The National Commission for the Protection of Personal Data (CNDP)
Conditions and modalities for appointing the members of the CNDP
The National Commission for the Protection of Personal Data created by virtue of the Article 27 of Law No. 09-08 is abbreviated as the “CNDP”.
Pursuant to Article 32 of Law No. 09-08, the CNDP is made up of seven (7) members, the chairman of which is appointed by the King and six (6) members also appointed by the King and proposed as follows:
– two members by the Prime Minister;
– two members by the president of the House of Representatives;
– two members by the president of the Chamber of advisers.
Article 3 In
addition to the president, the members of the CNDP proposed for their appointment in accordance with the provisions of article 32 of law n ° 09-08, are chosen from qualified personalities of the public or private sector.
The CNDP must include among its members personalities qualified for their competence in the legal and judicial fields, personalities showing great expertise in IT as well as personalities recognized for their knowledge of issues relating to individual freedoms.
The members of the CNDP are chosen from among personalities known for their impartiality, moral probity, expertise and competence.
In the event of vacancy, impediment or absence for any reason whatsoever of a member of the Commission, he shall be provided under the same conditions, with his replacement within 30 days of the date on which the vacancy is noted. by the president of the CNDP.
The members of the CNDP appointed to replace those whose mandate ended before its normal end, complete the mandate of the members to whom they succeed.
The president of the CNDP may delegate part of his functions to another member and to the secretary general of the CNDP. He chairs the meetings of the CNDP or delegates another member for this purpose and represents it.
Rules of operation of the CNDP
The CNDP meets when convened by its chairman, acting on his own initiative or at the request of half of the members, at a frequency specified in its internal regulations and, in any case, at the request of half of the members. less once a month.
In accordance with article 39 of the aforementioned law n ° 09-08, the CNDP establishes its internal regulations which set in particular the conditions of its operation and its organization, and this within a period of one month after its installation and communicates it. to the Prime Minister or to the governmental authority he designates, for approval and publication in the “Official Bulletin”.
The credits necessary for the accomplishment of the CNDP’s missions are entered in the budget of the Prime Minister.
The CNDP may benefit from donations and bequests from national and international public or private organizations.
The CNDP’s draft budget is prepared by the secretary general. Before its approval by the CNDP, the draft budget is submitted by the president of the CNDP to the Prime Minister.
The president of the CNDP is the authorizing officer of his budget. He is assisted by the Secretary General who is under the authorizing officer for the missions entrusted to him by Law No. 09-08.
Administration of the CNDP
The administration of the CNDP is ensured by a secretary general under the authority of its president.
The Secretary General directs the administrative and financial services of the CNDP and as such may, in addition to the powers he exercises by delegation of the President of the CNDP, sign all acts and decisions of an administrative nature. He prepares and submits for approval by the president, the draft budget of the CNDP.
The Secretary General is responsible for taking all necessary measures for the preparation and organization of the work of the CNDP. He is responsible for keeping and preserving the files and archives of the CNDP.
In order to ensure the management of the CNDP, the Secretary General has, according to Article 41 of Law No. 09-08, an administrative and technical staff made up of civil servants from public administrations or public officials, who may be placed on secondment to the CNDP, by joint decision of the government authority to which they report and the President of the CNDP.
Employment contracts are subject to the approval of the Prime Minister for staff recruited by contract.
Investigative and supervisory powers of the CNDP
For the fulfillment of the investigative and investigative powers vested in it by virtue of article 30 of law n ° 09-08, the CNDP instructs its agents regularly commissioned by the president and placed under his authority, to research and control, by report, infringements of the provisions of the aforementioned law and of the texts adopted for its application.
The control operation is subject to a CNDP decision which specifies:
1) the name and address of the data controller concerned;
2) the name of the commissioned agent or agents in charge of the operation;
3) the purpose as well as the duration of the operation.
No agent can be appointed to carry out an audit of a body in which he has, during the 5 years preceding the audit, held a direct or indirect interest, exercised functions, a professional activity or an elective mandate.
In the event of a control operation, the territorially competent public prosecutor shall be informed in advance at the latest twenty-four (24) hours before the date on which the on-site control must take place. This notice specifies the date, time, place and purpose of the check.
