04
Feb
2025
Legal news
International and European law
IT and communication law
Personal data
2025
Legal news
International and European law — IT and communication law — Personal data
International transfers of personal data • EU standard contractual clauses (STCs) and compliance with Law 1.565 (APDP Deliberation)
The Monegasque Personal Data Protection Authority (APDP) analyses the European Union's standard contractual clauses (STCs) governing the transfer of personal data to a third country that does not provide an adequate level of protection (United States of America) in the light of the new Law No. 1.565 of 3 December 2024 on the protection of personal data (Deliberation of 22 January 2025 authorising the transfer).
The European Union STCs are set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
Note: given the recent nature of Law no. 1.565, there are currently no standard protection clauses approved for use by the APDP pursuant to article 98.
* * *
SUMMARY
The transfer of personal data to a third country that does not have an adequate level of protection within the meaning of Law no. 1.565, governed by standard contractual clauses (STCs) of the European Union, is subject to prior authorisation by the APDP
- The STCs of the European Union "cannot be confused with the STCs provided for in article 98 of the aforementioned Law no. 1.565. They are therefore specific clauses as provided for in article 100 of the aforementioned Law, making transfers subject to the prior authorisation of the APDP".
Complementary clauses to the European Union's CCTs must ensure the effectiveness of the rights of data subjects in Monaco pursuant to Law no. 1. 565
- Although the EU CCTs "provide data subjects with a guarantee of the highest standards", data subjects in Monaco "only benefit from rights pursuant to the GDPR" and the prerogatives offered to them "are contractually open only on European territory: Place of exercise of rights (exercised under Regulation (EU) 2016/679 as stipulated in Article 10 of the CTTs), Supervisory Authority allowing support in exercising rights, applicable right to exercise a remedy, information by the data importer of the Supervisory Authority in the event of a personal data breach, etc.".
- "Clauses ensuring the effectiveness of these rights in the Principality" must be adopted and transmitted to the APDP.
- These additional clauses are possible pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Recital 3): "the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Controllers and processors are encouraged to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses".
* * *
Source : APDP Website
- APDP Publications Délibérations Autorisations
- APDP Publications Liste des pays disposant d’un niveau de protection adéquat
* * *
Other publications