Provisions of Law no. 1.565 of 3 December 2024 on the protection of personal data (118 articles)
Chapter I - General provisions (art. 1 to 3)
Scope of the Law
Definitions

- Material and personal scope:
  - Applicable to all or part of automated processing, and to non-automated processing, of personal data relating to natural persons.
  - Also applicable to temporary copies.
  - Inapplicable to processing carried out by a natural person in the exercise of exclusively personal or domestic activities.
  - Inapplicable to the processing of personal data of legal persons.
- Territorial scope: applicable to processing:
  - implemented by a controller or processor established in Monaco, whether or not the processing takes place in Monaco (establishment criterion);
  - relating to data subjects on the territory of Monaco and carried out by a controller or processor established outside Monaco, where the processing activities relate to the offering of goods or services to those data subjects or to the monitoring of their behaviour (targeting criterion). For example: goods or services offered to consumers in Monaco via a website, or tracking of Internet users in Monaco in order to send them targeted advertising.

Chapter II - Principles relating to data quality and the lawfulness of personal data processing (art. 4 to 9)

- Lawfulness, fairness, transparency;
- Purpose limitation: personal data may be collected for several purposes, provided that the purposes are specified, explicit and legitimate, and that the data is not further processed in a way that is incompatible with the initial purposes. For example, data may be collected by the marketing department for canvassing and promotional events;
- Data minimisation: data must be adequate, relevant and limited to what is necessary for the purposes of the processing;
- Accuracy of data, updated where necessary;
- Data must be kept for no longer than is necessary for the purposes for which it is processed (with the exception of data kept for archival purposes in the public interest, for scientific research or for statistical purposes);
- Data security: data integrity and confidentiality guaranteed by appropriate technical and organisational measures.
- Conditions governing lawful processing:
  - Consent of the data subject (a clear positive act resulting from a free, specific, informed and unequivocal action; specific provisions apply to minors under the age of 15 in the context of the direct offer of information society services, i.e. contracts and other services concluded or transmitted online);
  - Compliance with a legal obligation;
  - Performance of a contract or pre-contractual measures;
  - Safeguarding vital interests;
  - Public interest;
  - Fulfilment of a legitimate interest, unless the interests or fundamental rights and freedoms of the data subject (notably a minor) prevail. For example, the data subject is a customer or employee of the data controller.
- Exceptions to the prohibition in principle on processing sensitive data (political opinions or affiliations, racial or ethnic origins, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, data concerning health, sex life or sexual orientation):
  - Explicit consent of the person concerned, unless prohibited by law;
  - Safeguarding the vital interests of the person when he or she is unable to give consent, in particular due to impaired personal faculties;
  - Members of an ecclesiastical institution or a political, religious, philosophical, humanitarian or trade union group;
  - Personal data manifestly made public by the person concerned;
  - Establishment, exercise or defence of legal claims, or whenever the courts or the public prosecutor's office are acting in their judicial capacity;
  - Important public interests as provided for under Monegasque law;
  - Preventive or occupational medicine, assessment of a worker's aptitude, medical diagnosis, administration of care or medication, management of health and social welfare services, or in the interests of research or in the field of public health;
  - Archiving in the public interest;
  - Biometric data used by employers that is strictly necessary for controlling access to workplaces, devices and applications used in the course of employees' duties;
  - Fulfilment of obligations and exercise of rights in terms of employment law, social security and social protection;
  - Institut Monégasque de la Statistique et des Etudes Economiques (IMSEE) for the preparation of studies and surveys;
  - Competent administrative and judicial authorities within the scope of their legally conferred duties;
  - Public interest in the field of public health.