The persons in charge of the control must present their mission order and, where applicable, their authorization to carry out the said controls.
In application of article 66 of law n ° 09-08, each control must be the subject of a report which states the nature, day, time and place of the controls carried out. The minutes indicate the object of the operation, the members of the CNDP who took part in it, the people met, if any, their statements, the requests made by the controllers as well as any difficulties encountered.
The inventory of documents and documents of which the persons responsible for the control have taken a copy is appended to the report signed by the persons responsible for the control and by the person in charge either of the premises, or of the processing operations, or by any person designated by that person. -this.
CNDP agents may also, with the authorization of the public prosecutor, seize the material that is the subject of the offense.
The request for the aforementioned authorization must include all the information needed to justify the seizure. This is carried out under the authority and control of the public prosecutor who authorized it.
The persons in charge of the control may summon and hear any person likely to provide them with any information or justification useful for the accomplishment of their mission.
The summons, sent by registered letter or hand delivered against discharge, must reach at least seven days before the date of the hearing.
The convocation reminds the person summoned that he is entitled to be assisted by a counsel of his choice.
The refusal to respond to a summons from the persons responsible for the control must be mentioned in the report.
Opinions, authorizations and declarations
The CNDP defines models of declaration, request for opinion and request for authorization and fixes the list of appendices which, if applicable, must be attached .
Declarations, requests for opinions and requests for authorization are presented by the controller or by the person having the capacity to represent him. When the controller is a natural person or a department, the legal person or public authority to which he is responsible must be mentioned.
Declarations and requests for opinions and authorizations are sent to the CNDP:
1) either by registered letter;
2) or delivered to the secretariat of the committee against receipt;
3) or by electronic means, with acknowledgment of receipt which can be sent by the same means.
The date of the notice of receipt, receipt or electronic acknowledgment of receipt sets the starting point for the period:
– 24 hours available to the CNDP to issue the receipt of the declaration in application of article 19 of the aforementioned law n ° 09-08;
– two months to notify its opinion in accordance with article 25 of this decree. The decision by which the president renews this period is notified to the controller by letter delivered against signature;
– two months fixed by article 28 of this decree for the CNDP to grant the authorization mentioned in articles 12 and 21 of the aforementioned law n ° 09-08;
– 8 days available to the CNDP to notify its decision to submit the processing to the declaration regime in application of article 20 of the aforementioned law n ° 09-08.
The CNDP seized within the framework of subparagraph A of article 27 as well as within the framework of article 50 of the aforementioned law n ° 09-08, takes a decision within two months from the date of the day of receipt of the request for an opinion. This period may be extended by one month by reasoned decision of the President of the CNDP.
In urgent cases, this period is reduced to one month at the request of the government or parliament.Section 3
When the declaration meets the requirements of Law No. 09-08 and its implementing texts. The CNDP issues the receipt provided for in article 19 of the aforementioned law.
The CNDP can issue the receipt of the prior declaration electronically with acknowledgment of receipt by the same channel.
When the receipt is issued electronically, the controller may request a hard copy.
Pursuant to Article 21 of Law No. 09-08 referred to above, requests for prior authorizations must specify:
1) the identity and address of the controller or, if the latter this is not established on the national territory, those of its duly authorized representative;
2) the purpose (s) of the processing envisaged as well as its name and characteristics;
3) the interconnections envisaged or any other form of connection with other processing operations;
4) the personal data processed, their origin and the categories of data subjects;
5) the retention period of the processed information;
6) the service (s) responsible for carrying out the processing as well as the categories of persons who, by reason of their functions or for the needs of the service, have direct access to the recorded data;
7) the recipients authorized to receive communication of the data;
8) the function of the person or the service to which the right of access is exercised;
9) the measures taken to ensure the security of processing and data;
10) indication of the use of a subcontractor;
11) the planned transfers of personal data to a foreign country.
The data controller already declared or authorized submits a new request to the CNDP, in the event of a change affecting the information mentioned in the previous paragraph. In addition, he must inform the CNDP in the event of deletion of the processing.
