Morocco

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

Download the Act

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, Article 24 provides that any person has the right to the protection of their private life.

DPA legislation: In 2009, Morocco enacted Law No. 09-08 relating to the protection of individuals with regard to the processing of personal data and its corresponding implementation decree, Decree No. 2-09-165 (referred to collectively as the DP Law). The legislation — which created an independent data regulator in the Commission Nationale de Protection des Données Personnelles (CNDP) — was notably progressive for its time. However, it has more recently been criticized for lagging behind leading international standards.

Morocco also had its application to accede to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) (Convention 108) and its additional protocol regarding supervisory authorities and trans-border data flows ratified on 28 May 2019.

Under the DP Law, data subjects have the right to:
- have their personal data corrected;
- access their personal data and the reasons for its processing;
- object to the further processing of their personal data, at any time;
- prevent processing of personal data for purposes of direct marketing; and
- object to a decision based solely on automatic processing that would significantly affect the or produce adverse legal repercussions for them.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes
Personal Data

Personal data is any information regardless of its nature and format, relating to an identified or identifiable person.

Sensitive data is personal data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership of the person concerned, or information relating to his, her or their health, including genetic data.

Sensitive data shall not be processed without affirmative consent from the data subject or unless an exception applies.
Collection and Processing
Personal data must be:
- processed fairly and lawfully;
- processed to the extent necessary, relevant, and not to excess;
- collected for specific, explicit, and legitimate purposes;
- accurate and kept current; and
- kept in a form enabling the person concerned to be identified.
Prior consent from the data subject is generally required for processing, but consent is unnecessary when the information concerns:
- compliance with a legal obligation;
- the commencement or execution of a contract to which the data subject is a party;
- the protection of the vital interests of the data subject, if he or she cannot consent;
- the performance of a task of public interest or related to the exercise of public authority; or
- the fulfilment of the legitimate interests pursued by the data controller or by the recipient, when not outweighed by the interests or fundamental rights and freedoms of the data subject.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: No

Exceptions exist to breach notifications: NA

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: No
Accountability

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: No

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Unclear

Number of members in DPA: 7

Maximum term length for members of the DPA (years): 10
Participation
Cross-border Transfer
Personal data transfers outside Morocco require prior authorisation from the CNDP. The person in charge of the processing operation can only transfer personal data to a foreign state if the state has an adequate level of privacy protection regarding the data, unless:
- The data subject has expressly consented to the transfer; or
- The transfer and subsequent processing are required for:
  - compliance with a legal obligation;
  - the commencement or execution of a contract to which the data subject is a party;
  - the protection of the vital interests of the data subject, if he or she cannot consent;
  - the performance of a task of public interest or related to the exercise of public authority; or
- - the fulfilment of the legitimate interests pursued by the data controller or by the recipient, when not outweighed by the interests or fundamental rights and freedoms of the data subject.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 24 May 2022