Morocco Data Privacy Laws: Law 09-08, CNDP & Compliance Guide (2026)

Morocco's data privacy framework is governed by Law 09-08, enacted in 2009, which requires all data controllers to register with the independent CNDP before processing begins. Violations carry criminal fines up to 300,000 Moroccan dirhams and up to two years imprisonment.
Morocco's data protection framework is among the most developed in Africa. Law No. 09-08, enacted on February 18, 2009, established comprehensive rules for the processing of personal data and created an independent supervisory authority, the CNDP. The law entered into force following its publication in the Official Bulletin (Bulletin Officiel) on March 23, 2009, with a two-year transitional period ending on March 16, 2011.
The framework draws heavily from the French Data Protection Act (Loi Informatique et Libertés) and the EU Data Protection Directive 95/46/EC, reflecting Morocco's close legal and economic ties with Europe. Decree No. 2-09-165 of May 21, 2009 provides the implementing regulations, setting out operational details including CNDP composition, registration procedures, and the handling of authorization requests.
This guide covers the full scope of Morocco's data privacy regime as of May 2026, including the constitutional basis, CNDP powers, registration requirements, legal bases for processing, data subject rights, cross-border transfer rules, penalties, and the latest regulatory developments.
Quick Answer: Key Facts About Morocco's Data Privacy Law
Morocco's primary data protection law is Law 09-08 of 2009. Processing of personal data requires prior registration with the CNDP, either through a declaration (notification) for standard operations or a prior authorization request for sensitive, biometric, or interconnected processing. The CNDP oversees compliance and can impose administrative sanctions and refer matters for criminal prosecution. Fines range from 10,000 to 300,000 Moroccan dirhams (MAD); imprisonment can reach two years for the most serious violations.
Morocco is not covered by an EU GDPR adequacy decision, but it has ratified Council of Europe Convention 108 and its data protection standards broadly align with European norms. Cross-border transfers from Morocco to countries without adequate protections require CNDP authorization or specific derogations.
The CNDP issued five deliberations on November 28, 2025 (D-939 through D-943), covering cookies, newsletters, patient follow-up processing, CCTV cameras in healthcare facilities, and access control to professional premises. A broader Law 09-08 modernization toward closer GDPR alignment remains under study.
Constitutional Basis: Article 24 of the 2011 Constitution
Morocco's 2011 Constitution, adopted following the Arab Spring reform process, establishes privacy as a fundamental right. Article 24 states: "Any person has the right to the protection of their private life. The domicile is inviolable. Searches may only intervene in the conditions and the forms provided by the law."
This constitutional guarantee predates and underpins the statutory data protection regime. Article 24 applies to all persons in Morocco regardless of nationality, and it places privacy protection in the same category as other fundamental rights such as freedom of expression and judicial protection.
The 2011 Constitution also reinforced judicial oversight of law enforcement activity, creating a constitutional environment in which the CNDP's independent supervisory role carries added institutional legitimacy. When regulators or courts interpret Law 09-08, Article 24 serves as the baseline: data protection rules derive their authority from the constitution, not merely from legislative discretion.
Law 09-08 and Decree 2-09-165: The Statutory Framework
Law 09-08 is titled the Law on the Protection of Individuals with Regard to the Processing of Personal Data (Loi relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel). It was passed by both chambers of Parliament and enacted by Dahir (Royal Decree) No. 1-09-15 of February 18, 2009.
Decree No. 2-09-165 of May 21, 2009 implements Law 09-08. The decree specifies the CNDP's internal organization and composition, the forms and procedures for declarations and authorization requests, the rules governing CNDP deliberations, and the practical mechanics of data subject rights exercises.
Together, Law 09-08 and Decree 2-09-165 form the core of Morocco's data protection legal architecture. The CNDP supplements this with deliberations, recommendations, and guidance documents covering specific sectors and processing activities.
Scope of Application
Law 09-08 applies to the automated processing of personal data and to non-automated processing of personal data contained in or intended for a filing system. It covers both public and private sector data controllers operating within Moroccan territory.
The law applies when the data controller is established in Morocco. It also applies when the controller is not established in Morocco but uses processing means located on Moroccan territory, except where those means are used solely for transit purposes.
