Article 2(2)(1)(a) of Law 09-08 establishes the territorial scope of the law based on the establishment of the data controller. The provision contains two key elements:

1. The law applies when the processing is "carried out by a natural or legal person whose data controller is established on Moroccan territory". This clause directly links the applicability of the law to the establishment of the data controller in Morocco.
2. It further clarifies that "The data controller of a processing activity conducted within Moroccan territory, regardless of its legal form, is considered established there". This second part expands the concept of establishment, focusing on the location of the processing activity rather than the legal form of the entity.

The lawmakers' rationale for including this factor is to ensure that all data processing activities occurring within Morocco's borders are subject to the country's data protection regulations, regardless of the legal structure of the entity conducting the processing. This approach aims to create a comprehensive data protection framework that covers all relevant actors operating within the country.

Implications

The establishment-based applicability of Law 09-08 has several implications for businesses:

1. Any entity, whether a natural person or a legal entity, that processes personal data and is established in Morocco must comply with Law 09-08.
2. The legal form of the entity is irrelevant; what matters is the establishment in Morocco and the conduct of data processing activities within the territory.
3. Foreign companies with subsidiaries, branches, or other forms of establishment in Morocco are subject to the law for their data processing activities in the country.
4. The law applies to both Moroccan and foreign-owned businesses, as long as they are established in Morocco and process personal data there.
5. Companies conducting data processing activities in Morocco should assess whether they fall under the definition of being "established" in the country, even if their primary operations are elsewhere.
6. Entities that process data in Morocco but are not established there may still be subject to the law under other provisions (such as the use of processing means in Morocco, as mentioned in Article 2(2)(1)(b), though this is beyond the scope of the current analysis).
7. Companies established in Morocco must ensure compliance with all aspects of Law 09-08, including data protection principles, data subject rights, and any registration or notification requirements.

This establishment-based approach to territorial scope aligns Morocco's data protection framework with international standards, ensuring that entities operating within the country are held accountable for their data processing activities, regardless of their origin or legal structure.