Understanding Morocco’s Law 09-08: A Comprehensive Guide to Data Protection Compliance
Introduction
When it comes to protecting personal data, Morocco has a well-defined legal framework in place. At its core is Law No. 09-08 (hereinafter referred to as “the law”), enacted on February 18, 2009, and supported by its implementing Decree No. 2-09-165 of May 21, 2009. Together, they form the backbone of Morocco’s data protection regime, outlining how personal information must be collected, processed, and stored.
The law ensures transparency, accountability, and security in the way organizations handle data. By setting clear obligations for data controllers and processors, Morocco aims to safeguard individuals’ rights and strengthen trust in both digital and business environments.
1. Scope & Applicability
The law applies broadly to the processing of personal data, whether done fully or partly through automated systems, as well as to non-automated processing of personal data contained or to be contained in manual files.
It covers situations where:
1) The data controller is based in Morocco
- This includes any natural or legal person whose management is established on Moroccan territory.
2) The data controller is based outside Morocco but uses means within Morocco
- Applies when personal data is processed, whether automated or not, using equipment or resources located in Morocco.
- This does not apply if the processing is solely for data transit purposes through Moroccan territory or through a country with equivalent data protection laws.
In the case referred to in paragraph 2 above, the data controller must notify the National Commission of the identity of a representative established in Morocco who, without prejudice to the controller's own liability, replaces the controller in all rights and obligations arising from the provisions of the law and the texts adopted for its application.
2. Data Quality & Prior Consent of the Data Subject
The law ensures that personal data is collected, stored, and used responsibly.
Key principles under Article 3:
Personal data must be:
- Processed fairly and lawfully.
- Collected for specific, explicit, and legitimate purposes and not used in ways that are incompatible with those purposes.
- Adequate, relevant, and not excessive in relation to the stated purpose.
- Accurate and up to date, with all reasonable steps taken to ensure that inaccurate or incomplete data is erased or rectified.
- Stored only as long as necessary, and kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or subsequently processed.
The National Commission may allow data to be stored for longer periods if there’s a legitimate interest, such as for historical, statistical, or scientific purposes. It’s the data controller’s responsibility to ensure these rules are followed.
Conditions for the Lawful Processing and Disclosure of Personal Data under Article 4:
Personal data may only be processed if the data subject has unambiguously given their consent to the specific operation(s) envisaged.
Personal data undergoing processing may only be disclosed or communicated to a third party for purposes directly related to the functions of both the transferor and transferee, and only with the prior consent of the data subject.
Consent of the data subject is not required if the processing is necessary for:
- Compliance with a legal obligation to which the data subject or the data controller is subject;
- The performance of a contract to which the data subject is a party, or in order to take pre-contractual measures at the request of the data subject;
- Safeguarding the vital interests of the data subject where they are physically or legally incapable of giving consent;
- The performance of a task carried out in the public interest, or in the exercise of official authority vested in the data controller or the third party to whom the data is disclosed;
- Achieving the legitimate interests pursued by the controller or the recipient, provided such interests do not override the rights and fundamental freedoms of the data subject.
3. The Rights of the Data Subject
The law grants data subjects several rights to ensure their personal information is collected and used transparently, lawfully, and securely.
1. Right to Information at the Time of Data Collection (Article 5)
Whenever an organization collects personal data directly from a person, it must provide that person with clear, precise, and unambiguous information about the processing.
2. Right of Access (Article 7)
Individuals, after proving their identity, have the right to request from the data controller:
- Confirmation of whether their data is being processed.
- The purposes of processing, the categories of data involved, and who receives it.
- A clear, understandable copy of their personal data and, where possible, its source.
- Information about the logic behind any automated processing.
The controller must respond without undue delay and free of charge, unless the request is manifestly abusive (e.g., excessive in number or repetitive).
3. Right of Rectification (Article 8)
If personal data is incomplete, inaccurate, or unlawfully processed, the data subject can request:
- Rectification, updating, erasure, or blocking of the data within 10 days (at no cost).
- Notification to third parties who received the data about the corrections made, unless this is impossible.
If the controller refuses or fails to respond within 10 days, the individual can submit a rectification request to the National Commission, which will investigate and ensure the corrections are made.
4. Right to Object (Article 9)
The data subject, upon proof of identity, may:
- Object, on legitimate grounds, to the processing of their personal data.
- Object, free of charge, to the use of their data for canvassing purposes, particularly commercial marketing, whether by the current controller or a future one.
This right does not apply when the processing is required by law or when the law expressly excludes it.
5. Prohibition of Direct Marketing Without Consent (Article 10)
Direct marketing is prohibited unless the data subject has given prior, specific, and informed consent.
