authorities and public administration.
In practice, any organisation holding a customer, prospect or patient file is affected.
Concrete impact for Tunisian businesses
If the text is adopted in its current form, businesses will need to undertake the following within 12 months:
- A mapping of data processing activities.
- An update of privacy policies on websites and applications.
- A review of contracts with service providers (processors, hosts, SaaS tools).
- The appointment of an internal or external DPO, depending on size and sector.
- Staff training, particularly for sales and HR teams.
Firm note: Many Tunisian businesses think they are compliant because they have copied a privacy policy found online. That is not compliance. The new law will require real documentation of processing, legal bases and security measures. Preparing from 2026 onwards spares you the stress of an inspection or complaint in 2027.
Our firm advises Tunisian businesses and subsidiaries of foreign groups on their compliance roadmap: data processing mapping, privacy policy drafting, processor contracts, responses to data subject requests and relations with the INPDP.