FAQS
Until 28 November 2024, the protection of personal data was guaranteed in the Principality by Law no. 1.165 of December 23, 1993 related to the Protection of Personal Information.
Among other things, this law instituted the Commission de Contrôle des Informations Nominatives (CCIN), an Independent Administrative Authority in charge of controlling and verifying compliance with the legislative and regulatory provisions relating to personal data on the Monegasque territory.
Over time, this legislation has evolved to take account of the fast growing development of technologies, combined with the globalization of flows, as well as of the legal instruments adopted at European level, respectively by the Council of Europe and the European Union.
However, following the signature of the Convention 108+ of the Council of Europe and the adoption by the European Union in 2016 of the “European data protection package”, namely, the General Data Protection Regulation (GDPR) and the "Law Enforcement Directive”, it has become crucial for the Principality to modernize its data protection legal framework; this has now been done with the adoption of Law no. 1.565 of December 3, 2024 on the Protection of Personal Data.
Law no. 1.565 of December 3, 2024 provides that an Independent Administrative Authority is in charge of controlling and verifying that personal data processed in the Principality comply with the applicable laws and regulations.
So named the Autorité de Protection des Données Personnelles (APDP), this Independent Administrative Authority is the successor of the Commission de Contrôle des Informations Nominatives (CCIN), instituted by the Law no. 1.165 of 23 December 1993, amended.
In its article 4, Law no. 1.565 of December 3, 2024 lists the essential principles to be observed when processing personal data:
- the lawfulness, fairness, and transparency principle;
- the purpose limitation principle;
- the data minimization principle;
- the data accuracy principle;
- the storage limitation principle; and
- the data security principle.
Chapter III of Law no. 1.565 of December 3, 2024 is dedicated to the rights of data subjects. Some of these rights were already provided for by the Law no. 1.165 of December 23, 1993 as amended, and some have been reinforced. Other rights, taken from the GDPR, are new, however.
The consent of the data subject is one of the six legal bases, defined by Article 5 of Law no. 1.565 of December 3, 2024, allowing personal data to be processed in a lawful manner.
Article 2 of this law defines consent as:
« any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her ».
To be valid, the agreement given by the data subject must therefore meet several conditions, namely, it must be:
- freely-given
- specific
- informed
- unambiguous
Article 22 of Law no. 1.565 of December 3, 2024 introduces the notion of “accountability” of the data controller. This latter must ensure and demonstrate that the processing is carried out in compliance with the provisions of the Law.
In particular, he or she must take appropriate measures to inform the data subjects and facilitate the exercise of their rights. He or she must also cooperate with the APDP, at the latter's request, to accomplish their missions.
However, while these two obligations are not new, the Law now also incorporates a very large number of self-regulatory tools that the data controller must also put in place.
Under Article 2 of Law no. 1.565 of December 3, 2024, the data processor is “the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller”.
The obligations of the processor have been reinforced by the new legislation and the Processor must now provide sufficient guarantees with regard to the principles of data protection.
If the processor is required to cooperate with the APDP, at request of the latter, in the execution of its missions and providing assistance to the data controller, he or she is also subject, like this latter, to a large number of the new self-regulatory tools put in place by the new Law.
Codes of conduct are part of the new compliance tools introduced by the new legislation (Article 33 of Law no. 1.565 of December 3, 2024).
They are developed by associations and professional bodies representing categories of data controllers and processors.
They thus enable professionals, in a specific sector, to meet their operational needs in terms of data protection compliance by providing a detailed description of the most appropriate and ethical behaviors.
This voluntary approach encourages professionals in a given sector to adopt good practices (for example, specific security measures) and to demonstrate, to data subjects and other stakeholders, compliance with the provisions applicable to the processing of personal data.
Once developed, the codes of conduct applicable in Monaco are forwarded to the APDP for validation and publication.
Any subsequent changes to a code or, where applicable, its extension must be sent to the APDP who then verifies that the said code still offers appropriate guarantees of protection.
The APDP approves draft codes, amendments and extensions within 4 months of receipt of the request. This period may be extended by a further 2 months by decision of its President.
If the APDP has not reached a decision within this timeframe, the request is deemed to have been rejected.
The codes of conduct, their amendments and, where appropriate, their extensions are listed by the APDP in a register open to the public.
It is important to note that when a code of conduct has been approved already by a foreign protection authority, the data controller or the processor must forward it to the APDP so that the latter can verify that the provisions of the said code contain the appropriate guarantees pursuant to the Law.
