Skip to main content
DataSouv
Audit
Guide · Formalities

CNDP F211 form — 2026 user guide

The F211 is the most widely used form in Morocco. Properly qualifying and filling it out avoids 80% of review friction.

By Karim B.6 min read

The F211 — standard declaration is the reference CNDP form for ordinary personal data processing in Morocco. Statistically, it is the most frequently filed form: the majority of standard commercial activities go through it. This guide details its use cases, its preparation, its filing, and the recurring pitfalls.

1. Who is the F211 for?

The F211 is the default form for any personal data processing that does not fall within one of the sensitive categories covered by the F112 (prior authorisation). It covers the vast majority of ordinary processing activities:

  • Customer files: CRM, purchase history, loyalty programme (excluding sensitive scoring)
  • Prospect files: commercial prospecting database, newsletter subscribers
  • Supplier files: contact details and order history
  • Non-sensitive HR files: internal directory, emergency contacts, administrative personnel management
  • Simple video-surveillance: premises security, access, parking (excluding facial recognition)
  • Candidate files: recruitment, CVs received, application tracking
  • Technical logs: connection traces to an online service, for security purposes

Conversely, the following do not go through F211 (but through F112 — prior authorisation):

  • Health data
  • Biometric data (fingerprints, facial recognition)
  • Data on offences and convictions
  • Credit scoring or automated behavioural assessment
  • File interconnection for multiple purposes
  • Sensitive files within the meaning of article 1 of Law 09-08

2. Required documents

The F211 file comprises several sections to be completed precisely:

2.1 Identification of the data controller

  • Corporate name in full (as registered in the commercial register)
  • RC number and tax identifier
  • Head office address
  • Legal representative: name, position, contact
  • Contact person for the CNDP (often the DPO or in-house legal counsel)

For subsidiaries of foreign groups, also indicate the parent company and the originating jurisdiction. The CNDP attaches importance to the chain of responsibility.

2.2 Description of the processing

  • Purpose: describe the objective precisely. Not "customer management" but "maintenance of a customer file for the purposes of order fulfilment, invoicing, after-sales support and information about commercial offers"
  • Categories of data: surname, first name, email, telephone, postal address, payment data, purchase history, etc.
  • Categories of data subjects: customers, prospects, minors?, employees?
  • Origin: direct collection from the data subjects, data received from a third party, data computed by scoring

2.3 Recipients

  • Internal: departments that will have access to the data (sales, support, accounting)
  • External: processors (host, emailing provider, external accountant) with their precise function

2.4 Retention period

To be indicated by category:

CategoryTypical duration
Untransformed prospect data24 months maximum after last contact
Active customer dataDuration of the contract + accounting obligations (generally 10 years)
Non-recruited candidate data24 months maximum after last application
Technical logs6 to 12 months depending on purpose
Video-surveillance footage30 days unless incident

2.5 Security measures

Describe technical and organisational measures:

  • Technical: TLS, encryption at rest, access management, MFA, logging, backups
  • Organisational: employee NDAs, IT charter, training, incident procedures

2.6 International transfers

If applicable: recipient countries and legal basis (separate F118, SCCs, etc.). If all processing is internal to Morocco, declare this explicitly.

3. Preparing the file — best practice

3.1 One sheet per processing activity

The most frequent mistake: mixing several purposes in a single declaration. The rule: one purpose = one declaration. If you operate both a customer file and a prospect file, these are two separate F211 filings.

3.2 Precise description, not generic

A purpose that is too generic will be rejected or will trigger requests for additional information. Instead of "marketing", write: "sending monthly product information newsletters to subscribers who have given their prior consent".

3.3 Internal consistency

The declared retention periods must correspond to the reality of your infrastructure. If you declare "logs retained for 6 months" but technically keep them for 24 months, an audit will hold this against you. Verify with your IT department or your host.

3.4 Annexes: published privacy policy

Attach the version currently published of your privacy policy. If it is not aligned with the F211, the Commission will require it to be updated before issuing the acknowledgement of filing (récépissé).

4. Filing

The exact procedures evolve; the CNDP currently offers an online service complemented by physical submission of signed documents. Consult cndp.ma for the current procedure.

