Übermittlung personenbezogener Daten von der EU nach Marokko: DSGVO, Gesetz 09-08 und grenzüberschreitende Compliance

THE ENGLISH GUIDE:

Transferring Personal Data from the EU to Morocco: GDPR, Law 09-08 and Cross-Border Compliance

Two Regimes, One Data Flow

Any European company that shares personal data with a Moroccan office, subsidiary, call center, or service provider confronts two distinct legal frameworks simultaneously. On the export side, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) governs the conditions under which personal data may leave the European Economic Area. On the import side, Morocco’s Law No. 09-08 on the protection of individuals with regard to the processing of personal data, together with its implementing Decree No. 2-09-165 and the supervisory authority it created—the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP)—imposes independent registration, authorization, and security obligations on the Moroccan data recipient.

Compliance requires satisfying both regimes. A transfer that is lawful under GDPR but ignores the CNDP, or vice versa, remains non-compliant. This article focuses specifically on the cross-border transfer question. For a broader overview of Moroccan data protection obligations, see our companion guide on Law 09-08 compliance.

Is Morocco “Adequate” Under GDPR Article 45?

Morocco is not on the European Commission’s list of countries benefiting from an adequacy decision under GDPR Article 45. The Commission has adopted adequacy decisions for 17 jurisdictions and frameworks—including Japan, the United Kingdom, South Korea, Argentina, Canada (commercial organizations), Israel, New Zealand, Switzerland, Uruguay, and the United States (under the EU-U.S. Data Privacy Framework)—but Morocco is not among them.

Morocco submitted a request for an adequacy assessment to the European Commission as early as 2009. That request remains pending; no adequacy decision has been adopted. The practical consequence is clear: GDPR Article 45 does not apply, and any transfer of personal data from the EU or EEA to Morocco must rely on the alternative transfer mechanisms set out in GDPR Articles 46 through 49.

GDPR Transfer Mechanisms for the EU Exporter

Standard Contractual Clauses (2021 SCCs)

The most widely used tool is the set of Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. These replaced the prior 2001/2004/2010 SCC sets; pre-2021 clauses are no longer valid for any transfer. The 2021 SCCs employ a modular structure: Module 1 (controller-to-controller), Module 2 (controller-to-processor), Module 3 (processor-to-processor), and Module 4 (processor-to-controller). German exporters should select the module corresponding to their relationship with the Moroccan importer—most commonly Module 2 for outsourcing and BPO, or Module 1 for shared-access scenarios between group companies each acting as controller.

Transfer Impact Assessment (TIA)

Clause 14 of the 2021 SCCs requires the parties, before concluding the clauses, to assess whether the laws and practices of the destination country—here, Morocco—could prevent the data importer from fulfilling its obligations under the SCCs. This obligation flows directly from the Court of Justice’s judgment in Schrems II (CJEU Case C-311/18, 16 July 2020). The exporter must document this Transfer Impact Assessment, identify any supplementary measures (technical, organizational, or contractual) needed to ensure an essentially equivalent level of protection, and make the assessment available to its supervisory authority on request. For Morocco, the TIA should address the CNDP’s powers, any government access provisions under Moroccan law, and the practical enforceability of data-subject rights.

Binding Corporate Rules (BCRs)

Corporate groups that regularly transfer personal data to a Moroccan subsidiary may apply for Binding Corporate Rules under GDPR Article 47. BCRs require approval by a lead supervisory authority in the EU and establish group-wide data protection standards. While more resource-intensive to obtain than SCCs, BCRs provide a durable, enterprise-wide framework for intra-group transfers without the need to execute individual SCC sets per entity.

Article 49 Derogations

GDPR Article 49 provides narrow derogations—explicit consent, necessity for the performance of a contract, important public interest, legal claims, and vital interests—that permit transfers in the absence of adequacy or appropriate safeguards. These derogations are interpreted restrictively and are not suitable for systematic, repetitive, or large-scale transfers such as ongoing BPO operations, regular payroll processing, or continuous CRM access. They may apply to occasional, one-off transfers (e.g., a single employee relocation file sent with explicit consent).

The Moroccan Side: Law 09-08 Obligations for the Data Importer

CNDP Declaration or Authorization

Under Law 09-08, all processing of personal data carried out in Morocco—or using means located in Morocco—must be the subject of a prior declaration or prior authorization with the CNDP, under penalty of criminal sanctions. Ordinary processing operations require a declaration (notification). Processing involving sensitive data (health, biometric, criminal records) or international transfers of personal data to countries without adequate protection requires prior authorization from the CNDP.

