
Law 09-08 is Morocco’s core data protection law and applies to any business that processes personal data in Morocco, regardless of its size or nationality.
It sets out the legal rules for collecting, using, storing, and transferring personal data and is enforced by the CNDP.
What is Law 09-08?
Law 09-08 governs the protection of individuals with regard to the processing of personal data in Morocco.
Adopted in 2009, the law aims to:
- protect individuals’ privacy,
- regulate how businesses use personal data,
- impose compliance obligations on data controllers and processors.
Law 09-08 applies to both manual and automated processing of personal data.
Official source: https://www.cndp.ma/images/lois/Loi-09-08-Fr.pdf
What is considered personal data under Law 09-08?
Personal data includes any information relating to an identified or identifiable individual, such as:
- name, address, email, phone number,
- ID or passport number,
- customer or employee records,
- online identifiers.
Sensitive personal data includes:
- health and medical data,
- biometric and genetic data,
- political or religious beliefs,
- trade union membership.
Processing sensitive data is subject to stricter CNDP authorization requirements.
Who must comply with Law 09-08?
Law 09-08 applies when:
- a company is established in Morocco, or
- personal data processing uses technical or operational means located in Morocco.
Businesses commonly concerned include:
- commercial companies of all sizes,
- foreign companies with Moroccan operations,
- websites and online platforms,
- service providers handling customer or employee data,
- subcontractors acting on behalf of other entities.
There is no exemption based on turnover or headcount.
Key obligations imposed on businesses
Under Law 09-08, businesses must:
- process data lawfully, fairly, and transparently,
- collect data for specific and legitimate purposes,
- limit data to what is necessary,
- ensure data accuracy and security,
- respect data subject rights,
- file a CNDP declaration or obtain CNDP authorization before processing.
Failure to meet these obligations may result in sanctions.
Declaration and authorization requirements
Law 09-08 establishes two main compliance mechanisms:
- CNDP declaration for standard processing activities,
- CNDP authorization for higher-risk processing (sensitive data, transfers abroad, interconnections).
Processing must not begin until the appropriate procedure is completed.
Penalties under Law 09-08
Non-compliance may lead to:
- fines up to MAD 600,000,
- criminal liability for company officers,
- suspension or prohibition of data processing,
- closure of establishments,
- referral to judicial authorities.
Enforcement has increased in recent years, particularly in data-intensive sectors.
Why Law 09-08 matters for businesses
Law 09-08 is not only a regulatory constraint.
It is also:
- a governance requirement for investors,
- a trust factor for partners and clients,
- a legal safeguard against operational risk.
Early compliance reduces exposure and supports sustainable business growth.
Frequently Asked Questions
Does Law 09-08 apply to foreign companies?
Yes, if they process personal data using systems or means located in Morocco.
Is GDPR compliance sufficient?
No. GDPR compliance does not replace Moroccan legal requirements.
Does employee data fall under Law 09-08?
Yes. HR and payroll data are fully covered.
Key takeaway
Law 09-08 is the legal foundation of data protection in Morocco.
Any business processing personal data must understand and comply with it before starting operations.

Brahim Rami | Member of the institute of chartered accountants in Morocco
He is a CPA and tax advisor, founder of NeoExpertise.net, a Legal and Tax firm helping foreign companies with business setup, due diligence, payroll, and tax compliance in Morocco and Africa.




