Sunday , 28 November 2021
Home » Regulation » The protection of individuals with regard to the processing of personal data in the light of Law 09-08
The protection of individuals with regard to the processing of personal data in the light of Law 09-08

The protection of individuals with regard to the processing of personal data in the light of Law 09-08

By Mr. Med Taher SBIHI, laureate of the Faculty of Law and Economics of Rabat and of the higher management cycle of ISCAE of Casablanca
Preamble
The surge in flows and exchanges of personal data on Moroccan territory has dictated the need to ensure the protection of human rights and fundamental freedoms, and in particular the right to privacy.
This fundamental right and this concern for the preservation of the privacy of personal life find their legs in the Moroccan Constitution which solemnly states in its article 24 that “everyone has the right to the protection of his private life”, and that “… right to information can only be limited by law, with the aim of ensuring the protection of all matters relating to national defense, internal and external security of the State, as well as the private life of individuals, and the aim of preventing the infringement of the rights and freedoms set out in this Constitution… ”(article 27 of the said Constitution).
This concern for protection was felt particularly on the occasion of the remarkable development of new Information and Communication Technologies (NICTs) and the danger that the malicious use of these new technologies was beginning to create.
In this wake, the protection of personal data has positioned itself as a backdrop and a priority within the framework of efforts to develop the computer tool in Morocco and the use made of it.
In this momentum, the law n ° 09-08 on the protection of natural persons, with regard to the processing of personal data promulgated by the dahir n° 1-09-15 of February 18, 2009, introduced, for the first time, in the Moroccan legal arsenal, a legal device which clearly reflects the concern of the public authorities in Morocco, to be in conformity with the international standards in the matter.
This concerns in particular the European general data protection regulation n ° 2016/679 of the European Parliament and of the Council of April 27, 2016, relating to the protection of individuals with regard to the processing of personal data and to the free movement of this data, designated by RGPD in French and GDPR in English.
This regulation is the new legal framework governing the protection of personal data in Europe. It replaces and repeals Directive n ° 95/46 / CE of the European Parliament and of the Council of October 24, 1995 on the matter.
The aforementioned Moroccan legal system is supplemented and clarified by a regulatory text, that is Decree 2-09-165 of May 21, 2009, adopted for the application of Law No. 09-08.
It should be remembered that the establishment of this law is part of a related body of legislation, marked in particular by Law No.31-08 enacting consumer protection measures and Law No.53-05 on electronic exchange of legal data.
After recalling the main elements of the general framework for the insertion of Law No. 09-08, we propose, in what follows, to give a brief summary about it.
Economy of law n ° 09-08
This legal framework, comprising some 67 articles, prohibited, in its first article, for information technology, from undermining the identity, rights and collective or individual freedoms of man, nor from constituting a way to divulge secrets of the privacy of citizens.
Terminology and fields of application
In its glossary, the aforementioned law 09-08 defines in particular, among 11 key concepts cited, personal data as “any information, of any nature whatsoever and regardless of its medium, including sound and ‘image, concerning a natural person identified or identifiable by reference to an identification number or to one or more specific elements of his physical, physiological, genetic, psychological, economic, cultural or social identity”.
With the exception of three limiting derogations, which fall outside the scope of the law, the latter applies to the processing of personal data, which is automated in whole or in part, as well as to the non-automated processing of personal data. contained or called to appear in manual files.
The law stipulates that personal data must be:
-Processed fairly and lawfully
-collected for explicit and legitimate purposes, adequate, relevant accurate and, if necessary, updated.
– kept in a form allowing the identification of the persons concerned.
The law also includes that the processing of personal data can only be carried out if the data subject to processing has given his consent and that the personal data, object of the processing, cannot in principle be communicated systematically to a third party.
The law further stipulates that any person contacted directly, with a view to collecting their personal data, must in principle be expressly informed beforehand by the controller.
Four rights are granted to the concerned person who can exercise them within the framework of Law 09-08, namely: the right of access to data, the right to rectify them, the right of opposition and the right of prohibition of direct marketing.
“National Commission for Personal Data” (CNDP)
A “National Commission for Personal Data” (CNDP), provided by law and set up under the Head of Government, is responsible in particular for implementing the provisions of this law and ensuring compliance with it. The decisions of the CNDP, which has internal regulations, are subject to government approval.
