Data Protection & Privacy 2026

Last Updated March 10, 2026

Morocco

Law and Practice

Authors



DLA Piper Casablanca has three legal specialists and one counsel in its data protection and privacy team, all of whom are able to work in Arabic, English and French. The team regularly assists clients in the context of digital transformation projects, IT regulations queries, and cybersecurity issues. Regarding data privacy specifically, they advise and assist clients in compliance processes relating to data protection, cross-border data transfers, privacy impact assessments, and vendor management and third-party risk. Some of their relevant work includes drafting and reviewing privacy policies for CFC Authority, Four Seasons Hotels, AIG, FMC Corporation, HCL Technologies, Vivo Mobile Communications, Infobip and TikTok.

Law No 09-08 on the protection of individuals with regard to the processing of personal data and its implementing Decree No 2-09-165 govern personal data in Morocco. This law applies to personal data processing:

  • when it is carried out by a natural or legal person established in Moroccan territory; and
  • when the data controller is not established in Moroccan territory but uses automated or non-automated means to process personal data in Moroccan territory (except any processing which is used solely for purposes of transit in national territory, or in a country where the legislation is recognised as equivalent to that of Morocco with regard to the protection of personal data).

The regulatory authority in charge of personal data protection in Morocco, the National Commission for the Control of Personal Data Protection (Commission Nationale de Contrôle de Protection des Données à Caractère Personnel – CNDP), issues decisions that provide specifications regarding types of processing to simplify the notification requirements and standardise the processing of personal data. Data controllers and processors are required to comply with these decisions. Although Morocco does not yet have AI-specific regulations, the CNDP is currently preparing a decision on AI and personal data.

Data in Morocco is also regulated by Law No 05-20 relating to cybersecurity. This law contains provisions applicable to all data, including but not limited to personal data, processed by specific types of data controllers, such as public entities and critical infrastructures.

In addition to these laws, the EU GDPR and other foreign data protection regulations may apply to some entities in Morocco if the processing conducted by these entities falls within the scope of the regulation in question.

Moroccan data protection law is built around a set of core principles that shape all personal data processing. Controllers must ensure that data is collected for legitimate purposes, remains proportionate to those purposes, is kept accurate and up to date, and is not retained longer than necessary. Processing typically requires the individual’s free, specific and informed consent, except in rare cases allowed by law. Organisations are also required to put in place appropriate technical and organisational safeguards to protect personal data, with reinforced measures when dealing with sensitive personal data.

Individuals are granted a broad range of rights enabling them to understand and control how their personal data is used. These include the right to be informed at the time of collection, the right to access their data, the right to request rectification or deletion of inaccurate or unlawful data, and the right to object to the processing of their data.

To achieve compliance in practice, organisations should implement the following measures:

  • map all data-processing activities;
  • ensure that all processing activities are conducted within the limits permitted under Moroccan law and regulations;
  • ensure that the documentation (eg, information notices and data protection clauses) used in the context of each processing is compliant with the applicable regulations;
  • complete mandatory filings with the CNDP or obtain prior authorisations where required, including for sensitive data, changes of purpose or interconnections;
  • enter into written contracts with data processors that clearly define security, confidentiality and instruction-bound obligations; and
  • implement data retention rules consistent with the purpose of processing.

Moroccan law imposes enhanced safeguards when processing sensitive personal data, which includes data relating to a person’s ethnic or racial origin, political or religious beliefs, trade union membership, health status or genetic characteristics. Such data may only be processed under strict conditions; given its heightened potential to affect individual rights and freedoms, processing typically requires both explicit consent and prior authorisation from the data protection authority.

In Morocco, there are no specific regulations governing the processing of personal data for research and development purposes. As a result, the general data protection rules apply. That said, where anonymisation is effective and the individual is no longer identifiable from the data, the dataset no longer constitutes personal data. In those circumstances, it falls outside the scope of data protection law and may be used without prior authorisation.

Additionally, at the request of the data controller and where a legitimate interest exists, the data protection authority may authorise the retention of personal data for historical, statistical or scientific purposes beyond the period necessary for achieving the initial purposes of collection.

Morocco does not yet have a dedicated regulatory framework governing artificial intelligence, automated decision-making or algorithmic systems. As a result, any use of personal data in AI models must comply with the general principles of lawfulness, purpose limitation, proportionality and accuracy that apply to all processing activities under Moroccan data protection law. The CNDP is currently preparing a decision that should bring more clarity to the future of AI and personal data in Morocco.

