Law 09-08 relating to the protection of individuals with regard to the processing of personal data defines the obligations to which data controllers are subject. They must ensure that personal data is collected and processed in a fair, legitimate and transparent manner. They must, moreover:
– Respect the purpose of the processing:
Any processing of personal data must have a precise and legitimate purpose which is communicated to the persons concerned when collecting their personal data and to the CNDP when notifying the processing. Any change of purpose is subject to prior authorization from the CNDP.
– Respect the principle of proportionality:
The data collected and processed must be necessary, proportional and not excessive with regard to the purpose of the envisaged processing.
– Ensure data quality:
The data controller must ensure that the personal data processed are accurate, reliable, complete and updated.
– Ensure compliance with the data retention period:
Personal data allowing the identification of the persons concerned must be kept for a limited period, not exceeding the period necessary to achieve the purpose of the processing for which they were collected. At the end of this period, the data must be destroyed.
If the data controller plans to retain personal data for statistical or historical purposes, he must request express authorization from the CNDP for this purpose.
– Ensure the exercise of rights by the person concerned:
Law 09-08 provides for a certain number of rights for the benefit of the people concerned. The data controller is required to ensure compliance with these rights, in particular by taking all measures enabling the persons concerned to assert and exercise them where applicable.
– Ensure the security and confidentiality of processing:
It is the responsibility of the data controller to take all necessary precautions to guarantee the integrity and confidentiality of the personal data in his possession with a view to protecting them against destruction or accidental loss and against any form of illicit processing. To this end, he must implement appropriate physical and logical security measures and take all necessary precautions to prevent data from being distorted, damaged, or communicated to unauthorized third parties. The data controller must ensure, through contracts and audits, that its subcontractors and third parties to whom it communicates personal data comply with all the provisions of Law 09-08.
– Notify the CNDP of the processing operations:
Before implementing processing, the data controller must notify the CNDP by completing the appropriate procedure, namely:
1- An authorization request:
a) If the processing uses sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or health data, etc.
b) If there is a change of purpose, i.e. personal data is used for purposes other than those for which it was collected.
c) If the data processing relates to offences, convictions or security measures.
d) If the data processing uses the CIN number.
e) If the processing requires the interconnection of files, the purposes of which are different.
2- A prior declaration in other cases.
3- A request for data transfer abroad if personal data will be hosted or transmitted abroad.