Internal or external DPO

DPO appointment in Morocco — internal, outsourced, or hybrid

The Data Protection Officer is not strictly mandatory under Law 09-08, but becomes the natural anchor for any organisation that takes compliance seriously over time. We coach your internal DPO, or we run the mission for you.

Two modes

Choose based on size and maturity

Coached internal DPO

You appoint an internal employee (often legal, IT or compliance) whom we train and coach for 6 to 12 months. Suited to organisations of more than 50 people with the critical mass to progressively internalise the function.

Typical profile

Moroccan groups with a legal team, subsidiaries of an EU group, regulated companies (banking, insurance, healthcare).

Outsourced DPO on long-term mission

We act as DPO on your behalf, with a monthly report, on-call coverage, and presence at your compliance or executive committee. The mission is contracted for 12 months, renewable, with an exit clause.

Typical profile

SMEs, mid-caps, e-commerce sites, SaaS platforms that lack the critical mass to internalise but want a competent and reachable DPO.

Recurring missions

What a competent DPO does day to day

The DPO is neither a decorative position nor an administrative duty imposed by a distant regulation. It is an operational role with regular deliverables and accountability to leadership.

  • Maintenance and update of the records of processing
  • CNDP regulatory watch (deliberations, guidelines)
  • Interface with the CNDP (case review, inspections, reports)
  • Advice on new product features and their compliance impact
  • Running awareness sessions for teams (HR, marketing, IT, support)
  • Handling of data subject rights requests (access, rectification, objection)
  • Notification of data breaches within regulatory timelines
  • Monthly or quarterly report to leadership

Profile of a good DPO

Four dimensions, a rare balance

The effective DPO is not just a lawyer. They combine legal and technical skills with independence and availability. That is the profile we train internally or embody on mission.

Legal skills

Mastery of Law 09-08 and decree 2-09-165, operational knowledge of the GDPR (increasingly required by EU partners), ability to legally qualify a processing activity.

Technical skills

Understanding of common IT systems (CMS, CRM, ERP, SaaS), cloud architectures, basics of application security (TLS, HSTS, encryption, logging). No need to be an engineer, but able to engage with an IT director.

Independence

In line with CNDP doctrine and the GDPR, the DPO must be able to escalate to leadership without an intermediary, receives no instructions on the content of their opinions, and cannot be sanctioned for performing their mission.

Availability

Reachable within reasonable timelines (24-48h) by data subjects and the CNDP. Present at key moments: audits, product launches, incidents, inspections.

Frequently asked questions

What we are asked about the DPO

Is appointing a DPO mandatory in Morocco?

Law 09-08 does not create a general appointment obligation comparable to the GDPR. However, appointing a DPO is strongly recommended for organisations processing sensitive data, operating at scale, or exposed to inspections. For Moroccan subsidiaries of EU groups, the group DPO must rely on a local correspondent.

What is the difference between an internal and an outsourced DPO?

The internal DPO is an employee. Advantages: deep cultural knowledge, daily availability. Drawbacks: risk of conflict of interest with other duties, training cost, learning curve. The outsourced DPO brings immediate expertise, structural independence and predictable cost — but requires an internal point of contact for daily coordination.

Can the DPO be the IT director or in-house counsel?

It is possible, but must be handled carefully: the DPO function must be structurally independent. An IT director who is also DPO may face a conflict of interest when auditing their own technical decisions. In-house counsel is usually a better candidate, provided they have no commercial role.

What does an outsourced DPO mission cost?

As a guide, between 2,500 and 7,000 MAD per month depending on organisation size and mission intensity. Annual commitment is typical. Rates decrease for multi-year commitments or multi-entity groups.

What are the recurring deliverables?

Monthly activity report (regulatory watch summary, handled requests, alerts), updated records of processing, documentation support to leadership, support for annual audits. In case of an incident, regulatory notification within deadlines and support for the CNDP communication.

Can we start with a short mission?

Yes. For organisations discovering the function, we offer a 3-month format (initial training + first records + first rights requests) that can be extended into a long-term mission. It is often the best entry point.

Free initial call

Internal, external, or both?

In 30 minutes, we identify the right format for your organisation and propose a clear trajectory. No commitment, no follow-up spam.