Note — This article is informational and does not constitute legal advice. For complex cases, consult a certified DPO or a specialized attorney. We support our clients on IT implementation compliant with Law 09-08, not on legal interpretation.
TL;DR
- Prior CNDP declaration is mandatory for every personal data processing operation in Morocco (CRM, ERP, website form, video surveillance). Procedure is free, response within 2 months, filing number must be displayed in legal notices.
- Transfers outside Morocco (AWS, Azure, foreign SaaS) are prohibited by default: CNDP authorization required, except toward EU, Switzerland, Canada and other adequacy-recognized countries. Forcing the EU region at deployment dramatically simplifies compliance.
- Penalties: administrative fines from MAD 10,000 to 300,000 per violation and up to 2 years of imprisonment in severe cases. Reputation impact through public CNDP decisions.
Last reviewed: April 2026.
In 2025, Morocco’s National Commission for the Control of Personal Data Protection (CNDP) stepped up enforcement. Declaration requests multiplied, formal notices hardened, and several sanctions were made public. For executives or CIOs deploying an ERP, a CRM or a web application in Morocco, the question is no longer “should we comply?” but “how do we comply without slowing the IT project?”.
This guide delivers an operational answer. It targets SMBs, mid-caps, groups, SaaS vendors and integrators processing personal data in Morocco or from its territory. It covers the legal framework, concrete obligations, the declaration procedure, cross-border transfers, penalties, and an actionable checklist for your IT projects.
Contents
- What is Law 09-08?
- Who is concerned?
- Law 09-08 vs GDPR: key differences
- The 4 key obligations for a business
- CNDP declaration step by step
- Transferring data outside Morocco
- CNDP compliance in a real IT project
- CNDP penalties and audits
- When to appoint a DPO
- Quick compliance checklist
- Frequently asked questions
1. What is Law 09-08?
Law 09-08, promulgated by dahir 1-09-15 of 18 February 2009, governs the processing of personal data in Morocco. Its implementing decree 2-09-165 details operational requirements. It serves two goals: protect the privacy of natural persons and facilitate international business by partially aligning Morocco with European standards of the time.
The text is modeled after European directive 95/46/EC, which preceded the General Data Protection Regulation (GDPR, 2018). This precedence explains several specificities: prior declaration remains mandatory, a DPO is not imposed, and the regime for international transfers is stricter.
Enforcement is entrusted to the CNDP, an independent administrative authority based in Rabat. It reviews declarations, handles complaints, conducts audits, and can issue sanctions. Its official site cndp.ma publishes forms, decisions and sector guidelines.
2. Who is concerned by Law 09-08?
Any company processing personal data of individuals located in Morocco is concerned, whether Moroccan or foreign, and whether acting as controller or processor.
The law applies as soon as a company processes personal data of natural persons located in Morocco. The term “processing” is deliberately broad: collection, recording, storage, consultation, transmission, archiving and deletion all qualify.
In practice, the following are concerned:
- Any business with a website containing a form (contact, signup, newsletter)
- Any organization using a CRM, ERP, HR tool or accounting software
- Web and mobile app publishers with user accounts
- Hosting providers, integrators and agencies acting as processors
- Multinationals and foreign SaaS targeting the Moroccan market
- Companies using video surveillance, biometrics or geolocation tools
A few examples to draw the line:
| Example | In scope? |
|---|---|
| Brochure site with a contact form | Yes |
| Internal ERP handling payroll and HR files | Yes |
| Mobile app with email signup | Yes |
| E-commerce store with customer accounts | Yes |
| Fully anonymous, aggregated web analytics | No |
| B2B invoicing file containing no personal data | No |
The rule: if you can identify a natural person, directly or indirectly, you are in scope.
3. Law 09-08 vs GDPR: key differences
Law 09-08 mandates prior declaration and applies strict international transfer rules, while GDPR relies on post-hoc accountability and carries much heavier fines (up to 4 percent of worldwide turnover versus MAD 300,000).
Many CIOs operating in Morocco also manage EU clients or subsidiaries subject to GDPR. Here are the differences that impact day-to-day practice:
| Aspect | Law 09-08 (Morocco) | GDPR (EU) |
|---|---|---|
| Legal basis | Consent + limited cases | 6 bases, including legitimate interest |
| Prior declaration | Mandatory before processing | Removed since 2018 |
| DPO | Not mandatory (but recommended) | Mandatory in certain cases |
| Maximum fines | MAD 300,000 + criminal sanctions | 4% of worldwide turnover |
| Data subject rights | Access, rectification, objection, deletion | Same + portability + AI explanation |
| International transfers | CNDP authorization required | Adequacy decisions, SCCs, BCRs |
| Breach notification | Mandatory, no precise deadline | 72 hours to the authority |
| Processing register | Not legally required | Required above certain thresholds |
Two takeaways:
- In Morocco, prior declaration is central. Unlike GDPR which relies on ex-post accountability, CNDP wants to be informed before processing starts.
- International transfers are more restrictive. CNDP requires explicit authorization to host data outside the country, even toward adequacy-recognized jurisdictions.
4. The 4 key obligations for a business
Four workstreams structure compliance. The first three are legal, the fourth is technical and underpins the others.
4.1 Declare each processing to the CNDP
Prior declaration is the most visible obligation. It applies to each processing purpose: customer management, HR management, commercial prospecting, video surveillance, newsletter, etc. A single system (your ERP) may therefore require several separate declarations, one per purpose it serves.
4.2 Maintain a processing register
Although not imposed by law, the register is systematically requested during audits. It documents, for each processing operation: purpose, categories of data collected, recipients, retention period, security measures, and any transfers. Typical format: a shared spreadsheet between IT, HR and legal.
4.3 Inform data subjects
Three technical deliverables:
- Legal notices including the CNDP filing number (displayed on site or app)
- Privacy policy listing purposes, legal bases, rights and contact
- Explicit consent for marketing, non-essential cookies, and sensitive data
A CNDP-compliant cookie banner (explicit consent, never inferred, with granular choice) has become the norm following recent CNDP decisions.
4.4 Secure the data
Technical and organizational measures are left to the controller’s assessment, but CNDP verifies their proportionality during audits. Minimum baseline:
- TLS encryption (HTTPS) on all flows
- Granular access management, least-privilege principle
- Encrypted backups, regularly tested
- Logging of access to sensitive data
- Documented breach response procedure
5. CNDP declaration step by step
The procedure runs online via the CNDP portal. It is free. Here are the practical steps.
Step 1 — Map the processing operations
List each purpose: customer base, HR file, newsletter, prospecting, video surveillance, etc. A mid-size company typically has between 3 and 10 distinct processing operations to declare.
Step 2 — Classify each processing
CNDP distinguishes:
- Standard declaration — normal processing with no sensitive data
- Simplified declaration — falls within a simplified norm published by CNDP (payroll, standard customer management, standard video surveillance)
- Prior authorization — sensitive data (health, religion, origin, political opinions, biometrics, criminal) or international transfer
Step 3 — Create a business account on the CNDP portal
Required: trade registry, fiscal ID, ICE, headquarters address, point of contact. Account validated within 48 to 72 hours.
Step 4 — Complete the form
Key fields:
- Identity of the data controller
- Precise purpose
- Categories of data collected
- Categories of data subjects
- Recipients (internal + external)
- Retention period
- Security measures
- Transfers outside Morocco (yes/no + details)
Step 5 — Submit and track
CNDP response within 2 months (silence equals acceptance for standard and simplified declarations; silence does NOT equal acceptance for authorizations). You receive a filing number to display in your legal notices.
In practice, the actual delay observed is 4 to 8 weeks. Plan for it in the project schedule.
6. Transferring data outside Morocco
Any transfer of personal data outside Morocco is prohibited by default and requires explicit CNDP authorization, except toward a limited list of adequacy-recognized countries (EU, Switzerland, Canada, Iceland, Norway, Liechtenstein).
This is the point companies migrating to the cloud most often underestimate. As soon as your data physically leaves Moroccan territory (AWS Paris hosting, Azure Europe, Google Cloud Belgium, US-based SaaS), you perform an international transfer.
The principle
Transfers are prohibited by default unless explicitly authorized by CNDP.
The exceptions
CNDP publishes a list of adequate countries offering an equivalent level of protection: EU member states, Switzerland, Canada, Iceland, Norway, Liechtenstein, and a few others. Transfers to these jurisdictions remain declarative rather than restrictive.
Transfers to other countries (United States, post-Brexit United Kingdom, Maghreb countries other than Morocco, etc.) require a specific authorization, accompanied by standard contractual clauses modeled after EU SCCs.
Concrete impact on technical choices
Before signing with a hosting provider, ask three questions:
- In which physical region is the data stored?
- Can the provider access the data from other countries?
- Can it guarantee data residency in an adequate zone?
AWS, Azure and Google Cloud all offer European regions with contractual guarantees. Forcing the region at deployment time dramatically simplifies CNDP declaration.
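As an added illustration (not from the original article or from any provider's documentation), here is an AWS Organizations service control policy that denies API calls whose target region is outside Paris, Ireland and Frankfurt, so a team cannot accidentally deploy a workload outside the EU adequacy zone; the region list and the exempted global services are assumptions to adapt to your account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeploymentOutsideEuAdequacyZone",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-3",
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

The NotAction list exempts global (region-less) services that would otherwise be blocked; review it against the services you actually use before attaching the policy, and keep a note of the policy in the processing register as a security measure.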
7. CNDP compliance in a real IT project
Here is how obligations play out in three scenarios we encounter weekly with our clients.
7.1 ERP deployment (Odoo, SAP, Microsoft Dynamics)
An ERP concentrates data on customers, suppliers, employees and sometimes patients or beneficiaries. It often triggers two separate declarations: commercial management on one hand, HR management on the other.
Key points:
- Hosting choice (on-premise, Morocco cloud, EU cloud) before signing
- Granular permissions within the ERP (role separation)
- Disable unused modules that collect unnecessary data
- Data export available to satisfy access and deletion rights
Our team supports these projects end-to-end through our ERP/CRM integration offer. We embed the CNDP dimension from the scoping phase to prevent late go-live blockers.
7.2 Web or mobile application with user accounts
An application collecting email, password, phone number or geolocation triggers a processing subject to declaration from the first signup.
Technical checklist:
- Signup form with explicit consent (non-pre-checked box)
- Privacy policy accessible from every screen
- Account export and deletion APIs exposed to users
- Authentication and sensitive-data access logs
- Password hashing (bcrypt/argon2 minimum)
- Compliant cookie banner (web) with granular choice
This is the baseline we systematically deliver in our web and app development offer.
7.3 Data pipeline and Business Intelligence
Data projects pose a specific challenge: multi-source aggregation can re-identify individuals even from anonymized data. CNDP considers pseudonymized data as personal.
Best practices:
- Tag sensitive columns in the data warehouse schema
- Mask or hash identifiers in non-production environments
- Document automated processing (notably if predictive AI is involved)
- Limit access to tables containing personal data (RBAC)
- Define per-table retention and automate purging
Our data engineering and analytics offer covers this layer, with permission architecture and automated retention policies.
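Added example (not code from the article, Odoo, or any named vendor): a small Python module applying two of the practices above, keyed pseudonymization plus email masking for a non-production copy, and a per-table retention check using the durations the FAQ cites; the table names, sample rows, demo key and audit date are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention policy in days, keyed by table, using the durations the
# article cites: 5 years for billing data, 3 years for non-customer prospects,
# 5 years after contract end for HR files (table names are assumed).
RETENTION_DAYS = {"billing": 5 * 365, "prospects": 3 * 365, "hr": 5 * 365}

# Constructed sample rows; "end_date" is the end of the relationship or contract.
SAMPLE_ROWS = [
    {"table": "billing", "id": "C-1001", "name": "Amina B.",
     "email": "amina@example.ma", "end_date": date(2019, 3, 31)},
    {"table": "prospects", "id": "P-2002", "name": "Youssef K.",
     "email": "youssef@example.ma", "end_date": date(2024, 1, 15)},
    {"table": "hr", "id": "E-3003", "name": "Salma R.",
     "email": "salma@example.ma", "end_date": date(2020, 12, 31)},
]
AUDIT_DATE = date(2026, 4, 1)  # constructed "today" for the demo run


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated) for a non-production copy.

    Whoever holds ``key`` can recompute the mapping and re-identify the person,
    so the output is still personal data under Law 09-08: keep the key out of
    the non-prod environment and keep the copy in the processing register.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Irreversible mask for non-prod display: first character plus domain."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def to_non_prod(row: dict, key: bytes) -> dict:
    """Copy a row for a test database: pseudonymous join key, masked email, no name."""
    out = {k: v for k, v in row.items() if k != "name"}
    out["id"] = pseudonymize(row["id"], key)
    out["email"] = mask_email(row["email"])
    return out


def records_to_purge(rows, today: date) -> list:
    """Return the ids whose per-table retention period has expired on ``today``."""
    expired = []
    for row in rows:
        deadline = row["end_date"] + timedelta(days=RETENTION_DAYS[row["table"]])
        if deadline < today:
            expired.append(row["id"])
    return sorted(expired)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in production: a secret stored outside non-prod
    for row in SAMPLE_ROWS:
        print(to_non_prod(row, key))
    print("to purge on", AUDIT_DATE, ":", records_to_purge(SAMPLE_ROWS, AUDIT_DATE))
```

The purge step only lists candidates; the actual deletion job should log what it removed so the register and an eventual CNDP audit can trace it.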
8. CNDP penalties and audits
Non-compliance with Law 09-08 exposes companies to administrative fines of MAD 10,000 to 300,000 per violation, up to two years of imprisonment in severe cases, and to public CNDP decisions that can damage reputation.
CNDP audits are triggered by an individual’s complaint or on CNDP’s own initiative. The procedure typically follows these steps:
- Written information request
- Desk audit or on-site inspection
- Formal notice with compliance deadline (30 to 90 days)
- Sanction if not remediated
Administrative sanctions
Fines range from MAD 10,000 to 300,000 per violation. Multiple simultaneous breaches can stack. Real exposure frequently exceeds one million dirhams for a non-compliant mid-size company.
Criminal sanctions
Articles 51 to 60 of the law foresee up to two years of imprisonment and heavier fines for serious cases: unfair collection, purpose diversion, refusal to cooperate with CNDP, unauthorized processing of sensitive data.
Reputation impact
CNDP decisions are published on its website. For a SaaS vendor or a B2B company, appearing in an adverse decision durably hurts prospect and international partner trust.
9. When to appoint a DPO
Unlike GDPR, Law 09-08 does not impose a Data Protection Officer. However, appointing a DPO (or “data protection referent”) is strongly recommended once you meet any of these thresholds:
- More than 50 active employees
- Processing of sensitive data (health, biometrics, minors, etc.)
- Significant volume of personal data (e-commerce > 10,000 customers, for instance)
- A subsidiary or client contractually requires GDPR compliance
Two models:
- Internal DPO — employee with a mission letter. Suited for groups and mid-caps.
- External DPO — specialized firm or shared consultant. Observed cost: MAD 500 to 2,000 per month depending on scope. Suited for SMBs.
A well-positioned DPO also reduces operational risk: reviews contracts, frames IT projects from kickoff, and prepares responses to complaints.
10. Quick compliance checklist
To print and validate with your CIO, DPO and legal counsel:
- Full inventory of processing operations completed
- CNDP declarations submitted for each processing
- Filing numbers received and archived
- Legal notices + privacy policy published, including filing number
- Compliant cookie banner (granular choice, rejection possible)
- Processor contracts include a data protection clause
- Cross-border transfer authorization obtained if foreign hosting
- Standard contractual clauses signed with each international recipient
- Processing register maintained and shared across IT, HR and legal
- Documented breach response procedure
- Technical security measures in place: TLS, encryption, RBAC, backups
- Logging of access to sensitive data enabled
- Access, rectification, objection and deletion rights implemented in your tools
- Compliance training for HR, customer support and developers completed
- DPO (internal or external) appointed if threshold met
- Annual review of register and declarations scheduled
Need to move faster? We deliver 72-hour CNDP audits of IT infrastructure for Moroccan and international companies operating in Morocco. Let’s talk.
11. Frequently asked questions
Is Law 09-08 equivalent to GDPR?
No. Law 09-08 predates GDPR and is lighter on several points (no DPO obligation, lower fines), but stricter on others (mandatory prior declaration, constrained international transfers). Alignment with European standards is regularly discussed but is not yet in force in 2026.
How much does a CNDP declaration cost?
The declaration is free. Only internal time (scoping, documentation, follow-up) represents a cost, generally between half a day and two days per declared processing.
What to do in case of a data breach?
Contain the incident, assess the impact, notify CNDP as soon as possible (the law sets no precise deadline but practice recommends less than 72 hours), and inform affected individuals if the risk is high. Documenting the procedure before any incident saves critical time.
Can I use AWS, Azure or Google Cloud in Morocco?
Yes, with two conditions. First: force the region to an adequate zone (EU by default). Second: include the international transfer in your CNDP declaration and attach standard contractual clauses. All three hyperscalers provide these clauses on request.
Does a simple brochure website need a CNDP declaration?
As soon as it offers a contact or newsletter form, yes. For a fully static site with no collection, no. A cookie banner rarely exempts you from declaration.
How long can customer data be retained?
The law requires keeping data as long as necessary for the purpose. In practice: 5 years after the end of the commercial relationship for billing data, 3 years for non-customer prospects, contract duration + 5 years for HR data. Document this duration in the register.
Are anonymized data concerned?
Truly anonymous data (impossible to re-identify, even by cross-referencing) falls outside scope. Pseudonymized data (replaced by a technical ID but still re-identifiable) remains personal.
Does a contact form require a declaration?
Yes. The “customer inquiry management” processing must be declared, even if the form only collects a name and an email.
Who can act as a DPO in Morocco?
Any person with the required skills: lawyers, compliance officers, independent consultants, specialized firms. No official certification is mandated, but GDPR certifications (AFNOR, IAPP) are increasingly valued.
How to respond to a CNDP audit?
Cooperate fully, designate a single point of contact, provide the processing register and declarations, document security measures. Any opposition or reluctance worsens the case. A DPO or external counsel can usefully frame the procedure.
In summary
Law 09-08 is not a roadblock. Well anticipated, it structures IT projects and reassures clients, partners and international investors, particularly European ones. Poorly anticipated, it delays go-lives, exposes to sanctions and damages reputation.
The right reflex: embed CNDP from project scoping, not at the end. A CIO who declares an ERP before kickoff saves 4 to 6 weeks of timeline compared to a reactive post-deployment declaration.
We support Moroccan and international companies on this exercise every week. If you are preparing an ERP deployment, a web application or a data platform, tell us about your compliance constraints before choosing the stack. We will deliver an integrated CNDP + technical scoping.
Request a CNDP audit of your IT infrastructure (72 hours)
This article will be updated after each significant CNDP regulatory change. Last editorial review: April 2026.