GDPR Compliance in Monaco
CROSS-BORDER COMPLIANCE: NAVIGATING BETWEEN THE GDPR AND MONACO’S LAW NO. 1.165
As a company or private organization in Monaco, you are subject to the legal obligations of the CCIN under Law 1.165 of December 23, 1993, as amended. However, if, like the vast majority of economic actors in the Principality, many of your clients, prospects, contacts, and visitors are located in France or the European Union, you are also subject to the constraints of the European GDPR (General Data Protection Regulation).
Article 2 of the GDPR states that this European regulation «applies to the processing of personal data, wholly or partly automated, as well as to non-automated processing of personal data contained or intended to be included in a filing system.»
Regarding its application in Monaco, Article 3 «Territorial Scope» of the GDPR provides that this «regulation applies to the processing of personal data relating to data subjects who are in the Union» regarding any «offering of goods or services» or «monitoring of behavior.»
Therefore, if your company or organization based in Monaco targets individuals within the EU, it is likely subject to the obligations of the European GDPR, in addition to the legal obligations provided by Monegasque Law No. 1.165.
Examples of companies subject to or exempt from GDPR and Law No. 1.165
| Case | Law No. 1.165 (Monaco) | GDPR (U.E) |
|---|---|---|
Monaco-based company selling goods/services in an EU country. | ||
Monaco-based subcontractor processing personal data for a company in Italy. | ||
Monegasque company with a branch in France. | ||
Monaco-based company creating a mobile application in French and Italian. | ||
Company in Monaco not targeting individuals within the EU. | ||
Monaco-based company with employees residing in France (without offering goods or services to individuals in the EU) | ||
French company with no activity in Monaco. |
Legal obligations of the European GDPR for data controllers in Monaco
With the exception of a few specific cases like those outlined above, the vast majority of Monegasque companies are de facto subject to the obligations of the GDPR.
It is important to note that the Principality aims to quickly harmonize Monegasque legislation with GDPR rules through Bill No. 1054 on the protection of personal data.
This harmonization will entail expanded constraints compared to Law No. 1.165. However, it will exempt from prior formalities for processing personal data with the CCIN to adopt the «principle of accountability» and «posteriori control.»
Thus, Bill No. 1054 incorporates all the main provisions concerning private companies processing personal data, excluding health data, data related to professional secrecy, or sensitive data, which will be subject to specific provisions in the Principality of Monaco.
Main obligations of the GDPR for companies in Monaco
For more details on the obligations, limitations, and exceptions provided by the GDPR, you can consult the website of the French CNIL (National Commission for Information Technology and Civil Liberties).
- Appointment of a representative in the EU if the data controller is not established there.
- Mandatory appointment of a DPO (Data Protection Officer) or DPD (Data Protection Delegate) for the processing of sensitive data.
- Mandatory activity register for companies with more than 250 employees in the EU.
- Free, specific, informed, and unambiguous consent of data subjects.
- Rights to portability, limitation, etc.
- Mandatory impact assessment for sensitive data.
- General obligation of protection and security of processed data.
- Notification of personal data breaches.
Sécurity + Compliance CCIN / GDPR: FREE CONSULTATION
FREE Consultation: Security and Compliance in Monaco
Protect your data and that of your clients and users! Baccana Digital Consulting helps you secure your website and business while ensuring compliance!
Contact us today for a free 30-minute consultation with our CCIN/RGPD compliance and security experts in Monaco.