Moroccan Personal Data Protection Law
View Law TextNeed Help with Moroccan Personal Data Protection Law Compliance?
Get expert guidance on implementing Morocco's data protection requirements and ensuring ongoing compliance for your organization.
Get Expert HelpOverview
The Personal Data Protection Law (Law 09-08) establishes comprehensive requirements for the protection of personal data in Morocco, enforced by the National Commission for the Control of Personal Data Protection (CNDP).
Key Facts
- Enacted in 2009
- Enforced by CNDP
- Requires registration of data processing activities
Key Principles
Lawfulness and Consent
Personal data must be processed lawfully and with proper authorization.
Requirements
- Obtain valid consent
- Identify legal basis
- Document processing grounds
- Regular compliance reviews
- Maintain consent records
Examples
- Consent mechanisms
- Legal basis documentation
- Processing records
- Compliance reports
Transparency
Organizations must be transparent about their data processing activities.
Requirements
- Clear privacy notices
- Processing purpose disclosure
- Data sharing information
- Rights notification
- Regular updates
Examples
- Privacy policies
- Data processing notices
- Rights information
- Communication records
Data Security
Implementation of appropriate security measures to protect personal data.
Requirements
- Security risk assessments
- Technical safeguards
- Staff training
- Incident response
- Regular audits
Examples
- Security protocols
- Training programs
- Incident plans
- Audit reports
Compliance Requirements
Registration Requirements
Organizations must register with the CNDP before processing personal data.
Implementation Steps
- Submit registration application
- Document processing activities
- Pay registration fees
- Maintain registration status
- Update when changes occur
Required Documentation
- Registration certificates
- Processing records
- Payment receipts
- Status updates
- Change notifications
Data Protection Measures
Implementation of appropriate technical and organizational measures.
Implementation Steps
- Conduct risk assessments
- Implement security controls
- Train staff on security
- Regular security audits
- Document security measures
Required Documentation
- Security policies
- Risk assessments
- Training records
- Audit reports
- Security documentation
International Transfer Requirements
Requirements for transferring personal data outside Morocco.
Implementation Steps
- Assess recipient country adequacy
- Implement transfer safeguards
- Obtain necessary approvals
- Document transfers
- Monitor compliance
Required Documentation
- Transfer assessments
- Safeguard documentation
- Approval records
- Transfer logs
- Monitoring reports
Enforcement & Penalties
Administrative Penalties
The National Commission for the Control of Personal Data Protection (CNDP) can impose administrative penalties for violations.
Penalty Categories
Example Cases
Criminal Penalties
Serious violations may result in criminal prosecution.