Everything you need to know about the future law on the protection of personal data in Monaco
How was Personal Data Protection Bill No. 1054 born?
In 2008, the update of Law No. 1.165 of December 23, 1993, on the protection of personal data, allowed the Principality of Monaco to join, from the following year, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) of the Council of Europe, more commonly known as Convention 108.
However, as highlighted in the introduction to the bill, “it is clear that the ever more rapid development of technologies, combined with the globalization of flows, requires the Principality to once again modernize its legal data protection framework.”
On December 20, 2021, Bill No. 1054 relating to the protection of personal data was submitted to the National Council of Monaco to reform Law No. 1.165 of December 23, 1993, as amended.
The main objective of this large-scale reform is to obtain “suitable country” status for the Principality of Monaco from the European Commission.
The proclamation of this “adequacy” would notably provide assurance that Monegasque legislation offers a level of protection of personal data equivalent to that of the European Union.
NOTE: the vote on this bill is conditional on the prior vote of Bill No. 1053 approving the ratification of the protocol of amendment to the Convention on the protection of individuals with regard to automated processing of personal data.
What are the main objectives of Bill No. 1054?
Through this regulatory reform, the Principality mainly aims to achieve the following objectives:
- Align Monegasque personal data protection legislation with the General Data Protection Regulation (GDPR).
- Take into account the provisions of the modernized Convention 108.
- Take into account the provisions of the so-called Police Justice Directive (Directive (EU) 2016/680 of the European Parliament and of the Council).
- Have Monaco recognized by the European Commission as a country with an adequate level of protection in terms of personal data protection, and thus facilitate data transfers to Monaco.
- Establish the Personal Data Protection Authority (APDP), replacing the current CCIN (Commission for the Control of Nominative Information).
What are the key points and main changes introduced by Bill No. 1054?
1. Assimilating the Principality of Monaco to the EU in terms of transfers of personal data
The recognition of Monaco as a “suitable country” would allow transfers of personal data to and from the European Union to take place in complete transparency.
This is, for example, already the case for countries on the continent, but outside the EU, such as Switzerland or the United Kingdom, but also for more distant countries such as Japan or New Zealand.
This “adequacy decision” would de facto allow Monaco to be considered a country of the European Union with regard to GDPR legislation.
2. Exclude legal entities from personal data protection legislation
Unlike Law No. 1.165 of December 23, 1993, as amended, Bill No. 1054 provides that obligations regarding the processing of personal data will not be maintained for legal entities.
Mr. Franck JULIEN, Rapporteur of the Bill and President of the Committee on Finance and the National Economy, explains in substance that “the practice having demonstrated that the exercise of these rights was extremely limited, even non-existent and a source of difficulty for the protection authority”.
Bill No. 1054 thus takes up the provisions of Law No. 1.383 for a digital Principality amended in 2011 which defines personal data as “information relating to an identified or identifiable natural person”.
This exclusion of legal entities is also in line with similar provisions of the GDPR and the modernized Convention 108, as in France or Luxembourg.
3. Enforcing data protection in Monaco and outside Monaco
This provision is directly inspired by the principle of “territorial scope” of Article 3 of the GDPR and gives the bill both territorial and extraterritorial scope.
This will in particular make it possible to better protect the persons concerned, including in the usual case of tracking by cookies, and whether the data controller (or the subcontractor concerned) is established inside or outside the Monegasque territory.
Thus, the location taken into account will be the physical location of the people concerned, and not that of the processing means.
4. Create new rights and strengthen existing rights for data subjects
Article 14 of Bill No. 1054 takes up Article 18 of the GDPR to create a new right concerning the limitation of the processing of personal data.
These limitations are applicable in the event of dispute, opposition to the processing or deletion of data, or necessity for the defense of legal rights, and require the consent of the person concerned, with exceptions.
A new right is also created allowing the data subject to transmit this data to another data controller, without prior consent from the data controller.
Finally, many rights will be strengthened, including: right to information (Art. 10), right of access (Art. 11), rectification (Art. 12), erasure (Art. 13), and opposition (Art. 16), limitation of processing (Art. 14), as well as the right to refuse automated processing, including profiling (Art. 18).
5. With exceptions, remove the requirement for prior formalities
According to Articles 21 and 22 of Bill No. 1054, the legal obligations of declaration or authorization prior to the actual processing of personal data would be replaced by a principle of self-regulation.
Thus, it would no longer be necessary to carry out the usual formalities, which are undoubtedly complex and cumbersome to implement within the framework of the current obligations of Law No. 1.165.
However, this will not exempt the person responsible from legal compliance in the processing of personal data, in particular with regard to the new provisions if they come into existence within the new law.
Above all, this self-regulatory capacity presupposes the implementation of a number of preventive measures and appropriate technical tools, similar to the prerequisites for compliance with the GDPR, as well as the ability to demonstrate the effectiveness of these measures on request of the regulatory authority.
Finally, notable exceptions to the exemption from declaration or prior authorization:
- Transfers of personal data to “inappropriate” countries or organizations.
- Particularly sensitive data processing.
- Video surveillance authorizations.
6. Include new obligations in line with the GDPR
Although most organizations will no longer be subject to the prior declaration obligation, the adequacy of the new Monegasque regulations with the GDPR induces new provisions and obligations in the actual implementation of the processing of personal data, in particular:
- Data protection by design / by default
- Joint responsibility for processing with processor, where applicable
- Appointment of a representative in Monaco
- Additional obligations for subcontractors
- Register of processing activities if the workforce exceeds 50 employees
- Mandatory appointment of a Data Protection Officer (similar to the GDPR DPO), under conditions
- Mandatory completion of an impact analysis relating to data protection, under conditions.
- Data security obligations of the controller and the processor.
- Obligation to report notable data breaches
For more information on these new obligations, and other key points not mentioned here, you can consult the very comprehensive article on the subject by the firm GIACCARDI & BREZZO Lawyers.
7. Create new independent administrative authorities
The new authority will be called the Personal Data Protection Authority (APDP), and will have to monitor and verify that personal data is processed in compliance with the new legislative and regulatory provisions.
The APDP will be commissioned to implement and explain the new law and new obligations, and will have the power to impose sanctions through administrative fines.
To this end, the regulatory authority has acquired two additional members.
The authority will also have an advisory mission, supporting data controllers, subcontractors, and data subjects, and will welcome 2 additional members.
A Judicial Data Protection Officer will also be appointed in charge of investigations or verifications relating to processing implemented by the courts and by the public prosecutor in the exercise of their jurisdictional functions.
Finally, data related to national security and defense will be subject to the authority of a Commission composed of three members (as detailed in Article 16 of Law No. 1.430 of July 13, 2016, relating to various measures relating to the preservation of national security).