Any European company that shares personal data with a Moroccan office, subsidiary, call center, or service provider confronts two distinct legal frameworks simultaneously. On the export side, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) governs the conditions under which personal data may leave the European Economic Area. On the import side, Morocco’s Law No. 09-08 on the protection of individuals with regard to the processing of personal data, together with its implementing Decree No. 2-09-165 and the supervisory authority it created—the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP)—imposes independent registration, authorization, and security obligations on the Moroccan data recipient.
Compliance requires satisfying both regimes. A transfer that is lawful under GDPR but ignores the CNDP, or vice versa, remains non-compliant. This article focuses specifically on the cross-border transfer question. For a broader overview of Moroccan data protection obligations, see our companion guide on Law 09-08 compliance.
Morocco is not on the European Commission’s list of countries benefiting from an adequacy decision under GDPR Article 45. The Commission has adopted adequacy decisions for 17 jurisdictions and frameworks—including Japan, the United Kingdom, South Korea, Argentina, Canada (commercial organizations), Israel, New Zealand, Switzerland, Uruguay, and the United States (under the EU-U.S. Data Privacy Framework)—but Morocco is not among them.
Morocco submitted a request for an adequacy assessment to the European Commission as early as 2009. That request remains pending; no adequacy decision has been adopted. The practical consequence is clear: GDPR Article 45 does not apply, and any transfer of personal data from the EU or EEA to Morocco must rely on the alternative transfer mechanisms set out in GDPR Articles 46 through 49.
The most widely used tool is the set of Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. These replaced the prior 2001/2004/2010 SCC sets; pre-2021 clauses are no longer valid for any transfer. The 2021 SCCs employ a modular structure: Module 1 (controller-to-controller), Module 2 (controller-to-processor), Module 3 (processor-to-processor), and Module 4 (processor-to-controller). German exporters should select the module corresponding to their relationship with the Moroccan importer—most commonly Module 2 for outsourcing and BPO, or Module 1 for shared-access scenarios between group companies each acting as controller.
Clause 14 of the 2021 SCCs requires the parties, before concluding the clauses, to assess whether the laws and practices of the destination country—here, Morocco—could prevent the data importer from fulfilling its obligations under the SCCs. This obligation flows directly from the Court of Justice’s judgment in Schrems II (CJEU Case C-311/18, 16 July 2020). The exporter must document this Transfer Impact Assessment, identify any supplementary measures (technical, organizational, or contractual) needed to ensure an essentially equivalent level of protection, and make the assessment available to its supervisory authority on request. For Morocco, the TIA should address the CNDP’s powers, any government access provisions under Moroccan law, and the practical enforceability of data-subject rights.
Corporate groups that regularly transfer personal data to a Moroccan subsidiary may apply for Binding Corporate Rules under GDPR Article 47. BCRs require approval by a lead supervisory authority in the EU and establish group-wide data protection standards. While more resource-intensive to obtain than SCCs, BCRs provide a durable, enterprise-wide framework for intra-group transfers without the need to execute individual SCC sets per entity.
GDPR Article 49 provides narrow derogations—explicit consent, necessity for the performance of a contract, important public interest, legal claims, and vital interests—that permit transfers in the absence of adequacy or appropriate safeguards. These derogations are interpreted restrictively and are not suitable for systematic, repetitive, or large-scale transfers such as ongoing BPO operations, regular payroll processing, or continuous CRM access. They may apply to occasional, one-off transfers (e.g., a single employee relocation file sent with explicit consent).
Under Law 09-08, all processing of personal data carried out in Morocco—or using means located in Morocco—must be the subject of a prior declaration or prior authorization with the CNDP, under penalty of criminal sanctions. Ordinary processing operations require a declaration (notification). Processing involving sensitive data (health, biometric, criminal records) or international transfers of personal data to countries without adequate protection requires prior authorization from the CNDP.
Law 09-08 separately requires CNDP authorization for transfers of personal data outside Morocco to countries that do not provide an adequate level of protection. This is relevant where the Moroccan entity itself onward-transfers data or where data hosted in Morocco is accessed from a third country. The CNDP’s transfer authorization is a distinct regulatory step from the EU-side SCCs; it must be obtained independently and in advance.
Law 09-08 grants data subjects rights of access, rectification, and opposition. The Moroccan data controller or processor must also implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, or destruction. The CNDP may impose administrative measures including formal warnings, suspension of processing, withdrawal of declarations or authorizations, and referral to the public prosecutor.
No. Morocco is not on the European Commission’s adequacy list and has no adequacy decision in force. Any EU-to-Morocco transfer of personal data requires a transfer mechanism under GDPR Articles 46–49.
Yes, where applicable. The SCCs satisfy the GDPR export requirement. The CNDP declaration or authorization satisfies Moroccan law’s import requirement. They address different legal obligations under different legal systems and are not interchangeable.
The transfer may be lawful from a GDPR perspective, but the Moroccan importer is in breach of Law 09-08, which requires prior declaration or authorization. The CNDP may impose administrative sanctions, and the failure to register exposes the Moroccan entity—and potentially the group—to criminal liability under Moroccan law.
Yes. GDPR does not exempt intra-group transfers from Chapter V requirements. A transfer to a wholly owned subsidiary in Morocco requires SCCs (or BCRs) and a TIA, just as a transfer to an unrelated third party would.