The CNDP takes a decision within two months (2) of receipt of the authorization request. However, this period may be extended once by reasoned decision of the CNDP. When the CNDP has not taken a decision within these time limits, the authorization is deemed to be granted.
Provisions specific to certain categories of processing
The conditions for processing genetic data and those relating to health
Pursuant to Article 12, paragraphs 1-a and 1-c, and Article 21, paragraph 1 of the aforementioned law n ° 09-08, processing relating to genetic data and data relating to health must be authorized by the CNDP.
The files for authorization requests for processing data relating to health sent to the CNDP must include:
1) the identity and address of the controller and the person responsible for processing, their qualifications, experience and functions, the categories of people who will be called upon to carry out the processing as well as those who will have access to the data collected;
2) in the case of research in the medical field, the research protocol or its useful elements, indicating in particular the objective of the research, the categories of persons interested, the method of observation or investigation adopted, the origin and nature of the personal data collected and the justification for using them, the duration and organization of the research, the method of data analysis;
3) where applicable, opinions previously delivered by scientific or ethical bodies;
4) the characteristics of the treatment envisaged;
5) the commitment of the controller to encode the data allowing the identification of interested persons;
6) where applicable, the scientific and technical justification for any request for exemption from the obligation to encode data allowing the identification of interested persons, and the justification for any request for exemption from the prohibition on the retention of said data. beyond the time required for the research.
Any modification of these elements is brought to the attention of the CNDP.
Further processing of personal data for historical, statistical or scientific purposes
In application of article 12 paragraph 1-b of the aforementioned law n ° 09-08, when the person in charge of the processing of personal data communicates these said data to a third party, with a view to subsequent processing to For historical, statistical or scientific purposes, said data are, prior to their communication, made anonymous or coded by said manager or by any competent body.
The results of the processing of personal data for historical, statistical or scientific purposes may not be made public in a form which allows the identification of the data subject, unless:
1) the data subject has expressly given his consent ;
2) the publication of non-anonymous and uncoded personal data is limited to data clearly made public by the data subject.
The CNDP is competent to rule on the historical, statistical or scientific nature of personal data.
1) The information to be provided by the controller, in application of article 5 of the aforementioned law n ° 09-08, can be delivered by any means, in particular by :
– electronic mail or on paper;
– posting or electronic form;
– advertisement in an appropriate medium;
– or, during an individual interview.
2) the codes, acronyms and abbreviations appearing in the documents issued by the data controller in response to a request must be explained, if necessary in the form of a lexicon.
1) Requests for the implementation of the rights provided for in articles 7 to 9 of the aforementioned law n ° 09-08 may be presented to the controller in writing, electronically or on site.
2) when they are presented in writing to the controller, they must be signed and accompanied by a photocopy of an identity document and precisely specify the subject of the request.
3) when the controller is not known to the requester, the latter may address his request to the head office of the legal person, public authority, service or body to which he belongs. The request is sent immediately to the controller.
1) When a request is presented on the spot, the interested party proving his identity to the controller, may be assisted by an advisor of his choice.
The request can also be presented by a person specially authorized for this purpose by the interested party, after proof of his mandate, his identity and the identity of the principal.
2) When the request relating to the right of access cannot be satisfied immediately in accordance with article 7 of the aforementioned law n ° 09-08, an acknowledgment of receipt is issued to its author, dated and signed with the mention of the reason for postponing the response and the controller immediately contacts the CNDP to set a response time.
3) When the request for rectification cannot be satisfied within the period of 10 days in accordance with paragraph a of article 8 of the aforementioned law n ° 09-08, a notice of receipt is issued to the applicant, dated and signed. and containing the reason for postponing the response. In this case, the data controller immediately contacts the CNDP to set a response time.
If the request is imprecise or does not contain all the elements allowing the controller to carry out the operations requested of him, the latter invites the requester to provide them before the expiry of the deadlines set in Article 7 and paragraph a of article 8 of law n ° 09-08 and the texts adopted for its application.
The request for additional information suspends the time limits mentioned in the previous paragraph.
