CNDP mediation, complaints and appeals
Receiving a notification from the CNDP is not a catastrophe. It is an ordinary procedure to which one responds better than expected, provided the underlying material has been prepared in advance.
Receiving a letter from the CNDP unsettles even a well-organised management team. It is the procedure that breaks the routine, the administrative unknown, the poorly calibrated risk. Yet the Commission's complaint and inspection procedure is codified, adversarial, and broadly reasonable in its design. An organisation that knows how it works and has prepared the material in advance responds to it far better than it fears. This article describes what happens, how to respond, and where the room for manoeuvre lies.
The referral — where it comes from
A matter can be referred to the CNDP in three main ways.
The complaint from an individual is the most frequent trigger. The complainant is generally an employee or former employee in conflict with their employer, a customer or former customer dissatisfied with how their data was processed, a rejected candidate who believes their application was handled unfairly, a prospect who cannot get themselves removed from a marketing list. The complaint is generally written, reasoned, sometimes accompanied by evidence (exchanges, screenshots, proof of rights requests left unanswered).
The Commission's own-motion referral is used for cross-cutting topics where the CNDP decides to investigate a sector, a technology, or a phenomenon. Public deliberations on attendance biometrics in companies, on video surveillance, and on the compliance of certain regulated sectors fall under this mode. It is rarer individually, but it sweeps across broad perimeters.
Reporting by a third party — competitor, journalist, observatory — also exists, generally less formal but not negligible. The Moroccan economic press (Médias24, L'Économiste) plays an indirect role: a report pointing to sectoral non-compliance can trigger an own-motion investigation.
What actually happens after the referral
The organisation receives a notification from the Commission, usually by official letter. The notification mentions the grounds for the referral (complaint, own-motion, scheduled inspection), the elements in the Commission's possession, and the request made to the organisation. The response deadline is specified — typically between fifteen and thirty days depending on the nature.
This is the key moment. The quality of the response to this initial notification conditions the tone of the entire procedure. A hasty, defensive, incomplete, or tonally clumsy response can move a case from a probable warning to a formal notice. A documented, calm, factual, complete response can shift a case from formal notice to dismissal.
Concretely, here is what is prepared in the days following the notification:
First, precise identification of what is being alleged. Not the general idea, the exact content. Which processing is concerned, which rights are at stake, which dates, which actors. Without this precision, the response is inevitably approximate.
Then, the production of evidence. All available evidence: extracts from the register, CNDP declarations filed, copies of receipts obtained, exchanges with the complainant if applicable, copies of the policies published at the time of the facts, time-stamped screenshots if the situation has evolved. Time-stamped paper or digital evidence is the main ally.
Then, the legal qualification. What does Law 09-08 say about the situation alleged? Is the organisation actually in breach or does the complainant's qualification rely on an inaccurate reading? Which articles to invoke in defence? Consulting a specialised lawyer is particularly useful at this stage for high-stakes cases.
Finally, the relational posture. The Commission is not an adversary. It is a regulator. The tone of the response must be respectful, factual, cooperative. An organisation that shows it is taking the matter seriously and engaging in a compliance approach is treated differently from an organisation that shirks or systematically contests.
Mediation — when it is relevant
For certain types of disputes, the CNDP proposes or accepts mediation rather than a formal procedure from the outset. This is typically the case for files where the complainant exercises a right (access, rectification, deletion) and where the organisation has shown good faith but may have been late or executed poorly. Mediation allows the dispute to be resolved quickly, without feeding the formal procedure.
The advantages of mediation: speed (generally a few weeks), nothing entered on the record as a sanction, restoration of the relationship with the data subject. The conditions for success: honest acknowledgement of what did not work, a concrete proposal for compliance, immediate execution.
Mediation does not suit all cases. When the breach is characterised, structural, or when there is proven unfairness, the formal procedure is initiated anyway. Mediation is a tool for cases where there is a one-off dispute against a backdrop of general good faith.
The formal procedure — gradations
If mediation is not relevant or does not succeed, the formal procedure unfolds along several possible stages, in a logic of gradation.
The warning is the lightest sanction. It is pronounced for minor breaches or for first referrals where cooperation has been good. It has no direct financial effect, but it is registered in the organisation's file and can be taken into account in the event of a repeat offence.
The formal notice combined with a compliance deadline is the most frequent intermediate stage. The Commission notes the breach, sets out what must be corrected, gives a deadline (generally three to six months), and makes the absence of further action conditional on the corrections being carried out. It is an adversarial and negotiable procedure: the organisation can discuss the scope of corrections, request a reasonable extension of the deadline, or propose a more structured trajectory.
