Law No. 09-08 Morocco

    Overview

    Law No. 09-08, enacted in Morocco in 2009, governs the protection of personal data. It establishes guidelines for data processing to safeguard individual privacy, aligning with international cooperation principles. The law applies to automated and non-automated data processing and introduces key rights for individuals, such as access, rectification, and opposition to their personal data processing. It also defines specific obligations for data controllers and processors to ensure data security and transparency.

     

    Regulation Summary

    Timeline
    • February 18, 2009 – Law promulgated.
    • March 5, 2009 – Law published in the Official Gazette.
    • March 16, 2011 – Two-year transition period ends; full enforcement begins.
    What Businesses Are Affected?
    • All businesses operating in Morocco that process personal data.
    • Foreign companies processing data using Moroccan infrastructure.
    • Public and private entities that collect and process personal data.
    Exemptions
    • Personal or household data use.
    • Processing for national security, defense, or crime prevention.
    • Journalistic, literary, or artistic activities.
    Responsibilities for Businesses
    • Obtain clear and informed consent.
    • Ensure data accuracy and allow rectifications.
    • Implement security measures to protect personal data.
    • Maintain records of processing activities.
    • Appoint a Data Protection Officer (DPO) where required.
    • Notify the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) of data processing activities.
    Specific Website Owner Responsibilities
    • Publish a clear and accessible privacy policy.
    • Obtain consent for cookies and tracking technologies.
    • Provide mechanisms for users to exercise their rights.
    • Secure user data against unauthorized access.
    Additional Requirements
    • Cross-border data transfers require CNDP authorization.
    • Parental consent is required for processing children’s data.
    • Processing sensitive data requires explicit consent or legal justification.
    Data Subject Rights
    • Right to information & access.
    • Right to rectification & erasure (Right to be Forgotten).
    • Right to restriction & objection to processing.
    • Right to challenge automated decision-making.
    • Right to opt-out of direct marketing.
    Enforcement
    • Supervised by the CNDP.
    • Fines for entities: Between 10,000 and 100,000 MAD (~$1,000 to $10,000 USD). 
    • Fines for responsible persons: Between 20,000 and 200,000 MAD (~$2,000 to $20,000 USD). 
    • Additional penalties include imprisonment for severe violations.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596