{"id":20347,"date":"2025-01-21T14:43:57","date_gmt":"2025-01-21T13:43:57","guid":{"rendered":"https:\/\/apdp-mc-stage.jupiter.cdigital.fr\/?page_id=20347"},"modified":"2025-10-29T09:24:11","modified_gmt":"2025-10-29T08:24:11","slug":"glossary","status":"publish","type":"page","link":"https:\/\/apdp.mc\/en\/glossary\/","title":{"rendered":"Glossary"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Anonymization<\/strong><strong>:<\/strong><\/span> a technique that consists in \u00ab <em>removing any identifying characteristics from a set of data<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">It corresponds to the \u00ab <em>process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII subject can no longer be identified directly or indirectly, either by the data controller of the PII alone or in collaboration with any other party<\/em> \u00bb. (ISO 29100: 2011).<\/p>\n<p style=\"text-align: justify;\">As such, anonymization is recognizable by the <strong>irreversibility<\/strong> of the <strong>loss of any identifiable individual characteristics<\/strong>.<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/security\/6379-2\/\" target=\"_blank\" rel=\"noopener\"><strong>Anonymization or pseudonymisation<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Biometric data<\/strong><strong>:<\/strong><\/span> defined in article 2 of Law no. 1,565 of December 3, 2024 as \u00ab <em>personal data resulting from a specific technical processing, relating to the physical, physiological, or behavioral characteristics of an individual, which allow or c<\/em>onfirm their unique identification, such as facial images or fingerprint data \u00bb.<\/p>\n<p style=\"text-align: justify;\">Biometrics refers to the <strong>physical characteristics<\/strong> but also to the <strong>behavioral characteristics<\/strong> of an individual.<\/p>\n<p style=\"text-align: justify;\"><strong>Examples<\/strong>:<\/p>\n<ul style=\"text-align: justify;\">\n<li>body language<\/li>\n<li>way of walking<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">However, within the meaning of the law, these characteristics are only considered to be biometric data when they are processed for the purpose of uniquely identifying or authenticating a natural person.<\/p>\n<p style=\"text-align: justify;\"><strong>Examples<\/strong>:<\/p>\n<ul>\n<li style=\"text-align: justify;\">the voice recording for the purpose of uniquely identifying an individual is a biometric data<\/li>\n<li style=\"text-align: justify;\">the voice recording for the purpose of improving a company&#8217;s quality service without identifying the person is not a biometric data<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px;\"><strong><span style=\"color: #001780;\">Certification:<\/span> <\/strong><\/span>as provided for in article 34 of Law no. 1.565 of December 3, 2024, the certification makes it possible to demonstrate that the <strong>processing operations<\/strong> carried out by data controllers or processors comply with the law.<br \/>\nresponsables du traitement ou les sous-traitants respectent la Loi.<\/p>\n<p style=\"text-align: justify;\">It is a <strong>legally binding<\/strong> compliance tool for those who choose to engage in this process.<\/p>\n<p style=\"text-align: justify;\">Thus, the candidate for certification agrees to comply with the criteria approved by the APDP and to maintain this compliance with the criteria for the <strong>duration of the certificate\u2019s validity<\/strong>.<\/p>\n<p style=\"text-align: justify;\">This is, however, a <strong>voluntary approach<\/strong>.<\/p>\n<p style=\"text-align: justify;\">The certification procedure may be implemented by the APDP or by independent bodies accredited by the APDP.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Codes of conduct:<\/strong><\/span> developed by associations and professional bodies representing categories of data controllers or processors, codes of conduct are part of the new compliance tools established by article 33 of Law no. 1.565 of December 3, 2024.<\/p>\n<p style=\"text-align: justify;\">They thus enable professionals, <strong>in a specific sector<\/strong>, to meet their <strong>operational needs<\/strong> in terms of data protection compliance by providing a <strong>detailed description<\/strong> of the most appropriate and ethical behaviors.<\/p>\n<p style=\"text-align: justify;\">This <strong>voluntary approach<\/strong> encourages professionals in a given sector to adopt good practices (for example, specific security measures) and to <strong>demonstrate<\/strong>, to data subjects and other stakeholders, <strong>compliance with the provisions applicable to the processing of personal data<\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Consent:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024 as \u00ab\u00a0<em>any freely given, specific, informed and unambiguous indication of the data subject&#8217;s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">To be valid, the consent given by the data subject must therefore <strong>meet four conditions<\/strong>:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>freely-given<\/strong>: the data subjects must be able to <strong>make a real choice<\/strong> regarding the processing of their data. Therefore, they <strong>must not be coerced or influenced<\/strong> in their choice. They should not suffer from any negative consequences if they do not consent.