Loi 09-08 — Morocco Data Protection
Last Updated: March 1, 2026
CloudLink LLC is registered and headquartered in Morocco. This notice describes how we process the personal data of Moroccan data subjects in accordance with Loi n° 09-08 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel (the "Law"), which is Morocco's primary personal data protection statute. This notice supplements, and does not replace, our Privacy Policy.
Data Controller
Entity: CloudLink LLC
Registered Office: 4 ème étage, Bureau 62, Centre d’affaire Malizia, Marrakech, Morocco
Email: [email protected]
Supervisory Authority: CNDP — Commission Nationale de contrôle de la protection des Données à caractère Personnel (the Moroccan data protection authority)
Declared Processing & CNDP Formalities
Under the Law, processing of personal data must generally be declared to the CNDP before it begins ("déclaration préalable"), and certain categories of processing — including processing of sensitive data (health, criminal records, and similar categories) and cross-border transfers of personal data outside Morocco — require prior CNDP authorization ("autorisation") rather than a simple declaration. This is a materially different mechanism from GDPR's "lawful basis" model: rather than self-assessing a legal basis for each purpose, a controller operating in Morocco must affirmatively notify, and in some cases seek approval from, the CNDP for its processing activities.
| Purpose | CNDP Formality | Retention |
|---|---|---|
| Account management | Declaration | Duration of contract + 3 years |
| Service delivery | Declaration | Duration of contract |
| Billing & invoicing | Declaration | 7 years (tax requirements) |
| Analytics & improvement | Declaration | 26 months |
| Marketing communications | Declaration + consent | Until consent withdrawn |
| Cross-border transfer (hosting outside Morocco) | Authorization | See below |
Your Rights Under Loi 09-08
As a data subject in Morocco, you have the right to:
- Right to Information — Be informed of the purpose, recipients, and controller identity when your data is collected
- Right of Access — Obtain confirmation of, and a copy of, personal data we hold about you
- Right to Rectification — Correct inaccurate or incomplete personal data
- Right to Opposition — Object, on legitimate grounds, to the processing of your personal data, and to object without charge to its use for prospecting/marketing purposes
- Right of Withdrawal — Withdraw previously given consent at any time
These rights overlap with, but are not identical to, the GDPR rights described on our GDPR Compliance page — notably, the Law does not include a standalone right to erasure or data portability in the same form as GDPR Art. 17/20.
Cross-Border Data Transfers
CloudLink's infrastructure is not exclusively hosted in Morocco — personal data about Moroccan data subjects may be processed or stored outside Morocco by our sub-processors (see our Sub-processors page). Transfers of personal data outside Morocco require prior CNDP authorization unless an exemption applies (for example, transfer to a country deemed to provide an adequate level of protection). We rely on contractual safeguards, including Standard Contractual Clauses with our sub-processors, and seek CNDP authorization where required by the Law.
Exercise Your Rights
To exercise any of the rights above, or to raise a question about how CloudLink processes your personal data under Loi 09-08, contact us using the details below. We will verify your identity before processing your request.
Contact Us →