Protect Your Clients’ and Employees’ Personal Data
Law 09-08 on the protection of individuals with regard to the processing of personal data imposes strict obligations on every business operating in Morocco. Non-compliance exposes your company to administrative, financial, and criminal penalties.
Upsilon Consulting supports you in achieving full compliance with the requirements of the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).
Our CNDP Compliance Services
CNDP Compliance Audit
We conduct a comprehensive assessment of your personal data processing activities:
- Mapping of all personal data processing operations
- Identification of sensitive data (health, racial or ethnic origin, political opinions, religious beliefs, genetic and biometric data)
- Assessment of the lawfulness of processing under Law 09-08
- Verification of compliance with data subjects’ rights (consent, information, access, rectification, objection)
- Review of existing security measures
Declarations and Prior Authorizations
The CNDP distinguishes between two regimes depending on the nature of the data processed:
Prior declaration — mandatory for all non-sensitive personal data processing. We handle the preparation and filing of your declaration with the CNDP.
Prior authorization — required for processing involving:
- Sensitive data
- National Identity Card (CIN) data
- Interconnection of files with different purposes
- Transfer of data to countries without an adequate level of protection
Operational Compliance
- Drafting of information notices and consent forms
- Implementation of procedures for exercising data subjects’ rights
- Defining data retention periods
- Strengthening technical and organizational security measures
- Training your teams on data protection best practices
Ongoing Support
- Regulatory monitoring of changes in Moroccan data protection legislation
- Assistance in the event of a CNDP inspection
- Updating declarations and authorizations when processing changes
Why Choose Upsilon Consulting?
Our chartered accounting firm in Casablanca has in-depth knowledge of the Moroccan regulatory environment. Our multidisciplinary approach — accounting, tax, and legal — allows us to address data protection within the broader context of your company’s compliance.
We work with Moroccan SMEs, subsidiaries of international groups, and startups that need to comply quickly with CNDP requirements.
Contact us for a free assessment of your situation under Law 09-08.
Frequently Asked Questions
Who is subject to Law 09-08?
Any natural or legal person, public or private, that processes personal data on Moroccan territory or uses means located in Morocco to carry out such processing.
What are the penalties for non-compliance?
The CNDP can issue warnings, formal notices, withdrawal of authorization, and fines. Criminal penalties are also provided for under Law 09-08, including potential imprisonment.
How do I file a declaration with the CNDP?
Declarations are filed with the CNDP, 6 Boulevard Annakhil, Rabat, or electronically. Upsilon Consulting handles the entire procedure on your behalf.
Learn more
- Law 09-08 — full text and analysis
- CNDP leaflet — personal data protection
- CNDP and Law 09-08: comprehensive guide for businesses in Morocco
- CNDP declarations and authorizations: practical guide
- International transfer of personal data in Morocco
- CNDP sanctions: criminal risks and fines
- Law 09-08 and foreign companies in Morocco
