If your company operates in Morocco — or processes Moroccan customer or employee data from abroad — it almost certainly processes personal data covered by Law 09-08, Morocco’s data protection law. Since 2009, most of that processing has required a prior formality with the CNDP, the Commission Nationale de contrôle de la protection des Données à caractère Personnel. For years, many teams treated this as distant paperwork. That era is over: the CNDP closed its awareness phase in February 2025 and now runs active, sector-by-sector enforcement. This guide explains what the law actually expects, how to tell a declaration from a prior authorization, and what evidence to prepare — in operational terms, without pretending to replace your legal counsel.
What the CNDP expects from you in 2026
The CNDP is Morocco’s data protection authority. It receives declarations, grants authorizations, handles complaints from data subjects, and audits data controllers. What changed recently is posture: after a long period of deliberate pedagogy, the authority announced the end of its awareness phase in February 2025 and has been running sectoral inspection campaigns since.
Seen from the authority’s side, being compliant comes down to three things that are easy to state and demanding to maintain. First, your formalities are filed and match what you actually do — a processing operation declared for one purpose and used for another is a problem, not a protection. Second, the security measures the law expects exist and work, and you can demonstrate it. Third, when a person exercises their rights — or the CNDP asks a question — your team knows how to respond, with records rather than recollections.
The rest of this guide follows that order, because it is the order in which the work gets built.
Declaration or prior authorization: the practical test
The structural feature of Law 09-08 that most consistently surprises GDPR-trained teams is its regime of prior formalities. Where the GDPR rests on controller accountability, the Moroccan law kept a system in which you present yourself to the authority before processing.
In practice the test reads like this. Ordinary processing (customer management, payroll and HR administration, standard commercial prospecting) falls under prior declaration to the CNDP. Processing of sensitive data (data revealing, for instance, health, opinions, beliefs or origin) and the other processing the law singles out require prior authorization: the CNDP’s approval must come before the processing starts, not after.
Two mistakes come up constantly. The first: launching the processing and “regularizing later” — the Moroccan regime is built for exactly the opposite. The second: filing a generic formality that does not describe the real processing — approximate purpose, incomplete data categories, missing recipients. An inaccurate filing protects no one; it documents the gap.
One point of method: determining whether a given activity requires a declaration, an authorization, or qualifies for an exemption is a legal qualification. That belongs to your counsel. Our role, as security practitioners, begins once that qualification is set: making sure what is filed matches what actually runs in your systems.
The processing inventory — the step everyone skips
You cannot file accurate formalities for processing you have not mapped. That sounds obvious, and yet it is the step most organizations skip, because it is less visible than a filing and less gratifying than a policy.
A useful inventory answers five questions for every processing operation: what purpose, which categories of data and of people, what retention periods, which internal and external recipients, and which flows — where the data is stored, what it transits through, who accesses it. At this stage, the usual blind spots surface on their own: the Excel export marketing keeps “just in case”, the SaaS tool adopted without review, the vendor who subcontracts in turn.
This inventory is not one more document: it is the backbone of everything else. It determines which formalities to file, where security measures must focus, how to answer a person exercising their rights, and which transfers out of Morocco need attention. An organization that keeps its inventory current has done half the work; one that has not improvises everything else.
The security evidence behind the filing
Law 09-08 requires the data controller to protect the data it processes — technical and organizational measures proportionate to the risks. In other words, every filed formality carries an implicit claim: “this processing is protected.” The question that follows — the one an inspection or a customer will eventually ask — is simple: can you prove it?
The expected evidence is that of serious security hygiene: who accesses what and why, named accounts rather than shared ones, logs that allow an incident to be reconstructed, tested backups, encryption where it matters, maintained endpoints and servers. Nothing exotic — but the gap between “it is written in a policy” and “it works, and here is the proof” is exactly the gap an inspection exposes.
This is where our core trade changes the nature of the advice. Because we run security assessments and penetration tests, we know which controls hold against a real attack and which only look right on a register. Our Law 09-08 readiness work starts from there: measures attested by people whose day job is making them fail.
Data subject rights: information, access, rectification, objection
Law 09-08 grants people rights over their data, and those rights create very concrete obligations. Information first: at the point of collection, a person must know who processes their data, for what purpose, and how to exercise their rights — which translates into accurate notices on your forms, contracts and digital journeys, and a clean consent posture wherever consent is the basis for processing.
Then come access, rectification and objection. The honest test is not “does our policy mention them?” but: if someone wrote tomorrow asking what you hold about them, would your team know what to do, within what time, and would a record remain? A process nobody can run does not exist. Serious organizations tool this path — a known entry point, a handling workflow, records — so the answer is a reflex rather than a crisis.
Transfers out of Morocco: the default-cloud trap
Law 09-08 regulates transfers of personal data abroad: where the destination country does not ensure an adequate level of protection, the transfer is subject to CNDP authorization. The trap is that “transfer” does not mean “exotic outsourcing project”: cloud hosting outside Morocco, a SaaS tool with foreign servers, technical support accessing data from another country: all of these are transfers.
The reasonable approach follows the inventory: map the real flows, identify those leaving the country, determine — with your counsel — the regime applicable to each, and assemble the corresponding evidence. Teams that discover their transfers the day someone asks usually also discover they do not know exactly where their data lives. The inventory, again, is what prevents that conversation.
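The inventory described in the previous sections and the transfer mapping just above both come down to the same discipline: keep the inventory as data rather than as a document, and run checks over it. The script below is an added example, not code from the original article or from any CNDP tooling. It records each processing operation against the five inventory questions (purpose, data and subject categories, retention, recipients, flows) and flags the items a security team hands to counsel: a purpose that no longer matches the filed formality, a processing with no formality on file, data categories that look sensitive, flows that run outside Morocco, and vendors that subcontract in turn. The category list, the country codes and the sample inventory are constructed assumptions for illustration; the checks only raise review items and never decide which legal regime applies, which remains counsel's call.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

HOME_COUNTRY = "MA"  # assumption: the controller is established in Morocco

# Categories the article names as sensitive; illustrative, not the statutory list.
SENSITIVE_CATEGORIES = {"health", "opinions", "beliefs", "origin"}


@dataclass
class Flow:
    """One place the data is stored, transits, or is accessed from."""
    system: str
    country: str                     # ISO 3166-1 alpha-2 code of where the system runs
    role: str                        # "storage", "transit" or "support-access"
    subprocessors: list[str] = field(default_factory=list)


@dataclass
class Processing:
    """One processing operation, answering the five inventory questions."""
    name: str
    purpose: str                     # what the processing actually does today
    data_categories: set[str]
    data_subjects: set[str]
    retention: Optional[str]
    recipients: list[str]
    flows: list[Flow]
    filed_purpose: Optional[str] = None   # purpose as written in the CNDP formality, if any


def check(p: Processing) -> list[str]:
    """Return review items for one processing operation.

    Every item is something to verify or to hand to counsel; the function
    does not decide which legal regime applies.
    """
    items: list[str] = []
    if not p.retention:
        items.append("no retention period recorded")
    if not p.recipients:
        items.append("no recipients recorded")
    if p.filed_purpose is None:
        items.append("no formality on file for this processing")
    elif p.filed_purpose.strip().lower() != p.purpose.strip().lower():
        items.append(f"filed purpose {p.filed_purpose!r} differs from actual purpose {p.purpose!r}")
    sensitive = sorted(p.data_categories & SENSITIVE_CATEGORIES)
    if sensitive:
        items.append(f"sensitive categories {sensitive}: counsel to qualify (prior authorization regime)")
    for f in p.flows:
        if f.country != HOME_COUNTRY:
            items.append(f"{f.system} ({f.role}) runs in {f.country}: leaves Morocco, "
                         "transfer regime to qualify with counsel")
        if f.subprocessors:
            items.append(f"{f.system} subcontracts to {', '.join(f.subprocessors)}: "
                         "onward recipients to add to the filing")
    return items


def run_checks(inventory: list[Processing]) -> dict[str, list[str]]:
    """Run check() over the whole inventory, keyed by processing name."""
    return {p.name: check(p) for p in inventory}


def build_sample_inventory() -> list[Processing]:
    """Constructed sample data, not a real organisation's inventory."""
    return [
        Processing(
            name="Payroll",
            purpose="Salary payment and HR administration",
            data_categories={"identity", "bank details", "health"},   # sick-leave certificates
            data_subjects={"employees"},
            retention="5 years after end of contract",
            recipients=["HR", "payroll provider"],
            flows=[
                Flow("HRIS (SaaS)", "FR", "storage", subprocessors=["cloud host"]),
                Flow("Vendor support console", "IN", "support-access"),
            ],
            filed_purpose="Salary payment and HR administration",
        ),
        Processing(
            name="CRM",
            purpose="Customer management and lead scoring",   # drifted since the filing
            data_categories={"identity", "contact", "purchase history"},
            data_subjects={"customers"},
            retention="3 years after last contact",
            recipients=["sales"],
            flows=[Flow("CRM server", "MA", "storage")],
            filed_purpose="Customer management",
        ),
        Processing(
            name="Marketing export",           # the spreadsheet kept "just in case"
            purpose="Commercial prospecting",
            data_categories={"identity", "contact"},
            data_subjects={"prospects"},
            retention=None,
            recipients=["marketing"],
            flows=[Flow("Shared drive", "MA", "storage")],
        ),
    ]


if __name__ == "__main__":
    for name, items in run_checks(build_sample_inventory()).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run as a script, it prints the review list per processing: the payroll operation surfaces a sensitive category and two flows outside Morocco (one of them with a subcontractor to add to the filing), the CRM surfaces a purpose that has drifted from what was filed, and the marketing export surfaces a missing retention period and no formality at all. Each of these is exactly the kind of gap an inspection finds when the inventory lives only in people's heads.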
Law 09-08 and the GDPR together: one evidence program
Many companies in Morocco — software vendors, BPOs, service providers with European clients — live under two regimes at once: Law 09-08 for their processing in Morocco, the GDPR as soon as they handle data of people in the EU. The temptation is to run two parallel programs; it is almost always a mistake.
The formality logics differ — prior formalities here, accountability there — but the foundations are identical: an accurate inventory, demonstrable security measures, rights your team can serve, mapped transfers. One set of controls, documented once, feeds both compliances. The reverse — mechanically importing GDPR reflexes into Morocco — is precisely how teams miss what is specific to Law 09-08: the prior formalities, which have no European equivalent.
The coming reform — and why it does not change your next step
Modernizing Law 09-08 is publicly on the agenda: the authority itself argues for a framework closer to international standards, with lighter ex-ante controls and stronger sanctions. But as of today, no new text is in force: Law 09-08 and its formality regime apply in full.
The practical conclusion is simpler than it looks. Everything a reform might change — the shape of the formalities, the scale of the sanctions — rests on foundations that will not change: knowing what you process, protecting it, proving it. A current inventory and solid security evidence carry over to any future regime in full. Waiting for the reform means stacking today’s risk on top of tomorrow’s delay.
Where to start
The sequence that works has four steps: an honest processing inventory; formality qualification with your counsel; security measures and their evidence; then the rights and transfer processes that rest on all of it. That is exactly the readiness work we run — starting from security, which is our ground, and leaving legal interpretation to yours.
If a deadline is approaching — a client review, a CNDP question, a new product processing personal data — tell us what you are working with: a scoping call is usually enough to size the real work.
Frequently asked questions
Who must file a declaration with the CNDP?
Any data controller whose processing falls within the scope of Law 09-08 — in practice, most organizations processing customer, employee or prospect data in Morocco. Qualifying your precise situation belongs to your legal counsel; the processing inventory is the prerequisite either way.
What is the difference between a declaration and a prior authorization?
A declaration applies to ordinary processing: you inform the CNDP before processing. Prior authorization applies to sensitive data and to processing the law singles out: the CNDP’s approval must be obtained before the processing starts.
What happens if you are not compliant?
Law 09-08 provides for sanctions, and the CNDP moved from awareness to active inspections in February 2025. Beyond sanctions, the most immediate risk is commercial: clients — Moroccan and European alike — increasingly ask for compliance evidence before signing.
Is Law 09-08 the Moroccan equivalent of the GDPR?
It shares the foundations (purpose, proportionality, data subject rights, security) but differs on one structural point: Law 09-08 keeps prior formalities with the CNDP, where the GDPR moved to accountability. Overlooking those formalities is the classic mistake GDPR-trained teams make.
Do you need a lawyer to become compliant?
Applying the law to your case and filing as a legal act belong to your counsel. But most of the preparation work — inventory, security measures, evidence, processes — is operational and technical. The two complement each other; neither replaces the other.