Morocco: National Commission for the Protection of Personal Data adopted Deliberation No. 32-2015 establishing the model declaration for the processing of personal data in the context of customer management

On 13 February 2015, the National Commission for the Protection of Personal Data (CNDP) issued Deliberation No. 32-2015 establishing the model declaration for the processing of personal data in the context of customer management. The deliberation outlines specific requirements for data controllers, including permissible purposes such as contract management, invoicing, customer account administration, and loyalty programme operation. It stipulates the categories of personal data that may be collected, encompassing customer identity details, transaction data, commercial relationship information, payment records, and customer feedback. The deliberation mandates that data retention periods must not exceed the duration necessary for managing commercial relationships, whilst ensuring compliance with legal obligations. Additionally, the deliberation specifies access controls, security measures, and obligations regarding customer information rights, requiring data controllers to disclose their identity, data processing purposes, recipients, and the CNDP notification receipt number.