HackingByte
Loi 09-08 compliance you can evidence — declaration, security, and proof.

Practical readiness for Morocco’s personal-data-protection law and the CNDP — the prior formalities, the security measures, and the accountability evidence the authority and your customers expect.

  • Senior-led delivery.
  • Vendor-independent.
  • Evidence-driven reporting.

Loi 09-08 has governed the protection of personal data in Morocco since 2009, and the CNDP — the Commission Nationale de contrôle de la protection des Données à caractère Personnel — supervises it. Unlike the GDPR, it keeps a system of prior formalities: most processing must be declared to the CNDP, and sensitive processing needs prior authorisation before it begins.

We focus on the part we can prove — the security of the processing and the accountability evidence — and keep the legal interpretation with your counsel. Because we also run offensive security, the technical measures loi 09-08 expects are advised by people who know how those measures actually fail. Whether and how the law applies to a given activity stays with your counsel.

Where we help

CNDP declarations & authorisations

A mapped inventory of your processing and the prior formality each one needs — the ordinary declaration, or the prior authorisation loi 09-08 requires for sensitive data and certain processing — prepared so the filing matches what you actually do.

Security of processing

The technical and organisational measures loi 09-08 expects, and the evidence they operate. This is where our offensive work informs the advice: we know which controls hold under a real attack and which only look right on a register.

Data-subject rights & information

The notices, the consent posture, and the access, rectification, and opposition rights the law gives individuals — built into a process your team can actually run, with the records to show it.

Cross-border transfers

Loi 09-08 restricts transfers to countries that do not ensure an adequate level of protection and conditions them on CNDP authorisation — we map your flows, flag the transfers that need it, and assemble the evidence.

Scope. We provide practical compliance readiness and evidence, not legal advice — how loi 09-08 applies to you, and the filings as a legal act, are your counsel’s call. We hold no CNDP authority and claim none.

When teams call us

The most common moments organisations bring us in for loi 09-08:

  • A customer or partner is asking how you comply with loi 09-08 before they sign.
  • You’re launching a product or service that processes personal data and need the CNDP formalities right from the start.
  • You’re unsure whether a processing activity needs a declaration or a prior authorisation — and what evidence backs it.
  • You handle EU personal data as well, and need loi 09-08 and the GDPR covered together.

What you receive

The HackingByte Engagement Brief

Every service ends in the same three connected artifacts — so exploit, control gap, and business impact tell one story.

  1. Technical Report

    Reproducible findings with evidence and per-finding remediation, written for your engineers.

  2. Executive Risk Brief

    The same findings as business risk for leadership and the board — no jargon, no CVSS tables.

  3. Action Plan

    Prioritised, owner-assigned, and scoped to what your team can actually deliver.

Timeline

What a typical readiness engagement looks like.

Loi 09-08 readiness runs to a defined gate. A representative engagement opens with a processing inventory and a gap diagnostic against the law’s obligations — usually a couple of weeks — then the formality plan (which declarations, which authorisations), the security and accountability evidence, and where useful a technical assessment of the measures, over the following weeks. An ongoing arrangement keeps the inventory, the filings, and the evidence current as your processing changes.

We set the schedule around your real pressure — a customer’s data-protection questionnaire, a CNDP enquiry, or a new product handling personal data — and confirm it during scoping before you commit.

How it’s different

  1. Local and literal — HackingByte S.A.R.L. is based in Casablanca, so loi 09-08 and the CNDP are our home regime, not a foreign one we read up on.

  2. Security-first — we lead with the measures and the evidence our offensive work makes us genuinely qualified to attest, rather than reciting the whole law.

  3. Interpretation left to counsel — we operationalise loi 09-08 and the CNDP formalities and hand the legal judgement calls to your counsel; we support that work, we don’t replace it.

Who loi 09-08 reaches

Any organisation processing personal data in Morocco.

Loi 09-08 applies to the processing of personal data carried out in Morocco, by a controller established here or using means located here. It sets duties for the data controller — purpose (finalité), proportionality, confidentiality, and security — and gives individuals rights over their data. We confirm where you sit and which processing you run before designing anything, because a bank, a SaaS exporter, and a BPO handling client data carry very different filing and evidence burdens.

Whether and how loi 09-08 applies to a given activity is a legal determination for your counsel. We help you scope the obligations and build the evidence once that is settled.

The CNDP regime

Prior formalities — the part that surprises GDPR-trained teams.

The biggest practical difference from the GDPR is that loi 09-08 kept prior formalities. Ordinary processing is declared to the CNDP; processing of sensitive data, or processing the law singles out, needs the CNDP’s prior authorisation before it starts. Teams arriving with a GDPR mindset often miss this entirely. We build the processing inventory, match each one to the right formality, and assemble the security evidence behind the filing — so what you declare is what you actually do.


Frequently asked questions

Are you lawyers or a CNDP-approved body?

No. We provide practical security and accountability readiness; how loi 09-08 applies, and the filings as a legal act, are your counsel’s call. We hold no CNDP authority and claim none — we support the work, particularly the security evidence, rather than replace it.

How is loi 09-08 different from the GDPR?

The biggest practical difference is prior formalities: loi 09-08 keeps a declaration regime, with prior authorisation for sensitive processing, where the GDPR moved to accountability. If you handle both Moroccan and EU data, we cover them together with one control set.

Do you handle the CNDP declaration itself?

We build the processing inventory, determine which formality each processing needs, and assemble the security and accountability evidence behind it. The filing as a legal act stays with you and your counsel; we make it accurate and defensible.

We also serve EU customers — can you cover the GDPR too?

Yes. Moroccan firms handling EU personal data carry GDPR obligations as well; we run loi 09-08 and GDPR readiness together so one set of measures answers both.

Tell us what you process and what’s driving the deadline — a customer review, a CNDP formality, or a new product — and we’ll scope loi 09-08 readiness around the obligations that actually apply.

Every engagement ends in the same three connected artifacts, and the continuous platforms keep watch between engagements.