Morocco - Data Protection Overview
1. Governing Texts
The law governing privacy and data protection in Morocco is the Dahir no. 1-09-15 of 22 safar 1430 (February 18, 2009) promulgating Law no. 09-08 on the protection of individuals with regard to the processing of personal data (only available in French) ('Law no. 09-08'). Law no. 09-08's implementing text consists of Decree 2-09-165 of May 21, 2009, issued for the application of Law no. 09-08 relating to the protection of individuals with regard to the processing of personal data (only available in French) ('Decree no. 2-09-165').
Both of these aforementioned legal documents are referred to as the Data Protection Law.
The authority that issues data protection guidance and has enforcement powers in the field of data protection in accordance with Law no. 09-08 is the Data Protection National Commission ('CNDP').
1.3. Case law
There is no notable case law in Morocco.
2. Scope of Application
Article 2.2 of Law no. 09-08 stipulates that it is applied to the processing of personal data when carried out by a natural or legal person, public authority, service, or any other body that receives data, whether or not it is a third party.
Per Article 2.2 of Law no. 09-08, the law is applied:
- when carried out by a natural or legal person acting as a data controller established on Moroccan territory. A data controller who carries out an activity on Moroccan territory in the context of an installation, whatever its legal form, is considered to be established there; and
- when the data controller is not established on Moroccan territory but uses, to process personal data, automated or non-automated means located on Moroccan territory, except for processing which is used solely for transit purposes on national territory or on the territory of a State whose legislation is recognized as equivalent to that of Morocco concerning the protection of personal data.
As stipulated under Article 2.1 of Law no. 09-08, the same law applies to the processing of personal data, whether wholly or partly automated, as well as to the non-automated processing of personal data contained or intended to be contained in data files.
Notwithstanding the aforementioned, Article 2.4 of Law no. 09-08 indicates that the law does not apply to:
- the processing of personal data carried out by a natural person for the exercise of exclusively personal or domestic activities;
- personal data collected and processed in the interests of national defense and the internal or external security of the State. It applies to personal data collected and processed to prevent and combat crime and misdemeanors only in accordance with the conditions laid down by the law or regulation creating the file in question; and
- personal data collected in the application of specific legislation.
3.1. Main regulator for data protection
The CNDP is established under the authority of the Prime Minister as stipulated in Law no. 09-08 under Article 27, and Article 1 of Decree no. 2-09-165. It is composed of seven members including the President, who is appointed by the King.
3.2. Main powers, duties and responsibilities
The CNDP was established with the responsibility of implementing and ensuring compliance with the provisions of Law no. 09-08 and the texts adopted for its application. One of its main responsibilities is to give its opinion to the government on proposed legislation or regulations relating to the processing of personal data, along with laying out and enforcing such laws for the processing of personal data, as stipulated by Articles 27 and 28 of Law no. 09-08.
The main powers attributed to the CNDP pursuant to Article 30 of Law no. 09-08 and Section 4 of Decree no. 2-09-165 include:
- powers of investigation and inquiry enabling its agents, duly commissioned for this purpose by the President, to have access to the data being processed, to request direct access to the premises on which the processing is carried out, to gather and seize all information and documents necessary to fulfill the control functions, all in compliance with the terms of the commission they are executing;
- the power to order that documents of any kind or on any medium be communicated to it, within the deadlines and on the terms (including possible sanctions) that it sets, enabling it to examine the facts concerning the complaints referred to it;
- the power to order or carry out or cause to be carried out any modifications necessary to ensure the fair maintenance of the data contained in the file; and
- the power to order the blocking, deletion, or destruction of data, and the power to prohibit, temporarily or permanently, the processing of personal data, even those included in open data transmission networks from servers located on national territory.
4. Key Definitions
Data controller: Pursuant to Article 1.5 of Law no. 09-08, a data controller is a natural or legal person, public authority, department, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by legislative or regulatory provisions, the data controller must be indicated in the law governing the organization and operation, or in the statute, of the entity legally or statutorily competent to process the personal data in question.
Data processor: Pursuant to Article 1.6 of Law no. 09-08, a data processor is a natural or legal person, public authority, department, or other body that processes personal data on behalf of the controller.
Personal data: Pursuant to Article 1.1 of Law no. 09-08, personal data is defined as any information, of any kind and regardless of its medium, including sound and image, concerning an identified or identifiable natural person.
