DLA Piper Intelligence

Data Protection
Laws of the World

Law

Monaco

Within the Principality of Monaco (Monaco) data protection is regulated by Data Protection Law n° 1.165 of December 23, 1993, modified from time to time and notably by Law n° 1.353 of December 4, 2008 and most recently by Law n° 1.462 of June 28, 2018 (DPL).

Further, Monaco is part of the Council of Europe and entered into Convention n° 108 of the European Council. However, Monaco is not part of the EU and did not adopt Data Protection Directive 95/46/EC or its successor the General Data Protection Regulation.

Last modified 28 Jan 2019
Definitions

Definition of personal data

Under the DPL, personal data is defined as data enabling identification of a determined or determinable person. Any individual who can be identified, directly or indirectly, notably by reference to an identification number or to one or more factors specific to their physical, psychological, economic, cultural, or social identity is deemed to be identifiable.

Definition of sensitive personal data

While not expressly defined under the DPL, sensitive personal data is considered to be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as data concerning health, genetic data, sex life, morals or social matters.

Authority

The Monegasque regulator is the Commission for Control of Personal Data (Commission de Contrôle des Informations Nominatives or “CCIN”).

Registration

Data controllers who process personal data must notify the CCIN and request approval so that their processing of personal data may be registered. Any changes to the processing of personal data will require the registration to be amended.

The notification to the CCIN should include the following information:

  • What data is being collected
     
  • Why the data will be processed
     
  • The categories of data subject
     
  • Whether the data will be transferred either within or outside Monaco

Data Protection Officers

There is no requirement in Monaco for organizations to appoint a data protection officer.

However, appointing a data protection officer is viewed by the CCIN as evidence of measures a company has taken to ensure compliance with the data protection legislation. In practice, however, companies in Monaco do not generally appoint data protection officers.

Collection & Processing

Data processing must be justified by at least one of the following bases:

  • The data subject’s consent
     
  • A legal duty imposed on the data controller
     
  • A public purpose
     
  • The performance of a contract entered into between the data controller and the data subject
     
  • The data controller’s legitimate interests, unless the data subject’s fundamental rights and liberties outweigh the controller’s legitimate interests

If sensitive personal data is processed, at least one of the above bases must be met plus one from an additional list of more stringent conditions.

Additionally, the data controller must provide the data subject with fair processing information. This includes information about the identity of the data controller, the purposes of processing and any other information needed under the circumstances to ensure that the processing is fair.

Transfer

Monaco is not part of the EU, so the DPL does not distinguish between EEA jurisdictions and non-EEA jurisdictions.

However, the DPL provides that the transfer of data is authorized for cross-border access, storage and processing of data only to a country which offers equivalent data protection and reciprocity.

The CCIN has established a list of the countries deemed to offer equivalent protection and reciprocity. States parties to Convention n° 108 of the Council of Europe, relating to the protection of individuals with regard to the automatic processing of personal data, are deemed to offer protection equivalent to that of Monaco.

Data transfers to countries with an adequate level of protection are not subject to authorization by the CCIN.

The CCIN has adopted a position of principle and decided that all personal data transfers to a country or an organization which does not ensure an adequate level of protection should, in any event, be submitted to the Commission in the form of a transfer authorization application. Subsequently, the CCIN affirmed that it is necessary to submit a transfer authorization application to the Commission if personal data will be accessed from a country that does not have an adequate level of protection.

Security

Data controllers must take appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing, accidental loss or destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm which might result from such unauthorized or unlawful processing or accidental loss, destruction or damage as mentioned above, and must be appropriate to the nature of the personal data.

Measures implemented must ensure an adequate level of security with regard to the risks posed by processing and by the nature of the data to be protected.

Where the data controller or their representative engages a service provider to process personal data, they must ensure that the service provider is able to comply with the obligations laid down in the two previous paragraphs.

Breach Notification

There is no mandatory requirement in the DPL to report security breaches or losses to the CCIN or to data subjects.

Enforcement

The CCIN and Monegasque Courts are responsible for enforcing the DPL. If the CCIN becomes aware that a data controller is in breach of the DPL, it can serve an enforcement notice requiring the data controller to resolve the non-compliance. Failure to comply with an enforcement notice is a criminal offense and can be punished on conviction with imprisonment of one month to one year or a fine of between €9,000 and €90,000 or both.

Electronic Marketing

Prior to implementing any electronic marketing activity the CCIN must be notified, as electronic marketing activities may use personal data. The DPL does not prohibit the use of personal data for the purpose of electronic marketing per se. However, when implementing electronic marketing activities a company must respect the provisions of Articles 1, 10-1, 10-2 and 14 of the DPL.

The automated or non-automated processing of personal data must not infringe the fundamental rights and freedoms enshrined in Title III of the Constitution.

When marketing, personal data must be:

  • Collected and processed fairly and lawfully
     
  • Collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes
     
  • Adequate, relevant and not excessive in relation to the purposes for which it is collected and / or further processed
     
  • Accurate and, if necessary, updated; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified
     
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Processing of personal data must be justified by one of the following bases:

  • By consent from the data subject(s)
     
  • By compliance with a legal obligation to which the data controller or their representative is subject
     
  • By it being in the public interest
     
  • By the performance of a contract or pre-contractual measures with the data subject
     
  • By the fulfillment of a legitimate motive on the part of the data controller or their representative or by the recipient, on condition that the interests or fundamental rights and freedoms of the data subject are not infringed

Data subjects from whom personal data is collected must be informed of all of the following:

  • The data controller’s identity and, if applicable, the identity of their representative in Monaco
     
  • The purpose of processing
     
  • The obligatory or optional nature of replies
     
  • The consequences for data subjects of failure to reply
     
  • The identity of recipients or categories of recipients
     
  • Their right to oppose, access and rectify their data
     
  • Their right to oppose disclosure to and use of personal data by a third party, or the disclosure for the purposes of the third party’s commercial use, including marketing

Online Privacy

Prior to the use of traffic data, location data and cookies the CCIN must be notified. The use of traffic data, location data and cookies will have to comply with the provisions of the DPL.

Contacts
Gilbert Delacour
CEO
T +377 93 25 84 00