Law no. 1.565 of 3 December 2024 on the protection of personal data was published in the Journal de Monaco on 13 December 2024 (the “Law”) and replaces Law no. 1.165 of 23 December 1993. This reform aims to modernise and strengthen the protection of personal data in the Principality, while bringing Monaco into line with European standards, in particular the General Data Protection Regulation (“GDPR”).
Here are the key points to remember:
Extended scope of application:
The Law applies to the processing of personal data carried out by data controllers or processors established in Monaco and also, in certain cases, to processing relating to individuals located on Monegasque territory, even if that processing is carried out outside Monaco. It excludes processing carried out in a personal or domestic context.
Strengthening the rights of the people concerned:
The Law strengthens the rights of data subjects, including the rights to information, access, rectification, erasure and data portability. A key point is the expansion of the information to be provided, to ensure greater transparency for the people whose data is collected.
Obligations of the controller and processor:
The Law imposes a number of obligations on data controllers and processors to ensure that data processing is compliant. These include, depending on the case, appointing a representative in the Principality or in the European Union, as well as keeping a register of processing operations. Data controllers must integrate data protection from the start, notify data breaches and, in the case of high risks, carry out an impact assessment. The use of a processor requires adequate guarantees and appropriate measures.
Role of the Personal Data Protection Authority – Autorité de Protection des Données Personnelles (“APDP”):
The APDP, which replaces the Commission de Contrôle des Informations Nominatives (“CCIN”), now has extensive powers, particularly in terms of sanctions. It can impose administrative fines of up to €10,000,000 or 4% of the annual worldwide turnover on non-compliant companies. It also has the power to suspend or interrupt data flows to foreign countries.
International data transfer:
The reform changes the way data transfers are managed. Transfers to countries deemed adequate, such as those in the European Union, no longer require any prior formalities. On the other hand, transfers to non-adequate countries will have to meet strict requirements, such as the use of standard contractual clauses or certification, or obtaining prior authorisation from the APDP.
Simplification of prior formalities:
The reform simplifies formalities. Most data processing no longer requires prior authorisation from the APDP, except in specific cases (health research, video surveillance in public places, etc.). Public authorities must obtain authorisation before processing data for the purposes of preventing criminal offences or for sensitive data such as biometric data.
Deadlines for compliance:
As the Law applies immediately as of its publication, data controllers and processors must, in principle, comply with the new requirements as of such date. However, certain provisions relating to the lawfulness of processing may be rectified within one year. A longer period of three years is allowed for compliance with impact assessments, risk reassessments and certain processing operations carried out by administrative or judicial authorities.
Our team remains at your disposal to support you and answer your questions in this area.
A.L.F.A. MONACO