Sensitive data: Pursuant to Article 1.3 of Law no. 09-08, sensitive data is personal data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership of the data subject, or relating to their health, including genetic data.
Data subject: Pursuant to Article 1.1 of Law no. 09-08, this is an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
5. Legal Bases
Consent as a legal basis for processing is dealt with under Article 4 of Law no. 09-08, which states that personal data may only be processed if the data subject has unambiguously given consent to the operation at hand.
Article 4 of Law no. 09-08 introduces exceptions under which such consent is not required, namely when the processing is necessary:
- to comply with a legal obligation to which the data subject or data controller is subject;
- for the performance of a contract to which the data subject is a party, or the performance of pre-contractual measures taken at the data subject's request;
- to safeguard the vital interests of the data subject, if they are physically or legally incapable of giving consent;
- for the performance of a task carried out in the public interest or in the exercise of official authority by the controller or the third party to whom the data is disclosed; or
- to achieve the legitimate interests pursued by the controller or the recipient, provided that the interests or fundamental rights and freedoms of the data subject are not infringed.
Performance of a contract as a legal basis is provided for under Article 4(b) of Law no. 09-08, which dispenses with consent when the processing of the data is necessary for the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the data subject's request.
Compliance with a legal obligation is likewise a legal basis that dispenses with the data subject's consent, as established by Article 4(a) of Law no. 09-08, when the processing of the data is necessary 'to comply with a legal obligation to which the data subject or data controller is subject.'
This is also the case under Article 9 of Law no. 09-08, which states that the right of opposition is non-applicable when the processing is carried out pursuant to a legal obligation.
Protection of vital interests as a legal basis is enshrined in Article 4(c) of Law no. 09-08, which states that no consent is required when the processing is necessary to safeguard the vital interests of the data subject if they are physically or legally incapable of giving consent.
There are a few instances where the public interest is considered a legal basis.
The requirement of consent presented under Article 4 of Law no. 09-08 is not required when the processing of the data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority by the controller or the third party to whom the data is disclosed, as stipulated under Article 4(d) of Law no. 09-08.
This legal basis is also present under Article 44 of Law no. 09-08 with regard to the transfer of data to a state in non-compliance with Article 43 of Law no. 09-08, which allows such transfer to take place when it is conducted to preserve the public interest.
The right of consent as introduced by Article 4 of Law no. 09-08 is also exempted when the processing of data is necessary to achieve the legitimate interests pursued by the controller or the recipient, provided that the interests or fundamental rights and freedoms of the data subject are not infringed, as indicated within Article 4(e) of the Law no. 09-08.
This is also the case under Article 3 of Law no. 09-08, which indicates that the legitimate interests of the data controller are sufficient to store data for historical, statistical, or scientific purposes beyond the period otherwise allowed by the law.
Please take into account that all of the following principles provide a framework for the correct application of the law with regard to data protection. Many examples of these principles have already been mentioned throughout this guidance note; the points below summarize them.
Transparency: As indicated under Articles 4, 5, and 7 of Law no. 09-08, data controllers are required to provide clear and accessible information to data subjects about the processing of their personal data. As such, data subjects shall be informed about the purposes, recipients, and methods of the data processing and the rights entitled to them in relation to their personal data.
Purpose limitation: As indicated under Articles 3 and 12 of Law no. 09-08, personal data should only be collected for explicit, specified, and legitimate purposes as determined by the data controller. Data subjects should be notified if such purpose alters throughout the course of the process.
Data minimization: Only personal data perceived as adequate, relevant, and limited to what is necessary should be collected and processed pursuant to Article 3.1 of Law no. 09-08.
Accuracy and quality: As stipulated under Article 3.1 of Law no. 09-08, data controllers are responsible for ensuring the accuracy, quality, and relevance of the personal data they process. Appropriate measures should be adopted to keep the data up to date where necessary.
Storage limitation: Personal data should not be stored longer than necessary for the purposes for which it was collected in the first place as stated under Article 3.2 of Law no. 09-08.
Confidentiality and security: Article 36 of Law no. 09-08 sets forth that all individuals involved with data processing are required to maintain the confidentiality and security of the data in an attempt to safeguard its contents.
Accountability: Data controllers and/or other individuals involved with the data processing are held accountable for all the aforementioned, and are also subject under the law to penalties, as can be seen in the section on penalties below, under Articles 54 and 61 of Law no. 09-08.