This Commission, which is composed of seven members appointed by the Head of State and which acts as an advisory body for the government and the parliament and as a source of proposals in terms of draft laws and regulations, in relation to the field of personal data protection, exercises countless powers that are related to its mission. To this end, it is granted with all relevant supervisory and investigatory powers. It is assisted by standing or ad hoc committees.
Concretely speaking, the CNDP is responsible for verifying that the processing of personal data is lawful, legal and that it does not infringe upon privacy, freedoms and fundamental human rights.
To this end, the personalities who make up the commission are known for their impartiality, their moral probity and their competence in the legal, judicial and IT fields.
The said Commission establishes the list of the categories of personal data processing which, considering the data to be processed, are not likely to infringe the rights and freedoms of the persons concerned, and for which the declaration must specify only certain elements provided in the text of the law.
It also establishes the list of non-automated processing of personal data which may be the subject of a simplified declaration.
With regard to the obligations of confidentiality and security of processing and to professional secrecy, the controller must implement the appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access.
The CNDP is also responsible for:
– receiving complaints from any person concerned who considers that they have been harmed by the publication of the processing of personal data, to investigate and respond to them by ordering the publication of corrections or / and referral to the public prosecutor’s office for the purposes of prosecution;
– assessing, at the request of the public authorities, in particular the judicial authorities, the elements submitted for their assessment during disputes arising from the application of the law or the texts adopted for its application;
– assisting the government in the preparation and definition of the Moroccan position during international negotiations in the field of personal data protection;
– cooperating with similar bodies controlling the processing of personal data in foreign States.
Concerning the transfer of data to a foreign country, the controller can only transfer personal data to a foreign state if this state ensures a sufficient level of protection of privacy and of fundamental rights and individual freedoms, with regard to the processing to which these data may be subject. Otherwise, the consent of the person affected by the personal data is legally required.
National register for the protection of personal data
In addition, the law establishes a national register for the protection of personal data, which is kept by the CNDP, that ensures it is made available to the public.
The procedures for entering data in the national register and for keeping it up to date are set by the government, after consulting the National Commission.
The processing of personal data relating to offenses, convictions and security measures can only be implemented by:
– courts, public authorities and legal persons managing a public service, acting within the framework of their legal powers;
– court officials, for the strict needs of performing tasks entrusted to them by law;
– the body responsible for the protection of copyright and neighboring rights referred to in Law No. 34-05 amending and supplementing Law No. 2-00 on copyright and neighboring rights.
The creation, maintenance and processing of central registers concerning persons suspected of illicit activities, offenses and administrative offenses and decisions providing for penalties, security measures, fines and ancillary sanctions, are the sole responsibility of the public services’ bodies which have specific authority, and which must comply with the procedural and data protection rules provided for by law, after consulting the CNDP.
without prejudice to the criminal sanctions, when it appears, following the implementation of the processing object of the declaration or the authorization that this processing is injurious to safety or public order or is contrary to morality, social mores or good character, the CNDP may withdraw the receipt of the declaration or the authorization, after the CNDP delivered its opinion.
Sanctions
Finally, Law 09-08 provides in its last chapter a whole system of criminal sanctions of a pecuniary nature and / or restrictive of freedom, against any person who infringes its legal or regulatory provisions or who, knowingly, does not comply with the decisions taken by the CNDP

Preamble

The surge in flows and exchanges of personal data on Moroccan territory has dictated the need to ensure the protection of human rights and fundamental freedoms, and in particular the right to privacy.
This fundamental right and this concern for the preservation of the privacy of personal life find their legs in the Moroccan Constitution which solemnly states in its article 24 that “everyone has the right to the protection of his private life”, and that “… right to information can only be limited by law, with the aim of ensuring the protection of all matters relating to national defense, internal and external security of the State, as well as the private life of individuals, and the aim of preventing the infringement of the rights and freedoms set out in this Constitution… ”(article 27 of the said Constitution).

