Page 1

Deliberation n ° 508-AU-2014 of 14/11/2014 on the model of standard declaration
concerning the processing of personal data relating to the sale
online.
The National Commission for the Control of Personal Data Protection ,
met on 14/11/2014, under the chairmanship of Mr. Saïd Ihraï;
Were present Mrs. Souad El Kohen, Messrs Driss Belmahi, Abdelaziz Benzakour,
Brahim Bouabid, Abdelmjid Rhoumija and Omar Seghrouchni.
Considering the law n ° 09-08 promulgated by the Dahir 1-09-15 of February 18, 2009, relating to the protection
of natural persons with regard to the processing of personal data (BO n °
5714 of 05/03/2009);
Considering the decree n ° 2-09-165 of May 21, 2009 taken for the application of the aforementioned law n ° 09-08 (BO
n ° 5744 of 06/18/2009);
Having regard to the internal regulations of the CNDP (approved by decision of the Prime Minister n ° 3-33-11
of March 28, 2011 / BO n ° 5932 of 04/07/2011);
Having regard to deliberation n ° 30-S-2012 of November 9, 2012, relating to the simplification of procedures
administrative processing notification to the CNDP;
Decide:
Article 1: Data controllers
Any trader, natural person or
legal, offering the online sale of goods or services.
Article 2: Data subjects
This processing concerns any natural person whose personal data
are processed as part of an online sale.
Article 3: Purposes of processing
The processing of online sales may have all or part of the following purposes:
✓ Management of customer accounts:
• Creation;
• Modification;

1

Page 2

• Deactivation and reactivation;
• Closure and deletion;
✓ Management of commercial transactions:
• Order;
• Billing;
• Delivery;
• Accounting.
✓ Customer relationship management:
• Loyalty program;
• After-sales service management;
• Claims management;
• Litigation and litigation management
• Carrying out satisfaction surveys;
• Commercial prospecting in compliance with the provisions of article 10 of law 0908 and other legal and regulatory provisions in force;
• Web metric of use and attendance concerning the online sales site
in compliance with article 8 of this deliberation.
Article 4: Data processed
In accordance with the principle of proportionality, it is not necessary to collect and process, among the data
mentioned below, than those strictly necessary for the achievement of the purposes pursued by the
controller.
The categories of data that may be collected and processed for the achievement of the purposes
described in article 3 above are:
✓ data relating to identity: name, first name, login, password, address, numbers
phone number, fax number, email, date of birth (for the protection of minors)
and internal code of the client. This must not be the credit card number or a
national identifier such as the CNI number, the CNSS identifier or the
Passport number;
✓ data relating to means of payment: method of payment, type of card
bank, credit card number, expiration date and verification codes;
✓ data relating to the commercial transaction such as the number of
transaction, details of the purchase of goods or services and delivery address;
✓ data relating to the monitoring of the commercial relationship such as requests for
after-sales services, the history of purchases and services, the return of
products, the origin of the sale (seller, representative, partner, etc.) and the exchanges and
feedback from customers and prospects;

2

Page 3

✓ data relating to people who submit opinions and comments on
goods or services, such as email and pseudonym;
✓ visitor login data may be used for metric purposes
web of use and attendance , in compliance with article 8 of this
deliberation, such as date, time, Internet address, protocol used and page
consulted.
Article 5: Data recipients
Personal data collected in the context of online sales may be
communicated to those involved in the commercial transaction, in particular subcontractors
(logistics companies, etc.), payment system managers and establishments
financial.
Recipients are required to ensure the confidentiality of the personal data they receive.
communicated.
Article 6: Data retention period
Subject to legal and regulatory provisions to the contrary, personal information
necessary for the aforementioned processing, making it possible to identify directly or indirectly
the categories of the aforementioned persons must not be kept beyond the period
necessary for the achievement of the purposes covered by this deliberation.
Bank card numbers may be kept subject to obtaining the
express consent of the data subject. However, the expiration date and the codes
verification cannot, under any circumstances, be kept after the completion of the transaction
banking.
Data relating to the web metric of use and attendance, concerning the site of
sale online, can be stored for up to six months after collection. Beyond this period,
this data must either be deleted or anonymized.
Article 7: Rights of data subjects
The controller:
1. must ensure that the data subjects' right to information is respected, in accordance with
in Article 5 of Law 09-08, by communicating the following information to them:
✓ The identity of the data controller who operates the online sales site;
✓ The purposes of the processing;
✓ The obligatory or optional nature of the answers;
✓ The nature of the data collected;

3

Page 4

✓ The recipients of the data;
✓ The planned transfers of personal data abroad;
✓ Contact details for the exercise of rights of access, rectification and
opposition;
✓ And the references of the receipt issued by the CNDP.
2.Can not carry out the processing relating to the online sale without the consent
free and informed prior of the data subject or the justification of the existence
a waiver of the consent requirement, in accordance with the provisions of the
law 09-08.

Article 8: Web metrics of use and attendance:
To analyze the use of the merchant site, the data controller can use the
connection data mentioned in article 4 after having informed users of
clear and precise manner and obtained their consents.
Article 9: Data security and confidentiality
The controller takes all appropriate precautions to preserve the
security and confidentiality of the data processed, in particular to prevent them from being
destroyed, distorted, damaged or that unauthorized third parties may take
knowledge, in accordance with the provisions of section 3 -chapter III- of law 09-08
mentioned above (Articles 23, 24, 25 and 26).
Security measures must cover both data stored on paper media
than IT.
Article 10: Transfer of data abroad
Any transfer of data abroad must be notified in advance to the Commission
National control of the protection of Personal Data, in particular in
the case of hosting or storage of data on servers located outside the
National territory.
Article 11: Interconnection and cross-checking with other files.
Interconnection and cross-checking with other files whose main purposes are
different must be the subject of a separate authorization request, in accordance with
Article 12, paragraph 1, sub-paragraph f of Law 09-08.

4

Page 5

Article 12: Method and fields of application
Any online sales processing in accordance with the terms of this deliberation must be
notified to the CNDP by means of a standard declaration request.
Any processing of personal data relating to online sales, not responding
not under the conditions set by this model, must be the subject of a request for authorization
or declaration to the Commission in the forms prescribed by Articles 12 and 15 of
the aforementioned law 09-08 and its implementing decree.
Done in Rabat, November 14, 2014
President
Said Ihrai

5