7. Controller and Processor Obligations
Law no. 09-08 sets forth within Article 12 the requirements with regard to data processing registration. Article 12 provides that, unless otherwise stipulated by law, the processing of personal data must be subject to:
- prior authorization when processing relates to:
  - sensitive data as defined under Article 1.3 of Law no. 09-08. However, such authorization is not required for the processing carried out by an association or other non-profit-making group of a religious, philosophical, trade-union, cultural, or sporting nature:
    - for data that comply with one or more of the characteristics presented under Article 1.3 of Law no. 09-08 and which correspond to the purpose of the organization or group in question;
    - provided that the data relates only to members of the organization and, where applicable, to data subjects who have regular contact with the organization in the course of its activities; and
    - provided that they concern only data not communicated to third parties unless the data subjects expressly consent and the group can provide proof of this consent at the first request of the competent authority;
  - the use of personal data for purposes other than those for which they were collected;
  - genetic data, with the exception of data used by health personnel for medical purposes, whether for preventive medicine, diagnosis, or treatment;
  - data relating to offenses, convictions, or security measures, with the exception of those implemented by court officers;
  - data containing the national identity card number of the data subject; and
  - the interconnection of files belonging to one or more legal entities managing a public service and having different public-interest purposes, or the interconnection of files belonging to other legal entities and having different main purposes; and
- a prior declaration in all other cases.
Law no. 09-08 sets forth, under Article 43, restrictions with regard to the transfer of data, requiring that such transfers do not take place when the receiving State does not have a framework ensuring appropriate protection of such data. Article 44 of Law no. 09-08 presents a series of instances in which a transfer may nevertheless take place, including where the data subject has already approved such transfer, rendering Article 43 non-applicable.
Law no. 09-08 does not explicitly impose restrictions on national transfers of data or localization requirements.
There is an obligation for data controllers and/or data processors to maintain data processing records under Law no. 09-08. The requirements for such records are presented under Chapter VI of Law no. 09-08, regarding the National Register for Personal Data Protections and Limits on the Creation or Use of Central Registers and Files.
As per Article 46 of Law no. 09-08, the following are included in the above-mentioned register (only available in French):
- files processed by public authorities;
- files processed by private individuals or bodies;
- references to published laws or regulations creating public files;
- authorizations issued in application of the present law and the texts for its application; and
- data relating to files that are necessary to enable data subjects to exercise their rights to information, access, rectification, deletion, and opposition as granted by the law.
The CNDP published, on December 14, 2020, Deliberation No. D-188-2020 governing Data Protection Impact Assessments ('DPIA') (only available in French) ('the Deliberation').
A DPIA is used to define responsibilities in the context of regulations based on the principle of accountability. In this case, the DPIA is drawn up by the data controller, who must submit it to the authority in charge of personal data protection in the event of an inspection. In the case of sensitive processing operations, the list of which is specified by the supervisory authority, the DPIA is submitted for validation prior to any deployment of these operations.
As per the Deliberation, the following categories of processing are included in the DPIA:
- processing that infringes the provisions of Article 11 of Law no. 09-08 on the neutrality of effects, and which enables decisions to be made on the basis of automated processing of personal data;
- large-scale processing of sensitive data which, under Article 1 of Law no. 09-08, reveals a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or health, including genetic data;
- processing that enables systematic monitoring of data subjects; and
- processing using innovative technological or organizational solutions.
This list also extends to processing operations carried out:
- to comply with a legal obligation to which the data controller is subject;
- in the performance of a task carried out in the public interest or in the exercise of official public authority vested in the data controller; and
- on the foundation of a legal basis that regulates them.
However, a DPIA is not necessary when the nature, scope, context, and purposes of the processing are very similar to those of a processing operation for which an impact analysis has already been carried out by the controller or by a third party (authorities, public bodies, groups of data controllers, etc.), and the results of such analysis can be reused and transposed.
Law no. 09-08 does not introduce any requirements for data controllers and/or processors to appoint a Data Protection Officer ('DPO').
It is however general practice in Morocco for the data controller or processor to perform the tasks of the DPO within their function.
There is no legal requirement under the applicable law to notify a data breach.
Article 3.1(e) of Law no. 09-08 requires that data kept in a form allowing the identification of the data subject not be stored for longer than the purposes for which it was collected require.
There are no provisions regulating the processing of children's data under Law no. 09-08.
