This country-specific Q&A provides an overview of Data Protection laws and regulations applicable in Morocco.
Please provide an overview of the legal and regulatory framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws)?
The fundamental right to privacy is contained in Article 24 of the Constitution of 2011, which provides:
“Everyone has the right to the protection of his or her private life. The home is inviolable.
Searches may only be carried out under the terms and in the ways provided by the law. Private communications, in all their forms, are secret. Only the courts may authorize, under the conditions and in the forms provided for by the law, access to their contents, their total or partial disclosure or their invocation at the expense of any person.
Freedom of circulation and establishment within the national territory, and freedom to leave and return to it, in accordance with the law, shall be ensured to all”.
The Constitution affirms the principle of the right to protection of privacy and seeks to protect the rights of individuals with regard to their personal information.
Furthermore, the Constitution has established the supremacy of ratified international conventions and imposes the respect thereof at the national level.
The Moroccan legislature has established a system of legal protection for personal data by adopting the following laws:
Law No. 09-08 on the Protection of Individuals with Regard to Processing of Personal Data and its Implementing Decree No. 1-09-15;
Law No. 31-08 on Consumer Protection, Including Online Advertising and Spamming;
Law No. 07-03 supplementing the Penal Code regarding the repression of offenses relating to automated data processing systems;
Law No. 34-05 amending and supplementing Law 2-00 relating to copyright and neighboring rights.
In Morocco, the collection and processing of personal data is governed by Law No. 09-08 on the Protection of Individuals with Regard to Processing of Personal Data and its Implementing Decree No. 1-09-15 (the “Data Protection Law”).
The Data Protection Law regulates automatic and some manual processing of personal data and sensitive personal data. Processing of personal data means any operation or set of operations performed by automatic or non-automatic means that forms part of a filing system.
The Data Protection Law regulates the collection and processing of personal data of individuals in Morocco (referred to as “data subjects” in the following Q&A) and does not protect legal persons such as limited liability companies and private limited companies.
The National Control Commission for the Protection of Personal Data (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel) (the “CNDP”) is responsible for enforcing the Data Protection Law and has also issued several binding decisions on personal data processing for different purposes.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
The data controller must take a number of measures to comply with the requirements of the Data Protection Law. In particular, before processing any data, the controller must either file a declaration with the CNDP or obtain its authorisation.
Indeed, the Data Protection Law requires controllers to obtain prior authorization from the CNDP before processing:
sensitive personal data;
data for purposes other than those for which it was collected;
genetic data not used by health workers for medical purposes, whether for preventive medicine, diagnosis, or care;
personal data involving offenses, convictions, or security measures not used by court officers;
the identification card number of the data subject; or
interconnected files belonging to legal persons with different main purposes, or to one or more legal persons managing public services with different public interest purposes.
Where the processing is not subject to prior authorization, in particular where it does not involve the data listed above, a declaration (notification) to the CNDP is required before the personal data is processed.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The Data Protection Law defines personal data as information of any kind relating to an identified or identifiable natural person, regardless of its form, including sound and images. An identifiable person is one who can be identified directly or indirectly, especially by reference to (i) an identification number and (ii) one or more specific elements of the person’s physical, physiological, genetic, psychological, economic, cultural, or social identity.
Sensitive personal data includes personal data revealing a natural person’s (i) racial or ethnic origin, (ii) political opinions, (iii) religious and philosophical beliefs, (iv) trade union membership, and (v) health data, including genetic data.
What are the principles related to the general processing of personal data or PII?
Personal data must be processed fairly and lawfully, which requires the controller to provide data subjects with information about the circumstances in which it collects personal data, such as the categories of recipients of the personal data, whether providing the personal data is obligatory or voluntary, the possible consequences of failing to provide personal data and the existence of the rights to access and rectify the collected personal data.
Moreover, personal data must be collected for specific, explicit and legitimate purposes, which means that the controller must ensure that it collects data only for purposes permitted by the Data Protection Law (e.g. to comply with a legal obligation, to perform a contract with the data subject, etc.).