CNDP Authorization for Cross-Border Transfers

Law 09-08 separately requires CNDP authorization for transfers of personal data outside Morocco to countries that do not provide an adequate level of protection. This is relevant where the Moroccan entity itself onward-transfers data or where data hosted in Morocco is accessed from a third country. The CNDP’s transfer authorization is a distinct regulatory step from the EU-side SCCs; it must be obtained independently and in advance.

Data-Subject Rights and Security

Law 09-08 grants data subjects rights of access, rectification, and opposition. The Moroccan data controller or processor must also implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, or destruction. The CNDP may impose administrative measures including formal warnings, suspension of processing, withdrawal of declarations or authorizations, and referral to the public prosecutor.

Common Practical Scenarios

  • Moroccan call center or BPO: A German company engages a Moroccan service provider to handle EU customer inquiries. The German controller executes Module 2 SCCs (controller-to-processor) with the Moroccan processor, completes a TIA, and enters into a GDPR Article 28 data processing agreement. The Moroccan processor files its CNDP declaration (or authorization, depending on data categories).

• HR data for a Moroccan subsidiary: A German parent shares employee data with its Moroccan subsidiary for local payroll and personnel administration. Module 1 SCCs (controller-to-controller) or Module 2 (if the subsidiary processes strictly on instruction) apply. The subsidiary registers the processing with the CNDP.

• Shared CRM accessible from Morocco: German and Moroccan offices access a centrally hosted CRM. Even if data is hosted in the EU, access from Morocco constitutes a transfer. SCCs and a TIA are required; the Moroccan entity must declare its processing to the CNDP.

• Cloud hosting with Moroccan access: Where a Moroccan vendor or subsidiary can access EU-hosted personal data for support or maintenance, this access qualifies as a restricted transfer under GDPR and requires appropriate safeguards.

• Moroccan vendor as GDPR Article 28 processor: The processor agreement under Article 28 governs the processing relationship but does not itself authorize the international transfer. SCCs must be executed in addition to the processor agreement.

Practitioner Insights

  • Compliance requires action on both sides simultaneously: SCCs plus TIA on the EU export side, and CNDP declaration or authorization on the Moroccan import side. Neither alone is sufficient.

• Map data flows first. Before selecting a transfer tool, document what personal data is transferred, the categories of data subjects, which systems are involved, and who in Morocco accesses the data.

• The GDPR Article 28 processor agreement should be paired with the SCCs, not treated as a substitute. The processor agreement governs the processing instructions; the SCCs authorize the cross-border transfer.

• The CNDP’s transfer authorization is a distinct requirement. Even where valid SCCs are in place on the EU side, the Moroccan entity must independently obtain CNDP authorization for any onward transfers to non-adequate countries.

• Document everything for audit readiness: the TIA and any supplementary measures, the executed SCCs, the CNDP filing confirmations, and records of the data flows mapped in point 2 above.

Frequently Asked Questions

Is Morocco GDPR-adequate?

No. Morocco is not on the European Commission’s adequacy list and has no adequacy decision in force. Any EU-to-Morocco transfer of personal data requires a transfer mechanism under GDPR Articles 46–49.

Do we need both SCCs and CNDP authorization?

Yes, where applicable. The SCCs satisfy the GDPR export requirement. The CNDP declaration or authorization satisfies Moroccan law’s import requirement. They address different legal obligations under different legal systems and are not interchangeable.

What happens if we sign SCCs but never register with the CNDP?

The transfer may be lawful from a GDPR perspective, but the Moroccan importer is in breach of Law 09-08, which requires prior declaration or authorization. The CNDP may impose administrative sanctions, and the failure to register exposes the Moroccan entity—and potentially the group—to criminal liability under Moroccan law.

Does an intra-group transfer to our own Moroccan subsidiary still need a transfer tool?

Yes. GDPR does not exempt intra-group transfers from Chapter V requirements. A transfer to a wholly owned subsidiary in Morocco requires SCCs (or BCRs) and a TIA, just as a transfer to an unrelated third party would.

How Korte Amereller Can Assist

Response

Verwandte Leitfäden

Autor: Zakaria Korte — Rechtsanwalt (deutsche Zulassung) und Avocat à la Cour (Pariser Zulassung), BVMW-Landesrepräsentant für Marokko. In Verbindung mit dem AMERELLER-Netzwerk. Büros in Rabat, Casablanca, Berlin und Paris.