Morocco: Adopted CNDP guidance for data controllers on access control using biometric information including data deletion requirement

On 1 February 2023, the National Commission for the Protection of Personal Data (CNDP) issued guidance for data controllers on access control using biometric information. The guidance under Law No. 09-08 on data protection and privacy outlines requirements for the use of biometric data in access control systems by public and private entities. The guidance specifies that authorisation from the CNDP is necessary, data should be limited to extracted characteristics stored on portable media, and data must be deleted when access is no longer required. Entities are advised to inform individuals of data use, facilitate rights to access and correction, and implement security measures, including protections in third-party contracts, to safeguard biometric data.