Morocco CNDP Law 09-08 compliance: 2026 checklist for businesses
Morocco CNDP Law 09-08 compliance is no longer optional in 2026: audits are multiplying, fines are climbing, and any data breach exposes your company to a reputation crisis. This guide is an operational checklist to assess where you stand — and what’s left to do.
Reminder: what is Morocco CNDP Law 09-08 compliance?
Law 09-08 of 18 February 2009 and its implementing decree 2-09-165 govern the processing of personal data in Morocco. The supervising authority is the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).
Since 2020, the CNDP has significantly stepped up its actions: field audits, financial sanctions, published decisions. In 2026, the authority is clearly steering compliance toward a posture closer to the European GDPR — more demanding than a literal reading of the 2009 text.
Who is concerned by Morocco CNDP Law 09-08?
Any company or administration that processes personal data of natural persons in Morocco. In practice:
- HR (payroll, personnel management, candidate files)
- Marketing and CRM (customer contacts, newsletters, loyalty programmes)
- E-commerce (user profiles, purchase history)
- Medical services (health data — highest sensitivity)
- Banking, insurance (financial data)
- Video surveillance (cameras in public or company premises)
If you also process data of EU residents, you’re subject to GDPR as well — two regimes to reconcile.
Operational checklist — Morocco CNDP Law 09-08 compliance
1. Prior declaration or authorisation
Before any processing, you must either declare it to the CNDP (most routine processing), or request prior authorisation (sensitive data: health, ethnicity, opinions, etc.).
Checklist:
- Identify every ongoing processing activity (HR, customers, prospects, CCTV…).
- For each, qualify: declaration or authorisation?
- Submit dossiers via the CNDP portal.
- Retain acknowledgements — they can be requested during an audit.
2. Informing data subjects
Any person whose data you collect must be informed — at the moment of collection — of:
- The identity of the data controller
- The purpose of the processing
- Recipients of the data
- Whether providing the data is mandatory or optional
- Rights of access, rectification, and opposition
In practice: web forms with a legal notice, a privacy policy visible in the footer, information signs on CCTV panels, clauses in employment contracts.
3. Processing register (best practice — not mandatory but strongly recommended)
The Moroccan text doesn’t formally require a register (unlike GDPR article 30). But in a CNDP audit, knowing how to list your processing activities, their purposes, retention periods, and associated security measures is what separates a serious company from one in default.
4. Data security
Article 23 of Law 09-08 requires “appropriate technical and organisational measures”. 2026 interpretation: what a mature company actually does in InfoSec. At minimum:
- Encryption in transit (HTTPS everywhere, TLS 1.2+)
- Encryption at rest for sensitive data
- Role-based access control (RBAC)
- Audit logging of sensitive-data access
- Regular, tested backups
- Strong password policy + 2FA on admin access
5. Limited retention
You cannot retain data indefinitely. Retention periods must be proportionate to the purpose: a rejected CV is deleted within 2 years max, an employment contract is kept for the relationship + statute of limitations, banking data has its own rules (AML).
To do: define a retention policy per data type, automate it (purge scripts), document it.
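A minimal form of the per-type purge this to-do describes, as an added example that is not part of the original article: it encodes the retention periods the checklist gives (rejected CV deleted within 2 years, employment contract kept for the relationship plus the limitation period, CCTV footage 30 days as in section 8), runs the purge over constructed sample records, and writes one log line per deletion so the run itself leaves the written trace an audit asks for. The 5-year limitation period and the record kinds are placeholder assumptions, not figures from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Placeholder assumption: the article gives no figure for the statute of
# limitations after an employment relationship ends; set this from counsel.
LIMITATION_YEARS_PLACEHOLDER = 5

@dataclass
class Record:
    kind: str                      # "rejected_cv", "cctv", "employment_contract"
    created: date                  # collection or capture date
    ended: Optional[date] = None   # end of employment relationship, if any

def expiry(rec: Record) -> Optional[date]:
    """Last day the record may be kept, or None while it must still be kept."""
    if rec.kind == "rejected_cv":            # deleted within 2 years max
        return rec.created + timedelta(days=2 * 365)
    if rec.kind == "cctv":                   # typical retention: 30 days max
        return rec.created + timedelta(days=30)
    if rec.kind == "employment_contract":    # relationship + limitation period
        if rec.ended is None:
            return None
        return rec.ended + timedelta(days=LIMITATION_YEARS_PLACEHOLDER * 365)
    # Fail loudly: a data type without a documented rule is itself a finding.
    raise ValueError(f"no retention rule defined for {rec.kind!r}")

def purge(records: List[Record], today: date) -> Tuple[List[Record], List[Record], List[str]]:
    """Split records into (kept, purged) and emit one log line per deletion."""
    kept, purged, log = [], [], []
    for rec in records:
        exp = expiry(rec)
        if exp is not None and today > exp:
            purged.append(rec)
            log.append(f"{today.isoformat()} purged {rec.kind} "
                       f"created={rec.created.isoformat()} expiry={exp.isoformat()}")
        else:
            kept.append(rec)
    return kept, purged, log

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    Record("rejected_cv", date(2024, 1, 15)),                            # past 2 years
    Record("rejected_cv", date(2025, 6, 1)),                             # still within 2 years
    Record("cctv", date(2026, 1, 20)),                                   # older than 30 days
    Record("cctv", date(2026, 2, 15)),                                   # within 30 days
    Record("employment_contract", date(2015, 1, 1)),                     # ongoing: keep
    Record("employment_contract", date(2015, 1, 1), date(2020, 6, 30)),  # ended, period elapsed
]
```

Running `purge(SAMPLE_RECORDS, date(2026, 3, 1))` purges one record of each kind and keeps the other three; the returned log lines are what you archive as evidence of the purge run.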
6. International data transfers
If you use a cloud hosted outside Morocco (AWS Paris, Azure Ireland, Google US), you perform an international transfer under Law 09-08. You must:
- Verify the destination country offers “sufficient” protection (CNDP list)
- Otherwise, frame the transfer with standard contractual clauses
- In all cases, inform data subjects
7. Data subject rights
Users have the right to access their data, rectify it, and object to its processing. Practically:
- Define a single contact point (a dedicated mailbox such as privacy@)
- Target response time: 30 days maximum
- Keep a written record of each request and the response
8. Video surveillance
A special area, tightly controlled by the CNDP:
- Prior CNDP authorisation is mandatory.
- Information signs must be visible at entrances.
- Prohibited: filming private areas (locker rooms, individual offices without justification, staff housing).
- Typical retention: 30 days max, exceptions only.
Sanctions for non-compliance
- Administrative sanctions: fines from 10,000 to 300,000 MAD per infraction, suspension of processing.
- Criminal sanctions: 3 months to 1 year imprisonment + fines for serious cases (illegal processing of sensitive data, repeated failure to declare, unauthorised disclosure).
- Reputation risk: the CNDP publishes its decisions. A public formal notice is often worse commercially than the fine itself.
Where to start?
- Flash audit (2 weeks) — map your processing activities, flows, SaaS tools. Identify big risks.
- Remediation plan (3–6 months) — CNDP filings, policy updates, team training.
- Ongoing governance — appoint a personal-data officer (DPO equivalent), schedule an annual internal audit.
In summary
Morocco CNDP Law 09-08 compliance is more than a legal obligation — it’s a competitive advantage. Clients, especially B2B and public sector, are starting to ask for proof of compliance in RFPs. Better to structure the effort now than under audit pressure.
At Arrowlancer, we help Moroccan companies align CNDP compliance, technical security, and day-to-day operations. If you want a flash audit, let’s talk.