Chapter III - Rights of the data subject (art. 10 to 21)

- Rights of the data subject:
  - Right to information (concise, comprehensible and easily accessible, in clear and simple terms, in particular for any information specifically intended for a minor), strengthened with a list of 16 items of information (including new items such as, where applicable, the contact details of the Data Protection Officer and the transfer of data abroad), distinguishing between data collected from the data subject and data collected from a third party;
  - Right of access, with a list of the information that the data subject may obtain from the controller on request, within 1 month;
  - Right to rectification as soon as possible;
  - Right to erasure as soon as possible in the cases listed, with exceptions and a strengthening of the right to digital forgetting;
  - Right to restriction of processing in a limited number of cases, with exceptions. To ensure the effectiveness of this right, the controller could, for example, move the data concerned to another processing system, withdraw the data published on its website, or block users' access to this data;
  - Right to object, the conditions for which differ depending on the purpose of the processing, with some exceptions;
  - Right to data portability (storage by the data subject for subsequent use, or transmission to another controller for other purposes), limited to processing based on consent or a contract, and subject to conditions;
  - Right not to be subject to an automated individual decision, including profiling, with exceptions.
- With regard to the rectification or erasure of personal data, or the restriction of their processing, the controller is in principle obliged to notify each recipient of the personal data.
- Specific rules apply to the processing of personal data of deceased persons.
- The controller or processor may, in the cases listed and under strict conditions, make exceptions to certain rights and obligations (for example, to guarantee national or public security, the prevention and detection of criminal offences or breaches of ethics in the regulated professions, the independence of justice and legal proceedings, the important economic and financial interests of the State, freedom of public expression, etc.).

Chapter IV - Obligations of the controller and processor (art. 22 to 36)
Section 1 - General obligations
Section 2 - Specific obligations

- The accountability principle applicable to controllers and processors means that appropriate technical and organisational measures must be put in place to protect the rights of data subjects, and that the controller or processor must be able to demonstrate, at the request of the Data Protection Authority (Autorité de Protection des Données Personnelles, "APDP"), what has been done and how effective it has been.
- As part of this drive to make controllers more accountable, the formalities for declarations or authorisations prior to processing operations are, in principle, abolished.
- Self-regulation tools and mechanisms applicable to controllers and processors:
  - Data protection by design (privacy by design) and by default (privacy by default).
  - In the case of joint controllers, a joint liability agreement.
  - Appointment (subject to listed exceptions) of a representative in Monaco or, failing that, in an EU Member State, in the event of extraterritorial application. For example, an e-commerce company established in the EU offering services to persons located in Monaco, or a non-EU press company with no office in Monaco offering an online newspaper subscription service.
  - Increased supervision of processors (the processor's obligations are more stringent), with a (non-exhaustive) list of items that must be included in the processing contract, as well as supervision of secondary subcontracting (where the processor engages another processor to carry out specific processing activities on behalf of the controller).
  - A register of processing activities must be kept by the controller and the processor (or their representative, where applicable) above a threshold of 50 employees, except in cases where the threshold does not apply (processing involving a risk for the data subjects, or that is not occasional, or that involves sensitive data or data relating to offences, criminal convictions and security measures, or suspicions of unlawful activities). This threshold corresponds to the one above which a health and safety committee must be set up.
  - Appointment by the controller and processor of a Data Protection Officer (DPO), mandatory in specific cases:
    - for legal persons governed by public law and private-law bodies entrusted with a mission of general interest or holding a public service concession;
    - where the core activities of the controller or processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic large-scale monitoring of the data subjects, or large-scale processing of sensitive data or data relating to criminal convictions or offences.
    The DPO may be a member of the controller's or processor's staff, or may be outsourced (service contract). A single DPO may be appointed by a group of companies, provided that he or she can be easily contacted from each location (for example, a branch of a banking establishment).
  - Security obligations on the controller and processor are specified (appropriate technical and organisational measures, such as pseudonymisation, data encryption, testing procedures, analysis, evaluation of effectiveness, etc.).
  - Obligation for the controller to notify the APDP as soon as possible, and if possible within 72 hours, of data breaches likely to pose a risk to the rights and freedoms of the data subjects, and to communicate the breach to the data subjects, unless exempted.
  - Obligation for the processor to notify any data breach to the controller.
  - Code of conduct and certification mechanism to help demonstrate compliance with security obligations by the controller or processor. The APDP validates and publishes the codes of conduct applicable in Monaco (codes of conduct already approved by a foreign data protection authority must be sent to the APDP for verification). Similarly, certification issued by an approved certification body in an EU Member State, or demonstrating an adequate level of protection, may be recognised by the APDP.
  - Obligation for the controller to carry out an impact assessment, before implementation, for the most sensitive processing operations entailing a high risk for the rights and freedoms of the data subjects, and to keep this assessment as evidence (systematic description of the processing operation; assessment of the necessity, proportionality and risks for the rights and freedoms of the data subjects; measures envisaged to deal with the risks). The APDP must be consulted if the risks identified cannot be sufficiently reduced and there are high residual risks that cannot be controlled. The APDP may adopt recommendations or guidelines identifying the processing operations most likely to require an impact assessment, based on a list of criteria set by ministerial order.

