Data Protection Impact Assessment • Opinion of the APDP on the draft Ministerial Order implementing Article 35 of Law no. 1. 565 (Deliberation no. 2025-5 of 9 April 2025)

Deliberation no. 2025-5 of 9 April 2025 of the Personal Data Protection Authority (APDP) (JDM no. 8744 of 25 April 2025), referred to it by the Minister of State on 20 February 2025, gives its opinion on the draft Ministerial Order implementing article 35 of Law no. 1. 565 of 3 December 2024 specifying the criteria for determining whether processing, in particular through the use of new technologies, is likely to give rise to a high risk for the rights and freedoms of natural persons, triggering the obligation for an impact assessment.

* * *

Observations of the APDP

The APDP points out that the draft Ministerial Order substantially transposes the criteria established by the Article 29 Working Party in its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01 (as last amended and adopted on 4 October 2017). This convergence promotes the objective of obtaining an adequacy decision from the European Commission for the benefit of Monaco.

It states that "for educational purposes, [it] will explain the scope, to enlighten data controllers and data subjects on the precise contours of these criteria."

The APDP notes that "these criteria are sometimes worded slightly differently" and makes the following comments:

• Criterion 1 "systematic and in-depth evaluation of personal aspects relating to natural persons, including profiling": The APDP questions the change to its wording, particularly concerning the absence of the notion of "rating", unlike the European criterion (evaluation or rating, including profiling and prediction activities), which is considered important and should be incorporated.
• Criterion 4 "the processing of sensitive data within the meaning of point 9 of article 2 of the aforementioned law no. 1.565 of 3 December 2024, or relating to offences, criminal convictions and security measures or relating to suspicions of unlawful activity": The APDP recommends an extension with the inclusion of the notion of "highly personal data", following the broader approach of Group 29. At present, the Monegasque draft seems too restrictive, being limited to the sensitive data provided for by law, whereas other types of data "may be considered to increase the possible risk to the rights and freedoms of individuals", of which it gives examples. [Note 1].
  
• Criterion 8 "the use of a digital identifier within the meaning of Law No. 1.483 of 17 December 2019 on digital identity": The APDP recommends deleting the clarification that the digital identifier must be understood within the meaning of Law No. 1.483, as it limits the scope of the criterion by linking it "to the notion of identity provider and therefore, to a particular typology of data controller".
• "Large-scale processing" criterion: The APDP regrets that this criterion is isolated in a separate article and not included in the main list of high-risk criteria.

* * *

[Note 1] The APDP states: "Personal data is considered sensitive (in the common sense of the term) insofar as it relates to domestic and private activities (electronic communications whose confidentiality must be protected, for example), insofar as it has an impact on the exercise of a fundamental right (location data whose collection calls into question freedom of movement, for example) or insofar as its breach would clearly have serious repercussions on the daily life of the data subject (financial data likely to be used for fraudulent payments, for example). In this respect, it may be relevant to determine whether the data has already been made public by the data subject or by third parties. The fact that personal data is publicly available may be taken into account as a factor in the analysis where it is intended that the data will be used subsequently for certain purposes. This criterion may also include data such as personal documents, e-mails, diaries, notes from e-readers equipped with note-taking functions and highly personal information contained in ‘life-logging’ applications."

* * *