The Principality of Monaco modernizes its data protection legislation with the adoption of Law n° 1.565 of 3 December 2024. Inspired by the European General Data Protection Regulation (GDPR), this ambitious reform strengthens individual rights and increases corporate accountability.
Key Provisions of the Law
- Expanded Scope: The new law applies to the processing of personal data by data controllers or processors established in Monaco, as well as those located outside the Principality that process data of individuals within Monaco's territory.
- Strengthening Individual Rights: The rights of individuals are significantly enhanced, including the right to data portability, the right to erasure, and the right to restrict processing.
- Creation of the Personal Data Protection Authority (APDP): The law establishes the APDP, which succeeds the Commission for the Control of Personal Information (CCIN). This new authority, composed of 8 expert members, will primarily oversee compliance with personal data processing and advise data controllers, processors, and individuals.
- Elimination of Formalities with the Regulator: The law largely eliminates the need for prior declarations or authorizations for processing, with certain exceptions for data transfers to countries that do not ensure an adequate level of protection, public space video surveillance, and particularly sensitive or high-risk data processing.
- Appointment of a Data Protection Officer (DPO): The law requires companies to appoint a DPO in certain cases, particularly for public bodies or when processing involves regular and systematic large-scale monitoring of individuals.
- Maintenance of a Processing Activities Register: Companies with at least fifty employees must maintain a register of processing activities accessible to the APDP, with some exceptions.
- Conducting Impact Assessments: In certain situations explicitly mentioned by the law or when a type of processing is likely to pose a high risk to the rights and freedoms of individuals, an impact assessment must be conducted.
Sanctions for Non-Compliance
The law significantly strengthens the sanctions regime:
- The APDP will have the power to impose administrative fines of up to 10 million euros.
- Criminal penalties are also provided for the most serious offenses.
These sanctions aim to ensure effective enforcement of the law and encourage companies to take their data protection obligations seriously.
Application of the Law Over Time
The new law is immediately applicable but provides compliance deadlines for certain data controllers and obligations.
Data controllers who have regularly implemented personal data processing before the law's effective date have one year to comply with the new obligations, including maintaining a processing activities register, appointing a DPO, and implementing security obligations.
A three-year period is also granted to conduct the impact assessments required by the law.
This reform represents a major step forward for data protection in Monaco. It is crucial for companies to prepare effectively to avoid any sanctions.
