Organic Act nº 2004-63 of July 27th 2004 on the protection of personal data.

Chapter I.- General provisions

Article 1.-

Everyone has the right to the protection of personal data related to his privacy as one of the fundamental rights guaranteed by the Constitution. The processing of personal data shall respect transparency, fairness and the respect of human dignity, in accordance with the clauses of this act.

 

Article 2.-

The provisions of this act shall apply to automatic processing of personal data as well as non-automatic processing of personal data carried out by individuals or by legal entities.

 

Article 3.-

The provisions of this act shall not apply to the processing of personal data which does not exceed private use or the family circle subject to it not being transmitted to third parties.

 

Article 4.-

Personal data means any information whatever its origin or its means relating to an individual who can be identified, directly or indirectly, with the exception of any information related to public life or considered public life by law.

 

Article 5.-

An individual is identifiable, directly or indirectly, through many facts or symbols related to his identity and to his physical, physiological, genetic, psychological, social, economical or cultural characteristics.

 

Article 6.-

According to this act, the following shall be understood :

Processing of personal data.- the automatic processing as well as non-automatic processing of personal data carried out by an individual or legal entity, especially obtaining, recording, storage, organization, alteration, use, distribution, dissemination, destruction or consultation.

The processing of personal data means any operation in relation to the use of such data, indexes, directories, data files or their combination.

Data file.- any structured and stable set of personal data that is accessible according to specific criteria which allow identification of a given person.

Data subject.- individuals to whom the data covered by the processing relates.

Data controller.- individuals or legal entities who determine the aims and the means of the data processing.

Third parties.- any individuals or legal entities or public authority as well as their collaborators with the exception of the data subject, the recipient of a processing of personal data, the data controller, the sub-contractor as well as their collaborators.

Sub-contractor.- individuals or legal entities in charge of the processing of personal data on behalf of the data controller.

The “Instance”.- refers to the National Authority for Protection of Personal Data.

Communication.- the fact of giving, handing-over or disclosing personal data, whatever the methods and the means, to one or more people other than the data subject.

Combination.- correlating data contained in one or more data files held by other data controllers.

Recipient.- any individuals or legal entities who are given personal data.

 

Chapter II.- Conditions of personal data processing

 

Section I.- Formalities prior to commencing data processing

 

Article 7.-

The processing of personal data must be declared to the National Authority for Protection of Personal Data at its head office. The Instance shall directly deliver a receipt or send a registered letter with acknowledgement on receipt or by any other means that leave a written trace.

The notification is carried out by the data controller or his legal representative.

The notification does not exempt the data controller or his legal representative from his responsibility toward third-parties.

Conditions and proceedings of the notification shall be set by decree.

The Instance shall issue its decision within one month from the date of receipt of the application. However, when the “Instance” has not given its opinion within this time limit, the application for notification shall be deemed to have been accepted.

 

Article 8.-

In the case where an authorization of the “Instance” is required by the hereby Act, the application for authorization shall specify in particular:

– The first name, the last name and residence of the data controller and in case of legal entity the company name, its head office and the identity of its legal representative;

– The purposes of the processing of personal data and its norms;

– The identities of data subjects and their residence;

– The categories of the processing, its location and date;

– The personal data and their origins;

– The people or authorities who are allowed, regarding their functions, to take cognizance of the data;

– The recipients to whom the data may be disclosed;

– The place and period of storage of the processed information;

– The steps taken to ensure confidentiality and security of processing;

– The description of the combinations by the data controller with other data files;

– The undertaking to process personal data according to the present Act.

– The statement that the conditions mentioned in Article 22 of the hereby Act are fulfilled;

In case of any change in the above conditions, the authorization of the “Instance” shall be obtained.

The application for authorization is introduced by the data controller or his legal representative.

The authorization does not exempt the data controller or his legal representative from his responsibility toward third-parties.

Conditions and proceedings of the application for authorization shall be set by decree.

 

Section II.- Obligations incumbent upon data controllers

 

Article 9.-

The processing of personal data shall be done as part of the respect of human dignity, privacy and public liberties.

The processing of personal data, whatever its origin or its methods shall not harm the human rights protected by the laws and the rules in force. In every case, it is forbidden to use personal data with the aim of infringing people's rights or damaging their reputation.

 

Article 10.-

Collecting of personal data shall be exclusively carried out for lawful, given and clear purposes.

 

Article 11.-

The processing of personal data shall be done loyally within the limits of the collecting purpose. The data controller shall also make sure of the accuracy, precision and update of the data.

