MOROCCO
DATA PROTECTION FACTSHEET
-
Population: 36,910,558
Capital: Rabat
Prime Minister: Aziz Akhannouch
2021 Freedom House Score: 37/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, Article 24 provides that any person has the right to the protection of their private life.
DPA legislation: In 2009, Morocco enacted Law No. 09-08 relating to the protection of individuals with regard to the processing of personal data and its corresponding implementation decree, Decree No. 2-09-165 (referred to collectively as the DP Law). The legislation — which created an independent data regulator in the Commission Nationale de Protection des Données Personnelles (CNDP) — was notably progressive for its time. However, it has more recently been criticized for lagging behind leading international standards.
Morocco also had its application to accede to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) (Convention 108) and its additional protocol regarding supervisory authorities and trans-border data flows ratified on 28 May 2019.
Under the DP Law, data subjects have the right to:
- have their personal data corrected;
- access their personal data and the reasons for its processing;
- object to the further processing of their personal data, at any time;
- prevent processing of personal data for purposes of direct marketing; and
- object to a decision based solely on automatic processing that would significantly affect the or produce adverse legal repercussions for them.
-
ICCPR: Signed
Council of Europe Convention 108: Ratified
Council of Europe Convention 185: Ratified
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal data is any information regardless of its nature and format, relating to an identified or identifiable person.
Sensitive data is personal data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership of the person concerned, or information relating to his, her or their health, including genetic data.
Sensitive data shall not be processed without affirmative consent from the data subject or unless an exception applies.
-
Personal data must be:
- processed fairly and lawfully;
- processed to the extent necessary, relevant, and not to excess;
- collected for specific, explicit, and legitimate purposes;
- accurate and kept current; and
- kept in a form enabling the person concerned to be identified.
Prior consent from the data subject is generally required for processing, but consent is unnecessary when the information concerns:
- compliance with a legal obligation;
- the commencement or execution of a contract to which the data subject is a party;
- the protection of the vital interests of the data subject, if he or she cannot consent;
- the performance of a task of public interest or related to the exercise of public authority; or
- the fulfilment of the legitimate interests pursued by the data controller or by the recipient, when not outweighed by the interests or fundamental rights and freedoms of the data subject.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: No
Exceptions exist to breach notifications: NA
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: No
-
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: No
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: No
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Unclear
Number of members in DPA: 7
Maximum term length for members of the DPA (years): 10
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
Personal data transfers outside Morocco require prior authorisation from the CNDP. The person in charge of the processing operation can only transfer personal data to a foreign state if the state has an adequate level of privacy protection regarding the data, unless:
- The data subject has expressly consented to the transfer; or
- The transfer and subsequent processing are required for:
- compliance with a legal obligation;
- the commencement or execution of a contract to which the data subject is a party;
- the protection of the vital interests of the data subject, if he or she cannot consent;
- the performance of a task of public interest or related to the exercise of public authority; or
-
- the fulfilment of the legitimate interests pursued by the data controller or by the recipient, when not outweighed by the interests or fundamental rights and freedoms of the data subject.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 24 May 2022