Filing best practice:

  • Number and paginate the documents
  • Attach a summary cover letter
  • Keep a complete copy of the file submitted
  • Keep the acknowledgement of receipt (essential: it serves as proof of diligence during review)

5. Monitoring the review

5.1 Timeframes

In practice, review of an F211 takes between 6 weeks and 4 months depending on:

  • The Commission's workload at the time of filing
  • The complexity of the file (a "standard customer file" F211 is faster than a "multi-actor e-commerce platform" F211)
  • The quality of the initial preparation (a well-drafted file avoids requests for additional information)

During review, you may continue to operate the processing subject to compliance with the principles of Law 09-08. The acknowledgement of receipt is sufficient to evidence diligence.

5.2 Requests for additional information

The Commission may request:

  • Clarifications on the purpose
  • Clarification of security measures
  • Modifications to the privacy policy
  • Justifications for the retention period

Responding promptly (ideally within 15 days) and precisely reduces total review time.

5.3 The acknowledgement of filing (récépissé)

At the end of review, the CNDP issues an acknowledgement of filing (récépissé) with a unique registration number. This number must be:

  • Publicly displayed (website footer, privacy policy)
  • Kept to produce in the event of an audit
  • Referenced in any future amending declaration

6. Recurring pitfalls — self-check checklist

Before filing, verify:

  • One sheet per distinct purpose (no catch-all sheet)
  • Precise and operational description of the purpose
  • Exhaustive list of the categories of data collected
  • Retention periods aligned with the technical reality
  • All processors named (host, SaaS, external providers)
  • Security measures described concretely (not "best practices")
  • Privacy policy published and aligned with the F211
  • Verification that no sensitive processing actually falls under F112 (prior authorisation)
  • If SaaS or host outside Morocco: F118 prepared in parallel or SCCs documented

7. Resources

The F211 is not difficult in principle, but it is demanding in its precision. A well-prepared file obtains its acknowledgement of filing without friction; an approximate file triggers requests for additional information that double or triple the review time. This is typically the moment when the support of a firm pays for itself.

Karim B. — CNDP compliance consultant, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.

Frequently asked questions

Does my website need to file an F211?

As soon as a website collects personal data (contact form, customer account, newsletter, payment, tracking cookies), a prior declaration is required. For most ordinary processing activities (customers, prospects, non-sensitive HR, access video-surveillance), the applicable form is the F211 — standard declaration.

How many F211 filings are needed?

As many as there are distinct purposes. A customer file, a prospect file, an employee file, a candidate file, a premises video-surveillance system, a loyalty programme: each is a distinct processing activity, hence a separate F211. An SME typically has between 4 and 10 processing activities to declare.

How much does an F211 cost?

Filing with the CNDP is free. The cost is that of preparation and follow-up by a consultancy or law firm. As a guideline at DataSouv: starting from 6,000 MAD for a simple F211, with degressive pricing if several F211 filings are submitted together (bundle package).

Can an F211 be filed online?

The CNDP provides an online service for declarations, complemented by physical or postal filing of signed supporting documents. The exact arrangements evolve; consult the official cndp.ma website for the current procedure.

What happens after filing?

You receive an acknowledgement of receipt. During review (typically 6 weeks to 4 months), the Commission may request additional information. At the end, it issues an acknowledgement of filing (récépissé) which evidences administrative compliance — to keep, to display in the footer, and to mention in the privacy policy.

Go further

Related articles

Guide

CNDP Compliance in Morocco — Complete 2026 Guide

Complete 2026 guide: scope of Law 09-08, forms F211, F214, F112, F118, data subject rights, security, international transfers, sanctions. Article by article.
Guide

F118 and CNDP international data transfers

Google Workspace, Microsoft 365, Salesforce: every US SaaS involves a transfer. F118 or Standard Contractual Clauses — regularisation explained.
Guide

F112 — CNDP prior authorisation, in practice

The F112 misunderstood in Morocco: health, biometrics, scoring, interconnection. Processing concerned, instruction, conditions, F211/F112 mistakes to avoid.
Put into practice

Audit my site now

Immediate CNDP, security and GDPR scores in under a minute, no signup. The natural complement to reading this guide.

Run the free auditTalk to Amine Rais