 

Article 12.-

The processing of personal data shall not be carried out for other purposes than that which it has been collected for, except for the following.-

– If the data subject has given his consent;

– If the processing is essential for the safety of the data subject's vital interest;

– If the processing is essential for definite scientific purposes.

 

Article 13.-

The processing of personal data relating to offenses, convictions, criminal prosecutions, sentencing and penalties and security measures or previous criminal records is not allowed.

 

Article 14.-

The processing of personal data that reveals, directly or indirectly, the racial and genetic origins, religious beliefs, political, philosophical and trade union belonging or health is prohibited.

However, the prohibition provided for the above shall not apply to the processing for which the data subject has given his explicit consent by any means that leave a written trace or if the processing relates to personal data which have become obviously public or if the processing is necessary for historical or scientific purposes or if the processing is necessary for the protection of the data subject's vital interests.

The processing of personal data related to health is governed by chapter 5 of the hereby Act.

 

Article 15.-

The processing of personal data mentioned in Article 14 of the hereby Act is subjected to the authorization given by “l'Instance Nationale de Protection des Données à Caractère personnel” with the exception of data related to health.

The “Instance” shall issue its decision within one month from the date of receipt of the application. However, when the “Instance” has not given its opinion within this time limit, the application for authorization shall be deemed to have been rejected.

The “Instance” can accept the application with imposition upon the data controller to take the necessary measures required for the protection of the data subject's interests.

 

Article 16.-

The provisions of articles 7, 8, 27, 28, 31 and 47 of the hereby Act shall not apply to the processing of personal data in relation to the employee in the work situation, providing the processing has been carried out by the employer and is necessary for the work performance and organization.

The provisions of the articles mentioned above shall not apply to the processing of data in relation to monitoring the health of the data subject.

 

Article 17.-

In all cases, it is strictly prohibited to give an advantage or a favor to a person in return for his consent to the processing of his personal data or the use of his personal data for other purposes.

 

Article 18.-

Each person who carries out directly or by a third party the processing of personal data shall take all the required steps to ensure the safety of the data processing and prevent any third party from changing, modifying or consulting it without prior authorization of the data subject.

 

Article 19.-

The required steps that shall be taken in accordance with article 18 of the hereby Act are the following :

– To prevent the facilities and equipment, used in the processing of personal data, from being placed in such conditions or sites that allow the access of non-authorized third parties;

– To prevent the media data from being read, copied, modified or shifted by non-authorized third parties;

– To prevent all non-authorized data insertion inside the information network as well as knowledge, deletion or radiation of the recorded data;

– To prevent the use of the information network by non-authorized third parties;

– To guarantee, a posteriori, the checking of the identities of people that have had an access to the information network, to the data that have been inserted in the network, to the time of this insertion as well as the person who did it;

– To prevent the data from being read, copied, modified, deleted or struck off at the time of its communication or its media transport;

– To save the data by the constitution of a stock of secured copies.

 

Article 20.-

When the data controller entrusts to third parties some or all the processing within the framework of a sub-contracting contract, he shall choose the sub-contractor very carefully.

The sub-contractor shall observe the provisions of this Act and may act only under the data controller's authorized limitations. Furthermore, the sub-contractor shall offer all the required and appropriate technical means to carry out his assignments.

In case of violation of the provisions of this Act, the data controller and the sub-contractor shall engage their civil liabilities.

 

Article 21.-

The data controller and the sub-contractor shall rectify, complete, modify, update or delete personal data from data files if they know of any inaccuracy or insufficiency in this data.

In this case, the data controller and the sub-contractor must inform the data subject and the data beneficiary of every modification made to the personal data.

Notification shall be done within two months from the date of modification, by registered letter with acknowledgement on receipt or by any other means that leave a written trace.

 

Article 22.-

Without prejudice of the laws and rules in force, the individual or the legal representative of a legal entity who applied for the processing of personal data, as well as their employees, must fulfill the following conditions :

– To be Tunisian;

– To be resident in Tunisia;

– To be without criminal record.

These conditions shall also apply to the sub-contractor and his employees.

 

Article 23.-

Even after the end of the processing or loss of their qualities, the data controller, the sub-contractor and their employees must protect the confidentiality of personal data and the processed information, except when diffusion of information has been accepted in writing by the data subject or in all cases regulated by the law in force.

 

Article 24.-

The data controller and the sub-contractor, who intend putting an end to their activities, shall inform the “Instance” three months before the date of suspension of their activities.

In case of death or bankruptcy of the data controller or the sub-contractor or in the case of winding-up the legal entity and according to the situation, the heirs, the trustee in bankruptcy or the liquidator must inform the “Instance” within three months from the date of the event.