Chapter V - The Data Protection Authority (APDP) (art. 37 to 57)
Section 1 - Functioning
Section 2 - Monitoring the implementation of processing

- The APDP is not responsible for data processing:
  - carried out by a natural person in the exercise of exclusively personal or domestic activities (outside the scope of Law no. 1.565);
  - carried out by the courts and the public prosecutor in the exercise of their judicial functions, as well as processing carried out in the context of international mutual legal assistance procedures (supervised by the Délégué Judiciaire à la protection des données);
  - relating to State safety and national security (supervised by the Commission Spéciale de Sécurité Nationale).
- Composition of the APDP: 8 full members, nominated for their competence and appointed by Sovereign Order for 5 years, renewable once: one member appointed by the Minister of State, one by the Conseil National (Parliament), one by the Conseil d'Etat (Council of State), one by the First President of the Court of Appeal, one by the Conseil communal (Communal Council), one by the Conseil Economique, Social et Environnemental (Economic, Social and Environmental Council), one by the First President of the Cour de Révision (Supreme Court of Review), and one by the Comité de la Santé publique (Public Health Committee).
- One of the new features of the APDP is that it meets in two configurations:
  - in plenary panel, to carry out checks and investigations and to decide whether to prosecute;
  - in restricted panel (composed of the presiding judge and two other members elected by the APDP from among its members), to take measures and impose sanctions on controllers and processors.
  This separation of the prosecution and sanction functions is intended to ensure greater compliance with Article 6 of the ECHR.
- With regard to checks and investigations by the APDP:
  - Exceptions to the principle that secrecy or confidentiality cannot be invoked against the APDP are provided for national security secrecy, professional secrecy concerning relations between a lawyer and his client, the secrecy of journalistic sources and medical secrecy.
  - The controller and processor have the right to object to investigations (in which case the inspection operations may only take place after authorisation has been granted by the President of the Court of First Instance, to which the matter is referred by the President of the APDP), unless there is an imminent risk of the destruction or disappearance of the documents (in which case an action for nullity may be brought before the President of the Court of First Instance, ruling as in summary proceedings).
- With regard to measures prior to administrative sanctions, the Chairman of the APDP has corrective powers enabling him to point out failures to comply with the legal provisions and to give formal notice (which may be made public) to the controller or processor to comply. If the controller or processor complies, the procedure is closed.
- The matter may be referred to the APDP's restricted panel for the purpose of imposing one or more sanctions where formal notice has been unsuccessful, or without formal notice where the breach cannot be brought into compliance or where the party concerned does not comply with the legal provisions.
- Administrative penalties incurred:
  - Warning;
  - Obligation to bring the processing into compliance or to satisfy the data subject's requests, possibly accompanied by a penalty payment of up to €10,000 per day of delay;
  - Temporary or permanent restriction of processing;
  - Withdrawal of certification;
  - Partial or total suspension of the decision approving the Binding Corporate Rules (BCR);
  - Suspension of data flows to a recipient located abroad;
  - Administrative fine of up to €5,000,000 (or, in the case of a company, up to 2% of the total worldwide annual turnover for the previous financial year, whichever is higher) or up to €10,000,000 (or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year, whichever is higher), depending on the infringement. To enable the APDP's restricted panel to determine the amount of the administrative fine and the ceiling applicable to it, the chairman of the panel may require the controller or processor to provide any documents that may help to assess the company's total consolidated turnover.
- Criteria taken into account when imposing a periodic penalty payment or an administrative fine:
  - the nature, seriousness and duration of the breach;
  - the deliberate or negligent nature of the breach, or its repetition;
  - the measures taken by the controller or processor to mitigate the damage suffered by data subjects;
  - the degree of cooperation with the APDP with a view to remedying the breach and mitigating any adverse effects;
  - the categories of personal data affected by the breach;
  - any aggravating or mitigating circumstances applicable to the case in question.
- The decisions of the restricted panel may be appealed before the Court of First Instance within 2 months of the date of notification.
- These decisions may be published (the publication may be the subject of an appeal for suppression before the President of the Court of First Instance hearing the case, ruling as in summary proceedings, in the event of serious and disproportionate harm to public safety, respect for private and family life, or the legitimate interests of the persons concerned).

