Morocco Loi 09-08

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data

Flag of MA
MoroccoOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
February 18, 2009
Enacted
February 18, 2009
Enforcing Authority
Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP)
Consent Model
Opt-in
Applies To
All natural and legal persons processing personal data on Moroccan territory, or using means located in Morocco

Overview

Morocco's Loi 09-08 is among the first data protection laws in Africa, modeled after the French Data Protection Act. The CNDP serves as an autonomous supervisory authority. All processing activities must be declared to the CNDP before implementation, and the authority takes a graduated enforcement approach.

What This Means for Your Website

  • All personal data processing must be declared to CNDP before implementation
  • Valid consent is required for most processing activities
  • International data transfers require CNDP authorization
  • The CNDP takes a graduated approach: warnings before fines or criminal referrals
  • Criminal penalties include 3 months to 4 years imprisonment

Key Requirements

The CNDP enforces Loi 09-08 with administrative fines of MAD 10,000-600,000 and criminal sanctions of 3 months to 4 years. Processing must be declared before beginning. International transfers require authorization. Enhanced protections apply to sensitive data.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Moroccan visitors meeting the law's requirements for prior consent and transparency.

Penalties

Administrative fines MAD 10,000-600,000. Criminal sanctions: 3 months to 4 years imprisonment.

Maximum Fine
MAD 600,000 per violation

Key Requirements

  • All processing must be declared to CNDP prior to implementation
  • Valid consent required for most processing activities
  • International transfers require CNDP authorization
  • Appropriate technical and organizational security measures mandatory
  • Enhanced protections for sensitive data categories
  • Data subject rights: access, rectification, objection

Notable Provisions

  • Among earliest African data protection frameworks
  • Modeled closely on French law
  • CNDP takes graduated enforcement approach (warnings first)
  • Declaration to CNDP required before processing begins

Other Middle East & North Africa Regulations

KSA PDPLKingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPLUnited Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPLEgypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Bahrain PDPLKingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.
Algeria Law 18-07Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.

Frequently Asked Questions

Is Morocco's law modeled on French law?

Yes. Loi 09-08 is modeled closely on the French Data Protection Act (Loi Informatique et Libertés), reflecting Morocco's legal tradition.

Must processing be declared before starting?

Yes. All personal data processing must be declared to the CNDP prior to implementation.

What are Morocco's penalties?

Administrative fines of MAD 10,000-600,000 plus criminal sanctions of 3 months to 4 years imprisonment.

Stay compliant with Morocco Loi 09-08

ConsentStack helps you implement Opt-in consent for Morocco automatically.

Get started free