The “Instance”, in accordance with the former paragraph, shall authorize the destruction of personal data within one month from the date of its being informed.

 

Article 25.-

In case of suspension of activities for the reasons specified in the previous article, the “Instance” may decide to communicate personal data, in the two following cases.-

1) Whether the “Instance” considers it useful for historical or scientific purposes;

2) Whether the person, who gave notification, proposes to communicate all or a part of the personal data to an individual or a legal entity, after giving its identity accurately.

The “Instance”, in that case, may accept communication of the personal data to the proposed person. Effective communication shall be carried out after consent of the data subject, his tutors or his heirs received by any means that leave a written trace.

If consent is not given, within three months from the date of its formulation, the personal data must be destroyed.

 

Article 26.-

In case of suspension of the activities of the data controller or the sub-contractor for the reasons mentioned in Article 24 of the hereby Act, the data subject, his heirs or each person who has an interest or the Public Prosecutor may ask the “Instance” to take appropriate steps for the conservation and protection of the personal data as well as its destruction.

The “Instance” must decide within ten days from its entitlement.

 

Section III.- The rights of the data subject

 

Sub-section I.- The consent of the data subject

 

Article 27.-

With the exception of the cases regulated by the hereby Act and the laws in force, the processing of personal data cannot be carried out without the express and written consent of the data subject. This consent shall be governed by the general rules of law if the data subject is incompetent or unauthorized or incompetent to sign.

The data subject or his tutor is allowed to withdraw his consent, at anytime during the processing.

 

Article 28.-

The processing of personal data related to a child cannot be carried out without the consent of his tutor and after authorization of the juvenile and family court judge.

The juvenile and family court judge may authorize processing even without the tutor's consent when it is required in the child's best interest.

At anytime, the authorization may be withdrawn by the juvenile and family court judge.

 

Article 29.-

The processing of personal data can be carried out without the consent of the data subject in the following situations :

– When it has been proved without doubt that the processing is carried out in the data subject's own interest;

– When it is impossible to contact the data subject;

– When obtaining consent implicates disproportionate endeavor;

– When the processing of personal data is allowed by law or contract to which the data subject is a party.

 

Article 30.-

The consent given to the processing of personal data under a given form for a given purpose shall not apply to other forms or purposes.

It is prohibited to use the processing of personal data for promotional purposes unless the data subject, his heirs or his tutor gives his explicit and specific consent. This consent shall be governed by the general rules of law.

The provisions of article 28 of the hereby Act shall apply if the data subject is a child.

 

Article 31.-

After the deadline of the opposition of the “Instance” set by article 7 of the hereby Act, the data subject must be notified first, by any means that leave a written trace, as follows :

– The kind of personal data concerned by the processing;

– The purposes of the personal data processing;

– Whether replies to the questions are compulsory or optional;

– The possible consequences of the absence of reply;

– The name of the individual or legal entity which benefits from the data or the name of the individual or legal entity which disposes of the right of access and its residence;

– The name and first name or the company name of the data controller and if needs be the name and residence of his representative;

– Their right of access to the data relating to them;

– Their right to withdraw, at any time, their consent to the processing;

– Their right of opposition to the processing of their personal data;

– The period of personal data storage;

– A synopsis of the steps taken in order to guarantee the safety of personal data;

– When applicable, the intended transfer of personal data to another state.

Notification shall be given within one month of the scheduled date of the personal data processing, by registered letter with acknowledgement on receipt or by any other means that leave a written trace.

 

Sub-section II.- The right of access of the data subject

 

Article 32.-

In accordance with this act, the right of access shall be understood as the right of the data subject, his heirs or his tutor to consult all the personal data related to him as well as the right to correct, complete, rectify, update, modify, clarify or delete it, when it has been proved that it is inaccurate, equivocal or prohibited for processing by law.

The right of access shall also be understood as the right to obtain a copy of the personal data in clear language, in accordance with the content of the recordings and in an understandable way in the case of automatic processing.

 

Article 33.-

The data subject may not abandon his right of access beforehand.

 

Article 34.-

The right of access is done by the data subject, his heirs or his tutor in reasonable time intervals and in non excessive ways.

 

Article 35.-

The limitation of right of access of the data subject, his heirs or his tutor, to the personal data related to him is prohibited, except in the following cases :

– When the processing of personal data is carried out for scientific purposes and the data shall affect the privacy of the data subject in a limited way.

– When the purpose of the limitation of right of access is to protect the data subject or third parties.

 

Article 36.-

When the processing of personal data is carried out by several responsible persons or by a sub-contractor, the right of access is used with each one.