<\/li>\n<li style=\"text-align: justify;\"><strong>specific<\/strong>: the consent <strong>must be specific to the purpose<\/strong> of the processing. Therefore, when the processing has <strong>several purposes<\/strong>, the consent should be <strong>obtained independently for each purpose<\/strong>. This is referred to as <strong>separate consent<\/strong> for each purpose.<\/li>\n<li style=\"text-align: justify;\"><strong>informed<\/strong>: before the data subject makes a choice, the data controller must <strong>inform<\/strong> the data subject of <strong>certain information<\/strong> as listed in article 11 of Law no. 1.565 of December 3, 2024.<\/li>\n<li style=\"text-align: justify;\"><strong>unambiguous<\/strong>: the consent must be given by an <strong>oral or written<\/strong> statement from the data subject or result from a <strong>clear affirmative<\/strong> act. There must be no reasonable doubt as to the data subject\u2019s wish to give consent to the processing of his or her data.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><strong>Silence or inaction<\/strong> of the data subject <strong>does not constitute valid consent<\/strong> within the meaning of the legislation relating to the protection of personal data as consent cannot be unambiguous.<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/the-consent-of-data-subjects\/\" target=\"_blank\" rel=\"noopener\"><strong>The consent of data subjects<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Data breach notifications:<\/strong><\/span> pursuant to article 32 of Law no. 1.565 of December 3, 2024, a data controller must notify the APDP of <strong>any data breach of which it has become aware and which is likely to pose a risk to the rights and freedoms of the affected individuals<\/strong>.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: an unauthorized third party accesses a company&#8217;s HR file and modifies its content<\/p>\n<p style=\"text-align: justify;\">This notification must be done <strong>without undue delay<\/strong>, and if possible within a maximum of <strong>seventy-two hours after becoming aware of it<\/strong>.<\/p>\n<p style=\"text-align: justify;\">It <strong>must<\/strong> be done through the <strong>APDP<\/strong> to ensure the preservation of the rights and freedoms of the individuals affected by the violation by any necessary intervention.<\/p>\n<p style=\"text-align: justify;\">The notification may also be accompanied, in certain cases, by a <strong>communication<\/strong> to the <strong>data subjects<\/strong> impacted by this breach, when the said breach is <strong>likely to result in a high risk to the rights and freedoms of an individual<\/strong>.<\/p>\n<p style=\"text-align: justify;\">The assessment of high risk is made in the light of a particular incident and is based on the consequences that could arise from it.<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/security\/notification-of-personal-data-breaches\/\" target=\"_blank\" rel=\"noopener\"><strong>Notification of personal data breaches<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Data controller<\/strong><\/span>: defined in article 2 of Law no. 1.565 of December 3, 2024 as the \u00ab\u00a0<em>natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">The data controller is therefore the person or body with <strong>decision-making power<\/strong> over the purposes and means of data processing.<\/p>\n<p style=\"text-align: justify;\">In general, this is the <strong>legal entity<\/strong> (e.g. a company) represented by <strong>its legal representative<\/strong> (e.g. its Chairman).<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: a holding company which decides on the purposes of data processing for its entities is the data controller<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\">If two or more data controllers <strong>jointly determine<\/strong> the purposes and means of the processing, they are considered to be <strong>joint data controllers<\/strong> under article 24 of Law no. 1.565 of December 3, 2024.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: creation and use of a common platform by two data controllers who offer different services<\/p>\n<p style=\"text-align: justify;\">To this end, they must determine<strong> their respective responsibilities for compliance in a transparent arrangement<\/strong>, particularly with regard to the exercise of the data subject&#8217;s rights.<\/p>\n<p style=\"text-align: justify;\">Irrespective of the terms of the arrangement, the data subject will be able to exercise his or her rights conferred by the law in respect of and against each of the controllers.<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/les-acteurs-cles-de-la-protection-des-donnees-en-principaute\/\" target=\"_blank\" rel=\"noopener\"><strong>The key players in data protection in the Principality<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Data Protection Impact Assessment (DPIA or AIPD in French):<\/strong><\/span> a new instrument introduced by Law no. 1.565 of December 3, 2024, the data protection impact assessment is a study whose objective is to <strong>determine and analyze<\/strong> how the rights and freedoms of the individuals concerned by the processing <strong>will be impacted before launching a new personal data processing<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Any operation that could cause risks to the rights and freedoms of individuals does not automatically require an impact assessment.