Monaco: Overview Of The Prior Control Activity Of The Personal Data Protection Authority (“Ccin”) Since 2020

CCIN prior authorisations in the private sector since 2020:

In the last fifteen months, the CCIN has issued 107 deliberations authorising the implementation of automated personal data processing.

Almost half of the authorisations are related to video surveillance to ensure the safety of persons and property, as well as to allow the constitution of evidence in case of offenses (52), of :

• Professional and private premises of companies and banks;
• Stores, boutiques, shopping centers;
• Hotels, restaurants ;
• Shopping center ;
• Buildings, condominiums;
• Entrance of a building site outside official working hours;
• Entrance of a Private educational establishment.

The CCIN authorisations relating to video surveillance include the following reminders:

• The angle of view of the video cameras must not film the public domain, including sidewalks (at the accesses of buildings) and measures must be taken to ensure it (repositioning of cameras, blurring of images…) ;
• The video cameras must be positioned so as to film only the common areas of a building or condominium and not the private areas, and must not monitor residents or visitors;
• Video cameras in elevators and freight elevators must be oriented to film only the doors of these facilities;
• Video cameras should not film customers at tables or counters in restaurants, the interior of sports halls, the corridors leading to spas and the terraces of hotel rooms;
• Unless there is a specific justification (e.g., cash registers), employees' workstations and the private areas at their disposal must not be filmed.

The other half of the authorizations (55) concern the following personal data processing:

• Management of Litigation, customer relationship, and conflict of interest (17);
  
• Meeting legal and regulatory obligations in the fight against money laundering, terrorist financing and corruption (15);
  
• Access control by badges (11), or by a biometric device based on the recognition of partial fingerprint sections of the hand (1);
  
• Telephone registration (6);
  
• Whistleblowing devices (3);
  
• Professional messaging (1); 
• Geolocation of company vehicles (1).

Most of these authorisations were requested by the banking, financial and insurance sector.

In addition, since 2020 the CCIN has issued 32 authorisations for the transfer of personal data to countries that do not have an adequate level of protection:

• United States of America (website hosting, website or application audience analysis Google Analytics, Google Workspace, Emailing Mailchimp, Email Management, Microsoft, ticketing/customer support Zendesk, customer relationship management Salesforce, travel reservation system SABRE, alert checks, HR data to the parent company for backup/archiving) ;
• Indian (front and back-office inventories outsourcing, alert checks, control of authorizations and computer access, detection of cyberattacks);
• Singapore (operations on the intra-group trading platform);
• Mauritius (webmaster);
• Japan (provider facilitating partnerships for an association);
• Worldwide (operational management of maritime personnel to local authorities in charge of immigration and work at sea procedures, travel agencies and training organizations, management of ship passengers to local authorities in the event of an epidemic risk, platforms for broadcasting videos of sporting events, panel for checking the information of candidates for the position of official of an association).

These cross-border transfers requests were submitted by banks, management companies, insurance companies, trading companies, transport, cruise and sea travel companies and a sports association.

CCIN prior notices in the Public sector:

The Monegasque Administration is undertaking its digital transformation as part of the “Extended Monaco” programme (e-Government).  

A non-negligible part of the CCIN's prior opinions have thus focused on the dematerialisation of the administration and its teleservices:

• Management and monitoring of the progress of the Government of Monaco's digital programmes and projects;
• Management of electronic pay slips;
• Provision of an Electronic Document Management solution to the Public Works Department;
• Management of a secure document sharing tool with partners inside and outside the Monegasque administration;
• Requesting a derogation from the principle of Sunday rest, the daily rest period for women, night work for women employees, working hours, relating to legal public holidays;
• Seconding an employee to Monaco for less than 3 months;
• Managing the integration of graduates with links to Monaco and the reintegration of Monegasque expatriates;
• Enrolling children in a school outside the enrolment periods by electronic means;
• Enrolling in a class with a special timetable for intensive sports practice;
• Request for online certificates issued by the Civil Status - Nationality Department ;
• Management of the State medical aid;
• Dematerialised management of relations between tenants and occupiers with the State Property Administration;
• Application for support for the purchase of an environmentally friendly vehicle;
• Dematerialised mail management for the Monegasque Administration;
• Management of the Principality's digital twin website;
• Management of the website “Your Monaco”;
• Computerised management of pre-litigation and litigation files for the coordination and monitoring of the State's legal representation;
• Characterisation of an attack targeting the Principality's information systems;
• Requesting vignettes and pre-fare declaration for foreign VTC and VLC companies.
• Follow-up of the car-sharing subscription;

Finally, the following CCIN's prior notices since 2020 related to the COVID-19 pandemic should be noted:

• Monitoring the evolution of SARS-COV-2 in the Principality, concerning nationals, residents, workers (employees, agents and civil servants of the State and the Commune), as well as students attending school in Monaco;
• To collect and analyse data from patients who consented to participate in biomedical research evaluating : the impact of prone positioning in spontaneously ventilated patients on the incidence of intubation or non-invasive ventilation or death in acute respiratory distress related to COVID-19 infection; the impact of ventral decubitus in spontaneously ventilated patients on the incidence of intubation or non-invasive ventilation or death in acute respiratory distress associated with COVID-19 infection; the rate of venous thromboembolism during COVID-19 infection in cancer patients; the implementation of the revised HOME-CoV score to guide the choice of hospitalisation or outpatient management of patients with proven or probable SARS-CoV-2 infection admitted to emergency departments; the efficacy of hydroxychloroquine versus placebo in patients with COVID-19 infection at risk of secondary worsening; the implementation in emergency departments of consensus criteria for non-hospitalization of known or probable COVID-19 patients, compared to previous standard practice.

Article provided by: Thomas Giaccardi and Anne Robert (GIACCARDI & BREZZO Avocats, Monaco)

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)