Morocco Data Privacy Laws: Law 09-08 Compliance Guide (2026)

Morocco became the first country in Africa to adopt a comprehensive data protection law when Law 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data (Loi 09-08 relative a la protection des personnes physiques a l'egard du traitement des donnees a caractere personnel) was enacted on February 18, 2009. The law entered into force following its publication in the Official Bulletin on March 23, 2009.
Law 09-08 was modeled on the French Data Protection Act (Loi Informatique et Libertes) and the EU Data Protection Directive 95/46/EC, the predecessor to the GDPR, reflecting Morocco's close legal ties with the European framework. Morocco's 2011 Constitution reinforced the right to privacy under Article 24, providing a constitutional foundation for the data protection regime.
This guide covers Morocco's data privacy framework, including the CNDP's role, registration requirements, data subject rights, cross-border transfer rules, and the country's adequacy status.
Overview of Law 09-08
Law 09-08 applies to the automated processing of personal data, as well as non-automated processing of personal data contained in or intended to be included in a filing system. The law governs data processing by both public and private entities operating within Moroccan territory.
Scope and Application
The law applies when:
- The data controller is established in Moroccan territory
- The data controller is not established in Morocco but uses processing means located in Moroccan territory (other than for mere transit)
The law does not apply to data processing carried out by a natural person for purely personal or household activities, or to data processing for national defense and state security purposes (which are governed by separate legal frameworks).
Fundamental Principles
Law 09-08 establishes several core principles:
- Fair and lawful processing: Data must be processed fairly, lawfully, and in a non-fraudulent manner
- Purpose specification: Data must be collected for specified, explicit, and legitimate purposes
- Proportionality: Data must be adequate, relevant, and not excessive in relation to the processing purposes
- Accuracy: Data must be accurate and kept up to date
- Limited retention: Data must not be kept longer than necessary for the specified purposes
- Security and confidentiality: Appropriate technical and organizational measures must protect personal data
Key Definitions
Personal data (donnees a caractere personnel): Any information relating to an identified or identifiable natural person.
Sensitive data (donnees sensibles): Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, or data concerning sexual life. Genetic data is also treated as sensitive.
Data controller (responsable du traitement): The natural or legal person, public authority, or other body that determines the purposes and means of data processing.
Data processor (sous-traitant): The natural or legal person that processes data on behalf of the controller.
Registration and Authorization Requirements
One of the most distinctive features of Morocco's data protection framework is its mandatory prior registration system. All data processing activities must be notified to or authorized by the CNDP before they begin.
Notification (Declaration)
Standard data processing operations require a prior declaration (notification) to the CNDP. The declaration must include the identity of the controller, the purposes of the processing, the categories of data processed, the categories of data subjects, the recipients of the data, proposed data transfers, and the security measures in place.
The CNDP issues a receipt acknowledging the declaration, and processing may begin once the receipt is issued.
Prior Authorization
Certain types of data processing require prior authorization from the CNDP rather than simple notification. Authorization is required for:
- Processing of sensitive data
- Processing for purposes of genetic research or the protection of public health
- Processing involving the interconnection of databases with different purposes or managed by different controllers
- Processing involving a national identification number
- Processing that includes biometric data
The CNDP evaluates authorization requests and may impose conditions or refuse authorization when the processing does not comply with Law 09-08.
Practical Impact
The registration system means that organizations cannot simply begin processing personal data and demonstrate compliance after the fact. Failure to register constitutes a criminal offense under Law 09-08.
Data Subject Rights
Law 09-08 grants individuals several fundamental rights regarding their personal data.
Right of information: Data subjects must be informed of the identity of the controller, the purposes of processing, whether responses are mandatory or optional, the consequences of failing to respond, the recipients of the data, and their right to access, rectify, and object.
Right of access: Individuals may request access to their personal data held by a controller. The controller must respond within 10 days of receiving the request. The data subject may obtain a copy of the data in an intelligible form.
Right of rectification: Data subjects may request the correction, completion, updating, or blocking of inaccurate, incomplete, or outdated data. The controller must make corrections free of charge.
Right of objection: Individuals may object to the processing of their data on legitimate grounds. They also have the right to object, without cost, to the use of their data for direct marketing purposes.
Right regarding automated decision-making: Data subjects have the right not to be subject to a decision with legal effects based solely on automated processing of their data, except in limited circumstances.
These rights are exercised by submitting a request to the data controller. If the controller fails to respond or the data subject is dissatisfied, a complaint may be filed with the CNDP.
Legal Bases for Processing
Law 09-08 establishes several conditions under which personal data may be lawfully processed.
Consent: The data subject has given unambiguous consent.
Contractual necessity: Processing is necessary for the performance of a contract to which the data subject is a party or for pre-contractual steps.
Legal obligation: Processing is necessary to comply with a legal obligation applicable to the controller.
Vital interests: Processing is necessary to protect the vital interests of the data subject.
Public interest or official authority: Processing is necessary for the performance of a task in the public interest or the exercise of official authority.
Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, provided those interests do not override the fundamental rights and freedoms of the data subject.
For sensitive data, processing is generally prohibited unless the data subject gives explicit consent or the processing falls within specific exceptions, including employment law obligations, protection of vital interests, processing by non-profit organizations regarding members, and processing for legal proceedings.