<\/p>\n<p style=\"text-align: justify;\">Indeed, the Law only requires such an analysis when processing is likely to result in a <strong>high risk to rights and freedoms<\/strong>, particularly in the case of the use of a <strong>new processing technology<\/strong>.<\/p>\n<p style=\"text-align: justify;\">The list of criteria for determining whether processing is likely to result in a high risk is established by Ministerial Oder No. 2025-361 of July 14, 2025 implementing Article 35 of Law no. 1.565 of December 3, 2024 on the protection of personal data.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Data Protection Officer or DPO:<\/strong><\/span> as provided for in articles 28, 29 and 30 of Law no. 1.565 of December 3, 2024, the DPO is the person within an entity who facilitates compliance with the data protection legislation and acts both as the <strong>privileged contact<\/strong> for all issues related to personal data, whether internal or arising from a data subject affected by processing, and as the<strong> interlocutor of the APDP<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Article 29 of the Law provides that with the exception of courts within the exercise of their judicial duties, the appointment of a DPO is mandatory in the following cases:<\/p>\n<ul>\n<li style=\"text-align: justify;\">the data processing is carried out by a <strong>legal person governed by public law or a legal person governed by private law entrusted with a mission of general interest or a public service concession<\/strong>;<\/li>\n<li style=\"text-align: justify;\">the core activities of the head of the data controller consist of processing operations, which by reason of their nature, scope or purposes, require <strong>regular and systematic monitoring of the data subjects on a large scale<\/strong>;<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: profiling and rating for risk assessment purposes<\/p>\n<ul>\n<li style=\"text-align: justify;\">the basic activities of the organization consist of <strong>large-scale processing of sensitive data or personal data relating to criminal convictions or offences<\/strong>.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: processing of customer data by an insurance company or bank in the normal course of its business.<\/p>\n<p style=\"text-align: justify;\">The Data Protection Officer has 5 missions:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>inform and advise<\/strong> the organization and the employees who carry out the processing of their obligations pursuant to the legislation currently in place in the Principality;<\/li>\n<li style=\"text-align: justify;\">monitor compliance with the personal data protection legislation and the organization&#8217;s internal rules on the protection of personal data, including the allocation of responsibilities, <strong>awareness-raising, and training of staff involved in the processing operations, and related audits<\/strong>;<\/li>\n<li style=\"text-align: justify;\"><strong>provide on-demand advice<\/strong>, on data protection impact assessment;<\/li>\n<li style=\"text-align: justify;\"><strong>cooperate<\/strong> with the Data Protection Authority and be its contact point on matters relating to the processing;<\/li>\n<li style=\"text-align: justify;\"><strong>submit requests for opinion to the Data Protection Authority<\/strong> when they relate to the following processing operations:\n<ul>\n<li>processing for the purposes of preventing, detecting, investigating, prosecuting or punishing criminal offences, including protection against and prevention of threats to public security;<\/li>\n<li>processing for the purposes of preventing, detecting, investigating, prosecuting or punishing criminal offences, including protection against and prevention of threats to public security.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/job-description-of-the-data-protection-officer\/\" target=\"_blank\" rel=\"noopener\"><strong>Job description of the Data Protection Officer<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Data subject:<\/strong><\/span> the <strong>natural person<\/strong> whose <strong>data<\/strong> are being processed.<br \/>\n<strong>Example<\/strong>: when a store sets up a video surveillance system, the data subjects are all people who can enter the cameras&#8217; field of vision, i.e. employees, visitors, and any service provider working on site.<\/p>\n<table style=\"width: 99.5739%;\" width=\"627\">\n<tbody>\n<tr>\n<td style=\"width: 100%; text-align: justify;\" width=\"627\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-8247 aligncenter\" src=\"https:\/\/apdp.mc\/wp-content\/uploads\/2025\/01\/attention.png\" alt=\"\" width=\"58\" height=\"45\" \/>Although Law no. 1.165 of December 23, 1993 granted rights to <strong>legal persons whose data were processed<\/strong>, namely a right of opposition and a right of access, the new Law has <strong>chosen not to maintain these rights<\/strong>; practice has shown that the <strong>exercise<\/strong> of these rights is <strong>extremely limited, if not non-existent and a source of difficulty<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify;\"><strong>\u00a0<\/strong><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Data transfers:<\/strong><\/span> a data transfer is <strong>any flow of data<\/strong> to a country, territory, or an international organization outside the Principality.