Data protection & privacy laws in Morocco (2026)

Law No. 09-08, promulgated by Dahir 1-09-15 on 18 February 2009 and published in the Official Bulletin No. 5714 on 5 March 2009, establishes the comprehensive personal data protection regime covering all natural and legal persons, public or private, processing data on Moroccan territory.

The CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel), established by Law 09-08, is the independent administrative authority. Its president is appointed by the King. It registers processing activities, grants authorisations for sensitive data and international transfers, conducts investigations, and can impose administrative, financial, or criminal sanctions.

Controllers must have a lawful basis (including freely given consent), respect data minimisation and accuracy principles, implement technical and organisational security measures, and register standard processing operations with the CNDP — or obtain prior authorisation for sensitive categories (health, biometric, criminal data) and certain automated decisions.

Law 09-08 grants rights to information at collection, access to personal data held, rectification of inaccurate data, and objection to processing — particularly for direct marketing. These rights are enforceable through the CNDP or Moroccan courts.

Transfers of personal data abroad require CNDP authorisation unless the destination country ensures a sufficient level of protection. Where protection is deemed inadequate, transfers may be permitted on the basis of standard contractual clauses or binding corporate rules approved by the CNDP.

Non-compliance can result in fines of MAD 10,000–600,000 (approx. USD 1,000–60,000) and/or imprisonment of 3 months to 4 years under Law 09-08. In 2025 the CNDP intensified enforcement activity, issuing decisions on cookies, video surveillance in healthcare, newsletters, and access-control data collection, while historically preferring education and warnings over heavy penalties.

Morocco applied for an EU adequacy decision as early as 2009 but has not yet received one as of 2026; it is not listed among the European Commission's recognised adequate countries. Reform discussions focus on aligning Law 09-08 closer to the GDPR — particularly regarding AI and emerging technologies — but no amending legislation has been enacted.