Email marketing is permitted without prior consent only if:
- Contact details were obtained directly from the individual during a sale or service.
- The marketing concerns similar products or services from the same provider.
- The recipient is offered a clear, simple, and free way to opt out both at the time their details are collected and in every message sent.
In all cases, it is prohibited to:
- Hide the identity of the sender.
- State a purpose unrelated to the service offered.
- Fail to include valid contact details for opt-out requests.
4. Obligations of Data Controllers (Article 12)
The processing of personal data in Morocco is subject to strict rules, including cases where prior authorization is required.
When Prior Authorization is Required
Data controllers must obtain prior authorization from the National Commission before processing personal data in the following cases:
- Sensitive Data: This includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health.
- Processing Data for New Purposes: If personal data is used for purposes different from the ones for which it was originally collected.
- Genetic Data: Except when used by healthcare professionals for medical purposes such as preventive care, diagnosis, or treatment.
- Data on Offences, Convictions, or Security Measures: Except when handled by court officials as part of their legal duties.
- Data Containing the National Identity Card Number: Any processing that involves the person’s official national ID number.
- File Interconnection: Linking files held by one or more public service entities that serve different public interest purposes, or linking files held by private or other legal entities that have different primary purposes.
Section 1 – Prior Declaration (Articles 13–20)
- Art. 13–14: Before processing personal data, controllers must file a declaration with the National Commission.
- Art. 15: The declaration must include details such as the identity of the controller, the purpose of the processing, the categories of data, the recipients, any transfers abroad, the retention period, the rights of individuals, and the security measures in place.
- Art. 16–17: Some low-risk or non-automated processing can follow simplified declarations, as defined by the Commission.
- Art. 18: Registers created for public information (e.g., official public lists) are exempt but must still have a responsible controller.
- Art. 19: The Commission issues a receipt within 24 hours, after which processing may start.
- Art. 20: If processing risks privacy/fundamental rights, the Commission can require prior authorization instead of just declaration.
Section 2 – Prior Authorization (Articles 21–22)
- Art. 21: Processing of sensitive data (e.g., health, ethnicity, religion, criminal data, etc.) requires authorization by law or the Commission.
- Art. 22: Health-related processing is allowed with a declaration if for medical care, diagnosis, or health services, carried out by professionals under secrecy obligations.
Section 3 – Security & Confidentiality (Articles 23–26)
- Art. 23: Controllers must apply technical and organizational measures to protect data against unauthorized access, loss, or misuse. Contracts with processors must ensure compliance.
- Art. 24: Extra safeguards are required for sensitive/health data (e.g., access controls, transmission controls, logging of data entry, transport security).
- Art. 25: Anyone handling data (controller or processor) can only process it on instructions of the controller, unless required by law.
- Art. 26: Controllers and anyone accessing personal data are bound by professional secrecy, even after leaving their duties.
5. Transfer of Personal Data to a Foreign Country
A data controller in Morocco may only transfer personal data to another country if that country provides an adequate level of protection for individuals’ privacy, fundamental rights, and freedoms in relation to processing of such data.
When deciding whether a country offers adequate protection, several factors are considered, including:
- The laws and regulations in force in that country.
- The security measures implemented to protect personal data.
- The specific characteristics of the processing such as its purpose and duration.
- The nature, origin, and destination of the personal data being processed.
Transfers to Countries Without Adequate Protection
In certain cases, personal data may be transferred to a country that does not meet the adequacy requirements, if:
1. The individual has given explicit consent, or if the transfer is necessary for:
- Safeguarding the person’s life.
- Protecting the public interest.
- Fulfilling obligations for the establishment, exercise, or defense of legal claims.
- Performing a contract between the data controller and the individual, or taking pre-contractual steps at the individual’s request.
- Concluding or performing a contract, in the individual’s interest, between the controller and a third party.
- Executing an international judicial assistance measure.
- Preventing, diagnosing, or treating medical conditions.
2. The transfer is made under a bilateral or multilateral agreement to which the Kingdom of Morocco is a party.
3. The transfer has express, reasoned authorization from the National Commission, where the processing provides adequate safeguards - particularly through contractual clauses or internal rules that protect privacy and fundamental rights.
6. Penalties & Consequences for Non-Compliance
Morocco’s data protection law imposes strict penalties including fines, imprisonment, or both for violations of personal data processing rules. These sanctions apply to individuals, organizations, and in some cases, legal entities.
1. Fines for Non-Declaration or Continuing After Withdrawal
- Implementing a personal data file without the required declaration or authorization.
- Continuing to process data after authorization is withdrawn.
- Fine: DH 10,000 – DH 100,000.
2. Denial of Data Subject Rights
- Refusing to honour access, rectification, or objection rights (Articles 7–9).
