28 Apr 2025
Legal news
International and European law
IT and communication law
Personal data
Public law
Data Protection Impact Assessment • Opinion of the APDP on the draft Ministerial Order implementing Article 35 of Law no. 1.565 (Deliberation no. 2025-5 of 9 April 2025)
Deliberation no. 2025-5 of 9 April 2025 of the Personal Data Protection Authority (APDP) (JDM no. 8744 of 25 April 2025), referred to it by the Minister of State on 20 February 2025, gives its opinion on the draft Ministerial Order implementing Article 35 of Law no. 1.565 of 3 December 2024 specifying the criteria for determining whether processing, in particular through the use of new technologies, is likely to give rise to a high risk for the rights and freedoms of natural persons, triggering the obligation for an impact assessment.
* * *
Observations of the APDP
The APDP points out that the draft Ministerial Order substantially transposes the criteria established by the Article 29 Working Party in its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01 (as last amended and adopted on 4 October 2017). This convergence promotes the objective of obtaining an adequacy decision from the European Commission for the benefit of Monaco.
It states that "for educational purposes, [it] will explain the scope, to enlighten data controllers and data subjects on the precise contours of these criteria."
The APDP notes that "these criteria are sometimes worded slightly differently" and makes the following comments:
- Criterion 1 "systematic and in-depth evaluation of personal aspects relating to natural persons, including profiling": The APDP questions the change to its wording, particularly concerning the absence of the notion of "rating", unlike the European criterion (evaluation or rating, including profiling and prediction activities), which is considered important and should be incorporated.
- Criterion 4 "the processing of sensitive data within the meaning of point 9 of article 2 of the aforementioned law no. 1.565 of 3 December 2024, or relating to offences, criminal convictions and security measures or relating to suspicions of unlawful activity": The APDP recommends extending the criterion to include the notion of "data of a highly personal nature", following the broader approach of the Article 29 Working Party. At present, the Monegasque draft seems too restrictive, being limited to the sensitive data provided for by law, whereas other types of data "may be considered to increase the possible risk to the rights and freedoms of individuals" [Note].
- Criterion 8 "the use of a digital identifier within the meaning of Law No. 1.483 of 17 December 2019 on digital identity": The APDP recommends deleting the clarification that the digital identifier must be understood within the meaning of Law No. 1.483, as it limits the scope of the criterion by linking it "to the notion of identity provider and therefore, to a particular typology of data controller".
- "Large-scale processing" criterion: The APDP regrets that this criterion is isolated in a separate article and not included in the main list of high-risk criteria.
* * *
[Note] The Article 29 Working Party Guidelines specify: "Beyond these provisions of the GDPR, some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject’s daily life (such as financial data that might be used for payment fraud). In this regard, whether the data has already been made publicly available by the data subject or by third parties may be relevant. The fact that personal data is publicly available may be considered as a factor in the assessment if the data was expected to be further used for certain purposes. This criterion may also include data such as personal documents, emails, diaries, notes from e-readers equipped with note taking features, and very personal information contained in life-logging applications."