Search results

Help and definitions

Any operation, automated or otherwise, involving personal data, such as the collection, consultation or storage of information.

Examples :

  • administrative management of employees
  • management of professional e-mails
  • setting up a website
  • video surveillance of premises

[For more information, see How to identify your processing activities?]

The person or body with decision-making power regarding the purposes and means of data processing.

Example : a company represented by its legal representative (e.g. its chairman).

[For more information, refer to the factsheet The key players in data protection in the Principality]

Mandatory in certain cases, the Data Protection Officer (DPO) is the natural or legal person who ensures compliance with data protection legislation. He or she acts both as the main point of contact for all questions relating to personal data and as the contact person for the APDP.

[For more information, refer to the factsheet Job Description of the Data Protection Officer]

Field to be completed only if the data controller is established outside Monaco.

The representative is the natural or legal person established on the territory of the Principality, or, failing that, within a Member State of the European Union,  appointed by the data controller. Its role is to act as a point of contact both for the data subjects and for the APDP.

Example: a Monegasque consultancy firm representing an e-commerce company based in Italy that offers products or services to people located

[For more information, refer to the factsheet The key players in data protection in the Principality]

Applicable only in the rare cases where another person or body determines jointly with the controller the purposes and means of the processing.

Example: two online shops work together to create a common platform enabling them to market their respective products. Together, they decide on the purposes (e.g. promotion and sale of products) and means (e.g. collection of customer data, payment methods). In this case, they are jointly responsible for processing the data collected via the platform.

[For more information, refer to the factsheet The key players in data protection in the Principality]

Objective(s) for which the processing has been implemented.

ExAmples :

For a video surveillance system:
– to ensure the safety of people and property (theft, damage, attacks, etc.)
– to provide evidence in the event of an offence.

For a website:
– to present the products and services offered by the company
– to provide information about the teams and their skills
– to offer a “contact” section to enable exchanges with users
– to enable registration for a newsletter to communicate news or promotions
– to enable the creation of customer accounts for personalized purchases or services

[For more information, refer to the factsheet The main principles of personal data protection]

Activity which involves, for example, using analysis tools, observing, collecting or recording personal data on a systematic and not occasional basis.

Examples :

  • E-mail monitoring: a system that triggers automatic alerts when a keyword is detected when sending business e-mails
  • Recording telephone calls: in a banking establishment, conversations are recorded as part of the business relationship to enable orders to be traced
  • Setting up a video surveillance system: cameras are installed in a shop to ensure the safety of goods and people.

To be lawful, all data processing must be based on one of the 6 grounds for lawfulness set out in article 5 of Law no. 1.565 of December 3, 2024.

Examples :

  • the consent of the data subject for one or more specific purposes
  • the fulfilment of a legitimate interest pursued by the data controller

Each purpose of processing must be justified by a single valid legal basis from among the six provided for.

[For more information, refer to the factsheet The main principles of personal data protection]

Individuals whose data are collected, used, stored, etc. by the processing operation.

Examples: employees, customers, suppliers.

[For more information, see Glossary]

Sensitive data are particular personal data, revealing highly private or intimate information. If these data are exposed or used for purposes or in ways that do not guarantee the protection of the rights and freedoms of the data subjects, discrimination or serious breaches of privacy could result.

Examples :

  • Health data: information on medical history, diagnoses, allergies, treatments or disabilities, etc.
  • Political opinions: a person’s affiliations with or positions on a political party or current
  • Biometric data: fingerprints, retinal scans, facial recognition, collected for the purposes of unique identification

[For more information, see Glossary]

Article 7 of Law no. 1.565 of December 3, 2024 establishes the principle that the processing of sensitive data is prohibited. However, it provides for 13 derogations in which the collection and processing of such data is authorized, subject to strict compliance with these conditions in order to guarantee the rights and freedoms of the data subjects.

