The GDPR is applicable to companies established outside the EU that process personal data of natural persons in the EU for their offering of goods or services to such persons, or for monitoring the behavior of such persons in the EU.
The underlying principles of the two pieces of legislation (the GDPR and the Monegasque Data Protection Act No. 1.165 of 23 December (DPA), as consolidated by Act No. 1.454 of 30 October 2017) are similar. However, the GDPR introduces several new and demanding requirements for the Monegasque organisations concerned, which are likely to necessitate new policies, business processes and technologies.
What are the main differences?
The GDPR protects the personal data of natural persons exclusively, while the Monegasque DPA protects those of both natural and legal persons.
The GDPR contains an extraterritorial application rule, which does not exist under the Monegasque DPA, intended to prevent circumvention of the European legislation by a controller or subcontractor that is not established on the territory of the EU but processes personal data relating to natural persons residing in the EU.
For the GDPR to apply to such controllers or subcontractors, the processing activities must be linked either to the offering of goods or services (whether or not payment is required) to the persons concerned in the EU, or to the monitoring of the behaviour of those persons insofar as it takes place in the EU.
Legitimate interests of the controller, including those of a controller to whom personal data may be disclosed, or of a third party
The GDPR is more specific about how the legitimate interest that may constitute a legal basis for processing is to be assessed, and provides examples of it (the existence of a relevant and appropriate relationship between the data subject and the controller; the transmission of personal data within a group of companies for internal administrative purposes, including the processing of personal data relating to customers or employees; processing to ensure network and information security).
Consent of the person concerned
The GDPR pays particular attention to the consent of the person concerned (definition, conditions applicable to the consent) which does not appear in the Monegasque DPA.
In particular, where consent is given in a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form.
For Monegasque organisations, this latter rule should prompt a fresh, separate consideration of "contract" consent and "privacy" consent. Consent to general terms and conditions that merely contain an acceptance of data processing could thus be insufficient in the light of the GDPR.
Rights of the person concerned
The GDPR provides for a strengthened duty of information to the persons concerned by the data processing, compared with the Monegasque DPA.
- Right of information
Unlike the GDPR, the Monegasque DPA does not require, for example, that the following be specified: the legal basis of the processing, the legitimate interests pursued, the intention to transfer data to a third country, the absence of an adequacy decision on the level of protection, the existence of automated decision-making (profiling), and the data retention period.
- Right of access
Compared with the Monegasque DPA, the GDPR innovates with regard to the specific information to be given following the exercise of the right of access, expressly providing for: the retention period, the right to rectification and erasure, the right to lodge a complaint with the Supervisory Authority, and the particular safeguards taken for data transfers to a third country.
- Right to be forgotten
The right to erasure is contained in the Monegasque DPA, but the GDPR is clearer and sets out the conditions for exercising the right to digital oblivion.
In particular, to facilitate the exercise of this right, the controller that made the data public is obliged to inform the other controllers processing the data of the data subject's request to erase any links to, copies of or reproductions of the data.
- Right of limitation
The Monegasque DPA does not provide for a right to have recorded personal data flagged with a view to restricting their future processing, which the GDPR grants in enumerated cases.
- Right of opposition
The legislations differ in their approach.
The Monegasque DPA lays down the principle of the exercise of the right of opposition for legitimate reasons, and provides for exceptions.
The GDPR confines the right of opposition on grounds relating to the particular situation of the person concerned to only two processing scenarios, and the controller may, subject to conditions, refuse to give effect to the objection.
- Right to data portability
The Monegasque DPA does not recognize the right to portability of data.
The Monegasque DPA does not contain provisions equivalent to the GDPR provisions described below.
The GDPR expressly places on the controller the burden of demonstrating the compliance of the processing activities and the effectiveness of the technical and organisational measures taken to ensure a level of security appropriate to the risk, which the GDPR details.
In place of the obligation of the controller of prior notification to the Supervisory Authority, the GDPR imposes the obligation to keep a documentary record of the processing operations, with an exception for companies or organizations with fewer than 250 employees (unless the processing is regular or is likely to create a high risk for the rights and freedoms).
Obligations arise from the principles of data protection by design and data protection by default, which require that data protection measures be integrated into products and services from the early stages of development.
The data controller has the obligation to notify the Supervisory Authority of any breaches of personal data, and to communicate to the data subject any infringements that may create a high risk for rights and freedoms.
Where a processing is likely to create a high risk for the rights and freedoms of natural persons, the controller must perform an impact assessment prior to processing.
The GDPR imposes on the controller in specific cases the obligation to appoint a Data Protection Officer.
The Monegasque DPA also addresses joint responsibility for processing, but does not provide for a specific legal regime as the GDPR does.
Compared with Monegasque law, the GDPR amplifies the obligations of subcontractors and organises a subcontracting regime that is separate from the security duties.
Law No. 1.165 only provides for the appointment of a representative of the controller established abroad.
The GDPR also requires a foreign-based subcontractor, when the GDPR applies to its activities, to appoint an EU-based representative, subject to exceptions.
Transfer of personal data to third countries
The GDPR goes further than Law No. 1.165 by establishing a "right to follow": data transferred outside the EU remain subject to the GDPR, both for the initial transfer and for any onward processing and transfers.
In the absence of a European Commission decision finding an adequate level of protection, and for a group of companies carrying out intra-group transfers of data outside the EU, the GDPR incorporates the system of Binding Corporate Rules.
The mandatory content imposed is very broad (essential principles, enforceable rights...), which implies a revision, for Monaco, of the Binding Corporate Rules already adopted.
The GDPR is in everyone's minds in Monaco. Monegasque companies falling under the GDPR will have to adapt to another philosophy of data protection than that of the Monegasque DPA, which is expected to evolve.
Article provided by: Anne Robert and Thomas Giaccardi (Giaccardi Advocats)