ALF - Legal services in Africa > Articles > Morocco > Declaring personal data processing in Morocco

Declaring personal data processing in Morocco

23 January 2024
Posted by: Kelly HAZAN
Category: Morocco Personal data

MOROCCAN STARTUPS, LEARN HOW TO COMPLETE YOUR PERSONAL DATA PROCESSING DECLARATIONS!

Declaring your personal data processing operations to the CNDP is mandatory if your startup processes personal data. What is personal data processing? Which form to fill in? The aim of this article is to help you understand these regulations.

WHEN DOES MY STARTUP PROCESS PERSONAL DATA?

Startups may need to process personal data as part of their business activities, for example when running marketing campaigns, payroll, invoicing or developing an e-commerce website.

These processes often use personal data such as surname, first name, ID card number, email address, photo, telephone number, fingerprints, DNA and bank details. Such data, which identifies or renders identifiable the persons concerned (e.g. employees, customers or suppliers), must be protected, processed in proportion to the intended purpose and kept for a limited period, not exceeding the time required to achieve the purpose of the processing.

You will find below other examples of the purposes for which personal data is processed:

personnel management and payroll administration ;
access to / consultation of a contact database containing personal data (e.g. CRM software);
promotional e-mails;
shredding of documents containing personal data ;
publication / display of a photo of a person on a website ;
conservation of IP or MAC addresses ;
video surveillance recording.

What geographical scope? All personal data processing whose data controllers (e.g. start-ups carrying out the processing) or means of processing are located on Moroccan territory must comply with law 09-08 of February 18, 2009 (BO n°5714 of 05-03-2009).

WHAT SHOULD I DO IF I PROCESS PERSONAL DATA IN MOROCCO WITH REGARD TO THE CNDP?

All processing of personal data must be declared to the CNDP prior to implementation (with the exception of those excluded from the scope of law no. 09-08, or exempt from declaration to the CNDP, or subject to prior authorization).

Warning 1: if you treat sensitive data, i.e. in particular data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data or data relating to health, genetic data or data containing the CIN, must be processed.
a request for authorization from the CNDP
. It is not a matter of declaring that personal data will be processed, but of requesting authorization from the CNDP to process sensitive data;

Warning 2: if you transfer data abroad (outside Morocco), or for example, if personal data is hosted or transmitted abroad, you must also complete
a request for the transfer of data abroad
to the CNDP.

WHAT IS THE PROCEDURE FOR DECLARING PERSONAL DATA PROCESSING?

Step 1:

Download the standard declaration form F211 or the simplified standard declaration form (in accordance with a decision) F214 prior to processing personal data and return it to the CNDP. This form must be accompanied by

a document authorizing the signatory to bind the legal entity;
a copy of the signatory’s national identity card ;
any other relevant documents.

For information on what to include in the declaration :
https://www.cndp.ma/fr/service-en-ligne/responsables-de-traitement.html

Step 2:

The CNDP issues a receipt for the declaration within 24 hours.
Within 8 days, the CNDP notifies the startup declaring its decision to submit the processing to the prior authorization regime, if it considers that the envisaged processing presents manifest dangers for the respect and protection of the privacy and fundamental rights and freedoms of the persons concerned.

Please note that if the file is incomplete, these deadlines do not start to run until the information or documents requested by the CNDP have been provided.

WHY DO YOU HAVE TO COMPLY WITH REGULATIONS?

Why do you need to comply with Law 09-08?

To avoid the financial penalties provided for under law 09-08, as well as criminal convictions!

But that’s not all: complying with the requirements of Law 09-08 sets you apart from your competitors. This gives you an extremely positive competitive edge, in terms of your company’s reputation and brand image. This demonstrates exemplary management of the personal data processed on your customer’s behalf, as well as compliance with security and confidentiality measures.

References :

Dahir n° 1-09-15 du 22 safar 1430 (18 février 2009) portant promulgation de la loi n° 09-08 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel.

Decree 2-09-165 of May 21, 2009 implementing law no. 09-08 on the protection of individuals with regard to the processing of personal data.

Form : I would like to be assisted in my personal data protection compliance project

En remplissant ce formulaire de contact, African Legal Factory recueille et traite vos données à caractère personnel en tant que responsable de traitement afin de répondre à toutes vos interrogations. Vous disposez sur vos données d’un droit d’accès, de rectification, d’opposition, à l’effacement, à la limitation, à la portabilité et de donner des directives sur le sort de vos données après votre décès. Pour plus d’information relative au traitement de vos données personnelles veuillez consulter notre Politique de Confidentialité. [Privacy Policy]

Cookie	Duration	Description
__stripe_mid		Stripe sets this cookie to process payments.
__stripe_sid		Stripe sets this cookie to process payments.
_abck		This cookie is used to detect and defend against replay attempts. This cookie manages interaction with online robots and takes appropriate action.
ak_bmsc		This cookie is used by Akamai to optimize site security by distinguishing between humans and robots.
bm_sz		This cookie is set by the Akamai Bot Manager provider. This cookie is used to manage interaction with online bots. It also contributes to fraud prevention.
cookielawinfo-checkbox-analytics		Defined by the GDPR Cookie Consent plugin, this cookie is used to record user consent for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Functional" category.
cookielawinfo-checkbox-indispensable		The cookie is set by the GDPR cookie consent plugin to record the user's consent for cookies in the "Indispensable" category.
cookielawinfo-checkbox-necessary		Defined by the GDPR Cookie Consent plugin, this cookie is used to record the user's consent for cookies in the "Necessary" category .
cookielawinfo-checkbox-others		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Other" category.
CookieLawInfoConsent		Saves the state of the default button for the corresponding category and the state of the CCAC. It only works in coordination with the primary cookie.
redux_blast		This cookie is necessary for the operation of certain WordPress theme elements that make the website appear in the most optimal way for the visitor's device.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also tracks site usage for the site analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5BN1MYEN2Y		This cookie is set by Google Analytics.
_gat_gtag_UA_157972103_1		Defined by Google to distinguish users.
_gid		Installed by Google Analytics, the _gid cookie stores information about how visitors use a website, while creating an analytical report of site performance. The data collected includes the number of visitors, where they come from and the pages they visit anonymously.
CONSENT		YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
last_pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
last_pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_first_visit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_session_limit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_start_session		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.

Cookie	Duration	Description
_mcid		This is a Mailchimp functionality cookie used to evaluate UI/UX interaction with its platform.
bm_sv		This cookie is required for Akamai's cache function. A cache is used by the website to optimize the response time between the visitor and the website. The cache is usually stored on the visitor's browser. User bandwidth results are stored in this cookie to ensure that the bandwidth test is not repeated for the same user multiple times for the Akamai cache function.
cookies.js		No description available.
m		This cookie is set by stripe.
mailchimp_landing_site		This cookie is set by MailChimp to record the page the user visited for the first time.
pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
stm_lms_courses_watched		No description
wmc_current_currency		save currency settings.
wp_woocommerce_session_b80c8f798ec84ed7476594d4acafc57c		Contains a unique code for each customer, so you know where to find the basket data in the database for each customer.