BREXIT and the transfer of personal data from Monaco to the United Kingdom

Under the current provisions of Law no. 1.165 of 23 December 1993 on the protection of personal data, as consolidated:

During the transition period (until 31 December 2020)

The European Union GDPR/RGPD and the Data Protection Act 2018 (DPA 2018) which complements and adapts it, continue to apply in the UK.

Personal data that is collected on Monegasque territory as part of processing covered by an ordinary declaration, a request for an opinion or an authorisation may be transferred without any specific formality to the United Kingdom, which has an adequate level of protection within the meaning of Article 20[1] of Law no. 1.165 of 23 December 1993, consolidated:

"Transfers of data to the United Kingdom, or access to data from the United Kingdom, do not require an application to the CCIN for authorisation to transfer personal information". [2]

At the end of the transition period (from 1 January 2021)

The UK has planned to retain the level of protection offered by the GDPR/RGPD in its national law, while having the independence to adapt it.

If the level of protection offered by the United Kingdom is still considered adequate within the meaning of article 20 of Law no. 1.165 of 23 December 1993, consolidated, personal data collected on Monegasque territory as part of processing covered by an ordinary declaration, a request for an opinion or an authorisation will still be able to be transferred without any specific formality to the United Kingdom.

Failing this, processing operations involving data transfers to the United Kingdom would be subject to the provisions of article 20-1 [3] of Law no. 1.165 of 23 December 1993, as consolidated, and to the system of requesting authorisation:

"Transfers of data to the United Kingdom or access to data from the United Kingdom must, as Monegasque law currently stands, be subject to a request for authorisation to transfer personal information to the CCIN, unless the United Kingdom is, in the meantime, recognised as having an adequate level of protection for the protection of personal information". [4]

* * *

NOTES:

[1] "Personal data may only be transferred outside the Principality if the country or body to which the data is transferred has an adequate level of protection.

The adequacy of the level of protection offered by the third country must be assessed in the light of all the circumstances relating to the transfer of personal information, in particular the nature of the information, the purpose and duration of the processing operation or operations envisaged, the legal rules in force in the country in question and the professional rules and security measures observed there.

Without prejudice to the foregoing provisions, the Commission de contrôle des informations nominatives shall make available to any interested party the list of countries providing an adequate level of protection within the meaning of the preceding paragraph."

[2] CCIN, Information d’actualité, « Brexit : les conséquences en matière de protection des informations nominatives »

[3] "The transfer of personal information to a country or body which does not ensure, within the meaning of the second paragraph of Article 20, an adequate level of protection may, however, be carried out if the person to whom the information relates has consented to its transfer or if the transfer is necessary:

– to protect that person's life;

– to protect the public interest;

– to comply with obligations to establish, exercise or defend legal claims;

– the consultation, under proper conditions, of a public register which, by virtue of legislative or regulatory provisions, is intended to provide information to the public and is open to consultation by the public or any person demonstrating a legitimate interest;

– the performance of a contract between the data controller or its representative and the data subject, or pre-contractual measures taken at the request of the data subject;

– the conclusion or performance of a contract concluded or to be concluded, in the interests of the data subject, between the data controller or its representative and a third party.

Without prejudice to the provisions of the previous paragraph, the commission de contrôle (Supervisory Board) may authorise, on the basis of a duly substantiated request, the transfer of personal information to a country or body which does not ensure an adequate level of protection within the meaning of the second paragraph of Article 20, where the data controller, or its representative, and the recipient of the information offer sufficient guarantees to ensure compliance with the protection of the rights and freedoms referred to in Article 1. These guarantees may in particular result from appropriate contractual clauses.

The data controller must comply with the Commission's decision".

[4] CCIN, Information d’actualité, « Brexit : les conséquences en matière de protection des informations nominatives »