F118 and CNDP international data transfers
If you use Google Workspace or Microsoft 365 without an F118 or documented Standard Contractual Clauses, you are non-compliant. Like roughly nine Moroccan SMEs out of ten.
Note on nomenclature. The CNDP (Commission nationale de contrôle de la protection des données à caractère personnel) now uses code F118 for the international data transfer form (previously referenced as F214 in some preparatory documents, a code that today designates the simplified declaration). The content of this guide was updated on 12 May 2026 to reflect the nomenclature in force on cndp.ma.
When you start an audit at a Moroccan SME, there is one question that always produces the same effect: "Do you have an F118 for Google Workspace?" Seven times out of ten, you get a puzzled silence in reply. One time out of ten, you hear "we signed something at sign-up, I don't remember where it is". One time out of ten, the team knows something has to be done but did not know where to start. One time out of ten, the file is in order. That is the rough but realistic estimate of market maturity in 2026, and it is the most immediate angle from which a CNDP audit can deliver value.
The stakes in two paragraphs
Law 09-08, in articles 43 to 47, requires prior authorisation from the Commission for any transfer of personal data outside Morocco to a country that does not offer an adequate level of protection. The implementing decree 2-09-165 organises the procedure via form F118. Two exit doors exist: either the destination country benefits from an adequacy recognition by the CNDP (a very narrow list of safe countries in 2026), or the transfer is framed by sufficient contractual safeguards — typically Standard Contractual Clauses (SCC) aligned with those validated by the European authorities.
Yet the daily use of US SaaS has become unavoidable: Google Workspace for productivity, Microsoft 365 for the same thing, Salesforce or HubSpot for CRM, Slack for internal communication, Notion or Asana for project management, Zendesk for support, Stripe or international payment gateways for billing. Each of these tools transfers data to the United States or to other jurisdictions. Each requires an F118 or rigorous documentation of contractual safeguards. The probability that an average SME is fully compliant across its entire stack tends towards zero.
What you actually find in an audit
The pedagogical reflex is to start from the technical stack. You ask the IT department for an exhaustive list of SaaS tools used in production, and cross-reference it with the CNDP declarations on file. The gap is almost always significant. In a recently audited retail SME — identified here by sector only, in keeping with strictly sectoral anonymisation rules — the stack comprised seventeen SaaS tools, fourteen of them hosted outside Morocco, eleven of them outside the EU. Number of F118s filed: zero. Number of DPAs signed: three, two of them for SaaS that had been decommissioned two years earlier. This is not an extreme case; it is the average.
The other typical discovery concerns onward sub-processors. When you use Google Workspace, you transfer to Google. Google sub-processes to CDNs, regional storage providers and security partners. These sub-sub-processors are public — Google lists them in product documentation accessible to anyone. But they are never retrieved and filed in the compliance record. The mapping remains superficial, even though it is precisely the depth of the mapping that distinguishes genuine compliance from façade compliance.
The three available legal bases
Explicit authorisation via F118. This is the preferred route. You file with the CNDP a record detailing the purpose of the transfer, the destination country, the vendor, the categories of data, the contractual security measures, and the retention period. The Commission examines the file, generally within two to four months for a standard case. The receipt becomes the centrepiece to produce in the event of an inspection.
Standard Contractual Clauses (SCC). Major vendors — Google, Microsoft, Amazon, Salesforce, HubSpot — have for several years offered a Data Processing Addendum (DPA) embedding SCCs aligned with those validated by the European Commission in 2021. These SCCs, when explicitly adopted by your organisation (signature, archiving, traceability), constitute a legal safeguard recognised by CNDP doctrine, within the limits of how that doctrine evolves. See the rulings published on cndp.ma for the current position. For comparative European doctrine, the EDPB recommendations on international transfers provide a useful reference: edpb.europa.eu.
Derogations. The law provides for limited derogations: explicit consent of the data subject for an occasional transfer, performance of a contract necessarily involving the transfer, public-interest ground. These derogations are to be construed narrowly and do not cover the routine use of SaaS. They are not a governance solution, just an emergency door for one-off cases.