<\/p>\n<p style=\"text-align: justify;\">This may involve a <strong>physical transfer<\/strong> or a <strong>remote access<\/strong>, either within a group or to a third party.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: the outsourcing of processing<\/p>\n<p style=\"text-align: justify;\">Article 97 of the Law establishes the principle whereby <strong>any transfer of personal data outside the Principality<\/strong> may be undertaken <strong>without any prior formality<\/strong> providing the legislation or regulation of personal data of the recipient country, territory, or international organization has an <strong>adequate level of protection<\/strong> as observed by the Principality.<\/p>\n<p style=\"text-align: justify;\">When the recipient country, territory, or international organization of the data does not appear on the list of countries with an adequate level of protection, the other scenarios provided for in articles 98, 99, and 100 are then to be considered successively:<\/p>\n<ul>\n<li style=\"text-align: justify;\">appropriate safeguards have been put in place by the data controller or the processor;<\/li>\n<li style=\"text-align: justify;\">the transfer meets the conditions of one of the derogations provided for by the Law;<\/li>\n<li style=\"text-align: justify;\">the 4 conditions provided for in paragraph 3 of article 96 are met;<\/li>\n<li style=\"text-align: justify;\">the transfer has been previously authorized by the APDP based on special protection measures or specific contractual clauses.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/data-transfers-outside-the-principality-scenarios-to-consider\/\" target=\"_blank\" rel=\"noopener\"><strong>Data transfers outside the Principality: scenarios to consider<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Encryption:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024, as a \u00ab <em>cryptographic transformation process of data that makes them incomprehensible to anyone who does not have the decryption key<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">It is a <strong>reversible<\/strong> process that makes the information in a document <strong>unreadable<\/strong> to preserve its <strong>confidentiality.<\/strong><\/p>\n<p style=\"text-align: justify;\">After encryption, it is therefore still possible to retrieve the initially encrypted data using a key, that is to say, a decryption algorithm.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Genetic data:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024 as \u00ab <em>personal data relating to the hereditary or acquired genetic characteristics of a natural person that provide unique information about the physiology or health status of that natural person and that result, in particular, from an analysis of a biological sample from the person in question<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">These data relate to <strong>hereditary characteristics<\/strong> and are used in particular in the <strong>health sector<\/strong>.<\/p>\n<p style=\"text-align: justify;\"><strong>Examples<\/strong>:<\/p>\n<ul>\n<li style=\"text-align: justify;\">saliva<\/li>\n<li style=\"text-align: justify;\">blood<\/li>\n<li style=\"text-align: justify;\">hair bulb<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">They can also be used for <strong>the purpose of identifying a person<\/strong> through their genetic fingerprints.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Information society service:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024, as \u00ab <em>any service, whether or not for consideration, provided at a distance and without the parties being simultaneously present, by electronic means and at the individual request of a recipient of services<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\"><strong>Examples<\/strong>:<\/p>\n<ul>\n<li style=\"text-align: justify;\">ordering clothes from a retail website<\/li>\n<li style=\"text-align: justify;\">online subscription to an electronic magazine<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Personal data:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024, as \u00ab <em>any information relating to a natural person identified or identifiable (referred to hereinafter as &#8220;data subject&#8221;). An &#8220;identifiable natural person&#8221; is one who can be identified, directly or indirectly, in particular by reference to an identifiersuch as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">These data, which were qualified as &#8221; personal information&#8221; by Law no. 1.165 of December 23, 1993, as amended, have been detailed in relation to this old definition in order to specify that the following are <strong>personal data<\/strong>:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>the genetic data<\/strong> and<\/li>\n<li style=\"text-align: justify;\"><strong>the location data<\/strong><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Therefore, any information <strong>relating to an individual<\/strong> constitutes personal data.