 

Article 37.-

The person responsible for the automatic processing of the personal data and the sub-contractor must take all the required technical steps to ensure that the data subject, his heirs or his tutor may request by e-mail rectification, modification, correction or deletion of their personal data.

 

Article 38.-

The right of access is submitted by the data subject, his heirs or his tutor by any means that leave a written trace. The data subject, his heirs or his tutor may receive a copy of the personal data at their request. The data controller must answer the request within one month.

In case the data subject, his heirs or his tutor are not allowed, by the data controller or the sub-contractor, the right to consult their personal data or when the access is postponed or when there is a refusal to give them a copy of the personal data, the data subject, his heirs or his tutor shall notify the “Instance” within one month of the refusal.

The “Instance”, after hearing the two parties and making all the required investigations, may give the right of consultation of the personal data or the issue of a copy or may approve of the refusal within one month from the application.

The data subject, his heirs or his tutor may ask the “Instance” to take all the required steps in order to avoid any risk of concealment or the disappearance of personal data.

The Instance shall issue its decision within seven days from the application.

Dating from the application, concealment or the disappearance of personal data is prohibited.

 

Article 39.-

In the case of any litigation concerning the accuracy of personal data, the person responsible for the processing or the sub-contractor must mention the litigation until it has been decided upon.

 

Article 40.-

The data subject, his heirs or his tutor is entitled to ask for rectification, completion, modification, clarification, updating and deletion of personal data related to him when the data is inaccurate, incomplete or equivocal. The data subject, his heirs or his tutor is also entitled to ask for destruction of the data when their collection or use has been carried out in violation of the hereby Act.

Furthermore, and after the accomplishment of required procedures, the data subject, his heirs or his tutor is entitled to ask for a copy, with no additional costs, and indicates what it has not been carried out.

In that case, the person responsible of processing or the sub-contractor must give him a copy of the requested data within one month of the application.

In case of explicit or implicit refusal, the “Instance” may be notified within one month from expiry of the time mentioned in the above paragraph.

 

Article 41.-

All litigation related to the right of access is notified to the “Instance”.

Subject to specific terms mentioned by the hereby Act, the “Instance” shall issue its decision within one month of the application.

 

Sub-section III.- The right of objection of the data subject

 

Article 42.-

At anytime, the data subject, his heirs or his tutor has the right to object to the processing of personal data related to him for good, legitimate and serious reasons, except when the processing is scheduled by law or is required by the nature of the commitment.

Furthermore, the data subject, his heirs or his tutor have the right to object to the communication to third parties of personal data related to him, in order to exploit it for promotional purpose.

The objection immediately suspends the processing.

 

Article 43.-

All litigation related to the right to object is notified to the “Instance Nationale de Protection des Données à Caractère Personnel”.

The “Instance” shall issue its decision within the time set by article 41 of the hereby Act.

The juvenile and family court judge shall decide on any litigation related to the right of objection when the data subject is a child.

 

Chapter III.- The collection, conservation, deletion and destruction of personal data

Article 44.-

Personal data must be collected directly from the data subject.

Personal data collected from third parties are admitted whenever the data subject, his heirs or his tutor have already given their consent. The consent is not required whenever collection of personal data obtained from third parties is regulated by law or whenever the collection from the data subject would involve disproportionate efforts or whenever the said collection shall not flagrantly affect the data subject's lawful interests or whenever the data subject has died.

The provisions of article 28 of the hereby Act shall apply if the data subject is a child.

 

Article 45.-

Personal data must be destroyed as soon as its preservation term expires, as specified in the notification or authorization or by special laws or whenever the purposes of the collection of personal data have been realized or have become of no use to the data controller. A minute shall be written by a bailiff in the presence of an expert appointed by the “Instance”.

The data controller is responsible for the expert's fees and the bailiff's fees.

 

Article 46.-

Personal data communicated or susceptible to be communicated to the entities endorsed in article 53 of the hereby Act may not be destroyed or removed without the opinion of the said entities and the authorization from the “Instance Nationale de Protection des Données à Caractère Personnel”.

The Instance shall issue its decision within one month from the date of receipt of the application.

 

Chapter IV.- The communication and transfer of personal data

Article 47.-

The communication of personal data to third parties without the express consent of the data subject, his heirs or his tutor, given by any means that leaves a written trace, is prohibited, except when the data is necessary for public authorities missions, for public security or national defense, for criminal prosecutions or for carrying out missions in accordance with the laws and regulations in force.

