{"id":20,"date":"2026-04-13T16:19:17","date_gmt":"2026-04-13T15:19:17","guid":{"rendered":"https:\/\/arrowlancer.ma\/blog\/morocco-cndp-law-09-08-compliance-checklist-2026\/"},"modified":"2026-04-13T16:19:17","modified_gmt":"2026-04-13T15:19:17","slug":"morocco-cndp-law-09-08-compliance-checklist-2026","status":"publish","type":"post","link":"https:\/\/arrowlancer.ma\/blog\/en\/morocco-cndp-law-09-08-compliance-checklist-2026\/","title":{"rendered":"Morocco CNDP Law 09-08 compliance: 2026 checklist for businesses"},"content":{"rendered":"<p class=\"wp-block-paragraph\"><strong>Morocco CNDP Law 09-08 compliance<\/strong> is no longer optional in 2026: audits are multiplying, fines are climbing, and any data breach exposes your company to a reputation crisis. This guide is an operational checklist to assess where you stand \u2014 and what&#8217;s left to do.<\/p>\n<h2 class=\"wp-block-heading\">Reminder: what is Morocco CNDP Law 09-08 compliance?<\/h2>\n<p>Law 09-08 of 18 February 2009 and its implementing decree 2-09-165 govern the processing of personal data in Morocco. The supervising authority is the <a href=\"https:\/\/www.cndp.ma\/\" target=\"_blank\" rel=\"noopener\">Commission Nationale de contr\u00f4le de la protection des Donn\u00e9es \u00e0 caract\u00e8re Personnel (CNDP)<\/a>.<\/p>\n<p>Since 2020, the CNDP has significantly stepped up its actions: field audits, financial sanctions, published decisions. In 2026, the authority is clearly steering compliance toward a posture closer to the European GDPR \u2014 more demanding than a literal reading of the 2009 text.<\/p>\n<h2 class=\"wp-block-heading\">Who is concerned by Morocco CNDP Law 09-08?<\/h2>\n<p>Any company or administration that <strong>processes personal data<\/strong> of natural persons in Morocco. In practice:<\/p>\n<ul class=\"wp-block-list\">\n<li>HR (payroll, personnel management, candidate files)<\/li>\n<li>Marketing and CRM (customer contacts, newsletters, loyalty programmes)<\/li>\n<li>E-commerce (user profiles, purchase history)<\/li>\n<li>Medical services (health data \u2014 highest sensitivity)<\/li>\n<li>Banking, insurance (financial data)<\/li>\n<li>Video surveillance (cameras in public or company premises)<\/li>\n<\/ul>\n<p>If you also process data of EU residents, you&#8217;re subject to <strong>GDPR<\/strong> as well \u2014 two regimes to reconcile.<\/p>\n<h2 class=\"wp-block-heading\">Operational checklist \u2014 Morocco CNDP Law 09-08 compliance<\/h2>\n<h3 class=\"wp-block-heading\">1. Prior declaration or authorisation<\/h3>\n<p>Before any processing, you must either <strong>declare<\/strong> it to the CNDP (most routine processing), or request <strong>prior authorisation<\/strong> (sensitive data: health, ethnicity, opinions, etc.).<\/p>\n<p><strong>Checklist<\/strong>:<\/p>\n<ul class=\"wp-block-list\">\n<li>Identify every ongoing processing activity (HR, customers, prospects, CCTV\u2026).<\/li>\n<li>For each, qualify: declaration or authorisation?<\/li>\n<li>Submit dossiers via the CNDP portal.<\/li>\n<li>Retain acknowledgements \u2014 they can be requested during an audit.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">2. Informing data subjects<\/h3>\n<p>Any person whose data you collect must be informed \u2014 at the moment of collection \u2014 of:<\/p>\n<ul class=\"wp-block-list\">\n<li>The identity of the data controller<\/li>\n<li>The purpose of the processing<\/li>\n<li>Recipients of the data<\/li>\n<li>Whether the response is mandatory or optional<\/li>\n<li>Rights of access, rectification, and opposition<\/li>\n<\/ul>\n<p><strong>In practice<\/strong>: web forms with a legal notice, a privacy policy visible in the footer, information signs on CCTV panels, clauses in employment contracts.<\/p>\n<h3 class=\"wp-block-heading\">3. Processing register (best practice \u2014 not mandatory but strongly recommended)<\/h3>\n<p>The Moroccan text doesn&#8217;t formally require a register (unlike GDPR article 30). But in a CNDP audit, knowing how to list your processing activities, their purposes, retention periods, and associated security measures is what separates a serious company from one in default.<\/p>\n<h3 class=\"wp-block-heading\">4. Data security<\/h3>\n<p>Article 23 of Law 09-08 requires &#8220;appropriate technical and organisational measures&#8221;. 2026 interpretation: what a mature company actually does in InfoSec. At minimum:<\/p>\n<ul class=\"wp-block-list\">\n<li>Encryption in transit (HTTPS everywhere, TLS 1.2+)<\/li>\n<li>Encryption at rest for sensitive data<\/li>\n<li>Role-based access control (RBAC)<\/li>\n<li>Audit logging of sensitive-data access<\/li>\n<li>Regular, tested backups<\/li>\n<li>Strong password policy + 2FA on admin access<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">5. Limited retention<\/h3>\n<p>You cannot retain data indefinitely. Retention periods must be proportionate to the purpose: a rejected CV is deleted within 2 years max, an employment contract is kept for the relationship + statute of limitations, banking data has its own rules (AML).