The law does not apply to data processing by a natural person for purely personal or household activities. It also does not apply to processing carried out for national defense, state security, or criminal investigation purposes, which fall under separate frameworks.
Core Principles
Law 09-08 incorporates six core principles that every data controller must observe.
Fairness and lawfulness: Data must be processed fairly, lawfully, and in a non-fraudulent manner.
Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes. It may not be processed in a way incompatible with those purposes.
Data minimization: Data must be adequate, relevant, and not excessive in relation to the purposes for which it is processed.
Accuracy: Data must be accurate and, where necessary, kept up to date. Inaccurate or incomplete data must be rectified or erased.
Storage limitation: Data must not be retained in identifiable form for longer than necessary to achieve the specified purposes.
Security and confidentiality: Controllers and processors must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, alteration, unauthorized disclosure, or access.
Key Definitions
Personal data (données à caractère personnel): Any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, through an identifier such as a name, identification number, location data, or one or more factors specific to their physical, psychological, economic, cultural, or social identity.
Sensitive data (données sensibles): Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, or data concerning sexual life. Genetic data is treated as sensitive under CNDP practice, though the 2009 text predates the widespread recognition of genetic data as a distinct category.
Data controller (responsable du traitement): The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing.
Data processor (sous-traitant): The natural or legal person that processes personal data on behalf of the controller. Processors must act on documented instructions from the controller and must implement adequate security measures.
Processing: Any operation applied to personal data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, blocking, erasure, or destruction.
The CNDP: Morocco's Data Protection Authority
The Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) is established under Article 27 of Law 09-08. It operates as an independent administrative authority, free from instructions from the government or other public bodies when exercising its supervisory and enforcement functions.
Composition
Under Decree 2-09-165, the CNDP is composed of a president and members appointed by the King of Morocco for six-year renewable terms. Members include judges proposed by the Supreme Council of the Judiciary, members of Parliament, and expert members nominated for their competence in law, information technology, telecommunications, or related fields. The mixed composition ensures both legal expertise and technical knowledge in the commission's oversight work.
The CNDP is headquartered in Rabat. Its president represents the institution in its relations with external bodies and in legal proceedings.
Core Powers and Functions
Registration and authorization: The CNDP receives and processes all declarations and authorization requests for personal data processing in Morocco. It maintains a public register of lawful processing activities, which any person may consult.
Investigations and inspections: The CNDP may conduct investigations on its own initiative or in response to complaints. Its authorized agents may access premises where processing is carried out, examine documents and equipment, and interview staff. Obstruction of a CNDP investigation constitutes a separate offense under Law 09-08.
Administrative sanctions: The CNDP can issue formal notices requiring a controller to bring processing into compliance within a set deadline. It can order the suspension or cessation of processing and can withdraw a declaration receipt or authorization. For persistent non-compliance, it can refer the matter to the public prosecutor.
Advisory role: The CNDP issues opinions to the government and parliament on draft legislation affecting personal data. Ministries are expected to consult the CNDP when developing regulations involving significant data processing by public bodies.
International cooperation: The CNDP participates in the International Conference of Data Protection and Privacy Commissioners, maintains bilateral contacts with European data protection authorities, and plays an active role in the Network of African Data Protection Authorities (RAPDP).
Public guidance: The CNDP publishes deliberations, recommendations, sector-specific guidance, and simplified declaration models that set compliance standards for common processing operations.
CNDP AI Guidance (2025)
In March 2025, the CNDP issued a communique on AI and personal data protection, signaling that artificial intelligence processing requires specific attention to principles of transparency, fairness, and non-discrimination. The communique stated that AI-driven processing of personal data must ensure citizens have effective means of redress.
Separately, in September 2025, the CNDP and the Ministry of Digital Transition and Administrative Reform signed a partnership agreement to develop a national platform for responsible AI and a framework based on a Large Language Model. The CNDP is preparing a dedicated deliberation on AI processing rules, which had not yet been finalized as of May 2026.
The Registration and Authorization Regime
Morocco's prior registration requirement is the feature that most distinguishes Law 09-08 from the GDPR accountability model. Under Law 09-08, a controller may not begin processing personal data until it has obtained either a declaration receipt or a CNDP authorization. There is no option to simply document an internal assessment and proceed.