The “Instance” may authorize the communication of personal data in case of written and explicit refusal of data subject, his heirs or his tutor whenever the communication is necessary for the protection of the data subject's life, or for scientific or historic researches, or for the performance of a contract at which the data subject is a part under the condition that the part whose personal data are communicated shall commit to take all required guarantees for the protection of data and linked rights, in accordance with the directives of the “Instance” and also under the condition that personal data shall not be used on other purposes for which they have been communicated.

The provisions of article 28 of the hereby Act shall apply if the data subject is a child.

 

Article 48.-

The authorization applying shall be submitted to the “Instance” within one month from the date of the data subject's refusal to communicate his personal data to third parties.

The “Instance” shall issue its decision within one month from the date of receipt of the application.

The “Instance” shall inform the applicant within fifteen days from the date of its decision by registered letter with acknowledgement on receipt or any other means that leave a written trace.

 

Article 49.-

The personal data processed for specific aims may be communicated for being processed later for historical or scientific purposes, under the condition of the data subject's consent, his heir or his tutor and the authorization of the “Instance Nationale de Protection des Données à Caractère Personnel”.

According to the cases, the “Instance” shall decide to remove or to leave the data susceptible to identify the data subject.

The provisions of article 28 of the hereby Act shall apply if the data subject is a child.

 

Article 50.-

In any case, the transfer of personal data to a foreign State is prohibited whenever it may endanger public security or Tunisia's vital interests.

 

Article 51.-

The transfer to a foreign State of personal data which are under processing or bound to be under processing may not take place if this State does not provide an adequate level of protection, in reference with the kind and the purposes of the data and the period of its processing and the foreign State where the data shall be transferred and the precautions which have been taken for data safety. In every case, the transfer of personal data must be carried out in accordance with the conditions set by the hereby Act.

 

Article 52.-

In every case, the authorization of the “Instance” is required before the transfer of personal data.

The “Instance” shall issue its decision within one month from the date of receipt of the application.

The application is introduced before the juvenile and family court judge whenever the personal data subject to transfer refers to a child.

 

Chapter V.- Some specific categories of processing

Section I.- Processing of personal data carried out by public entities

 

Article 53.-

Provisions of this section shall apply when processing of personal data is carried out by public authorities, local government and administrative public institutions, on the occasion of public security or national defense or criminal prosecutions or when the processing is necessary to execute their missions, in accordance with laws and rules in force.

Furthermore, provisions of this section shall apply to the processing of personal data carried out by health public institutions and public institutions not mentioned in the former paragraph whenever they use prerogatives of public power in order to accomplish their mission.

 

Article 54.-

The provisions of articles 7, 8, 13, 27, 28, 37, 44 and 49 of the hereby Act shall not apply to the processing of personal data carried out by the entities mentioned in the former article.

The processing of personal data carried out by the entities mentioned in the first paragraph of article 53 of the hereby Act is not subject to the provisions of articles 14, 15 and 42 and to the provisions of the fourth section of the fifth chapter of the hereby Act.

 

Article 55.-

The entities mentioned in article 53 of the hereby Act must rectify, complete, modify, update or delete personal data if the data subject, his tutor or his heirs have reported, by any means that leave a written trace, the inaccuracy or insufficiency of the data.

 

Article 56.-

The right of access cannot be exercised if the processing of personal data is carried out by entities mentioned in the article 53 of the hereby Act.

However, as far as the processing of personal data carried out by the entities mentioned in the second paragraph of article 53 of the hereby Act is concerned, the data subject, his tutor or his heirs can ask, for lawful reasons, to correct, complete, rectify, update, modify or delete them, when it is proved that data is inaccurate and that they have taken cognizance of that.

 

Article 57.-

Communication of personal data to private entities by the entities mentioned in article 53 of the hereby Act, without the express consent of the data subject by any means that leave a written trace, is prohibited.

The provisions of article 28 of the hereby Act shall apply if the data subject is a child. The specific laws in force regulate the other communications.

 

Article 58.-

The data subject, his tutor or his heirs have the right to object to the processing of personal data carried out by the entities mentioned in the second paragraph of article 53 of the hereby Act if the processing is contrary to the requirements of the said Act.

 

Article 59.-

All the litigations related to the application of the second paragraph of article 56 and article 58 of the hereby Act are notified to the “Instance” by the data subject, his tutor or his heirs.

The “Instance” must decide within one month from its entitlement.

 

Article 60.-

In the case of dissolution or merger of the entities mentioned in article 53 of the hereby Act, the supervisory authority must take all the required measures for preservation and protection of the data processed by the dissolved or merged entity.

The supervisory authority may decide to destroy personal data or to communicate them for historical or scientific purposes.