Chapter VI - Processing subject to prior formalities (art. 58 to 79)
Section I - Common provisions
Section II - Processing for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security
Section III - Processing of personal data relating to genetic or biometric data necessary for the authentication or verification of the identity of individuals
Section IV - Processing relating to health research

- Prior authorisation from the APDP for transfers of personal data to countries, territories or international organisations that do not meet the necessary requirements (no adequate level of protection, processing that cannot be based on appropriate safeguards, and none of the derogations and conditions provided for in Chapter VIII, see below).
- APDP opinion on the processing of particularly sensitive data by administrative and judicial authorities:
  - for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security;
  - involving genetic or biometric data necessary for the authentication or verification of the identity of individuals;
  and on processing relating to health research.

Chapter VII - Special provisions for certain processing (art. 80 to 95)
Section I - Processing relating to offences, criminal convictions and security measures or relating to suspected illegal activities
Section II - Processing for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes
Section III - Processing relating to freedom of expression
Section IV - Processing relating to video surveillance
Section V - Processing in the electronic communications sector
Section VII - Processing carried out by courts and public prosecutors in the exercise of their judicial functions and in the context of international mutual legal assistance procedures
Section VIII - Processing carried out under the provisions of Articles 9 to 15 and 18 of Law no. 1.430 of 13 July 2016 containing various measures relating to the preservation of national security

- Processing relating to video surveillance:
  - in the public space (places open to the public, or filming in the vicinity of public thoroughfares and of areas open to or used by the public: restaurants, shopping arcades, administrative offices, etc.): subject to prior authorisation from the Minister of State (the conditions for issuing authorisation are specified by ministerial decree);
  - in private spaces (homes, garages, etc.) and premises for professional use (offices, warehouses, etc.): must be notified to the APDP.
- Persons who may carry out processing relating to offences, criminal convictions and security measures, or relating to suspicions of unlawful activities, subject to appropriate safeguards.
- Certain rights do not apply to processing for archival purposes in the public interest, for scientific or historical research, or for statistical purposes.
- Applicability of certain exemptions to processing relating to freedom of expression.
- Conditions of access to a service available on an electronic communications network.
- The Délégué Judiciaire à la protection des données (Judicial Delegate for Data Protection), appointed by order of the Secretary of State for Justice, Director of Judicial Services, is responsible for supervising the processing carried out by the courts and the public prosecutor's office in the exercise of their judicial functions, as well as that carried out in the context of international mutual legal assistance procedures.
- The Commission Spéciale de Sécurité Nationale (Special Commission for National Security) is responsible for monitoring processing carried out under the provisions of Articles 9 to 15 and 18 of Law no. 1.430 of 13 July 2016 on various measures relating to the preservation of national security.