The minimum mapping to build
If you want to make progress without yet commissioning a full audit, here is the baseline matrix to fill in. A simple Excel sheet will do, and it will save you considerable time on the day you really get started.
| Tool | Purpose | Data processed | Hosting | Vendor (HQ) | F118? | DPA signed? | Sub-processors retrieved? |
|---|---|---|---|---|---|---|---|
| Google Workspace | Productivity, email | All HR, client and internal communications | EU (depending on config) + US | Google LLC (US) | To file | Yes since 202X | To retrieve |
| Microsoft 365 | Productivity, Teams | Same | EU + US | Microsoft Corp (US) | To file | To verify | To retrieve |
| Salesforce | CRM | Prospect, client and opportunity data | EU / US | Salesforce.com (US) | To file | To verify | To retrieve |
| HubSpot | Marketing automation | Prospect data, site behaviour | US | HubSpot Inc (US) | To file | To verify | To retrieve |
This matrix is not an audit deliverable, it is a starting point. But it generally reveals more problems than it hides.
Timing — anticipate, do not react
Processing an F118 is shorter than an F112 but longer than an F211. Expect two to four months for a standard case without particular complications. More, if the destination country is unusual or the vendor poorly documented. The operational consequence: a stack change that involves an international transfer must be planned at least six months in advance. Migrating from CRM A to CRM B with go-live planned for April means an F118 filed in October of the previous year.
During processing, unlike the F211, use of the SaaS is not automatically authorised. Common practice is to rely on the vendor's SCCs while waiting for the receipt, documenting this arrangement in the internal record and the privacy policy. It is a pragmatic, defensible grey zone, but one that deserves explicit handling.
What to do if you discover your non-compliance
Three simple principles emerging from practice:
First, do not panic. You are in a very common situation. Spontaneous regularisation is treated more favourably than discovery through inspection.
Then, prioritise by criticality. SaaS tools processing massive or sensitive data come before those hosting a thirty-subscriber newsletter. A pragmatic approach: start with the three most foundational SaaS tools (typically productivity, CRM, hosting), file their F118s together, and extend from there.
Finally, document. The fact that you map your transfers, assemble your files and regularise within a reasonable timeframe is in itself a signal of diligence — defensible against an inspector. The worst scenario is not being non-compliant; it is being non-compliant without having started regularisation after becoming aware of it.
Further reading
- Official CNDP site — rulings on international transfers
- EDPB — recommendations on post-Schrems II transfers
- CNIL — practical guide to transfers outside the EU
- Pillar guide — CNDP compliance in Morocco 2026
- GDPR vs Law 09-08 — legal comparison
- Service — Turnkey CNDP formalities
In the pages of Médias24 and L'Économiste, recent years have seen a multiplication of analyses on Moroccan digital sovereignty — a topic that intersects directly with the question of transfers. The political direction is clear: bring forth a local layer of storage and processing, and better frame transfers. The practical direction remains the same: as long as American SaaS is in use, you document. The F118 is not an administrative whim, it is the normal tool of that documentation.
Karim B. — CNDP compliance consultant, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.
Frequently asked questions
Do all American SaaS providers require an F118?
Essentially yes, whenever they process personal data on behalf of a Moroccan controller and that processing involves storage in or access from the United States or other jurisdictions without a level of protection recognised as adequate by the CNDP. A few vendors offer explicitly European hosting with Standard Contractual Clauses covering the transfer; in that case, the SCC documentation may suffice under the prevailing doctrine.
What happens if I use Google Workspace without an F118?
You are carrying out an unauthorised international transfer. In the absence of a complaint or inspection, nothing visible happens. In the event of an inspection or report, it is a clear breach that can lead to a formal notice and, in serious cases, sanctions. Beyond that, it is increasingly a blocking point in tenders, M&A due diligence and partnerships with European groups.
How much does an F118 cost?
Filing with the CNDP is free. The cost is that of the service: mapping transfers, qualifying vendors, documenting the SCCs, building the file. As an indication, expect from 8,000 MAD for a simple F118. For multi-SaaS organisations, a bundled package is more relevant.
Are the SCCs provided by default by Google or Microsoft enough?
Major vendors offer Standard Contractual Clauses aligned with European standards. They are a solid baseline but must be explicitly adopted by your organisation, archived with date and signatory, and supplemented with a Transfer Impact Assessment (TIA) if you are exposed to the GDPR. Having them without actively signing them carries little legal weight.
What about sub-processors (sub-sub-processors)?
Every onward processor — for example the CDNs, payment processors and authentication services used by your main SaaS — must be tracked. Major vendors publish their sub-processor list. The right reflex: retrieve that list, file it with the record, and subscribe to change notifications. Without that, your mapping is incomplete.