The CNDP (Commission Nationale de contrôle de la Protection des Données à caractère personnel) is the independent authority that enforces Law 09-08, the statute governing all personal data processing in Morocco since 2009. Together they set the obligations of every Moroccan business: declare your processing, secure the data, and respect the rights of the people behind it.
In 2026, any Moroccan company that collects personal data (customers, employees, leads) must, before processing, either file a declaration on cndp.ma (receipt within 24h) or obtain prior authorization for sensitive data. Since early 2025, the CNDP has moved from awareness to active enforcement, with fines up to 300,000 MAD plus criminal penalties.
For fifteen years, CNDP compliance stayed a theoretical topic for most Moroccan executives. That era is over. This guide explains, without jargon, what Law 09-08 actually requires, who is affected, how to complete the formalities, what you risk, and where to concretely start.
What are Law 09-08 and the CNDP, and why do they apply to my business?
Law 09-08 on the protection of individuals with regard to the processing of personal data was promulgated by Dahir 1-09-15 on 18 February 2009. Its application decree (no. 2-09-165) dates from 21 May 2009, with full effect from 2011 after a transition period.
The CNDP is the independent authority that enforces it. Its missions: information, advice, processing declarations and authorization requests, control, and sanction. Morocco has also ratified the Council of Europe's Convention 108 and its Additional Protocol, in force for the Kingdom since 1 September 2019, making it the 55th State Party.
Why does this apply to you? Because the moment your company collects a name, an email, a phone number, an HR record, or a purchase history, you are a data controller subject to the law. It is not a question of headcount or sector: it is a general legal obligation that covers the entire local business ecosystem.
Is my company actually subject to Law 09-08?
Yes, in nearly every case. The obligations apply broadly: every Moroccan company that collects personal data, foreign companies processing data of Moroccan residents or using Moroccan infrastructure, associations and NGOs, public institutions, plus websites, mobile apps, and e-commerce platforms.
In practice, if you have a customer database, a payroll system, a CRM, a site with a contact form, or video surveillance, you are covered. Only three categories escape the declaration requirement: purely personal or domestic activities, public registers intended for public information, and certain processing tied to national defense, state security, or crime prevention. Non-profit associations of a religious, philosophical, political, union, cultural, or sports nature also benefit from targeted exemptions.
In other words, Law 09-08 does not target a niche: it reaches the whole of Morocco's economy, from the family-owned SME to the large listed group, and even foreign firms handling Moroccan residents' data.
CNDP declaration or authorization: which formality applies to my processing?
Morocco runs a two-track system, and picking the wrong track is the most common mistake. Declaration is the default regime: all processing must be declared unless it is exempt or falls under authorization. The CNDP issues a receipt within 24 hours and has 8 days to notify you if your processing actually requires prior authorization.
Prior authorization is required for more sensitive processing. The table below summarizes the fork.
| Criterion | Declaration (default) | Prior authorization |
|-----------|----------------------|---------------------|
| Data involved | Ordinary data (name, email, basic HR) | Sensitive data: origin, opinions, health, genetic, religion, union |
| Identifiers | Standard contact details | National ID (CIN) number, criminal record, convictions |
| Use | Original purpose | Repurposing data beyond original collection |
| Cross-referencing | Single file | File interconnection across different purposes |
| International | No transfer outside adequate zone | Transfer to a non-adequate country |
| CNDP timeline | Receipt within 24h | Opinion within 2 months, extendable once |
In concrete terms: a standard customer file is declared; a health-data file, processing of the CIN number, or a transfer to a non-adequate foreign cloud all require authorization.
How do I file a CNDP declaration step by step?
Everything happens online at cndp.ma. The declaration must contain, per Article 15: the controller's identity, the purpose, the data categories, the categories of people concerned, the recipients, international transfers and their safeguards, the retention duration, and the security measures.
The form depends on your situation:
| Form | Use |
|------|-----|
| F211 | Standard declaration |
| F214 | Simplified declaration |
| F112 | Standard authorization request |
| F113 | Simplified authorization request |
| F118 | Cross-border data transfer |
The sequence is simple on paper: first map your processing (one file equals one purpose), create your account on the CNDP portal, select the right form, fill in the eight headings of Article 15, submit, and keep your receipt. Then wait the 8 days to confirm no further authorization is required. The real difficulty is not administrative: it is the upfront mapping, which means knowing exactly what data you hold and why. This is where digital consulting support saves weeks.
What data-subject rights must my company guarantee?
Law 09-08 grants the people whose data you process a baseline of rights that your company must be able to honor quickly and, in most cases, free of charge.
