Guide · Law 09-08

CNDP Compliance in Morocco — Complete 2026 Guide

Everything a Moroccan organisation needs to know to comply with Law 09-08 and decree 2-09-165, without copy-pasting the GDPR.

By Yasmine R. · 12 min read

Note on the 2025 CNDP nomenclature. Several earlier preparatory documents used codes that are now obsolete for CNDP forms. The nomenclature in force on cndp.ma is as follows: F211 standard declaration, F214 simplified declaration (cases pre-authorised by framework decision), F112 prior authorisation (formerly referenced as F212), F113 simplified authorisation, F118 international transfer (formerly referenced as F214 in some documents). This guide was corrected on 12 May 2026 to reflect this mapping.

CNDP compliance is not an "imported European" topic. It is a Moroccan obligation, founded on Law no. 09-08 enacted in 2009 and its implementing decree 2-09-165 also published in 2009. Any organisation, Moroccan or foreign, that processes personal data concerning persons located in Morocco is subject to this framework, supervised by the CNDP — the Commission Nationale de contrôle de la Protection des Données à caractère Personnel, Morocco's data protection authority, based in Rabat.

This pillar guide covers the entirety of practical obligations, form by form, article by article, with an operational logic for Moroccan organisations in 2026. It does not replace a tailored audit, but it gives you the complete map to refer back to.

Reading rule. This guide is descriptive and legal, but not legally binding. For sensitive judgement calls — qualification of a processing activity, F112 vs F211 choice, litigation — the opinion of a specialised law firm remains essential. Our role: cover 90% of operational questions, and identify the 10% that deserve a lawyer.

1. The legal framework

Personal data protection in Morocco rests on two layered texts:

  • Law no. 09-08 on the protection of natural persons with regard to the processing of personal data, which sets out the principles (purpose, proportionality, quality, security, rights) and establishes the CNDP.
  • Implementing decree no. 2-09-165, which specifies the concrete arrangements: CNDP forms, processing deadlines, organisation of the Commission, procedures for exercising rights.

The supervisory authority is the CNDP, created by Law 09-08, which has powers of investigation, formal notice and proposal of sanctions. It publishes its rulings (decisions and guidelines), some of which are public and constitute the reference doctrine for practitioners.

In addition to these two main texts, organisations exposed to the European Union (subsidiaries of EU groups, websites targeted at Europeans, e-commerce shipping to the EU) must also comply with the GDPR (EU Regulation 2016/679). The two frameworks layer on top of one another without being mutually exclusive: you must comply with the more demanding of the two, processing by processing.

2. Who does Law 09-08 apply to?

2.1 Material scope

The law applies to any automated or non-automated processing of personal data as soon as it is incorporated into a structured filing system. The definition is very broad:

  • A client database in a CRM: yes.
  • An HR Excel file: yes.
  • A paper file organised by name: yes.
  • Surveillance videos enabling identification of persons: yes.
  • Server logs containing the IP address: yes (the IP is considered personal data in modern doctrine).

2.2 Territorial scope

The law applies:

  • To processing carried out on Moroccan territory, regardless of the nationality of the data controller;
  • To processing carried out from abroad but using means located in Morocco (hosting, local processor, employees in Morocco), excluding mere transit means;
  • To processing directed at persons in Morocco, in an increasingly extraterritorial logic aligned with international standards.

2.3 The three actors

Role            | Operational definition
Data controller | Legal or natural person who determines the purposes and means of the processing. The organisation that decides "why and how".
Processor       | Person who processes the data on behalf of the controller (hoster, SaaS provider, IT outsourcer, external HR firm).
Data subject    | The individual whose data is processed: customer, employee, candidate, visitor, subscriber, prospect.

The controller/processor distinction determines obligations: the controller must declare, inform, secure; the processor must sign a processing contract (DPA) and act only on instructions.

3. Key obligations in eight points

3.1 Prior declaration — the central obligation

Law 09-08 organises compliance around the prior declaration obligation. Concretely, before starting any processing of personal data, the organisation must declare that processing to the CNDP. The 2025 nomenclature structures this mechanism around the following forms:

  • F211 — Standard declaration: the general case. The majority of ordinary processing activities (HR, customers, suppliers, non-sensitive video surveillance).
  • F214 — Simplified declaration: for cases pre-authorised by a CNDP framework decision (recurring categories presenting no particular risk).
  • F112 — Prior authorisation: for sensitive processing (health, biometrics, offences, file interconnection). Formerly referenced as F212 in some preparatory documents.
  • F113 — Simplified authorisation: lighter authorisation regime for processing covered by a dedicated framework decision.
  • F118 — International transfer: to transfer data outside Morocco to a country without an adequate level of protection. Formerly referenced as F214 in some preparatory documents.

Any substantial change to an already-filed dossier (new purpose, new processor, new data category) is handled via a re-filing marked "modificative"; the exact arrangements have evolved and continue to evolve — this point has been corrected in the present version of the guide to avoid propagating the former "F112 modificative" label.

Once the filing has been processed, the CNDP issues a CNDP receipt (acknowledgement of filing) which materialises administrative compliance and must be publicly displayed (in practice, in the website footer and in the privacy policy).

3.2 Prior information — Article 5 of Law 09-08

Every data subject must be informed, before collection or at the time of collection, of the following:

  • The identity of the data controller
  • The purpose pursued
  • Whether responses are mandatory or optional
  • The recipients of the data
  • The existence of the rights of access, rectification and objection
  • Where applicable, the envisaged transfers

This information materialises on the website through the privacy policy (dedicated page) and through short notices at the point of collection (form, banner, account-creation screen). A GDPR copy-paste is not enough: notices must reference Law 09-08 and the CNDP, not just the CNIL or the EDPB.

3.3 Consent

Consent is required when the processing has no other basis (legitimate interest, legal obligation, contractual performance). To be valid, it must be:

  • Freely given: no pre-ticked boxes, no abusive conditioning
  • Specific: one consent per purpose, not a "global" consent
  • Informed: preceded by complete information
  • Unambiguous: clear positive action
  • Withdrawable: as easy to withdraw as to give

For tracking cookies, prior consent is required: no third-party script may fire before consent, and the absence of a response does not amount to consent (no "implied consent").
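One way to implement the runtime blocking described above, as an added example that is not code from the guide or from DataSouv: third-party scripts are shipped inert and a pure decision function decides which may be activated, treating "no answer" as "no consent" and making withdrawal a single call. The script registry, the category names, the `data-consent-id` attribute and the `consent` storage key are assumptions made for the example.

```javascript
// Added example (not the guide's own code): consent-gated activation of
// third-party scripts. The decision logic is pure so it runs in Node; only
// activateInDom() touches the browser DOM.

// Constructed registry: every embeddable script carries a consent category.
// Names and URLs are hypothetical.
const SCRIPT_REGISTRY = [
  { id: 'site-app',      category: 'necessary', src: '/static/app.js' },
  { id: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ads-pixel',     category: 'marketing', src: 'https://ads.example/pixel.js' },
];
const CONSENT_CATEGORIES = ['analytics', 'marketing']; // 'necessary' is never asked

// Consent record persisted first-party (cookie or localStorage). `choices`
// contains only categories the visitor actually answered; a missing key is
// "no answer" and must never be read as consent.
function emptyConsent() {
  return { version: 1, decidedAt: null, choices: {} };
}

function isAllowed(consent, category) {
  if (category === 'necessary') return true;   // strictly necessary: no consent needed
  return consent.choices[category] === true;   // undefined (no answer) or false -> blocked
}

// Ids of the scripts that may be executed under the given consent record.
function scriptsToActivate(registry, consent) {
  return registry.filter(s => isAllowed(consent, s.category)).map(s => s.id);
}

// Record a positive action on the banner. Categories not ticked are stored as
// an explicit false so the banner is not shown again, but they stay blocked.
function recordChoice(consent, grantedCategories, now = Date.now()) {
  const choices = {};
  for (const c of CONSENT_CATEGORIES) choices[c] = grantedCategories.includes(c);
  return { ...consent, decidedAt: now, choices };
}

// Withdrawal must be as easy as giving consent: one call resets every category.
function withdrawAll(consent, now = Date.now()) {
  return recordChoice(consent, [], now);
}

// Browser side only. Scripts are shipped inert as
// <script type="text/plain" data-consent-id="analytics-tag" src="..."></script>
// and are re-created as executable once their id is allowed. Returns the ids
// activated by this call.
function activateInDom(doc, allowedIds) {
  const activated = [];
  const inertScripts = doc.querySelectorAll('script[type="text/plain"][data-consent-id]');
  for (const inert of inertScripts) {
    const id = inert.getAttribute('data-consent-id');
    if (!allowedIds.includes(id) || inert.dataset.activated === '1') continue;
    const live = doc.createElement('script');
    live.src = inert.getAttribute('src');
    live.async = true;
    inert.parentNode.insertBefore(live, inert.nextSibling);
    inert.dataset.activated = '1';   // idempotent: never fire the same script twice
    activated.push(id);
  }
  return activated;
}

// Typical page flow (browser): read the stored record, activate what is allowed,
// then re-run activateInDom() after the visitor interacts with the banner.
if (typeof document !== 'undefined') {
  const stored = JSON.parse(localStorage.getItem('consent') || 'null') || emptyConsent();
  activateInDom(document, scriptsToActivate(SCRIPT_REGISTRY, stored));
}
```

The important property is in `isAllowed`: only an explicit `true` unlocks a category, so a visitor who closed the banner without answering gets exactly the same result as one who refused, and the tracking script never reaches the DOM as executable code before that point.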

3.4 Security — Article 23

Article 23 of Law 09-08 requires the data controller to take all useful precautions to ensure the security of the data and to prevent it from being distorted, damaged, or accessed by unauthorised third parties.

In practice, this implies:

  • TLS encryption on all pages collecting data (TLS 1.2 minimum, TLS 1.3 recommended)
  • HSTS preload to prevent any HTTPS → HTTP downgrade
  • Strict HTTP security headers: Content-Security-Policy, X-Frame-Options, Permissions-Policy
  • Access management: named accounts, least-privilege principle, MFA for admin access
  • Logging: auditable traces of access to sensitive data
  • Backups: regular, encrypted, tested (at least annual restoration test)
  • Incident-response procedure: who notifies whom, within what deadline, to the CNDP

A website without HSTS and with tracking cookies firing before consent is not merely "suboptimal": it breaches Article 23.

3.5 Data subject rights — Articles 7 to 11

Every data subject is entitled to four enforceable rights:

Right                                                 | Article    | Response deadline
Access: obtain confirmation and a copy of the data    | Article 7  | "Reasonable time" — in practice: 30 days
Rectification: correct inaccurate data                | Article 8  | Reasonable time, free of charge
Objection: refuse processing for legitimate reasons   | Article 9  | Stops processing after review
Erasure: delete data no longer complying with the law | Article 11 | Reasonable time

The organisation must provide a point of contact (dedicated email, form, postal mail) clearly indicated in the privacy policy. Requests must be tracked (who, when, action taken) — that's the first thing a CNDP inspector asks for.

3.6 Subcontracting — Articles 21 and 22

Any processor handling data on your behalf (hoster, SaaS, HR provider, IT outsourcer) must be subject to:

  1. A written contract specifying obligations regarding data protection (DPA — Data Processing Agreement)
  2. Sufficient guarantees regarding technical and organisational security measures
  3. A prohibition on using the data beyond the controller's instructions

In practice, your contractual relationship with Google Workspace, Microsoft 365, AWS, Salesforce, HubSpot must include a signed DPA. Most vendors offer a standard downloadable one — but it still needs to have been effectively contracted.

3.7 International transfers — Articles 43 to 47

Transferring data outside Morocco is subject to prior authorisation by the CNDP via F118, except in two cases:

  • The destination country offers an adequate level of protection recognised by the CNDP (restricted list)
  • The transfer is governed by sufficient contractual safeguards (Standard Contractual Clauses — SCC — or binding corporate rules)

In 2026, the routine use of US SaaS (Google, Microsoft, Slack, Salesforce, HubSpot, Notion, etc.) implies either filing F118 for these transfers or documenting SCCs. This is one of the most frequent non-compliances in the Moroccan market: 80% of organisations use Google Workspace without having filed an F118 and without documented SCCs.

3.8 Retention period and minimisation

Data must be retained only for as long as necessary for the purpose pursued. After that, it must be deleted or anonymised. The duration must be:

  • Defined per purpose (e.g. prospects 24 months, customers duration of the contract + accounting obligations)
  • Documented in the records of processing activities
  • Audited periodically (automated purge recommended)
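The per-purpose schedule and automated purge that the list above recommends, as an added example that is not code from the guide or from DataSouv. The schedule uses the guide's own prospect figure (24 months); the accounting-retention duration, the field names (`lastContactAt`, `contractEndedAt`) and the sample records are constructed assumptions for the example, not values from the guide.

```javascript
// Added example (not the guide's own code): evaluate a retention schedule
// against stored records and decide, per record, whether to keep, delete,
// anonymise or send for review. Pure functions so it runs offline in Node.

const DAY = 86400000;

// ASSUMPTION for the example: accounting obligations modelled as 3650 days.
// The real figure must come from your own legal analysis, not from this code.
const ACCOUNTING_RETENTION_DAYS = 3650;

// Schedule keyed by purpose: which date the clock starts from, how long data
// is kept after it, and what happens at the end. This is what the records of
// processing activities should document.
const RETENTION_SCHEDULE = {
  prospect: { anchor: 'lastContactAt',    retainDays: 730,                       action: 'delete' },    // 24 months
  customer: { anchor: 'contractEndedAt',  retainDays: ACCOUNTING_RETENTION_DAYS, action: 'anonymise' }, // contract + accounting
};

// Constructed sample records (hypothetical people and dates).
const SAMPLE_RECORDS = [
  { id: 'p1', purpose: 'prospect', name: 'A. Benali', email: 'a@example.invalid', lastContactAt: '2024-01-15' },
  { id: 'p2', purpose: 'prospect', name: 'S. Idrissi', email: 's@example.invalid', lastContactAt: '2025-09-01' },
  { id: 'c1', purpose: 'customer', name: 'K. Alaoui', email: 'k@example.invalid', contractEndedAt: null, totalSpent: 1200 },
  { id: 'c2', purpose: 'customer', name: 'N. Tazi',   email: 'n@example.invalid', contractEndedAt: '2015-03-31', totalSpent: 450 },
  { id: 'x1', purpose: 'legacy-export', name: 'M. Fassi', email: 'm@example.invalid' },
];

// Constructed "today" so the example is deterministic.
const NOW = Date.parse('2026-05-12T00:00:00Z');

// Returns one decision per record: { id, action, reason }.
// A purpose absent from the schedule is a documentation gap, not something
// to silently keep, so it is flagged for review.
function planRetention(records, schedule, now) {
  const plan = [];
  for (const r of records) {
    const rule = schedule[r.purpose];
    if (!rule) {
      plan.push({ id: r.id, action: 'review', reason: `purpose "${r.purpose}" has no documented retention period` });
      continue;
    }
    const anchor = r[rule.anchor];
    if (!anchor) {
      // e.g. contract still running: the retention clock has not started
      plan.push({ id: r.id, action: 'keep', reason: `${rule.anchor} not set, clock not started` });
      continue;
    }
    const expiry = Date.parse(anchor) + rule.retainDays * DAY;
    if (now >= expiry) {
      plan.push({ id: r.id, action: rule.action, reason: `${rule.retainDays} days after ${rule.anchor} elapsed` });
    } else {
      plan.push({ id: r.id, action: 'keep', reason: `expires ${new Date(expiry).toISOString().slice(0, 10)}` });
    }
  }
  return plan;
}

// Anonymisation keeps only non-identifying business data (here: purpose and
// amounts). The id is dropped too, because an id that still links to other
// systems would make the row re-identifiable.
const IDENTIFYING_FIELDS = ['id', 'name', 'email', 'phone', 'address', 'lastContactAt', 'contractEndedAt'];
function anonymise(record) {
  const out = { anonymised: true };
  for (const [k, v] of Object.entries(record)) {
    if (!IDENTIFYING_FIELDS.includes(k)) out[k] = v;
  }
  return out;
}

// Apply the plan to an in-memory store; returns the surviving records.
function applyPlan(records, plan) {
  const actions = Object.fromEntries(plan.map(p => [p.id, p.action]));
  const kept = [];
  for (const r of records) {
    const action = actions[r.id];
    if (action === 'delete') continue;
    kept.push(action === 'anonymise' ? anonymise(r) : r);
  }
  return kept;
}
```

Run on a schedule (a nightly job is enough) and log each decision with its reason: the plan output is the audit trail that shows a retention period was not only defined but actually enforced.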

4. Sanctions — do not underestimate

4.1 Administrative sanctions

The CNDP may issue:

  • Warning (reminder of the law)
  • Formal notice with a compliance deadline (generally 3 to 6 months)
  • Withdrawal of authorisation for processing subject to F112
  • Publication of sanctions, adding a reputational dimension

4.2 Criminal sanctions

Law 09-08 provides for criminal sanctions: imprisonment and fines for characterised breaches (fraudulent collection, refusal of rights, failure to declare, unlawful disclosure). The precise thresholds may be updated by the awaited reform; the principle remains: this is not a mere administrative fine.

4.3 Economic and reputational sanctions

Beyond the legal dimension, non-compliance exposes you to increasingly significant economic consequences:

  • Public tenders and key accounts: CNDP compliance is becoming a blocking criterion
  • Partnerships with EU groups: requirement of a GDPR-compatible standard
  • M&A due diligence: non-compliance is a systematic friction point
  • Customer reputation: publication by the CNDP, specialised press, online reports

5. Law 09-08 vs GDPR comparison

Dimension               | Law 09-08 (Morocco)                       | GDPR (EU)
Date                    | 2009 (in force since 2009)                | 2018 (in force since 2018)
Logic                   | Mandatory prior declaration               | Internal register + accountability
DPO                     | No general obligation                     | Mandatory for large-scale / sensitive processing
Financial sanctions     | Moderate fines (reform expected)          | Up to 4% of worldwide turnover
Breach notification     | No explicit obligation (recommended)      | 72 h to the authority + data subjects
International transfers | F118 or SCC                               | Adequacy decisions + SCC + BCR
Rights                  | Access, rectification, objection, erasure | + right to portability, to be forgotten, objection to profiling
Authority               | CNDP (Rabat)                              | CNIL (FR), DPC (IE), etc.


6. How to become compliant? The seven-step journey

Step 1 — Initial audit

Map existing processing activities, processors, data flows. Without this foundation, any subsequent action is disorganised. A complete audit takes 3 to 6 weeks for an SME, up to 3 months for a multi-entity group.

Step 2 — Form qualification

For each mapped processing activity, determine the relevant form: F211, F214, F112, F113, F118. This qualification conditions the processing time and the risk of error. The most frequent error: declaring under F211 a sensitive processing that falls under F112 (prior authorisation).

Step 3 — Preparation and filing of formalities

Drafting of the forms, annexes (processing sheets, security measures), supporting documents. Filing with the CNDP and retention of the acknowledgement of receipt, which serves as proof of due diligence during processing.

Step 4 — Documentation and policies

  • Privacy policy referencing Law 09-08
  • Legal notices
  • Cookie policy with runtime blocking
  • Internal records of processing activities
  • Standard DPAs for processors
  • Rights-handling procedure

Step 5 — Technical hardening

  • HSTS preload, strict CSP, complete HTTP security headers
  • TLS configuration, SPF/DKIM/DMARC
  • Cookie banner compliant with effective runtime blocking
  • security.txt (RFC 9116)
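A check for the header requirements listed in section 3.4 (TLS/HSTS, CSP, X-Frame-Options, Permissions-Policy) and repeated in this step, as an added example that is not tooling from the guide or from DataSouv. It audits a plain object of response headers so it can run offline on captured headers; `auditUrl` is the live variant using Node 18+ global `fetch`. The thresholds (one-year `max-age`, `includeSubDomains` and `preload` as the bar for "HSTS preload") and the two sample header sets are constructed for the example.

```javascript
// Added example (not the guide's own code): audit HTTP security headers
// against the hardening list of section 3.4 / step 5. Header names are
// compared case-insensitively; findings are returned, nothing is printed.

const ONE_YEAR = 31536000; // seconds; the floor commonly required for preload

// Parse "max-age=...; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const d = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const tok = raw.trim().toLowerCase();
    if (tok.startsWith('max-age=')) d.maxAge = parseInt(tok.slice('max-age='.length), 10);
    else if (tok === 'includesubdomains') d.includeSubDomains = true;
    else if (tok === 'preload') d.preload = true;
  }
  return d;
}

// Effective script sources of a CSP: script-src, falling back to default-src.
function cspScriptSrc(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Returns a list of { header, message } findings; empty means all checks pass.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const fail = (header, message) => findings.push({ header, message });

  // HSTS: present, long-lived, covering subdomains, preload-eligible
  const hstsRaw = h['strict-transport-security'];
  if (!hstsRaw) {
    fail('strict-transport-security', 'missing: HTTPS -> HTTP downgrade not prevented');
  } else {
    const hsts = parseHsts(hstsRaw);
    if (hsts.maxAge === null || hsts.maxAge < ONE_YEAR) fail('strict-transport-security', `max-age below ${ONE_YEAR}`);
    if (!hsts.includeSubDomains) fail('strict-transport-security', 'includeSubDomains missing (required for preload)');
    if (!hsts.preload) fail('strict-transport-security', 'preload token missing');
  }

  // CSP: present and not neutralised by unsafe-inline or a wildcard script source
  const csp = h['content-security-policy'];
  if (!csp) {
    fail('content-security-policy', 'missing');
  } else {
    const src = cspScriptSrc(csp);
    if (!src) fail('content-security-policy', 'neither script-src nor default-src set');
    else if (src.some(v => v === "'unsafe-inline'" || v === '*')) fail('content-security-policy', "script sources allow 'unsafe-inline' or *");
  }

  // Clickjacking: X-Frame-Options or the CSP frame-ancestors directive
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\s/i.test(csp || '');
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !hasFrameAncestors) {
    fail('x-frame-options', 'neither X-Frame-Options DENY/SAMEORIGIN nor CSP frame-ancestors');
  }

  if (!h['permissions-policy']) fail('permissions-policy', 'missing');
  return findings;
}

// Live variant (Node 18+): audit the headers a URL actually serves.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return auditSecurityHeaders(Object.fromEntries(res.headers));
}

// Constructed samples: a typical "it has HTTPS so it is fine" configuration
// beside one that meets every check above.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
};
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```

Keep the audit in CI against a staging deployment rather than running it by hand: a header that was correct at go-live is routinely lost when a CDN, reverse proxy or framework upgrade starts overriding the response.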

Step 6 — Team training

Awareness of marketing, HR, support, IT, management. A perfect policy paired with a team unaware that an Excel export sent over WhatsApp to a partner is a data breach is not compliant.

Step 7 — Ongoing governance

Designation of a DPO (internal or external), annual review, modificative re-filing on each substantial change to an existing declaration or authorisation, annual procedure testing exercise.

7. Typical use cases in Morocco

E-commerce site

At minimum: F211 for the customer file, F211 for prospects/newsletter, F118 if payment via international gateway, F112 if profiling and scoring. Plus documentation, cookie banner, DPA with the hoster and the payment processor.

Premises video surveillance

F211 for simple access surveillance, F112 if facial recognition or biometric counting. Visible notice to filmed persons, image retention period (generally 30 days maximum, except incident).

HR file

F211 for the employee file, F112 if health data (occupational medicine), F118 if HRIS hosted outside Morocco (Workday, BambooHR, etc.). Specific notice for performance scoring or BYOD.

US SaaS tools (Google Workspace, Microsoft 365)

F118 mandatory or documented SCCs. This is the most widespread non-compliance in 2026: usage is massive, filing is rare. A CNDP inspection that reveals this breach is almost guaranteed in large organisations.

8. Resources


CNDP compliance is not just about filing a form. It is an organisational discipline, fed by an up-to-date map, localised documentation, hardened technical infrastructure and an aware team. The entry cost is moderate, the cost of non-compliance grows heavier every year — particularly for organisations exposed to international markets or regulated sectors.

Our approach: collegial, silent, executed. We tell you privately what's wrong, we deliver an actionable report, and we help you execute — or we step aside if you prefer to move forward on your own.


Yasmine R. — data protection expert, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.

Frequently asked questions

What is the difference between the CNDP and Law 09-08?

Law 09-08 is the Moroccan legislative text on the protection of personal data, enacted in 2009. The CNDP (Commission Nationale de contrôle de la Protection des Données à caractère Personnel) is the independent administrative authority responsible for enforcing it. When a website states that it is 'CNDP-compliant', it means 'complies with Law 09-08 and its implementing decree 2-09-165, and has completed the required filings with the Commission'.

Does my website need to be filed with the CNDP?

Yes, as soon as it collects the slightest piece of personal data: a contact form, a user account, a cookie that identifies a visitor, a newsletter, a comment. Prior filing is the central obligation of Law 09-08, except in rare exempted cases. For a brochure website with no data collection at all, no filing is required — but such a case is exceptional in 2026.

How long does it take to obtain a CNDP receipt?

In theory, the Commission processes filings within regulatory deadlines. In practice, processing varies between 6 weeks and 6 months depending on the form (F211 is faster than an F112 prior authorisation) and the Commission's workload. The acknowledgement of filing serves as proof of due diligence during processing and allows the controller to operate the processing in good faith.

Will Law 09-08 be reformed?

A reform has been expected for several years to bring Law 09-08 closer to the European GDPR, particularly regarding sanctions, breach-notification obligations, and the definition of the DPO. No firm official date so far. Our advice: get into compliance with the current framework, while already incorporating GDPR-compatible best practices.

What happens during a CNDP inspection?

The CNDP can request the production of documents (records of processing, declarations, processor contracts), conduct on-site inspections, or open investigations following a complaint. Sanctions range from a warning to a formal notice with a compliance deadline, up to withdrawal of authorisation, and may be accompanied by criminal sanctions (prison sentences + fines) provided for by Law 09-08.
