
DPO in Morocco: obligation, profile, appointment

The DPO is not required under the current Law 09-08. But between the absence of a formal obligation and the actual operational usefulness, there is a gap that serious organisations cross sooner rather than later.

By Nadia T. · 7 min read

When the DPO function is introduced to a management team unfamiliar with the subject, the most frequent reaction comes down to one sentence: "is it mandatory or not?". The answer, as is often the case with Moroccan compliance, requires two nuances rather than a binary yes or no. The DPO is not legally required in the strict sense of the current Law 09-08, but the obligation arrives through other routes more often than one might think, and even when it does not, operational usefulness ends up taking over. Organisations that take their compliance seriously appoint a DPO. Those that resist get there within two or three years, often after an incident.

Law 09-08 does not contain a provision equivalent to Article 37 of the European GDPR, which makes the appointment of a DPO mandatory in three cases (public authority, regular and systematic large-scale monitoring, large-scale processing of sensitive data). This is a structural difference between the two frameworks, expected to be resolved by the reform of Law 09-08 that has been announced for several years.

By contrast, the GDPR obligation applies by operation of law in several situations that directly concern the Moroccan market:

Any Moroccan subsidiary of a European group that has appointed a DPO must provide that DPO with a local contact person. Depending on the group's structure, this contact may be qualified as a full local DPO (with full GDPR obligations) or as an operational liaison. In all cases, someone must be appointed, qualified and reachable.

Any Moroccan organisation offering goods or services to individuals located in the EU falls within the GDPR's territorial scope (Article 3). This is typically the case of e-commerce sites that ship to Europe, Moroccan SaaS platforms with European customers, and service firms acting on behalf of EU organisations. If, on top of that, the threshold criteria are met, the DPO becomes mandatory.

And for organisations that fall under none of the above scenarios, the DPO remains good practice. The deliberations published by the CNDP (cndp.ma) regularly suggest it for the most sensitive structures. It is also a maturity signal that large accounts and auditors appreciate.

The profile that nobody finds on the first try

An effective DPO combines four dimensions that are virtually never found together in a single Moroccan candidate:

Legal competency first. A fine knowledge of Law 09-08 and its decree 2-09-165, operational knowledge of the GDPR, regular reading of CNDP deliberations, the ability to qualify a processing operation (F211, F112, F118 or nothing). This competency is built up, but its learning curve is slow — typically twelve to twenty-four months of practice before autonomy.

Technical competency next. The DPO must understand the IT systems they encounter — CMS, CRM, ERP, SaaS, cloud infrastructure, application architectures, notions of network and application security. No need to be an engineer, but they should not be stuck when facing an IT Director. This is precisely the competency that is often overlooked when a pure lawyer is appointed, and it is why the IT-Director / DPO pair ends up working in parallel rather than in integration.

Structural independence next. The DPO must be able to refer matters to top management without intermediaries, must receive no instructions on the content of their opinions, and must not be sanctioned for the exercise of their mission. These principles are set out in Article 38 of the GDPR and largely taken up de facto in CNDP doctrine. In practice, this excludes assigning the function to a staff member whose performance depends on the revenue of the processing they should be able to audit.

Availability finally. Reachable within reasonable timeframes (twenty-four to forty-eight hours) by data subjects and by the CNDP. Present at key moments: audits, product launches, incidents, inspections. This dimension is more tactical but it structures everything. An unreachable DPO is worse than a non-existent DPO — it is a signal of failing governance on top of the operational shortfall.

The most frequent governance mistake

When management decides to appoint a DPO without prior experience of the subject, here is what statistically happens in the majority of cases: the in-house lawyer is appointed, or the IT Director, sometimes the HR Director, on top of their main role. It is quick, it is inexpensive, it is reassuring. It is also almost always problematic over time.

The in-house lawyer has the legal competency but often not the technical one. They end up in an audit posture facing an IT Director they cannot substantively challenge. Significant technical decisions pass over their head. When an inspection comes, the record of their challenges is thin.

The IT Director has the technical competency but often not the fine legal competency. And above all, they are in a structural conflict of interest: they would have to audit their own choices. When a poorly framed processor causes problems, they must be able to flag it, including if they were the one who chose it. It happens, but it creates a psychological and political load that is not trivial.

The HR Director is a special case. They often have the best conditions for independence and good sensitivity to personal data (HR obliges). But their operational workload generally does not leave them the space to become a competent DPO beyond the HR perimeter.

