Summary — Law 09-08 on the protection of individuals with regard to the processing of personal data establishes a strict sanctions regime in Morocco. Non-compliant businesses face fines of up to 300,000 MAD, prison sentences of up to 2 years, and administrative penalties including establishment closure. This article details every sanction under Chapter VII (Articles 51 to 66) of the law.
Why Take CNDP Sanctions Seriously?
The National Commission for the Control of Personal Data Protection (CNDP) holds extensive powers to penalize violations of Law 09-08. The enforcement framework was designed to effectively deter non-compliance, with a graduated scale of sanctions ranging from simple fines to imprisonment and business closure.
Any company, association, or public body processing personal data in Morocco must understand precisely the risks involved in case of non-compliance.
Criminal Sanctions: Article by Article
Article 52 — Failure to Declare or Obtain Authorization
Any data controller who processes personal data without filing the required prior declaration or obtaining authorization from the CNDP faces a fine of 10,000 to 100,000 MAD.
This violation applies particularly to companies collecting customer, HR, or prospect data without completing the mandatory administrative formalities.
Article 53 — Refusing Data Subject Rights
Refusing to grant data subjects their rights of access, rectification, or objection carries a fine of 20,000 to 200,000 MAD per violation.
Each refusal constitutes a separate offense, meaning fines can accumulate rapidly in cases of systematic non-compliance.
Article 54 — Fraudulent or Unlawful Collection
Collecting personal data through fraudulent, unfair, or unlawful means is punishable by 3 months to 1 year of imprisonment and a fine of 20,000 to 200,000 MAD.
This covers practices such as collecting data without informed consent, using deceptive forms, or covertly capturing information.
Article 55 — Processing Sensitive Data Without Authorization
Processing sensitive data (racial origins, political opinions, religious beliefs, health data, etc.) without prior CNDP authorization or the explicit consent of the data subject is punishable by 6 months to 2 years of imprisonment and a fine of 50,000 to 300,000 MAD.
This represents the harshest criminal penalty in the framework, reflecting the particular sensitivity of these data categories.
Article 57 — Excessive Data Retention
Retaining personal data beyond the period necessary for the processing purpose is sanctioned with 3 months to 1 year of imprisonment and a fine of 20,000 to 200,000 MAD.
Companies must define and respect proportionate retention periods for each category of processed data.
Article 58 — Inadequate Security Measures
A data controller who fails to implement appropriate technical and organizational security measures to protect data faces 3 months to 1 year of imprisonment and a fine of 20,000 to 200,000 MAD.
This includes lack of encryption, access controls, backups, or an IT security policy.
Article 59 — Processing Despite Legitimate Objection
Continuing to process data despite a legitimate objection from the data subject is punishable by 3 months to 1 year of imprisonment and a fine of 20,000 to 200,000 MAD.
The right to object is a fundamental right that every data controller must respect without delay.
Articles 60 and 61 — Illegal International Transfer
Transferring personal data to a country that does not provide an adequate level of protection, without CNDP authorization, exposes the controller to 3 months to 1 year of imprisonment and a fine of 20,000 to 200,000 MAD.
This provision specifically targets companies hosting data abroad or sharing information with international partners without verifying protection guarantees.
Articles 62 and 63 — Obstructing CNDP Investigations
Any person who obstructs the CNDP’s control and verification missions faces 3 months to 1 year of imprisonment and a fine of 10,000 to 100,000 MAD.
Refusing access to premises, destroying documents, or providing false information to CNDP agents constitutes an independent offense.
Article 64 — Legal Entities: Doubled Penalties
When an offense is committed by a legal entity (company, association, etc.), fines are doubled. The court may also order:
- Seizure of equipment used to commit the offense
- Confiscation of data storage media
- Temporary or permanent closure of the establishment
This provision makes the stakes particularly critical for businesses.
Administrative Sanctions by the CNDP
Beyond criminal penalties, the CNDP has a range of graduated administrative sanctions:
Warning
The CNDP may issue a warning to the data controller when a violation is identified. While not coercive, this measure is recorded in the controller’s file and may be made public.
Formal Notice
In cases of persistent non-compliance, the CNDP may issue a formal notice with a deadline to achieve compliance. Failure to comply with this notice may lead to more severe sanctions.
Withdrawal of Authorization or Receipt
The CNDP may withdraw the authorization or declaration receipt, rendering the processing illegal and exposing the controller to the criminal penalties under Article 52.
Suspension or Prohibition of Processing
In the most serious cases, the CNDP may order the temporary suspension or permanent prohibition of processing, with an obligation to delete the collected data.
Summary Table of Criminal Sanctions
| Article | Offense | Fine (MAD) | Prison / other penalties |
|---|---|---|---|
| Art. 52 | Failure to declare/authorize | 10,000 – 100,000 | — |
| Art. 53 | Refusing rights | 20,000 – 200,000 | — |
| Art. 54 | Fraudulent collection | 20,000 – 200,000 | 3 months – 1 year |
| Art. 55 | Sensitive data without authorization | 50,000 – 300,000 | 6 months – 2 years |
| Art. 57 | Excessive retention | 20,000 – 200,000 | 3 months – 1 year |
| Art. 58 | Inadequate security | 20,000 – 200,000 | 3 months – 1 year |
| Art. 59 | Processing despite objection | 20,000 – 200,000 | 3 months – 1 year |
| Art. 60-61 | Illegal international transfer | 20,000 – 200,000 | 3 months – 1 year |
| Art. 62-63 | Obstructing CNDP | 10,000 – 100,000 | 3 months – 1 year |
| Art. 64 | Legal entity | Doubled fines | Seizure / closure |
FAQ — Frequently Asked Questions
Do CNDP sanctions apply to all businesses?
Yes. Any entity (company, association, government body) that processes personal data in Morocco is subject to Law 09-08 and its sanctions regime, regardless of size or industry.
Can administrative and criminal sanctions be combined?
Yes. Administrative sanctions imposed by the CNDP do not prevent criminal prosecution. The same violation may result in both an administrative warning and criminal proceedings before the courts.
How can CNDP sanctions be avoided?
Compliance involves several steps: declaring or authorizing data processing, respecting data subject rights, securing data, defining retention periods, and regulating international transfers. Working with a specialized chartered accountant facilitates overall compliance management.
What is the statute of limitations for offenses?
Offenses under Law 09-08 follow the general statute of limitations under criminal law. It is strongly recommended not to rely on the limitation period and to achieve compliance immediately.
Does the CNDP conduct proactive audits?
Yes. The CNDP has the power to conduct on-site and document-based inspections. It may act on its own initiative or following a complaint from a data subject. Audits are becoming increasingly frequent, particularly in data-intensive sectors.