Examples :

  • Consent of the data subject(s): when the data subjects give their explicit and informed agreement to participate in biomedical research.
  • Safeguarding vital interest: in an emergency, the collection of sensitive data is necessary to protect the life of the data subject or that of a third party.
  • Legal or regulatory requirements: processing is required to meet an obligation laid down by law (for example, in a public health context).

[For more information, refer to the factsheet The consent of data subjects]

Any information relating to a natural person that is not sensitive data.

Examples :

  • identity data: surname, first name, photograph, date and place of birth, postal address, etc.
  • training and professional life: educational background, qualifications obtained, position held, attached department, authorized access areas, days off, etc.
  • electronic identification data: IP address, connection identifiers, computer system access logs, etc.
  • financial data: bank details or payment history, etc.

[For more information, see Glossary]

Personal data may not be kept indefinitely in a form that allows the data subjects to be identified. The retention period must be strictly limited to what is necessary to achieve the purpose for which the data were collected. Once the purpose has been achieved, the data must be deleted or rendered anonymous, unless there is a legal obligation to retain them.

Examples :

  • Video surveillance: recordings are kept for a maximum of 1 month, unless an offence justifies keeping them for investigation
  • Newsletter subscriptions: data are kept for as long as the user wishes to remain a subscriber and has not withdrawn their consent.

[For more information, refer to the factsheet The main principles of personal data protection]

The source(s) designate(s) the origin of the personal data collected as part of a processing operation. This information may come from different systems/devices, from third parties or from the data subject him/herself. Identifying the source(s) is essential to ensure transparency and compliance with data protection legislation.

Examples :

  • HR files: for employee identities, such as surnames, first names and contact details
  • video surveillance systems: for images captured by cameras
  • Internet users: when they fill in a contact form or subscribe to a newsletter.

Any department, person or management under the direct authority of the data controller who, within the organization, will have access to the data.
Such access must be strictly necessary to carry out the tasks entrusted to them and comply with the defined purposes of the processing.

Examples :

  • Human Resources Department: management of employee data, such as contracts, pay and holidays
  • Sales Director: consultation of customer information to supervise commercial actions and develop sales strategies
  • Compliance Department: access to data to check that processing complies with legal and regulatory obligations
  • Maintenance provider: limited access to data for technical operations, such as maintenance or updating of IT systems

Country(ies)/territory(ies)/international organization(s) in which the categories of persons having access to the data are located.
This information is essential for assessing the legal implications and any data protection risks, particularly in the event of data being accessed from abroad.

Examples :

  • the head office in France: employees of the head office located in France have access to customer data for administrative or commercial purposes
  • the service provider based in Europe: an IT maintenance company located in Italy works on the systems and has access to the data

Any department, person or body outside the structure, with the exception of public authorities, to whom the data will be sent.

Examples :

  • an auditor: consultation of financial and accounting data as part of the statutory audit
  • the external accountant: access to information needed to carry out accounting or tax operations
  • service providers: transmission of data to service providers for specific services, such as a marketing campaign
  • a recruitment agency: processing of candidate data on behalf of the company

[For more information, refer to the factsheet The key players in data protection in the Principality]

Country(ies)/territory(ies)/international organization(s) in which the categories of persons authorized to receive data are located.
This information is essential in order to assess the possible risks associated with these data communications, particularly when these persons are located in third countries subject to different data protection regimes.

Examples :

  • an accounting firm in France: financial data are communicated to an accountant based in France in charge of accounting management on behalf of a Monegasque company
  • a business partner in Germany: sharing of customer information for marketing purposes

All data controllers must implement appropriate technical and organizational measures to guarantee a level of security appropriate to the risks to the rights and freedoms of individuals.

These measures aim to prevent any unauthorized access, unauthorized disclosure, alteration, destruction or loss of personal data.

Examples :

  • individual logins and passwords
  • access logging
  • security updates, antivirus, etc.
  • regular back-ups
  • pseudonymisation and data
  • enryption
  • access control to facilities

[For more information, refer to the factsheet Security measures : questions to ask yourself to ensure good IT hygiene]

Any flow of data to a country, territory or international organization outside the Principality whose legislation or regulations on personal data do not provide an adequate level of protection recognized by the Principality.

