Law 09-08 and Foreign Companies in Morocco: CNDP Obligations | Upsilon Consulting

Abdelhakim Soudi, Mansour Eddekkaki

Upsilon Consulting

Summary — Any foreign company operating in Morocco or using means located on Moroccan territory is subject to Law 09-08 on personal data protection. This entails appointing a local representative, filing declarations with the CNDP, and obtaining specific authorizations for data transfers to the parent company. This guide details the concrete obligations and steps required to ensure compliance.

Why Law 09-08 concerns foreign companies

Morocco has become a prime destination for international investors, multinationals, and nearshoring companies. Whether setting up a subsidiary, opening a representative office, or engaging local service providers, these companies inevitably collect and process personal data on Moroccan soil: employee data, customer information, supplier details, and prospect records.

Law 09-08, enacted in 2009 and inspired by the European data protection model, strictly regulates these processing activities. Ignoring these obligations exposes companies to criminal sanctions, fines, and significant reputational risk.

Territorial scope (Article 2)

Article 2 of Law 09-08 defines a broad territorial scope. The law applies in two main scenarios:

Scenario 1: The data controller is established on Moroccan territory. This covers any subsidiary, branch, liaison office, or legal entity registered in Morocco. Even if the parent company is based abroad, as soon as it has an establishment in Morocco, the law applies in full.

Scenario 2: The data controller uses means located in Morocco. This provision is more nuanced. A company with no physical presence in Morocco but using servers, cookies, subcontractors, or business partners located on Moroccan territory also falls under the law. This is a critical point for nearshoring companies and digital platforms.

In both cases, the company must designate a representative in Morocco with the CNDP.

The obligation to appoint a representative in Morocco

When a foreign company is subject to Law 09-08 without being directly established in Morocco, it must appoint a representative on Moroccan territory. This representative acts as the point of contact with the CNDP and the individuals whose data is being processed.

The representative can be a natural or legal person. In practice, companies often rely on their local subsidiary, an accounting firm, or a specialized legal practice. The representative must be clearly identified in all declarations submitted to the CNDP.

Declarations and authorizations for subsidiaries

Any subsidiary of a foreign company established in Morocco must complete preliminary formalities with the CNDP before implementing its data processing activities.

Prior declarations

Standard processing operations (human resources management, customer files, accounting, invoicing) require a prior declaration. This declaration describes the purpose of the processing, the categories of data collected, the recipients, and the retention period.

Prior authorizations

Certain processing operations require prior authorization from the CNDP, including:

  • Processing of sensitive data (health, political opinions, trade union membership, biometric data)
  • Interconnection of files with different purposes
  • Processing involving genetic data
  • Data transfers to countries that do not provide an adequate level of protection

The CNDP review period is generally two months for authorizations. It is therefore essential to plan these procedures into the establishment timeline.

Data transfers to the parent company (Articles 43-44)

This is one of the most sensitive issues for foreign companies. Articles 43 and 44 of Law 09-08 strictly regulate international transfers of personal data.

The default rule is a prohibition on transferring personal data to a country that does not ensure an adequate level of protection. The CNDP establishes and updates the list of countries recognized as providing sufficient protection.

To transfer data to a parent company located in a country without adequate protection, the company must obtain specific CNDP authorization. This authorization may be granted if:

  • The data subject has given explicit consent
  • The transfer is necessary for the performance of a contract
  • The data controller ensures a sufficient level of protection through contractual clauses or binding corporate rules (equivalent to European BCRs)

In practice, international groups must formalize standard contractual clauses or intra-group privacy policies and submit them to the CNDP for validation.

Cloud, SaaS, and hosting outside Morocco

The growing use of cloud services and SaaS solutions poses particular challenges under Law 09-08. When a company established in Morocco uses a service whose data is hosted on servers located abroad, this constitutes an international data transfer.

In concrete terms, this means that:

  • Using Microsoft 365, Google Workspace, Salesforce, or any other SaaS involving hosting outside Morocco must be assessed against Articles 43-44
  • If the hosting country is not on the list of countries with adequate protection, CNDP authorization is required
  • The contract with the cloud provider must include guarantees on data security and confidentiality
  • The company remains the data controller, even if the data is technically managed by a foreign subcontractor

Nearshoring companies are particularly exposed, as their operational model often relies on constant data exchange with foreign clients and the use of international cloud infrastructure.

Practical steps toward compliance

Here are the concrete steps a foreign company must take:

  1. Appoint a representative in Morocco — Identify a natural or legal person who will serve as your point of contact with the CNDP.

  2. Map all data processing activities — Inventory all personal data processing carried out by your subsidiary or through means located in Morocco: HR, payroll, customers, suppliers, video surveillance, marketing, etc.

  3. File prior declarations — For each identified processing activity, submit the corresponding declaration to the CNDP.

  4. Obtain necessary authorizations — For sensitive data and international transfers, prepare and submit authorization requests.

  5. Secure international transfers — Implement standard contractual clauses or binding corporate rules to govern data flows to the parent company.

  6. Inform data subjects — Update your legal notices, privacy policies, and employment contracts to inform individuals of their rights (access, rectification, objection).

  7. Train local teams — Raise awareness among your Moroccan staff about data protection rules and internal procedures.

Connection to other compliance obligations

CNDP compliance does not exist in isolation. It intersects with other obligations that foreign companies face in Morocco:

  • Tax obligations: corporate tax (IS), VAT, withholding tax on payments abroad
  • Labor law: employment contracts, CNSS social security, occupational health
  • Accounting obligations: bookkeeping, financial statements, statutory auditing

An integrated approach to compliance allows companies to pool their efforts and reduce risks. This is why we recommend that foreign companies work with a Moroccan accounting firm that understands all these dimensions.

Due diligence and acquisitions

For companies considering acquiring a Moroccan business, CNDP compliance is an essential element of due diligence. The absence of declarations or authorizations can constitute a significant hidden liability, with criminal penalties of up to one year of imprisonment and MAD 300,000 in fines.

Before any acquisition, it is essential to verify the register of declared processing activities, the authorizations obtained, and the compliance of international data transfers.

How Upsilon Consulting can help

Our firm supports foreign companies throughout their compliance journey in Morocco, from subsidiary creation to CNDP compliance, including tax and social obligations. We act as CNDP representative and manage the follow-up of your declarations and authorizations.

Contact us for a personalized assessment of your situation.

