ALF - African Legal Factory services juridiques pour startup en Afrique > Articles > Morocco > Who will protect your personal data in Morocco in 2024? The competent authorities?

Who will protect your personal data in Morocco in 2024? The competent authorities?

20 February 2024
Posted by: André AGBEVOR
Category: Morocco Personal data

No Comments

⏩ Discover the Moroccan authorities responsible for protecting your personal data in 2024. Our comprehensive guide explains everything you need to know

Introduction

In Morocco, the protection of personal data is governed by law no. 09-08 on the protection of individuals with regard to the processing of personal data ( Loi n°09-08).

For the record, personal data is defined as any information, of whatever kind and irrespective of its medium, including sound and image, concerning an identified or identifiable natural person, referred to as the “data subject”.

As a reminder, all processing of personal data must be declared to the CNDP prior to implementation (with the exception of those excluded from the scope of law no. 09-08, or exempt from declaration to the CNDP, or subject to prior authorization).

Please note: if you are processing sensitive data, i.e. data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data or data relating to health, genetic data or data containing the CIN, you must apply to the CNDP for authorization.

Note that if you are transferring data abroad (outside Morocco), or for example, if personal data is hosted or transmitted abroad, you must also submit a request for the transfer of data abroad to the CNDP.

Who protects your personal data in Morocco?

Law no. 09-08 stipulates that the Commission nationale de contrôle de la protection des données à caractère personnel (the CNDP or the Commission) is theauthority “responsible for implementing and ensuring compliance with the law”. [ses] provisions ” relating to the protection of personal data (articles 27 et seq.).

The CNDP is responsible for verifying that the processing of personal data is lawful and legal, and that it does not infringe privacy or fundamental rights and freedoms.

The Commission is located at the following address: Avenue Al Arz, Secteur 4, M1, Hay Riad – Rabat Morocco.

How can you enforce your rights with the CNDP?

If you feel that those responsible for processing your personal data are infringing your rights, you can send a complaint to the CNDP: it will help you to assert your rights.

You also have the right to contact any organization likely to hold your personal data (data controller) to exercise your rights of access, rectification and opposition.

You can file your complaint through the following channels:

online on the CNDP website;
by sending an email to CNDP ;
by sending a letter (you may find inspiration in the sample letter below).

Sample letter

Subject: Complaint concerning the processing of my personal data by the company [indiquer le nom de la société]

Mr. Chairman,

I have the honour of sending you a complaint regarding the processing of my personal data by [indiquer le nom de la société], a company registered in the commercial register of [indiquer le registre de commerce auprès duquel est inscrite la société] under number [indiquer le numéro du registre de commerce] and whose registered office is at [indiquer le siège social de la société].

Describe the reasons for your complaint and the steps you have taken to contact the data controller. Ex: “The company whose details are given above processes my personal data. The aforementioned company has not provided me with any means enabling me to consult my personal data in its possession, despite the correspondence I have sent it, copies of which are attached to this letter”].

I would be grateful if you could instruct your departments to oblige the company to comply with the provisions of law 09-08.

Please accept, Mr. Chairman, the assurance of my deepest respect.

Declaring personal data processing in Morocco

SEE ARTICLE

What are the CNDP’s missions?

The CNDP is responsible for the following tasks:

1. Give your opinion :

to the government or parliament on draft or proposed legislation or draft regulations relating to the processing of personal data;
to the competent authority on draft regulations creating files relating to personal data collected and processed for the purposes of preventing and punishing crimes and offences, the opinion requested, in this case, is equivalent to a declaration;
to the competent authority on draft and proposed legislation concerning the creation and processing of data relating to surveys and statistical data collected and processed by public authorities;
to the government on the modalities of the declaration prior to the processing of personal data ;
to the government on the procedures for inclusion in the national register ;
to the government on the rules of procedure and data protection for security file processing that must be registered.

2. Receive :

notification of the identity of the representative established in Morocco who replaces the data controller residing abroad;
declarations prior to the processing of personal data and issue a receipt for the declaration;
the identity of the controller of registers held for public access.

What resources does the CNDP have to carry out its missions?

The CNDP has the following powers:

powers of investigation and inquiry enabling its agents to gain access to the data being processed, to request direct access to the premises on which the processing is carried out, and to gather and seize all information and documents necessary to perform their control functions;
power to order the disclosure of documents of any kind or on any medium enabling it to examine the facts concerning the complaints referred to it;
power to order or carry out or cause to be carried out any modifications necessary to ensure that the data contained in the file is kept in good faith;
the power to order the blocking, erasure or destruction of data, and the power to prohibit, temporarily or permanently, the processing of personal data, even those included in open data transmission networks from servers located on national territory.

The CNDP exercises its powers in compliance with a disciplinary procedure that guarantees the rights of the defense, and in particular the adversarial principle specified in its internal regulations.

