EU law regulations on data protection to affect Moroccan subcontractors

In Morocco, the collection and processing of personal data is regulated by Law No. 09-08 relating to the protection of individuals with regard to the automatic processing of personal data, which was promulgated by Dahir (royal decree) No. 1-09-15 on February 18, 2009. Furthermore, the kingdom’s data protection legal framework is based on the Council of Europe’s Convention No. 108 of January 28, 1981. This came into force in Morocco by virtue of Dahir No. 1-14-150 on August 22, 2014, which enacted Law No. 46-13 in approval of the Council of Europe convention. The law is enforceable and represents changes in respect to the protection of personal data. Furthermore, it conforms to international and European standards. Nevertheless, while the Data Protection Authority (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel, CNDP) is trying to popularise compliance, most companies are continuing to process personal data without complying with the law.

GDPR: On April 27, 2016 the EU adopted Regulation No. 679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Known as the General Data Protection Regulation (GDPR) it will enter into force on May 25, 2018 and repeal Directive No. 46 of 1995. The GDPR is likely to have an influence over Moroccan companies. This is because the geographical scope of the GDPR has been extended, and may cover companies which are not established on European soil when processing personal data relating to:

• The supply of goods or services to persons concerned within the EU zone, whether or not payment is required of such persons; or

• The monitoring of the conduct of such persons, insofar as this takes place within the EU.

OFFSHORING: Moreover, the GDPR is extended to subcontractors, which include Moroccan companies operating in the offshoring sector. This marks a change in that, previously, Directive No. 46 of 1995 limited the subcontractor’s obligation to process the data of the controller only on the instructions of the latter and with technical and organisational measures to secure this data. The GDPR extends the obligations of the subcontractors, who must, inter alia:

• Provide sufficient guarantees for the implementation of technical and organisational measures ensuring that processing procedures are compliant with the requirements of the GDPR;

• Not recruit another subcontractor unless the data controller authorises it in writing;

• Notify the data controller of any personal data violations, as soon as possible after having been made aware; and

• Designate a data protection officer. For companies which process personal data in the context of the offer of a product or service to individuals within the EU – such as a hotel or any other commercial site – the GDPR imposes new obligations, such as:

• Ensuring that the processing operations are compliant with the GDPR;

• Implementing appropriate technical and organisational measures, by design or by default, ensuring compliance with the basic principles of the protection of personal data, e.g., minimising the data processed;

• Notifying the data protection authority within 72 hours of any personal data violations; and

• Designating a data protection officer. Companies in breach of the GDPR can risk penalties of up to €20m or 4% of the global turnover of the data controller – whichever is highest. Therefore, it is important for Moroccan companies processing personal data in relation to EU citizens to ensure they comply with the GDPR before its entry into force. The CNDP is currently making strong efforts to help Moroccan companies in this compliance process before the May 2018 deadline.