Any company that processes personal data in Morocco must either file a CNDP declaration or obtain prior CNDP authorization under Law 09-08.
This obligation applies to Moroccan and foreign companies alike and covers activities as simple as operating a website with contact forms or as complex as transferring customer data abroad.
The competent authority is the CNDP, which supervises and enforces personal data protection in Morocco.
Table of Contents
What is CNDP authorization?
CNDP authorization is a prior legal approval required before carrying out certain types of personal data processing that present a higher risk to individuals’ rights.
It is governed by Law 09-08 on the protection of individuals with regard to the processing of personal data, in force since 2009.
Unlike a declaration, authorization must be granted before the processing begins.
Which companies are required to comply?
CNDP obligations apply when:
- the company is established in Morocco, or the processing uses technical or operational means located in Morocco
Common examples include:
- E-commerce platforms
- Hotels and tourism businesses
- Clinics, laboratories, and healthcare providers
- Call centers and BPO companies
- Startups and SaaS platforms
- HR and recruitment firms
- Moroccan subsidiaries of foreign groups
Even a basic website collecting personal data may fall within CNDP scope.
Declaration vs authorization: understanding the difference
| CNDP Declaration | CNDP Authorization |
|---|---|
| Standard personal data | Sensitive or high-risk data |
| Simplified filing | Prior approval required |
| Lower compliance risk | Higher regulatory scrutiny |
| Faster processing | Longer review time |
Incorrectly filing a declaration when authorization is required is a frequent compliance error.
When is CNDP authorization mandatory?
Authorization is required when processing involves:
- sensitive personal data (health, biometric, political, religious data)
- criminal records or sanctions
- national identity numbers
- interconnection of databases
- transfers of personal data outside Morocco
- use of data for purposes different from those initially declared
Each case must be assessed individually.
Risks of non-compliance
Failure to comply with Law 09-08 may result in:
- fines of up to MAD 600,000
- criminal liability for company officers
- suspension or prohibition of data processing
- referral to the public prosecutor
- reputational and commercial damage
In practice, CNDP often issues warnings first, but enforcement activity has increased.
Why legal assistance matters
CNDP filings are legal submissions, not administrative formalities.
Professional assistance helps companies to:
- correctly qualify data processing activities
- prepare compliant CNDP applications
- secure international data transfers
- avoid rejection or delays
- prepare for inspections or audits
For foreign investors, CNDP compliance is often a key governance requirement.
Frequently Asked Questions
How long does CNDP authorization take?
Do foreign companies need CNDP authorization?
Yes, if their processing relies on systems or operations located in Morocco.
Does a website need CNDP registration?
Key takeaway
CNDP authorization in Morocco is a legal obligation, not an option.
Early compliance protects companies from sanctions and strengthens regulatory credibility.
Brahim Rami | Member of institute of chartered accountants in Morocco
He is a CPA and tax advisor, founder of NeoExpertise.net, a Legal and Tax firm helping foreign companies with business setup, due diligence, payroll, and tax compliance in Morocco and Africa.