The sanction proper applies to serious breaches, failures to cooperate, or persistence after formal notice. It can combine an administrative component (fine, withdrawal of authorisation, publication of the sanction) and a criminal component (transmission to the public prosecutor for characterised breaches within the meaning of the criminal articles of Law 09-08).
The appeal — when to use it
Any decision of the Commission can be appealed. Two avenues coexist.
The administrative appeal is lodged directly with the CNDP, to request a review of the decision. It is useful when the organisation believes that the qualification or the facts have been misunderstood, and that a new documented examination could change the decision. It is free, relatively quick, and does not involve a confrontation in court.
The judicial appeal before the competent administrative court comes into play when the administrative appeal fails, or directly for high-impact sanctions. It requires a lawyer, it takes time (generally several months to a year), and it has a cost. It is used for significant financial sanctions or for sanctions with high reputational impact when the decision is deemed legally contestable.
In practice, appeals are rare in proportion to the decisions taken. Organisations generally prefer the route of accelerated compliance and discreet negotiation to the contentious route. This is consistent: a case brought before the administrative court leaves a public trace that the organisation sometimes prefers to avoid, regardless of the outcome.
Prior assembly of the defence file
The main lesson from practice is that an organisation defends itself well because it has assembled the material before the procedure is triggered. Here is what a prepared defence file typically contains:
- An up-to-date register of processing activities, quickly exportable, with the date of last update.
- CNDP declarations, receipts and authorisations classified and accessible.
- Signed processor contracts and the associated DPAs.
- The privacy policy published at different dates (Wayback archives or internal archive).
- Internal procedures for managing rights, with traces of requests handled in the past.
- Security audit reports and proof of corrective measures applied.
- A trace of training delivered to teams.
This file is not assembled in an emergency. It is assembled calmly, over a few weeks, with the help of a consulting firm or a DPO. When the notification arrives, it is already there, ready to be completed for the response. This simple fact — being able to produce a structured defence file in a few days — distinguishes prepared organisations from others. And it is, I regularly observe, the criterion that weighs most in the gradation of the sanction.
Resources
- Official CNDP website — deliberations and procedures
- Official Gazette — legal texts
- CNIL — complaint procedure for comparative European doctrine
- EDPB — sanctions and procedures guidelines
The worst moment to discover the CNDP procedure is when you receive the notification. The best moment to understand it is before. An organisation that takes an hour to integrate these principles and invests a few weeks in documentary assembly transforms the procedure from a stressful unknown into a mastered routine. That is, fundamentally, the coming of age of data governance.
Leila B. — data protection expert, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.
Frequently asked questions
Who can file a complaint with the CNDP?
Any person who believes that their personal data is being processed in a way that is not compliant with Law 09-08. Employees, former employees, customers, rejected candidates, prospects, website visitors. The complaint must be reasoned and accompanied by the elements in the complainant's possession. The Commission then conducts an adversarial investigation.
What happens after a complaint?
The CNDP notifies the organisation concerned and asks it to produce its elements within a given deadline. The procedure is adversarial: the organisation can respond, produce its evidence, contest the facts or their legal qualification. At the end, the Commission either dismisses the case, issues a warning, serves a formal notice, or decides on a sanction depending on the gravity.
What is the difference between mediation and formal procedure?
Mediation is an amicable resolution mechanism offered in certain cases, generally when the dispute concerns the exercise of a right (access, rectification, deletion) and the organisation has shown good faith. The formal procedure is initiated when mediation has failed or when the facts are serious enough to warrant it from the outset. The two are not mutually exclusive — mediation may succeed, or it may fail and the case then switches to the formal procedure.
Do you need a lawyer to respond to a CNDP complaint?
For simple cases — typically a mishandled request to exercise a right — the response can be prepared internally or with a specialised consulting firm. For high-stakes cases (sensitive processing, characterised breach, criminal exposure, probable sanction), a lawyer specialised in data law becomes indispensable. The cost of a law firm at this stage is almost always lower than the cost of a poorly defended sanction.
Can a CNDP decision be appealed?
Yes. The Commission's decisions can be subject to administrative appeals before the Commission itself (review) and, in the event of persistent disagreement, judicial appeals before the competent administrative court. In practice, appeals are rare for warnings and formal notices; they are justified for formal sanctions with significant reputational or financial impact.