Data protection

1. Local data protection laws and scope


The applicable legislation governing data protection in Monaco is Law No. 1.165 of December 23rd, 1993, as amended by Law No. 1.353 of December 4th, 2008 (hereinafter referred to as the “Law”).

Monaco’s law is applicable to processing of personal data:

  • implemented by a data controller established in Monaco
  • implemented in Monaco, even if the processing is only intended to be used abroad
  • whose controller is established abroad, but uses processing means located in Monaco.

In this last case, the controller must appoint a representative established in Monaco, who makes the declaration, the request for an opinion or for authorisation, and to whom the obligations provided for by the Law apply, without prejudice to actions which may be brought against the controller himself.

2. Data protection authority

The data protection authority in Monaco is the “Commission de Contrôle des Informations Nominatives (CCIN)”.

3. Anticipated changes to local laws

A bill is under consideration, the purpose of which is to align with the GDPR provisions. 

4. Sanctions & non-compliance

The Law provides for penalties:

Administrative sanctions:

The CCIN may issue warnings or formal notices to data controllers in case of non-compliance with normative and regulatory provisions.

Criminal sanctions:

Depending on the seriousness of the breach of the Law, criminal sanctions range from one to six months of imprisonment with a fine of 9,000 to 18,000 euros, or from three months to one year of imprisonment with a fine of 18,000 to 90,000 euros.

Others: 

The court may order the confiscation and destruction, without compensation, of the personal data carriers and the prohibition of reinstatement in the register for a period which may not exceed three years nor be less than six months.

It may also order that the legal person governed by private law be held jointly responsible with its statutory representative for the fine’s payment.

5. Registration / notification / authorisation

The Monegasque personal data regulations provide that any Monegasque company implementing a data processing operation must complete formalities with the Monegasque regulator (CCIN). One formality is required for each data processing operation relating to a specific purpose.

Depending on the concerned data processing, it could either be a declaration (ordinary or simplified) of the data processing or a request for authorization.

  • Once the declaration is filed, the CCIN delivers a receipt. The CCIN only verifies that the declaration is admissible and contains all the required documents. However, it does not have to “authorize” the data processing.
  • Once a request for authorization is filed, the CCIN acknowledges receipt of the request. A committee then assesses the substance of the request, in particular its compliance with the Monegasque regulations and the evidence of such compliance provided by the applicant. The CCIN then issues an authorization to implement the data processing.

6. Main obligations and processing requirements

The data controller or its representative is required to provide appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, particularly when the processing involves the transmission of information over a network, and against all other unlawful forms of processing.

The measures implemented must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected.

Personal data cannot be kept in a nominative form beyond the period specified in the request for an opinion, the declaration, or the application for authorization, except for historical, statistical, or scientific purposes.

7. Data subject rights

Persons from whom personal data is collected must be informed of:

  • the data controller’s identity and, as the case may be, the identity of its representative in Monaco
  • the purpose of the processing
  • whether replies are compulsory or optional
  • the consequences for them of failing to reply
  • the recipients’ identity or categories of recipients
  • their rights of opposition, access, and rectification regarding the information concerning them
  • their right to object to the use on behalf of third parties, or to the communication to third parties, of personal data concerning them for the purposes of canvassing, particularly commercial canvassing.

When personal data is not collected directly from the data subject, the controller or his representative must provide him with the information listed in the previous paragraph, unless the data subject has already been informed, informing him proves impossible or would require measures disproportionate to the interest of the procedure, or the collection or communication of the information is expressly provided for by legislative or regulatory provisions.

8. Processing by third parties

When the controller or his representative uses the services of a third party, he must ensure that the latter is able to meet the obligations laid down by the Law.

The carrying out of a processing by a service provider shall be governed by a written contract between the service provider and the controller or its representative. The contract shall stipulate that the service provider and his staff members shall act solely on the controller’s instructions and that the obligations set out by the Law shall also be imposed on him.

9. Transfers out of country

Personal data transfers outside the Principality may only be carried out provided that the country or body to which the transfer is made has an adequate level of protection.

Transfers that do not meet this condition may, however, be carried out under specific conditions after authorization from the CCIN.

10. Data Protection Officer

Monaco’s law is applicable to automated processing of personal data:

  • implemented by a data controller established in Monaco
  • implemented in Monaco, even if the processing is only intended to be used abroad
  • whose controller is established abroad, but uses processing means located in Monaco.

Only the controller must appoint a representative established in Monaco, who makes the declaration, the request for an opinion or for authorisation, and to whom the obligations provided for by the Law apply, without prejudice to actions which may be brought against the controller himself.

