The main objective of the 09-08 Act, which governs personal data protection (hereinafter "Act 09-08"), is to facilitate the growth of the digital economy while protecting privacy. It is also intended to encourage foreign investment, including via offshoring and relocation. With 52,000 jobs and MAD 7.6 billion of turnover at the end of 2011, the Moroccan offshoring market is now 5 times larger than South Africa's and 3 to 4 times the size of the Tunisian or Egyptian offshoring market. The protection of personal data transfers is a major condition for trust in the applicable legal framework and is therefore one of the conditions for the development of new technologies and of the digital economy in Morocco.

It was in light of these considerations that Act 09-08 was enacted, adding to the Moroccan legal arsenal an instrument to protect individuals against abusive uses of their personal data that could potentially harm their privacy. Moreover, since July 2011, the protection of privacy has been a fundamental right set forth in Article 24 of the new constitution.

Act 09-08 applies to personal data processing when the person responsible for processing[1], whether an individual or a legal entity, is established on Moroccan territory or, if not established on Moroccan territory, uses automated or non-automated means located on Moroccan territory.

  1. What does Act 09-08 provide?

Act 09-08 defines, inter alia, the rights of data subjects (right to access the data and to object to their processing, right of information, etc.), the obligations of the data controller (prior authorisation or declaration, security, and limited data storage period), and the rules governing the transfer of data abroad. It establishes the National Personal Data Control and Protection Commission (or "CNDP"). The Commission is responsible for applying and ensuring compliance with the provisions of Act 09-08 and its implementing texts.

  2. Implementation of a protection authority with extended powers

The CNDP was established on August 30th, 2010. This authority has the power to monitor compliance, take disciplinary measures, advise, and promote awareness, similar to the powers of the French National Data Protection Authority (known as the "CNIL").

The CNDP draws up the lists of processing and categories of processing that may take the form of simplified declarations. It defines the models for declarations, requests for advice and authorisation requests, and prepares the list of exhibits, if any, that must be included. It examines the prior formalities files. It can request copies of any relevant document and hear any person able to provide any required information.

It performs a monitoring function, with a view to verifying the lawfulness of the processing to be implemented and the compliance of the processing with the provisions of Act 09-08. Any individual whose data are processed may exercise his/her rights with the CNDP by lodging a complaint, if this person feels that (s)he has been harmed by the publication of data processing. The CNDP may also examine such questions on its own initiative in the event of a violation of the provisions of Act 09-08. It has investigation powers which it exercises in accordance with the provisions of Act 09-08, its related implementing texts as well as its own Internal Rules [Règlement Intérieur].

Finally, it has sanction powers, pursuant to which it may order administrative measures. Act 09-08 also provides for criminal penalties, in particular fines ranging from MAD 10,000 to MAD 300,000 and imprisonment terms from three months to two years.

  3. The need to achieve compliance by November 15th 2012

The entry into force of Act 09-08 has been gradual and companies have been granted a transition period to achieve compliance. Accordingly, personal data processing implemented prior to February 23rd 2009, the date of entry into force of Act 09-08, must comply with the provisions of the new law no later than November 15th 2012. Companies that fail to comply by that date would be deemed to be in violation of Act 09-08.

  4. Measures to be taken in order to comply with Act 09-08

Data controllers must regularize their situation with the CNDP as soon as possible:

  • by carrying out an audit of the main types of processing in order to identify them;
  • by drawing up the information notices necessary to inform the data subjects about their rights;
  • by establishing adequate data security and retention procedures;
  • by securing data transfers outside Morocco when required;
  • by determining the applicable procedure (exemption, declaration, authorisation) depending on the types of processing identified:
    • prior authorisation by the CNDP will be necessary, if the processing involves:
      • sensitive data (disclosing the racial or ethnic origins, political opinions, religion, or trade union membership of the data subject);
      • personal data used for purposes other than those for which they were collected;
      • genetic data;
      • data on infringements or convictions (with the exception of processing by lawyers and judicial officers);
      • data containing the national identity card number of the data subject.
    • a prior declaration must be filed with the CNDP in any case where an exemption or an authorisation is not applicable.


With the opening of its Casablanca office, Baker & McKenzie makes available to you a team of experts in data privacy to assist you in complying with these new regulations and make data protection a strength that improves companies’ competitiveness.