Monaco: New law on the protection of personal data
The adoption of Bill No. 1.054 on the protection of personal data will bring a number of changes. Find out what they are.
On 28 November 2024, during a legislative session, the members of the National Executive had the opportunity to vote on the Monegasque Bill n°1.054 on the protection of personal data.
The unanimous adoption of draft law no. 1.054 repeals the Monegasque law on the protection of personal data currently in force, namely law no. 1.165 of 23 December 1993.
The new law comprises 118 articles that apply to both the private and public sectors.
Objective of the new law: to align with RGPD standards
The objective is to guarantee Monaco a high level of personal data protection, equivalent to European standards. By bringing the Principality into line with the requirements of the European standards defined by the General Data Protection Regulation (GDPR), it would be possible for the European Commission to reassess Monaco and grant it an adequate level of protection in the coming months.
Major changes :
The adoption of Bill 1.054 on the protection of personal data has brought about a number of changes. The new law strengthens the obligations of data controllers and processors, while streamlining the formalities that previously had to be carried out with the Monegasque supervisory authority.
A new field of application :
- Une nouvelle terminologie, utilisation du terme « données personnelles » au lieu de celui d’« informations nominatives ».
- Élément de liste #2
- Élément de liste #3
- A new terminology, using the term ‘personal data’ instead of ‘nominative information’.
- The new law introduces precise definitions of key terms, inspired by the RGPD.
- The introduction of the status of the processor, already present in the GDPR but not clearly defined in Law no. 1.165 of 1993.
- New requirements for the scope of the text.
- Reinforcement of the requirements relating to consent, which must be ‘free, specific, informed and unambiguous’.
- Simplification of the formalities to be carried out with the Control Authority.
Better protection for people in Monaco :
Law no. 1.054 introduces new rights for the people concerned:
- Right to erasure > obtain the erasure of personal data from the controller as soon as possible.
- Right to portability > receive personal data supplied by an individual to a data controller, in a structured, commonly used and machine-readable format, and have the right to transmit this data to another data controller without the data controller to which the personal data has been communicated hindering this.
- Right to restrict processing > obtain from the controller the restriction of processing where the accuracy of the data is called into question, the processing is unlawful, the controller no longer needs the data for the purposes of the processing or where the data subject has objected to the processing.
- Right of rectification > to rectify, complete, update, block or erase information concerning him or her when errors, inaccuracies or the presence of data whose collection, use, communication or storage is prohibited have been detected.
Of course, the data subject retains his or her pre-existing rights under Law no. 1.165, namely the right of access and the right to object.
More stringent obligations for data controllers and processors:
- Notification of individuals by the data controller in the event of personal data breaches.
- Rigorous maintenance of a processing register for each processing operation carried out.
- Carrying out a data protection impact assessment (DPIA) where necessary.
- The obligation, according to certain criteria, to appoint a Data Protection Officer (DPO) whose duties and functions are defined.
A new supervisory authority :
The “Autorité de Protection des Données Personnelles” (APDP) is the successor to the Commission de Contrôle des Informations Nominatives (CCIN).
Role of the new authority
The APDP is a new authority with powers of investigation, control and sanction:
- Carry out checks and investigations.
- Access the premises where data processing is carried out.
- Request any relevant documents.
- Issue warnings, formal notices, processing restrictions, processing bans and administrative fines.
Stronger penalties for non-compliance:
With regard to penalties for failure to comply with the legislation, Law no. 1.054 provides for heavy administrative fines, as already provided for under the RGPD at European level, and the select committee may decide to make the penalties imposed public.
- Maximum fine of €5,000,000 or 2% of annual worldwide turnover for failure to comply with various obligations, including cooperation with the data protection authority or notification of data breaches.
- Maximum fine of €10,000,000 or 4% of worldwide annual turnover for more serious offences, such as failure to comply with the principles of lawfulness of processing, the rights of data subjects or data transfers.
An ACTIS meeting to find out more:
On 18 December, ACTIS experts will be holding a videoconference to explain and discuss the new law. Register now, free of charge at : event.groupetelis@telis.mc