Chapter VIII - Transfer of personal data (art. 96 to 101)

A transfer of personal data is any flow of data outside Monaco to a third country or territory, or to an international organisation: communication or provision to a recipient outside Monaco, where the data is made accessible either physically or by means of simple remote access (for example, outsourcing).

- As before, transfers of personal data outside Monaco to a country, third territory or international organisation providing an adequate level of protection (the list of which is set by ministerial decree, EU Member States being deemed to provide an adequate level of protection) may be carried out without the controller having to provide additional guarantees or obtain specific authorisation.
- A new provision requires the controller and processor to comply with the transfer conditions for subsequent transfers of personal data from the recipient country, third territory or international organisation to another country, third territory or international organisation.

In the absence of adequacy:

1/ Appropriate safeguards, without prior authorisation of the APDP:
- Compliance with an international undertaking enforceable in Monaco;
- Use of standard contractual clauses approved in advance by the APDP;
- Compliance with binding corporate rules (BCR) approved by the APDP or by a foreign data protection authority of a State ensuring an adequate level of protection;
- Approved certification;
- Code of conduct approved and published by the APDP.

2/ Derogations, in the absence of the above appropriate safeguards, without prior authorisation of the APDP:
- Explicit consent of the data subject to the transfer of his or her data, after having been informed of the absence of an adequate level of protection or of safeguards and of the nature of the risks resulting from this absence (for example, on a website, an information banner informing of the transfer of data to a foreign country without adequacy, with a consent box to be ticked);
- Transfers for important reasons of public interest (the APDP may obtain any relevant information);
- Transfer necessary to safeguard the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (e.g. disaster victims);
- Transfer necessary for the establishment, exercise or defence of legal claims (e.g. documents communicated as part of an investigation);
- Transfer for consultation of a public register provided for by law, intended to inform the public and open to consultation by the public or by any person demonstrating a legitimate interest (e.g. the companies register);
- Transfer necessary for the performance of a contract between the controller or its representative and the data subject, or for the implementation of pre-contractual measures taken at the request of the data subject (e.g. trips abroad organised by a travel agency);
- Transfer necessary for the conclusion or performance of a contract concluded or to be concluded, in the interest of the data subject, between the controller or its representative and a third party.

3/ Transfer that cannot be based on the appropriate safeguards above, and to which none of the derogations provided for above applies, with prior information of the APDP, if the following conditions are met:
- Transfer not of a repetitive nature (not in the normal course of business, e.g. in the context of legal proceedings);
- Transfer affecting only a limited number of persons (assessed on a case-by-case basis, taking into account the type of transfer, e.g. only the data of a bank's employees);
- Transfer necessary for the purposes of overriding legitimate interests pursued by the controller, over which the interests or rights and freedoms of the data subject do not take precedence (for example, protection against a serious and immediate risk facing the company);
- Appropriate safeguards taken (for example, deletion of the data as soon as possible after transfer).

4/ Safeguards for transfers with prior authorisation of the APDP, when none of the above requirements are met (no appropriate safeguards, no derogation, and the previous conditions not satisfied); the APDP gives its decision within a renewable period of 2 months, and if the authorisation is not given within this period it is deemed to have been refused:
- Special protection measures;
- Use of specific (ad hoc) contractual clauses.

A specific legal framework applies to data transfers outside Monaco in the context of processing implemented for "Police Justice" purposes and of national security and defence processing under Law no. 1.430 of 13 July 2016 on various measures relating to the preservation of national security.