This concern for protection was felt particularly on the occasion of the remarkable development of new Information and Communication Technologies (NICTs) and the danger that the malicious use of these new technologies was beginning to create.
In this wake, the protection of personal data has positioned itself as a backdrop and a priority within the framework of efforts to develop the computer tool in Morocco and the use made of it.

In this momentum, the law n ° 09-08 on the protection of natural persons, with regard to the processing of personal data promulgated by the dahir n° 1-09-15 of February 18, 2009, introduced, for the first time, in the Moroccan legal arsenal, a legal device which clearly reflects the concern of the public authorities in Morocco, to be in conformity with the international standards in the matter.
This concerns in particular the European general data protection regulation n ° 2016/679 of the European Parliament and of the Council of April 27, 2016, relating to the protection of individuals with regard to the processing of personal data and to the free movement of this data, designated by RGPD in French and GDPR in English.
This regulation is the new legal framework governing the protection of personal data in Europe. It replaces and repeals Directive n ° 95/46 / CE of the European Parliament and of the Council of October 24, 1995 on the matter.

The aforementioned Moroccan legal system is supplemented and clarified by a regulatory text, that is Decree 2-09-165 of May 21, 2009, adopted for the application of Law No. 09-08.

It should be remembered that the establishment of this law is part of a related body of legislation, marked in particular by Law No.31-08 enacting consumer protection measures and Law No.53-05 on electronic exchange of legal data.

After recalling the main elements of the general framework for the insertion of Law No. 09-08, we propose, in what follows, to give a brief summary about it.

Economy of law n ° 09-08

This legal framework, comprising some 67 articles, prohibited, in its first article, for information technology, from undermining the identity, rights and collective or individual freedoms of man, nor from constituting a way to divulge secrets of the privacy of citizens.

Terminology and fields of application

In its glossary, the aforementioned law 09-08 defines in particular, among 11 key concepts cited, personal data as “any information, of any nature whatsoever and regardless of its medium, including sound and ‘image, concerning a natural person identified or identifiable by reference to an identification number or to one or more specific elements of his physical, physiological, genetic, psychological, economic, cultural or social identity”.
With the exception of three limiting derogations, which fall outside the scope of the law, the latter applies to the processing of personal data, which is automated in whole or in part, as well as to the non-automated processing of personal data. contained or called to appear in manual files.
The law stipulates that personal data must be:

-Processed fairly and lawfully
-collected for explicit and legitimate purposes, adequate, relevant accurate and, if necessary, updated.
– kept in a form allowing the identification of the persons concerned.

The law also includes that the processing of personal data can only be carried out if the data subject to processing has given his consent and that the personal data, object of the processing, cannot in principle be communicated systematically to a third party.
The law further stipulates that any person contacted directly, with a view to collecting their personal data, must in principle be expressly informed beforehand by the controller.
Four rights are granted to the concerned person who can exercise them within the framework of Law 09-08, namely: the right of access to data, the right to rectify them, the right of opposition and the right of prohibition of direct marketing.
“National Commission for Personal Data” (CNDP)

A “National Commission for Personal Data” (CNDP), provided by law and set up under the Head of Government, is responsible in particular for implementing the provisions of this law and ensuring compliance with it. The decisions of the CNDP, which has internal regulations, are subject to government approval.

This Commission, which is composed of seven members appointed by the Head of State and which acts as an advisory body for the government and the parliament and as a source of proposals in terms of draft laws and regulations, in relation to the field of personal data protection, exercises countless powers that are related to its mission. To this end, it is granted with all relevant supervisory and investigatory powers. It is assisted by standing or ad hoc committees.