Moroccan data protection law requires controllers to implement technical and organisational measures that ensure the security of personal data and protect it against unauthorised access, alteration, disclosure, accidental loss or destruction. These obligations form the foundation of how organisations must prevent data breaches. Under the applicable regulations, neither data controllers nor data processors are required to notify the data protection authority when a data breach occurs. That said, notifying the data protection authority of a data breach is highly recommended.

The CNDP is the only personal data protection regulator in Morocco. The CNDP has jurisdiction over any and all data controllers and data processors that are subject to Law No 09-08 on the protection of individuals with regard to the processing of personal data.

The CNDP has focused, for over a decade, on familiarising stakeholders with the applicable data protection regulations. Over the last few months, the CNDP has started to issue warnings to some major data controllers in Morocco, asking them to comply with the provisions of Law No 09-08. The CNDP has also initiated some investigations into potential violations of the applicable regulations, specifically by data controllers that process significant amounts of personal data.

Cybersecurity, on the other hand, falls under a different regulator: the Information Systems Security Department within the Ministry of Defence. This regulator is in charge of monitoring, providing guidance and receiving complaints relating to the information systems security of entities that are within the scope of Law No 05-20 on cybersecurity.

The CNDP has the authority to investigate incidents related to the protection of personal data, and to refer cases to the public prosecutor to initiate proceedings against any suspected offender. In addition to police officers, specially commissioned and duly sworn officers of the CNDP may search for and formally record violations in official reports.

Non-compliance with Law No 09-08 on the protection of individuals with regard to the processing of personal data is subject to a fine ranging from MAD10,000 to MAD600,000 and/or imprisonment of between three months and four years. The CNDP typically sends a warning to the data controller prior to any measure that may result in a fine or imprisonment.

In addition to these fines, legal persons may be punished with one of the following penalties:

  • the partial confiscation of their property; or
  • seizure of objects and items where the production, use, carrying, holding or selling of such is an offence; or
  • the closure of the establishment(s) of the legal person where the offence was committed.

The CNDP has addressed warning letters to some entities that process large amounts of personal data and/or sensitive personal data. Most of these warnings have been addressed to data controllers such as hotels, pharmaceutical companies, public universities, and other public entities.

Privacy-related litigation in Morocco remains limited, reflecting both the still-developing nature of data protection awareness and the fact that the national authority acts mainly as an educator at this stage.

Individuals may file complaints when their rights to access, rectify or object are denied, and the data protection authority has the power to order corrective measures or refer cases to the public prosecutor for potential criminal proceedings. As a result, many disputes are resolved at the administrative stage, with formal court proceedings arising only when the matter escalates into a criminal offence.

There is no major privacy-related case law in Morocco due to the limited number of litigation cases related to the subject.

Examples of recent court cases do however illustrate an emerging awareness. In one instance, individuals who had been filmed without their consent during the shooting of a movie were awarded damages in court. In another instance, an individual appeared in a company’s promotional magazine without having given prior consent and successfully obtained damages in court.

There are no privacy-specific collective redress mechanisms in Morocco.

Morocco does not have a law specific to non-personal data. The main law that can apply to both personal and non-personal data in Morocco is Law No 05-20 on cybersecurity, which applies to the sensitive information systems owned by a public entity or a critical infrastructure.

Cybersecurity regulations define critical infrastructures as installations, structures and systems that are essential to the maintenance of the vital functions of society, health, safety, security and economic or social well-being, where damage, unavailability or destruction of this infrastructure could result in the failure of these vital functions. The same regulations define public entities as administrations, local authorities, state-owned enterprises and any other legal entity governed by public law.

Moroccan regulations do not specify how mixed datasets that include personal data and are also subject to the cybersecurity framework should interact. Consequently, the obligations apply cumulatively. Where personal data is involved, Law No 09‑08 governs the legal basis and confidentiality requirements for processing. In parallel, Law No 05‑20 imposes security and resilience measures on in‑scope entities’ information systems, irrespective of whether the data is personal or non‑personal.

This is not applicable in Morocco.

The General Directorate of Information Systems Security (La Direction Générale de la Sécurité des Systèmes d'Information – DGSSI) is Morocco’s national cybersecurity authority, operating under the administration of National Defence. It is responsible for implementing the framework established by Law No 05‑20 on cybersecurity, including defining and overseeing organisational and technical measures to strengthen the security and resilience of information systems used by public entities and critical infrastructures.

