By Zakaria Korte, Korte Law in association with Amereller
Data Protection and Privacy Law in Morocco (Law 09-08)
Morocco’s Law 09-08 on the protection of individuals with regard to the processing of personal data is the country’s foundational privacy statute. It establishes comprehensive rules for the collection, use, disclosure, and cross-border transfer of personal data, and it created the national regulator responsible for oversight and enforcement. This article provides a practitioner-focused overview of the law’s scope, key definitions, compliance obligations, and enforcement framework, with practical guidance for organizations operating in or targeting Morocco.
Law 09-08 applies broadly to the processing of personal data carried out by controllers and processors established in Morocco, as well as to certain processing performed outside Morocco when tools or means located in Morocco are used. The law is technology-neutral and sector-agnostic, with special regimes for certain categories of data and processing operations.
Personal data is defined as any information relating to an identified or identifiable natural person. Identifiability may be direct or indirect, including by reference to an identification number or one or more factors specific to the person’s identity. The law draws a clear distinction between ordinary personal data and sensitive personal data, which includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, genetic or biometric data used for identification, sex life, and data relating to criminal convictions and offenses. Processing sensitive data is subject to stricter conditions and, in several cases, prior authorization by the regulator.
Processing encompasses any operation performed upon personal data, whether or not by automatic means, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, blocking, erasure, or destruction. A controller is the natural or legal person, public authority, or any other body which determines the purposes and means of processing, while a processor processes personal data on behalf of the controller.
The law applies to both public and private sector bodies. Certain public interest processing may be subject to additional conditions or authorizations, and sectoral rules can layer on top of Law 09-08.
Law 09-08 created the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP), Morocco’s independent data protection authority. The CNDP’s core functions include:
- Receiving and reviewing declarations (registrations) of processing operations and granting authorizations for certain high-risk processing, including many sensitive data processing operations and international transfers in the absence of adequacy.
- Issuing opinions, recommendations, and guidance, including model clauses and practical compliance materials.
- Conducting inspections and investigations, on-site or otherwise, to verify compliance.
- Ordering corrective measures, such as blocking, erasure, or prohibition of unlawful processing.
- Referring matters to the public prosecutor where criminal offenses are suspected.
The CNDP’s procedural role is central: many organizations’ first interaction with the authority will be through declaration or authorization filings before launching processing activities.
Controllers must implement and demonstrate compliance with core processing principles that structure the lifecycle of personal data:
- Lawfulness, fairness, and transparency: Processing must have a lawful basis, be conducted fairly, and be transparent vis-à-vis data subjects.
- Purpose limitation: Data must be collected for specific, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.
- Data minimization and proportionality: Data must be adequate, relevant, and not excessive in relation to the purposes.
- Accuracy: Data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified.
- Storage limitation: Data must not be retained longer than necessary for the purposes for which it is processed, subject to archival and statutory retention obligations.
- Security and confidentiality: Controllers and processors must ensure appropriate technical and organizational measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
These principles guide how controllers design processes, draft notices, choose vendors, and manage retention and deletion.
Processing is lawful only if it rests on at least one legal basis recognized by Law 09-08. The principal bases include:
- Consent: The data subject has given free, specific, and informed consent. For sensitive data, consent generally must be explicit, and the CNDP may still require prior authorization for certain categories (for example, biometrics used for identification).
- Contractual necessity: Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the data subject’s request prior to entering into a contract.
- Legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
- Public interest/official authority: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: Processing is necessary for the legitimate interests pursued by the controller or a third party, provided such interests are not overridden by the data subject’s fundamental rights and interests.
Controllers should document the chosen basis in their processing records and ensure alignment with data subject notices. Where consent is relied upon, it must be demonstrable and revocable, and processing must cease if consent is withdrawn unless another valid legal basis exists.
