Declaring a data processing activity to Morocco’s CNDP isn’t a maze: you download the right form, attach one document, and file it. The receipt for a declaration arrives within 24 hours; a prior authorization, by contrast, can take up to two months. This guide walks through the concrete procedure — which forms, which timelines, which documents, and where to file — for a company getting compliant in Morocco.
It complements our practical Law 09-08 guide, which explains which regime applies to you and what to prepare upstream. Here we stay on the how. As always: the legal qualification of your situation belongs to your counsel; we stay on operational ground.
The form references below (F211, F214, F112, F115) are those in force at the time of writing. The CNDP updates its forms — always download the current version from cndp.ma.
Three formalities, not to be confused
Law 09-08 sets out three distinct formalities, and the first thing to do is work out which one applies to you.
The declaration is the default regime: every processing activity must be declared, unless it falls outside the law’s scope, is exempt, or is subject to authorization. The prior authorization request covers the most sensitive processing, which can only start with the CNDP’s agreement. The transfer-abroad request governs sending data outside Morocco, under Articles 43 and 44.
Working out which box you fall into is a legal qualification — that’s your counsel’s job, and the subject of our practical guide. Once the box is known, the procedure below applies.
The declaration: the form and a receipt within 24 hours
For an ordinary activity — customer management, payroll, HR, classic prospecting — you file a declaration. Two forms exist:
- the normal declaration (F211), the general case;
- the simplified declaration (F214), when your processing matches a model already framed by a CNDP decision (a lighter format for common activities).
The document to attach is minimal: a document authorising the signatory to bind the legal entity — plus any other useful document, where relevant.
On timelines, two points are worth knowing. First, the CNDP issues the declaration receipt within 24 hours. Second — and this is the point most people miss — it has 8 days to decide, where applicable, to move your processing to the prior-authorization regime, if it considers the activity poses manifest dangers to privacy. In other words, the fast receipt doesn’t close the door for good: a declared activity can be reclassified.
Prior authorization: when, which form, which timelines
Some processing can’t make do with a declaration. Prior authorization is required notably when the processing involves:
- sensitive data — racial or ethnic origin, political opinion, religious or philosophical conviction, union membership, health data including genetic;
- the use of data for purposes other than those for which it was collected;
- data on offences, convictions, or security measures;
- data containing the national ID (CIN) number;
- the interconnection of files with different purposes.
The form is the prior-authorization request (F112). The documents to attach are more demanding than for a declaration: alongside the signatory authorisation, you need evidence that data subjects have been informed (how you tell them what you collect, for what purpose, and what rights they have), proof of consent where applicable, and extracts of any sub-processing contract guaranteeing security measures. Health-data processing calls for additional documents (identity of those responsible, research protocol, a commitment to code the data).
The timeline changes scale: the CNDP gives its opinion within two months, extendable once. And if the file is incomplete, the clock only starts once the missing documents are provided. The practical takeaway is simple: an authorization is prepared ahead of a deadline, not the night before.
Transfer abroad: a separate formality
If your processing involves sending personal data outside Morocco — cloud hosting abroad, a SaaS tool whose servers sit outside the country, offshore technical support — that’s a separate formality, governed by Articles 43 and 44 of Law 09-08, with its own procedure. Don’t assume a declaration “covers” the transfer: they’re two different steps. And if the data concerns people in the EU, the GDPR adds its own transfer requirements (Standard Contractual Clauses, adequacy). Our practical guide details the logic of transfers.
How and where to file
The steps are the same for all three formalities: download the form in force from cndp.ma, fill it in carefully — the purpose you describe must match what you actually do — attach the requested documents, then file the package with the CNDP, through its online notification procedure or, failing that, by direct deposit or registered mail.
For the CNDP itself, in Rabat:
- Address: Avenue Al Arz, Secteur 4, M1, Hay Riad — Rabat.
- Phone: +212 537 57 11 24.
- Email: contact@cndp.ma.
- Allô CNDP: 3020.
- Official site: cndp.ma.
The most common procedural mistakes
Four mistakes recur, and all of them are fixed upstream.
The first is filing a generic formality: a vague purpose, incomplete data categories, forgotten recipients. An inaccurate declaration doesn’t protect you — it documents the gap between what you declare and what you do.
The second is to process first and declare later. The Moroccan regime is built for the opposite: the formality precedes the processing, and prior authorization, by definition, must be obtained before you start.
The third is to let an incomplete file sit: as long as a document is missing, the clock doesn’t run. For an authorization, that’s two months that don’t even begin.
The fourth, the costliest over time, is to mistake the receipt for a compliance certificate. It isn’t one. The receipt confirms that you declared; it says nothing about the actual security of your processing, which the law requires separately and which an audit will check. Declaring is a formality; protecting and proving is the real work.
After filing: the formality isn’t compliance
Once the receipt is in hand, the real work begins. Law 09-08 requires you to secure the processing you declared, and it’s that security — who accesses what, usable logs, tested backups, encryption where it counts — that an audit or a customer will eventually ask you to prove. That’s our ground: our security assessments and penetration tests start from the formality and check that the declared measures actually hold. For an overview, see our cybersecurity in Morocco page.
If a deadline is approaching — a customer review, a CNDP query, a new product that processes personal data — tell us about your situation: a scoping call is enough to size the real work.
Frequently asked questions
How do you declare a processing activity to the CNDP?
Download the declaration form in force from cndp.ma (normal declaration F211, or simplified F214), fill it in, attach the document authorising the signatory to bind the legal entity, then file it with the CNDP via its online procedure or by deposit/mail. The receipt is issued within 24 hours.
What’s the difference between the normal (F211) and simplified (F214) declaration?
The normal declaration is the general case. The simplified declaration is a lighter format reserved for processing that matches a model already framed by a CNDP decision. Check on cndp.ma which form fits your activity.
How long does the declaration receipt take?
The CNDP issues the receipt within 24 hours. It keeps an 8-day window, however, to decide whether to move the activity to the prior-authorization regime if it considers the processing poses manifest dangers to privacy.
When is prior authorization required instead of a declaration?
When the processing involves sensitive data (health, opinions, convictions, union membership, origin), the national ID number, offences, the interconnection of files with different purposes, or using data for purposes other than those intended. The form is the authorization request (F112); the opinion period is two months, extendable once.
Where is the CNDP and how do you contact it?
The CNDP is based in Rabat, Avenue Al Arz, Secteur 4, M1, Hay Riad. Phone: +212 537 57 11 24; email: contact@cndp.ma; Allô CNDP: 3020; official site: cndp.ma.