CMS Monaco
Publication 04 Sep 2025 · Monaco

Personal Data Protection & Employer's Obligations


The publication of Sovereign Ordinance No. 11.327 of July 10, 2025 marks an important milestone for employers in the implementation of Law No. 1.565 of December 3, 2024 relating to the protection of personal data in the Principality of Monaco.

This highly anticipated ordinance translates the main principles set out by the law into practice by detailing the concrete modalities for their implementation. For employers, it serves as a reference text that specifies the obligations to be respected daily and the expectations of the Personal Data Protection Authority (A.P.D.P.).

Sovereign Ordinance No. 11.327 therefore gives immediate operational scope to Law No. 1.565, transforming principles into concrete and controllable obligations. For employers, this means increased vigilance over the management of files containing personal data, securing access, and managing incidents.

Exercise of Employees’ Rights: Clarified and Secured Procedures

Law No. 1.565 enshrines the right of any person to access their data, rectify it, request its erasure or restriction, or object to its processing. The Sovereign Ordinance specifies the modalities for exercising these rights: the request may be made by post, electronically, or in person, with an obligation for the data controller to verify the identity of the requester and, in case of reasonable doubt, to request additional supporting documents (including, where necessary, a copy of an identity document bearing the holder’s signature).

The Sovereign Ordinance also provides for the possibility for the data subject to appoint a third party to act on their behalf, subject to the production of a specific mandate and proof of identities.

These clarifications are essential for employers, who must adapt their internal procedures to ensure traceability and security of these exchanges.

Deadlines and Management of Employee Requests: Suspension and Rejection in Case of Insufficiency

The law imposes a one-month deadline to respond to employee requests, extendable to two months in case of complexity or multiple requests. The Sovereign Ordinance details that this period is suspended if additional information is requested from the applicant or if the request is unclear, until receipt of the additional elements, which must be provided by the applicant within one month.

If the data controller fails to respond within the deadlines (in violation of Article 10 of Law No. 1.565), the request is deemed rejected.

It is recalled that in case of rejection, the law allows the data subject to file a complaint with the authority or to bring a full jurisdictional appeal before the Court of First Instance.

This procedural rigor requires professionals to implement tracking and management tools for requests to avoid litigation risks.

Security of Employee Data: Enhanced Technical and Organizational Measures

The law establishes the principle of security adapted to risks, but the Sovereign Ordinance goes further by listing concrete measures to be implemented, especially for sensitive or large-scale processing: access control to prevent unauthorized access, traceability of operations, verification of transmissions, and the ability to restore systems in case of incident. For employers in general, this implies reviewing IT security policies, training teams, and documenting the measures taken.

Focus on Subcontractor Management: Transparency and Control

The law requires formalization of relationships with subcontractors (as defined by Law No. 1.565) by contract, demanding sufficient guarantees. The Sovereign Ordinance specifies that the subcontractor must allow audits, inform the data controller of any change of subcontractor, and that the data controller must be able to object to such changes. This requirement for transparency and control is particularly important where the contractual chain is complex.

Data Protection Officer (DPO): Appointment, Independence, and Prevention of Conflicts of Interest

The law makes the appointment of a DPO mandatory in certain cases, and this appointment is of course recommended in others. The Sovereign Ordinance regulates the appointment, the communication of contact details to the A.P.D.P., and requires the adoption of internal rules to prevent conflicts of interest, prohibiting the DPO from holding functions that would lead them to determine the purposes and means of processing. Professionals must therefore ensure the DPO’s independence and the clarity of their missions.

Notification of Data Breaches: Strict Modalities and Deadlines

The law provides for the obligation to notify any data breach to the A.P.D.P. within a maximum of 72 hours. The Sovereign Ordinance specifies that if this deadline is not met, the data controller must justify the delay, and that notification may be staggered if all information is not immediately available. It also details the procedure for communicating with the data subjects, under the control of the A.P.D.P. This requirement necessitates the implementation of alert and crisis management procedures.

Prior Formalities and Documentation: Forms, Registers, and Controls

Although Law No. 1.565 has shifted from a regime of prior authorization/declaration to a regime of accountability for each actor, certain processing operations remain subject to prior formalities. This is notably the case for processing related to video surveillance systems installed in places open or not open to the public for the security of property and people.

The Sovereign Ordinance details the formalities to be completed, the list of information to be provided, the procedures for submitting requests for opinions or authorizations, and the management of modifications. It also requires the keeping of precise registers, accessible to the A.P.D.P. upon request, which necessitates rigorous organization of documents and processing.

Control and Sanction by the A.P.D.P.: Procedure and Guarantees

The law specifies that when a breach is found that can be remedied, the president of the protection authority issues a formal notice to the controller or subcontractor concerned, within a period that he sets. The Sovereign Ordinance specifies that this period cannot be less than 10 days from the notification, except in cases of urgency. This period may, upon reasoned request from the controller or subcontractor, be extended once.

When the formal notice remains unsuccessful or if the breach cannot be remedied or the person concerned does not comply with the law, the law provides for referral by the president of the supervisory authority to a restricted panel, which will decide on a possible sanction.

The Sovereign Ordinance organizes the procedures for referral to this restricted panel as well as respect for the adversarial principle. The Sovereign Ordinance also regulates the publicity of decisions and the protection of the complainants’ identities. It is recalled that violation of the law may result in an administrative fine not exceeding 10,000,000 euros or, in the case of a company, up to 4% of the total worldwide annual turnover of the previous financial year, the higher amount being retained (these amounts may be reduced to 5,000,000 euros and 2% depending on the nature of the breach), in addition to any penalty payment imposed by the restricted panel of the protection authority where applicable. Professionals must anticipate these controls and prepare their documentation accordingly.

International Data Transfers: Documentation and Guarantees

The law strictly regulates transfers of data outside Monaco. It is recalled that such a transfer may only be carried out—subject to compliance with other provisions of the law—to a country, territory, or organization with legislation or regulations providing an adequate level of protection, or provided that appropriate safeguards have been put in place (standard protection clauses approved by the authority, binding corporate rules approved by the authority, certification, adherence to a code of conduct approved and published by the supervisory authority, compliance with an international commitment enforceable in the Principality).

The Sovereign Ordinance specifies the adequacy criteria, the commitments to be made in the event of transfer to a non-adequate country, and the documentation to be kept available for the A.P.D.P.

Professionals must therefore check the compliance of their cross-border data flows and, if necessary, update their contracts and procedures.
