

Law 09-08 Personal Data
Morocco
2009
Privacy
Overview
Key Obligations
- Obtain explicit, informed consent from individuals before processing personal data
- Register data processing activities with the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP)
- Apply additional safeguards when processing sensitive personal data
- Transfer data abroad only to jurisdictions with adequate protection or with CNDP approval
- Allow individuals to access, correct, or object to data use
- Implement technical and organizational measures to ensure data security
- Maintain data processing records and documentation
FAQ
Who regulates data protection in Morocco?
The Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) is the responsible authority.
What entities does the law apply to?
It applies to any organization, public or private, that collects or processes personal data in Morocco.
Can Moroccan companies transfer personal data overseas?
Yes, but only to countries with adequate legal protections or with prior approval from the CNDP.
What are the penalties for violating this law?
Violations can lead to administrative fines, criminal penalties, or suspension of data processing activities.