2018 Highlights of data protection in Monaco
At the national level, the President of the Monegasque Data Protection Authority used for the second time the power to order the publication of a pronounced sanction.
Amending Protocol (CETS: 223) to “Convention 108”: Signature
Monaco is among the first signatories of the Amending Protocol (CETS: 223) to “Convention 108” on the protection of individuals with regard to the processing of personal data of 28 January 1981, open for signature by the 53 Contracting States.
Monaco signed it on 10 October 2018, together with 19 other Council of Europe member states (Austria, Belgium, Bulgaria, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Norway, Netherlands, Portugal, Russia, Spain, Sweden, Czech Republic, United Kingdom), and Uruguay, non-member State.
It must be kept in mind that the European Commission has not so far recognised Monaco, a non-EU country, as offering an adequate level of data protection equivalent to that of the EU, whether through its domestic legislation or the international commitments it has entered into.
The GDPR takes into account the accession to “Convention 108” (Recital 105).
The assimilation of data transfers to Monaco to intra-EU transmissions of data is a particular challenge for Monaco, which is on the doorstep of the European Union.
GDPR: The real test
The Government initiated meetings focused on the GDPR for the economic players in the private sector and representatives of the public and para-public sectors.
The Monegasque Data Protection Authority has published on its website a list of the key questions on the GDPR recurrently asked, to clarify its impact in Monaco, and has provided link to the “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation” (European Data Protection Board, 16 November 2018).
The following considerations are particularly relevant for Monegasque companies:
- Processing in the context of the activities of an establishment of a processor in the Union;
- Processing by a controller in the Union using a processor not subject to the GDPR;
- Offering of goods or services to data subjects in the Union;
- Monitoring of data subjects’ behaviour;
- Representative of controllers or processors not established in the Union.
The reform of Act No. 1.165 to adapt to these new European rules is one of the priorities of the Government of the Principality.
It should be noted that Act No. 1.165 covers the processing of data of legal persons in order to protect their legitimate interests (extension of the protection granted by the “Convention 108” to the data of natural persons).
The power of the President of the Monegasque Data Protection Authority to order the publication of a pronounced sanction: Second use
The President of the Monegasque Data Protection Authority ordered for the second time in November 2018 (first time in August 2017) the additional sanction of publicity (Article 12, paragraph 7 of Act No. 1.165).
The decision of “Warning following investigation” concerning the use of a video-surveillance system contrary to Article 11-1 of Act No. 1.165 (prior authorisation), published on the website of the Monegasque Data Protection Authority, will be anonymised at the end of a period of two years from its publication.
The sanction of publicity may be appealed to the President of the Court of First Instance, in the event of a serious and disproportionate breach of public security, the right to respect private and family life or the legitimate interests of the persons concerned.
The power to order publication of a pronounced sanction was introduced by Act No. 1.420 of 1 December 2015 amending Articles 18 and 19 of Act No. 1.165.
This reform was part of Monaco's efforts to provide an adequate level of protection within the meaning of EU law.
Article provided by: Thomas Giaccardi, Anne Robert (GIACCARDI, Monaco)