Flagship service

CNDP compliance audit in Morocco — Law 09-08 and decree 2-09-165

Full diagnostic of your compliance with the Moroccan personal data protection framework. Eight audited areas, a prioritised report referenced article by article, and a costed 90-day remediation plan. No accusations, no leaks: we tell you in private before it becomes public.

Scope

Eight audited areas, from legal to technical

We treat compliance as a whole. A perfect policy paired with a site missing HSTS is not compliant. Hardened infrastructure without a CNDP filing is not compliant either.

  • CNDP filings

    Inventory of current processing activities vs. F211, F112, F118 and F214 filings actually submitted. Detection of undeclared processing, expired receipts and unreported substantial changes.
  • Records of processing

    Review of the internal records (purposes, legal bases, retention, processors, security measures) under the requirements of article 23 of Law 09-08 and its implementing decree.
  • Data subject rights

    Verification of internal procedures for access, rectification, objection and erasure (articles 7 to 11 of Law 09-08): intake channels, response times, traceability of requests.
  • Legal bases and consent

    Audit of consents collected (form, proof, withdrawal) and of other legal bases relied on. Consistency between published notices and the processing actually performed.
  • International transfers

    Mapping of processors located outside Morocco and the associated transfers (US SaaS, EU hosting, etc.). Verification of the legal basis (F118 authorisation, SCC, adequate country) and contractual documentation.
  • Cookies and trackers

    Analysis of the banner, of the actual runtime blocking of trackers before consent, of consent granularity (categories), and of choice persistence. Comparison with CNDP requirements and the ePrivacy directive.
  • Application security

    Evaluation of the technical measures required by article 23 (integrity, confidentiality, availability): TLS, HTTP security headers, access management, logging, backups, breach notification procedure.
  • Processors and DPAs

    Inventory of processors, verification of data processing agreements (DPAs), sub-processor conditions and contractually imposed security measures.

Methodology

Six steps, three to six weeks

A reproducible, as-asynchronous-as-possible method that does not block your IT department or your business teams.

  1. Initial scoping

    A 45-minute conversation to understand your business, your main processing activities, your systems (CMS, CRM, ERP, marketing tools) and your stakes. Signature of a strict NDA before any technical exchange.

  2. Document collection

    Retrieval of existing CNDP filings, records of processing, published policies, processor contracts and data flow mapping. Asynchronous audit: we work without blocking your teams.

  3. Non-intrusive site analysis

    External inspection of the public website: HTTP headers, TLS certificates, cookies dropped, third-party trackers, form surface, presence of mandatory notices. No intrusion, no aggressive scan — strictly public observation.

  4. Targeted interviews

    Short (30-minute) interviews with identified stakeholders (IT, marketing, HR, legal) to understand real practices and identify gaps between documentation and operations.

  5. Prioritised report

    Delivery of a structured report: findings per area, risk level (critical / high / moderate / low), precise legal references (article by article), and costed remediation plan with time and cost ranges.

  6. Debrief and trade-offs

    Debrief workshop with your executive committee. Trade-offs on priorities, CNDP filing windows, internal vs. outsourced allocation. You leave with an operational 90-day roadmap.
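The passive checks that the Application security area and step 3 describe, written out as an added example (not the firm's own tooling): it reads a captured set of response headers and returns findings tagged with the report's own risk levels. The sample headers are constructed, and the header list, the one-year HSTS threshold, the risk mapping and the assumption that only a cookie named `session` is essential are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the response headers a public GET of a landing page might return
# before the visitor has touched any cookie banner (not captured from a real site).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "_ga=GA1.2.1; Path=/; Domain=.example.ma; Expires=Sat, 01 Jan 2028 00:00:00 GMT"),
]

# Headers the audit looks for, with the risk level a missing one gets (assumed mapping).
EXPECTED_HEADERS: Dict[str, str] = {
    "strict-transport-security": "high",
    "content-security-policy": "moderate",
    "x-content-type-options": "low",
    "x-frame-options": "low",
    "referrer-policy": "low",
}
ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for HSTS to count as effective

def analyse(headers: List[Tuple[str, str]], essential=("session",)) -> List[Tuple[str, str]]:
    """Return (risk, finding) pairs. Any cookie not named in `essential` is treated as
    non-essential, so dropping it before consent is a consent finding."""
    findings: List[Tuple[str, str]] = []
    simple = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    for name, risk in EXPECTED_HEADERS.items():
        if name not in simple:
            findings.append((risk, f"missing header {name}"))
    hsts = simple.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not age or int(age.group(1)) < ONE_YEAR):
        findings.append(("moderate", "HSTS max-age shorter than one year"))
    for n, v in headers:  # Set-Cookie may repeat, so walk the raw list, not a dict
        if n.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie not in essential:
            findings.append(("high", f"cookie {cookie} dropped before consent"))
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in flags:
                findings.append(("low", f"cookie {cookie} lacks {label}"))
    return findings

RISK_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

def prioritised(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Findings ordered the way the report lists them: critical first, low last."""
    return sorted(analyse(headers), key=lambda f: RISK_ORDER[f[0]])
```

On the sample, the pre-consent `_ga` cookie is the only high finding; the short HSTS max-age and the missing CSP are moderate, and the rest are low.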

Deliverables

What you concretely receive

Everything is actionable. No deliverable is purely decorative. The report is written so it can be read by your leadership and executed by your technical team.

  • Audit report (40-80 pages) with findings referenced article by article
  • Visual mapping of processing activities and data flows
  • Exhaustive list of CNDP filings missing or to be updated
  • Costed remediation plan (90 days) prioritised by risk
  • Immediately usable templates (records, standard DPA, rights procedure)
  • Verbal debrief with your executive committee

Who it is for

Organisations primarily concerned

The audit is calibrated for four dominant profiles in Morocco, but remains useful for any organisation handling personal data.

Moroccan SMEs and mid-caps

Companies processing customer, HR or video surveillance data that have never formalised their compliance, or whose filings predate the widespread adoption of SaaS tools.

E-commerce sites and platforms

Players collecting accounts, baskets, payments, geolocation, or running loyalty programmes. Significant exposure to CNDP audits and to complaints filed by customers.

Moroccan subsidiaries of EU groups

Companies that must reconcile GDPR with Law 09-08, manage intra-group flows, and justify compliance both to the group DPO and the local CNDP.

Banking, insurance, healthcare

Regulated sectors where the CNDP exercises reinforced vigilance and where prior authorisation (F112) is often required for sensitive processing.

Frequently asked questions

What we are asked before signing

How long does a full audit take?

Between 3 and 6 weeks depending on the size of the organisation and the number of systems to map. The final report is delivered 10 business days after the end of the interviews. For organisations under 20 people with a simple website, expect 3 weeks.

Does the audit trigger a CNDP inspection?

No. The audit is strictly private between you and us, protected by a confidentiality agreement. No information is shared with the CNDP without your explicit instruction. If the audit reveals serious shortcomings, we present you with the options — including voluntary remediation, which the Commission usually handles favourably.

What is the difference with a GDPR audit?

Law 09-08 and its decree 2-09-165 are structurally close to the GDPR on principles, but diverge on the mechanics: mandatory prior filing in Morocco (vs. internal record in the EU), prior authorisation for sensitive processing, standardised CNDP forms, specific regime for transfers outside Morocco. Our audit handles both frameworks simultaneously when you are exposed to both.

Do you work with a law firm?

When the case requires it (litigation, precise legal characterisation of a disputed processing activity, support before the CNDP), we coordinate the audit with a specialised law firm. Our work remains independent and our report can be delivered with or without an attorney.

What does an audit cost?

Pricing depends on the size of the organisation and the number of processing activities. As a guide: short audit (very small business / brochure site) from 25,000 MAD, standard audit (multi-system SME) between 60,000 and 120,000 MAD, extended audit (group or regulated sector) by tailored quote. A firm quote is provided after the free initial scoping call.

After the audit, do you support the compliance roll-out?

Yes, but it is never imposed. You are free to execute the plan in-house, with another provider, or with us. Our report is detailed enough to be actionable by any competent team. If you entrust us with the roll-out, we apply a discount on the dedicated package.

Free first step

We start with 45 minutes of scoping. No commitment.

At the end of the call, you leave with a first qualified opinion and a firm quote if you wish to go further. No aggressive commercial follow-up: that is not how we operate.