In brief: Every business processing personal data in Morocco must file a declaration or obtain an authorization from the CNDP. This guide details the steps, required documents, legal timelines and exemption cases under Law 09-08.
Introduction: why must you declare your data processing to the CNDP?
The Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) is Morocco’s data protection authority, responsible for enforcing Law 09-08 on the protection of individuals with regard to personal data processing. Any company, association or public body that collects, stores or uses personal data falls under its jurisdiction.
Failing to comply with declaration or authorization obligations exposes a business to criminal sanctions and fines of up to 300,000 MAD, or even imprisonment. Understanding the difference between a declaration and an authorization is therefore essential for safeguarding your business.
Declaration vs. authorization: what is the difference?
Prior declaration (general regime)
The declaration is the standard formality. It applies to the majority of non-sensitive personal data processing activities. If your company manages a customer database, payroll files or a billing system, you must file a prior declaration with the CNDP.
The principle is straightforward: you inform the CNDP of your data processing activity, and the Commission issues a receipt within 24 hours. This receipt serves as authorization to proceed with the processing.
Prior authorization (sensitive data)
Authorization is required for processing activities involving sensitive data: racial or ethnic origins, political opinions, religious beliefs, trade union membership, health data, genetic data, biometric data or data relating to criminal offenses or convictions.
The CNDP has 30 days to rule on the authorization request. If no response is received within this period, the authorization is deemed refused (silence equals rejection).
Authorization for international transfers
Any transfer of personal data to a country that does not provide an adequate level of protection also requires prior authorization from the CNDP, in accordance with Articles 43 and 44 of Law 09-08.
Contents of the declaration (Article 15 of Law 09-08)
Each declaration or authorization request must include the following information:
- Identity of the data controller: name or company name, registered office address, trade register number.
- Purpose of the processing: precise objective of data collection and use (e.g., customer relationship management, recruitment, direct marketing).
- Categories of data processed: name, surname, address, email, phone number, banking details, etc.
- Categories of data subjects: customers, employees, suppliers, prospects.
- Data recipients: internal departments, subcontractors, business partners.
- International transfers: destination countries and safeguards implemented.
- Retention period: the duration for which data will be stored.
- Security measures: technical and organizational measures to protect data (encryption, access controls, backups).
Step-by-step procedure for filing a declaration
Step 1: Map your data processing activities
Before taking any action, inventory all personal data processing activities within your company. For each activity, identify the purpose, categories of data, data subjects and security measures in place.
Step 2: Determine the applicable regime
For each processing activity, verify whether it falls under a simple declaration, a simplified declaration or prior authorization. Sensitive data and international transfers systematically require authorization.
Step 3: Prepare the file
Gather the following documents:
- Declaration or authorization form (available on the CNDP website)
- Copy of the trade register or equivalent
- Detailed description of the processing as per Article 15
- Company privacy policy
- Security measures implemented
Step 4: Submit the application
Filing can be done online via the CNDP platform (https://www.cndp.ma). You may also submit a physical filing at the Commission’s headquarters in Rabat.
Step 5: Obtain the receipt or decision
- Declaration: receipt issued within 24 hours.
- Authorization: decision within 30 days. If the file is incomplete, the CNDP may request additional documents, which suspends the deadline.
Step 6: Update your declarations
Any substantial modification to the processing (change of purpose, addition of data categories, new international transfer) must be reported to the CNDP through a new declaration or an update.
Exemptions from declaration (Article 18)
Certain processing activities are exempt from prior declaration:
- Processing involving personal data contained in public registers intended for public information and open for consultation.
- Processing carried out by an individual for exclusively personal or domestic activities.
- Processing whose purpose is limited to maintaining a register which, under legislative or regulatory provisions, is intended for public information.
Important note: an exemption from declaration does not exempt you from complying with the other obligations under Law 09-08, notably the rights of access, rectification and opposition of data subjects.
Simplified declarations (Article 17)
The CNDP may establish simplified standards for certain categories of processing that clearly do not infringe on privacy. In such cases, a simplified declaration suffices, with a streamlined form.
Common processing activities covered by simplified standards typically include:
- Payroll and human resources management
- Customer and supplier management
- General accounting
Check the CNDP website to verify whether your processing qualifies for a simplified standard.
Practical advice for businesses
- Appoint an internal officer responsible for CNDP compliance. This contact person will coordinate declarations and ensure registers are kept up to date.
- Maintain a processing register that is documented and current. This is a best practice that facilitates any inspections.
- Plan ahead for timelines: do not launch a new processing activity before obtaining your receipt or authorization.
- Train your teams on personal data protection best practices.
- Seek professional support from a chartered accountant or specialized consultant to secure your procedures.
Conclusion
CNDP compliance is not optional: it is a legal obligation that protects both your business and the individuals whose data you process. By following the steps outlined in this guide and ensuring you properly distinguish between declarations and authorizations, you significantly reduce your legal exposure.
Upsilon Consulting supports businesses through every step of their CNDP compliance journey, from mapping processing activities to filing declarations and authorization requests.