F112 — CNDP prior authorisation, in practice
If you don't know why your processing falls under F112 rather than F211, there's a good chance you've misqualified at least one of the files you've filed.
Note on the nomenclature. The CNDP now uses the code F112 for this form (previously referenced as F212 in some preparatory documents). The content of this guide was updated on 12 May 2026 to reflect the nomenclature in force on cndp.ma.
For a long time, I believed, like most beginner practitioners, that the F112 was mainly about hospitals and laboratories. A few months spent mapping Moroccan SMEs convinced me otherwise. The F112 silently runs through HR, marketing, physical security and finance. And in roughly one in three SMEs, at least one processing activity supposedly under F211 actually falls under F112. It is one of the most consequential gaps in CNDP (National Commission for the Protection of Personal Data) compliance in Morocco.
What the law says, and what it means in practice
Article 12 of Law 09-08 subjects to prior authorisation by the Commission any processing that presents specific risks of infringement of the rights and freedoms of individuals. Decree 2-09-165 sets out the procedure. The logic is simple: for run-of-the-mill processing, you declare; for what touches on intimacy, freedom or automated decision-making, you ask for authorisation.
Five typical categories justify an F112. Here they are, with the pitfalls that come with them:
Health data. Obvious for a hospital, less so for an SME. Yet as soon as an HR file keeps a medical certificate, a fitness-for-work declaration, or the mere mention of a long-term illness for absence management, you are touching health data. Same for an in-house managed health plan, for occupational medicine follow-up, for an accessibility scheme whose beneficiaries are recorded. The practical rule: if a piece of data reveals the physical or mental state of a person, it is health data.
Biometrics. The Moroccan market loves them — fingerprint for clocking in, facial recognition for premises access, sometimes iris for sensitive zones. Each of these devices is biometric data processing within the meaning of CNDP doctrine, and each requires an F112. The Commission has issued several rulings framing the use: strict proportionality, non-biometric alternative for employees who refuse, minimal retention duration. See the Commission's official website (cndp.ma) for the up-to-date doctrine.
Offences and convictions. Any file that records an accusation, a fraud, a disciplinary incident or a payment default forwarded for litigation touches on offence data. Even an internal file of e-commerce fraud incidents comes close to it. CNDP requalification is almost systematic in the event of an inspection.
Scoring and automated decision-making. A booming subject. A credit risk score, an insurance eligibility score, behavioural rating of an e-commerce customer, an HR algorithm that filters CVs: these are processing activities that, on their own, can significantly influence a person's situation. CNDP doctrine broadly follows the CNIL position on the subject: prior authorisation, transparency on the logic, guaranteed human intervention.
Interconnection of files. When you cross-reference an HR file with a customer file, or a video-surveillance visitor file with an employee file, you create a new processing activity whose use was not covered by the initial declarations. This is typically an F112 case. Many organisations use data platforms (CDP, lakehouse) that aggregate heterogeneous sources by default: the risk of undeclared cross-referencing becomes mechanical.
The moment it gets stuck: the instruction
An F211 gets its receipt back in six to eight weeks in the best-case scenario. An F112 takes three to six months. Sometimes more. And unlike the F211, you cannot operate the processing during the instruction. It's a difference that is systematically overlooked: the acknowledgement of receipt of an F112 authorises nothing, it only attests to the filing.
The operational consequence is heavy. An HR team that wants to deploy a biometric clocking system in March must file the F112 by September of the previous year at the latest, and cross their fingers. A security team planning facial recognition for access must anticipate it on the following budget year, not in the current quarter. It's one of the arguments that eventually convince executive committees that compliance is not just an administrative act on the side of business: it integrates with the product cycle.
During the instruction, the Commission may request additional information: proportionality justifications, detailed security measures, attached processor contracts, information mechanism for data subjects. The stronger the file is from the outset, the more you avoid back-and-forth. This is typically the moment when the initial investment in a consulting firm or a specialised law firm pays off.
The conditions: the area that's poorly read
More subtle than refusal, more frequent than a clean authorisation: the condition. The Commission grants the authorisation but attaches conditions to it. Limitation of retention duration to 24 months when the organisation requested 60. Strict framing of recipients. Mandatory annual audit. Removal of an ancillary purpose deemed disproportionate.
These conditions are not negotiable, and they are enforceable. An inspection may reveal that the organisation respects the letter of the authorisation (the number is properly displayed in the footer) but not the conditions (the actual duration is 72 months, not 24). The sanction is then as severe as in the case of total absence of authorisation, sometimes more, because there is characterised disloyalty.
My reflex when I open a client file that obtained an F112 several years ago: re-read the conditions before everything else. In two-thirds of cases, at least one condition is no longer being respected — often through gradual drift, never through conscious decision. It's the classic blind spot of data governance.
The qualification mistake: where it sits
The F211/F112 confusion almost never comes from bad faith. It comes from a vocabulary gap. When the HR team talks about a "staff file", no one realises it contains health data. When the IT team talks about a "clocking system", no one wonders whether the fingerprint falls under biometrics. The discussion between business and legal rarely takes place with the required granularity.
Concretely, here is what I do during an audit: for each declared file, I request the full export of the data schema. Not the list of fields as it appears in the F211, but the actual schema of the database. In half the cases, we discover columns that the declaration did not mention. A staff file contains a "glycaemic profile" entry forgotten from a workplace wellbeing pilot. A candidate file contains an automatic employability score that was never explained to management. An e-commerce customer file contains a "risky behaviour" flag used to limit baskets — de facto scoring, without F112.
None of these situations is dramatic in itself. What is dramatic is to discover these gaps during an inspection rather than upstream. The preliminary internal audit has a cost; an unprepared CNDP inspection has another, generally higher.
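The schema comparison described above, as an added example (not the author's own tooling): it reads the real columns from a database, subtracts the fields listed in the declaration, and tags each undeclared column with the F112 category its name suggests. The tables, the declared-field lists and the keyword patterns are constructed assumptions; interconnection of files cannot be inferred from column names and is left out.

```python
import re
import sqlite3

# Constructed sample: fields listed in the F211 declarations.
DECLARED = {
    "staff": {"id", "full_name", "hire_date", "department"},
    "candidates": {"id", "full_name", "cv_path"},
    "customers": {"id", "email", "city"},
}
# Constructed sample schema standing in for the real database export.
SAMPLE_DDL = """
CREATE TABLE staff (id INTEGER, full_name TEXT, hire_date TEXT, department TEXT,
                    glycaemic_profile TEXT, fingerprint_template BLOB);
CREATE TABLE candidates (id INTEGER, full_name TEXT, cv_path TEXT, employability_score REAL);
CREATE TABLE customers (id INTEGER, email TEXT, city TEXT,
                        risky_behaviour_flag INTEGER, newsletter_opt_in INTEGER);
"""
# Hypothetical name heuristics (review aids, not a legal qualification).
F112_HINTS = {
    "health": r"health|medical|sick|illness|glyc|disab|fitness",
    "biometrics": r"biometr|fingerprint|face|facial|iris",
    "offences": r"offen[cs]e|convict|fraud|disciplin|litigation",
    "scoring": r"scor|rating|risk|eligib",
}

def actual_columns(conn):
    """Return {table: set(columns)} read from the live schema."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: {row[1] for row in conn.execute(f'PRAGMA table_info("{t}")')}
            for t in tables}

def audit(conn, declared):
    """List undeclared columns with the F112 categories their names suggest."""
    findings = []
    for table, cols in sorted(actual_columns(conn).items()):
        for col in sorted(cols - declared.get(table, set())):
            cats = sorted(c for c, pat in F112_HINTS.items()
                          if re.search(pat, col, re.IGNORECASE))
            findings.append((table, col, cats))
    return findings

def run_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DDL)
    return audit(conn, DECLARED)

if __name__ == "__main__":
    for table, col, cats in run_sample():
        print(f"{table}.{col}:", ", ".join(cats) or "undeclared, no F112 hint")
```

An undeclared column with no hint (here `newsletter_opt_in`) still has to be reconciled with the declaration; the hints only decide which columns a reviewer looks at first.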
You operate without F112: what to do?
This is a very common situation. No reason to dramatise it or deny it — it must be handled. Three realistic options, to be weighed according to context:
Spontaneous regularisation consists of acknowledging the breach, filing the necessary F112 by explaining the context (for instance that the processing was initiated before the correct qualification was identified), and continuing to operate during the instruction under reinforced internal supervision. The Commission generally treats these regularisations with some leniency, especially when the organisation shows that it has made the effort to map all of its processing activities. It is often the healthiest option.
Provisional suspension is the defensive option: stop the sensitive processing, file the F112, wait for authorisation to resume. This is rarely realistic for processing that structures the activity (biometric clocking, customer scoring), but it is the option to favour for ancillary uses (wellbeing pilot, marketing experimentation).
Reformulation consists of modifying the processing so that it no longer falls within the F112 scope. For example, replacing biometrics with a photo badge. Reducing scoring to documented, transparent business rules. Outsourcing occupational medicine to a provider that assumes responsibility for the processing. It is not always possible, but it is sometimes the most sustainable solution.
Resources and points of attention
- CNDP official website — forms and rulings
- Pillar guide — CNDP compliance in Morocco 2026
- F211 — user manual for the standard declaration
- CNDP receipt — timelines and procedure
- Service — Turnkey CNDP formalities
- Comparative doctrine: CNIL — sensitive processing and authorisation for the passages where the French position sheds light on that of the CNDP.
One last word. In the Moroccan economic press (Médias24, L'Économiste) you regularly read reports of data incidents — often leaks, more rarely inspections. These incidents are almost always linked to poorly framed sensitive processing. It is not a coincidence. Porosity begins where the administrative qualification stops.
Yasmine R. — data protection expert, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.
Frequently asked questions
How do I know whether my processing falls under F211 or F112?
The F112 is required for processing that presents specific risks: health data, biometrics, offences and convictions, credit or behavioural scoring, interconnection of files with distinct purposes. When in doubt, ask the CNDP through a prior consultation, or have the file qualified by a professional. The most costly mistake is to declare sensitive processing as F211 — the receipt will be void as soon as an inspection requalifies it.
How long does it take to obtain an F112 authorisation?
The instruction typically takes between three and six months, sometimes up to nine in cases of complexity or requests for additional information. It's significantly longer than an F211. Anticipate: file the F112 several months before the actual production rollout of the processing. During the instruction, you cannot operate the processing — unlike with an F211.
What is an authorisation "with conditions"?
The CNDP may grant authorisation while conditioning its operation: limited retention duration, strict framing of recipients, mandatory annual audit, removal of an ancillary purpose. These conditions are enforceable and must be applied. They are not an administrative detail: non-compliance can lead to withdrawal.
What if I run sensitive processing without F112?
You are in an irregular situation. The operational risk is real: report by an employee, inspection triggered by a client complaint, internal audit or M&A due diligence. Spontaneous regularisation is generally treated with more leniency than a file discovered through inspection — but it still needs to be initiated quickly.
Is the authorisation renewable?
The authorisation remains valid as long as the processing does not change substantially. With every significant evolution — new category of data, new processor, new purpose — a modifying file must be filed. The practical rule: review all active F112s at least once a year, and file a modification whenever a product step or a partner changes.