<\/p>\n<p style=\"text-align: justify;\">It is important to distinguish between two types of personal data:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>directly identifiable<\/strong> data.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">These data clearly identify the identity of a person.<br \/>\nFor example, a person\u2019s first and last name.<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>indirectly identifying<\/strong> data.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">These data allow for the identification of a person in 2 ways:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>by reference<\/strong> to an identification number, for example, such as:\n<ul>\n<li style=\"text-align: justify;\">a phone number<\/li>\n<li style=\"text-align: justify;\">a postal address or e-mail address<\/li>\n<li style=\"text-align: justify;\">a social security number<\/li>\n<li style=\"text-align: justify;\">a file number<\/li>\n<li style=\"text-align: justify;\">a vehicle registration plate<\/li>\n<li style=\"text-align: justify;\">an IP address<\/li>\n<\/ul>\n<\/li>\n<li><strong>by elements specific to its physical identity<\/strong>, such as:\n<ul>\n<li>a photo or video<\/li>\n<li>a voice recording<\/li>\n<li>a fingerprint<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">On the other hand, company contact details as well as generic e-mail addresses <strong>are not<\/strong>, in principle, considered to be personal data.<\/p>\n<p style=\"text-align: justify;\">When it is possible to identify a person by <strong>cross-referencing several pieces of information<\/strong> such as gender, age, profession, and place of residence, the data are <span style=\"text-decoration: underline;\"><strong>always<\/strong><\/span> considered personal.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Personal data processing:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024 as \u00ab\u00a0 <em>any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, retrieval, consultation, use, adaptation or alteration, disclosure by transmission, dissemination or otherwise making available, the reconciliation or interconnection, limitation, the application of logical or arithmetic operations to such data<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\"><strong>Any operation<\/strong> involving personal data in this way constitutes processing within the meaning of the applicable legislation.<\/p>\n<p style=\"text-align: justify;\"><strong>Examples<\/strong>:<\/p>\n<ul>\n<li style=\"text-align: justify;\">the collection of a person\u2019s name and e-mail address via the contact section of a website<\/li>\n<li style=\"text-align: justify;\">the recording of telephone conversations<\/li>\n<li style=\"text-align: justify;\">the implementation of a geolocation device on company vehicles<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">The processing<strong> may or not be computerized<\/strong>.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: a paper file.<\/p>\n<p style=\"text-align: justify;\">However, processing relating to <strong>personal and domestic activities<\/strong> are excluded from the scope of Law no. 1.565 of December 3, 2024.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: the creation of a file containing friends&#8217; contact details.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Processing at a large scale (large-scale processing):<\/strong><\/span> defined in article 2 of Law no.\u00a0 1.565 of December 3, 2024, a large-scale processing is \u00ab <em>any operation which is intended to process a considerable volume of personal data, which may affect a significant number of data subjects, assessed either as a specific number or as a proportion of the relevant population, and which is likely to give rise to a high risk, taking into account in particular the duration or permanence of the data processing activity and its geographical extent<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: processing of customer data in the regular course of business by an insurance company or a bank<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Processor:<\/strong><\/span> defined in article 2 of the Law no. 1.565 of December 3, 2024, as \u00ab <em>the natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">In this respect, article 26 of Law no. 1.565 of December 3, 2024 stipulates that when the controller uses a processor, the latter must provide <strong>sufficient guarantees regarding the implementation of appropriate technical and organizational measures<\/strong> to ensure<strong> the protection of personal data<\/strong> and <strong>respect for the rights of data subjects<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Furthermore, a processor can only act <strong>on documented instructions<\/strong> from the data controller.<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/les-acteurs-cles-de-la-protection-des-donnees-en-principaute\/\" target=\"_blank\" rel=\"noopener\"><strong>The key players in data protection in the Principality<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Profiling:<\/strong><\/span> article 2 of Law no. 1.565 of December 3, 2024 defines profiling as \u00ab <em>any form of automated processing of personal data consisting in using such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict elements concerning that person\u2019s job performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: the approval of a loan is conditioned on the result of an algorithm based on fully automated criteria.