In every case, an administrative minute is reported.

 

Article 61.-

The entities mentioned in article 53 of the hereby Act must destroy personal data if its storage time has lapsed or if the purpose for which they have been processed has been realized or if personal data is no longer necessary to the followed activity, in accordance with laws in force. An administrative minute is reported.

 

Section II.- Processing of personal data related to health

 

Article 62.-

Without prejudice to article 14 of the hereby Act, personal data related to health may be processed in the following cases.-

1- When the data subject, his heirs or his tutor has given his consent prior to the processing. The provisions of article 28 of the hereby Act shall apply if the data subject is a child;

2- When the processing is required for the realization of purposes authorized by law and by-laws;

3- When the processing is necessary for the development and protection of public health, including research related to illnesses;

4- When the processing is salutary for the data subject's health or is required to follow-up his health condition, for preventive or therapeutic purposes;

5- When the processing is carried out for scientific research concerning health.

 

Article 63.-

Personal data processing related to health must be carried out exclusively by doctors or by people bound by their duties to professional confidentiality.

The doctors may communicate personal data in their possession to people or entities who carry out scientific research related to health, referring to a notification and after prior authorization from the “Instance Nationale de Protection des Données à Caractère Personnel”.

The “Instance” shall issue its decision within one month from the application.

 

Article 64.-

The processing shall not exceed the required time for the realization of the purpose for which it has been carried out.

 

Article 65.-

When it gives the authorization mentioned in the second paragraph of article 63 of the hereby Act, the “Instance” may set the precautions and measures that must be taken to guarantee the protection of personal data related to health.

The “Instance” may prohibit the spread of personal data related to health.

 

Section III.- Processing of personal data for scientific research purpose

 

Article 66.-

The collection or recording of personal data for scientific purposes must be exclusively processed or used for scientific purposes.

 

Article 67.-

Where scientific research allows it, the personal data must not reveal the identity of the data subject. Data related to the situation of an identified or identifiable natural person must be distinctly recorded and may not be gathered with the other data related to this person except when they are necessary for research purposes.

 

Article 68.-

The spread or dissemination of personal data which are under processing as part of scientific research is prohibited, unless the data subject, his heirs or his tutor have given their consent, by any means that leave a written trace or unless it is necessary for presentation of the results of research related to existing events at that time.

The provisions of article 28 of the hereby Act shall apply if the data subject is a child.

 

Section IV.- Processing of personal data for the purpose of video surveillance

 

Article 69.-

Without prejudice to the legislation in force, a prior authorization of the National Authority for Protection of Personal Data is required for the use of video surveillance means.

The Instance shall issue its decision within one month from the date of receipt of the application.

 

Article 70.-

The use of the video surveillance means mentioned in the previous article must be restricted to the following places :

1- Places opened to the public and their entrances;

2- Car parks, stations, public transport means, seaports, airports;

3- Places of collective work.

 

Article 71.-

The use of video surveillance means in the places mentioned in the previous article must be necessary to ensure people's security, prevention of accidents, protection of real estate and personal property or supervision of the entrances and exits from these places. In every case, video recordings may not be accompanied by soundtracks.

 

Article 72.-

The public must always be clearly informed of the presence of video surveillance means.

 

Article 73.-

The communication of video recordings collected for surveillance purpose is prohibited, except in the following situations :

1- The data subject, his heirs or his tutor have given their consent. When the data subject is a child, the provisions of article 28 of the hereby Act shall apply;

2- The communication is a necessary condition for the public authorities in order to accomplish their missions;

3- The communication is a necessary condition for the conviction, discovery or prosecution of criminal offenses.

Article 74.-

Video recordings must be destroyed when they are no longer necessary for their specific purposes or for the data subject's interests and if they are no longer necessary for research and prosecutions of criminal offences.

 

Chapter VI

“L'Instance Nationale de Protection des Données à Caractère Personnel”

Article 75.-

The “Instance Nationale de Protection des Données à Caractère Personnel”, which is a legal entity, is established by the provisions of this Act. The Instance is financially independent. Its main office is in Tunis.

The budget of the Instance is attached to the budget of the Ministry of Human Rights.

Its operating methods shall be set by decree.

Article 76.-

The “Instance Nationale de Protection des Données à Caractère Personnel” shall have the following assignments :

– It shall authorize and receive notification relating to personal data processing or shall withdraw them according to the present Act;

– It shall receive claims within its competence according to the present Act;

– It shall specify the necessary guarantees and the appropriate steps for the protection of personal data;

– It shall access the processing of personal data in order to check them and shall collect the important information for the execution of its mission;

– It shall give its opinion on any matter linked with the requirements of this Act;

– It shall develop rules of conduct concerning the processing of personal data;

– It shall contribute to research, training and studies in the field of personal data protection and all other activities in relation to its mission.

