07 Apr 2025
Legal news
Personal data
Public law
Personal data ● APDP opinion on the draft Sovereign Order implementing Law no. 1.565 of 3 December 2024 (Deliberation no. 2025-4 of 19 March 2025)
In its Deliberation no. 2025-4 of 19 March 2025 (JDM no. 8740 of 28 March 2025), the APDP analyses, provision by provision, the draft Sovereign Order referred to it on 20 February 2025, in the light of the adequacy reference criteria under Regulation (EU) 2016/679 (GDPR) (wp254rev.01) and Directive (EU) 2016/680 "Police Justice" (Recommendations 01/2021), given the "stated aim of obtaining an adequacy decision" from the European Commission. In some respects, the APDP also draws on the wording of French and Swiss regulations.
* * *
Issues raised by the APDP in the Preamble
- With regard to the effective and dissuasive nature of the penalties for non-compliance with the provisions of Law no. 1.565, the APDP considers that the objective has been fully achieved for the private sector, but notes the lack of progress in relation to the former Law no. 1.365 as far as the State is concerned (no distinction is made between the processing operations implemented, which may lead to the State not being liable).
- The APDP lists serious breaches that are not punishable under criminal law (art. 308-7 of the Criminal Code), unlike under French law.
- Problems relating to the Commission Spéciale de Sécurité Nationale (CSSN) and the supervision of national security processing, and the absence of provisions in the draft Sovereign Order laying down the basis for cooperation between the three supervisory authorities created (APDP, CSSN, Délégué Judiciaire à la Protection des données).
- Another problem for the public sector is that there is only one Data Protection Officer (DPO), with "technical correspondents" who are not trained in personal data protection.
* * *
APDP recommendations
I. Rights of the data subject
• Right of access
The APDP recommends reintroducing the possibility of exercising the right of access on site, deleted from the current version of the draft. It asks that the wording be consistent with that used in previous versions that have been the subject of consultation: the request could be made by post, electronically or in person. The APDP also recommends that, when a request is made on the spot but cannot be met immediately, a dated and signed acknowledgement of receipt should be provided.
Concerning the possibility of referral by a foreign protection authority, the APDP recalls that this procedure must remain subsidiary and cannot constitute a prerequisite, in accordance with article 18, §2 of Convention 108+.
It recommends the deletion of the last two paragraphs of the draft article, which are considered to be a source of confusion and potentially restrictive for an effective and rapid procedure for the persons concerned.
• Identification and imprecision of the request
The APDP recommends that requests for additional information, in the event of doubt as to the identity of the applicant, should be made within the 1-month period provided for by Law no. 1.565 (article 10).
In the case of imprecise or incomplete requests, the APDP recommends that the time limit for informing the data subject be set at 1 month from receipt of the request, and that the time limits for the controller's response be suspended.
• Exceptions to the right to information
The APDP recommends reiterating the duty of verification to be carried out and documented by the data controller.
• Need to regulate the processing of sensitive data by the IMSEE
The APDP proposes an additional text that could be included either in the draft Sovereign Order or in Sovereign Order 3.095 of 24 January 2011 creating the Monegasque Institute for Statistics and Economic Studies (IMSEE) and the Scientific Council for Statistics and Economic Studies.
II. Obligations of data controllers and processors
• Security of processing
The APDP recommends that the wording be broadened to include, in addition to pseudonymisation, other technical and organisational measures: encryption, systems to guarantee the confidentiality, integrity and availability of data.
• Need to insert an article on the appointment of the representative
The APDP recommends the introduction of an article specifying that the appointment of a representative in a Member State of the European Union must be justified by the impossibility of appointing one in Monaco. It requests that this designation be communicated without delay to the APDP, together with all the necessary contact details, and that it be stated that the APDP may contact representatives located on EU territory (failing this, the APDP would have to resort to the cooperation mechanisms provided for by Convention 108+, which would lengthen response times).
• Data Protection Officer (DPO)
The APDP recommends specifying that the data controller must provide the APDP with the first and last names of the DPO or, if this function is performed by a legal entity, of the qualified natural person acting as contact person, and, where applicable, the names and professional contact details of the data controller's or processor's representative (information that must be communicated to the CNIL in France). The APDP must also be informed of any changes as soon as possible.
The APDP welcomes the integration of provisions concerning conflict of interest situations. The internal rules established by the controller or processor to define and prevent conflicts of interest must be provided to the APDP on request.
III. Functioning of the APDP
The APDP recommends clarifications concerning:
- the right to lodge an appeal with the Court of First Instance (applicable procedure, time limits, final instance, etc.), of which the APDP must inform the applicant;
- the absence or inability to act of the Chairman of the APDP, the substitute members;
- the dismissal of a member for serious misconduct;
- the restricted formation of the APDP and the situation of conflict of interest;
- the cooperation with other Authorities (Monegasque, e.g. CSSN and AMSF; foreign);
- the extension of the scope of the APDP's internal rules;
- the swearing in of APDP officers and appointed investigators;
- the investigation mission;
- the impossibility for persons heard to sign the daily minutes;
- the remote inspection of summonses;
- the possibility of being heard by a videoconferencing or audioconferencing system;
- the provisional liquidation of the penalty payment;
- the procedural rules applicable to appeals lodged against decisions of the restricted formation.
IV. Processing subject to prior formality
• Police-Justice, genetic or biometric data processed by administrative or judicial authorities, research in the field of health
Here the APDP points out the flaws in the wording of Law no. 1.565, which sets out the cases in which the APDP is notified or asked for its opinion or authorisation in the event of a change affecting processing subject to formality (article 61).
