Personal Data-Protection
At a time marked by the surge of big data and the omnipresence of information systems, the issue of personal data protection simply cannot be overlooked by companies. In Morocco, Law no. 09-08 and the CNDP impose a strict framework on the processing of such data. Moreover, many small and medium-sized companies must also take the European RGPD into account in order to keep their business running. Let us explain why this is important.
The processing of data pertaining to natural persons by companies covers a large number of operations: human resources management; billing; access control; video surveillance; marketing campaigns; website or mobile application use, etc. Through these operations, countless items of personal data, such as persons' names, their contact details, their national identity card numbers, their photos, and any other information deemed useful to a company's business, may indeed be recorded.
Observing Moroccan Laws
While these operations are often indispensable to the work performed by each company, they must not entail any breach of the private life or the rights of the persons concerned. It is to this end that Law 09-08 was adopted and the CNDP (the National Commission for the Control of Personal Data Protection) was established. Thus, according to this commission, "all processing operations for which the persons or entities are responsible or any processing that takes place within the territory of Morocco, whether they be the property of a Moroccan entity or a foreign principal (subcontracting, relocation, etc.) are required to comply with Law 09-08, dated February 18, 2009 (BO no. 5714, dated March 5, 2009)."
The Requirements of the Law
Pursuant to this law, companies must notify the CNDP before engaging in any personal data processing and, where required, obtain the necessary authorizations. They must ensure that the data is collected and processed in a fair, legitimate, and transparent way, by ensuring that it is accurate and kept up to date. Moreover, the data must be necessary, proportionate, and not excessive in relation to the intended purpose of the processing operation. That purpose must be specific and legitimate. Furthermore, it must be communicated to the person concerned at the time the information is gathered, as well as to the CNDP when the processing is notified to that authority.
In addition, "personal data allowing the identification of the persons concerned must be preserved for a limited time, not exceeding the time necessary for the fulfilment of the aim for which they have been collected. At the expiry of this time, the data must be destroyed." If the company wishes to keep the data beyond that time, it must make an express application to the CNDP.
The Rights of Persons
Law no. 09-08 provides for a number of rights enjoyed by the persons whose data is collected. It is incumbent on the company to do all it can to guarantee these rights and to allow them to be actually exercised. The person in charge of the processing must likewise "take all the necessary precautions to guarantee the integrity and the confidentiality of personal data in their possession so as to protect them against any destruction, accidental loss, and any other forms of illicit processing." They must therefore ensure that their subcontractors and any third parties with access to the information comply with the provisions of Law 09-08. Companies are also strongly advised to consult the CNDP in order to check whether they fully abide by the legal framework in force.
Small and Medium-sized Companies' Observance of the General Data Protection Regulations
Aside from the Moroccan law, which is expected to evolve soon to be on a par with international regulations, numerous small and medium-sized companies are also concerned by European Union regulations. In fact, the RGPD (the General Data Protection Regulation), which came into force in May 2018, also applies to countries outside Europe when the data collected concerns European residents.
As a result, many Moroccan companies are concerned by these regulations, notably those operating in the offshoring sector (call centres and other subcontractors), tourism (hotels), telecom and banking. Additionally, websites visited by MRE (members of the Moroccan expatriate community) or by any European nationals must comply with the RGPD.
In the event of non-compliance, financial sanctions can be stiff: fines of up to 20 million Euros or up to 4% of global turnover (whichever is higher) can be levied. Moreover, the risk for small and medium-sized Moroccan companies can be serious indeed: they stand to lose their European clients if they do not comply with the regulations in question.
The CNDP
The CNDP, or the National Commission for the Control of Personal Data Protection, was created by Law no. 09-08 dated February 18, 2009, relative to the protection of natural persons with regard to the processing of personal data. Its main task is to check that the processing of personal data is lawful and that it does not breach private life or infringe upon the fundamental liberties and rights of any human being.
It offers a number of online services and informs companies about the steps to take in that regard: https://www.cndp.ma
The RGPD
The General Data Protection Regulation (RGPD) is the reference text in the area of personal data protection within the European Union. The regulation, which came into force on May 25, 2018, replaces the directive on the protection of personal data (95/46/CE), which was adopted back in 1995.
For further information, or simply to see how to comply with the regulation, consult the EU website (https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr_fr) or the CNIL website in France (https://www.cnil.fr/fr/comprendre-le-rgpd).
Advice on how to comply:
- Make a diagnosis of the situation: Find out which local and international regulation(s) apply to the company, then audit its processes to assess their conformity.
- Implement a conformity plan: Raise the awareness of the salaried staff and review all procedures and contracts to bring them into line with the regulations. Follow up on the plan over time and see to it that all new projects meet expectations.
- Appoint a Data Protection Officer (DPO): Made mandatory by the RGPD in certain cases, the DPO is tasked with implementing compliance with the European regulations. The officer may be a salaried staff member who has been trained for the function or an external service provider entrusted with following up on the company's projects.
The Perspective of an Expert:
"Compliance with RGPD necessarily begins with an audit phase, during which the following simple questions are addressed: who has the data; where are they; why do we collect and keep them; whom do we transfer them to; and for how long do we keep them?
The answers to these questions, combined with physical interviews, will make it possible to make a personal data cartography. At the end of the audit, we measure the gap between the requirements of the regulations and what is really already in place within the company. It is at this stage that expert follow-through is useful. This is because the legal text is arduous. Besides, it is necessary to set priorities as to which actions should be taken, first, depending on the legal risks incurred.
This should take us to the second phase during which an implementation plan for all the actions that have been identified is devised: this requires the drawing up of documentation; the creation of a processing register; the appointment of a data protection officer; the enhancement of IT; the organization of training ... The entire apparatus generally takes several months to set up.
Up to now very few company leaders in Morocco are concerned about their compliance (with the regulations in force). And yet, the latter should be perceived as a means to instil more dynamism in their business activities, to engage in smart compliance, and, above all, to avoid losing market shares, especially if the principals are Europeans. As a Data Protection Officer I follow through small and medium-sized companies in the process of the implementation of their RGPD project and compliance endeavours."