As a rule, processing sensitive data is prohibited unless a specific exception applies, such as explicit consent, processing necessary for employment law obligations, protection of vital interests where consent cannot be obtained, activities of foundations, associations, or other non-profit bodies with appropriate safeguards, data manifestly made public by the data subject, establishment or defense of legal claims, preventive or occupational medicine by a health professional bound by secrecy, or express CNDP authorization. Data concerning criminal convictions and offenses generally requires specific legal authorization and enhanced safeguards.
Law 09-08 grants individuals enforceable rights in relation to their personal data, including:
- Right to information: Controllers must provide clear notices at the time of collection, stating the identity of the controller, purposes of processing, recipients or categories of recipients, whether replies are obligatory or voluntary, potential consequences of not replying, and the existence of rights, including how to exercise them and any intended international transfers.
- Right of access: Individuals may obtain confirmation that data about them is being processed and access to that data in an intelligible form, along with information on its source and purposes.
- Right to rectification and erasure: Individuals may require the correction, completion, updating, or deletion of data that is inaccurate, incomplete, ambiguous, outdated, or whose collection, use, disclosure, or storage is prohibited.
- Right to object: Individuals may object, on legitimate grounds, to processing of their data, including for direct marketing. Where objection relates to marketing, it should be honored without undue formality.
- Right to withdraw consent: Where processing is based on consent, individuals may withdraw it, which should be as easy as giving consent.
- Right to lodge complaints: Individuals may file complaints with the CNDP, which can investigate and order corrective measures.
Controllers must enable rights requests through accessible channels, verify identity appropriately, and respond within the timeframes the law contemplates. Refusals must be justified and are subject to CNDP oversight.
International data transfers are tightly regulated. As a baseline, personal data may be transferred to a foreign country only if that country ensures an adequate level of protection recognized under Moroccan law, typically reflected in CNDP positions or determinations. In the absence of adequacy, a transfer may proceed if one of the following applies:
- The CNDP grants prior authorization, which can be grounded on appropriate safeguards such as contractual protections or other assurances presented by the controller.
- A derogation applies, such as the data subject’s explicit consent; necessity for the performance of a contract with the data subject or for pre-contractual measures; conclusion or performance of a contract in the interest of the data subject; public interest grounds; establishment, exercise, or defense of legal claims; protection of vital interests; or transfers from a public register intended to provide information to the public.
In practice, organizations frequently rely on CNDP authorization supported by contractual clauses with the recipient and a transfer impact assessment addressing local law risks. Controllers should not commence a restricted transfer before securing the requisite authorization, unless a narrowly tailored derogation squarely applies and is documented.
Controllers and processors must adopt appropriate technical and organizational measures to secure personal data. The law is risk-based: measures should be proportionate to the likelihood and severity of harm from unauthorized or unlawful processing or accidental loss or damage. Typical controls include access management, encryption or pseudonymization where appropriate, physical security, secure development practices, logging and monitoring, vulnerability management, and employee confidentiality undertakings and training.
Where a controller engages a processor, the relationship must be governed by a written agreement that:
- Binds the processor to act only on the documented instructions of the controller.
- Imposes confidentiality obligations.
- Requires implementation of security measures appropriate to the risk.
- Addresses sub-processing, data return or deletion at end of services, and cooperation with the controller to enable rights and regulatory compliance.
Vendor risk assessments should be commensurate with the processing and, for high-risk activities such as biometrics, geolocation, or large-scale profiling, should include deeper due diligence and, where applicable, prior CNDP authorization.
Law 09-08 imposes a general duty to ensure security and confidentiality of processing. While the statute does not set out a GDPR-style mandatory breach notification regime with fixed timelines, the CNDP expects prompt and responsible incident management. As a matter of good practice and in line with regulatory expectations and sectoral obligations, organizations should:
- Maintain and test an incident response plan covering detection, containment, forensic analysis, legal assessment, and communications.
- Assess whether to notify the CNDP and, where warranted, affected individuals, especially where a breach is likely to result in significant risk to rights and freedoms.
