The Impact of the GDPR in Monaco until the Revision of the Monegasque Data Protection Legislation
The Monegasque legislation will be revised in order to implement the standards of the GDPR. In the meantime and in any case, the Law No. 1.165 of 23 December 1993 as consolidated still governs the protection of personal data in the Principality.
Applicability of the GDPR in Monaco
A controller or a sub-processor located in Monaco may be subject to the obligations provided for by the GDPR under the two criteria set out in its Article 3 (establishment and targeting), in addition to the obligations provided for by Law No. 1.165.
- When a data controller or sub-processor in Monaco has an establishment in the European Union, then the GDPR applies to the activities of that entity, whether or not the processing takes place in the Union.
Example: A Monegasque company has a branch in France. The GDPR applies to the activities of this branch, even if the headquarters company in Monaco performs the processing.
- When a Monegasque sub-processor works for a controller established in the European Union, the GDPR applies, and the Monegasque sub-processor must therefore comply with the new obligations of the sub-processor under the GDPR.
Example: A Monegasque company hosts personal data in Monaco on behalf of a French company under a sub-processing contract. The GDPR is applicable to the Monegasque company because it is a sub-processor of a company established in the European Union.
- Conversely, the fact that a company located in Monaco uses a service provider located in the European Union is not sufficient in itself to submit this company to the GDPR.
- As soon as a controller or a sub-processor located in Monaco offers goods or services to people in the European Union, this one must comply with the new obligations of the GDPR.
Example: A Monegasque company sells products to people domiciled in France and Italy through an online sales site available in French and Italian. The GDPR is then applicable because the said company offers goods and services to residents of the European Union.
In addition, a data controller or a sub-processor located in Monaco must also comply with the new obligations of the GDPR when it processes personal data for monitoring the behaviour of the persons concerned within the European Union.
Example: A Monegasque company creates a mobile application available in several languages (French, English, Spanish and Italian) that collects users' habits, preferences and hobbies in order to offer them a personalized experience. The GDPR is then applicable because the company has implemented a treatment to track the behaviour of people, some of whom reside in the European Union.
- The GDPR does not affect companies based solely in Monaco that do not target persons within the European Union.
Data transfers to and from Monaco
The Monegasque Data Protection Authority points out the impact of the GDPR on data transfers to and from Monaco.
At its stands, the Monegasque legislation does not provide an adequate level of protection within the meaning of the GDPR.
Therefore, European Union companies wishing to send data to the Principality should put in place specific tools:
- Standard contractual clauses approved by the European Commission within the meaning of Article 46 of the GDPR;
- Binding Corporate Rules within the meaning of Article 47 of the GDPR;
- Code of conduct approved in accordance with Article 40 of the GDPR;
- Certification mechanism approved in accordance with Article 42 of the GDPR.
Companies wishing to send data from the Principality to a country that does not have an adequate level of protection remain subject to the transfer request form to the Monegasque Data Protection Authority.
Other key contributions of the GDPR
Lastly, the Monegasque Data Protection Authority summarizes the essential inputs of the GDPR compared to the Law No. 1.165 of 23 December 1993, consolidated:
- New obligations of the data controller;
- New obligations of the sub-processor;
- Notification of a personal data breach;
- Records of processing activities;
- Privacy impact assessment;
- Data Protection Officer;
- Concept of ‘accountability’;
- New rights of the data subject;
- Amount of the administrative fines.
Article provided by:
- Thomas GIACCARDI, Avocat Défenseur, founder of GIACCARDI.
- Anne ROBERT, Associate, GIACCARDI.