Who protects your personal data in Morocco in 2026?
⏩ Discover the CNDP and the Moroccan authorities responsible for protecting your personal data in 2026. Law 09-08, prior declarations, international transfers, complaints — our complete guide covers everything you need to know.
Introduction: Law 09-08, the legal framework for personal data in Morocco
In Morocco, the protection of personal data is governed by Law No. 09-08 on the protection of individuals with regard to the processing of personal data ("Law No. 09-08").
For reference, personal data is defined as any information, of whatever nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person, referred to as the "data subject."
📌 Important: all personal data processing must be declared to the CNDP before it is implemented (except processing that is exempt from the scope of Law 09-08, dispensed from declaration, or subject to prior authorization).
⚠️ Warning — sensitive data: if you process sensitive data, meaning data relating to:
- racial or ethnic origin;
- political opinions;
- religious beliefs;
- trade union membership;
- genetic or health-related data;
- data including the national identity card number (CIN);
you must submit an authorization request to the CNDP.
🌍 International transfers: if you transfer data abroad (outside Morocco), or if personal data is hosted or transmitted abroad, you must also submit an international data transfer request to the CNDP.
If you are launching a startup in Morocco, personal data compliance is an essential step in your legal structuring. See also our Morocco Startup Guide 2026.
Who ensures the protection of your personal data in Morocco?
Law No. 09-08 provides that the National Commission for the Control of Personal Data Protection (the CNDP or the Commission) is the authority "responsible for implementing and ensuring compliance with [its] provisions" relating to personal data protection (Articles 27 et seq.).
The CNDP is responsible for verifying that personal data processing is:
- lawful and legal;
- respectful of privacy;
- respectful of fundamental rights and freedoms.
The Commission is located at: Avenue Al Arz, Sector 4, M1, Hay Riad – Rabat, Morocco.
How do you enforce your rights with the CNDP?
If you believe that those responsible for processing your personal data are infringing your rights, you can file a complaint with the CNDP: it will help you assert your rights.
You also have the right to contact any organization that may hold your personal data (data controller) to exercise your rights of access, rectification and objection.
You may file your complaint through the following channels:
- online on the CNDP website;
- by sending an email to the CNDP;
- by sending a letter (you may use the template below as a guide).
Subject: Complaint regarding the processing of my personal data by [company name]
Dear President,
I am writing to file a complaint regarding the processing of my personal data carried out by [company name], registered in the trade register of [trade register location] under number [trade register number] and with its registered office at [company address].
Indeed, [describe the grounds for your complaint and the steps taken with the data controller. E.g.: "the company whose details are indicated above processes personal data concerning me. Said company has not provided me with any means to access my personal data in its possession, despite the correspondence I sent it, copies of which are attached to this letter."]
I would be grateful if you would instruct your departments to require the company to comply with the provisions of Law 09-08.
Yours faithfully,
What are the CNDP's missions?
The CNDP is responsible for two main categories of missions:
1. Providing opinions
- to the government or parliament on draft laws, legislative proposals, or regulatory projects relating to personal data processing referred to it;
- to the competent authority on draft regulations creating files relating to personal data collected and processed for crime prevention and prosecution purposes — the opinion requested serves as a declaration;
- to the competent authority on draft and proposed laws establishing and processing data relating to surveys and statistical data collected and processed by public authorities;
- to the government on the procedures for prior declaration of personal data processing;
- to the government on the procedures for registration in the national register;
- to the government on the procedural rules and data protection for security file processing that must be registered.
2. Receiving
- notification of the identity of the representative established in Morocco acting on behalf of a data controller residing abroad;
- prior declarations of personal data processing and issuing a receipt of declaration;
- the identity of the data controller of registers kept open to the public.
What powers does the CNDP have to carry out its missions?
The CNDP has the following powers:
- Investigation and inquiry powers — allowing its agents to access data being processed, to require direct access to the premises where processing takes place, and to collect and seize all information and documents necessary to carry out oversight functions;
- Power to order that documents of any kind or on any medium be communicated to it, enabling it to examine the facts relating to complaints submitted to it;
- Power to order or carry out, or have carried out, the necessary modifications to ensure the fair maintenance of data contained in a file;
- Power to order the locking, erasure or destruction of data and to provisionally or permanently prohibit the processing of personal data, including data included in open data transmission networks from servers located on national territory.
The CNDP exercises its powers in compliance with a disciplinary procedure guaranteeing the rights of the defense, and in particular the adversarial principle set out in its internal rules of procedure.
What is the composition of the CNDP?
The CNDP is composed of seven members:
- a president appointed by His Majesty the King;
- six members also appointed by His Majesty the King, on the proposal of:
  - the Prime Minister;
  - the President of the House of Representatives;
  - the President of the House of Councillors.
The term of office of CNDP members is five years, renewable once.
The detailed organizational chart of CNDP members is available on the Commission's website.
How is the CNDP administered?
The Commission is administered by a president. The president convenes and chairs Commission meetings. Meetings are validly held when at least two-thirds of members are present. Decisions are taken by a majority of members present. The president has a casting vote in the event of a tie.
The president is assisted, in the exercise of administrative and financial duties, by a secretary-general appointed by the government on the president's proposal. The secretary-general is responsible for:
- managing staff recruited or seconded pursuant to the president's decisions;
- preparing and executing the Commission's budget;
- preparing and awarding the Commission's contracts;
- preparing working documents for Commission meetings and maintaining the register of its decisions;
- monitoring the work of committees established by the Commission and providing them with the material and human resources necessary to carry out their missions.