11. Security

The measures implemented must ensure an adequate level of security in relation to the risks presented by the processing and the nature of the data to be protected.

12. Breach notification

N/A

13. Direct marketing

Direct marketing by means of an automatic fax or e-mail using, in any form, the contact details of a consumer who has not given his or her prior consent to receive direct marketing by this method is prohibited.

However, direct marketing by electronic mail is permitted if the consumer’s contact details were collected directly from him during a sale or provision of services, if the direct marketing concerns similar products or services provided by the same supplier, and if the consumer is offered, in an express and unambiguous manner, the possibility of objecting to the use of his contact details, free of charge (apart from the cost of transmitting the refusal) and in a simple manner, both when the details are collected and each time a canvassing e-mail is sent to him.

14. Cookies and adtech

Strictly necessary cookies may be placed on a user’s terminal without consent.

Other cookies must be accepted by users before they are deposited. In case of refusal, the website must remain accessible and functional.

For these cookies, a banner must be displayed as soon as a user arrives on the visited site.

The banner must not serve solely for information purposes; it must also allow the user to approve or refuse the deposit of cookies directly on the website through a positive action. Where possible, the banner can distinguish cookie types (advertising, analytics, social media) and offer an option for a one-time global refusal.

15. Risk scale

N/A

Cybersecurity

1. Local cybersecurity laws and scope

The applicable legislation governing cybersecurity in Monaco consists of Law No. 1.402 of December 5th, 2013, ratifying the Council of Europe Convention on Cybercrime (hereinafter referred to as the “Convention”), and Law No. 1.435 on combating technological crime.

These laws apply to operators running a radio communication network open to the public or providing radio communication services to the public.

Apart from criminals, the Convention covers service providers such as:

  • any public or private entity that offers users of its services the possibility of communicating by means of a computer system
  • any other entity processing or storing computer data for this communication service or its users.

Law No. 1.435 ensures that the Minister of State takes all necessary measures to ensure the security of information systems in the Principality of Monaco. It relies on articles of the Criminal Code to criminally punish any person who has fraudulently accessed, or fraudulently maintained access to, all or part of an information system.

2. Anticipated changes to local laws

A bill was introduced on December 20th, 2021, which aims to align with the level of protection provided by European Union law.

3. Application

The Sovereign Ordinance No. 8.504 of February 18th, 2021, implemented Article 24 of Law No. 1.435 of November 8th, 2016, on the fight against technological crime. 

4. Authority

The state minister shall ensure that all measures are taken to guarantee the security of information systems in the Principality. 

In order to prepare and execute these measures, a specialised administrative authority has been created by sovereign ordinance: Agence Monégasque de Sécurité Numérique (AMSN).

5. Key obligations 

Operators shall be obliged to apply the security rules at their own expense and to inform the state minister without delay of incidents affecting the operation or security of the information systems.

At the state minister’s request, the said operators shall submit their information systems to checks, which are carried out by the AMSN to verify the level of compliance with the security rules.

The cost of such checks shall be borne by the operator concerned.

The AMSN shall preserve confidentiality of the information gathered during the checks. 

6. Sanctions & non-compliance 

In case of violation of the law or non-compliance, penalties are applied: 

  • A fine of 150,000 euros is imposed on the managers of operators for failing to draw up a protection plan or to carry out the work provided for on expiry of the time limit set by formal notice.
  • A fine of 150,000 euros is imposed on the same persons for failing, after formal notice, to maintain the protection devices in good condition.
  • A fine of 150,000 euros is imposed for failing to comply with the control obligations.
  • A fine of 150,000 euros is imposed on the same persons for failing to inform the state minister of incidents affecting the operation or security of the information systems.

Legal entities declared responsible for these offences shall be liable to a fine equal to five times the fine provided for the operators’ directors.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Within the AMSN, a response centre for digital security incidents has been set up; it is called CERT-MC.

TF-CSIRT is a group that promotes collaboration and coordination between CSIRTs in Europe and neighbouring regions, while maintaining links with relevant global organisations and with CSIRTs in other regions. The AMSN is now listed in TF-CSIRT.

8. National cybersecurity incident management structure

The AMSN, created by Sovereign Order 5.664 of December 23rd, 2015, is the national authority responsible for the security of information systems.

9. Other cybersecurity initiatives 

The bill on the fight against harassment and violence in schools was submitted to and registered by the Secrétariat Général du Conseil National on May 10th, 2021, under No. 1.036.

This law also covers cyber-bullying. Harassment in schools through the use of an online public communication service or through a digital or electronic medium is now punishable by one to three years’ imprisonment and a fine of between 18,000 and 90,000 euros.