April 11th, 2022
The draft law n°1054 on the protection of personal data aims to refer not only to the requirements of the Convention 108+ of the Council of Europe (the modernised version of Convention 108) but also to the European data protection package Data Protection Package” adopted by the European Parliament and the Council on 27 April 2016 which consists of:
- Regulation (EU) 2016/679 of 27 April 2016, the so-called General Data Protection Regulation (“D.P.R.”);
- Directive (EU) 2016/680 of 27 April 2016, the so-called “police-justice”
In the interests of clarity and consistency of Monegasque law applicable to the processing of personal data, the Government has decided to suggest a single law on data protection and to repeal law n° 1.165 of 23 December 1993.
This renewal of legislation is accompanied by an evolution in terminology allowing for greater legal interoperability with the concepts covered by Monegasque legislation, on the one hand, and and Council of Europe and European Union laws, on the other hand. Thus, the notion of “nominative information” is abandoned in favour of the notion of “personal data”.
The draft law therefore introduces the new obligations of the G.D.P.R. and the new rights of individuals, in particular the portability of data and the restriction of processing. It also strengthens the right to information. It creates a register of processing activities and provides for the appointment of a data protection officer in certain cases.
It simplifies the rules to which public and private actors processing personal data are subject. Prior formalities that are currently imposed on all actors by Law n° 1.165 of December 23rd, 1993, as amended, are removed in accordance with the European logic of making the data controller responsible.
However, the Government wished to maintain formalities for certain particularly sensitive categories of particularly sensitive processing by preferring to seek the opinion of the future protection authority.
A new independent administrative authority called Personal Data Protection Authority (“A.P.D.P”), would succeed to the Commission de Contrôle des Informations Nominatives (“C.C.I.N.”). This new name positions the authority as being above all “protective” of individuals when their personal data are processed. This authority will also be responsible for monitoring processing operations
The A.P.D.P. will also be responsible for monitoring processing operations covered by Directive (EU) 2016/680, the so-called “police-justice” directive, as recommended by the G29, which calls for the same protection authority to be responsible for monitoring processing operations covered by the “European data protection package”.
In consideration of the Principality’s commitment to the modernised Convention 108 the powers of the new data protection authority will be strengthened, in particular in the area of particularly in the area of sanctions.