Morocco Law 09-08

Law 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data

Morocco's data protection law establishing rights regarding automated decision-making and requiring parental consent for children's data processing.

Jurisdiction

Morocco

Enacted

Feb 18, 2009

Effective

Jan 1, 2011

Enforcement

Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP)

CNDP (Morocco Data Protection Authority)

Why It Matters

Morocco is a key North African market. Automated decision-making rights apply to AI chatbots, requiring transparency and appeal mechanisms.

At a Glance

Applies to

AI CompanionMental Health AppGeneral Chatbot

Requires

Transparency User Rights

Who Must Comply

Controllers and processors of personal data in Morocco
Entities processing data of Moroccan residents
Automated systems making decisions about individuals

Obligations fall on:

Safety Provisions

Right to object to automated decision-making
Parental consent required for children's personal data
Prior authorization required from CNDP for sensitive data processing
Security measures required for data protection
Cross-border transfer restrictions

Compliance & Enforcement

Penalties

criminal liability

Criminal liability

Primary Source

CNDP (Morocco Data Protection Authority)

https://www.cndp.ma/

View on map

Morocco

Focus Areas

Mental health & crisis

Child safety

Algorithmic accountability

Cite This

APA

Morocco. (2009). Law 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data.

Related Regulations

In Effect ZM

Zambia DPA

Zambia's comprehensive data protection law with special protections for vulnerable persons and DPIA requirements for high-risk processing.

In Effect BW

Botswana DPA

Botswana's modernized data protection law requiring Data Protection Impact Assessment and establishing age 16 for consent.

In Effect SC

Seychelles DPA

Seychelles' modern data protection law requiring DPO for large-scale processing and recognizing Cross-Border Privacy Rules certification.

In Effect RW

First African country to adopt comprehensive national AI policy. Establishes Responsible AI Office (RAIO) under MINICT. Implements RURA ethical guidelines covering beneficence, non-maleficence, autonomy, justice, explicability, transparency. Non-binding framework.

In Effect CN

China CSL Amendments

First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.

In Effect US-CA

CA SB 524

Requires law enforcement agencies to disclose when AI is used to write or assist in creating official police reports, maintain audit trails, and preserve AI-generated first drafts.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.