In brief: Law 09-08 governs personal data protection in Morocco. Any business processing personal data must file declarations or obtain authorizations from the CNDP, respect data subjects’ rights, and ensure data security.
With over 15 years of experience in legal and tax advisory, Upsilon Consulting’s chartered accountants support you in achieving compliance with CNDP requirements.
What Is the CNDP?
The Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) is Morocco’s data protection authority, responsible for enforcing Law 09-08 on the protection of individuals with regard to the processing of personal data. Established in 2009, it comprises 7 members appointed by His Majesty the King.
The CNDP’s main missions include:
- Receiving declarations and prior authorization requests for personal data processing
- Informing individuals of their rights and data controllers of their obligations
- Conducting investigations and on-site inspections
- Imposing sanctions for non-compliance
Scope of Law 09-08
Law 09-08 applies to the processing of personal data, whether wholly or partly automated, as well as non-automated processing of data contained or intended to be contained in manual files.
What Is Personal Data?
Any information, of whatever nature, relating to an identified or identifiable individual. Examples: name, surname, address, national ID number (CIN), email address, phone number, geolocation data, IP address.
What Is Sensitive Data?
Sensitive data benefits from enhanced protection. It includes data revealing:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union membership
- Health, including genetic data
- Biometric data
Processing of sensitive data is in principle prohibited, except in limited cases provided by law (explicit consent, necessity to protect life, processing by a religious, political, or trade union association, etc.).
Business Obligations
Purpose and Proportionality
Personal data must be:
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and not excessive in relation to the purposes
- Accurate and kept up to date
- Retained for a period not exceeding what is necessary for the processing purposes
Consent
Personal data processing may only be carried out if the data subject has given unambiguous consent, except where exemptions apply (performance of a contract, legal obligation, protection of life, public interest mission).
Data Security
The data controller must implement appropriate technical and organizational measures to protect data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access.
Prior Declaration and Authorization
Before any personal data processing, the business must:
- File a prior declaration with the CNDP for non-sensitive data processing.
- Obtain prior authorization from the CNDP for:
  - Processing of sensitive data
  - Processing of national identity card (CIN) data
  - Interconnection of files with different main purposes
  - Transfer of data to a foreign country without an adequate level of protection
Data Subjects’ Rights
Law 09-08 establishes several fundamental rights for individuals whose data is processed:
Right to Information
Any person whose data is collected must be informed of: the identity of the data controller, the purpose of processing, the data recipients, and the existence of access and rectification rights.
Right of Access
Any person may obtain from the data controller confirmation of whether their data is being processed, as well as communication of the data concerning them.
Right of Rectification
Any person may require the data controller to rectify, complete, update, lock, or delete their data.
Right of Objection
Any person may object, on legitimate grounds, to the processing of their data. They may also object, free of charge, to the use of their data for commercial prospecting purposes.
International Data Transfers
The transfer of personal data to a foreign country may only take place if that country ensures a sufficient level of protection for privacy and freedoms. Failing this, CNDP authorization is required, which may be granted if sufficient safeguards are provided (standard contractual clauses, binding corporate rules).
This provision is particularly important for subsidiaries of international groups and businesses using cloud services hosted abroad.
Penalties Under Law 09-08
Administrative Sanctions
The CNDP may impose:
- A warning
- A formal notice to cease the breach within a specified period
- Temporary or permanent withdrawal of the declaration receipt or authorization
Financial Penalties
Fines are provided for breaches of the law, with amounts varying according to the severity of the breach.
Criminal Penalties
Law 09-08 provides for imprisonment and fines for the most serious offences, including:
- Processing personal data without declaration or authorization
- Misusing the purpose of processing
- Unlawful transfer of data abroad
- Obstructing the exercise of data subjects’ rights
How to Achieve Compliance
Compliance with Law 09-08 is a structured process that includes:
- Mapping all personal data processing activities in your business
- Assessing the compliance of each processing activity under the law
- Filing the necessary declarations and authorization requests
- Implementing information notices, consent procedures, and security measures
- Training your teams on data protection obligations
- Maintaining compliance over time (regulatory monitoring, updates)
Upsilon Consulting offers comprehensive CNDP compliance support tailored to the size and needs of your business. Contact us for a free assessment.
Frequently Asked Questions
Is the CNDP equivalent to the GDPR supervisory authorities in Europe?
The CNDP plays a similar role to European data protection authorities such as France’s CNIL. It is the independent authority responsible for ensuring compliance with Moroccan data protection legislation.
Does my company have to declare its data processing?
Yes. All personal data processing must be the subject of a prior declaration or prior authorization with the CNDP, under penalty of criminal sanctions.
Does Law 09-08 apply to foreign companies?
Yes, as long as they process personal data on Moroccan territory or use means located in Morocco to carry out such processing.