Guide · Legal comparison

GDPR vs Law 09-08 — article-by-article comparison

The two frameworks are close on principles but diverge sharply on procedures. Cumulative, not exclusive: for each processing activity you must comply with whichever of the two is more demanding.

By Hicham E.

Moroccan Law 09-08 and the European GDPR are two personal data protection frameworks that are close in principle but profoundly different in their procedures. Any Moroccan organisation with international exposure — subsidiary of an EU group, e-commerce shipping to Europe, service provider for European clients, heavy user of US SaaS — must reconcile the two.

This guide compares the two texts article by article and identifies what to do concretely when you are subject to both.

1. History and structure

                        | Law 09-08 (Morocco)          | GDPR (EU)
  Enactment             | 2009                         | 2016
  Entry into force      | 2009                         | 25 May 2018
  Implementing text     | Decree 2-09-165 (2009)       | Directly applicable
  Supervisory authority | CNDP (Rabat)                 | National authority per Member State (CNIL in France, DPC in Ireland, etc.) + EDPB at EU level
  General logic         | Mandatory prior declaration  | Accountability + internal register
  Nature                | National law                 | European regulation (direct effect)

The GDPR lags 15 years behind Law 09-08, which may seem surprising — but the delay stems from the European legislative cycle. A reform of Law 09-08 has been expected for several years to bring the Moroccan framework closer to the GDPR, with no firm official date so far.

2. Scope of application

2.1 Territorial scope

  • Law 09-08: applies to processing carried out in Morocco, to processing carried out from abroad using means located in Morocco, and to processing directed at people in Morocco.
  • GDPR: extraterritorial. Applies to any processing of data of people located in the EU, regardless of where the organisation is.

In practice: a Moroccan website that sells to European customers is subject to both. A European website that collects CVs from Moroccan candidates is subject to both. Dual application is frequent.

2.2 Material scope

Nearly identical: both texts apply to any processing of personal data, whether automated or manual, provided that manual data form part of a structured filing system. The definitions of "personal data" and "processing" are very close.

3. Administrative formalities — the major difference

This is the most operational point of divergence.

3.1 Law 09-08 — systematic prior declaration

Every processing activity must be the subject of a prior declaration to the CNDP via forms F211 (standard declaration), F214 (simplified declaration), F112 (prior authorisation), F113 (simplified authorisation), F118 (international transfer). The Commission issues a receipt which must be displayed publicly.

It is an ex ante system: you declare before processing.

3.2 GDPR — accountability and internal register

No mandatory prior declaration. Instead:

  • A processing register kept internally (Article 30 of the GDPR)
  • A Data Protection Impact Assessment (DPIA) for high-risk processing (Article 35)
  • A notification to the authority only in the event of a breach (Article 33)

It is an ex post system: you document and own your compliance, and oversight intervenes upon a report or audit.

3.3 Stacking for those exposed to both

A Moroccan organisation subject to the GDPR must combine:

  • CNDP declarations (forms F211, F214, F112, F113, F118)
  • GDPR internal register
  • DPIA where applicable
  • CNDP notification and CNIL (or other) notification in the event of a breach

4. Fundamental principles — close

Both texts share the key principles:

  Principle                      | Law 09-08 | GDPR
  Lawfulness                     | Art. 4    | Art. 6
  Specified purpose              | Art. 3    | Art. 5(1)(b)
  Proportionality (minimisation) | Art. 3    | Art. 5(1)(c)
  Quality (accuracy)             | Art. 3    | Art. 5(1)(d)
  Storage limitation             | Art. 3    | Art. 5(1)(e)
  Security                       | Art. 23   | Art. 5(1)(f) and Art. 32

The gap lies in the depth: the GDPR is more precise on the modalities (e.g. "privacy by design" in Article 25 GDPR, sparsely detailed in Law 09-08).

5. Rights of data subjects

5.1 Common rights

  Right                         | Law 09-08               | GDPR
  Access                        | Art. 7                  | Art. 15
  Rectification                 | Art. 8                  | Art. 16
  Objection (legitimate grounds)| Art. 9                  | Art. 21
  Erasure                       | Art. 11 (limited cases) | Art. 17 (broader right to be forgotten)

5.2 GDPR-specific rights

The GDPR adds rights not explicitly provided for by Law 09-08:

  • Right to data portability (Art. 20): retrieve your data in a structured, machine-readable format and transmit it to another controller
  • Reinforced right to erasure (Art. 17): deletion in broader cases
  • Right not to be subject to an automated decision (Art. 22)
  • Right to restriction (Art. 18): freeze processing rather than delete it

For organisations exposed to both, offering these additional rights is good practice even if Law 09-08 does not explicitly require it.

6. DPO — different obligation

  • Law 09-08: no general obligation to designate a DPO. Recommended for organisations processing sensitive data or operating at large scale.
  • GDPR (Art. 37): DPO mandatory in three cases — processing by a public authority, regular and systematic large-scale monitoring, large-scale processing of sensitive data.