Declarations (Notifications)
Standard data processing operations require a prior declaration (déclaration préalable) to the CNDP. The declaration form, updated by the CNDP in September 2025, must include:
- Identity and contact details of the data controller
- Purposes of the processing
- Categories of personal data processed
- Categories of data subjects
- Data recipients, including any sub-processors
- Any transfers of data outside Morocco
- Description of security measures implemented
- Expected duration of processing
The CNDP issues an acknowledgment receipt (récépissé) once the declaration is complete. Processing may lawfully begin once the receipt is issued. The online declaration portal, accessible via cndp.ma, is free of charge.
Prior Authorization
Certain processing operations require formal authorization from the CNDP before they may begin. Authorization is mandatory for:
- Processing of sensitive data (health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life, genetic data)
- Processing involving genetic research or public health protection
- Processing involving interconnection of databases with different purposes or managed by different controllers
- Processing involving a national identification number
- Processing involving biometric data used for identification
The CNDP evaluates authorization requests against the requirements of Law 09-08 and may grant authorization unconditionally, grant it subject to conditions, or refuse it. Controllers must not begin processing while an authorization request is pending.
CNDP Deliberations of November 28, 2025
The CNDP issued five deliberations on November 28, 2025 (D-939-2025 through D-943-2025), introducing simplified compliance pathways for five categories of processing activity.
Deliberation D-939-2025: Establishes a simplified declaration model for processing of personal data through cookies and similar tracking technologies on a user's terminal. Controllers whose cookie processing stays within the defined parameters of the model may file the simplified form rather than a standard declaration.
Deliberation D-940-2025: Establishes a simplified declaration model for personal data processing in the context of newsletter management. Controllers that manage subscriber lists and send newsletters within the scope of the model may use the streamlined route.
Deliberation D-941-2025: Provides a standard authorization request model for patient follow-up processing (traitements de suivi des patients) in healthcare settings. Controllers running patient follow-up operations that meet the specified conditions may use this model authorization request rather than preparing a bespoke submission.
Deliberation D-942-2025: Provides a standard authorization request model for video surveillance systems in healthcare establishments (établissements de santé). Controllers deploying CCTV in hospitals or clinics for the purposes covered by the model may use this streamlined authorization route.
Deliberation D-943-2025: Provides a standard authorization request model for access control processing in private professional premises (contrôle d'accès aux locaux professionnels privés). Controllers using personal data collected through entry management or badge systems within the defined parameters may use this model request.
D-939 and D-940 are simplified declaration models (déclarations simplifiées), reflecting the lower risk profile of cookie and newsletter operations. D-941, D-942, and D-943 are standard authorization request models (demandes d'autorisation type), meaning these operations require formal CNDP authorization rather than a simple declaration, but the model forms reduce the preparation burden. Controllers that deviate from the parameters of any model must revert to a full individual declaration or authorization procedure.
Legal Bases for Processing
Law 09-08 sets out six lawful bases for processing personal data. A controller must identify a valid legal basis before processing begins and disclose it as part of the declaration to the CNDP.
Consent: The data subject has given unambiguous consent to the processing of their data for one or more specific purposes. Consent must be freely given, specific, informed, and revocable. Pre-ticked boxes and bundled consents do not satisfy this standard under CNDP guidance.
Contractual necessity: Processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual steps taken at the data subject's request.
Legal obligation: Processing is necessary to comply with a legal obligation to which the controller is subject under Moroccan law.
Vital interests: Processing is necessary to protect the vital interests of the data subject in circumstances where the data subject is physically or legally incapable of giving consent.
Public interest or official authority: Processing is necessary for the performance of a task in the public interest or the exercise of official authority vested in the controller.
Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided those interests do not override the fundamental rights and freedoms of the data subject. This basis requires a balancing test and is not available to public authorities acting in their official capacity.
For sensitive data, the general prohibition on processing applies unless explicit consent or a specific statutory exception is engaged. The exceptions include employment law obligations, protection of vital interests, processing by membership organizations relating to members, and processing for legal proceedings.
Data Subject Rights
Law 09-08 grants individuals in Morocco a suite of rights regarding their personal data. These rights apply regardless of whether the data subject is a Moroccan national; the law protects any person whose data is processed by a controller subject to Moroccan jurisdiction.
