Objectives of the bill:
First of all, it should be recalled that the bill has a twofold objective:
- on the one hand, to transcribe the new requirements of Convention 108+ of the Council of Europe.
- on the other hand, to align Monegasque legislation with the standards of the European Union's "data protection package" consisting of Regulation (EU) 2016/679 (GDPR) and Directive (EU) 2016/680 for Police and Criminal Justice Authorities.
Key points of the bill before amendments:
- Change of terminology: the former terms "personal information" (“informations nominatives”) will be replaced by the terms "personal data" (“données à caractère personnel” or “données personnelles”).
- Inapplicability of the new Monegasque legislation to the processing of personal data concerning legal persons (contrary to what is the case actually). Practice has shown that the exercise of these rights is extremely limited and a source of difficulty for the data protection authority.
- Territorial and extra-territorial scope inspired by the GDPR. The new Monegasque law would apply to data processing that are : - carried out by a controller or processor established in Monaco, whether or not the processing takes place in Monaco ; or - relating to data subjects on Monegasque territory and carried out by a controller or processor established abroad where the processing activities relate to the supply of goods or services or the monitoring of the behaviour of those persons.
- Updating of the principles and conditions of lawfulness applicable to the processing of personal data, in a formulation very close to that of the GDPR: data minimisation, data accuracy, limiting the storage of data to a period not exceeding that necessary for to achieve the purposes of the processing, etc.
- Same standards as the GDPR regarding the processing of sensitive data.
- Strengthening the rights of the persons concerned: among others, new right to limitation of the data processing, to data portability, as the GDPR.
- Rules applicable to the processing of personal data of deceased persons.
- Abolition of prior formalities (with some exceptions: transfers of personal data to countries without an adequate level of protection, processing of particularly sensitive data) with the same logic of compliance as the GDPR based on the principle of accountability, with a self-regulation regime, a posteriori control, and the same tools: privacy by design, privacy by default, joint data controllers, reinforced framework for subcontracting, records of processing activities, Data Protection Officer, obligation to notify personal data breaches that are likely to create a risk to the rights and freedoms of data subjects, code of conduct and certification scheme, impact assessment for the most sensitive processing operations involving a high risk to the rights and freedoms of data subjects, etc.
- Special provisions applicable to certain categories of data processing, e.g. video-surveillance.
- Several supervisory authorities: “Autorité de protection des données personnelles” ("APDP" Personal Data Protection Authority, successor to the CCIN), “Délégué judiciaire à la protection des données” (“Judicial Delegate for Data Protection”), and Commission established by Law No. 1.430 of 13 July 2016 for the preservation of national security.
- Right to compensation and judicial remedy against the controller or processor in case of material or non-material damage, largely inspired by the GDPR (without providing for a right of collective redress independently of any mandate given by a data subject).
The final text of the Monegasque new law on personal data protection, once adopted, will be the subject of a forthcoming publication.
Article provided by INPLP member: Thomas Giaccardi and Anne Robert (GIACCARDI & BREZZO Avocats, Monaco)
Dr. Tobias Höllwarth (Managing Director INPLP)