- Consider sector-specific reporting to supervising authorities where applicable, for example in financial services or telecommunications, and comply with any contractual notification duties.
Given evolving expectations and the potential for authorization conditions to impose reporting, organizations operating in Morocco should treat breach notification analysis as a routine part of incident response.
Law 09-08 establishes a regime of prior formalities with the CNDP:
- Declaration: Most processing operations must be declared to the CNDP before they begin. The declaration typically includes details of the controller, purposes, categories of data and data subjects, recipients, retention periods, security measures, and any contemplated international transfers.
- Authorization: Certain processing activities require prior authorization by the CNDP. These commonly include processing of sensitive data, use of biometric identifiers for identification or authentication, processing of national identification numbers where applicable, large-scale or high-risk surveillance (including certain video surveillance deployments), and international transfers to countries without recognized adequacy unless a derogation applies.
Controllers should map processing activities, determine which require mere declaration and which require authorization, and build lead time into project plans. Launching high-risk processing or restricted transfers without the necessary CNDP authorization exposes organizations to enforcement.
Non-compliance with Law 09-08 can trigger a range of sanctions:
- Corrective orders by the CNDP, including temporary or definitive prohibition of processing, blocking, or erasure of unlawfully processed data, and directions to bring processing into compliance.
- Referrals to the public prosecutor for offenses established by law, which can lead to criminal fines and, for serious or willful violations, potential imprisonment of responsible individuals.
Aggravating factors may include repeated non-compliance, obstruction of CNDP inspections, processing without required declaration or authorization, unlawful processing of sensitive data, and unauthorized international transfers.
The CNDP’s approach emphasizes prior formalities and transparency. Controllers that proactively engage with the CNDP, maintain documentary compliance, and remediate issues typically fare better in supervisory interactions.
Morocco’s Law 09-08 was inspired by the EU’s earlier data protection framework and shares many principles with the GDPR, but there are meaningful differences. The table below highlights key similarities and divergences relevant to multinational compliance programs.
| Topic | Law 09-08 (Morocco) | GDPR (EU) |
|---|---|---|
| Scope | Applies to processing of personal data by controllers/processors established in Morocco; limited extra-territorial link via use of means in Morocco | Broad territorial scope, including offering goods/services or monitoring behavior of individuals in the EU |
| Legal bases | Consent, contract, legal obligation, vital interests, public interest/authority, legitimate interests | Same set of bases, with detailed conditions and accountability requirements |
| Sensitive data | Prohibited unless exception applies; many cases require CNDP authorization | Prohibited unless exception applies; no prior authorization generally required |
| Data subject rights | Access, rectification, erasure, objection; complaint to CNDP | Same plus portability and restriction; enhanced profiling/automated decision safeguards |
| Accountability | Implicit through declarations/authorizations and security measures | Explicit accountability duties, including records of processing, DPIAs, DPOs, and privacy by design/default |
| DPO/DPIA | No general statutory DPO mandate or DPIA obligation | DPO mandatory for many organizations; DPIAs required for high-risk processing |
| Breach notification | No explicit 72-hour rule; notification expected as good practice and may be required by sector or authorization conditions | Mandatory notification to DPA within 72 hours and to individuals where high risk |
| Cross-border transfers | Adequacy recognized by CNDP; otherwise authorization or derogations | Adequacy decisions; standard contractual clauses, binding corporate rules, derogations |
| Prior formalities | Declarations for most processing; authorizations for high-risk/sensitive and certain transfers | No prior declarations/authorizations; accountability replaces prior formalities |
| Sanctions | Corrective orders; criminal penalties for serious offenses | Administrative fines up to 2%/4% of turnover; corrective powers |
For global organizations, these differences mean that compliance architectures designed for the GDPR often meet or exceed Moroccan requirements on internal governance and security, but Morocco’s prior formalities and authorization model require specific local project management and timelines.