Right to Information
Controllers must provide information to data subjects at the time of data collection or, where data is obtained from third parties, within a reasonable period after collection. The information must include: the identity of the controller, the purposes of the processing, whether responses are mandatory or voluntary, the consequences of failing to provide data, the recipients or categories of recipients, and the data subject's rights under Law 09-08.
Right of Access
Data subjects may request access to all personal data that a controller holds about them. The controller must respond within 10 days of receiving a valid request. The response must include a copy of the data in intelligible form and information about the processing purposes, the categories of data, and the recipients to whom the data has been disclosed.
If the controller fails to respond within 10 days or refuses the request, the data subject may file a complaint with the CNDP or seek judicial relief.
Right of Rectification
Data subjects may request the correction, completion, updating, blocking, or erasure of data that is inaccurate, incomplete, ambiguous, outdated, or whose collection, use, communication, or storage is prohibited. The controller must make the requested changes free of charge and notify any third parties who received the inaccurate data.
Right to Object
Data subjects may object at any time, on legitimate grounds, to the processing of their data. An unconditional right to object applies to the use of personal data for direct marketing purposes: any person may demand, at no cost, that their data no longer be used for direct marketing.
Right Regarding Automated Decisions
No person may be subject to a decision that produces legal effects or significantly affects them if that decision is based solely on automated processing intended to evaluate aspects of their personality, such as professional performance, creditworthiness, reliability, or behavior. Exceptions apply where the automated decision is authorized by law or taken in connection with a contract to which the data subject is party, provided the data subject is given an opportunity to express their views.
Exercising Rights
Data subjects exercise their rights by submitting a written or electronic request directly to the data controller. If the controller does not respond satisfactorily within the statutory timeframe, the data subject may file a complaint with the CNDP. The CNDP investigates complaints and may take enforcement action against controllers who violate data subject rights.
Breach Handling
Law 09-08 does not include an explicit breach notification obligation requiring controllers to notify the CNDP or affected individuals within a set timeframe, unlike the GDPR's 72-hour notification rule. However, the general security obligation under Law 09-08 requires controllers to implement measures that prevent unauthorized access and to address breaches when they occur.
The CNDP's inspection powers mean it can investigate security incidents proactively. Controllers that experience a significant breach and fail to take remedial action may be found to have violated the security principle, exposing them to administrative sanctions and criminal referral.
Sector-specific regulations, including rules for financial institutions and telecommunications operators, may impose additional breach reporting requirements beyond the baseline of Law 09-08. Controllers in regulated sectors should check applicable sector requirements alongside Law 09-08.
The absence of a mandatory breach notification deadline under Law 09-08 is one of the frequently cited gaps in the current framework and a likely target of any future modernization effort.
Cross-Border Data Transfers
Law 09-08 restricts the transfer of personal data outside Morocco to countries that do not provide an adequate level of protection for personal data.
Adequacy Assessment
The CNDP assesses whether a recipient country provides adequate protection. Factors include: the country's domestic legal framework, the existence and effective functioning of an independent supervisory authority, the country's international commitments on data protection, and the specific circumstances of the proposed transfer. EU member states are generally treated as providing adequate protection given their GDPR compliance.
Derogations for Transfers Without Adequacy
Where the recipient country does not meet the adequacy standard, a transfer may nonetheless proceed if one of the following derogations applies:
- The data subject gives express consent to the transfer after being informed of the risks
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual steps at the data subject's request
- The transfer is necessary for a contract concluded in the interest of the data subject between the controller and a third party
- The transfer is necessary for public interest reasons or for the establishment, exercise, or defense of legal claims
- The transfer is necessary to protect the vital interests of the data subject
- The controller provides sufficient guarantees regarding the protection of privacy and fundamental rights, such as through contractual clauses approved by the CNDP
Transfers relying on contractual safeguards require CNDP authorization before the transfer takes place.
Morocco and Convention 108
Morocco ratified Council of Europe Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data in September 2019, becoming the 55th state party. Convention 108 is the only legally binding international treaty on data protection open to non-Council of Europe member states. Morocco's ratification was a significant step that positioned it as a country with internationally recognized data protection commitments.
