Morocco's Law 09-08: protecting personal and banking data
A clear guide to Law 09-08 on the protection of personal data in Morocco: its core principles, the role of the CNDP, and what it means in practice when handling banking data and choosing treasury software.
What is Law 09-08?
Law No. 09-08 on the protection of individuals with regard to the processing of personal data is Morocco's reference text for digital privacy. Enacted in 2009 by Dahir No. 1-09-15, it sets out a framework inspired by the European standards of the time and applies to any processing of personal data, whether automated or manual, carried out on Moroccan territory.
Personal data is any information relating to an identified or identifiable natural person: name, address and phone number, but also bank details, account identifiers or transaction history. As soon as a company collects, records, stores or shares such information, it becomes a data controller and must comply with the law's obligations.
Oversight is entrusted to the CNDP, the national commission for the control of personal data protection. As an independent authority, it processes filings, issues recommendations, audits processing activities and can be approached by anyone who believes their rights have been disregarded.
The core principles you must respect
Law 09-08 rests on a few structuring principles. The first is purpose limitation: data may only be collected for specified, explicit and legitimate purposes, and must not be reused in a way incompatible with those purposes. You do not collect banking data as a precaution, but for a precise and stated use.
Next come fairness and lawfulness of collection, data minimisation (gathering only what is strictly necessary), accuracy (keeping data up to date and correcting it where needed) and limited storage duration: information must not be kept beyond the time required for the purpose, subject to legal archiving obligations.
The consent of the data subject is, in principle, the foundation for processing, save for exceptions provided by law such as a legal obligation or the performance of a contract. Finally, the controller must guarantee the security and confidentiality of the data through technical and organisational measures that prevent any unauthorised access, loss or disclosure.
The rights of data subjects
The law grants every individual a set of rights enforceable against the controller. The right to information requires disclosing, at the point of collection, who is processing the data, for what purpose, and which recipients will have access.
These are complemented by the right of access (confirming that one's data is being processed and obtaining a copy), the right to rectification (correcting inaccurate or incomplete data) and the right to object, on legitimate grounds, to a given processing activity. In banking and finance, exercising these rights assumes the company can precisely locate a person's data and correct it without delay.
CNDP formalities and transfers outside Morocco
Before implementing a processing activity, the controller must, in principle, complete a prior formality with the CNDP. Depending on the nature of the data and the purpose, this may be a simple declaration or a request for authorisation, particularly for processing involving sensitive data.
One point deserves particular attention for cloud software: transferring data to a foreign country is regulated. It requires that the destination country ensures an adequate level of protection and, where applicable, an authorisation from the CNDP. Hosting banking data on servers located outside Morocco is therefore not a legally trivial choice.
The law also provides for administrative and criminal sanctions in the event of a breach. Without detailing amounts, bear in mind that failing to meet these obligations exposes a company to proceedings and reputational harm, in addition to the damage caused to individuals.
What it changes for banking and financial data
Treasury data is among the most sensitive a company holds: account statements, bank identifiers, payment schedules, and customer and supplier balances. It reveals financial health, commercial relationships and sometimes information about natural persons such as directors, employees or individual customers. As such, it calls for heightened vigilance.
In practice, this means restricting access to authorised staff only, logging who consults the data, encrypting file exchanges and setting coherent retention periods. When a bank statement is imported into a management tool, you should know where it is stored, who can read it and how long it is kept.
Choosing treasury software that fits your data policy
Compliance with Law 09-08 starts with the organisation itself: as the data controller, the company declares its processing, informs individuals and secures access. Tool choices come to support this effort, notably through data location and access control.
It is in this spirit that Tresoria offers a Morocco-based hosting option as well as an on-premise installation option, so that treasury data can remain under the company's direct control and within national borders. This is a hosting and organisational posture that supports your compliance; it is not a substitute for the obligations that fall on you: CNDP filing, informing individuals and managing consent remain your responsibility.
In practice, ask any vendor three simple questions: where the data is hosted, who can access it, and how long it is retained. Aligned with the principles of Law 09-08, these questions are often enough to tell a serious partner from a less serious solution.
See Tresoria on your own accounts
A thirty-minute demo, with your statements. No commitment.
Request a demo