Document reglementation/cndp ⚖️ Legal text

Law 09-08 PDF: Personal Data Protection in Morocco

Download the full text of Law 09-08 on the protection of individuals with regard to the processing of personal data in Morocco.

Law No. 09-08 — Personal Data Protection in Morocco

Law No. 09-08 on the protection of individuals with regard to the processing of personal data was enacted by Dahir No. 1-09-15 of 18 February 2009 and published in Official Gazette No. 5714 of 5 March 2009.

This foundational text establishes the legal framework for personal data protection in Morocco. It created the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) as the regulatory authority.

Structure of the Law

Law 09-08 comprises 8 chapters and 67 articles:

Chapter I — General Provisions (Art. 1-2)

Key definitions: personal data, sensitive data, processing, data controller, processor, third party, recipient, consent. Territorial scope: all processing carried out on Moroccan territory.

Chapter II — Conditions for Lawful Processing (Art. 3-11)

  • Data quality (Art. 3): fair and lawful processing, specified purposes, adequate and proportionate data
  • Consent (Art. 4): prior consent principle with exceptions (legal obligation, contract, vital interests, public interest, legitimate interest)
  • Sensitive data (Art. 5): processing prohibited in principle, limited exceptions
  • Right to information (Art. 5 bis): obligation to inform data subjects
  • Right of access (Art. 7): communication of processed data
  • Right of rectification (Art. 8): correction, update, deletion
  • Right of objection (Art. 9): objection on legitimate grounds
  • Direct marketing (Art. 10): prohibited without prior consent
  • Neutrality of effects (Art. 11): no judicial decision may be based solely on automated processing

Chapter III — Declaration, Authorization and Obligations (Art. 12-26)

  • Section 1 — Prior declaration (Art. 12-20)
  • Section 2 — Prior authorization (Art. 21-22): required for sensitive data, CIN, file interconnection, international transfer
  • Section 3 — Confidentiality and security (Art. 23-26): technical and organizational measures, professional secrecy

Chapter IV — The CNDP (Art. 27-42)

Institution, powers and attributions. Composition: 7 members appointed by His Majesty the King. Investigation, control and sanctioning powers.

Chapter V — International Data Transfer (Art. 43-44)

Transfer conditions: adequate level of protection in the receiving country. CNDP authorization with safeguards if not.

Chapter VI — National Register and Files (Art. 45-50)

National data protection register. Regulation of files relating to offences and convictions.

Chapter VII — Criminal Penalties (Art. 51-66)

  • Art. 52: failure to declare/authorize → MAD 10,000 to 100,000 fine
  • Art. 53: refusing access/rectification/objection rights → MAD 20,000 to 200,000
  • Art. 54: fraudulent collection, unlawful processing → 3 months to 1 year imprisonment + MAD 20,000 to 200,000
  • Art. 55-56: unauthorized sensitive data processing → 6 months to 2 years + MAD 50,000 to 300,000
  • Art. 64: legal entities → fines doubled + possible seizure + closure

Chapter VIII — Transitional Provisions (Art. 67)

Two-year compliance period from CNDP installation.

Upsilon Consulting Support

Upsilon Consulting supports you in achieving compliance with Law 09-08: CNDP compliance assistance.

Contact us for a free CNDP compliance assessment.

Additional Resources

PDF format Free
Download PDF

Need guidance?

Our experts are available to assist you. Free initial consultation.

Contact us