In brief: Cross-border transfer of personal data from Morocco is strictly regulated by Articles 43 and 44 of Law 09-08. Any company wishing to transfer data to a country without adequate protection must obtain prior authorization from the CNDP. Non-compliance can result in criminal penalties of up to 1 year of imprisonment and a fine of 200,000 MAD.
The chartered accountants at Upsilon Consulting assist international companies and subsidiaries of foreign groups in achieving compliance for their cross-border data transfers.
Why is international data transfer a critical issue?
With the globalization of business, Moroccan companies and subsidiaries of international groups transfer personal data across borders on a daily basis: centralized payroll, shared CRM systems, foreign cloud hosting, IT outsourcing. These data flows are subject to a strict legal framework in Morocco.
Law 09-08 on the protection of individuals with regard to the processing of personal data dedicates Articles 43 and 44 to international data transfers. The objective is to ensure that personal data of Moroccan residents benefits from an equivalent level of protection, regardless of the destination country.
The principle: prohibition unless adequate protection exists
Article 43 of Law 09-08 establishes a clear principle: personal data may only be transferred to a foreign state if that state ensures a sufficient level of protection for privacy, freedoms, and fundamental rights of individuals with regard to the processing of such data.
The adequacy of the level of protection is assessed by the CNDP taking into account:
- The nature of the data being transferred
- The purpose of the intended processing
- The duration of the processing
- The final destination country
- The legal and security rules in force in the destination country
- The professional rules and security measures applied
The CNDP publishes and updates the list of countries offering an adequate level of protection. European Union countries are generally considered to offer a sufficient level, given the existence of the GDPR.
Exceptions: when transfers are allowed without adequate protection
Article 44 provides for derogations allowing transfers even to a country that does not offer a sufficient level of protection, when:
- The data subject has given explicit consent to the proposed transfer
- The transfer is necessary for the performance of a contract between the data subject and the data controller
- The transfer is necessary to safeguard the public interest
- The transfer is necessary for the establishment, exercise, or defense of legal claims
- The transfer is necessary to protect the vital interests of the data subject
- The transfer is made from a public register
Outside these exceptions, the data controller must obtain prior authorization from the CNDP.
The CNDP authorization process
To obtain CNDP authorization for an international transfer, the company must:
1. Submit an authorization request
The request must be addressed to the CNDP and include:
- Full identification of the data controller in Morocco
- Identification of the data recipient in the foreign country
- The nature of the data being transferred
- The purpose of the transfer
- The destination country
- The security measures implemented
2. Provide sufficient safeguards
The data controller must demonstrate that sufficient safeguards are in place to protect the data. These safeguards can take several forms:
- Standard Contractual Clauses (SCCs): standardized contracts between the data exporter and importer, imposing protection obligations. The CNDP has published model clauses inspired by international standards.
- Binding Corporate Rules (BCRs): internal policies adopted by a multinational group to govern intra-group transfers. These rules must be approved by the CNDP.
- Sectoral codes of conduct: adopted by professional associations and validated by the CNDP.
3. Await the CNDP decision
The CNDP has a set period to review the request. If no response is received within the legal deadline, silence constitutes a refusal. It is therefore essential to compile a complete file and plan ahead for processing times.
Practical implications for businesses
Subsidiaries of international groups
Moroccan subsidiaries of foreign groups are particularly affected. Transferring HR data to the parent company (payroll, performance reviews, disciplinary files), sharing customer databases with other group entities, or using centralized ERP systems all constitute transfers subject to authorization.
Recommendation: implement BCRs covering all intra-group data flows and have them validated by the CNDP.
Cloud services (AWS, Azure, Google Cloud)
Using cloud services with servers located abroad constitutes an international data transfer under Law 09-08. Even if the cloud provider is contracted through a local entity, the data physically transits outside Moroccan territory.
Recommendation: prioritize datacenter regions offering adequate protection levels, include standard contractual clauses in cloud provider agreements, and declare the transfer to the CNDP.
Outsourcing to foreign countries
Outsourcing services (accounting, call centers, IT development) to foreign providers often involves transferring personal data. The Moroccan data controller remains fully responsible for the protection of data entrusted to the subcontractor.
Recommendation: include data protection clauses in all international outsourcing contracts and verify the provider’s security measures.
Penalties for illegal transfers
Articles 60 and 61 of Law 09-08 provide for severe penalties for unauthorized international transfers:
| Offense | Criminal penalty | Fine |
|---|---|---|
| Transfer to a country without adequate protection without authorization | 3 months to 1 year imprisonment | 20,000 to 200,000 MAD |
| Obstruction of CNDP inspections | 3 months to 6 months imprisonment | 10,000 to 50,000 MAD |
These penalties apply to the data controller, meaning the company director or the legal entity itself. In case of repeat offenses, penalties may be doubled.
How Upsilon Consulting can help
The chartered accountants and legal advisors at Upsilon Consulting assist you with:
- Auditing your cross-border data flows to identify transfers requiring authorization
- Drafting standard contractual clauses tailored to your business relationships
- Preparing and filing the authorization application with the CNDP
- Implementing Binding Corporate Rules for multinational groups
- Training your teams on data transfer best practices
Contact Upsilon Consulting for a compliance assessment of your international data transfers.