Impact of the GDPR in Monaco

The applicable legislation governing data protection in Monaco is the Law No. 1.165 of December 23rd, 1993, as amended by Law No. 1.353 of December 4th, 2008 (hereinafter referred to as the: “Law”). 

Like the GDPR, the Law concerns all personal data of an identified or identifiable natural person, whether the processing is implemented by a natural or legal person of public or private law. 

 In the same way as the GDPR, the Law defines the data controller as the natural or legal person, governed by private or public law, public authority, agency, or any other body which, alone or jointly with others, determines the purposes for which and the means by which personal data is processed.  

If the GDPR provides for many new obligations, the Law states that the obligations the Commission de Contrôle des Informations Normatives (hereinafter referred to as: “CCIN”), the Monegasque control authority, are: 

• to ensure the transparency of a file’s implementation;
• to highlight the nature of the information collected;
• to highlight the reasons for the data’s collection;
• to ensure that the data is used appropriately;
• to know for whom the data is intended;
• to know for how long the data will be kept;
• to ensure that individuals’ personal data is not collected without their knowledge for illegitimate reasons.

Under the Monegasque Law, the data subjects’ rights are: 

• the right to information;
• the right to access to personal data;
• the right of opposition;
• the right of rectification;
• the right of suppression. 

The GDPR provides for rights, which closely resembles the rights granted by the Law.

However there are still some differences that should be taken into account and the GDPR provides for more rights than the Law.

In Monaco, any natural or legal entity of private law whishing to operate an automated processing system containing personal information must first carry out formalities with the CCIN.

The same applies to public or similar bodies. 

The GDPR provides longer and more detailed instructions in this regard. 

Monaco’s law is applicable to automated processing of personal information: 

• implemented by a data controller established in Monaco
• implemented in Monaco, even if the processing is only intended to be used abroad
• whose controller is established abroad, but uses processing means located in Monaco.

In this last case, the controller must appoint a representative established in Monaco, who makes the declaration, the request for an opinion or for authorisation and to whom the obligations provided for by the law applies, without prejudice to actions which may be brought against the controller himself. 

The GDPR takes a different approach in that matter.

Penalties are applied in both systems. 

Although the Law sets out criminal sanctions (one to six months imprisonment with a fine or three months to one year imprisonment with a fine), the sanctions provided for by the GDPR are much more significant with fine reaching up to 20,000,000 euros or 4% of the offender’s annual worldwide revenues.

The Law does not provide for any specificity regarding emancipated or unemancipated minors contrary to what the GDPR provides. 

A bill was introduced on December 20th, 2021, which aims to align with the level of protection provided by European Union law. 

In March 2022, Monaco’s National Council met with representatives of the Monegasque Administrative Authority in charge of personal data (“CCIN”) in order to consult them on this matter. 

Such a bill would simplify personal data transfers from the Principality to the countries of the European Union and would therefore facilitate the work of many professionals based in Monaco. 

In addition to the legislative improvements, the CCIN would be replaced by an Independent Administrative Authority: “Autorité de Protection des Données Personnelles” (APDP). 

Currently, there is no case law explicitly mentioning the GDPR. However, the Monegasque Courts are aware of the European standards on data protection and have at least once referred to the Article 29 Working Party (the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the GDPR).

Monaco’s law on data protection will soon be aligned with the GPDR’s provisions.