The alternative that works best is to separate the function. Either a dedicated staff member is appointed, which is only viable from a certain size onwards (typically more than one hundred staff or in a regulated sector). Or it is outsourced, which brings immediate competency, independence by construction, and predictable cost.

Internal or external — the trade-off in four questions

Good trade-offs rarely come out of a theoretical model. Here are the four concrete questions I put to management teams when they hesitate:

How many processing operations does your organisation run? Below five simple processing operations, outsourcing is almost always more efficient. Beyond twenty processing operations, or in cases of sensitive processing, the function is rich enough to warrant either a dedicated internal DPO or an outsourced DPO with a significant time commitment.

What is your product evolution pace? An organisation that releases a product or feature every quarter needs a DPO involved very early in the design cycle (privacy by design, Article 25 of the GDPR). If you iterate quickly, you need proximity; either internal, or outsourced with enhanced availability.

Are you subject to the GDPR by operation of law? If so, and if your GDPR stakes are strategic (EU partnerships, European corporate clients, upcoming M&A), the external governance dimension reassures more than the internal one. An outsourced DPO documented by a clear contract is more credible to a third-party auditor than an internal DPO appointed on top of another role.

Do you have the competencies in-house? Simple but underestimated question. If you have no one with the four dimensions of the profile, outsourcing is the pragmatic option. You can always internalise later when a competent staff member emerges.

The outsourced mission — how it unfolds

To clarify what an outsourced DPO mission concretely covers, here is what is delivered in a standard twelve-month format:

Month zero consists of an in-depth scoping: initial mapping of processing operations, review of CNDP formalities, review of processor contracts, identification of major risks. This is often the step that brings out the most surprises.

The following months alternate routine and event-driven work. The routine: maintaining the register, regulatory watch, supporting teams on ad-hoc questions, monthly report to management. The event-driven: in-depth annual audit, handling data subject requests, accompanying a sensitive product project, managing any incident, quarterly review point with the executive committee.

By year-end, an annual summary emerges that itself becomes a defensible deliverable: where the organisation stands regarding its compliance, what progress has been made, what work remains, what trajectory for the following year. This is the document that an acquirer, a partner or an inspector will appreciate finding in the governance file.

Going further

In the business press (Médias24, L'Économiste, TelQuel), the topic of Moroccan digital sovereignty and the professionalisation of related functions regularly resurfaces. The DPO is one of its markers: moving from compliance endured to structured data governance. This is the natural evolution of mature organisations, and it is also a competitive advantage over time — discreet but real — over competitors who remain in artisanal mode on these subjects.


Nadia T. — compliance consultant, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.

Frequently asked questions

Is appointing a DPO mandatory in Morocco?

Not strictly under the current Law 09-08, which does not create a general obligation comparable to Article 37 of the GDPR. However, as soon as a Moroccan organisation falls within the scope of the GDPR (subsidiary of an EU group, large-scale processing of European data, regular and systematic monitoring of individuals in the EU), the GDPR obligation applies by operation of law. And in all cases, the DPO becomes the most effective governance tool to steer compliance over time.

Can the IT Director also act as DPO?

Possible, but to be handled with care. An IT Director acting as DPO would have to audit their own decisions, which creates a conflict of interest: they must be able to flag non-compliance in their own system to management, which is uncomfortable. European doctrine, effectively aligned by the CNDP, considers the combination of DPO and decision-making roles as structurally problematic. When possible, it is avoided.

What is the ideal profile of a DPO?

Four dimensions: legal competency (Law 09-08, GDPR, CNDP doctrine), technical competency (mainstream IT systems, application security), structural independence from operational functions, and availability. None is negotiable, all are rare in combination. That is why the outsourced DPO is often the most accessible solution for mid-sized organisations.

How much does an outsourced DPO cost in Morocco?

As a guide, between 2,500 and 7,000 MAD per month depending on the size of the organisation and the intensity of the mission, with a typical engagement running for one year. The cost is predictable, the expertise immediate, the independence structural. For organisations with more than one hundred staff or in regulated sectors, a trained internal DPO becomes relevant beyond 12-18 months.

Can we start with a short mission?

It is even recommended for organisations discovering the function. A three-month format allows the initial mapping, processing of the first data subject requests, setting up the processing register and calibrating the trajectory. If the mission continues in outsourced mode, the marginal cost becomes that of a well-oiled routine. If the organisation subsequently internalises, the internal DPO inherits an already built foundation.