The APDP considers that the wording excessively restricts the cases of changes to processing operations subject to prior formality. The following would not be considered as substantial changes: opening up access to the processing operation to new persons in the case of police data, linking a police processing operation to another processing operation, completely overhauling the security measures of a processing operation, or transferring data abroad to a country that does not have adequate legislation or to an insurer in the case of medical research.
In the absence of an effective solution, the APDP could only resort to corrective measures or sanctions, which would be limited in the case of the public sector, and if necessary take action through the press in the case of the most intrusive processing operations.
• Time limits
The 8-day time limit set for the APDP to check the completeness of a file is considered too short. It should be extended to 1 month, as was previously the case.
The APDP also requests that it be clarified that the 2-month period within which it must make a decision, as provided for in Law no. 1.565 (articles 59 and 100), runs from receipt of the complete file.
• Right of indirect access concerning processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security, by the competent administrative and judicial authorities
The APDP is requesting an amendment to Law no. 1.565 (article 74) in order to restrict the application of the right of indirect access to cases in which there has been a justified restriction on processing (pursuant to paragraph 2 of article 72). This clarification is essential in order to avoid any systematic application of the indirect access procedure, in contradiction with the Directive (EU) "Police Justice" and the principles laid down by the case law of the Court of Justice of the European Union (CJEU, Case C-333/22 of 16 November 2023).
With regard to the right of access granted to the CSSN in matters of national security, the APDP highlights the major differences between the CSSN procedure and the APDP procedure, and the real scope of the rights open to data subjects.
The APDP then observes that the draft Sovereign Order envisages an indirect access procedure for the most sensitive processing operations, including those of the Direction de la Sûreté publique (Public Security), which seriously prejudices the rights of individuals. It recommends that:
- the APDP's prerogatives be strengthened, with the possibility of directly verifying the processing implemented and fully ensuring respect for the rights of the data subjects;
- the time limits for responding to the data subject be set within a proportionate and justified maximum period, applicable to both the APDP and the data controller;
- the legal remedy available to the data subject be clearly identified (against the decision of the controller or that of the Data Protection Authority), taking into account the conditions laid down by the CJEU, namely that the remedy must be against an authority with effective powers of investigation.
The APDP draws attention to the fact that the procedure thus provided for will also affect the rights of data subjects with regard to processing carried out by reporting entities as part of their obligations in the fight against money laundering, terrorism and corruption.
• Rights of rectification and deletion
The APDP recommends a provision relating to the security of communication, taking into account the particular sensitivity of the data.
• Processing relating to research in the field of health
The Directeur de l’Action Sanitaire (Director of Health Action), when contacted by the President of the APDP, should respond directly to the latter, without any hierarchical intermediary, in the name of the principle of reciprocity and efficiency.
The APDP also considers that it is not part of its remit to select and specify the points requiring the expertise of the Directeur de l’Action Sanitaire, and this reference should be deleted.
Finally, the APDP proposes that the time limit allowed for the Direction de l'Action Sanitaire to give its opinion be reduced from 8 to 5 weeks, so that the launch of research projects is not delayed for too long.
V. Special provisions for certain types of processing
• Processing for archival purposes in the public interest
The APDP deplores the fact that archiving provisions are split up between several texts with regard to the quality of the guarantees put in place when the data controller makes archives containing personal data available. The APDP will issue an opinion on bill no. 1093 amending various provisions relating to digital technology, which deals with the re-use of data.
VI. Transfers of personal data
• Assessment of adequacy
The APDP recommends that the criteria should no longer include consideration of an adequacy decision issued by the European Union.
It also specifies that the criterion of taking account of international commitments in the area of personal data protection should be accompanied by an examination of the effectiveness of their implementation.
It also suggests that the level of protection should be reviewed every five years, and that this review should be published or at least forwarded to the APDP, following the example of Switzerland and the European Union. Knowledge of the factors that led to the adequacy decisions would enable the APDP to alert the Minister of State in the event of changes affecting these factors that would justify a reconsideration of the adequacy.
Finally, the APDP stresses that in the event of the withdrawal of an adequacy decision, ongoing transfers (for example, data hosting or remote access) must be guaranteed by other mechanisms, or must be stopped.
• Binding Corporate Rules (BCR)
The APDP notes that the draft Monegasque text contains gaps in relation to its model (article 47 GDPR). It suggests incorporating:
- the modalities for exercising the rights of data subjects, including the right not to be subject to decisions based exclusively on automated processing, including profiling;
- the tasks of the data protection officer or any person or entity responsible for compliance with the BCRs;
- the monitoring of the processing of complaints;
- the complaints procedures;
- the mechanisms put in place to communicate and record changes to the BCRs;
- the modalities for cooperation with the supervisory authority;
- the mechanisms for notifying the authority of legal obligations arising from the regulations of a third country, where these are likely to have a significant negative effect on the guarantees provided by the BCR;
- appropriate training for staff with permanent and regular access to personal data.
In addition, the APDP recommends specifying that subsequent modifications to previously approved BCRs are submitted to it for approval.
Finally, with regard to BCRs validated by foreign authorities, it recommends adding that all the guarantees set out in the Monegasque Sovereign Order must be effective.
• Transfer in the absence of an adequate level of protection, necessary for the purposes of overriding legitimate interests pursued by the controller
The APDP suggests additions enabling it to intervene where the cumulative elements set out by Law no. 1.565 in point 3 of article 99 (including repetitiveness, a limited number of persons, and that the interests or rights and freedoms of the data subject do not take precedence over the overriding legitimate interests pursued by the controller) are not all complied with: any relevant information making it possible to ensure that the conditions referred to in Law no. 1.565 are met would be communicated to the APDP, which may request any additional information.