20th Data Privacy Day 2026 !

Since 2006, 28 January has been European Data Protection Day, which has now become an international day to raise awareness of the protection of personal data and privacy. This date corresponds to the opening for signature of Council of Europe Convention 108, the first binding international legal instrument aimed at guaranteeing the protection of individuals with regard to the automated processing of personal data, applicable in Monaco.

In 2025, following Monaco's ratification of the Council of Europe's modernised Convention 108+, 99 AVOCATS ASSOCIÉS addressed its interaction and complementarity with the European Union's General Data Protection Regulation 2016/679 of 27 April 2016 (GDPR) >Data Privacy Day 2025 !

This year, for the 20th International Privacy Day, we have chosen to address the process leading to the European Commission's adequacy decision, the purpose of which for the Principality of Monaco is to facilitate the transfer of personal data fro: the European Union (EU) Member States.

There is a lot of talk about Monaco's goal of obtaining an adequacy decision from the European Commission, but what does this actually involve?

IN SHORT

The adequacy decision, requested by a non-EU country, is adopted by the European Commission on the basis of Article 45 of the GDPR.

It can only be obtained if the third country offers a level of personal data protection equivalent to that of EU Member States.

The adequacy decision allows the transfer of personal data from the EU to that third country without additional safeguards.

The adequacy process requires:

• a proposal from the European Commission (correspondence with the third country, report, conclusions of the Commission, forwarded to the Committee);
• the opinion of the European Data Protection Board (EDPB) on the conclusions of the European Commission;
• the approval of the representatives of the EU countries;
• the adoption of the decision by the European Commission.

Equivalence is assessed in light of European legislation, the case law of the Court of Justice of the European Union (CJEU) and the benchmarks for adequacy (WP 254 rev.01).

The criteria taken into account by the European Commission include:

• the rule of law, which includes "legality, which presupposes a transparent, accountable, democratic and pluralistic law-making process; legal certainty; the prohibition of arbitrary exercise of executive power; effective judicial protection by independent and impartial courts, with effective judicial review including respect for fundamental rights; the separation of powers; and equality before the law" (European Commission, What is the rule of law?);
• respect for human rights and fundamental freedoms;
• relevant legislation;
• the existence and effective functioning of supervisory authority or authorities, which must be independent;
• international commitments made by the third country.

The European Commission's analysis is carried out within the overall legal context of the third country.

The adequacy principle does not require the third country to replicate EU rules identically.

The level of protection in the third country must be substantially equivalent to that in the EU, i.e. the foreign system as a whole must offer the required level of protection through the substance of its data protection rights and their effective implementation, enforceability and monitoring.

It is with this in mind that the Principality of Monaco has aligned its new Law No. 1.565 of 3 December 2024 on the protection of personal data with European Union standards (GDPR, Directive (EU) ‘Police Justice’), while transposing the provisions of Council of Europe Convention 108+ and its Additional Protocol concerning supervisory authorities and transborder data flows (the ratification of which is a criterion taken into account for the adequacy decision).

* * *

With an adequacy decision, Monaco would benefit from a simplified regime: transfers of personal data from the EU could be carried out without additional formalities, as if Monaco were part of the EU.

The benefits would be reciprocal:

• for European companies: simplification of personal data transfers from the EU to Monaco, without additional formalities, as if Monaco were part of the EU, which would mean fewer contractual and organisational constraints and reduced compliance costs.
• for Monegasque companies: international recognition of the high level of personal data protection, increased confidence among European partners and economic attractiveness.

In the meantime, without an adequacy decision, transfers of personal data from the EU to Monaco are subject to the implementation of appropriate safeguards (standard contractual clauses (SCCs) adopted by the European Commission, binding corporate rules (BCRs), or other possible mechanisms under the GDPR).

The Monaco Personal Data Protection Authority (APDP) was keen to point out that its actions and opinions are "in the interests of the Principality's domestic law and the effectiveness of its application, which will be analysed by the European Union when examining the adequacy request made by the Monegasque Government." (Public Budget Session of 11 December 2025 APDP response https://apdp.mc/seance-publiqu...)

* * *

Currently, the following have been granted adequacy decision by the European Commission (available here):

COUNTRIES: Andorra, Argentina, Brazil, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea (South), Switzerland, United Kingdom (under the GDPR and Directive (EU) 2016/680, amended in December 2025 by two renewal decisions), United States (commercial organisations participating in the EU/US data protection framework), Uruguay.

INTERNATIONAL ORGANISATION: European Patent Office (EPO).