The CNDP is Morocco’s national authority responsible for supervising and enforcing personal data protection under Law 09-08.
It has the power to review data processing activities, issue authorizations, conduct investigations, and impose sanctions.
Its full name is the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel.
Table of Contents
Legal basis of the CNDP
The CNDP was established by Law 09-08 and operates under the authority of the Moroccan government.
Its mission is to ensure that personal data processing:
- respects individuals’ rights
- is lawful, fair, and transparent
- complies with national and international standards
Core responsibilities of the CNDP
The CNDP’s main functions include:
- receiving and reviewing CNDP declarations
- granting or refusing CNDP authorizations
- maintaining the national register of data processing
- issuing opinions and guidance
- conducting inspections and investigations
- referring violations to judicial authorities
It is the sole data protection authority in Morocco.
CNDP’s enforcement powers
The CNDP has extensive legal powers, including the ability to:
- request documents and explanations
- access business premises related to data processing
- order suspension or termination of unlawful processing
- withdraw authorizations or declarations
- initiate criminal proceedings through the public prosecutor
These powers apply to both public and private entities.
Who is subject to CNDP oversight?
CNDP oversight applies to:
- Moroccan companies
- foreign companies operating in Morocco
- public entities
- private service providers
- subcontractors processing data on behalf of others
There are no exemptions based on company size.
CNDP and international data transfers
One of the CNDP’s key roles is supervising international transfers of personal data.
In practice:
- most transfers outside Morocco require CNDP authorization
- contractual safeguards are often required
- consent alone is rarely sufficient
This is particularly relevant for cloud services and international groups.
CNDP vs GDPR: not the same authority
Although inspired by European standards, CNDP enforcement differs from GDPR practice:
- prior authorization is still central in Morocco
- enforcement is more administrative than civil
- consent is interpreted more strictly
Companies compliant with GDPR must still adapt to CNDP requirements.
Why understanding the CNDP matters for businesses
A clear understanding of the CNDP allows companies to:
- anticipate compliance obligations
- reduce regulatory risk
- structure data governance correctly
- reassure partners and investors
CNDP compliance is increasingly seen as a marker of corporate reliability.
Frequently Asked Questions
Can the CNDP inspect companies?
Yes. It has full investigation and inspection powers under Law 09-08.
Does the CNDP issue fines directly?
It may impose administrative measures and refer cases for criminal prosecution.
Is the CNDP independent?
It operates independently within the framework set by Moroccan law.
Final note
The CNDP plays a central role in Morocco’s data protection framework.
For any company processing personal data, understanding its role is essential to operating lawfully and securely.
Brahim Rami | Member of institute of chartered accountants in Morocco
He is a CPA and tax advisor, founder of NeoExpertise.net, a Legal and Tax firm helping foreign companies with business setup, due diligence, payroll, and tax compliance in Morocco and Africa.