Concretely speaking, the CNDP is responsible for verifying that the processing of personal data is lawful, legal and that it does not infringe upon privacy, freedoms and fundamental human rights.

To this end, the personalities who make up the commission are known for their impartiality, their moral probity and their competence in the legal, judicial and IT fields.

The said Commission establishes the list of the categories of personal data processing which, considering the data to be processed, are not likely to infringe the rights and freedoms of the persons concerned, and for which the declaration must specify only certain elements provided in the text of the law.

It also establishes the list of non-automated processing of personal data which may be the subject of a simplified declaration.

With regard to the obligations of confidentiality and security of processing and to professional secrecy, the controller must implement the appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access.

The CNDP is also responsible for:

– receiving complaints from any person concerned who considers that they have been harmed by the publication of the processing of personal data, to investigate and respond to them by ordering the publication of corrections or / and referral to the public prosecutor’s office for the purposes of prosecution;

– assessing, at the request of the public authorities, in particular the judicial authorities, the elements submitted for their assessment during disputes arising from the application of the law or the texts adopted for its application;
– assisting the government in the preparation and definition of the Moroccan position during international negotiations in the field of personal data protection;
– cooperating with similar bodies controlling the processing of personal data in foreign States.

Concerning the transfer of data to a foreign country, the controller can only transfer personal data to a foreign state if this state ensures a sufficient level of protection of privacy and of fundamental rights and individual freedoms, with regard to the processing to which these data may be subject. Otherwise, the consent of the person affected by the personal data is legally required.

National register for the protection of personal data

In addition, the law establishes a national register for the protection of personal data, which is kept by the CNDP, that ensures it is made available to the public.

The procedures for entering data in the national register and for keeping it up to date are set by the government, after consulting the National Commission.

The processing of personal data relating to offenses, convictions and security measures can only be implemented by:

– courts, public authorities and legal persons managing a public service, acting within the framework of their legal powers;

– court officials, for the strict needs of performing tasks entrusted to them by law;

– the body responsible for the protection of copyright and neighboring rights referred to in Law No. 34-05 amending and supplementing Law No. 2-00 on copyright and neighboring rights.

The creation, maintenance and processing of central registers concerning persons suspected of illicit activities, offenses and administrative offenses and decisions providing for penalties, security measures, fines and ancillary sanctions, are the sole responsibility of the public services’ bodies which have specific authority, and which must comply with the procedural and data protection rules provided for by law, after consulting the CNDP.

without prejudice to the criminal sanctions, when it appears, following the implementation of the processing object of the declaration or the authorization that this processing is injurious to safety or public order or is contrary to morality, social mores or good character, the CNDP may withdraw the receipt of the declaration or the authorization, after the CNDP delivered its opinion.

Sanctions
Finally, Law 09-08 provides in its last chapter a whole system of criminal sanctions of a pecuniary nature and / or restrictive of freedom, against any person who infringes its legal or regulatory provisions or who, knowingly, does not comply with the decisions taken by the CNDP

louboutin pas cher louboutin pas cher louboutin pas cher louboutin pas cher louboutin pas cher louboutin pas cher pandora outlet pandora outlet pandora outlet pandora outlet pandora outlet pandora outlet stone island outlet stone island outlet stone island outlet stone island outlet peuterey outlet peuterey outlet peuterey outlet peuterey outlet woolrich outlet woolrich outlet woolrich outlet moncler outlet moncler outlet moncler outlet golden goose pas cher golden goose pas cher golden goose pas cher golden goose pas cher golden goose pas cher golden goose pas cher golden goose outlet golden goose outlet golden goose outlet golden goose outlet golden goose outlet golden goose outlet nike tn pas cher stone island outlet stone island uk stone island stone island outlet supreme outlet supreme outlet online
LTE.ma 2021 - ISSN : 2458-6293 Powered By NESSMATECH