Criminal conviction data
With regard to criminal conviction data, Article 27 of Law no. 09-08 stipulates that the CNDP may give its opinion to the competent authority regarding personal data collected and processed for the purposes of preventing and combating crime. The scope of application of Law no. 09-08 further states that it shall apply to 'personal data collected and processed for the purposes of preventing and punishing crimes and offenses only under the conditions laid down by the law or regulation creating the file in question.'
Articles 49 and 50 of Law no. 09-08 present requirements regarding the processing of criminal conviction data indicating who may carry out the processing of such data.
With regard to health data, Law no. 09-08 sets forth provisions for the processing of such data. Under Article 12 of Law no. 09-08, compliance with the prior authorization requirement is not applicable where such data contains genetic data. The law also introduces a series of requirements for health data under Article 22 and Article 24 of Law no. 09-08:
- Article 22 stipulates that the processing of health data is subject to a declaration to the CNDP when such data is in compliance with the sub-provisions of Article 22; and
- Article 24 requires that data processors and/or controllers comply with a series of requirements to ensure the appropriate safeguarding of such a category of personal data.
Under Law no. 09-08, a contract is required between a data controller and a processor when the latter is considered a subcontractor pursuant to Article 23.3 of Law no. 09-08, which states that processing carried out by subcontractors must be governed by a contract or legal act binding the processor to the data controller. The processor acts only on the instructions of the controller, and the obligations of the data controller are also incumbent on the processor under that contract.
8. Data Subject Rights
Data subjects' right to be informed is stipulated under Article 5 of Law no. 09-08, which requires that any data subject directly solicited for the collection of their personal data must first be informed in an express, precise, and unequivocal manner by the data controller or their representative.
This right to be informed may not be applicable if the data subject is already aware of the following elements, as per Article 5(a-d) of Law no. 09-08:
- the identity of the data controller and, where applicable, their representative;
- the intended purpose of the data processing;
- any additional information such as:
  - recipients or categories of recipients;
  - whether answering the questions is compulsory or optional, as well as the possible consequences of a failure to answer;
  - the existence of a right of access and rectification of personal data concerning them, insofar as, given the particular circumstance in which the data is collected, this information is necessary to ensure fair processing of the data with respect to the data subject; and
- the characteristics of the receipt for the notification to the CNDP or those of the authorization issued by the CNDP.
As per Article 6 of Law no. 09-08, the right to be informed is also not applicable:
- for personal data whose collection and processing are necessary for national defense, internal or external state security, or the prevention or suppression of crime;
- when it proves impossible to inform the data subject, particularly in the case of processing personal data for statistical, historical, or scientific purposes. In such cases, the data controller is obliged to notify the CNDP of the impossibility of informing the data subject and to give the reasons for this impossibility;
- if legislation expressly provides for the recording or communication of personal data; and
- to the processing of personal data exclusively for journalistic, artistic, or literary purposes.
The right to access is set forth under Article 7 of Law no. 09-08, indicating that data subjects have the right to obtain, free of charge and without delay, confirmation of whether their personal data is being processed, along with information about the purposes, categories of data, and recipients. They also have the right to access and receive their personal data in an intelligible form, including information about the data's origin.
The data controller can request that the CNDP set deadlines for responding to access requests, and can object to manifestly abusive requests, with the burden of proof falling on the data controller.
Data subjects have the right to know the logic behind any automated processing of their personal data.
Granted by Article 8 of Law no. 09-08, data subjects are given the right to request the updating, rectification, erasure, or blocking of their personal data if its processing does not comply with the law, and the data controller must make the necessary corrections within 10 days.
If the data controller fails to respond, the data subject may request that the CNDP investigate and rectify the data, and if successful, the data subject must be informed.
All relevant third parties must also be notified of any changes made.
The right to erasure granted to data subjects under Article 8(a) of Law no. 09-08 allows for such erasure to happen when data processing does not comply with the requirements of Law no. 09-08.
Data subjects have the right, on providing proof of identity and solely on legitimate grounds, to object to their data being processed, as set forth in Article 9 of Law no. 09-08. They also have the right to object, free of charge, to their data being used for prospecting purposes, in particular for commercial purposes, by the current or a future data controller. This right does not apply when the processing is carried out in response to a legal obligation or when the application of these provisions has been excluded by an express provision of the act authorizing such processing.
There is no right to data portability granted to data subjects under Law no. 09-08.
