Any entity that processes personal data in Morocco must comply with CNDP rules, whether it is a Moroccan company, a foreign company, or a public body.
Compliance is mandatory and supervised by the CNDP.
Table of Contents
The CNDP’s scope of authority
The CNDP oversees all personal data processing subject to Law 09-08, including:
- private companies,
- public institutions,
- foreign entities operating in Morocco,
- subcontractors and service providers.
There are no sector-based exclusions.
Moroccan companies
All Moroccan companies are subject to CNDP rules if they:
- collect customer or employee data,
- operate websites or digital platforms,
- use CRM, payroll, or marketing tools.
This includes startups, SMEs, and large enterprises.
Foreign companies and subsidiaries
Foreign companies must comply if:
- they have a subsidiary or branch in Morocco,
- they use servers, systems, or staff located in Morocco,
- they process data relating to individuals in Morocco.
CNDP compliance is often required before launching operations.
Websites and online platforms
Websites must comply if they:
- collect personal data through forms,
- use tracking tools involving personal data,
- manage user accounts or subscriptions.
Online activity does not exempt a business from CNDP obligations.
Subcontractors and service providers
Entities acting as data processors must:
- follow instructions from data controllers,
- implement security measures,
- ensure confidentiality,
- comply with CNDP requirements applicable to their role.
Liability may extend to both parties.
Activities requiring special attention
CNDP scrutiny is higher for:
- sensitive data processing,
- healthcare and HR data,
- call recording and monitoring,
- international data transfers,
- interconnection of databases.
These activities often require prior CNDP authorization.
Consequences of ignoring CNDP rules
Failure to comply may result in:
- administrative warnings,
- suspension of processing activities,
- criminal proceedings,
- reputational damage,
- contractual and commercial risks.
CNDP enforcement applies equally to local and foreign entities.
Frequently Asked Questions
Does company size matter?
No. CNDP rules apply regardless of size.
Can CNDP inspect a company?
Yes. It has investigation and inspection powers.
Is compliance a one-time obligation?
No. Compliance must be maintained continuously.
Final note
CNDP compliance is a legal obligation for any entity processing personal data in Morocco.
Understanding who is covered is the first step toward lawful and secure operations.
Brahim Rami | Member of institute of chartered accountants in Morocco
He is a CPA and tax advisor, founder of NeoExpertise.net, a Legal and Tax firm helping foreign companies with business setup, due diligence, payroll, and tax compliance in Morocco and Africa.
