Law No. 09-08, Data Privacy for Moroccan Citizens

Law No. 09-08, Data Privacy for Moroccan Citizens

Morocco’s Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data, also known as Law No. 09-08 for short, is a data protection law that was passed in 2009. As Morocco was one of the many non-European countries to ratify the modernized Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data or the modernized Convention 108 for short, the country has made a concerted effort to afford their citizens a similar level of data protection and privacy as is afforded to residents of EU members states under the General Data Protection Regulation or GDPR. To this end, Law No. 09-08 outlines the legal framework that data controllers in Morocco must abide by when processing personal data.

What is the scope and applicability of Law No. 09-08?

Under Law No. 09-08, a data controller is defined to mean “the ‘natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Conversely, a data processor is defined to mean “the natural or legal person, public authority, the service or any other body which processes personal data on behalf of the controller. These definitions are consistent with those laid out by the General Data Protection Regulation or GDPR.

Alternatively, the territorial scope of the law comes into effect under the following circumstances:

What’s more, Law No. 09-08 defines the processing of personal data to mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure, or destruction”. As such, the law also applies to the processing of personal data that is either wholly or partly automated, as well as the non-automated processing of personal data that is contained or intended to be contained within manual files.\

What are the responsibilities of data controllers and processors under Law No. 09-08?

In keeping the similarities between Law. No. 09-08 and the EU’s General Data Protection Regulation, Law No. 09-08 established various data protection principles that provide the legal framework for processing of personal data within Morocco. These data protection principles state that personal data should be :

In addition to these data protection principles, Law No. 09-08 also mandates that data controllers fulfill other obligations that are commonly required by comprehensive privacy laws. These obligations include providing data subjects with data processing notifications, outlining specific rules as it pertains to international data transfers, and ensuring that data controllers and processors carry out their respective operations and duties in accordance with contracts between the two parties. Notably, Law No, 09-8 places no responsibility on data controllers and processors as it pertains to data breach notifications, specific provisions regarding children’s data, or the maintaining of data processing records.

What are the rights of data subjects under Law No. 09-08?

The rights that are afforded to data subjects under Law. 09-08 include:

In terms of penalties that can be levied against data controllers and processors include a term of imprisonment of up to six months, as well as monetary penalties ranging from MAD 10,000 ($1,064) to MAD 50,000 ($5,357), depending on the scope and severity of the offense Law No. 09-08, is enforced by the National Commission for the Protection of Personal Data Protection or CDNP for short, and some common example of compliance violations include hindering the functions of the CDNP as it relates to enforcement of the law, refusing to comply with CDNP inspectors in regards to investigations of wrongdoing, and refusing to communicate certain documents as set forth by law.

While Law No. 09-08 is designed to provide Moroccan citizens the same level of privacy and data protection as the EU’s GDPR Law, Law No. 09-08 serves as the foremost means of protecting the personal privacy of Moroccan citizens. While the law does not provide data subjects with the rights to erasure or data portability in accordance with the EU’s GDPR Law, Law No. 09-08 and the former provide similar levels of protection. As such, Moroccan citizens have effectively been guaranteed their data privacy, joining the many countries that have made such guarantees in recent years.

Related Reads