The collection of personal data must also be adequate, relevant and not excessive: the controller must collect only the personal data required for the purpose of the processing in question.
Personal data must be accurate and necessary and kept up to date. All necessary measures must be taken to ensure that data which are inaccurate or incomplete, with regard to the purposes of their collection and further processing, are erased or rectified.
Finally, personal data must be kept in a form enabling the person concerned to be identified only for a specified period, which means that the personal data must be encrypted and anonymized.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII and, if so, are there rules relating to the form, content and administration of such consent?
As a principle, the Data Protection Law requires the data controller to obtain the consent of the data subjects before processing their personal data unless an exception applies (as mentioned below).
The data subject must give consent to the processing of his or her personal data freely, specifically and in an informed manner.
It should be noted that the Data Protection Law does not specify rules relating to the form of the consent, but the consent must leave no doubt as to the data subject’s intent to consent (e.g. where consent is obtained from the data subject electronically, it may be sufficient provided it meets all the requirements set by the Data Protection Law).
However, controllers are allowed to process personal data without data subject consent in the following circumstances:
To comply with a legal obligation to which the data subject or controller is subject.
To perform a contract with the data subject or pre-contractual measures at the request of the data subject.
To protect the vital interests of the data subject, if the data subject is physically or legally incapable of giving consent.
To perform a task carried out in the public interest, or in the exercise of the official authority vested in the data controller or a third party to whom the personal data is disclosed.
To pursue the data controller’s or a third party’s legitimate interests, unless the interest of the data subject or fundamental rights and freedom prevail.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
First, the controller must obtain the express consent of the data subjects before processing their sensitive personal data (unless one of the situations described in question 8 applies).
Moreover, the controller is required to obtain prior authorization from the CNDP before processing sensitive personal data.
Finally, the controller is required to comply with special security requirements when processing sensitive or health-related data.
How do the laws in your jurisdiction address children’s personal data or PII?
Moroccan law does not impose any special requirements for the processing of children’s personal data.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The Data Protection Law provides for derogations from its scope, exclusions from the obligation to inform data subjects and from the requirement to obtain their consent, and limitations on the data subjects’ right to object.
Firstly, the Data Protection Law identifies the personal data processing that falls outside its scope, including:
Processing by a natural person for exclusively personal or domestic activities;
Processing concerning public security, defence, and state security;
Processing authorized under another law;
Collection and processing to prevent crime in accordance with applicable legal conditions. However, the controller must notify the CNDP of its identity, the basis for the processing, the purpose of the processing, the category or categories of data subjects and the categories of personal data relating to them, the origin of the collected personal data, the third parties to whom the data may be communicated and the measures taken to ensure the security of the processing.
In addition to the exclusions mentioned in question 5 above, controllers are not required to provide information about the personal data processing to data subjects when:
the processing is necessary for national defense, internal or external state security, or crime prevention;
it is impossible for the controller to provide the information, particularly in cases of personal data processing for statistical, historical, or scientific purposes; the controller must notify the CNDP of the impossibility and of the reasons for it;
Moroccan law expressly authorizes the recording or disclosure of the personal data; or
the processing is solely for journalistic, artistic, or literary purposes.
Finally, the Data Protection Law limits the data subjects’ right to object, in particular where the processing is based on a legal requirement, where the right to object cannot be exercised because the Data Protection Law itself allows the processing, and where the objection is unjustified. Indeed, to exercise their right to object, data subjects must show that they have legitimate reasons to object to the processing.
In practice, the CNDP usually requires the data controller to demonstrate the data subjects’ consent even in the situations excluded by the Data Protection Law.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The Data Protection Law does not mention privacy by design or privacy by default. However, on 26 March 2020, the CNDP published a press release reminding the actors subject to the Data Protection Law of the principles of “Privacy by Design”, so that compliance is ensured at the earliest possible stage of their projects rather than in the final phases.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
The controller is not required to establish an internal register, as required in Europe by the General Data Protection Regulation (GDPR).