Cookies and similar tracking technologies are regulated only when they collect or contain personal data, such as an IP address or any identifier capable of linking the data to an identifiable individual. In such circumstances, the deployment of cookies constitutes processing of personal data and becomes subject to the obligations of Law No 09-08, including the requirement to file a notification or obtain prior authorisation from the CNDP, depending on the type and sensitivity of the data being processed. In this context, the data protection authority has issued Decision No D-939-2025, which provides for the possibility of filing a simplified form for specific processing involving cookies.

Direct marketing by means of automatic calling machines, fax machines, electronic mail or similar technologies is strictly regulated in Morocco. The law expressly prohibits the use of such communication channels when they rely on the contact details of a natural person who has not given their prior and explicit consent to receive promotional messages. Any unsolicited marketing communication using these technologies is therefore unlawful, regardless of the nature of the product or service being promoted.

Employers, in the same manner as any other data controller, are required to notify and/or obtain prior authorisation from the CNDP for each purpose for which they process the personal data of their employees.

The processing of employees’ personal data specifically for HR management purposes is subject to obtaining authorisation under Decision No 298-AU-2014 of the data protection authority. The decision provides a list of data that may be processed by employers for HR management purposes under a simplified authorisation request. If an employer processes any other data, for the same purpose or any other purpose, they are required to file a separate notification or authorisation request.

Employers are also required to obtain employees’ consent for the processing of their personal data and to inform them of the characteristics of the data processing, in accordance with the requirements set out in the applicable Moroccan regulations.

In Morocco, personal data processing in M&A transactions is subject to the general obligations of Law No 09-08, meaning that any review or transfer of personal data requires a lawful basis, transparency and adequate security measures. During due diligence, sellers may only disclose personal data that is necessary, proportionate and relevant to the transaction, and must ensure confidentiality through controlled access and contractual safeguards.

If a transaction results in a change of data controller, the new data controller is required to notify the data subjects and the CNDP of said change. Upon notification, the CNDP may require the new data controller to file new declarations and/or authorisation requests.

In theory, personal data transfers to countries specified by the data protection authority (see list below) can be completed freely, whereas transfers to any other countries are subject to obtaining authorisation from the same authority.

However, in practice, the CNDP requires prior authorisation to be obtained for data transfers to all countries, with the authorisation being more easily granted if the data is transferred to one of the countries specified in the CNDP’s list.

The transfer of personal data abroad requires an adequate level of protection for the privacy and fundamental rights and freedoms of individuals, particularly through standard contractual clauses governing the transfer.

The data protection authority’s list of countries is as follows: Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

Data controllers are required to obtain a separate transfer authorisation for each notified or authorised processing by the CNDP.

Data localisation requirements in Morocco are provided by the cybersecurity regulations and apply exclusively to sensitive information systems owned by a public entity or a critical infrastructure.

There are no blocking statutes in Morocco.

Morocco is continuously working towards joining the list of countries recognised by the EU as providing an adequate level of data protection, but it has not yet obtained a European Commission adequacy decision under the GDPR.

DLA Piper Casablanca

CFC Cube Tower
Casablanca Finance City
Casablanca
Morocco

+212 520 427 827

sara.essouar@dlapiper.com
www.dlapiper.com

Trends and Developments


Introduction

Personal data protection in Morocco is governed primarily by Law No 09-08 relating to the protection of individuals with regard to the processing of personal data. This law sets the main rules that apply when personal data is collected, stored, used, shared, or combined with other data. In everyday terms, it covers everything from keeping customer contact details, to running a website that remembers user preferences, to managing employee records, to handling medical files. The law is complemented by its implementing decree, Decree No 2-09-165 of 21 May 2009, which clarifies how the law is put into practice and how certain formalities work. Alongside these two texts, the National Commission for the Control of Personal Data Protection (Commission Nationale de Contrôle de Protection des Données à Caractère Personnel – CNDP) plays a central role. It is not only an institution that receives notifications and authorisation requests but also a body that issues decisions. These decisions translate broad legal principles into practical rules for specific, common situations and, in several cases, they set out simplified notification processes for a defined type of processing.

Why CNDP Decisions Matter

The practical decisions made by the CNDP matter because many of the questions raised by data protection are not abstract. People do not ask about definitions in a law book; they ask what a website may place on their phone, what a company may keep in a visitor log, whether a clinic may use a tool to follow up with patients, or how long a camera recording may be stored. The CNDP decisions answer these questions by giving a model that data controllers can follow, with clear boundaries. They typically specify the purpose that justifies the processing, the categories of people concerned, and the types of data that may be collected.