A Moroccan subsidiary of an EU group processing at large scale must therefore appoint a DPO within the meaning of the GDPR, either an internal appointee or an outsourced DPO.

7. International transfers — divergent logics

7.1 Law 09-08

A data transfer outside Morocco is subject to prior authorisation by the CNDP via F118, unless:

  • The destination country offers an adequate level of protection recognised by the CNDP
  • The transfer is governed by sufficient contractual safeguards (SCC, BCR)

7.2 GDPR

Transfers outside the EU/EEA are subject to:

  • An adequacy decision by the European Commission (United Kingdom, Japan, Canada commercial sector, etc.)
  • Failing that, appropriate safeguards (SCC, BCR, certification, code of conduct)
  • Failing that, specific derogations (explicit consent, performance of a contract, etc.)

7.3 Practical case: using Google Workspace in Morocco

  • Law 09-08: an F118 must be filed to authorise the transfer to Google datacentres outside Morocco, with documented SCC
  • GDPR: SCC with Google (already provided by default), plus a Transfer Impact Assessment where applicable

Many Moroccan organisations use Google Workspace without having filed an F118 or documented SCC. This is one of the most systemic shortcomings on the market.

8. Sanctions

8.1 Law 09-08

  • Warning, formal notice, withdrawal of authorisation
  • Criminal sanctions: prison sentences and fines depending on the nature of the breach
  • Reform expected to align with international standards

8.2 GDPR

  • Administrative fines of up to 4% of annual worldwide turnover or 20 million euros (whichever is higher)
  • Broad investigative power of the supervisory authority
  • Additional criminal sanctions possible depending on national legislation

The gap in financial severity is significant. A large organisation exposed to the GDPR must treat the GDPR risk as a priority in terms of potential financial impact.

9. Data breach notification

  • Law 09-08: no explicit obligation. Strong recommendation to notify the CNDP in the event of a significant incident, in a good-faith approach.
  • GDPR (Art. 33-34): obligation to notify the authority within 72 hours (unless the risk to individuals is low), and to notify data subjects if the risk is high.

For an organisation exposed to both, the notification procedure must be ready with templates and identified channels.

10. Practical strategy for an exposed Moroccan organisation

10.1 Build the common backbone

  • Localised privacy policy referencing both frameworks
  • Internal processing register (GDPR) + CNDP declarations (Law 09-08)
  • DPAs signed with all processors
  • GDPR-level technical security measures (which mechanically satisfy Article 23 of Law 09-08)
  • Rights-handling procedure covering all GDPR rights (which mechanically cover those of Law 09-08)

10.2 Add the specifics

  • F211/F112/F118 for Morocco
  • GDPR DPO if thresholds are met
  • DPIA for high-risk processing
  • 72-hour breach notification procedure

10.3 Document dual compliance

Maintaining a single compliance file referencing both frameworks reassures auditors, clients, EU partners and authorities. It is a signal of organisational maturity.

11. Resources
Cumulative, not exclusive. The golden rule for exposed Moroccan organisations: apply whichever of the two frameworks is more demanding for each processing activity. The apparent complexity disappears as soon as you accept this logic: document once, respect both. This is the approach we systematically apply at DataSouv for subsidiaries of EU groups and Moroccan exporters.
Hicham E. — CNDP and GDPR specialist, DataSouv contributor. Article reviewed and validated by Amine Rais, founder.

Frequently asked questions

If I comply with the GDPR, am I automatically compliant with Law 09-08?

No. The GDPR covers the principles and most of the rights, but Law 09-08 adds formal obligations specific to Morocco: systematic prior declaration (F211/F112), standardised CNDP forms, prior authorisation for transfers (F118), public display of the receipt. These administrative obligations cannot be substituted by GDPR compliance alone.

And the other way round — if I am compliant with Law 09-08, am I compliant with the GDPR?

No, not that either. The GDPR imposes obligations that Law 09-08 does not explicitly provide for: breach notification within 72 hours, right to data portability, right to erasure, designation of a DPO in certain cases, heavy financial sanctions. An organisation exposed to both frameworks must apply whichever of the two is more demanding for each processing activity.

Is my Moroccan website aimed at Moroccan customers subject to the GDPR?

If you only process data of people located in Morocco and you do not offer goods/services to people in the EU, the GDPR does not apply directly. However, as soon as there is a European visitor or customer, an export to the EU, or an EU-based processor, the extraterritoriality of the GDPR comes into play. In 2026, few professional websites fully escape this exposure.

What are the common compliance workstreams?

A clear, localised privacy policy, notices at the point of collection, processing register, DPAs with processors, technical security measures (TLS, HSTS, HTTP headers), rights-handling procedure, team training. These workstreams are nearly identical for both frameworks and form the common backbone of any serious compliance project.
