Declaration and prior authorization are the two regimes through which Law 09-08 governs every processing of personal data in Morocco. Declaration to the CNDP is the ordinary formality; authorization is the exception reserved for higher-risk processing. Picking the right regime is not paperwork: it is what keeps an offence off your director's personal record.
Bottom line: declare by default, and switch to prior authorization the moment one of the law's triggers appears (sensitive data, genetic data, the CIN/CNIE number, offence data, file interconnection, re-purposing beyond the original finality, or transfer to a country not deemed adequate). When in doubt, under-classifying costs more than over-declaring.
This is the most misunderstood call in Moroccan compliance. Many companies file a generic declaration, consider the matter closed, and never realise that everyday processings (payroll, banking KYC, cloud hosting) actually belong in the authorization track. This guide gives you the decision table, the side-by-side timelines, the penalty bands correctly distinguished, and a method to classify each processing without getting it wrong.
What is the default rule, and why is declaration the baseline?
Article 12 of Law 09-08 (promulgated by Dahir 1-09-15 of 18 February 2009, application decree 2-09-165) is the gateway to the whole system. It sets a simple principle: every processing of personal data must be the subject of a prior declaration to the CNDP, unless it falls outside the law's scope, is exempted from declaration, or is subject to the prior-authorization regime.
In other words, declaration is the normal situation. You are not asking for permission; you are notifying the authority of the existence and characteristics of your processing. The CNDP then issues a récépissé (receipt) that records your step. Authorization, by contrast, is a heavier procedure, triggered by the nature of the data or the use you make of it.
The practical consequence: never assume your file is "ordinary". Start from article 12, then check, trigger by trigger, whether it tips into the authorization regime. That reversal of the usual reflex is what protects you. Our Law 09-08 and CNDP compliance guide sets the wider context.
Which processings require prior CNDP authorization?
The law lists exhaustively the cases where a simple declaration is not enough. Here is the checklist a manager can self-apply. Prior CNDP authorization is required for:
- sensitive data: racial or ethnic origin, political opinions, religious or philosophical convictions, trade-union membership, health data (including genetic data);
- genetic data, except where processed by health personnel for medical purposes;
- data relating to offences, convictions or security measures, except where processed by auxiliaries of justice;
- data containing the national identity card number (CIN/CNIE);
- interconnection of files (between public-service bodies pursuing different public-interest purposes, or between other bodies whose main purposes differ);
- processing for purposes other than those for which the data were collected (re-purposing beyond the original finality).
To this add the cross-border transfer of data to a foreign country, governed by articles 43 and 44, which we treat below as a decision branch of its own. Note carefully: biometrics (facial recognition, fingerprints) do not have a dedicated article as under the GDPR; they fall under the sensitive-data category and therefore the authorization regime.
The decision table: declaration or authorization, by use case
Here is the centrepiece. Find the row that matches your processing, then read the regime required and the legal basis. This is the tool to keep in front of you while you map your data. The legal-basis column points to the regime at stake: article 12 sets the entry rule (declaration by default), while the authorization triggers sit around articles 12 and 21-22, and cross-border transfer falls under articles 43-44.
| Data type or use case | Regime required | Legal basis | Notes |
|---|---|---|---|
| Ordinary customer file (name, email, phone) | Declaration | Art. 12 (ordinary regime) | Ordinary regime |
| Staff / basic payroll file | Declaration | Art. 12 (ordinary regime) | Switches if the CIN number is processed |
| CIN / CNIE number | Authorization | Authorization regime (art. 12 / 21-22) | Very common in HR, KYC, telecom |
| Health, genetic data | Authorization | Authorization regime, sensitive data | Exception: health staff for medical purposes |
| Origin, opinions, religion, union | Authorization | Authorization regime, sensitive data | Includes biometrics |
| Offences, convictions, security measures | Authorization | Authorization regime (art. 12 / 21-22) | Exception: auxiliaries of justice |
| Interconnection of files | Authorization | Authorization regime (art. 12 / 21-22) | Different main purposes |
| Re-purposing beyond original finality | Authorization | Authorization regime (art. 12 / 21-22) | Typical of AI and data mining |
| Transfer to a non-adequate country | Authorization | Art. 43-44 | Unless an article 44 exception applies |
| Religious, political, union, cultural, sporting non-profit | Exempt | Art. 12-1-a | Non-profit carve-out |
| Public register for public information | Outside ordinary regime | Art. 12 | No declaration |
The reading is clear: a standard customer file is declared; the moment sensitive data, a CIN number, a file crossing, a re-purposing or a transfer appears, you change regime.
What are the timelines and procedure for each regime?
The two regimes are nothing alike on the calendar, which should weigh on your project planning. Filing is form-based (codes F211, F214 and so on), in French and Arabic, on the CNDP portal. Choosing the wrong form or under-classifying a processing is the most common administrative mistake among Moroccan SMEs.
| Step | Declaration | Prior authorization |
|---|---|---|
| Receipt (récépissé) | Within 24 hours | No receipt: reasoned decision |
| Reclassification window | 8 days to reclassify into authorization if "manifest dangers" | Not applicable |
| Decision time | Immediate (receipt) | 2 months, extendable once |
| Incomplete file | To complete | Suspends the time limit until provided |
| Nature of the act | Notification | Authorization to obtain before processing |
A crucial point that is often misread: a declaration is not an approval. The CNDP does not validate your processing; it acknowledges receipt within 24 hours and reserves, for 8 days, the right to notify you that your processing presents manifest dangers (dangers manifestes) to privacy and fundamental rights, and that it therefore moves into the authorization regime. Authorization, by contrast, is a genuine decision rendered within two months, extendable once, and any incomplete file suspends that clock. In practice, build two to three months into the plan of any project touching sensitive data.
Why do foreign cloud and SaaS push you toward authorization?
This is the decision branch most Moroccan companies overlook. The moment you host personal data on an AWS, Google Cloud or Microsoft Azure region located outside Morocco, or you use a foreign CRM, HR tool or payroll solution, you are carrying out a cross-border transfer within the meaning of articles 43 and 44.
Article 43 forbids transfer to a foreign country unless that country ensures a sufficient level of protection; the CNDP maintains and updates a list of countries deemed adequate. Article 44 sets out exceptions allowing transfer to a non-adequate country, in particular with CNDP authorization or the data subject's consent. In practice, most large providers' default regions are not on the adequacy list, which pushes the company toward the authorization procedure.
The direct consequence: choosing a host is not only a technical or pricing decision. Server location determines your legal obligations. Many Moroccan companies thus run a transfer they never authorised. Audit your vendor contracts before an inspection does it for you. For the governance picture, see our enterprise data security and compliance hub.
Which exemptions and exceptions should stop you over-declaring?
Classifying well also means knowing when you are not subject to authorization, or even to declaration. Over-declaring burns internal time for nothing and clutters your compliance file.
Article 12-1-a exempts processing implemented by associations or any other non-profit body of a religious, philosophical, political, trade-union, cultural or sporting nature, for data matching their object. Public registers intended for public information fall outside the ordinary regime. On the authorization side, two technical exceptions avoid the switch: genetic data processed by health personnel for medical purposes stays outside the genetic-specific authorization regime, and data on offences processed by auxiliaries of justice escape the corresponding trigger.
The reflex to keep: first check whether an exemption applies; if not, apply the default regime (declaration); and only escalate to authorization if a trigger from article 12 or articles 43-44 is present. No more, no less.
What do you risk depending on the type of failure?
Law 09-08's penalties are criminal in nature: fixed fines in dirhams and, for serious failures, imprisonment. They are not proportional to turnover as under the GDPR; there is no percentage-of-revenue administrative fine here. Above all, they are tiered by the type of failure, which most articles confuse.
| Failure | Article | Penalty |
|---|---|---|
| Processing without declaration or authorization | Art. 52 | Fine of 10,000 to 100,000 DH |
| Sensitive data without express consent | Art. 57 | 3 months to 1 year prison AND 50,000 to 300,000 DH (or one of the two) |
| Unlawful cross-border transfer (viol. art. 43-44) | Art. 60 | 3 months to 1 year prison AND 20,000 to 200,000 DH (or one of the two) |
| Diverted purpose, unfair collection, excessive retention, missing security measures (art. 23-24) | Art. 54-59 | 3 months to 1 year prison AND 20,000 to 200,000 DH (or one of the two) |
| Refusal of access, rectification, opposition rights (art. 7-9) | Art. 53 | 20,000 to 200,000 DH per infraction |
| Obstructing the CNDP's control missions | Art. 62 | 3 to 6 months prison and 10,000 to 50,000 DH |
Two aggravating rules change the scale. For a legal person, the fines are doubled (article 64), with possible confiscation of equipment and closure of the establishment. In case of recidivism within the year following an irrevocable conviction, all penalties are doubled (article 65). Note: the fine for failure to declare or authorise (10,000 to 100,000 DH, art. 52) is distinct from the one for sensitive data without consent (50,000 to 300,000 DH, art. 57) and from the one for unlawful transfer (20,000 to 200,000 DH, art. 60). These bands are routinely conflated; do not merge them.
How do you classify your processings starting Monday morning?
Moving from theory to action comes down to a pragmatic sequence, doable in a few weeks for an SME and longer for a multi-entity group.
- Map: list every processing (one file = one finality) with who collects it, what data, why, where it is stored, for how long, and who can access it.
- Classify: run each line through the decision table above. Actively hunt for triggers (CIN, health, offences, file crossing, re-purposing, transfer).
- Notify: file the right formality on the CNDP portal, declaration or authorization request, with the matching form.
- Keep: archive the receipt or the authorization. It is your proof of compliance in an inspection.
- Re-file: the moment a finality changes, a new vendor enters, or a transfer appears, reopen the file. Compliance is not a one-off act.
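As an added example (not part of the article and not a CNDP tool), the decision table above and the "Classify" step of this sequence encoded as a small Python classifier that runs over a processing inventory; the category labels, the ADEQUATE_COUNTRIES placeholder and the sample inventory are assumptions, and the real adequacy list is the one the CNDP publishes.

```python
from dataclasses import dataclass

# Assumptions for the example: category labels are our own, ADEQUATE_COUNTRIES is a placeholder.
SENSITIVE = {"origin", "opinions", "religion", "union", "health", "biometric"}
NONPROFIT_KINDS = {"religious", "philosophical", "political", "trade-union", "cultural", "sporting"}
ADEQUATE_COUNTRIES = {"MA"}  # placeholder: the CNDP publishes the real list

@dataclass
class Processing:
    name: str
    data: set                          # e.g. {"name", "email", "cin"}
    finality: str                      # purpose stated at collection
    use: str                           # purpose the data actually serve today
    controller_kind: str = "company"   # or one of NONPROFIT_KINDS, or "public_register"
    within_object: bool = False        # non-profit data matching its object (art. 12-1-a)
    processed_by: str = ""             # "health_personnel" (medical purposes) or "auxiliary_of_justice"
    interconnection: bool = False      # file crossing between bodies with different main purposes
    transfer_country: str = "MA"       # ISO code of where the data are hosted or sent
    art44_exception: bool = False      # e.g. the data subject's consent to the transfer

def classify(p):
    """Return (regime, legal bases, triggers): exemption first, declaration by default, escalate on a trigger."""
    if p.controller_kind in NONPROFIT_KINDS and p.within_object:
        return "Exempt", ["Art. 12-1-a"], []
    if p.controller_kind == "public_register":
        return "Outside ordinary regime", ["Art. 12"], []
    triggers = []
    if p.data & SENSITIVE:
        triggers.append("sensitive data")
    if "genetic" in p.data and p.processed_by != "health_personnel":
        triggers.append("genetic data")
    if "offences" in p.data and p.processed_by != "auxiliary_of_justice":
        triggers.append("offence data")
    if "cin" in p.data:
        triggers.append("CIN/CNIE number")
    if p.interconnection:
        triggers.append("file interconnection")
    if p.use != p.finality:
        triggers.append("re-purposing beyond finality")
    bases = ["Authorization regime (art. 12 / 21-22)"] if triggers else []
    if p.transfer_country not in ADEQUATE_COUNTRIES and not p.art44_exception:
        triggers.append(f"transfer to {p.transfer_country}")
        bases.append("Art. 43-44")
    if triggers:
        return "Authorization", bases, triggers
    return "Declaration", ["Art. 12 (ordinary regime)"], []

INVENTORY = [  # constructed sample inventory, not real data
    Processing("customer file", {"name", "email", "phone"}, "orders", "orders"),
    Processing("payroll", {"name", "iban", "cin"}, "payroll", "payroll", transfer_country="US")]
```

Running `[classify(p) for p in INVENTORY]` shows the customer file staying in declaration while the payroll file is pushed into authorization twice over, by the CIN number and by the non-adequate hosting country.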
The friction point is never the form: it is the mapping and the classification. Knowing exactly which data you hold, and under which regime they fall, demands a cross-functional read of the company. That is precisely where digital consulting support saves weeks and avoids classification errors.
FAQ
Does a declaration count as CNDP approval of my processing?
No. A declaration is a mere notification: the CNDP issues a receipt within 24 hours without validating your processing. It then has 8 days to notify you of a reclassification into authorization if the processing presents manifest dangers. Only prior authorization is a genuine decision, rendered within two months. Treat the receipt as a record of your step, not as a green light.
Does processing the CIN number require authorization?
Yes. Any processing containing the national identity card number (CIN/CNIE) falls under the prior-authorization regime, not simple declaration. It is a very common and often-ignored trigger: HR onboarding, banking KYC, telecom subscriptions and loyalty programs all capture the CIN, quietly moving processings that firms assume need only a declaration into the authorization track.
Does my foreign cloud hosting require CNDP authorization?
Most often, yes. Hosting personal data outside Morocco is a cross-border transfer governed by articles 43 and 44. Transfer to a country not deemed adequate by the CNDP requires authorization, unless an article 44 exception applies (the data subject's consent, for example). Since most default cloud regions are not on the adequacy list, authorization becomes necessary. Audit your vendor and server-location contracts.
What is the penalty if I fail to declare a processing?
Processing or creating a file without the declaration or authorization required by article 12 is punished by a fine of 10,000 to 100,000 DH (article 52). For a legal person, this fine is doubled (article 64). Do not confuse this penalty with the one for sensitive data without consent (50,000 to 300,000 DH, article 57), which is heavier and can include imprisonment.
Must an association declare or seek authorization?
Processing implemented by an association or non-profit body of a religious, philosophical, political, trade-union, cultural or sporting nature is exempt (article 12-1-a), for data matching its object. Outside that perimeter, the association becomes an ordinary data controller again and applies the standard regime: declaration by default, authorization if a trigger appears, such as members' CIN numbers or health data.
Sources
- CNDP, "Loi 09-08" (cndp.ma/loi-09-08)
- CNDP, "Formalités" (cndp.ma/formalites)
- CNDP, "Notifier un traitement" (cndp.ma/notifier-un-traitement)
- CNDP, "Notifier une demande d'autorisation préalable" (cndp.ma)
- CNDP, "Liste des infractions à la loi n° 09-08 et des sanctions prévues", official PDF (cndp.ma)
- DGSSI, Décret n° 2-09-165 implementing Law 09-08
- CMS Law, "Flash info Maroc: data transfers" (articles 43-44)
Last verified: 17 June 2026.
Getting the regime right protects both the company and its director: classify each processing with the table above, then let us discuss your CNDP compliance.
