CCIN: your legal obligations in Monaco
CCIN: what are your legal obligations for the collection of personal data in Monaco?
Before anything else, you must designate a signatory and a person responsible for the processing of this data (the data controller). The latter submits documents and files to the CCIN, such as declarations or requests for opinions, and is the guarantor of the company's compliance with the law and its legal obligations.
The data controller is in particular responsible for ensuring compliance with the following legal obligations in the context of a showcase site or a merchant site:
1. Obligation to provide information on the collection of personal data from visitors to the site
This information must be clear and accessible on the site, for example on a page dedicated to the Personal Data Confidentiality Policy which must indicate at least: the identity of the data controller and the purpose of the processing.
The information page must also indicate whether providing each item of data is mandatory or optional, the consequences of not providing it, the identity of the recipients or the categories of recipients, the applicable right to object, the conditions for access and rectification, any communication of personal information to third parties, etc.
2. Obligation of information and consent on the use of cookies
The vast majority of websites use "cookies" (small files downloaded to the Internet user's computer or mobile device during a visit).
You must check whether these cookies use or transmit personal information, and inform visitors to your site of their use and their purpose (technical, statistical, commercial, etc.). Ideally, all cookies should be listed, specifying their purpose, the service that uses them and their retention period (knowing that this is legally limited to 13 months).
3. Obligation of information towards employees on their personal data made public
When personal data of persons employed by the company, such as first and last name, photo, function/position or contact information, are displayed on the site, or are traceable by various means (including a simple connection), the employee must be informed and consent to their use and purpose.
4. Obligation to provide information in the event of data transfers to a country that does not have an adequate level of protection
The list of countries with an adequate level of protection is defined within the meaning of Article 20 of Law No. 1.165 as amended. Therefore, if data is transferred, automatically or by any other means, to a country not included in this list, for example the United States, the user concerned must be informed and must give consent. For example, the use of Google Analytics cookies results in the transfer of data to servers located in the USA; the website must mention this and obtain the explicit consent of the user concerned.
In addition, the data controller must take measures to ensure the confidentiality and security of the data transferred to these countries.
5. Obligation to control personal data
The data controller must list and categorize the personal data collected, and limit its scope as much as possible to what is strictly necessary for each functionality (contact, newsletter, statistics, e-commerce customer accounts, etc.).
6. Obligation to limit the duration of personal data
The data controller must also ensure the adequacy and legality of the retention periods adapted to each of the categories of data thus collected.
Duration control obligations include in particular: the deletion of the contact data of an inactive user after a maximum of 3 years and the deletion of cookies after a maximum of 13 months.
Furthermore, the retention rules must provide for the deletion of non-necessary data once their purpose has been accomplished, the systematic deletion of data upon express request, and their archiving if, and only if, this is necessary in the case of commercial transactions.
7. Obligation to control and retain banking data
Banking data can only be kept for a maximum of 13 months after the last debit date for legal purposes linked to commercial transactions, or a maximum of 15 months in the case of deferred debit payment cards.
In addition, it is prohibited to keep visual cryptograms, or to keep expired bank card data.
8. Obligation to control and retain identity documents
Duplicates or digital copies of identity documents cannot be kept for more than 6 months when used for bank card verification purposes, and must be destroyed as soon as verification has been carried out, including for requests for reimbursement or remote payment.
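The retention maxima in sections 2, 6, 7 and 8 above are easiest to enforce as a scheduled job that evaluates every stored record against its category's limit. The following is an added example and not code from the page or from the CCIN; the category names, the record layout and the sample records are constructed assumptions. It applies the page's figures (cookies 13 months, inactive contacts 3 years, card data 13 or 15 months after the last debit, identity-document copies 6 months or until verification) and also flags data the page says may never be kept (card cryptograms, expired card data).

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Retention maxima, in months, taken from the obligations listed on the page.
# The category names themselves are an assumption of this example.
RETENTION_MONTHS = {
    "cookie": 13,               # section 2 / 6: cookies, at most 13 months
    "inactive_contact": 36,     # section 6: inactive user contact data, at most 3 years
    "bank_card_immediate": 13,  # section 7: 13 months after the last debit
    "bank_card_deferred": 15,   # section 7: 15 months for deferred debit cards
    "identity_document": 6,     # section 8: copies kept at most 6 months
}

# Section 7: these must never be stored, whatever their age.
PROHIBITED_CATEGORIES = {"card_cryptogram", "expired_card"}


@dataclass
class Record:
    record_id: str
    category: str
    anchor_date: date              # last debit, last activity or collection date
    card_expiry: Optional[date] = None  # only meaningful for bank card records
    verified: bool = False         # only meaningful for identity documents


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def retention_deadline(rec: Record) -> Optional[date]:
    """Latest date on which the record may still be held; None if never allowed."""
    if rec.category in PROHIBITED_CATEGORIES:
        return None
    return add_months(rec.anchor_date, RETENTION_MONTHS[rec.category])


def classify(rec: Record, today: date) -> Tuple[str, Optional[date]]:
    """Return ("prohibited" | "delete_now" | "retain", deadline)."""
    if rec.category in PROHIBITED_CATEGORIES:
        return "prohibited", None
    # Section 7: expired bank card data may not be kept at all.
    if rec.category.startswith("bank_card") and rec.card_expiry is not None \
            and rec.card_expiry < today:
        return "prohibited", None
    # Section 8: destroy the copy as soon as verification is done.
    if rec.category == "identity_document" and rec.verified:
        return "delete_now", today
    deadline = retention_deadline(rec)
    return ("delete_now" if deadline <= today else "retain"), deadline


def evaluate(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by the action the retention rules require."""
    result: Dict[str, List[str]] = {"prohibited": [], "delete_now": [], "retain": []}
    for rec in records:
        action, _ = classify(rec, today)
        result[action].append(rec.record_id)
    return result


# Constructed sample data set; the reference date is also constructed.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "cookie", date(2023, 4, 1)),                       # >13 months old
    Record("R2", "inactive_contact", date(2022, 1, 15)),            # <3 years old
    Record("R3", "bank_card_immediate", date(2023, 4, 30), date(2026, 12, 31)),
    Record("R4", "bank_card_deferred", date(2023, 4, 30), date(2026, 12, 31)),
    Record("R5", "bank_card_immediate", date(2024, 5, 1), date(2024, 3, 31)),  # expired card
    Record("R6", "card_cryptogram", date(2024, 5, 1)),              # never allowed
    Record("R7", "identity_document", date(2024, 5, 20), verified=True),
    Record("R8", "identity_document", date(2024, 1, 2), verified=False),
]

if __name__ == "__main__":
    for action, ids in evaluate(SAMPLE_RECORDS, TODAY).items():
        print(f"{action:12s} {', '.join(ids) or '-'}")
```

The deferred-debit case (R4) shows why the card category has to be carried on the record: the same last-debit date yields deletion now under the 13-month rule but retention until 30 July 2024 under the 15-month rule. Running the job daily and deleting everything in `delete_now`, while treating any entry in `prohibited` as an incident to investigate, is the operational form of the obligations above.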
9. Data security obligation
See our dedicated page: CCIN: security of data, systems and networks
We ensure the security of your data and your compliance in Monaco (personal data and sensitive data)
- Complete CCIN / GDPR compliance audit of your company, your site, databases and IT systems (personal data, financial data, health data, security, access, etc.).
- Analysis of compliance issues and risks, recommendations from our experts to ensure CCIN / GDPR compliance of your site, third-party applications and modules, your data as well as that of your users.
- Registration and CCIN formalities, and implementation of corrective measures and good practices to ensure compliance of your site, your data and your business.
- Option: automated CCIN / GDPR compliance service for your website.