What is the status of CNDP members?
Incompatibility rules
The office of CNDP member is incompatible with the following corporate mandates held within a personal data processing company:
- director;
- manager;
- member of the management board;
- sole chief executive officer;
- member of the supervisory board.
A CNDP member may not participate in deliberations or investigations relating to an organization in which they have held a direct or indirect interest, or in which they have held a mandate or function, unless a period of five years has elapsed between the date of cessation of the function, end of the mandate or disposal of the interest and the date of their appointment to the CNDP.
Professional secrecy
CNDP members are bound by professional secrecy with regard to facts, acts and information they may have become aware of in the course of their duties. They are subject to the same obligation even after the end of their mandate.
Civil servants, agents or technicians performing functions within the National Commission or for its members are also required to observe professional secrecy.
Legal protection
Members and civil servants, agents and technicians of the National Commission are protected against insults or attacks on their person.
Are CNDP meetings public?
Commission meetings are not public. However, any person whose presence is required by the Commission may attend the meetings.
FAQ — Personal Data Compliance in Morocco
Why is personal data compliance important in Morocco?
In Morocco, personal data processing is governed by Law 09-08 and the CNDP (National Commission for the Control of Personal Data Protection).
In practice, the risks are real:
- blockages or difficulties in partnerships (banks, fintechs, insurers, major clients);
- compliance requirements in audits (fundraising, M&A, due diligence);
- legal and reputational exposure (complaints, inspections, security incidents).
If you collect data from customers, prospects, users, employees or partners, you are affected.
What is African Legal Factory?
ALF is a legaltech specializing in legal support for entrepreneurs in Africa.
Our team is composed of lawyers authorized to practice in the Kingdom of Morocco, with expertise in personal data matters in Morocco.
To contact us and find out more: hello@africanlegalfactory.com
Which companies are subject to Moroccan law?
You are affected if you:
- have a company in Morocco;
- target users/customers in Morocco (website, app, marketplace);
- have employees, contractors or an HR database in Morocco;
- engage in marketing (CRM, emailing, tracking, cookies) in Morocco;
- transfer data abroad (cloud, headquarters, service providers).
Compliance often hinges on actual data flows: tools used, subcontractors, hosting, transfers.
What are the concrete deliverables of a compliance project?
Our approach targets immediately usable and audit-proof deliverables:
- processing activity mapping (register);
- analysis of legal bases and data minimization;
- privacy policies and information notices (clients, users, HR);
- updated T&Cs and privacy policy;
- cookie banner and tracker management (where applicable);
- subprocessing agreements and security clauses (DPA);
- framework for international transfers (if cloud/outsourcing outside Morocco);
- operational action plan + team checklist.
CNDP compliance: is a declaration or authorization required?
Depending on the nature of the processing, CNDP formalities may be required (declaration and/or authorization request).
The key point: we qualify your processing activities (data categories, purposes, recipients, transfers, sensitive data), then determine the applicable formalities and prepare the file.
How much does a compliance engagement cost in Morocco?
The cost depends mainly on 3 factors:
- number of processing activities (product, marketing, HR, support, partners);
- level of exposure (sensitive data, fintech, health, geolocation, KYC);
- transfers and subprocessors (cloud, CRM, analytics, service providers).
We offer 2 formats:
- Flash Audit (diagnosis + prioritized action plan);
- Compliance Package (documents + implementation + CNDP formalities if required).
Request a quote: we respond quickly with a structured proposal.
How long does it take to become compliant?
If you are a startup or SME with a standard stack (website/app + CRM + marketing tools), a solid first level of compliance can be achieved in a few weeks.
What causes delays:
- no mapping of tools and service providers;
- non-existent or outdated subprocessor agreements;
- unaddressed international transfers.
Can you help us if our company is outside Morocco but we target the Moroccan market?
Yes.
This is common: team outside Morocco, users in Morocco, cloud abroad, international service providers.
We align:
- your public-facing documents (privacy policy, cookies);
- your contracts (subprocessors, partners);
- your data flows (transfers, hosting, access);
- your CNDP obligations based on your presence and processing activities.
What issues most commonly arise during due diligence (investors / corporates)?
The most common red flags:
- no register / no processing activity mapping;
- generic copy-pasted privacy policy;
- non-compliant cookies/trackers;
- no data processing agreements (DPA) with key service providers;
- unjustified / undocumented international transfers;
- KYC data or sensitive data without an enhanced framework.
To understand the stakes in fundraising: our guide on fundraising typologies.
What should we prepare before contacting you to move fast?
If you have these elements ready, we can move very quickly:
- list of tools (hosting, analytics, CRM, emailing, support, payment);
- data collection flows (forms, app, onboarding, KYC if applicable);
- current T&Cs + privacy policy;
- list of countries (team, servers, subprocessors, users).
I want to get started: how do we begin?
Book a call and we will give you a clear plan from the very first conversation:
- quick diagnosis of your data flows;
- risk level assessment;
- 30-day priorities;
- effort and budget estimate.
Then we kick off the audit and produce the deliverables.
Looking for legal assistance in Morocco?
If you would like support on your personal data matters in Morocco, fill in this questionnaire and we will get back to you promptly.