Ongoing reform of data protection law in the light of the EU-GDPR
Preparatory work on the overhaul of personal data protection legislation continued via the ad hoc working group set up at the beginning of 2018, bringing together the State services and those of the CCIN on a regular basis.
The CCIN hopes that the "specific points of attention with regard to the European standards governing the subject (...) will be taken into account in the final text" (Activity Report, p. 1).
The CCIN specifies that the entry into force of the new text will profoundly modify its missions.
One objective for Monaco, Non-EU Member State, is also to obtain an adequacy decision from the European Commission, and thereby facilitate the cross-border data transfers. Monaco's main trading partners are European countries.
This reform is eagerly awaited by the private sector, which is often subject, in addition to Monegasque law (system of prior declaration), to the EU-GDPR (record of processing activities), when there is an offer of goods or services to persons located in the territory of the European Union.
The banking and financial sector of the Principality is particularly concerned. Many establishments located in Monaco are subject to the obligations arising from the GDPR, such as the formation, designation, and location of the DPO and the sharing of nominative data between entities of the same group (Activity Report, p. 24).
Processing of personal data and the activity of the CCIN in figures
The total number of personal data processing listed in the Principality's public register was 5,660 on December 31, 2019, of which 447 were newly registered in 2019 (Activity Report, p. 26-31).
During 2019, the CCIN issued 206 deliberations, of which:
- 107 authorised the implementation or modification of data processing, 3 refused to authorise the implementation or modification of data processing;
- 50 gave a favourable opinion on the implementation or modification of data processing, and 3 an unfavourable opinion;
- 28 authorised a transfer of personal data to a country without an adequate level of protection (the largest part related to the banking sector);
- 4 gave an opinion on draft legislative and regulatory texts transmitted by the Minister of State;
- 4 on an investigating mission;
- 2 on a recommendation (see below);
- 4 on a decision on the time limits for storing personal data, 1 on the internal functioning of the CCIN.
New recommendations and practical sheets
The CCIN adopted the following recommendations (Activity Report, p. 64-67):
- Recommendation on how to deposit and how long cookies and other tracers should be kept on the terminals of users of electronic communication networks (Deliberation No. 2019-083 of 15 May 2019);
- Recommendation on the security to be applied to credit card payments for the sale of goods or the provision of services at a distance, as well as to websites (Deliberation No. 2019-084 of 15 May 2019).
Moreover, the CCIN has issued the following fact sheets (Activity Report, p. 78-95):
- Good use of archiving, with, for example, the management and supervision of professional messaging, the litigation management, the case of cloud computing;
- Offering online services to children, based on the Working Paper on Online Services for Children adopted in April 2019 in Bled (Slovenia) by the International Working Group on Data Protection in Telecommunications (“Berlin Group” open to national data protection authorities, but also to representatives of the private sector and NGOs).
Complaints, investigations, sanctions, and fines
The CCIN received 24 complaints in 2019 from both individuals and legal entities, an increase from 2018 (15 complaints), which the CCIN attributes to its awareness-raising campaign (Activity Report, p. 32-41).
The CCIN has been seized on the following basis:
- Right of access, concerning information held by a sports federation over a period of 20 years;
- Right of deletion, concerning: an online auction catalogue containing the portrait of a deceased person who had served as a model for a painter; the photo and contact details of an employee who had still been on the website of her former employer for several months; comments deemed defamatory by Google and Facebook; search engines and the name of a person who was the subject of a freezing of funds measure that ended in 2018; the creation of a fraudulent Facebook page in the name of a car sales company; an unfavourable comment published on the Google My Business page of a service provider; requests to delete from e-mail distribution lists (sending slanderous letters targeting several personalities in the Principality, associations, employers);
- Use of automated processing of personal data, concerning: video surveillance systems operating in a restaurant, a shop, and a residential building; the application by banks and similar institutions of the regulations on the automatic exchange of information in tax matters and MiFID II for transactions in financial instruments; the system for managing taxi drivers' journeys; the loss of connection identifiers to access the results of medical examinations.
On-site inspections of video surveillance equipment were carried out with the authorisation of the Court of First Instance, following: a complaint about possible remote access by management which could have allowed permanent monitoring of staff without their knowledge; and an alert for the installation of cameras in the sanitary facilities of a restaurant.
The Chairman of the CCIN issued one sanction (formal notice for the immediate deactivation of an illegally operated surveillance system). Moreover, considering the numerous irregularities noted during the inspection and the attempt to conceal documents in an employee's file, he forwarded this case to the Public Prosecutor.
In May 2019, the CCIN carried out an online investigation campaign concerning 10 websites. The checks carried out showed a lack of knowledge or mastery of the tools installed on the websites (functionalities, data transfers operated by certain tools used, information to be provided to clients).
The Criminal Court ordered an employer to pay a fine of 18,000 euros and 15,000 euros in damages to a former employee who was unable to obtain tally data.
Source (in French) : CCIN, 2019 Public Report, available at: https://www.ccin.mc/fr/ccin/notre-actualite/197-11eme-rapport-public-2
Article provided by: Thomas Giaccardi and Anne Robert (GIACCARDI & BREZZO Avocats, Monaco)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)