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Pseudonymization:<\/strong><\/span> pseudonymisation is defined in point 16 of article 2 of Law no. 1.565 of December 3, 2024 as \u00ab <em>the processing of personal data in such a way that these data can no longer be attributed to a specific data subject without recourse to additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">Also know as \u201creversible anonymisation\u201d, it consists of <strong>replacing one attribute by another<\/strong> in a record.<\/p>\n<p style=\"text-align: justify;\">Hence, the physical (natural) persons may still be likely to be identified indirectly.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: for medical research, participants are identified solely by a patient number assigned by the investigating physician. However, the latter keeps a non-automated document in which this patient number is associated with the name and surname of the patient to whom it has been assigned, so that they can be identified if necessary.<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/security\/6379-2\/\" target=\"_blank\" rel=\"noopener\"><strong>Anonymyzation or pseudonymization<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Recipient:<\/strong><\/span> defined in article 2 of Law no. 1.565 of December 3, 2024 as the \u00ab <em>natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">This same article further specifies that \u00ab <em>public authorities which may receive personal data in the framework of a particular inquiry shall not be regarded as recipients<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">The following are therefore considered as recipients: persons, departments, divisions, etc. other than the public authorities in the context of a specific investigation, who receive the data.<\/p>\n<p style=\"text-align: justify;\"><strong>Example<\/strong>: commercial partners<\/p>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/les-acteurs-cles-de-la-protection-des-donnees-en-principaute\/\" target=\"_blank\" rel=\"noopener\"><strong>The key players in data protection in the Principality<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Representative:<\/strong> <\/span>pursuant to article 2 of Law no. 1.565 of December 3, 2024, the representative is the natural person or legal entity <strong>established on the territory of the Principality<\/strong> or, failing that, within a Member State of the European Union who has been <strong>appointed<\/strong> by a data controller or processor to be the <strong>contact<\/strong> both for the data subjects and for the APDP. The data subjects will then be able to contact the representative with any questions they may have.<\/p>\n<p style=\"text-align: justify;\">The representative <strong>must<\/strong> be appointed whenever a data controller or processor, <strong>not established in Monaco, offers products or services<\/strong> to individuals located in the Principality or implements processing operations relating to the <strong>monitoring of their behaviour<\/strong>.<\/p>\n<p style=\"text-align: justify;\"><strong>Examples<\/strong> :<\/p>\n<ul>\n<li style=\"text-align: justify;\">an e-commerce company based in Italy offering products or services to people in the Principality<\/li>\n<li style=\"text-align: justify;\">an American press company offering an online newspaper subscription service without having an office in Monaco<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">[For more information, refer to the factsheet <a href=\"https:\/\/apdp.mc\/en\/apdp\/fact-sheets\/all-you-need-to-know-about-the-law\/les-acteurs-cles-de-la-protection-des-donnees-en-principaute\/\" target=\"_blank\" rel=\"noopener\"><strong>The key players in data protection in the Principality<\/strong><\/a>]<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 18px; color: #001780;\"><strong>Sensitive data:<\/strong><\/span> defined by Article 2 of Law No. 1.565 of December 3, 2024 as \u00ab <em>personal data that reveal either directly or indirectly, opinions or political affiliations, racial or ethnic origins, religious, philosophical or trade union beliefs, or genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning a natural person&#8217;s health, sex life or sexual orientation<\/em> \u00bb.<\/p>\n<p style=\"text-align: justify;\">Sensitive data are particular personal data due to their <strong>highly private nature<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Article 7 of the Law establishes the <strong>prohibition of processing sensitive data principle<\/strong>.