<\/p>\n<p><strong>To do<\/strong>: define a retention policy per data type, automate it (purge scripts), document it.<\/p>\n<h3 class=\"wp-block-heading\">6. International data transfers<\/h3>\n<p>If you use a <a href=\"\/blog\/en\/morocco-sovereign-cloud-comparison-2026\/\">cloud hosted outside Morocco<\/a> (AWS Paris, Azure Ireland, Google US), you perform an international transfer under Law 09-08. You must:<\/p>\n<ul class=\"wp-block-list\">\n<li>Verify the destination country offers &#8220;sufficient&#8221; protection (CNDP list)<\/li>\n<li>Otherwise, frame the transfer with standard contractual clauses<\/li>\n<li>In all cases, inform data subjects<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">7. Data subject rights<\/h3>\n<p>Users have the right to access their data, rectify it, object to it. Practically:<\/p>\n<ul class=\"wp-block-list\">\n<li>Define a single contact point (dedicated email: <code>privacy@<\/code> or <code>data@<\/code>)<\/li>\n<li>Target response time: 30 days maximum<\/li>\n<li>Keep a written record of each request and the response<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">8. Video surveillance<\/h3>\n<p>A special area, tightly controlled by the CNDP:<\/p>\n<ul class=\"wp-block-list\">\n<li>Prior CNDP authorisation is mandatory.<\/li>\n<li>Information signs must be visible at entrances.<\/li>\n<li>Prohibited: filming private areas (locker rooms, individual offices without justification, staff housing).<\/li>\n<li>Typical retention: 30 days max, exceptions only.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Sanctions for non-compliance<\/h2>\n<ul class=\"wp-block-list\">\n<li><strong>Administrative sanctions<\/strong>: fines from 10,000 to 300,000 MAD per infraction, suspension of processing.<\/li>\n<li><strong>Criminal sanctions<\/strong>: 3 months to 1 year imprisonment + fines for serious cases (illegal processing of sensitive data, repeated failure to declare, unauthorised disclosure).<\/li>\n<li><strong>Reputation risk<\/strong>: the CNDP publishes its decisions. A public formal notice is often worse commercially than the fine itself.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Where to start?<\/h2>\n<ol class=\"wp-block-list\">\n<li><strong>Flash audit (2 weeks)<\/strong> \u2014 map your processing activities, flows, SaaS tools. Identify big risks.<\/li>\n<li><strong>Remediation plan (3\u20136 months)<\/strong> \u2014 CNDP filings, policy updates, team training.<\/li>\n<li><strong>Ongoing governance<\/strong> \u2014 appoint a personal-data officer (DPO equivalent), schedule an annual internal audit.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\">In summary<\/h2>\n<p><strong>Morocco CNDP Law 09-08 compliance<\/strong> is more than a legal obligation \u2014 it&#8217;s a competitive advantage. Clients, especially B2B and public sector, are starting to ask for proof of compliance in RFPs. Better to structure the effort now than under audit pressure.<\/p>\n<p>At <strong><a href=\"https:\/\/arrowlancer.ma\/\">Arrowlancer<\/a><\/strong>, we help Moroccan companies align CNDP compliance, technical security, and day-to-day operations. If you want a flash audit, <a href=\"https:\/\/arrowlancer.ma\/en\/#contact\">let&#8217;s talk<\/a>.<\/p>\n<p>Also read: <a href=\"\/blog\/en\/morocco-it-services-company-how-to-choose-2026-guide\/\">How to choose a Morocco IT services company<\/a> \u00b7 <a href=\"\/blog\/en\/morocco-sovereign-cloud-comparison-2026\/\">Morocco sovereign cloud comparison<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Operational 2026 checklist for Morocco CNDP Law 09-08 compliance: declarations, security, retention, international transfers, video surveillance. Arrowlancer guide.<\/p>\n","protected":false},"author":0,"featured_media":13,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-20","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/posts\/20","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/comments?post=20"}],"version-history":[{"count":0,"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/posts\/20\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/media\/13"}],"wp:attachment":[{"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/media?parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/categories?post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arrowlancer.ma\/blog\/wp-json\/wp\/v2\/tags?post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}