The application of codes of conduct, once these have been approved and published, make them mandatory for their members.
Compliance with a code of conduct may be carried out by a body chosen by the bearer of the code.
This body must demonstrate, to the satisfaction of the APDP, its independence and expertise with regard to the purpose of the code. It must also demonstrate that its tasks and missions do not give rise to any conflict of interest.
The said body shall take appropriate measures in the event of a breach of the code by a data controller or data processor, and may in particular suspend or exclude the controller or processor concerned from the application of the code. It shall inform the APDP of such measures and the reasons for taking them
Adherence to a code of conduct is one of the appropriate guarantees that allow a data controller or processor to carry out a transfer to a State, a territory or an international organization that does not offer an adequate level of protection.
The certification makes it possible to demonstrate that the processing operations carried out by the data controllers or processors comply with the Law.
It is a legally binding compliance tool for those who choose to engage in this process.
Thus, the certification candidate undertakes to:
- comply with the criteria approved by the APDP and
- maintain compliance with the criteria for the duration of the certificate's validity
Like the implementation of codes of conduct, it is a voluntary approach.
Certification is issued for a maximum of three years, and may be renewed under the same procedures and conditions as long as the applicable requirements continue to be met.
The APDP keeps a register of all personal data protection certification mechanisms and makes them available to the public by any appropriate means.
Pursuant to Article 34 of Law no. 1.565 of December 3, 2024, the certification procedure may be implemented by the APDP or by independent bodies approved by the APDP.
Any organization applying for accreditation must
- provide evidence of an expert opinion with regard to the subject of the certification and
- meet the criteria defined by ministerial decree on the proposal of the APDP.
If these guarantees are provided, the APDP can approve the organization for a renewable period of 5 years.
The latter is then authorized to issue a certification attesting that the data controller or the processor complies with the provisions of the Law and the regulatory texts adopted for its application.
Certification bodies must inform the APDP of the certifications they have issued and the reasons for issuing or withdrawing certification.
The APDP can recognize the certifications issued by an approved body in a Member State of the European Union or with an adequate level of protection.
This possibility facilitates access to the Monegasque market for players certified abroad.
The certification is one of the appropriate guarantees that allow the data controller or processor to make a transfer towards a State, a territory or an international organization that does not offer an adequate level of protection
Sensitive data are special personal data due to their highly private nature, likely to lead to discrimination if they are revealed or processed for purposes or in ways that do not guarantee the protection of the data subjects’ rights and freedoms.
The following data are considered sensitive data:
- political opinions or affiliations;
- racial or ethnic origins;
- religious convictions;
- philosophical convictions;
- trade union membership;
- genetic data;
- biometric data for identification purposes;
- health data;
- data relating to an individual’s sex life;
- data relating to an individual’s sexual orientation.
Article 7 of Law no. 1.565 of December 3, 2024 establishes the prohibition of processing sensitive data principle.
Thirteen (13) derogatory situations, 6 of which were already included in Law no. 1.165 of 23 December 1993, as amended, nevertheless allow the collection of these data:
• the data subject has given explicit consent to the processing of their personal data;
• the processing is necessary to preserve the vital interests of the data subject or of another natural person, in the event that the person is unable to give consent due to an impairment of his or her faculties, physical or legal incapacity or a complete material impossibility;
• the processing concerns members of an ecclesial institution or a group of a political, religious, philosophical, humanitarian or trade union nature, provided that the processing relates only to members or former members of that body or to persons in regular contact with persons in connection to the processing purpose and that the information is not communicated to third parties without the consent of the data subjects;
• the processing relates to personal data manifestly made public by the data subject;
• the processing is necessary in the establishment, exercise or defence of a legal claim or whenever courts are acting in the context of their judicial function;
• the processing is justified on the grounds of important public interest provided for in Monegasque law, which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the data subjects’ fundamental rights and interests;
• the processing is necessary for preventive medical purposes or occupational health, in the assessment of the worker’s aptitude, medical diagnoses, the administration of care, medication or the management of health and social welfare services or in the interest of research or in the field of public health, when the processing of such data is performed by a health professional subject to professional secrecy or by another person also subject to professional secrecy;
• the processing is carried out for archiving purposes out of public interest, for scientific or historical research purposes or for statistical purposes;
• the processing is implemented by the employer and relates to biometric data strictly necessary for access controls to the workplaces, as well as for the devices and applications used in the course of the tasks entrusted to employees;
• the processing is necessary for the fulfilment of the obligations and the exercise of the data controller's or the data subject's own rights in the field of labour, social security and social protection law;
• the treatment is implemented by the Monegasque Institute of Statistics and Economic Studies within the framework of the establishment for the necessary studies and investigations only;
• the processing, only when it is carried out by a competent administrative or judicial authority acting within the framework of the tasks legally conferred to it:
- is implemented for the purposes of the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal sanctions.