The five decisions issued in 2025

During 2025, the CNDP issued five decisions on different subjects, all dated 28 November 2025. Although the topics look diverse, they share a common purpose: to set practical compliance routes for common processing operations that affect a large number of people. The five decisions cover cookies stored on a user device, the management of newsletters, processing for patient follow-up, video surveillance inside healthcare establishments, and the collection of personal data in the context of access control to private professional premises. Read together, they show a regulator that is focused on situations that citizens encounter daily, and on the points where small design choices, such as what a form asks or for how long data is kept, can make a major difference for privacy.

Cookies

The decision on cookies addresses a reality of modern browsing: many websites store small files on a device to remember preferences, measure their audience, or support certain features. The CNDP model treats this as personal data processing when cookies relate to an identifiable person. It then limits the purposes for which the simplified declaration model can be used. Typical purposes that fit within the model include audience measurement and navigation statistics, personalisation of content or services based on previous choices, and the use of features that allow content to be shared on social networks. At the same time, the CNDP draws a firm line around profiling. If a data controller uses cookie data to build a personal profile of an internet user, such as to determine habits, preferences, or behaviour, the activity then requires prior authorisation. The distinction is easy to understand: counting visits and improving a service is one thing, building a profile of a specific person is another.

The cookie model also turns general principles into precise limits. It sets a maximum retention period of six months for data collected via cookies, after which the data should be deleted or made anonymous. It also deals with consent in a pragmatic way. The model indicates that consent is not required for every cookie purpose, but it is required for certain uses that are more intrusive or commercially sensitive, notably personalised advertising and social network sharing features. Consent must be expressed through a clear action and collected through simple and accessible means offered by the website. Just as important, refusal must be possible and must be respected.

Newsletters

A second decision issued in 2025 focuses on newsletters. Many data controllers send newsletters to customers, members, or the general public, and the processing behind this is often standard: collecting a name and contact details, creating mailing lists, and sending information. The CNDP model sets a simplified declaration route for this activity as long as the data controller stays within defined parameters. Under the model, the data may be used to constitute and use address lists for external information or communication actions, and to produce statistics related to newsletter campaigns. It is a practical reminder that even common marketing or information activities are still data processing and must follow rules.

Here too, the CNDP highlights a difference that matters in terms of public trust – sending information is not the same as analysing people. The model states that using subscriber data to establish a personal profile requires prior authorisation. In other words, if a newsletter becomes a tool to categorise, predict or influence individuals based on their behaviour, it is treated as higher risk. The decision also sets straightforward obligations that match what people expect from fair communication. Consent should be obtained, whether through a signature on a paper form or a box that a person actively checks online. Subscribers must be able to unsubscribe at any time through a simple mechanism, such as a link in each message. Data should be kept until the person unsubscribes, which aligns retention with the relationship chosen by the individual rather than with the convenience of the sender.

Patient follow-up

The third decision of 2025 addresses patient follow-ups, a domain where data is essential and where the stakes are high. Health information can reveal intimate details, and misuse can have serious consequences. The CNDP model is designed as a simplified authorisation request for processing used to manage and follow patients. It sets a list of purposes closely linked to care: taking medical appointments, monitoring the state of health of patients, medical diagnosis and therapeutic treatment, producing and communicating analysis results to patients or their legal representatives, following the patient pathway within healthcare establishments, and using telemedicine technologies for care and follow-up. By framing the purposes so tightly, the model emphasises that health data should be processed first and foremost to deliver care, not as a resource to be repurposed without control.

The patient follow-up model also signals that some uses of health data require an even higher level of scrutiny. It states that processing for purposes other than those listed must be subject to specific authorisation. It mentions, among excluded purposes, scientific research that is independent of medical follow-up, as well as the processing of genetic and genomic data. This distinction is important in a context where the line between care and research can become blurred, especially when data can be aggregated and analysed at scale. The model also describes the types of data that may be involved, ranging from identity data and contact details to financial information needed for payment, and of course, medical data concerning the patient’s health status. It insists on obtaining consent, informing patients, ensuring security and confidentiality, and controlling transfers abroad, reinforcing the idea that sensitivity calls for discipline at each step.

Video surveillance in healthcare establishments

The fourth decision issued in 2025 concerns video surveillance inside healthcare establishments. Cameras can sometimes play a role in care, for example when constant visual monitoring is necessary for patient safety, but the same cameras can also become intrusive if used without strict limits. The CNDP model applies when a healthcare establishment wants to install a video surveillance system to monitor patients and visitors, and staff who are in contact with these patients and visitors. It limits the processing to specific purposes: surveillance and control of patients, and monitoring interactions between staff and patients and visitors, notably during medical procedures. The framing is significant because it positions the camera system within a care context rather than as a general surveillance tool, while still acknowledging that such processing is sensitive and needs prior authorisation.