However, it is recommended that the controller maintain a record of the data processing it carries out and establish internal data-processing policies enabling its employees to monitor the use and processing of personal data and informing them of their obligations with regard to the personal data that the company holds.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
The Data Protection Law does not provide for any requirement to consult the CNDP, but consultation is recommended where the controller encounters difficulties in ensuring its compliance with the legal requirements.
However, the CNDP could be consulted by the data subjects and by any institution directly or indirectly concerned by the Data Protection Law.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
The Data Protection Law requires businesses (controllers) to provide data subjects with a notice including the following information in the documents serving the collection of personal data:
The identity of the controller or the controller’s representative;
The purpose of the processing;
Any additional information, such as:
The recipients or categories of the data processed;
If providing the data is obligatory or voluntary;
The possible consequences of a failure to provide the data;
The existence of the right of access and the right to rectify the data;
Information about the receipt delivered by the CNDP after the declaration or request for authorization for personal data processing.
It should be noted that the notice must be delivered before collecting the data subject’s personal data.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (E.g. are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The Data Protection Law draws a distinction between controllers and processors of personal data, in particular in terms of their obligations.
The controller is defined as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by laws or regulations, the controller must be indicated in the law governing the organization and operation or in the statute of the entity legally or statutorily competent to process the personal data in question.
The processor, by contrast, is defined as the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller, which means that the processor may only act under the instructions of the controller.
The processor is bound by the obligations of confidentiality and security of the data processing activities pursuant to the contract governing the relationship between the controller and the processor.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g. due diligence or privacy and security assessments)?
When data processing is conducted by a processor on behalf of the controller, the controller must choose a processor providing sufficient guarantees in respect of the technical and organizational security measures relating to the processing activities, and must ensure that the processor complies with those measures.
Furthermore, the Data Protection Law requires that processing by a processor be governed by a contract or legal act legally binding the processor to the controller. The contract must provide in particular that the processor shall act solely on the instructions of the controller and that the obligations of security and confidentiality laid down by the applicable law, as described below, and by which the controller is bound shall also be incumbent on the processor.
The Data Protection Law requires controllers to implement technical and organizational measures to protect personal data against (1) accidental or unlawful destruction, (2) accidental loss, alteration, disclosure, or unauthorized access and (3) all other unlawful forms of processing, especially when the processing involves data transmission over a network. These requirements must be reproduced in the contract with the processor so that the processor is bound to comply with them.
Moreover, the processing of sensitive or health-related data is subject to additional security measures. The controller must in particular:
Deny unauthorized persons access to the facilities used for data processing (facilities access control);
Prevent unauthorized reading, copying, modification, or removal of data media (data media control);
Prevent unauthorized input of the data and unauthorized inspection, modification, or deletion of stored data (storage control);
Prevent the use of automated data processing systems by unauthorized persons using data communication equipment (user control);
Ensure that persons authorized to use an automated data processing system have access only to the data covered by their access authorization by means of individual and unique user identities and confidential access modes (data access control);
Verify the entities to which they transfer data using data transmission facilities (transmission control);
Ensure it is possible to verify afterward, within an appropriate timeframe based on the sector, what data was introduced, when it was introduced, and by whom (introduction control);
Prevent unauthorized reading, copying, modification, or deletion of the data during transfer or transport (transport control).
When entering into a contract with a processor, the controller must make sure that the contract contains provisions triggering the processor’s liability if the above obligations are not respected.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
The Data Protection Law has not provided any specific definition of the monitoring or profiling of the data subjects.
However, opt-in consent is required both for monitoring or profiling and for the use of tracking technologies such as cookies.
The Data Protection Law provides that data subjects are entitled to access, and to know the logic behind, any automated processing of personal data concerning them, which could result in profiling.
Please describe any laws in your jurisdiction addressing email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
Provided that the prior consent of the data subject to receive marketing messages is given and that this processing has been previously declared to the CNDP, the data controller is allowed to send direct prospecting messages.