 

Article 77.-

The “Instance” conducts investigations by hearing statements from specific people and by ordering access to the places and premises used for the processing of personal data with the exception of buildings destined for occupancy. The “Instance” may be assisted, in order to do research and specific evaluations, by sworn agents from the Ministry in charge of communication technology or by judiciary experts or by any other person that the “Instance” judges useful.

The public prosecutor in the jurisdiction where the investigation takes place shall be informed by the “Instance” of any offenses that it has detected.

The duty of professional confidentiality may not be invoked against the “Instance”.

 

Article 78.-

The “Instance” shall be composed as follows :

– A President chosen among the eminent persons known for their knowledge in the field;

– A member chosen among the members of the “Chambre des Députés”;

– A member chosen among the members of the “Chambre des Conseillers”;

– A representative of the Prime Ministry;

– Two magistrates from the third degree;

– Two magistrates from the “Tribunal Administratif”;

– A representative from the Ministry of Interior;

– A representative from the Minister of Defence;

– A representative from the Ministry in charge of communication technology;

– A researcher from the Ministry in charge of Scientific Research;

– A doctor from the Ministry in charge of Public Health;

– A member from the “Comité Supérieur des Droits de l'Homme et des libertés Fondamentales”;

– A member chosen among experts in communication technology.

The President and the Members of the “Instance” are appointed by decree for three years.

 

Article 79.-

It is prohibited for the President and the Members of the “Instance” to hold any direct or indirect interest inside a firm relating to the personal data processing, whether automatic or non-automatic.

 

Article 80.-

The President and the Members of the “Instance” are bound by a duty of confidentiality in respect of the personal data and the information of which they have knowledge by virtue of their functions, even after the end of their term of office, except for other provisions made by the law.

 

Article 81.-

The “Instance” may decide, after fair proceedings with the data controller or the sub-contractor, to withdraw authorization or to prohibit processing in the case of failure to respect the duties provided by the present Act.

The proceedings of withdrawal or prohibition shall be set by decree.

 

Article 82.-

The decisions of the “Instance” shall be reasoned and notified to the parties by a bailiff.

The decisions of the “Instance” shall be appealed before the “Cour d'Appel de Tunis” within one month of their notification. In this case, the “Code de procedure Civile et Commerciale” is the applicable law.

Given that the appeal has no suspensive effect, the decisions of the “Instance” shall be executed.

If the execution can cause irreversible damage, a summary judgment of the “Premier Président de la Cour d'Appel de Tunis” may order a provisional suspension of proceedings until the decision of the “Cour d'Appel de Tunis” is made. The decision of provisional suspension of proceedings is not subject to appeal in any way. The court in charge of the file must decide within three months from seizure of jurisdiction.

The judgments of the “Cour d'Appel de Tunis” may be appealed before the “Cour de Cassation”.

 

Article 83.-

The applicant shall submit the assessment expenses and notification of the decisions expenses as well as other required expenses determined by the President of the “Instance”.

 

Article 84.-

State personal property and real estate required for the execution of missions of the “Instance” can be given by allocation. In the case of winding-up of the “Instance”, its properties shall be transmitted to the State which proceeds to the enforcement of the “Instance” duties and covenants in accordance with current legislation.

 

Article 85.-

The “Instance” shall present to the President of the Republic an annual report.

 

Chapter VII.- The sanctions

Article 86.-

A penalty of two to five years imprisonment and a fine of five thousand to fifty thousand Dinars are applicable to the violation of the provisions of article 50 of the hereby Act.

The attempt is also punishable.

 

Article 87.-

A penalty of two years imprisonment and a fine of ten thousand Dinars are applicable to violation of the provisions of article 13 of the hereby Act and the first paragraph of article 14, the first paragraph of article 28, the first paragraph of article 63 and articles 70 and 71 of the hereby Act.

The same penalty is also applicable to the violation of the provisions of the first paragraph of article 27 and the articles 31, 44 and 68 of the hereby Act.

 

Article 88.-

A penalty of one year imprisonment and a fine of ten thousand Dinars are applicable to a person who uses fraud, violence and threats to extort consent from a person for the processing of his personal data.

 

Article 89.-

A penalty of one year imprisonment and a fine of five thousand Dinars are applicable to a person who intentionally communicates personal data in order to make a profit for himself or for a third party or to harm the data subject.