The safeguards in the healthcare camera model focus strongly on proportionality. Cameras must only be installed in spaces where constant visual monitoring of patients is necessary, or where medical follow-up requires ongoing visual control to ensure the administration and quality of care. The model also states that installation must not be excessive or intrusive with respect to staff. In particular, it cannot extend to areas reserved for staff and not accessible to patients and visitors, or more broadly, to areas where there is no interaction with patients and visitors. The model also sets a concrete retention rule: recordings should not be kept beyond six months after the patient leaves the establishment, unless another legal rule requires otherwise.

Access control logs

The fifth decision of 2025 deals with access control in private professional premises, a routine that many people experience without thinking of it as data processing. A visitor book at reception, a digital check-in system, or an access badge log can all create a record of who entered a place, when, and for what reason. The CNDP model starts by clarifying that any register or file containing personal data about visitors for access control purposes is personal data processing. It then restricts the acceptable purposes to verifying identity, controlling access, securing the premises and the people and goods inside, keeping time-stamped entry and exit information, and producing statistics about attendance. These are common sense purposes, but the clarification is important because access control logs can otherwise be quietly expanded into broader monitoring tools.

The access control model also shows how the CNDP applies data minimisation in a concrete way. It lists the data that may be collected, such as the visitor name, the date and time of the visit, the purpose of the visit, and the service and person visited. It sets a maximum retention period of one year unless another legal rule requires longer. Most strikingly, it addresses identity documents. If a security agent asks to see an identity document to verify identity, the model indicates that the agent has no right to retain the document and no right to make a copy. The CNDP considers keeping an identity card number or copying an identity document to be excessive and disproportionate for simple access control, which can be satisfied by consultation without retention.

What these five decisions have in common

Across the five decisions the CNDP repeatedly sets limits on purpose, it narrows what data may be collected, it links retention to necessity, and it insists on transparent information to individuals. It also repeatedly emphasises security and confidentiality and requires that subcontractors offer sufficient guarantees, often through contractual clauses. Finally, it consistently restricts transfers of personal data abroad without prior authorisation. These are not merely bureaucratic steps. They are practical levers that reduce the chance of misuse and the impact of incidents, and they also help create a shared language of trust between data controllers and data subjects.

A decision in preparation on artificial intelligence

In addition to these decisions, the CNDP announced on its website that it was preparing a decision on AI and data protection. As part of the preparatory work, the authority held hearings and meetings with different stakeholders, including political parties and professionals working on law, data and related subjects, in order to gather views before issuing guidance on this theme. The CNDP approach, as publicly presented, places emphasis on integrity, transparency, fairness and clarity in AI processing that uses personal data, and on ensuring that citizens have access to remedies. This upcoming decision is expected to address a subject that is increasingly visible to ordinary people, even when it remains invisible in daily interactions: automated decisions that can shape access to services, prioritisation, recommendations, or risk assessments.

A surveillance decision also announced

The CNDP website also announced that a surveillance decision is in the pipeline. This comes in a context where cameras have multiplied and where surveillance systems can now be connected, searched, and sometimes combined with advanced analytics. Morocco already has a first decision on video surveillance issued in 2013, which addressed the conditions necessary to implement a video surveillance system in workplaces and in private common areas. That 2013 framework set a security purpose as the main justification, required camera placement that avoids intrusion into private spaces, required visible information to people, and limited retention of images to a defined period. A new decision may cover areas that were not covered by the previous text, reflecting how surveillance has expanded in scope and technical capacity.

It may also take a more targeted form, focusing on CCTV cameras within a specific activity, much like the CNDP did in 2025 for healthcare establishments. The healthcare model shows how general technology can be treated differently depending on context, with rules tailored to the sensitivity of the environment and the concrete needs of an activity. A future surveillance decision could similarly clarify what safeguards are required in settings beyond workplaces and private common areas, or it could define stricter conditions for certain uses that raise particular concerns for privacy.

Conclusion

For data controllers, these developments provide more predictable parameters for compliance. The models clarify what is expected and reduce guesswork. For data subjects, they make rights more tangible. A person can better understand why a website asks for consent, why a clinic needs certain information, why a camera should not be placed everywhere, or why a receptionist should not photocopy an identity card. In this sense, the 2025 decisions and the announced work on AI and surveillance underline a basic expectation people have today – that personal data should be used carefully, the reasons for use should be explained, and unnecessary intrusion should be avoided.
