TheArtOfService
Back to Frameworks

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data

Self-Assess
Morocco
v2009 (original) / 2020 (amended by Decree No. 2-20-03)
8 domains
8 controls

Law No. 09-08 (2009) establishes Morocco's data protection framework, creating the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) as the supervisory authority. The law defines data subject rights (access, rectification, opposition, erasure), obligations for data controllers and processors, requirements for lawful processing, cross‑border data transfer restrictions, security measures, and administrative penalties. It was amended by Decree No. 2-20-03 in 2020, which updated provisions on data breach notification, electronic communications, and introduced additional safeguards for sensitive data. The law aligns with many principles of the EU GDPR but is not considered fully equivalent.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (8)

Cross-Border Transfer + CNDP Authorisation + Adequacy

1 controls
Controls in the Cross-Border Transfer + CNDP Authorisation + Adequacy domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Cross-Border-Data-Transfer-Authorisation-Article-43-44-CNDP-Adequacy-SCC-BCRMorocco Law 09-08 Cross-Border Transfer + CNDP Authorisation + Adequacy + SCC

DPO + Sanctions + Convention 108 + Modernisation

1 controls
Controls in the DPO + Sanctions + Convention 108 + Modernisation domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-DPO-Correspondent-Sanctions-Convention-108-Modernisation-Articles-15-31-32-CNDP-InvestigationsMorocco Law 09-08 DPO Correspondent + Sanctions + Convention 108 + Modernisation + Articles 15-32

Lawful Basis + Consent + Notice + Article 4-6

1 controls
Controls in the Lawful Basis + Consent + Notice + Article 4-6 domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Lawful-Basis-Consent-Notice-Information-Article-4-5-6-Specific-Informed-UnambiguousMorocco Law 09-08 Lawful Basis + Consent + Notice + Article 4-5-6 + Specific Informed

Prior Declaration + Authorisation + CNDP + Public Register

1 controls
Controls in the Prior Declaration + Authorisation + CNDP + Public Register domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Prior-Declaration-Authorisation-CNDP-Article-12-Notification-Registration-Public-RegisterMorocco Law 09-08 Prior Declaration + Authorisation + CNDP + Article 12 + Public Register

Scope + Law 09-08 + Dahir 1-09-15 + CNDP + Convention 108

1 controls
Controls in the Scope + Law 09-08 + Dahir 1-09-15 + CNDP + Convention 108 domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Scope-Application-Law-09-08-Dahir-1-09-15-18-February-2009-Effective-23-November-2009-CNDP-Convention-108Morocco Law 09-08 Scope and Application + Dahir 1-09-15 + 18 February 2009 + CNDP

Security + Subcontractor + Retention + CCTV + Cookies

1 controls
Controls in the Security + Subcontractor + Retention + CCTV + Cookies domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Security-Subcontractor-Retention-Video-CCTV-Workplace-Cookies-Marketing-Articles-23-30Morocco Law 09-08 Security + Subcontractor + Retention + Video CCTV + Cookies + Marketing

Sensitive Data + Biometric + Whistleblower + Article 12

1 controls
Controls in the Sensitive Data + Biometric + Whistleblower + Article 12 domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Sensitive-Data-Biometric-Access-Whistleblower-Articles-12-Authorisation-Special-CategoriesMorocco Law 09-08 Sensitive Data + Biometric + Whistleblower + Authorisation

Subject Rights + Access + Correction + Object + Article 7-11

1 controls
Controls in the Subject Rights + Access + Correction + Object + Article 7-11 domain of Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data1 controls
CodeTitle
MA-0908-Data-Subject-Rights-Access-Correction-Erasure-Object-Article-7-8-9-10-11-30-Day-SLAMorocco Law 09-08 Data Subject Rights + Access + Correction + Erasure + Object + Article 7-11

Frequently Asked Questions

What is Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data?

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data is a compliance framework from Morocco with 8 domains and 8 controls. Law No. 09-08 (2009) establishes Morocco's data protection framework, creating the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) as the supervisory authority. The law defines data subject rights (access, rectification, opposition, erasure), obligations for data controllers and processors, requirements for lawful processing, cross‑border data transfer restrictions, security measures, and administrative penalties. It was amended by Decree No. 2-20-03 in 2020, which updated provisions on data breach notification, electronic communications, and introduced additional safeguards for sensitive data. The law aligns with many principles of the EU GDPR but is not considered fully equivalent. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data have?

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data has 8 controls organised across 8 domains. The largest domains are Cross-Border Transfer + CNDP Authorisation + Adequacy (1 controls), DPO + Sanctions + Convention 108 + Modernisation (1 controls), Lawful Basis + Consent + Notice + Article 4-6 (1 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data map to?

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data compliance?

Start your Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 8 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required