Personal data protection in Morocco

A- Legal framework:

To understand the legal framework governing the protection of personal data in Morocco, we first need to clarify its nomenclature, before briefly presenting its fundamental principles, which guide procedural legal requirements.

Law no. 09-08 defines personal data as "any information of any kind and irrespective of its medium, including sound and image, concerning an identified or identifiable natural person". However, considering that the case in point concerns health data, the law qualifies them as sensitive data, requiring even greater protection.

Processing is defined in the law as any operation or set of operations, whether or not carried out using automated processes and applied to personal data, such as collection, recording and the like.

The controller is the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

The legal framework regulating the protection of personal data in Morocco is guided by certain fundamental principles. These include the obligation to obtain the data subject's consent and the clarity of the purpose of processing: the purpose must be determined, and the data must not be further processed in a way incompatible with that purpose. These principles are coupled with the obligation of proportionality and the fairness of such processing, implying that the personal data collected is appropriate to the purpose of the processing and that the data subjects are duly informed.

B- Rights and obligations of the persons concerned:

Machine users will have rights relating to the collection of their personal data, which must be protected in order to comply with legal requirements. Inherent to the first principle mentioned above, users must express their consent freely, by accepting or refusing the collection of their personal information.

These people also have a Right to Information at the time of data collection, meaning that any person whose personal data it is intended to process has the right to be informed in a precise, express and unequivocal manner of the use or storage of data concerning him or her.

They also have a right of access, recognized by article 7 of law n° 09-08. This entitles any person to access information concerning him or her, in order to verify its accuracy. This right is supplemented by the right of rectification, which enables data subjects to request the rectification of inaccurate or incomplete information concerning them.

The law also preserves the right of data subjects to object to direct marketing, enabling anyone whose personal data is processed to object, free of charge, to their data being used for marketing purposes.

This range of user rights is guaranteed by the obligations incumbent on the data controller, who must first of all obtain the express consent of the data subject before processing. The data controller is also required to file prior declarations and authorizations with the CNDP (see below).

Finally, the person responsible is bound by obligations of confidentiality, security of processing and professional secrecy, implementing all technical and organizational measures to protect personal data, in order to prevent it from being damaged, modified or used by a third party not authorized to access it.

These measures must be reinforced in the case of sensitive data or data relating to health, in accordance with the provisions of article 24.

C- Procedural approach:

Considering that the customer will be collecting health-related data, which the law classifies as sensitive, he is required to file with the CNDP not a prior declaration, but rather a request for prior authorization for the collection. The CNDP can issue this authorization once the form at the following link has been filled out: https://www.cndp.ma/images/lois/CNDP-Autorisation-Prealable.pdf

This prior authorization takes into account the delicate nature of sensitive personal data, and enables the CNDP to monitor the protection of personal data and ensure that the data controller complies with the provisions of law no. 09-08.

However, if this data is to be transferred outside Morocco, a transfer request must be made. As a first step, the data controller must ensure that he or she has obtained a receipt of authorization for the data to be transferred, before submitting the transfer request to the CNDP.

Once the receipt has been obtained, the data controller can fill in the CNDP foreign transfer request form, pursuant to articles 43 and 44 of Law 09-08, at the following link: https://www.cndp.ma/images/lois/CNDP-Transfert-Etranger.pdf

All personal data collected in this context must be destroyed as soon as the declared or authorized purpose has been achieved.

Our legal and tax team will be happy to provide you with any further information you may require.

Faithfully yours,

Ilham Taha-Bouamri
Independent chartered accountant and tax specialist