What is the composition of the CNDP?

The CNDP is made up of seven members:

a president appointed by His Majesty the King;
six members also appointed by His Majesty the King, on the proposal of: the Prime Minister, the President of the House of Representatives, the President of the House of Councillors.

CNDP members are appointed for a five-year term, renewable once only.

The detailed organization chart of CNDP members is available on the Commission‘s website.

How is the CNDP administered?

The Commission is managed by a Chairman. The Chairman convenes and chairs Commission meetings. Commission meetings are valid when at least two-thirds of the members are present. Decisions are taken by a majority of members present. In the event of a tie, the Chairman has the casting vote.

The Chairman is assisted in his administrative and financial duties by a Secretary General appointed by the government on the Chairman’s proposal. The General Secretary is responsible for :

manage staff recruited or seconded according to the President’s decisions;
prepare and implement the Commission’s budget ;
prepare and award National Commission contracts;
prepare working documents for Commission meetings and keep a record of its decisions;
monitor the work of the committees set up by the Commission, and provide them with the material and human resources they need to carry out their tasks.

What is the status of CNDP members?

Incompatibility rules

The duties of CNDP member are incompatible with those of the following corporate offices held within a personal data processing company: director, manager, member of the management board, sole managing director, member of the supervisory board.

A member of the CNDP may not take part in deliberations or verifications relating to a body in which he or she has held an interest, direct or indirect, or has exercised a mandate or function, if a period of five years has not elapsed between the date on which the function ceased, the mandate ended or the interest was disposed of and the date of his or her appointment to the CNDP.

Professional secrecy

Members of the CNDP are bound by professional secrecy with regard to facts, acts and information that may come to their knowledge in the performance of their duties. They are subject to the same obligation, even after the end of their term of office.

The civil servants, agents or technicians who perform functions within the National Commission or with its members are also subject to the obligation to respect professional secrecy.

Legal protection

The members, civil servants, agents and technicians of the National Commission are protected against any insult or attack on their person.

Are CNDP meetings open to the public?

Commission meetings are not open to the public. However, any person whose presence is required by the Commission may attend meetings.

For further information, please consult the following articles:

Cookie	Duration	Description
__stripe_mid		Stripe sets this cookie to process payments.
__stripe_sid		Stripe sets this cookie to process payments.
_abck		This cookie is used to detect and defend against replay attempts. This cookie manages interaction with online robots and takes appropriate action.
ak_bmsc		This cookie is used by Akamai to optimize site security by distinguishing between humans and robots.
bm_sz		This cookie is set by the Akamai Bot Manager provider. This cookie is used to manage interaction with online bots. It also contributes to fraud prevention.
cookielawinfo-checkbox-analytics		Defined by the GDPR Cookie Consent plugin, this cookie is used to record user consent for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Functional" category.
cookielawinfo-checkbox-indispensable		The cookie is set by the GDPR cookie consent plugin to record the user's consent for cookies in the "Indispensable" category.
cookielawinfo-checkbox-necessary		Defined by the GDPR Cookie Consent plugin, this cookie is used to record the user's consent for cookies in the "Necessary" category .
cookielawinfo-checkbox-others		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Other" category.
CookieLawInfoConsent		Saves the state of the default button for the corresponding category and the state of the CCAC. It only works in coordination with the primary cookie.
redux_blast		This cookie is necessary for the operation of certain WordPress theme elements that make the website appear in the most optimal way for the visitor's device.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also tracks site usage for the site analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5BN1MYEN2Y		This cookie is set by Google Analytics.
_gat_gtag_UA_157972103_1		Defined by Google to distinguish users.
_gid		Installed by Google Analytics, the _gid cookie stores information about how visitors use a website, while creating an analytical report of site performance. The data collected includes the number of visitors, where they come from and the pages they visit anonymously.
CONSENT		YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
last_pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
last_pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_first_visit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_session_limit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_start_session		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.

Cookie	Duration	Description
_mcid		This is a Mailchimp functionality cookie used to evaluate UI/UX interaction with its platform.
bm_sv		This cookie is required for Akamai's cache function. A cache is used by the website to optimize the response time between the visitor and the website. The cache is usually stored on the visitor's browser. User bandwidth results are stored in this cookie to ensure that the bandwidth test is not repeated for the same user multiple times for the Akamai cache function.
cookies.js		No description available.
m		This cookie is set by stripe.
mailchimp_landing_site		This cookie is set by MailChimp to record the page the user visited for the first time.
pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
stm_lms_courses_watched		No description
wmc_current_currency		save currency settings.
wp_woocommerce_session_b80c8f798ec84ed7476594d4acafc57c		Contains a unique code for each customer, so you know where to find the basket data in the database for each customer.