 

Article 90.-

A penalty of one year imprisonment and a fine of five thousand Dinars are applicable to whoever :

– Intentionally carries out processing of personal data without the notification required by article 7 of the hereby Act or the authorization required by articles 15 and 69 of the hereby Act, or continues the processing of personal data after the prohibition of the processing or the withdrawal of the authorization;

– Spreads personal data related to health despite the prohibition of the “Instance” referred to in the second paragraph of article 65 of the hereby Act;

– Transfers personal data abroad, without the authorization of the “Instance”;

– Communicates personal data without the consent of the data subject or the agreement of the “Instance” in the cases ruled by the hereby Act.

 

Article 91.-

A penalty of one year imprisonment and a fine of five thousand Dinars are applicable to the data controller and the sub-contractor who continue the processing of personal data despite the objection of the data subject according to the article 42 of the hereby Act.

 

Article 92.-

A penalty of eight months imprisonment and a fine of three thousand Dinars are applicable to the data controller and the sub-contractor who intentionally limit or hamper the right of access in cases which are not regulated by article 35 of the hereby Act.

 

Article 93.-

A penalty of three months imprisonment and a fine of three thousand Dinars are applicable to whoever, on the occasion of processing, intentionally spreads personal data in a way that detracts from the data subject or his privacy.

A penalty of three months imprisonment and a fine of three thousand Dinars are applicable when the spread has been done without the intention of detracting.

At the request of the data subject, the court of justice shall order the publication of an excerpt of the judgment in one or several Tunisian newspapers selected by the data subject. Publication expenses shall be borne by the convicted person.

Prosecution may be set only on the request of the data subject.

The withdrawal shall stop the prosecution, the trial or the execution of the sentence.

 

Article 94.-

A penalty of eight months imprisonment and a fine of one thousand Dinars are applicable to whoever shall infringe the provisions of articles 12, 18 and 19 and the first and second paragraphs of article 20 and articles 21, 37, 45, 64 and 74 of the hereby Act.

The same penalties are also applicable to whoever collects personal data for illegitimate aims or against the law and order purposes or intentionally processes inaccurate, not updated or unnecessary personal data.

 

Article 95.-

A fine of ten thousand Dinars is applicable to whoever shall not respect the guarantees and measures set by the “Instance” in accordance with the provisions of the second paragraph of article 47 and the first paragraph of article 65 of the hereby Act.

 

Article 96.-

A fine of five thousand Dinars is applicable to whoever :

– Hampers the work of the National Authority for Protection of Personal Data by preventing its investigations or by refusing to give it the required documents;

– Communicates inaccurate information in bad faith to the “Instance” or intentionally notifies the data subject of inaccurate information.

 

Article 97.-

Except for the cases regulated by law, article 254 of the Criminal Code is applicable to the data controller, the sub-contractor, their agents, the President of the “Instance” and its members who reveal the content of personal data.

 

Article 98.-

A fine of one thousand Dinars is applicable to the data controller, the sub-contractor, the trustee in bankruptcy or the liquidator who infringes the provisions of article 24 of the hereby Act.

 

Article 99.-

A fine of one thousand Dinars is applicable to the data controller or the sub-contractor who infringes the provisions of article 39 of the hereby Act.

 

Article 100.-

In addition to the sentences regulated by former articles of the hereby Act, the court of justice may, in each case, withdraw the authorization of data processing or suspend it.

 

Article 101.-

In case the offender is a legal entity, the penalties mentioned above are applicable personally to the legal or de facto manager responsible for the offenses.

 

Article 102.-

The offenses mentioned in this chapter are certified by judiciary police officers provided for in numbers 1 to 4 of article 10 of the Criminal Proceedings Code and by sworn officers of the Ministry in charge of communication technology; the minutes are prepared in accordance with the proceedings of the Criminal Proceedings Code.

 

Article 103.-

The penal mediation may be considered with reference to the offenses mentioned in the second paragraph of article 87 and articles 89 and 91 of the hereby Act, in accordance with the ninth chapter of the fourth book of the Criminal Proceedings Code.

 

Miscellaneous

 

Article 104.-

The rules contrary to the hereby Act shall be abrogated, in particular articles 38, 41 and 42 of the act n°2000-83 of 9 August 2000 on interchange and electronic trade.

 

Article 105.-

The persons who have carried out a processing of personal data at the date of the promulgation of the present Act are given a one year duration to comply with its rules, starting from its coming into force.

The present Act shall be published in the “Journal Officiel de la République Tunisienne” and executed as a State Act.

 

Tunis, July 27th 2004

Zine El Abidine Ben Ali  
