Data Privacy Tool
Law No 09-08 dated 18 February 2009 relating to the protection of individuals with regard to the processing of personal data, and its implementing Decree n° 2-09-165 of 21 May 2009 (the "Law").
Definition of personal data
Pursuant to article 1 of the Law, personal data is defined as any information, regardless of its nature or format, relating to an identified or identifiable person.
Definition of sensitive personal data
Personal data which reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership of the person concerned or relating to his health, including his genetic data (article 1.3 of the Law).
Data Protection National Commission (Commission Nationale de Protection des Données Personnelles).
The processing of personal data is subject:
- to a prior authorization from the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles) when the processing concerns:
  - sensitive data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, including genetic data)
  - the use of personal data for purposes other than those for which they were collected
  - genetic data, except where used by health personnel for medical purposes
  - data relating to offenses, convictions or security measures, except where used by officers of the court, and
  - data which include the national identity card number of the person concerned; or
- to a prior declaration to be filed with the Data Protection National Commission.
The declaration and the authorization both include a commitment that the personal data will be processed in accordance with the Law.
The prior declaration and authorization shall include, but are not limited to, the following information:
- the name and address of the person in charge of the processing and, if applicable, its representative
- the name, characteristics and purpose(s) of the processing envisaged
- a description of the category or categories of data subjects, and the data or categories of personal data relating thereto
- the recipients or categories of recipients to whom the data are likely to be communicated
- the envisaged transfers of data to foreign states
- the data retention time
- the authority before which the data subject may exercise, where applicable, the rights granted to him by law, and the measures taken to facilitate the exercise of these rights
- a general description allowing a preliminary assessment of the appropriateness of the measures taken to ensure the confidentiality and security of processing, and
- overlap, interconnections, or any other form of data reconciliation and their transfer, subcontracting, in any form, to third parties, free of charge or for consideration.
Personal data must be:
- treated fairly and lawfully;
- collected for specific, explicit and legitimate purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date; and
- kept in a form enabling the person concerned to be identified.
As a general rule, the processing of personal data is subject to the prior consent of the person concerned.
However, personal data may be processed without the consent of the person concerned where the processing relates to the:
- compliance with a legal obligation to which the person concerned or the person in charge of the processing is subject
- performance of a contract to which the person concerned is party, or the taking of pre-contractual measures at the request of the latter
- protection of the vital interests of the person concerned, where that person is physically or legally unable to give consent
- performance of a task carried out in the public interest or in the exercise of public authority vested in the person in charge of the processing or in the third party to whom the data are communicated
- pursuit of the legitimate interests of the person in charge of the processing or of the recipient, provided that the interests or fundamental rights and freedoms of the person concerned are not overridden.
The personal data must be subject to prior authorization from the National Commission before any transfer to a foreign state.
Furthermore, the person in charge of the processing may transfer personal data to a foreign state only if that state ensures, under its applicable legal framework, an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing to which the data are or might be subject.
However, the data processor may transfer personal data to a foreign state which does not satisfy the conditions mentioned above (i.e. which does not ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals) if the person to whom the data relate has expressly consented to the transfer.
Article 23 of the Law provides that the data processor is required to implement all technical and organizational measures needed to protect personal data against damage, alteration or use by a third party not authorized to have access, as well as against any other form of unlawful processing.
In addition, the data processor who carries out processing on his own behalf must choose a subcontractor that provides sufficient guarantees with regard to the technical and organizational measures relating to the processing to be carried out while ensuring compliance with these measures.
The Data Protection National Commission ensures compliance with the provisions of the Law.
Articles 50 to 64 provide that non-compliance with the provisions of the Law is punishable by a fine ranging from MAD 10,000 to MAD 600,000 and/or imprisonment of between three months and four years.
When the offender is a legal person, and without prejudice to the penalties which may be imposed on its officers, penalties of fines shall be doubled.
In addition, the legal person may be punished with one of the following penalties:
- the partial confiscation of its property
- seizure of objects and things whose production, use, carrying, holding or selling is an offence, and
- the closure of the establishment(s) of the legal person where the offense was committed.
Direct prospecting by means of an automated calling machine, a fax machine, e-mail or a similar technology which uses, in any form whatsoever, an individual's data without his express prior consent to receive direct prospecting is prohibited.
However, direct prospecting by e-mail may be permitted if the recipient's details were obtained directly from him.
Unsolicited e-mails may only be sent without consent where all of the following conditions are met:
- the contact details were provided in the course of a sale
- the marketing relates to a similar product, and
- the recipient was given a method to opt-out of the use of their contact details for marketing when they were collected.
General Data Protection principles apply.