Right of access
In application of article 7 of law n ° 09-08, any person proving his identity, has the right to be informed, on the data concerning him being processed, either by contacting directly to the controller, or by sending the latter a written request for access to information, signed and dated, whatever the medium:
The written request must contain: the name, first name, date of birth, as well as ” a photocopy of the identity card.
The request for access to information also contains and insofar as the requester has this information:
1) all the relevant elements concerning the data, such as their nature, the circumstances or the origin of the knowledge of the processing of these data;
2) designation of the authority or service concerned.
If several data controllers jointly manage one or more files, the right of access to information may be exercised with each of them, unless one of them is considered responsible for the all treatments.
If the requested person is not authorized to communicate the requested information, he or she must send the request to the appropriate party as soon as possible.
Pursuant to Article 8 of Law No. 09-08, any person proving their identity has the right to rectify their personal data, either by contacting the data controller directly, or by addressing the CNDP a written request for rectification signed and dated, whatever the medium:
The written request must contain: name, first name, date of birth, as well as a photocopy of the applicant’s identity card and clearly state the object of the rectification.
The request for rectification of information also contains and insofar as the requester has this information:
– all the relevant elements concerning the contested data, such as their nature, the circumstances or the origin of the knowledge of the contested data, as well as any rectifications desired;
– the designation of the authority or service concerned.
When a person makes a request to rectify or delete data concerning him, the controller or the CNDP must inform him in writing of the measures taken.
The heir of a deceased person who wishes to update the data concerning the deceased must, at the time of his request, in addition to proof of his identity, provide proof of his quality of heir by producing a notarial deed. or a family record book.
Right to object
When personal data is collected in writing from the data subject, the data controller asks the latter, on the document used as a medium for collecting the data, if he wishes exercise the right
of opposition provided for in article 9 of the aforementioned law n ° 09-08.
The person concerned must be able to express their choice before the final validation of their answers.
When personal data are collected from the data subject other than in writing, the data controller asks the latter, before the end of the collection, whether he wishes to exercise the right of opposition. In this case, the controller must keep proof that the data subject has had the opportunity to exercise their right of opposition.
The controller with whom the right of opposition has been exercised, informs without delay of this opposition any other controller that he has made the recipient of the personal data which is the subject of the opposition.
Transfer of personal data to a foreign country
Requests for the transfer of personal data to a foreign country offering a sufficient level of protection within the meaning of Article 43 of Law No. 09-08 referred to above must contain the following information:
1) the name and address of the person providing the data;
2) the name and address of the recipient of the data;
3) the name and full description of the file;
4) the categories of personal data transferred;
5) the persons concerned and their approximate number;
6) the purpose of the data processing carried out by the recipient;
7) the mode and frequency of the planned transfers;
8) the date of the first transfer.
When, by virtue of article 44 of the aforementioned law n ° 09-08, the data controller envisages a transfer of personal data to a country which does not appear in the list fixed by the CNDP provided for in article 43 of the same law and that he invokes to justify this transfer one of the exemptions provided for in the first and second paragraph of article 44 of the aforementioned law n ° 09-08, he indicates to the CNDP, in addition to the information provided for in the previous article, the specific case of exemption that he invokes in support of his request.
When in application of the 3rd paragraph of article 44 of the aforementioned law n ° 09-08, the controller envisages a transfer of personal data which requires the express authorization of the CNDP, he specifies to the CNDP, in addition the information provided for in article 44 of this decree, the measures or the device intended to guarantee a sufficient level of protection of the private life as well as of the fundamental rights and freedoms of the persons.
Regarding transfer authorizations, the CNDP decides, in accordance with the procedure governing authorizations, provided for by the aforementioned law n ° 09-08 and these implementing texts.
Any modification of the information mentioned in articles 46, 47 and 48 of this decree must be brought to the attention of the CNDP within 8 working days.
The transfer, provided for within a group of companies or to the address of several recipients for the same categories of data and the same purposes, may be the subject of a joint declaration.
The Minister of Industry, Trade and New Technologies and the Minister of Economy and Finance are responsible, each in his area, for the execution of this decree, which will be published in the Official Bulletin.