Personal Data Under Law 09-08

What Are Sensitive Personal Data Under Law 09-08?

Under Moroccan Law 09-08, sensitive personal data refers to specific categories of information whose processing presents a higher risk to individuals’ fundamental rights and therefore requires stricter legal control, often including prior CNDP authorization.
Any company processing such data in Morocco must proceed with particular caution and comply with enhanced obligations supervised by the CNDP.


The concept of sensitive personal data is defined by Law 09-08 on the protection of individuals with regard to the processing of personal data.

The law recognizes that certain types of information, by their nature, may seriously affect privacy, dignity, or individual freedoms if misused.


What qualifies as sensitive personal data?

Under Law 09-08, sensitive personal data includes information that reveals or relates to:

  • health and medical data
  • biometric and genetic data
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • data relating to criminal convictions or security measures

These categories are interpreted broadly by the CNDP.


Health and medical data

Health data is one of the most strictly regulated categories.

This includes:

  • medical records
  • laboratory results
  • medical certificates
  • disability information
  • health insurance data

Processing health data almost always requires prior CNDP authorization, except in very limited circumstances.


Biometric and genetic data

Biometric and genetic data are considered highly sensitive.

Examples include:

  • fingerprints
  • facial recognition data
  • DNA data
  • retinal or iris scans

Their use is subject to heightened scrutiny due to the irreversible nature of biometric identifiers.


Political, religious, and philosophical data

Data revealing:

  • political affiliations or opinions
  • religious beliefs or practices
  • philosophical convictions

is classified as sensitive because of the potential impact on individual freedoms and non-discrimination principles.


Criminal records and security measures

Information relating to:

  • criminal convictions
  • ongoing investigations
  • judicial sanctions
  • security or surveillance measures

falls squarely within the sensitive data category and is subject to strict authorization requirements.


Employee data: when does it become sensitive?

Not all employee data is sensitive, but HR data becomes sensitive when it includes:

  • medical leave records
  • disciplinary or criminal matters
  • biometric access controls
  • union membership

Employers must carefully assess HR processing activities.


When is CNDP authorization required?

As a general rule, processing sensitive personal data requires prior CNDP authorization before any activity begins.

This applies regardless of:

  • company size
  • sector of activity
  • whether the company is Moroccan or foreign

Starting processing without authorization constitutes a legal violation.


Common business activities involving sensitive data

Sensitive data is frequently processed in:

  • healthcare and medical services
  • insurance and social protection
  • call centers with call recording involving sensitive content
  • HR and payroll systems
  • access control systems using biometrics
  • compliance and background-check services

These activities require careful legal qualification.


Risks of improper handling of sensitive data

Improper processing may result in:

  • CNDP warnings or enforcement actions
  • suspension or prohibition of processing
  • criminal liability for company officers
  • significant reputational damage

Sensitive data violations are treated more seriously than standard compliance breaches.


Frequently Asked Questions

Is all employee data considered sensitive?

No. Only specific categories, such as health or disciplinary data, are considered sensitive.

Are biometric access systems allowed?

Yes, but they typically require prior CNDP authorization.


Key takeaway

Sensitive personal data under Law 09-08 is subject to strict legal protection and enhanced regulatory control.
Any business processing such data must assess its obligations carefully and obtain CNDP authorization where required.

Correct classification of sensitive data is essential to lawful and secure operations in Morocco.

Brahim Rami | Member of the Institute of Chartered Accountants in Morocco

He is a CPA and tax advisor, founder of NeoExpertise.net, a legal and tax firm helping foreign companies with business setup, due diligence, payroll, and tax compliance in Morocco and Africa.