Chapter IX - Jurisdiction, criminal penalties and right to compensation (art. 102 to 106)

- Any person who has suffered material or non-material damage as a result of a breach of Law no. 1.565 may obtain compensation from the controller or processor.
- Law no. 1.565 provides for a right of representation: the data subject may mandate a non-profit-making body, organisation or association, authorised in Monaco or recognised, whose statutory objectives are of public interest and which is active in the field of protecting the rights and freedoms of data subjects in relation to the protection of their personal data, to act on his or her behalf. Law no. 1.585 does not provide for a right of collective redress independently of any mandate given by a data subject (an opening clause of the GDPR).
- Liability of the controller(s) and processor(s):
  - Any controller who has participated in the processing is liable for any damage caused by processing which constitutes a breach of this Law (unless it can prove that it is not responsible for the event that caused the damage).
  - A processor is liable for damage caused by processing only if it has failed to comply with the obligations laid down in this Law which are specifically incumbent on processors, or if it has acted outside or contrary to the lawful instructions of the controller (unless it can prove that it is not responsible for the event that caused the damage).
  - Where several controllers or processors, or both a controller and a processor, are involved in the same processing and are responsible for damage caused by it, each of them is held liable for the damage in its entirety, in order to guarantee the data subject effective compensation. Where, in such a case, a controller or processor has made full reparation for the damage suffered, it is entitled to claim from the other controllers or processors involved in the same processing operation the part of the reparation corresponding to their share of responsibility for the damage.
- The Monegasque courts have jurisdiction to hear actions against a controller or processor:
  - which has an establishment in Monaco where the processing in question was carried out;
  - where the data subject has his or her habitual residence in Monaco (except where the controller or processor is a public authority of a State acting in the exercise of its prerogatives of public power).
- Cases of lis pendens:
  - When a court in the Principality which has jurisdiction to hear the claim is informed that an action concerning the same subject matter, with regard to processing carried out by the same controller or the same processor, is pending before a court in another State, it contacts that court to confirm the existence of such an action. The Monegasque court, if it was not seized first, may suspend the action brought before it.
  - Without prejudice to article 12 of the Code of Private International Law, where such actions are pending before courts of first instance, the Monegasque court may also decline jurisdiction, at the request of one of the parties, provided that the court first seized has jurisdiction to hear the actions in question and that the applicable law allows them to be joined.
- Criminal penalties (inapplicable to the State, the Commune and public bodies): Law no. 1.565 creates a section in the Criminal Code devoted to the protection of personal data, with a new article 308-7.
- Any criminal conviction automatically entails the deletion of the data processing, which may be accompanied by the confiscation and destruction without compensation of the personal data media in question, and a ban on processing for a period of between 6 months and 3 years.
- The private legal entity may be held jointly and severally liable with its statutory representative for payment of the fine imposed on the latter.

Chapter X - Final provisions (art. 107 to 118)

In principle, Law no. 1.565 applies immediately (in force from 14 December 2024). This concerns in particular the obligation to put in place appropriate technical and organisational measures to guarantee a level of personal data security appropriate to the risks to the rights and freedoms of the data subjects.

Deadlines for compliance apply to certain obligations, for processing duly carried out with the CCIN before 14 December 2024 and still in operation after the Law's entry into force:
- 1 year (until 14 December 2025) for controllers to bring their processing into compliance with the provisions of Chapter II (principles relating to data quality and the conditions for lawful processing), provided that said processing has not been substantially modified.
- 1 year (until 14 December 2025) for controllers and processors to comply with the following obligations:
  - Keeping a register of processing activities;
  - Appointment of a Data Protection Officer (DPO);
  - Obligation to provide the DPO with all the resources necessary to carry out his or her duties properly, and communication of the DPO's contact details to the APDP;
  - Implementation of compliance with security obligations as part of adherence to a code of conduct or a certification mechanism.
- 3 years (until 14 December 2027) to carry out an impact assessment as part of the risk reassessment.

When formalities prior to the implementation of processing, initiated under the former Law no. 1.165, are being examined by the APDP, the latter informs the controllers of the nature of their new obligations.

The recommendations adopted by the former data protection authority (CCIN) on the basis of Law no. 1.165 remain in force until they are amended, replaced or repealed by the APDP.