The right not to be subject to decisions based solely on automated processing is granted to data subjects under Article 11 of Law no. 09-08, which requires that no judicial decision which may bear legal effect on a data subject be taken solely on the basis of automated processing.
As per Article 11 of Law no. 09-08, this right does not include decisions taken in the context of the conclusion or performance of a contract, in respect of which the data subject has been given the opportunity to comment, or decisions made in response to requests from the data subject.
Article 10 of the Law no. 09-08 introduces a ban on direct prospection when the latter is used by means of automatic calling machines, fax machines, electronic mail, or similar technology to which the data subject has not given prior consent. Under Article 10 of Law no. 09-08, direct prospection is defined as the sending of any message intended to promote, directly or indirectly, goods, services, or the image of a data subject selling goods or providing services.
However, as per Article 10 of Law no. 09-08, direct prospection is authorized by e-mail if the data subject's details have been collected directly from them in compliance with the provisions set forth by Law no. 09-08.
Penalties for non-compliance with Law no. 09-08 are provided for by Articles 52 to 65 of Law no. 09-08:
- Article 51 states that when the processing operation is prejudicial to public safety and is contrary to the principle of morality and decency, the CNDP may revoke the authorization.
- Article 52 states that a penalty is enforced when there is a failure to comply with the declaration or authorization requirement found under Article 12 of Law no. 09-08, resulting in a fine ranging from MAD10,000 to MAD100,000 (approx. $1,025 to $10,250).
- Article 53 states that any data controller who refuses the rights of access, rectification, or opposition as provided by Law no. 09-08 is liable for a fine ranging between MAD20,000 and MAD200,000 (approx. $2,050 to $20,505) per offense.
- Article 54 states that whoever is in violation of Article 3 of Law no. 09-08 is subject to a potential jail sentence ranging from three months to one year, and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505).
- Article 55 states that any person who retains personal data beyond the period authorized by the law or the authorization shall be liable to a jail sentence ranging from three months to one year and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505). This does not apply to data of historical, statistical, or scientific nature.
- Article 56 states that any person in breach of Article 4 of Law no. 09-08 with regard to consent shall also be liable to a potential jail sentence ranging from three months to one year and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505).
- Article 57 states that anyone who, without the express consent of the data subjects, processes personal data which reveals information, as stipulated under Article 1.3 of Law no. 09-08, is liable to imprisonment ranging between three months to one year and/or a fine between MAD50,000 and MAD300,000 (approx. $5,125 to $30,755). The aforementioned also applies to personal data relating to offenses, convictions, or security measures.
- Article 58 states that anyone in non-compliance to Articles 23 and 24 of Law no. 09-08 is liable to a jail sentence ranging from three months to one year and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505).
- Article 59 states that anyone who processes personal data despite the clear opposition by the data subject who is in compliance with Law no. 09-08 is liable to a jail sentence ranging from three months to one year and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505).
- Article 60 states that anyone who transfers personal data to a foreign country in breach of Articles 43 and 44 of Law no. 09-08 is liable to a jail sentence ranging from three months to one year and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505).
- Article 61 states that any data controller or processor who causes or facilitates the improper or fraudulent use of the data processed or received, even through negligence, is liable to a jail sentence ranging from three months to one year and/or a fine ranging from MAD20,000 to MAD200,000 (approx. $2,050 to $20,505).
- Article 62 states that anyone who commits any of the breaches stipulated below is liable to a jail sentence ranging from three to six months and/or a fine between MAD10,000 and MAD50,000 (approx. $1,025 to $5,125):
  - hindering the exercise of the CNDP's control missions;
  - refusing to receive inspectors or to allow them to carry out their duties; or
  - refusing to send or transmit requested documents as required by the law.
- Article 63 states that anyone found in non-compliance and who refuses to apply the decisions as requested by the CNDP is liable to imprisonment ranging from three months to one year and/or a fine between MAD10,000 and MAD100,000 (approx. $1,025 to $10,250).
- Article 64 states that when an entity is in non-compliance with one of the aforementioned Articles of this section of Law no. 09-08, such fines are doubled. They shall also potentially be liable for partial asset confiscation, confiscation under Article 89 of the Penal Code (only available in French), or even the closure of the entity itself.
- Article 65 states that anyone who repeats an offense as stipulated under Law no. 09-08 when convicted of non-compliance must have their sanctions doubled. This is only applicable when the repetition happens within one year after the pronouncement of the first decision rendering them liable.