- Fine: DH 20,000 – DH 200,000 per offence.
3. Fraudulent Data Collection or Misuse
- Collecting data unlawfully, using it for undeclared purposes, or engaging in incompatible further processing.
- Penalty: 3 months to 1 year imprisonment and/or DH 20,000 – DH 200,000 fine.
4. Retention Beyond Legal Limits
- Keeping personal data longer than legally permitted or stated in the declaration.
- Penalty: 3 months to 1 year imprisonment and/or DH 20,000 – DH 200,000 fine.
The same penalties apply to the processing, for purposes other than historical, statistical, or scientific, of personal data kept beyond the period mentioned above.
Under Article 56, processing personal data without meeting the legal conditions (Article 4 – lawful grounds for processing) is punishable by 3 months to 1 year imprisonment and/or a fine of 20,000–200,000 dirhams.
5. Processing Without Safeguards
- Failing to implement required security measures (Articles 23–24).
- Penalty: 3 months–1 year imprisonment and/or DH 20,000 – DH 200,000 fine.
6. Processing Despite Legitimate Opposition
- Continuing processing despite a valid objection from the individual, especially for direct marketing or electronic solicitation.
- Penalty: 3 months to 1 year imprisonment and/or DH 20,000 – DH 200,000 fine.
7. Illegal Data Transfers Abroad
- Transferring personal data to a foreign country in violation of Articles 43 and 44.
- Penalty: 3 months to 1 year imprisonment and/or DH 20,000 – DH 200,000 fine.
8. Sensitive Data Without Consent
Processing without consent of the data subject
- Covers personal data revealing racial/ethnic origin, political/philosophical/religious opinions, or trade union membership, and health data.
- Penalty: 3 months to 1 year imprisonment and/or fine of 50,000–300,000 dirhams.
Processing data relating to offences, convictions, or security measures
- Treated with the same penalties as above (imprisonment 3 months to 1 year and/or fine 50,000–300,000 dirhams).
Under Article 58
- Processing personal data without implementing the required security measures (Articles 23 & 24).
- Penalty: 3 months to 1 year imprisonment and/or fine of 20,000–200,000 dirhams.
Under Article 59
- Processing data despite a person's legitimate objection (Article 9), or using it for unsolicited marketing/canvassing (Article 10).
- Penalty: 3 months to 1 year imprisonment and/or fine of 20,000–200,000 dirhams.
Under Article 60
- Transferring personal data abroad in violation of Articles 43–44 (no adequate protection or authorization).
- Penalty: 3 months to 1 year imprisonment and/or fine of 20,000–200,000 dirhams.
Under Article 61
- A controller, processor, or staff member misusing data (even by negligence), enabling fraudulent use, or sharing it with unauthorized third parties.
- Penalty: 3 months to 1 year imprisonment and/or fine of 20,000–200,000 dirhams.
- The court may also order seizure of equipment used and deletion of the data involved in the offence.
9. Negligent or Fraudulent Misuse of Data (Article 62)
- Causing, facilitating, or allowing unauthorized access or use of data.
- Penalty: 3 months to 1 year imprisonment and/or DH 20,000 – DH 200,000 fine.
The court may also order equipment seizure or deletion of unlawfully processed data.
10. Obstructing the National Commission
- Refusing inspections, withholding documents, or blocking investigations.
- Penalty: 3 to 6 months imprisonment and/or DH 10,000 – DH 50,000 fine.
11. Failure to Implement Commission Decisions
- Penalty: 3 months to 1 year imprisonment and/or DH 10,000 – DH 100,000 fine.
12. Legal Entities
If the offender is a legal entity:
- Fines are doubled.
- Additional penalties may include asset confiscation, partial closure, or facility shutdown.
13. Repeat Offences
- All penalties are doubled in case of repeat offences within one year of conviction.
14. Investigation Authority
- In addition to judicial police officers, specially appointed and sworn agents of the National Commission can investigate violations and report them to the Public Prosecutor within 5 days.
Conclusion
Morocco’s Law No. 09-08 sets a clear and comprehensive framework for protecting personal data, balancing the rights of individuals with the operational needs of organizations. By defining strict rules on consent, transparency, security, cross-border transfers, and accountability, the law not only aligns Morocco with global privacy standards but also builds public trust in both government and private sector data practices.
Organizations that proactively implement robust privacy measures, conduct regular compliance reviews, and engage with the National Commission in good faith can avoid severe penalties while enhancing their reputation.
In an era where data is both a vital asset and a potential liability, aligning with Law No. 09-08 is a strategic investment in security, customer confidence, and long-term success.
About Ardent Privacy
Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, deliver meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low-code platform to automate privacy and AI governance, rapid discovery of sensitive data, and consent management, with a regional focus for global regulations.