The right to information requires you to state clearly, at the point of collection, who is collecting, why, and what rights the person has: that is the role of your privacy policy. The right of access lets anyone find out what data you hold about them. The right of rectification lets them correct inaccurate or outdated information. The right of opposition lets them refuse, on legitimate grounds, certain processing, particularly direct marketing. On top of this sits the ability to withdraw consent where the processing relied on it.
For a business, guaranteeing these rights means three things: a readable privacy policy, an identified contact point to receive requests, and an internal procedure to respond within reasonable timeframes. Ignoring an access or opposition request is precisely the kind of failure the CNDP now actively checks.
Why does 2025 change everything for CNDP compliance?
This is the point many executives have not yet absorbed. After roughly fifteen years devoted to awareness, the CNDP officially closed its sensitization phase in early 2025 and moved to active controls and prosecutions, with strict compliance deadlines.
The first wave targeted the pharmaceutical sector in February 2025: more than 3,000 pharmacies received an official letter setting precise deadlines to declare their processing. In May 2025 the campaign expanded to health (clinics, labs), finance (credit institutions), e-commerce (platforms, marketplaces), and telecoms. The CNDP sent letters to non-compliant companies, requiring them to declare all processing, designate a clear data-responsibility representative, and obtain the necessary authorizations, warning of legal sanctions for persistent non-compliance.
The message is unambiguous: declaration is no longer a formality you postpone. Sectors regulated by Bank Al-Maghrib, ACAPS, or the AMMC are on the front line, but no company is now beyond the reach of a control.
What does non-compliance cost my company?
Penalties under Law 09-08 are criminal, which sets them apart from a simple administrative fine and exposes directors to personal liability. They are graduated by article.
| Failure (article) | Fine | Prison |
|-------------------|------|--------|
| Processing without declaration (Art. 52) | 10,000 - 100,000 MAD | - |
| Breach of obligations (Art. 52/53/55) | 20,000 - 200,000 MAD | 3 months to 1 year |
| Sensitive data without explicit consent (Art. 56) | 50,000 - 300,000 MAD | 3 months to 1 year |
| Obstruction and other offenses (Art. 62-63) | 10,000 - 100,000 MAD | with prison |
The decisive point: for a legal entity, all fines are doubled, raising the effective ceiling to roughly 600,000 MAD. Add a prison term of 3 months to 1 year depending on the offense, and, in serious cases, closure of the establishment or seizure of assets.
What is the DATA-TIKA program and the CGEM-CNDP corridor?
DATA-TIKA is a program launched by the CNDP in 2020 to strengthen organizations' capacity in data governance and security. In practice it is a support-and-labelling scheme that helps members structure their compliance proactively rather than absorb it reactively.
Membership took on a new dimension on 13 November 2025: the CGEM (the Moroccan employers' confederation) signed a partnership convention with the CNDP, executed in Casablanca by CGEM president Chakib Alj and CNDP president Omar Seghrouchni. This CGEM-CNDP corridor aims to facilitate regulatory compliance for member companies.
The signal is strategic. When the country's main employers' body formally aligns with the regulator, compliance stops being a topic for lawyers and becomes a governance priority. Other documented adherents include the CMR (April 2024), Maroc Telecom, and ANGSPE (April 2025). The CNDP has also held the permanent secretariat of the African network of data protection authorities since May 2023, positioning Morocco as a regional reference.
Cross-border data transfers: when do I need CNDP authorization?
This is a point every executive using the cloud must understand. The moment you host personal data on AWS, Google Cloud, Microsoft Azure, or a foreign SaaS, you are performing an international transfer, subject to the Office des Changes for financial flows and, for data, to Law 09-08.
The rule is this: transfers are freer to countries recognized as offering an adequate level of protection, equivalent to that of the European Union. To other destinations, prior CNDP authorization is required, together with safeguards such as standard contractual clauses between you and your provider.
Put plainly, choosing a host is not just a technical or pricing decision: where the servers sit determines your legal obligations. A project that offloads customer data to a non-adequate cloud without CNDP authorization is in breach, no matter how good the solution is. A reform of Law 09-08 toward closer GDPR alignment (legal bases, accountability, sanction levels) has also been announced.
The CNDP compliance checklist: where do I concretely start?
Here is the pragmatic sequence to go from zero to compliant without scattering your effort.
- Map all your processing: a table listing who, what, why, where it is stored, for how long, and who has access.
- Qualify each processing activity: simple declaration or prior authorization depending on data sensitivity.