Morocco has been participating in a Council of Europe cooperation programme specifically designed to prepare it for ratification of the modernized Convention 108+. The amending protocol was adopted in 2018 and updates the original treaty to address profiling, data breach notification, and enhanced enforcement requirements. As of April 2025, Convention 108+ had 33 ratifications out of the 38 needed to enter into force, and Morocco remained among the parties that had not yet completed ratification of the protocol.
EU Adequacy Status
Morocco does not have a formal adequacy decision from the European Commission under the GDPR. Several EU member states with historical legal and economic ties to Morocco apply a de facto favorable assessment, but this does not substitute for a Commission decision. Organizations transferring personal data from the EU to Morocco should rely on standard contractual clauses or other appropriate safeguards rather than assuming an adequacy finding.
Penalties and Enforcement
Law 09-08 establishes criminal penalties for violations and gives the CNDP broad administrative enforcement powers.
Criminal Penalties Under Law 09-08
| Offense | Fine (MAD) | Imprisonment |
|---|---|---|
| Processing without declaration or authorization | 10,000 to 100,000 | 3 months to 1 year |
| Processing after withdrawal of authorization | 10,000 to 100,000 | 3 months to 1 year |
| Refusing or obstructing data subject rights | 10,000 to 100,000 | 3 months to 1 year |
| Unauthorized transfer to inadequate country | 10,000 to 100,000 | 3 months to 1 year |
| Processing sensitive data in violation of Law 09-08 | 50,000 to 300,000 | 6 months to 2 years |
| Processing for purposes beyond authorized scope | 20,000 to 200,000 | 3 months to 1 year |
| Security negligence contributing to unauthorized access | 20,000 to 200,000 | 3 months to 1 year |
| Obstructing a CNDP inspection | 10,000 to 100,000 | 3 months to 1 year |
Repeat offenses may result in doubled fines and imprisonment. Legal persons (companies) face the same fines, and directors or officers responsible for the violation may be individually prosecuted.
Morocco is one of the few jurisdictions globally where data protection violations can result in actual imprisonment. This makes compliance with the registration regime particularly important for organizations operating in Morocco.
Administrative Sanctions
The CNDP's administrative toolkit includes:
Formal notices (mises en demeure): The CNDP can require a controller to bring processing into compliance within a specified deadline. Failure to comply with a formal notice escalates to stronger action.
Suspension of processing: The CNDP can order the temporary suspension of a processing activity. This can have significant operational impact for companies that depend on automated data processing.
Withdrawal of declaration or authorization: The CNDP can revoke the receipt or authorization that permits a controller to process data, effectively requiring them to cease the relevant operations.
Criminal referral: For serious or persistent violations, the CNDP refers the matter to the public prosecutor for criminal proceedings.
Publication: The CNDP can publish enforcement actions, including the identity of the controller and the nature of the violation, in its annual report or on its website.
Enforcement Focus Areas
The CNDP has stated publicly that its inspection and enforcement priorities include telecommunications operators and internet service providers, banking and financial services firms, healthcare providers, digital commerce and marketing platforms, and employers using biometric access or monitoring systems.
Since 2023, the CNDP has shifted toward a stricter enforcement posture after years of prioritizing education and awareness. Controllers in priority sectors that have not yet registered with the CNDP face elevated inspection risk.
Pending Reforms: Modernizing Law 09-08
Law 09-08 predates the GDPR by seven years and does not reflect several concepts central to modern data protection practice: the accountability principle, data protection officers, data protection by design and by default, mandatory breach notification, or granular consent rules for cookies and tracking technologies.
A gap analysis comparing Law 09-08 to the GDPR was carried out under the CNDP's auspices, with international support. The analysis identified areas of convergence, including definitions, material scope, processing principles, transfer safeguards, and supervisory authority mission. It also identified areas where Law 09-08 falls short, including accountability documentation, DPO requirements, breach notification timelines, and automated decision-making safeguards.
The recommended modernization scenario, described in published government consultations, aims for progressive alignment on a "moderate GDPR" model. This means adopting GDPR-equivalent rules where alignment would not impose disproportionate burdens, while preserving the prior registration system as a core feature of the Moroccan approach.