However, prior consent is not required for direct prospecting through the various forms of electronic messages (i) if the contact details were collected directly from the person concerned in connection with a previous sale of products or services related to those included in the prospecting message and (ii) if the recipient is given the possibility to object, free of charge (other than the cost of transmitting the refusal), to the use of his or her contact details for direct prospecting e-mails.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
The Data Protection Law defines biometric data as personal data and distinguishes between genetic data and biometric data. Genetic data is defined as sensitive data subject to the rules described in the previous questions.
The processing of biometric data is subject to the provisions of CNDP Decision No. 478-2013 of 1 November 2013 on the conditions necessary for the use of biometric devices for access control. This decision lays down the rules for the use of biometric data and makes the installation of a biometric device subject to prior authorization by the CNDP.
However, the CNDP may authorize the use of biometric data for access control to sensitive premises and facilities under the following conditions:
the controller must show that alternative methods of access control are not sufficiently reliable to secure the site;
only the biometric data of a limited number of persons who are regularly or temporarily present on the site for the performance of their mission may be processed;
biometric data cannot be used in its original form; for example, for fingerprints, only a limited number of features may be extracted;
the controller shall not establish a database for the storage of the collected biometric data, although in certain specific cases the establishment of a database may be authorized by the CNDP;
as a general rule, the data must be recorded on a medium held exclusively by the data subject, such as a smart card or magnetic card;
the biometric devices must be used for authentication purposes and not for identification purposes.
The case of facial recognition seems to involve a risk to privacy, and has been subject to a 7-month moratorium which came into force on 2 September 2019 and has been extended until 31 December 2020.
During this period, no authorization will be delivered by the CNDP regarding the use of this technology. The CNDP is conducting experimentation with biometric and facial recognition technologies on a case-by-case basis, as well as any solution that could contribute to reduce, directly or indirectly, the health risk related to COVID-19.
However, by deliberation No. D-108-EUS/2020 of 23 April 2020 on the use of facial recognition technologies in the context of the remote account system used by banks and payment institutions, the CNDP established an exception to the above-mentioned moratorium.
The CNDP allows credit institutions to implement biometric authentication systems based on facial recognition technologies for account opening, in order to improve customers’ digital onboarding. The CNDP took into account the economic impact and the challenges of implementing facial recognition technologies, in particular during the state of health emergency.
In order to establish biometric authentication systems based on facial recognition technologies, banks and payment institutions are required to:
obtain the authorization for the processing;
carry out the authentication phases using the services provided by the trusted national third-party system managing official identity, as soon as that system is established;
organize the architecture of the information system on appropriate principles enabling the authentication phases to be easily switched to the trusted third-party system (API-type architectures or others).
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
The Data Protection Law allows the transfer of personal data to countries providing a sufficient level of protection of privacy and fundamental rights and freedoms of individuals.
By the deliberation n° 236-2015 of 18 December 2015 modifying deliberation n° 465-2013 of 6 September 2013, the CNDP established the list of countries providing sufficient protection of privacy and fundamental rights and freedoms of individuals with regard to the processing of personal data.
The controller must notify the CNDP before transferring personal data to a country included on the established list as providing a sufficient level of protection.
Data controllers may also transfer personal data to a country not included on the list established by the CNDP only if one of the following conditions applies:
the data subject expressly consents to the transfer;
the transfer is necessary to safeguard the life of the person concerned, to preserve the public interest, to establish, exercise, or defend a right in court, to perform a contract between the controller and the data subject, to perform a contract between the controller and a third party in the data subject’s interest, to execute an international mutual legal assistance measure, or to prevent, diagnose, or treat medical conditions;
the transfer is covered by a bilateral or multilateral agreement to which Morocco is a party; or
the CNDP expressly authorizes a transfer that provides a sufficient level of protection of the data subject’s privacy and fundamental rights and freedoms, particularly by virtue of contractual clauses, such as a data transfer agreement, or binding corporate rules.