While Law 09-08 is horizontal, Moroccan regulators and laws impose additional privacy and security obligations in particular sectors:
- Financial services: Banks and payment institutions are subject to prudential and cybersecurity oversight and may have incident reporting and outsourcing constraints. Use of cloud and cross-border support should be aligned with both Law 09-08 and sector supervisory expectations.
- Telecommunications: Providers must implement robust security, cooperate with lawful access requirements, and manage subscriber data and traffic data with heightened safeguards, including retention and disclosure rules.
- Healthcare: Health data processing is subject to medical secrecy and heightened safeguards, with strong access controls, audit trails, and, in many cases, CNDP authorization for sensitive processing and transfers.
- Employment and workplace monitoring: Employers must balance legitimate interests in managing the workforce with employees’ privacy rights. The CNDP has taken an interest in video surveillance, time/attendance biometrics, geolocation of vehicles, and monitoring of electronic communications. Declarations or authorizations and employee notices are often required.
- Public sector and identification systems: Processing by public bodies, including national identification systems and public registers, may be grounded in law and subject to specific authorizations and oversight. International transfers by public bodies typically undergo heightened scrutiny.
Organizations should confirm applicable sectoral instruments, supervisory expectations, and any binding circulars or guidance before deploying new technologies or cross-border arrangements.
Organizations active in Morocco should adopt a structured, risk-based privacy program calibrated to Law 09-08 and CNDP practice:
- Map processing activities: Build and maintain a record of processing operations identifying purposes, legal bases, data categories, recipients, retention, security, and transfers. Use this to determine which operations require declaration or authorization.
- Plan prior formalities early: For processing that likely needs CNDP authorization (for example, biometrics for access control, health data projects, marketing involving sensitive segmentation, or restricted transfers), incorporate lead time for filings and regulator engagement into project plans.
- Design transparent notices: Draft collection notices in clear language that meet Law 09-08’s information requirements, including the controller’s identity, purposes, recipients, rights, and transfer details. Ensure notices align with the actual processing and legal bases.
- Harden security controls: Implement appropriate technical and organizational measures, conduct periodic risk assessments, and align vendor security obligations contractually. For high-risk processing, consider encryption, pseudonymization, and strict access governance.
- Vendor due diligence and contracts: Conduct risk-based assessments of processors, document instructions, impose confidentiality and security obligations, govern sub-processing, and require return or deletion of data at contract end. For cross-border providers, address transfer restrictions and, if necessary, seek CNDP authorization.
- Manage rights requests: Establish intake channels and procedures for verifying identity, triaging, and responding in a timely manner to access, rectification, erasure, and objection requests. Maintain logs to evidence compliance.
- Responsible marketing practices: Honor opt-outs, maintain suppression lists, and avoid profiling with sensitive data without an appropriate legal basis and, where required, CNDP authorization.
- Incident readiness: Implement and test an incident response plan, define criteria for notifying the CNDP and affected individuals, and ensure contractual notification obligations with vendors are aligned with internal processes.
- Training and governance: Provide periodic training to staff, appoint accountable owners for privacy compliance, and conduct internal audits. While not mandated, assigning a privacy lead improves accountability and regulator engagement.
- Document everything: Keep copies of CNDP declarations and authorizations, internal assessments supporting legal bases and transfers, and evidence of security controls and training. Documentation is essential in inspections.
Law 09-08 establishes a comprehensive framework governing personal data in Morocco, anchored by clear processing principles, defined legal bases, enforceable data subject rights, and a supervisory model centered on declarations and authorizations. The CNDP plays an active oversight role, particularly in sensitive processing and international data transfers. While many GDPR-aligned practices translate well, organizations must account for Moroccan-specific prior formalities and sectoral overlays. A pragmatic program that combines early regulatory engagement, disciplined documentation, risk-appropriate security, and transparent data handling will position organizations to meet their obligations and maintain stakeholder trust in Morocco.
For expert guidance, contact Korte Law.