- relates to genetic data or biometric data necessary for the authentication or verification of the identity of individuals.
- relates to national security.
• the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or for the purpose of ensuring high standards of quality and safety of healthcare and medicinal products or medical devices, on the basis of Monegasque law, which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subjects, including professional secrecy.
A data transfer is any flow of data to a country, a territory, or an international organization outside of the Principality.
This may involve a physical transfer or a remote access, either within a group or to a third party.
Example: access to data by the IT provider located in India for maintenance purposes
Chapter VIII of Law no. 1.565 of December 3, 2024 consists of six articles that address various situations of transfers of personal data outside of the Principality.
Whereas the new legislation is effective immediately, Article 109 however provides for compliance deadlines for certain obligations.
Article 109 of Law no. 1.565 of December 3, 2024 deals with 3 situations:
Processing regularly implemented under Law no. 1.165 of December 23, 1993
Data controllers shall have one year from the effective date of the new Law to comply with the provisions of Chapter II on the principles relating to the quality of data and the conditions of lawfulness of the processing of personal data "provided that such processing has not been substantially modified".
This means that the processing previously submitted to the CCIN, for which a receipt, a favorable opinion, or an authorization has been issued by the CCIN, and whose essential characteristics are unchanged, may continue but must comply within one year with the principles set out in the provisions of Chapter II of the new Law.
The compliance deadlines for the new obligations incumbent on the data controllers
The second paragraph of Article 109 concerns data controllers and processors “having regularly implemented with the Commission de Contrôle des Informations Nominatives processing operations of personal data before the effective date of the present law, and which continues to operate after the effective date”.
They "shall have one year from that date to comply with the obligations provided for in Articles 27, 28, 29, 30 and the fourth paragraph of Article 31".
Thus, data controllers and processors have a period of one year from the effective date of the new Law to fulfill the following new obligations:
- the keeping of a record of processing operations (Article 27);
- the appointment of a Data Protection Officer (DPO) (Articles 28 et 29);
- the obligation to provide the DPO with all the necessary resources to enable him or her to carry out his or her tasks properly, and to communicate the contact details of the DPO to the APDP (Article 30);
- the implementation of compliance with the security obligations by the data controller or processor in the context of adherence to a code of conduct or a certification mechanism (fourth paragraph of Article 31). NB: The APDP specifies that the implementation of a code of conduct or a certification mechanism is optional and must not necessarily be implemented within one year of the effective date of the new legislation. Furthermore, the obligation to put in place appropriate technical and organizational measures to guarantee a level of security of personal data adapted to the risks to the rights and freedoms of the data subjects are effective immediately.
Specific case of impact assessment (Article 35):
Regarding impact assessments, which are among the new obligations incumbent on data controllers, "This period is extended to 3 years to allow data controllers to conduct the impact assessment provided for in Article 35 as part of the risk reassessment".
It is important to stress that “for the most sensitive processing operations involving a high risk to the rights and freedoms of the data subjects”, an impact assessment must be conducted by the data controller.
To conduct this impact assessment, the data controller therefore has three years to assess the risks associated with the processing of personal data of the data subjects and to identify precisely the measures necessary to handle them.
The compliance deadlines for processing under section 64 of the Law
The third case relates to the compliance of the processing referred to in Article 64, which concerns “processing implemented for the purpose of preventing, detecting, investigating, and prosecuting criminal offences or the execution of criminal sanctions, including the protection against and prevention of threats to public security”.
| NB: this article concerns only the competent administrative and judicial authorities within the exclusive framework of the missions conferred on them by law. (Police/Justice processing) |
Therefore, from the effective date of the new Law, data controllers concerned have three years to bring their processing into compliance with the provisions of Article 69 (distinction of the different categories of data subjects of the processing: victims, suspects, etc.) and Article 70 (processing access logs).
Furthermore, “This period does not apply to processing operations already subject to the logging obligation".