This may involve the communication of information or access to data, either within a group or to a third party.

Example : a service provider located in the United States, responsible for the maintenance of an application, remotely accesses databases containing customers’ personal information, with strict contractual measures to guarantee their security (for example, standard contractual clauses or equivalent mechanisms).

[For more information, refer to the factsheet Data transfers outside the Principality: scenarios to consider]

Article 97 of the Law establishes the principle whereby any transfer of personal data outside the Principality may be undertaken without any prior formality providing the legislation or regulation of personal data of the recipient country, territory, or international organization has an adequate level of protection as observed by the Principality.

The list of countries, territories, and international organizations with an adequate level of protection is adopted by the Government by ministerial ruling.

[See List of countries, territories, and international organizations with an adequate level of protection]

If one of the 5 safeguards set out in article 98 of Law no. 1.565 of December 3, 2024 has been put in place, the data may be transferred to a country, territory or international organization that does not have an adequate level of protection as determined by the Principality.

Examples: adherence to a code of conduct, adoption of binding corporate rules

[For more information, refer to the factsheet Data transfers outside the Principality: scenarios to consider]

In the absence of an adequate level of protection and appropriate safeguards, the transfer of data to a country, territory or international organization that does not have an adequate level of protection may be carried out if one of the 7 derogations provided for in article 99 of Law no. 1.565 of December 3, 2024 applies.

Examples :

  • important reasons of public interest
  • transfer necessary to protect the vital interests of the data subject

[For more information, refer to the factsheet Data transfers outside the Principality: scenarios to consider]

In the absence of an adequate level of protection and appropriate safeguards, and if none of the derogations provided for in Article 99 is applicable, a data transfer to a country, territory or international organization that does not have an adequate level of protection is possible, if the following 4 conditions are met:

  • the transfer is not repetitive;
  • the transfer only affects a limited number of data subjects;
  • the transfer is necessary for the purposes of pursuing compelling legitimate interests of the data controller
  • appropriate safeguards have been taken

NB : the APDP must be informed of this transfer !

[For more information, refer to the factsheet Data transfers outside the Principality: scenarios to consider]

If:

  • the data are transferred to a country, territory, or international organization that does not ensure an adequate level of protection, and
  • appropriate safeguards have not been put in place, and
  • none of the derogations provided for in Article 99 of Law no. 1.565 of December 3, 2024 apply, and
  • the 4 conditions provided for in paragraph 3 of Article 99 are not met,
  • the data controller or processor must request prior authorization from the APDP.

[For more information, refer to the factsheet Data transfers outside the Principality: scenarios to consider]

The data controller must provide all data subjects with information on the use of their data. (who collects their data? for what purpose(s)? for how long? what rights do they have? etc.) so that they can keep control of them.

The information provided must be:

  • concise, intelligible and easily accessible;
  • in clear and simple terms;
  • free of charge;
  • by all appropriate means.

Examples :

  • a notice board
  • a section dedicated to the protection of personal data available on the website
  • a voice message prior to the recording of telephone conversations

[For more information, see factsheet Information to be provided to the data subjects]

Rights that the data controller must confer on data subjects to enable them to retain control of the data concerning them.

Examples :

  • the right of access to their data
  • the right to erasure of their data
  • the right to object to the processing of their data

[For more information, see factsheet The rights of the data subjects with regard to their personal data]

Field to be completed only for processing carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
Profiling is any form of processing that makes it possible to evaluate certain personal aspects of an individual, in particular his or her consumer preferences in various areas, such as culture, sport, food or political sensitivities.

If the processing is likely to result in a high risk to rights and freedoms, particularly if new processing technology is used, an impact assessment must be carried out.

Example : a video surveillance system installed in a shopping centre

[For more information, see Impact assessment on personal data protection]

Subscribe to the newsletter
This field is for validation purposes and should be left unchanged.