Personal Data – Neo Expertise https://neoexpertise.net Expert Business Advisory & Accounting Firm in Morocco Fri, 09 Jan 2026 09:47:42 +0000 en-US hourly 1 https://wordpress.org/?v=7.0 https://neoexpertise.net/wp-content/uploads/2026/04/cropped-last-vr-ornage-logo-ezgif.com-gif-to-webp-converter-32x32.webp Personal Data – Neo Expertise https://neoexpertise.net 32 32 What Are Sensitive Personal Data Under Law 09-08? https://neoexpertise.net/what-are-sensitive-personal-data-under-law-09-08/?utm_source=rss&utm_medium=rss&utm_campaign=what-are-sensitive-personal-data-under-law-09-08 Fri, 09 Jan 2026 09:47:40 +0000 https://neoexpertise.net/?p=3382 Under Moroccan Law 09-08, sensitive personal data refers to specific categories of information whose processing presents a higher risk to individuals’ fundamental rights and therefore requires stricter legal control, often including prior CNDP authorization.
Any company processing such data in Morocco must proceed with particular caution and comply with enhanced obligations supervised by the CNDP.

The concept of sensitive personal data is defined by Law 09-08 on the protection of individuals with regard to the processing of personal data.

The law recognizes that certain types of information, by their nature, may seriously affect privacy, dignity, or individual freedoms if misused.

What qualifies as sensitive personal data?

Under Law 09-08, sensitive personal data includes information that reveals or relates to:

  • health and medical data
  • biometric and genetic data
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • data relating to criminal convictions or security measures

These categories are interpreted broadly by the CNDP.

Health and medical data

Health data is one of the most strictly regulated categories.

This includes:

  • medical records
  • laboratory results
  • medical certificates
  • disability information
  • health insurance data

Processing health data almost always requires prior CNDP authorization, except in very limited circumstances.

Biometric and genetic data

Biometric and genetic data are considered highly sensitive.

Examples include:

  • fingerprints
  • facial recognition data
  • DNA data
  • retinal or iris scans

Their use is subject to heightened scrutiny due to the irreversible nature of biometric identifiers.

Political, religious, and philosophical data

Data revealing:

  • political affiliations or opinions
  • religious beliefs or practices
  • philosophical convictions

is classified as sensitive because of the potential impact on individual freedoms and non-discrimination principles.

Criminal records and security measures

Information relating to:

  • criminal convictions
  • ongoing investigations
  • judicial sanctions
  • security or surveillance measures

falls squarely within the sensitive data category and is subject to strict authorization requirements.

Employee data: when does it become sensitive?

Not all employee data is sensitive, but HR data becomes sensitive when it includes:

  • medical leave records
  • disciplinary or criminal matters
  • biometric access controls
  • union membership

Employers must carefully assess HR processing activities.

When is CNDP authorization required?

As a general rule, processing sensitive personal data requires prior CNDP authorization before any activity begins.

This applies regardless of:

  • company size
  • sector of activity
  • whether the company is Moroccan or foreign

Starting processing without authorization constitutes a legal violation.

Common business activities involving sensitive data

Sensitive data is frequently processed in:

  • healthcare and medical services
  • insurance and social protection
  • call centers with call recording involving sensitive content
  • HR and payroll systems
  • access control systems using biometrics
  • compliance and background-check services

These activities require careful legal qualification.

Risks of improper handling of sensitive data

Improper processing may result in:

  • CNDP warnings or enforcement actions
  • suspension or prohibition of processing
  • criminal liability for company officers
  • significant reputational damage

Sensitive data violations are treated more seriously than standard compliance breaches.

Frequently Asked Questions

Is all employee data considered sensitive?

No. Only specific categories, such as health or disciplinary data, are considered sensitive.

Are biometric access systems allowed?

Yes, but they typically require prior CNDP authorization.

Key takeaway

Sensitive personal data under Law 09-08 is subject to strict legal protection and enhanced regulatory control.
Any business processing such data must assess its obligations carefully and obtain CNDP authorization where required.

Correct classification of sensitive data is essential to lawful and secure operations in Morocco.

brahim rami

Brahim Rami | Member of institute of chartered accountants in Morocco

He is a CPA and tax advisor, founder of NeoExpertise.net, a Legal and Tax firm helping foreign companies with business setup, due diligence, payroll, and tax compliance in Morocco and Africa.

Book Your Free Consultation
]]>