In these situations, the controller must submit a request to the CNDP to obtain an authorization allowing the transfer of data abroad.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
The Data Protection Law requires controllers to implement technical and organizational measures to protect personal data against (i) the accidental or unlawful destruction, (ii) the accidental loss, alteration, disclosure, or unauthorized access, and (iii) all other unlawful forms of processing especially when the processing involves data transmission in a network.
In addition, the security measures should ensure, considering the current state of the art and the implementation costs, an appropriate level of security for the risks of processing and the nature of the data to be protected.
The Data Protection Law also requires processors, or any person acting under their authority, to process personal data in accordance with both the instructions of the controllers and the legal requirements.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The Data Protection Law does not define “security breach” and does not require the controller to report security breaches.
Does your jurisdiction impose specific security requirements on certain sectors or industries (e.g. telecoms, infrastructure)?
In Morocco, Decree No. 2-15-712 of 22 March 2016 establishing the system for the protection of sensitive information systems of critical infrastructures (“Decree No. 2-15-712”) requires the sectors of vital importance, in particular administrations, public establishments and enterprises, and bodies holding a state agreement or license to perform a regulated activity (i.e. those relating to public security, the financial sector, industry, transport networks, energy production and distribution, mining, water supply and distribution, telecommunications and postal services, audiovisual and communications, health and justice), to establish special measures for the protection of sensitive data in the critical infrastructure sector.
The National Directive on Information Systems Security (DNSSI) is a document issued by the DGSSI and published on its portal to establish the organizational and technical security measures to be implemented by public administrations and organizations and by critical infrastructures.
Compliance with the DNSSI is assessed against the following principles, derived from the National Cyber Security Strategy and validated by the CSSSI on 5 December 2012:
Organizational structure;
Information systems mapping;
Establishing a budget for information systems security;
Control of the administrators of the entities’ information systems;
Protection of data by following the security rules specified by the DNSSI;
Training and awareness of system and network administrators and IT users about their rights and obligations;
Hosting the entities’ sensitive data on the national territory.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Reporting of security breaches is not required by law. However, the Directorate General for Information Systems Security (Direction Générale de la Sécurité des Systèmes d’Information, DGSSI) publishes security reports identifying IT security vulnerabilities affecting IT providers.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
The legal requirements regarding cyber-crime are provided by Law No. 07-03 supplementing the Penal Code with regard to offences relating to automated data processing systems, promulgated by Dahir No. 1-03-197 of 11 November 2003.
This is the first legal instrument dealing with computer-related crimes; it provides for sanctions for offences against automated data processing systems and for violations of rights committed over the Internet.
The following offences are covered by the provisions of Law No. 07-03 supplementing the Penal Code:
Fraudulent intrusion into, or fraudulent remaining in, an automated data processing system;
Interference with the operation of an automated data processing system;
Deliberate data breaches; and
Association of cybercriminals.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
In September 2011, Morocco created the Directorate General for Information Systems Security (DGSSI) under the Ministry of National Defense.
The DGSSI takes over some of the prerogatives of the National Telecommunications Regulatory Agency (ANRT) in particular those relating to cryptography and electronic certification.
The DGSSI adopted a national cybersecurity strategy aiming to provide Moroccan information systems with defense and resilience capabilities, in order to create the conditions for an environment of trust and security.
In addition, a Computer Alert and Incident Management Center (MA-CERT) attached to the DGSSI has been created and acts as a monitoring, detection and response center for computer attacks. Thus, when a critical infrastructure is the victim of an attack, it must communicate to MA-CERT, within 48 hours, information relating to major incidents affecting the security or functioning of its sensitive information systems.
Finally, the National Telecommunications Regulatory Agency (ANRT) has important regulatory functions in relation to Internet service providers and to international organizations concerned with cybersecurity.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
The Data Protection Law provides data subjects with the rights listed below, which may be exercised by submitting a request to the controller, who is obliged to respond to it.
(i) the right to be informed about the collection and processing of their personal data:
The data controller or his representative must expressly, precisely and unequivocally inform any person from whom personal data are collected directly, prior to the collection of such data.
