Data protection and cybersecurity laws in Monaco
Data protection
1. Local data protection laws and scope
The main applicable legislation governing data protection in Monaco is Law No. 1.565 of 3rd December 2024 (hereafter referred to as the “Law”).
This is supplemented by regulatory norms (see in particular Sovereign Ordinance No. 11.327 of 10 July 2025 and Ministerial Order No. 2025-361 of 14 July 2025).
The Law applies to the processing of personal data that is either fully or partially automated, or non-automated provided that the data is contained in or is intended to be included in a filing system, where the processing is:
- carried out by a data controller or processor established in Monaco, regardless of whether the processing takes place or not within Monaco;
- carried out by a data controller or processor established outside Monaco, where the data subjects are located within the Principality and the processing activities are related to the offering of goods or services to those individuals or to the monitoring of their behaviour.
The Law does not apply to processing carried out by a natural person during purely personal or household activities.
The Principality is an independent state with its own legal and regulatory framework: foreign provisions such as the GDPR do not, in principle, apply in Monaco.
Although the GDPR is not part of Monegasque law, it may apply to entities established in the Principality.
Article 3.2 of this regulation extends its territorial scope beyond the EU for data controllers or processors whose processing activities are related to the offering of goods or services to data subjects in the EU or to the monitoring of the behavior of such persons within the EU. For example, if a Monegasque company hosts personal data in Monaco on behalf of a Belgian company as a processor, then the GDPR will apply to it.
2. Data protection authority
The data protection authority in Monaco is the Autorité de Protection des Données Personnelles (hereafter “A.P.D.P.”).
3. Anticipated changes to local laws
As of 29 October 2025, no significant changes are anticipated.
4. Sanctions & non-compliance
The Law provides for penalties:
Administrative sanctions:
The A.P.D.P. President may notably:
- issue warnings or formal notices to data controllers or subcontractors to comply with Monegasque data protection law or with a request of a data subject;
- order the suspension, restriction, or prohibition of certain processing activities;
- order the withdrawal of “agrément” or instruct the relevant certification body to refuse certification or withdraw a certification already granted;
- impose an administrative financial penalty of up to:
  - €5 million or 2% of the total worldwide annual turnover for breaches such as failure to cooperate or failure to notify data breaches;
  - €10 million or 4% of the total worldwide annual turnover for more serious violations, such as failure to respect data subjects’ rights.
Criminal sanctions:
Depending on the seriousness of the breach of the Law, criminal sanctions range from fines of €9,000 to €90,000 and/or imprisonment from one month to one year.
In the event of a repeat offence, the prison sentence may not be less than twice the length of the previous sentence, but may not exceed twice the maximum sentence applicable.
Others:
In the event of conviction for breach of the Law, the Tribunal de première instance may order the confiscation and destruction, without compensation, of the personal data storage devices and prohibit any new processing for a period which may not exceed three years nor be less than six months.
It may also order that the legal person governed by private law be held jointly responsible with its statutory representative for the fine’s payment.
5. Registration / notification / authorisation
Prior declarations or authorisations for data processing are generally not required, with notable exceptions for data transfers to countries that do not ensure an adequate level of protection, public space video surveillance, and particularly sensitive or high-risk data processing.
The latter notably includes processing activities related to the prevention and detection of criminal offences, processing of genetic or biometric data, processing for health research purposes and international transfers of personal data to countries that do not provide an adequate level of protection.
Depending on the nature of the processing, the required formality is either a request for an opinion or a request for authorisation, both addressed to the A.P.D.P.:
- For certain high-risk or sensitive processing activities (prevention and detection of criminal infractions, processing of genetic or biometric data, health data…), the data controller must submit a formal request for an opinion to the A.P.D.P. using the prescribed form and including all required supporting documentation. The A.P.D.P. reviews the admissibility and completeness of the request and may request additional information if necessary. The A.P.D.P. then issues a reasoned opinion within a two-month period (renewable once). If no opinion is issued within this period, the opinion is implicitly deemed favourable.
- For processing activities that require explicit authorisation, the data controller must file a request for authorisation with the A.P.D.P. The Authority acknowledges receipt of the request and examines the substance of the file, particularly the compliance of the proposed processing with Monegasque data protection law and the evidence provided by the applicant. The A.P.D.P. then issues a decision within a two-month period (renewable once). If no response is given within this period, the authorisation is deemed refused. The processing or transfer cannot proceed without the explicit authorisation of the A.P.D.P.
6. Main obligations and processing requirements
The data controller shall ensure that personal data are processed lawfully, fairly and transparently in relation to the data subject, and collected for specified, explicit and legitimate purposes, not being further processed in a manner that is incompatible with those purposes.
The data must be:
- adequate, relevant, and limited to what is necessary in relation to the purposes of processing;
- accurate, and kept up to date where necessary. The controller shall take every reasonable step to ensure that inaccurate or incomplete personal data are erased or rectified without delay;
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing the personal data.
Personal data shall be processed in such a way as to ensure the appropriate security of the data, including protection against unauthorised or unlawful processing, or against accidental loss or destruction, using technical and organisational measures to ensure its integrity and confidentiality.
Data controllers and processors are required to maintain an up-to-date internal record of their processing activities, which must be made available to the A.P.D.P. upon request. This record must include all relevant details about the processing operations, such as the purposes, categories of data and data subjects, recipients, retention periods, and security measures.
7. Data subject rights
Right to be informed. Data subjects must be informed, in clear and understandable terms, about how their personal data are used: what data are collected, by whom, and for what purposes.
Right of access. Data subjects may ask the data controller to confirm whether their personal data are being processed and, if so, to receive those data in a readable and comprehensible form.
Right to rectification. Data subjects may request, with supporting documentation, the correction of inaccurate data or the completion of incomplete data.
Right to erasure. In specific cases defined by the Law, data subjects may request deletion of their personal data, whether or not the data are publicly available.
Right to restriction of processing. Data subjects can request that certain personal data must temporarily no longer be processed except for storage purposes.
Right to object. Data subjects may object to the use of their data for a specific purpose when processing is based on public interest or the controller’s legitimate interests. They must provide “reasons related to their particular situation”, except for direct marketing, to which they may object without providing reasons.
Right to data portability. Under conditions set by the Law, data subjects may obtain from a controller the personal data they have provided in a structured, commonly used, and machine-readable format, to reuse those data or have them transmitted to another controller.
Right not to be subject to an automated individual decision. Individuals may not be subject to a decision based solely on automated processing, without human intervention, where the decision produces legal effects concerning them or significantly affects them.
8. Processing by third parties
When the controller or his representative uses the services of a third party, he must ensure that the latter meets the obligations laid down by the Law.
The carrying out of a processing by a service provider shall be governed by a written contract between the service provider and the controller or its representative. The contract shall stipulate that the service provider and his staff members shall act solely on the controller’s instructions. It shall also impose on the service provider all obligations set out by the Law, including confidentiality, implementation of appropriate security measures, assistance in responding to data subjects’ rights requests, return or deletion of data upon completion of services, and cooperation with the controller to ensure compliance with applicable law requirements.
9. Transfers out of country
Transfers are freely permitted to countries with an “adequate” level of protection. EU Member States are deemed adequate. Outside the EU, adequacy must be recognized by Monaco. An official list is issued by ministerial order after the data protection authority’s advice and is regularly updated.
If a destination is not adequate, transfers may proceed where appropriate safeguards are in place, such as:
- compliance with an international commitment that is enforceable in the Principality;
- use of authority-approved standard contractual clauses;
- compliance with binding corporate rules approved by the A.P.D.P. or by a data protection authority of a state that ensures an adequate level of protection.
If there is no adequacy and no safeguards, transfers may occur with the data subject’s explicit, informed consent (including disclosure of the absence of protection and related risks).
Other permitted grounds for transfer include:
- Vital interests when the person cannot consent.
- Important public interest.
- Establishment, exercise, or defense of legal claims.
- Consultation of a public register open to the public or to those with a legitimate interest.
- Performance of a contract with the data subject or pre‑contractual measures at the data subject’s request.
- Conclusion/performance of a contract in the data subject’s interest between the controller and a third party.
If none of the above apply: a non‑repetitive transfer concerning a limited number of people may occur for the controller’s compelling legitimate interests, if suitable safeguards are taken and the authority is informed. This last‑resort path and certain contract‑based derogations do not apply to public authorities acting under public powers.
As a last resort, the A.P.D.P. may still authorize a transfer based on specific protective measures or bespoke contractual clauses among the parties. The authority decides within two months (extendable once); lack of a decision within the deadline equals refusal.
10. Data Protection Officer
A DPO must be appointed in the following cases:
- Where the processing is carried out by a public body or a private body entrusted with a public interest mission or operating a public service concession;
- Where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
- Where the core activities of the controller or processor consist of large-scale processing of sensitive data or data relating to criminal convictions and offences.
11. Security
All data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security commensurate with the risks to individuals’ rights and freedoms.
The adoption of these measures requires an analysis to identify the risks and then determine their level of probability and severity.
12. Breach notification
The data controller must notify any personal data breach to the A.P.D.P. without undue delay and, where feasible, no later than seventy-two hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. If the notification is not made within this period, it must be accompanied by the reasons for the delay.
The notification to the authority must include at least:
- The nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned;
- The name and contact details of the data protection officer or another point of contact;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate any possible adverse effects.
The data controller must document every breach, indicating the facts, effects, and measures taken to remedy it.
Where the breach is likely to result in a high risk to the rights and freedoms of a natural person, the data controller must also inform the data subject without undue delay, except if one of the following conditions is met:
- the data affected by the breach has previously been subject to technical and organizational protection measures that render the data unintelligible to any person who is not authorized to access it;
- the duty to individually inform the data subject would require disproportionate effort. In this case, a public communication or similar measure shall be taken to inform the data subjects in an equally effective manner;
- the subsequent measures taken by the controller ensure that the risk is no longer likely to materialize.
Failure to comply with notification obligations may result in administrative sanctions, including fines of up to 5,000,000 euros or 2% of the total worldwide annual turnover.
13. Direct marketing
The data subject has the right to object at any time to the processing of their personal data for marketing purposes, including profiling insofar as it is related to such marketing.
The data controller shall clearly inform the data subject of their right to object at the latest at the time of the first communication separately from any other information.
14. Cookies and adtech
General personal data law applies to cookies, for example with regard to data transfers and data conservation duration.
For instance, for websites using Google Analytics, the A.P.D.P. has the following requirements:
- a “cookies” banner must be displayed to allow users to accept or refuse cookies on their device;
- this information banner must appear when the site is opened, before any cookies are stored and without the user having to take any action;
- where applicable, this banner must inform users that their data will be transferred to a country that does not have an adequate level of protection;
- if cookies are refused, the user must be informed that their request has been taken into account, and they must be able to continue browsing;
- users must be able to change their settings in the cookie policy section and thus withdraw their consent at any time.
The former authority (CCIN) recommended that cookie retention periods - whether for technical or other purposes - be no longer than necessary for their intended purpose. In all cases, cookies should not be stored on a user’s device for more than 13 months (Deliberation n° 2019-083).
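The banner rules and the 13-month ceiling above translate into a small amount of client-side logic: no cookie may be written before the user has made a choice, a refusal must be acknowledged without blocking the visit, consent must be withdrawable later, and the lifetime requested for any cookie must be capped. The following is an added example, not code from the original page or from the A.P.D.P., that models that gate. It runs under Node rather than in a browser, so instead of writing to `document.cookie` it returns the `Set-Cookie` header value the site would send; the class name, method names and the approximation of 13 months as 395 days are assumptions made for the illustration.

```javascript
// Consent gate modelling the A.P.D.P. cookie-banner requirements (added example).
// 13 months is approximated as 395 days (assumption; the page says "13 months").
const MAX_COOKIE_LIFETIME_SECONDS = 395 * 24 * 60 * 60;

class CookieConsent {
  constructor() {
    this.state = "pending";  // "pending" | "accepted" | "refused"
    this.issued = new Set(); // names of cookies written after consent
  }

  // The banner is shown on first load, before any cookie is stored, with no user action required.
  bannerRequired() {
    return this.state === "pending";
  }

  accept() {
    this.state = "accepted";
    return { message: "Cookies enabled.", canBrowse: true };
  }

  // A refusal is acknowledged to the user and browsing continues unchanged.
  refuse() {
    this.state = "refused";
    return { message: "Your choice to refuse cookies has been recorded.", canBrowse: true };
  }

  // Withdrawing consent later: record the refusal and expire every cookie issued so far
  // (Max-Age=0 tells the browser to delete the cookie).
  withdraw() {
    this.state = "refused";
    const expirations = [...this.issued].map((name) => `${name}=; Max-Age=0; Path=/`);
    this.issued.clear();
    return expirations;
  }

  // Returns a Set-Cookie header value, or null when no cookie may be stored.
  // The requested lifetime is capped at the 13-month ceiling.
  setCookie(name, value, requestedMaxAgeSeconds) {
    if (this.state !== "accepted") {
      return null; // pending or refused: nothing is written to the device
    }
    const maxAge = Math.min(requestedMaxAgeSeconds, MAX_COOKIE_LIFETIME_SECONDS);
    this.issued.add(name);
    return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
  }
}

// Walk-through with constructed values: a first visit, an analytics cookie requested
// with a two-year lifetime (constructed figure), then withdrawal of consent.
function walkthrough() {
  const consent = new CookieConsent();
  const twoYears = 2 * 365 * 24 * 60 * 60;
  const beforeChoice = consent.setCookie("_ga", "GA1.2.constructed", twoYears); // null
  consent.accept();
  const afterAccept = consent.setCookie("_ga", "GA1.2.constructed", twoYears);  // capped at 395 days
  const expired = consent.withdraw();                                            // ["_ga=; Max-Age=0; Path=/"]
  const afterWithdraw = consent.setCookie("_ga", "GA1.2.constructed", twoYears); // null again
  return { beforeChoice, afterAccept, expired, afterWithdraw };
}

module.exports = { MAX_COOKIE_LIFETIME_SECONDS, CookieConsent, walkthrough };
```

The point of returning `null` rather than throwing on a pending or refused state is the fourth bullet above: a refusal changes what the site stores, not whether the visitor can keep browsing. Capping `Max-Age` inside the one function that emits cookies means the 13-month limit cannot be bypassed by an individual script asking for a longer lifetime.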
15. Risk scale
The data controller must assess the risk before implementing certain processing operations, particularly those likely to result in a high risk for data subjects’ rights.
The criteria for determining whether processing presents a high risk include:
- systematic and thorough evaluation of personal aspects (including profiling),
- automated decision-making producing legal effects or significantly affecting the individual,
- systematic monitoring,
- processing of sensitive data (such as health, biometric, genetic data, criminal convictions, offences, or suspicions of unlawful activities),
- cross-referencing or combining data sets,
- processing data concerning vulnerable individuals,
- the use of innovative technological or organizational solutions, and processing that prevents the exercise of a right or access to a service or contract.
A processing operation that meets at least two of these criteria is presumed to present a high risk, but even a single criterion may suffice if the data controller considers it relevant in the context.
Processing a considerable volume of data, likely to affect a significant number of individuals, is also considered high risk if it meets at least one of the criteria or involves the use of a digital identifier. In the event of a high risk, an impact assessment must be carried out to evaluate the processing, its purposes, proportionality, risks to individuals, and mitigation measures.
If the risk remains, the data protection authority must be consulted before implementation. Risk assessment is based on objective criteria and a formalized methodology, and each processing operation must be examined to determine the applicable obligations.
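The screening rule above (two criteria presumed high risk, one criterion if the controller judges it relevant, or considerable volume combined with a criterion or a digital identifier) can be written down as a decision function and applied to each processing record before a DPIA is opened. The following is an added example, not code from the original page or the A.P.D.P.; the record field names, the split of the last bullet into two separate criteria, and the `residualRiskRemains` flag used to decide on consulting the authority are assumptions made for the illustration.

```javascript
// High-risk screening of a processing record (added example; field names are assumptions).
// Each entry maps one criterion from the list above to a boolean field on the record.
const HIGH_RISK_CRITERIA = [
  "systematicEvaluation",  // systematic and thorough evaluation of personal aspects, incl. profiling
  "automatedDecision",     // automated decision-making with legal or similarly significant effects
  "systematicMonitoring",  // systematic monitoring
  "sensitiveData",         // health, biometric, genetic data, convictions, offences, suspicions
  "dataMatching",          // cross-referencing or combining data sets
  "vulnerableSubjects",    // data concerning vulnerable individuals
  "innovativeTechnology",  // innovative technological or organisational solutions
  "blocksRightOrService",  // prevents exercise of a right or access to a service or contract
];

function screenProcessing(record) {
  const met = HIGH_RISK_CRITERIA.filter((criterion) => record[criterion] === true);
  const reasons = [];

  // Rule 1: at least two criteria => presumed high risk.
  if (met.length >= 2) {
    reasons.push(`meets ${met.length} criteria: ${met.join(", ")}`);
  } else if (met.length === 1 && record.controllerDeemsRelevant === true) {
    // Rule 2: a single criterion suffices if the controller considers it relevant in context.
    reasons.push(`single criterion judged relevant by the controller: ${met[0]}`);
  }

  // Rule 3: considerable volume affecting many individuals, plus a criterion or a digital identifier.
  if (record.considerableVolume === true && (met.length >= 1 || record.usesDigitalIdentifier === true)) {
    reasons.push("considerable volume combined with a criterion or a digital identifier");
  }

  const highRisk = reasons.length > 0;
  let nextStep = "document the screening; no impact assessment presumed";
  if (highRisk) {
    nextStep = record.residualRiskRemains === true
      ? "carry out an impact assessment and consult the A.P.D.P. before implementation"
      : "carry out an impact assessment (purposes, proportionality, risks, mitigation)";
  }
  return { highRisk, criteriaMet: met, reasons, nextStep };
}

// Constructed records for illustration.
const SAMPLE_RECORDS = {
  staffBadgeAccess: { sensitiveData: false, systematicMonitoring: true, controllerDeemsRelevant: false },
  clinicalResearch: { sensitiveData: true, vulnerableSubjects: true, residualRiskRemains: true },
  loyaltyProgramme: { considerableVolume: true, usesDigitalIdentifier: true },
};

function screenAll(records) {
  return Object.fromEntries(Object.entries(records).map(([name, r]) => [name, screenProcessing(r)]));
}

module.exports = { HIGH_RISK_CRITERIA, screenProcessing, screenAll, SAMPLE_RECORDS };
```

Keeping the rules in one function, with the matched criteria and the textual reasons returned alongside the verdict, gives the controller the formalised, objective record that section 15 asks for: the output can be filed with the processing register entry, and the same function re-run when the processing changes.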
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
The applicable legislation governing cybersecurity in Monaco is Law No. 1.402 of 5 December 2013, ratifying the European Council’s Convention on cybercrime (hereinafter referred to as the “Convention”), and Law No. 1.435 of 8 November 2016 on combating technological crime.
Apart from criminal matters, the Convention covers service providers such as:
- any public or private entity that offers users of its services the possibility of communicating by means of a computer system
- any other entity processing or storing computer data for this communication service or its users.
Law No. 1.435 ensures that the Minister of State takes all necessary measures to ensure the security of information systems in the Principality of Monaco.
It relies on articles of the Criminal Code to criminally punish any person who has fraudulently accessed, or maintained access to, all or part of an information system.
In addition, Law No. 1.578 of 1st July 2025 strengthened the obligations of operators of vital importance (entities whose activities are essential to the population’s basic needs), such as security standards, incident notification requirements, regular controls. It increased financial penalties in case of non-compliance (up to €150,000 per infraction for individuals, and five times that amount for legal entities).
2. Anticipated changes to local laws
As of 26 November 2025, no significant changes are anticipated.
3. Application
Sovereign Ordinance No. 8.504 of 18 February 2021 and other regulatory norms implement the cybersecurity laws in Monaco.
For example, the following regulations apply to operators of vital importance (OIVs):
- Ministerial order 2018-1053 (8 Nov 2018): establishes baseline security requirements to protect the information systems of OIVs;
- Ministerial order 2020-902 (21 Dec 2020): amends Ministerial order 2018-1053 and introduces the obligation for OIVs to maintain a specific Protection Plan (“plan particulier de protection”);
- Ministerial order 2023-556 (21 Sep 2023): further amends Ministerial order 2018-1053, clarifies the security rules applicable to OIVs and redefines their obligations regarding communication and supervision with the Monaco authorities, including the Direction de la Sûreté Publique (police) and the Agence Monégasque de Sécurité Numérique (State Cyber Security Agency);
- Ministerial order 2023-394 (3 Jul 2023): repeals and replaces Ministerial order 2017-42 and redefines the qualification criteria for OIVs.
4. Authority
The Ministre d’Etat (equivalent of Prime Minister) shall ensure that all measures are taken to guarantee the security of information systems in the Principality.
In order to prepare and execute these measures, a specialised administrative authority has been created by sovereign ordinance: the Agence Monégasque de Sécurité Numérique (AMSN).
5. Key obligations
Operators of vital importance are required to implement the security rules at their own expense and must promptly inform the Ministre d’Etat of any incident that affects the operation or security of their information systems.
Upon request from the Ministre d’Etat, these operators are obliged to submit their information systems to inspections conducted by the AMSN, which is responsible for verifying the level of compliance with the applicable security rules. The costs associated with these inspections remain the responsibility of the operator.
The AMSN is required to maintain the confidentiality of all information collected during these inspections.
6. Sanctions & non-compliance
In case of violation of the law or non-compliance, penalties are applied:
- a €150,000 fine is imposed on the managers of operators for failing to draw up a protection plan or to carry out the work provided for on expiry of the time limit set by formal notice;
- a €150,000 fine is imposed on the same persons for failing, after formal notice, to maintain the protection devices in good condition;
- a €150,000 fine is imposed for failing to comply with the inspection obligations;
- a €150,000 fine is imposed on the same persons for failing to inform the Ministre d’Etat of incidents affecting the operation or security of the information systems.
Legal entities declared responsible for these offences shall be liable to a fine equal to five times the fine provided for the operators’ directors.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. Within the AMSN, a response centre for digital security incidents has been set up, the Centre de réponse et de traitement en matière d'attaques numériques or CERT-MC.
It is composed of three departments:
- the division responsible for monitoring and detecting digital security events, or the Security Operations Center (SOC-MC);
- the division responsible for responding to digital security incidents, or the Computer Security Incident Response Team (CSIRT-MC);
- the division responsible for analysis and information sharing, or the Information Sharing and Analysis Center (ISAC-MC).
8. National cybersecurity incident management structure
The AMSN, created by Sovereign Order 5.664 of 23 December 2015, is the national authority responsible for the security of information systems.
It is an information security and cyber-attack expertise and response centre, and has the following remit:
- To prevent, detect and respond to cyber attacks, including by providing advice and introducing regulations, detection systems, alert systems and an incident response capability
- To lead and coordinate the response to crisis situations caused by cyber attacks
- To evaluate and certify the security of information technology products and systems
- To evaluate providers of certification and electronic signature services
- To represent the Principality within international cyber security bodies and in dealings with other cyber-attack expertise and response centres
- To raise awareness and encourage public services and critical infrastructure operators to pay attention to cyber security requirements
- To monitor the level of security deployed by critical infrastructure operators, with the collaboration of the Department of Electronic Communications as regards electronic communications network operators or suppliers of telecommunications and Internet access services
In addition, the Police Department set up a cybercrime unit in 2019, through which two inspectors with specialist skills in this area provide assistance to individuals and companies who have fallen victim to cyberattacks.
9. Other cybersecurity initiatives
TF-CSIRT is a group that promotes collaboration and coordination between CSIRTs in Europe and neighbouring regions, while maintaining links with relevant global organisations and with CSIRT communities in other regions. The AMSN is now listed in the TF-CSIRT.
In January 2025, Monaco hosted the FIRST Regional Symposium Europe, an international event bringing together cyber incident response teams.