Cross-Border Data Transfers
Law 09-08 restricts the transfer of personal data to foreign countries that do not provide an adequate level of data protection.
Adequacy Assessment
The CNDP evaluates whether a recipient country provides adequate protection by considering the country's legal framework, the existence of an independent supervisory authority, and international commitments regarding data protection.
Transfer Without Adequacy
Transfers to countries without adequate protection may be authorized by the CNDP when:
- The data subject gives express consent
- The transfer is necessary for the performance of a contract between the data subject and the controller
- The transfer is necessary for a contract concluded in the interest of the data subject
- The transfer is necessary for public interest reasons or for the establishment, exercise, or defense of legal claims
- The transfer is necessary to protect the vital interests of the data subject
- The controller provides sufficient guarantees, such as through contractual clauses
Morocco's Adequacy Status
Morocco ratified the Council of Europe Convention 108 (https://www.coe.int/en/web/data-protection/convention108-and-protocol) for the Protection of Individuals with regard to Automatic Processing of Personal Data in 2019. This ratification, combined with Law 09-08's alignment with European standards, has positioned Morocco favorably for data transfers from European countries. While the European Commission has not issued a formal adequacy decision for Morocco under the GDPR, the CNDP's membership in francophone and international data protection networks facilitates cooperation.
The CNDP: Data Protection Authority
The Commission Nationale de Controle de la Protection des Donnees a Caractere Personnel (CNDP) is Morocco's independent data protection authority, established by Law 09-08.
Composition and Independence
The CNDP is composed of a president and members appointed by the King of Morocco. The commission operates independently from the government and other public authorities in the exercise of its functions.
Powers and Functions
The CNDP exercises comprehensive supervisory and enforcement functions:
- Registration: Processing all declarations and authorization requests for data processing activities
- Investigation: Conducting investigations into data processing practices, either on its own initiative or in response to complaints
- Inspection: Carrying out on-site inspections of data controllers' facilities
- Sanctions: Issuing administrative sanctions, including withdrawal of registration or authorization
- Advisory role: Providing opinions to the government and parliament on proposed legislation affecting data protection
- International cooperation: Participating in international data protection networks and cooperation mechanisms
Enforcement Record
The CNDP has steadily increased its enforcement activities since becoming operational. The commission processes thousands of declarations annually and has conducted hundreds of inspections. The CNDP publishes an annual report detailing its activities, including the number of declarations processed, complaints received, inspections conducted, and sanctions imposed.
Enforcement and Penalties
Law 09-08 establishes both criminal and administrative penalties for violations.
Criminal Penalties
| Offense | Fine (MAD) | Imprisonment |
|---|---|---|
| Processing without declaration/authorization | 10,000 - 100,000 | 3 months - 1 year |
| Processing after authorization withdrawal | 10,000 - 100,000 | 3 months - 1 year |
| Refusing data subject rights | 10,000 - 100,000 | 3 months - 1 year |
| Unlawful transfer to inadequate country | 10,000 - 100,000 | 3 months - 1 year |
| Processing sensitive data in violation of law | 50,000 - 300,000 | 6 months - 2 years |
| Processing for unauthorized purposes | 20,000 - 200,000 | 3 months - 1 year |
| Security negligence causing data breach | 20,000 - 200,000 | 3 months - 1 year |
Repeat offenses may result in doubled penalties.
Administrative Sanctions
The CNDP may also impose administrative measures, including:
- Formal warnings with deadlines for corrective action
- Temporary suspension of data processing activities
- Withdrawal of the declaration receipt or authorization
- Referral to the public prosecutor for criminal proceedings
Recent Developments
Morocco's data protection landscape continues to evolve as the country strengthens its framework.
CNDP modernization: The CNDP has invested in digital platforms to streamline the declaration and authorization process, making it easier for organizations to comply with registration requirements. Online submission and tracking of declarations has reduced processing times.
Convention 108+ ratification: Following its ratification of Convention 108, Morocco has been working toward alignment with the modernized Convention 108+ (the Amending Protocol adopted in 2018). This would further strengthen Morocco's data protection framework and support its position as a jurisdiction with adequate protections.
Increased enforcement: The CNDP has ramped up inspection and enforcement activities, particularly targeting sectors with high volumes of personal data processing, including telecommunications, banking, and digital commerce.
Digital transformation: Morocco's national digital strategy has driven significant growth in data processing activities, creating new compliance challenges. The CNDP has issued guidance on emerging issues such as cloud computing, mobile applications, and biometric data processing.
African leadership: Morocco continues to serve as a reference point for data protection in Africa. Several African countries, including Tunisia, have consulted Morocco's framework when developing their own legislation, and the CNDP participates actively in the Network of African Data Protection Authorities (RAPDP).
Sources and References
- CNDP - Official Website (cndp.ma)
- Council of Europe - Convention 108 (coe.int)
- Secretariat General du Gouvernement - Morocco (sgg.gov.ma)
- Council of Europe - Morocco Data Protection Profile (coe.int)
- UNCTAD - Data Protection Legislation Worldwide (unctad.org)
- Network of African Data Protection Authorities (RAPDP) (rapdp.org)