Controllers are required to provide certain information to the data subjects (see question 14) unless:
the processing is necessary for national defence, internal or external state security, or crime prevention;
providing the information proves impossible, particularly where personal data are processed for statistical, historical or scientific purposes, provided that the data controller notifies the CNDP that giving notice is impossible and of the reason for the impossibility;
Moroccan law expressly authorizes the recording or disclosure of the personal data; or
the processing is solely for journalistic, artistic or literary purposes.
(ii) the right of access, which allows data subjects to access their personal data in order to check its accuracy:
Data subjects have the right to obtain from the controller, free of charge and without delay, confirmation as to whether or not their data are being processed. They may also request the characteristics of the processing carried out, such as its purposes, the categories and origin of the data processed and the recipients to whom the data are transmitted.
(iii) the right to request the rectification or erasure of personal data whose processing does not comply with the Data Protection Law:
Data subjects have the right to request that the controller rectify, erase or block the processing of personal data that does not comply with the Data Protection Law, in particular where the data subject has found the data or the processing to be incomplete or inaccurate.
Data subjects exercise this right by contacting the controller. In the case of a request for rectification, the controller is required to reply to the data subject within ten clear days.
In the event of refusal or of no response within the above-mentioned deadline, the data subject may submit a request for rectification to the CNDP, which will instruct one of its members to carry out all necessary investigations and ensure that the rectifications are made.
(iv) the right to object to the processing of their personal data:
Data subjects may object, on legitimate grounds, to the processing of their personal data, unless the processing is required by law or the Data Protection Law expressly excludes the right to object for that processing.
Data subjects also have the right to object to the processing of their data for direct marketing purposes.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Data subjects’ privacy rights are enforceable by means of:
the CNDP, which is the authority competent to receive complaints from data subjects who consider that they have been harmed by the use and processing of their personal data, or who notice a violation of the provisions of the Data Protection Law. The CNDP is competent to examine the complaint and to follow up with the controller by ordering the publication of corrective measures. The CNDP may also, when it deems it necessary, refer the case to the Public Prosecutor for the purpose of legal proceedings;
judicial recourse, by referral to the Public Prosecutor.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Please refer to our answer to question 28.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
The data subject may bring a civil action, separately from any criminal proceedings, and may claim compensation for the damage caused by the controller’s breaches of its legal obligations, provided that the data subject establishes the breach, the damage suffered and the causal link between them.
How are the laws governing privacy and data protection enforced?
The laws concerning privacy and the protection of personal data are enforced through administrative and criminal proceedings.
Where a violation is established, the data subject may file a complaint with the police or the prosecutor in order to institute criminal proceedings.
What is the range of fines and penalties for violation of these laws?
The law establishes a list of violations subject to sanctions. They can be summarized as follows:
any processing that violates public order, safety, morality or good manners;
carrying out processing without the required authorization or declaration;
refusal of the right of access, rectification or objection;
any processing incompatible with the declared purpose;
failure to comply with the data storage period;
failure to comply with the security measures required for processing;
failure to obtain the consent of the data subject, in particular in the case of direct marketing for commercial purposes, with heavier sanctions in the case of sensitive data;
any transfer of personal data to a country not recognized as providing adequate protection;
any obstruction of the CNDP’s control missions;
any refusal to implement the decisions of the CNDP.
Violations of Data Protection Law are punishable as an administrative or criminal offense. The Data Protection Law provides for several sanctions, such as fines and/or imprisonment and/or withdrawal of CNDP authorization.
The sanctions vary according to the seriousness of the offence. Natural persons responsible for processing personal data, without prejudice to their civil liability towards the persons harmed by the offence, are liable to imprisonment of three months to two years and fines of between 10,000 and 300,000 dirhams. These sanctions may be doubled in the event of a repeat offence.
The penalties for an offence committed by a legal person, without prejudice to the sanctions that may be applied to its directors, are doubled. The legal person may also be liable to confiscation of its property and closure of its establishments.
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Yes, an appeal can be made before the Administrative Tribunal.