9anon Logo
9anonقانون

Moroccan Law on Data Localization

9anon AI Team5 min read
Share this article:

Moroccan Law on Data Localization: Navigating Sovereignty and Privacy

In an increasingly digitised global economy, the management of information has become a cornerstone of national security and economic regulation. For multinational companies operating in the Kingdom, understanding the Moroccan legal framework regarding data localization, reporting, and privacy is essential for maintaining compliance.

Morocco has established a sophisticated legal ecosystem designed to balance the free flow of commercial data with the need for "data sovereignty." This ensures that the state can monitor economic health, protect individual privacy, and maintain oversight of financial stability. This article explores the key pillars of Moroccan law governing how data is stored, reported, and protected within the national territory.

The Framework for Economic and Financial Data

One of the primary drivers of data localization and reporting in Morocco is the need for accurate national accounting. Under Law No. 19.06, the Moroccan legislator established strict requirements for statistical declarations. This law is fundamental for the preparation of data regarding foreign exchanges, the balance of payments, and Morocco’s overall external financial position.

According to Article 1 of Law 19.06, these provisions apply to all commercial and financial transactions between residents and non-residents. This includes:

  • Movements of funds between Morocco and abroad.
  • Transactions carried out within Morocco between residents and non-residents.
  • Any operation that must be recorded in the statistics of foreign exchanges.

For multinational companies, this means that financial data related to cross-border transactions cannot simply exist on a foreign server without being declared to Moroccan authorities. The law mandates that these operations are subject to compulsory statistical declarations, ensuring that the Moroccan state maintains a clear digital record of its financial interactions with the world.

Privacy and Personal Data Protection

While economic data is regulated for financial stability, personal data is governed by a robust privacy framework. Law No. 09.08, relating to the protection of individuals with regard to the processing of personal data, is the bedrock of Moroccan privacy law.

A critical aspect of this law is its jurisdictional reach, which effectively imposes localization requirements on data controllers. Under the provisions of this law (as referenced in supporting decrees), the law applies to:

  1. Local Entities: Any processing carried out by a data controller (individual or legal entity) resident or established on Moroccan territory.
  2. Foreign Entities Using Local Means: If a controller is not resident in Morocco but uses automated or non-automated means located within the Kingdom to process data (unless the data is merely passing through), they must comply with Moroccan law.

In cases where a foreign company uses Moroccan-based infrastructure, Article 2(b) and subsequent paragraphs require the appointment of a local representative. This representative assumes all rights and obligations of the foreign entity, ensuring that the National Commission for the Control of Personal Data Protection (CNDP) has a local point of contact for enforcement.

Transparency and the Public Register of Beneficial Owners

Morocco has recently strengthened its corporate transparency through the creation of the Public Register of Beneficial Owners. This register is designed to centralise accurate and updated information regarding the individuals who ultimately own or control legal entities.

According to Article 4 of the relevant Decree, this register applies to:

  • Companies established in Morocco.
  • Foreign companies conducting commercial activities within the national territory.
  • Legal arrangements established abroad that have conducted transactions in Morocco.

The localization of this specific data is vital for anti-money laundering (AML) efforts. Article 9 of the decree stipulates that information and supporting documents must be kept for ten years after a company is struck off the register. Furthermore, while this data is localised in Morocco, Article 10 allows for its use in international cooperation, provided that such sharing respects Moroccan laws on personal data protection.

Sector-Specific Requirements: Credit and Identity

Certain sectors face even more stringent data and operational localization rules. For instance, Credit Information Bureaus are subject to strict oversight by Bank Al-Maghrib (the Central Bank).

Under Articles 14 and 15 of the Law relating to Credit Information Bureaus, the withdrawal of an authorization from a bureau affects all its branches and agencies in Morocco. These bureaus are subject to heavy fines (ranging from 250,000 to 1,000,000 Dirhams under Article 44) if they fail to comply with reporting and management standards. This ensures that the financial history and creditworthiness of Moroccan citizens remain within a regulated, local supervisory framework.

Similarly, administrative data, such as that found on the Electronic National Identity Card (CNIE), is strictly controlled. Law No. 04.20 and its implementing decrees regulate the collection of biometric data (fingerprints) and the electronic chips within these cards. This data is managed by the Ministry of Interior, ensuring that the core identity data of the population is held securely within state-controlled systems.

Conclusion and Key Takeaways

For businesses and legal practitioners, Moroccan data localization and privacy laws represent a commitment to digital sovereignty. The legal landscape is characterised by:

  • Compulsory Reporting: Financial and commercial transactions with foreign elements must be declared under Law 19.06.
  • Territorial Privacy Limits: Law 09.08 ensures that any processing using Moroccan infrastructure falls under the jurisdiction of the CNDP.
  • Corporate Transparency: The Register of Beneficial Owners requires localized record-keeping for at least a decade.
  • Strict Oversight: Financial and identity data are subject to specialized regimes that prioritize national security and economic integrity.

Compliance requires not only technical measures for data storage but also administrative diligence in reporting to Moroccan institutions such as Bank Al-Maghrib and the CNDP.

Related Search Terms

9anoun ai, 9anon ai, kanon ai, kanoun ai, qanon ai, qanoun ai

Share this article:

Have More Legal Questions?

Consult 9anon AI now and get accurate, instant answers about your legal situation in seconds.

Start Chatting FreeAI Contract Builder

Related Articles

VAT Exemptions: New Products List 2026 Morocco

What new products are exempt from VAT in 2026? Learn about Decree 2.25.1041 and how it affects your business and consumer rights.

Read More

Tax Dispute Appeals: New Deadlines in Morocco 2026

What are the new deadlines for tax dispute appeals under the 2026 General Tax Code (CGI)? Find out how to challenge VAT assessments on time.

Read More

Supreme Court: Cassation Appeal Procedures Change 2026

What are the procedural changes to cassation appeals in the Supreme Court under Organic Law 36.24? Learn about the amendments and their impact on cases.

Read More