As of May 2026, no draft legislation to replace or substantially amend Law 09-08 had been submitted to Parliament. The CNDP continues to address modernization gaps through deliberations and guidance while formal legislative reform remains under preparation. Organizations that align their practices with both Law 09-08 and the GDPR framework will be well-positioned for any future legislative changes.
Recent Developments (2024-2026)
November 2025 CNDP Deliberations: The CNDP published five deliberations on November 28, 2025. D-939-2025 introduced a simplified declaration model for cookie and tracking technology processing. D-940-2025 did the same for newsletter subscriber processing. D-941-2025 established a model authorization request for patient follow-up processing in healthcare settings. D-942-2025 established a model authorization request for CCTV surveillance in healthcare facilities. D-943-2025 established a model authorization request for access control processing in private professional premises. Together these decisions reduce the compliance burden for common, bounded operations while maintaining CNDP oversight.
AI and Data Protection Guidance: In March 2025, the CNDP issued a communique on AI and personal data, establishing that AI-driven processing must satisfy transparency, fairness, and non-discrimination requirements under Law 09-08. In September 2025, the CNDP and the Ministry of Digital Transition signed an agreement to build a national responsible AI platform incorporating data protection by design. A dedicated CNDP deliberation on AI processing rules was under preparation as of May 2026.
Convention 108+ Progress: Morocco continued to participate in the Council of Europe cooperation programme focused on Convention 108+ ratification. As of April 2025, seven more state party ratifications were needed for the protocol to enter into force, keeping the international pressure for modernization active.
Declaration Form Update (September 2025): The CNDP published an updated standard declaration form (revision F211, dated September 10, 2025), simplifying the submission process for online declarations.
African Leadership: Morocco remains an anchor for data protection development in Africa through its active participation in RAPDP. The CNDP provides technical assistance to peer authorities across the continent, and several African states have modeled elements of their frameworks on Morocco's Law 09-08 experience.
Business Compliance Guide
Organizations that process personal data of individuals in Morocco need to take the following steps to comply with Law 09-08.
Step 1: Map your data processing activities. Identify every category of personal data your organization processes, the purposes of processing, the legal basis for each operation, the data subjects involved, the recipients of the data, any transfers outside Morocco, and the security measures in place.
Step 2: Register with the CNDP before processing begins. For each processing activity, determine whether a declaration or a prior authorization is required. Standard operations need a declaration filed through the CNDP's online portal at cndp.ma. Operations involving sensitive data, biometric data, or database interconnections require a formal authorization request. Do not begin processing until the CNDP issues the receipt or authorization.
Check whether your processing falls within a published CNDP model (cookies, newsletters, patient follow-up, healthcare CCTV, and professional premises access control as of May 2026). Use the appropriate simplified declaration or model authorization request form if the parameters match.
Step 3: Review consent and information notices. Ensure that data subjects receive complete information about your processing at the time of data collection. For consent-based processing, confirm that consent is freely given, specific, informed, and as easy to withdraw as to give. Update privacy notices and cookie consent mechanisms to reflect the November 2025 CNDP deliberations.
Step 4: Implement security measures. Technical and organizational measures must be proportionate to the risks of the processing. At minimum, implement access controls, encryption for sensitive data in transit and at rest, audit logging, regular security assessments, and a documented response process for security incidents.
Step 5: Establish data subject rights procedures. Create a process for receiving, verifying, and responding to access, rectification, and objection requests. Response to access requests must occur within 10 days. Maintain logs of requests received and responses provided.
Step 6: Review cross-border transfers. If your organization transfers personal data outside Morocco, identify the recipient country, assess whether the CNDP treats it as adequate, and determine the appropriate derogation or safeguard if it does not. Transfers relying on contractual safeguards require CNDP authorization.
Step 7: Train staff and appoint a compliance contact. Ensure that staff who handle personal data understand the requirements of Law 09-08. Appoint a designated contact to manage CNDP registrations, handle data subject requests, and respond to regulatory inquiries.
Step 8: Monitor CNDP developments. The CNDP regularly publishes new deliberations, guidance, and simplified declaration models at cndp.ma. Track these updates as Law 09-08 modernization progresses.
For legal advice tailored to your organization's specific situation, consult a qualified Moroccan data protection attorney.