Law No. 09-08 sets comprehensive obligations on every organisation that processes personal data in Morocco — including cross-border transfer restrictions, prior authorisation for sensitive data, and mandatory CNDP notification. SCOVR keeps all communications data inside Morocco, satisfying the law's core residency and security requirements by architecture, not by policy.
Unlike the post-GDPR accountability model, Moroccan law requires organisations to notify or obtain authorisation from CNDP before processing begins — making pre-deployment compliance assessment essential for every communications platform deployed in Morocco.
Promulgated in February 2009 and implemented by Decree n° 2-09-165, Law 09-08 is Morocco's primary personal data protection statute. It is supervised and enforced by the CNDP — Commission Nationale de contrôle de la protection des Données à caractère Personnel — an independent administrative authority with powers to issue formal notices, conduct investigations, impose administrative sanctions, and refer cases for criminal prosecution. The law applies to any processing of personal data carried out in Morocco or by a controller established in Morocco, regardless of where the data is stored or processed.
Authority: CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) — independent administrative authority with investigative and sanctioning powers.
Prior notification: Standard processing activities must be declared to CNDP before commencement (Art. 18). Certain categories require prior authorisation rather than simple notification.
Sensitive data: Health data, genetic data, biometric identifiers, racial or ethnic origin, political opinions, religious beliefs, criminal records — all require prior CNDP authorisation under Arts. 19–22.
Cross-border transfers: Transfers to countries without adequate protection require prior CNDP authorisation under Art. 23. Adequate countries include EU/EEA states and those on CNDP's approved list.
Fines: Criminal fines from MAD 10,000 to MAD 300,000 under Arts. 38–40. Administrative sanctions also available for procedural violations including failure to notify CNDP.
Imprisonment: One month to two years for intentional violations. Sentences are doubled for repeat offences or where the violation prejudices national security or public order.
Data subject rights: Right of access (Art. 12), rectification (Art. 13), opposition (Art. 14), and objection to automated decision-making (Art. 15) — all must be exercisable without charge.
Security obligation: Arts. 29–30 require appropriate technical and organisational measures proportionate to the nature of the data and the risks of the processing.
Law 09-08 is modelled directly on the 1995 EU Data Protection Directive — the predecessor to the GDPR — rather than on the GDPR itself. This means the core principles of purpose limitation, data minimisation, proportionality, and data subject rights are structurally identical to those embedded in the GDPR, but the procedural model is different: notification and prior authorisation rather than accountability and DPOs. Organisations already operating under the GDPR or UK GDPR will recognise every substantive obligation — the difference lies in how compliance is demonstrated to the regulator.
Every key obligation that touches communications infrastructure is addressed at the platform level — architecture first, documentation second.
Art. 23 of Law 09-08 prohibits the transfer of personal data to a country that does not provide an adequate level of protection, unless CNDP grants prior authorisation. Every foreign-headquartered cloud messaging service, video conferencing platform, or file sharing tool that routes Moroccan data through servers outside Morocco — or that is operated by a company subject to another jurisdiction's laws — constitutes a potential cross-border transfer requiring CNDP clearance.
The exposure is not limited to where servers are physically located. A company headquartered in the United States remains subject to US law regardless of where it operates servers. US authorities can compel production of data held anywhere in the world. Using such a platform for Moroccan communications creates legal exposure regardless of contractual assurances.
SCOVR resolves this by design. The platform is deployed on servers physically inside Morocco, under Moroccan law, with no foreign parent company holding rights over the infrastructure. Internal communications between any Moroccan organisations on sovereign infrastructure never trigger Art. 23. For communications with external counterparties — international partners, foreign governments, overseas clients — the federated architecture ensures that each organisation's server processes only its own users' data, with message content encrypted end-to-end. No Moroccan personal data is transferred to or processed by the foreign server.
All data — messages, files, voice recordings, call metadata, user profiles — is stored on servers physically inside Morocco. The cross-border transfer prohibition is satisfied architecturally, before any legal analysis is required.
Internal communications between Moroccan organisations never require Art. 23 authorisation. A single Art. 18 notification covers the deployment. Regulatory overhead is minimised without any legal risk-taking.
No US-headquartered parent, no French cloud operator, no multinational platform processes Moroccan data. The platform is self-hosted — your jurisdiction's laws govern, and no foreign authority has a legal basis for access.
Communications between government ministries, regulated financial institutions, healthcare providers, and their counterparts within Morocco — none of it ever leaves the country. Sovereignty is preserved by the architecture, not by a contractual clause.
Every deployment includes a pre-built CNDP notification package — processing description, data categories, retention schedule, security measures, and DPA-equivalent controller identification — submitted before the first message is sent.
Messaging, video conferencing, file sharing, and data hosting: four categories of personal data processing that trigger Law 09-08 obligations, all addressed by a single sovereign platform.
Every message is encrypted end-to-end before leaving the sender's device. No server operator can read content. Personal data in messages — names, IDs, financial details, health information — is protected and processed only within Morocco.
Encrypted voice and video calls hosted on sovereign infrastructure. Meeting content is never stored on foreign servers. Communications between government entities, regulated firms, and their advisors remain entirely within Morocco.
Documents, contracts, reports, and sensitive records are shared within encrypted channels on sovereign servers. Role-based access controls ensure only authorised recipients retrieve files. No foreign platform operator processes the data.
All data — messages, files, call records, user profiles, audit logs — is hosted in Morocco on shared multi-tenant infrastructure restricted to authorised users within your organisation. No cross-border residency risk, no Art. 23 exposure.
CNDP compliance is not solely an architectural question. The prior-notification model requires complete processing documentation to be ready before the first message is sent.
Pre-built Art. 18 notification documentation covering: controller identity, processing purposes, data categories, retention periods, security measures, and transfer assessment. Ready for submission to CNDP before deployment begins.
For organisations processing sensitive personal data — health records, biometrics, criminal data — the platform provides the zero-knowledge architecture evidence required to support a prior authorisation request to CNDP, demonstrating no operator access to sensitive content.
Platform and operational processes certified to ISO/IEC 27001:2022 — providing internationally recognised evidence of technical and organisational security measures that satisfies the Arts. 29–30 proportionality standard and supports CNDP's security assessment framework.
Specific answers to the Law 09-08 questions that legal, compliance, and technology teams across Morocco ask most often.
Book a private briefing with our CNDP compliance team. We will design a deployment that satisfies Law 09-08 — notification-ready, transfer-compliant, and architecturally sovereign — before processing begins.