Practical guide

Does the GDPR apply to a company outside the EU? The Morocco case

Yes — the EU’s GDPR can apply to a company based in Morocco, or in any country outside the European Union, even with no office, subsidiary, or server inside the EU. What triggers it isn’t where you’re established; it’s what you do. If you offer goods or services to people located in the EU, or monitor their behaviour online, the regulation reaches you — alongside Morocco’s Law 09-08, which governs your processing at home.

This guide explains when the GDPR reaches a company outside the EU, the obligation most often missed — the EU representative — how it differs from Law 09-08, and the question of data transfers between the EU and Morocco. As always, we stay on operational ground: the legal qualification of your situation belongs to your counsel and the texts, not to an article.

Why an EU law reaches outside the EU

The GDPR has a deliberate extraterritorial reach. Its Article 3 sets out two situations in which it applies to an organisation established outside the EU — so, to a company in Morocco.

The first: you offer goods or services to people who are in the Union, whether or not they pay. An online shop that ships to France, a SaaS application with users in Germany, a platform that takes orders from Spain — each processes the data of people in the EU as part of an offer aimed at them.

The second: you monitor the behaviour of people located in the Union, where that behaviour takes place in the EU. Advertising profiling, tracking cookies, audience analytics, and behavioural scoring aimed at European users all fall here.

The deciding factor is never your address; it’s targeting. A Moroccan company that sells only in Morocco, to a Moroccan customer base, is in principle outside the GDPR’s scope — it remains under Law 09-08. A Moroccan company that actively targets the European market falls within it, wherever its offices sit.

The signs you’re targeting the EU

Offering goods or services “to people in the EU” isn’t inferred from the mere fact that your site is reachable from Europe. A Moroccan site that Europeans can open is not enough. What counts is a clear intention to serve a European audience, and that shows up in concrete signals: an EU member-state language offered when it isn’t your own, prices displayed in euros, mention of delivery or shipping to EU countries, an EU domain name, European customers cited as references, or advertising aimed at those markets.

No single signal is decisive, but their accumulation is. If part of your growth rests on European customers, assume the GDPR is in the picture — and have the exact perimeter confirmed by your counsel.

Controller or processor: the BPO and software-vendor case

One distinction changes everything for a large part of Morocco’s digital economy — service centres, BPOs, software vendors, offshore providers. You can be caught by the GDPR not because you target the European market on your own account, but because you process European data on behalf of a client who is themselves subject to it.

In that case you’re a processor under the GDPR. The regulation then imposes a chain of contractual obligations: a processing contract that meets its Article 28, security guarantees, a duty to assist the client with their own obligations, and controls on any onward sub-processing. In practice your European clients will pass these requirements to you by contract and by questionnaire — and your ability to answer becomes a commercial argument as much as an obligation.

This is the point where your security posture stops being a cost and becomes an advantage: a Moroccan processor that can demonstrate serious measures wins contracts others lose at the vendor-questionnaire stage.

The EU representative: the obligation everyone forgets

When the GDPR applies to a Moroccan company that has no establishment in the Union, its Article 27 imposes a precise and often-ignored obligation: designate, in writing, a representative established in the EU. That representative — a person or company in one of the member states where your data subjects are — serves as the contact point for supervisory authorities and for people exercising their rights.

The obligation has exceptions — notably for occasional processing that isn’t large-scale, doesn’t involve sensitive data at scale, and is low-risk. But the default rule is clear: no establishment in the EU plus an activity caught by Article 3 equals a representative to appoint. It’s one of the most common gaps among companies outside the EU that assume, wrongly, that “being in Morocco” puts them out of reach.

GDPR vs Law 09-08: the differences that matter

The two regimes share their foundations — purpose limitation, proportionality, data-subject rights, processing security — and an export-facing Moroccan company often lives under both at once. But three differences shape practice.

The compliance logic, first. Law 09-08 keeps a system of prior formalities with the CNDP: you declare, or request authorisation, before processing. The GDPR removed those general formalities in favour of accountability: you wait for no one’s authorisation, but you must be able to prove your compliance at any time. Importing the reflexes of one into the other is the classic mistake — the detail of the CNDP formalities is covered in our CNDP and Law 09-08 guide, and the filing procedure (forms, timelines) in our CNDP forms and process guide.

The representative, next. The GDPR requires the EU representative described above; Law 09-08 has no equivalent.

The scale of penalties, last. The GDPR provides administrative fines measured as a percentage of worldwide turnover — an order of magnitude with no parallel in the Moroccan regime. For a company exposed to both, it’s often the GDPR that sets the bar.

EU → Morocco transfers: Morocco isn’t on the adequacy list

A technical point has direct commercial consequences. When a European client entrusts personal data to a Moroccan provider, they’re carrying out a transfer outside the EU. And Morocco is not, to date, among the countries the European Commission recognises as offering an adequate level of protection.

In concrete terms, that transfer has to be framed by appropriate safeguards — most often the Commission’s Standard Contractual Clauses, sometimes with supplementary measures after assessment. For the European client, that adds a step; for the Moroccan provider, it adds an expectation. BPOs and software vendors who anticipate — clauses ready, security measures documented, access mapped — turn a regulatory friction into a signal of seriousness. Those who discover it at signing slow the deal down.

One program, two compliances

Faced with two regimes, the temptation is to run two projects. It’s almost always a mistake, and for the same reason as on the Law 09-08 side: the foundations are shared. An accurate processing inventory, demonstrable security measures, rights your team can actually serve, mapped transfers — one set of controls, documented once, feeds both the 09-08 and the GDPR compliance. The properly GDPR-specific layer then comes down to what’s unique to it: the representative, the legal bases, the framing of transfers.

That’s the work we do in GDPR consulting, starting from security — our ground — and leaving the legal interpretation to yours. For an overview of our work in Morocco, see our Morocco page.

Where to start

The sensible sequence runs in four steps: determine, with your counsel, whether and how the GDPR reaches you; map the processing and the data flows concerned, EU data included; handle the GDPR-specific layer — representative, legal bases, transfers; and demonstrate the security underneath it all. That last step is exactly what also serves your Law 09-08 compliance.

If a deadline is approaching — a European client sending you a questionnaire, Standard Contractual Clauses to sign, a new market in the EU — tell us about your situation: a scoping call is usually enough to size the real work.

Frequently asked questions

Does the GDPR apply to companies outside the EU?

It can — even with no EU establishment — when the company offers goods or services to people located in the Union, or monitors their behaviour online. A company serving only a domestic, non-EU customer base is in principle outside its scope. The precise qualification belongs to your counsel.

Does a Moroccan company need an EU representative?

Generally yes, when the GDPR applies to it and it has no establishment in the Union (Article 27), save for limited exceptions covering certain occasional, low-risk processing. The representative is the contact point for authorities and data subjects in the EU.

What’s the difference between the GDPR and Law 09-08?

Law 09-08 keeps prior formalities with the CNDP; the GDPR rests on accountability, with no general declaration. The GDPR also requires an EU representative and carries penalties on a different scale. The foundations — security, rights, purpose — are shared.

I run a BPO or software firm serving European clients — am I caught?

Most likely, as a processor acting on behalf of clients who are subject to the GDPR. That means a contract meeting Article 28, security guarantees, and control of onward sub-processing — requirements your clients will pass to you by contract and questionnaire.

Is Morocco recognised as “adequate” by the European Union?

No. Morocco isn’t among the countries with an adequacy decision. Transfers of data from the EU to a Moroccan provider must therefore be framed by appropriate safeguards, most often the European Commission’s Standard Contractual Clauses.