DLA Piper Intelligence

Data Protection
Laws of the World

Law

Monaco

Data protection in Monaco is regulated by Data Protection Law n° 1.165 of 23 December 1993, modified by Law n° 1.353 of 4 December 2008 (DPL).

Furthermore, the Principality of Monaco is part of the Council of Europe and has entered into Convention n° 108 of the Council of Europe.

The Principality of Monaco is not part of the EU and as a consequence did not transpose Data Protection Directive 95/46/EC.  

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data is defined under the Data Protection Law as: ‘data enabling identification of a determined or determinable person. Any individual who can be identified, directly or indirectly, notably by reference to an identification number or to one or more factors specific to his physical, physiological, psychological, economical, cultural, or social identity is deemed to be identifiable’.

Definition of sensitive personal data

Sensitive personal data is not expressly defined under the DPL but it is deemed to be: ‘Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health/genetic data, sex life, data concerning morals or social matters’.

Authority

The Monegasque regulator is the Commission for Control of Personal Data (Commission de Contrôle des Informations Nominatives or CCIN).

Registration

Data controllers who process personal data must inform/notify/request approval from the CCIN so that their processing of personal data may be registered. Any changes to the processing of personal data will require the registration to be amended.

The notification should include the following information:

  • what data is being collected
     
  • why the data will be processed
     
  • the categories of data subject, and
     
  • whether the data will be transferred either within or outside Monaco.

Data Protection Officers

There is no requirement in Monaco for organisations to appoint a data protection officer.

However, the CCIN views the appointment of a data protection officer favourably, as evidence of the company’s actions to ensure compliance with the data protection legislation. In practice, companies in Monaco do not generally appoint data protection officers.

Collection & Processing

Data processing must be justified by:

  • data subject’s consent
     
  • a legal duty imposed on the data controller
     
  • a public purpose
     
  • completion of a contract entered into between the data controller and the data subject, or
     
  • the data controller’s legitimate interest, provided that the data subject’s fundamental rights and liberties are respected.

Where sensitive personal data is processed, one of the above conditions must be met plus one from an additional list of more stringent conditions.

The data controller must also provide the data subject with ‘fair processing information’. This includes the identity of the data controller, the purposes of processing and any other information needed under the circumstances to ensure that the processing is fair.

Transfer

As the Principality of Monaco is not part of the EU, the DPL does not distinguish between EEA jurisdictions and non-EEA jurisdictions.

However, the DPL provides that the transfer of data is authorised for cross border access, storage and processing of data only to a country with equivalent protection and reciprocity.

The CCIN has established a list of the countries deemed to have equivalent protection and reciprocity. States parties to Council of Europe Convention n° 108, relating to the protection of individuals with regard to the automatic processing of personal data, are deemed to have protection equivalent to that of Monaco.

Data transfers to countries with an adequate level of protection are not subject to the authorisation of the CCIN.

On the occasion of the plenary meeting on 15 April 2015, the CCIN adopted a position of principle and decided that all personal data transfers to a country or an organisation that does not ensure an adequate level of protection should, in any event, be submitted to the Commission in the form of a transfer authorisation application.

In the plenary meeting of 16 March 2016, the CCIN affirmed that it is necessary to submit a transfer authorisation application to the Commission where personal data will be accessed from a country that does not have an adequate level of protection.

The declaration to CCIN should indicate whether it is intended for personal data to be transferred cross-border.

Security

Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm which might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as mentioned above, and must be appropriate to the nature of the data.

Breach Notification

There is no mandatory requirement in the DPL to report breaches or losses to the CCIN or to data subjects.

Enforcement

The CCIN and Monegasque Courts are responsible for enforcing the DPL. If the CCIN becomes aware that a data controller is in breach of the DPL, it can serve an enforcement notice requiring the data controller to rectify the position. Failure to comply with an enforcement notice is a criminal offence and can be punished on conviction with imprisonment of 1 month to 1 year or a fine of between Eur 9,000 and Eur 90,000 or both.

Electronic Marketing

Prior to implementing any electronic marketing activity the CCIN must be notified, as electronic marketing activities may use personal data. The law does not prohibit the use of personal data for the purpose of electronic marketing. However, when implementing electronic marketing activities a company must respect the provisions of articles 1, 10-1, 10-2 and 14 of the DPL.

The automated or non-automated processing of personal data must not infringe the fundamental rights and freedoms enshrined in Title III of the Constitution.

Personal data must be:

  • collected and processed fairly and lawfully
     
  • collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes
     
  • adequate, relevant and not excessive in relation to the purposes for which it is collected and/ or further processed
     
  • accurate and, if necessary, updated; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified, and
     
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Processing of personal data must be justified:

  • by consent from the data subject(s)
     
  • by compliance with a legal obligation to which the data controller or their representative is subject
     
  • by it being in the public interest
     
  • by the performance of a contract or pre-contractual measures with the data subject, or
     
  • by the fulfillment of a legitimate motive on the part of the data controller or their representative or by the recipient, on condition that the interests or fundamental rights and freedoms of the data subject are not infringed.

Persons from whom personal data is collected must be informed:

  • of the identity of the data controller and, if applicable, the identity of their representative in Monaco
     
  • of the purpose of processing
     
  • of the obligatory or optional nature of replies
     
  • of the consequences for them of failure to reply
     
  • of the identity of recipients or categories of recipients
     
  • of their right to oppose, access and rectify their data, and
     
  • of their right to oppose the use on behalf of a third party, or the disclosure to a third party of their personal data for the purposes of prospection, particularly commercial prospection.

Online Privacy

Prior to the use of Traffic Data, Location Data and Cookies the CCIN must be notified. The use of Traffic Data, Location Data and Cookies will have to respect the provisions of the DPL.

In addition, the data controller or their representative must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, corruption, unauthorised disclosure or access, in particular where processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Measures implemented must ensure an adequate level of security with regard to the risks posed by processing and by the nature of the data to be protected.

Where the data controller or their representative makes use of the services of one or more service providers, they must ensure that the latter are able to comply with the obligations laid down in the two previous paragraphs.

Contacts
Gilbert Delacour
CEO
T +377 93 25 84 00