<\/p>\n<p style=\"text-align: justify;\">However, the Law provides for <strong>13 exceptions<\/strong> to this principle, notably:<\/p>\n<ul>\n<li style=\"text-align: justify;\">for processing based on the <strong>explicit consent of the data subject<\/strong>;<\/li>\n<li style=\"text-align: justify;\">for the processing <strong>necessary to safeguard the vital interests of the data subject or of another natural person<\/strong>, in the event that the person cannot validly give consent due to an impairment of his or her faculties, <strong>physical or legal incapacity<\/strong> or a complete material impossibility;<\/li>\n<li style=\"text-align: justify;\">for processing relating to data data manifestly <strong>made public by the data subject<\/strong>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Anonymization: a technique that consists in \u00ab removing any identifying characteristics from a set of data \u00bb. It corresponds to the \u00ab process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII subject can no longer be identified directly or indirectly, either by the data controller of the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":10,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-20347","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Glossary &#8211; APDP<\/title>\n<meta name=\"description\" content=\"APDP - Autorit\u00e9 de Protection des Donn\u00e9es Personnelles \u2013 Principaut\u00e9 de Monaco - official site https:\/\/apdp.mc\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/apdp.mc\/en\/glossary\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Glossary &#8211; APDP\" \/>\n<meta property=\"og:description\" content=\"APDP - Autorit\u00e9 de Protection des Donn\u00e9es Personnelles \u2013 Principaut\u00e9 de Monaco - official site https:\/\/apdp.mc\" \/>\n<meta property=\"og:url\" content=\"https:\/\/apdp.mc\/en\/glossary\/\" \/>\n<meta property=\"og:site_name\" content=\"APDP\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-29T08:24:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/apdp.mc\/wp-content\/uploads\/2025\/01\/attention.png\" \/>\n\t<meta property=\"og:image:width\" content=\"139\" \/>\n\t<meta property=\"og:image:height\" content=\"108\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/\",\"url\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/\",\"name\":\"Glossary &#8211; APDP\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/apdp.mc\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/attention.png\",\"datePublished\":\"2025-01-21T13:43:57+00:00\",\"dateModified\":\"2025-10-29T08:24:11+00:00\",\"description\":\"APDP - Autorit\u00e9 de Protection des Donn\u00e9es Personnelles \u2013 Principaut\u00e9 de Monaco - official site https:\\\/\\\/apdp.mc\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/#primaryimage\",\"url\":\"https:\\\/\\\/apdp.mc\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/attention.png\",\"contentUrl\":\"https:\\\/\\\/apdp.mc\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/attention.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/glossary\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/apdp.mc\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Glossary\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/apdp.mc\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/apdp.mc\\\/en\\\/\",\"name\":\"APDP\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/apdp.mc\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Glossary &#8211; APDP","description":"APDP - Autorit\u00e9 de Protection des Donn\u00e9es Personnelles \u2013 Principaut\u00e9 de Monaco - official site https:\/\/apdp.mc","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/apdp.mc\/en\/glossary\/","og_locale":"en_US","og_type":"article","og_title":"Glossary &#8211; APDP","og_description":"APDP - Autorit\u00e9 de Protection des Donn\u00e9es Personnelles \u2013 Principaut\u00e9 de Monaco - official site https:\/\/apdp.mc","og_url":"https:\/\/apdp.mc\/en\/glossary\/","og_site_name":"APDP","article_modified_time":"2025-10-29T08:24:11+00:00","og_image":[{"width":139,"height":108,"url":"https:\/\/apdp.mc\/wp-content\/uploads\/2025\/01\/attention.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/apdp.mc\/en\/glossary\/","url":"https:\/\/apdp.mc\/en\/glossary\/","name":"Glossary &#8211; APDP","isPartOf":{"@id":"https:\/\/apdp.mc\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/apdp.mc\/en\/glossary\/#primaryimage"},"image":{"@id":"https:\/\/apdp.mc\/en\/glossary\/#primaryimage"},"thumbnailUrl":"https:\/\/apdp.mc\/wp-content\/uploads\/2025\/01\/attention.png","datePublished":"2025-01-21T13:43:57+00:00","dateModified":"2025-10-29T08:24:11+00:00","description":"APDP - Autorit\u00e9 de Protection des Donn\u00e9es Personnelles \u2013 Principaut\u00e9 de Monaco - official site https:\/\/apdp.mc","breadcrumb":{"@id":"https:\/\/apdp.mc\/en\/glossary\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/apdp.mc\/en\/glossary\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/apdp.mc\/en\/glossary\/#primaryimage","url":"https:\/\/apdp.mc\/wp-content\/uploads\/2025\/01\/attention.png","contentUrl":"https:\/\/apdp.mc\/wp-content\/uploads\/2025\/01\/attention.png"},{"@type":"BreadcrumbList","@id":"https:\/\/apdp.mc\/en\/glossary\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/apdp.mc\/en\/"},{"@type":"ListItem","position":2,"name":"Glossary"}]},{"@type":"WebSite","@id":"https:\/\/apdp.mc\/en\/#website","url":"https:\/\/apdp.mc\/en\/","name":"APDP","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/apdp.mc\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/pages\/20347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/comments?post=20347"}],"version-history":[{"count":13,"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/pages\/20347\/revisions"}],"predecessor-version":[{"id":21364,"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/pages\/20347\/revisions\/21364"}],"wp:attachment":[{"href":"https:\/\/apdp.mc\/en\/wp-json\/wp\/v2\/media?parent=20347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}