LAW
Data protection in Monaco is regulated by Data Protection Law n° 1.165 of 23 December 1993, modified by Law n° 1.353 of 4 December 2008 ("DPL").
Furthermore, the Principality of Monaco is part of the Council of Europe and entered into Convention n° 108 of the European Council.
The Principality of Monaco is not part of the EU and as a consequence did not transpose Data Protection Directive 95/46/EC.
DEFINITION OF PERSONAL DATA
Personal data is defined under the Data Protection Law as: "data enabling identification of a determined or indeterminable person. Any individual who can be identified, directly or indirectly, notably by reference to an identification number or to one or more factors specific to his physical, psychological, psychical, economical, cultural, or social identity is deemed to be identifiable".
DEFINITION OF SENSITIVE PERSONAL DATA
Sensitive personal data is not expressly defined under the DPL but it is deemed to be: "Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health/genetic data, sex life, data concerning morals or social matters".
NATIONAL DATA PROTECTION AUTHORITY
The Monegasque regulator is the Commission for Control of Personal Data ("Commission de Contrôle des Informations Nominatives" or "CCIN").
REGISTRATION
Data controllers who process personal data must inform/notify/request approval from the CCIN so that their processing of personal data may be registered. Any changes to the processing of personal data will require the registration to be amended.
The notification should include the following information:
- what data is being collected;
- why the data will be processed;
- the categories of data subject; and
- whether the data will be transferred either within or outside Monaco.
DATA PROTECTION OFFICERS
There is no requirement in Monaco for organisations to appoint a data protection officer.
Appointing a data protection officer is nevertheless well perceived by the CCIN as evidence of the company's actions to ensure compliance with the data protection legislation; in practice, however, companies in Monaco do not generally appoint data protection officers.
COLLECTION AND PROCESSING
Data processing must be justified by:
- data subject's consent;
- a legal duty imposed on the data controller;
- a public purpose;
- completion of a contract entered into between the data controller and the data subject; or
- the data controller's legitimate interest, provided that it does not fail to respect the data subject's fundamental rights and liberties.
Where sensitive personal data is processed, one of the above conditions must be met plus one from an additional list of more stringent conditions.
The data controller must also provide the data subject with "fair processing information". This includes the identity of the data controller, the purposes of processing and any other information needed under the circumstances to ensure that the processing is fair.
TRANSFER
As the Principality of Monaco is not part of the EU, the DPL does not distinguish between EEA jurisdictions and non-EEA jurisdictions.
However, the DPL provides that the transfer of data is authorised for cross border access, storage and processing of data only to a country with equivalent protection and reciprocity.
The CCIN has established a list of the countries deemed to have equivalent protection and reciprocity. States that are parties to Convention n° 108 of the Council of Europe, relating to the protection of individuals with regard to the automatic processing of personal data, are deemed to have protection equivalent to Monaco's.
The declaration to CCIN should indicate whether it is intended for personal data to be transferred cross-border.
The transfer of data to countries that do not provide a sufficient level of protection shall be either:
- accepted by the data subject; or
- necessary for:
  - safety of data subject's life;
  - the protection of public purpose;
  - compliance with obligations relating to the protection of a legal right;
  - public access to information;
  - completion of a contract entered into between the data controller and the data subject;
  - conclusion or completion of a contract entered into or to be entered into between the data controller and a third party in the interest of the data subject; or
- duly authorised by the CCIN under the condition that the data controller and the data recipient provide sufficient guarantees in order to protect fundamental rights and liberties.
SECURITY
Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as mentioned above, and appropriate to the nature of the data.
BREACH NOTIFICATION
There is no mandatory requirement in the DPL to report breaches or losses to the CCIN or to data subjects.
ENFORCEMENT
The CCIN and Monegasque Courts are responsible for enforcing the DPL. If the CCIN becomes aware that a data controller is in breach of the DPL, it can serve an enforcement notice requiring the data controller to rectify the position. Failure to comply with an enforcement notice is a criminal offence and can be punished on conviction by imprisonment of 1 to 6 months or a fine of Eur 9,000 to Eur 90,000 or both.
ELECTRONIC MARKETING
Prior to implementing any electronic marketing activity the CCIN must be notified, as electronic marketing activities may use personal data. The law does not prohibit the use of personal data for the purpose of electronic marketing. However, when implementing electronic marketing activities a company must respect the provisions of article 1, article 10 and article 14 of the DPL.
The automated or non-automated processing of personal data must not infringe the fundamental rights and freedoms enshrined in Title III of the Constitution.
Personal data must be:
- collected and processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
- accurate and, if necessary, updated; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified; and
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.
Processing of personal data must be justified:
- by consent from the data subject(s);
- by compliance with a legal obligation to which the data controller or their representative is subject;
- by it being in the public interest;
- by the performance of a contract or pre-contractual measures with the data subject; or
- by the fulfillment of a legitimate motive on the part of the data controller or their representative or by the recipient, on condition that the interests or fundamental rights and freedoms of the data subject are not infringed.
Persons from whom personal data is collected must be informed:
- of the identity of the data controller and, if applicable, the identity of their representative in Monaco;
- of the purpose of processing;
- of the obligatory or optional nature of replies;
- of the consequences for them of failure to reply;
- of the identity of recipients or categories of recipients;
- of their right to oppose, access and rectify their data; and
- of their right to oppose the use on behalf of a third party, or the disclosure to a third party of their personal data for the purposes of prospection, particularly commercial prospection.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Prior to the use of Traffic Data, Location Data and Cookies the CCIN must be notified. The use of Traffic Data, Location Data and Cookies must respect the provisions of the DPL.
In addition, the data controller or their representative must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, corruption, unauthorised disclosure or access, in particular where processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Measures implemented must ensure an adequate level of security with regard to the risks posed by processing and by the nature of the data to be protected.
Where the data controller or their representative makes use of the services of one or more service providers, they must ensure that the latter are able to comply with the obligations laid down in the two previous paragraphs.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com