- Designate a clear data-protection lead internally, the contact point for the CNDP and for data subjects.
- File the declarations and authorization requests on cndp.ma with the right forms (F211, F214, F112, F113, F118).
- Publish a clear, accessible privacy policy on your sites and apps.
- Secure technically: encryption, access control, logging, backups.
- Check your international transfers and obtain CNDP authorization for any non-adequate cloud.
- Prepare a procedure for responding to data-subject rights and for breach notification.
- Document and date every decision: that is what makes the difference under a control.
For an SME, this checklist is a matter of weeks; longer for a multi-entity group. The mistake would be to wait for the CNDP letter.
Which formality fits my company profile?
To make it concrete, here is the decision tree by common use case.
- E-commerce / marketplace: declare the customer file; authorization if you cross-reference files or host data outside the adequate zone. Notices and consent are mandatory.
- Health (clinic, lab, practice): prior authorization is systematic, because health data is sensitive (Art. 56). A sector targeted by the 2025 controls.
- HR / payroll: declare the personnel file; watch the CIN number, which can tip you into authorization.
- Video surveillance: a specific declaration, visible notice to filmed individuals, limited retention period.
- AI and data: maximum caution. Reusing data to train a model, beyond the original purpose, falls under authorization. Align with the Maroc Digital 2030 and Maroc IA 2030 strategies.
- Finance (under Bank Al-Maghrib, AMMC, ACAPS): declaration plus authorization for cross-referencing and transfers; a priority sector for controls.
When in doubt, the golden rule is simple: declare by default, and switch to authorization the moment sensitive data, the CIN number, file cross-referencing, or a transfer outside the adequate zone appears.
CNDP compliance is no longer an option to defer. It is now a governance test the CNDP is administering sector by sector, and a requirement your customers and partners will start to verify. The good news: built in from the design of your sites, apps, and tools, it becomes a trust advantage rather than an imposed burden.
To map your processing, prioritize your declarations, and secure your transfers without over-investing, let's talk about your compliance. For the broader frame of data security and governance, see our pillar guide: enterprise data security and compliance in Morocco.
FAQ
Does every Moroccan company have to declare its processing to the CNDP?
Yes, in nearly all cases. The moment you collect personal data (customers, employees, leads), you are a data controller and must declare on cndp.ma, with a receipt within 24h. Only purely personal activities, public registers, and certain defense or state-security processing escape the obligation. Headcount and sector do not exempt you.
What is the difference between a CNDP declaration and authorization?
Declaration is the default regime for ordinary processing: receipt within 24h. Prior authorization is required for sensitive data (health, genetic, opinions), the CIN number, criminal records, file interconnection, and transfers to a non-adequate country. The CNDP then issues its opinion within two months, extendable once. Picking the wrong track is the most common error.
What are the fines for breaching Law 09-08?
Penalties are criminal: from 10,000 MAD (Art. 52) up to 300,000 MAD for processing sensitive data without consent (Art. 56), with 3 months to 1 year of prison. For a legal entity, all fines are doubled, so up to roughly 600,000 MAD effectively, with possible closure of the establishment and personal liability for directors.
Is the CNDP really auditing companies in 2025 and 2026?
Yes. In early 2025, the CNDP ended its awareness phase and moved to active controls. The first wave notified more than 3,000 pharmacies in February 2025, then health, finance, e-commerce, and telecoms in May 2025. The CNDP has warned of legal sanctions for persistent non-compliance, and controls continue sector by sector.
Does my foreign cloud hosting require CNDP authorization?
Yes, whenever the destination country is not recognized as offering an adequate level of protection. Hosting personal data on a non-adequate foreign cloud is an international transfer that requires prior CNDP authorization and safeguards such as standard contractual clauses with your provider. Where the servers sit determines your obligations.
Sources
- DPO Consulting, "Moroccan Data Protection Law 09-08"
- CNDP, "Formalités" and "Notifier un traitement" (cndp.ma)
- Medias24, "Personal data: what the law provides in case of violations" (2023)
- void.ma, "CNDP and personal data compliance"
- Lafrouji Avocats, "Data protection in Morocco - CNDP"
- Maroc24, "The CNDP intensifies its controls" (May 2025)
- La Vie éco, "CGEM joins the DATA-TIKA program launched by the CNDP"
- Village de la Justice, "The CNDP's African leadership"
- Council of Europe, "Morocco, 55th State Party to Convention 108"
- Upsilon Consulting, "CNDP declarations and authorizations: a practical guide"
Last verified: 16 June 2026.
