24 Jul 2025
Legal news
Personal data
Public law
Personal data ● Sovereign Order no. 11.327 of 10 July 2025 implementing Law no. 1.565
Sovereign Order no. 11.327 of 10 July 2025 (OS) (JDM no. 8756 of 18 July 2025) implements Law no. 1.565 of 3 December 2024 on the protection of personal data (L.) and repeals Sovereign Order no. 2.230 of 19 June 2009. Entry into force: 19 July 2025.
* * *
SUMMARY TABLE
| Summary of the content of Sovereign Order No. 11.327 implementing Law No. 1.565 on the protection of personal data | Articles of Sovereign Order No. 11.327 (OS) | Articles of Law No. 1.565 (L.) |
| --- | --- | --- |
| Rights of the data subject: exercise of rights; provision of information; deceased persons. | | |
| Obligations of data controllers and processors: joint controllers; sub-processing; representative; Data Protection Officer (DPO); security measures; personal data breaches; code of conduct; certification; impact assessment. | art. 6 to 18 OS | art. 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 64, 77, 91, 98 L. |
| Personal Data Protection Authority "Autorité de Protection des Données Personnelles" (APDP): members; functioning; complaints; investigation procedure; restricted panel; meetings; monitoring of the implementation of processing; corrective measures and sanctions. | | |
| Processing subject to prior formalities (Police Justice; genetic or biometric data; research in the field of health): requests for advice or authorisation; published list of processing operations; implementation of rights of access, rectification and erasure. | | |
| Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes: appropriate safeguards; access and rectification. | | art. 81 L. |
| Transfers of personal data: assessment of adequacy; modification of the list of countries, territories and organisations with legislation or regulations providing an adequate level of protection; certification mechanism; code of conduct; binding corporate rules (BCRs) approved by the APDP or by a foreign supervisory authority; compelling legitimate interests pursued by the data controller. | | |
* * *
Detailed content
Chapter I - Rights of the data subject
→ How to exercise the rights referred to in art. 12 to 19 L. (art. 1 OS)
- Request from the data subject by post or electronically, or on site where possible, providing proof of identity by any means, including using digital identity data;
- The request may also be made by a person specially authorised for the purpose, accompanied by the supporting documents mentioned;
- Case of remote access to a secure system allowing the data subject direct access to personal data concerning him/her.
→ Reasonable measures taken by the controller to verify the identity of a data subject who requests access to data, in particular in the context of online services and identifiers (art. 2 OS)
- Where there are reasonable doubts as to the identity of the data subject, provision of additional information and a copy of an identity document;
- Suspension of the time limits provided for in art. 10 L.
→ Data subject's request imprecise or not containing information enabling the controller to reply (art. 3 OS)
- Provision of additional information;
- Suspension of the response deadlines provided for in the 2nd paragraph of art. 10 L.;
- Cases where the request is deemed to be rejected.
→ Personal data not collected from the data subject. Cases where the provision of information proves impossible or requires disproportionate efforts pursuant to the 3rd paragraph, 1st indent of art. 11 L. (art. 4 OS)
- In particular: processing carried out for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the guarantees referred to in the 1st paragraph of art. 81 L.; or the provision of such information is likely to make it impossible or to seriously compromise the achievement of the purposes of the processing.
- In such cases, appropriate measures by the controller to protect the rights and freedoms and legitimate interests of the data subject, including by making the information publicly available.
→ Person deceased, art. 20 L. (art. 5 OS)
- Exercise of rights by ascendant, descendant up to the second degree, surviving spouse of a deceased person or cohabitant or partner within the meaning of Law no. 1.481 of 17 December 2019 on civil solidarity contracts: proof of link with the deceased person by any means.
Chapter II - Obligations of controllers and processors
→ Agreement between the joint data controllers referred to in art. 24 L. (art. 6 OS)
- Respective roles and responsibilities;
- Relations vis-à-vis data subjects (contact point for exercising their rights, etc.).
→ Appointment of a representative to the Monegasque Data Protection Authority "APDP" (in Monaco or, failing that, in the EU) as referred to in art. 25 L. (art. 7 OS)
- Processing relating to data subjects on the territory of the Principality of Monaco and implemented by a controller or processor established outside the territory of the Principality when the processing activities are linked to the supply of goods or services or the monitoring of the behaviour of these data subjects.
→ Obligations of the processor towards the controller referred to in art. 26 L. (art. 8 OS)
- Provision of the information necessary to demonstrate compliance with obligations, enable audits, including inspections, to be carried out, and contribute to these audits.
- Secondary subcontracting: in the event of prior general written authorisation, notification of any changes, giving the data controller the opportunity to raise objections.
→ Data Protection Officer (DPO) function performed on the basis of a service contract with the assignment of one or more natural persons in accordance with the third paragraph of art. 28 L. (art. 9 OS)
- Contractual designation of the qualified natural person as contact, of which the APDP is informed.
- The natural persons so assigned are subject to the rights and obligations of DPOs.
→ Police Justice processing, and processing relating to genetic or biometric data, referred to in art. 64 and 77 L. (art. 10 OS)
- DPO made a recipient of the APDP's opinion.
→ A single DPO appointed by several legal entities governed by public law or several legal entities governed by private law entrusted with a public interest mission or a public service concessionaire, application of the second paragraph of art. 29 L. (art. 11 OS)
- Sharing agreement.
→ DPO, application of the 5th and 6th paragraphs of art. 30 L. (art. 12 OS)
- Internal rules for defining and preventing conflicts of interest;
- Contact details provided to the APDP.
→ Security measures, application of art. 31 L. (art. 13 OS)
- Natural person acting under the authority of the data controller or processor who has access to personal data;
- Specific case of processing involving sensitive data, or falling under art. 64 (Police Justice), 77 (genetic or biometric data) and 91 L. (national security).
→ Breach of personal data, application of art. 32 L. (art. 14 OS)
- Notification to the APDP after 72 hours (demonstrate that it was done "as soon as possible");
- Demonstrate that the breach is unlikely to pose a risk to the rights and freedoms of natural persons;
- Possibility of communicating the information accompanying the notification in stages;
- Documentation of the breach and verification by the APDP;
- Cases where communication of the breach to the data subjects is not necessary, subject to the APDP's power to require it.
→ Codes of conduct for professional associations and organisations representing categories of data controllers or processors, application of art. 33 L. (art. 15 and 16 OS)
- Validation by the APDP of the draft code, amendment or extension;
- Verification by the APDP that the body responsible for monitoring the code has an appropriate level of expertise and independence with regard to the subject matter of the code and that its tasks and missions do not give rise to any conflict of interest;
- Measures to be taken by the monitoring body (internal measures and measures in the event of a breach of the code).
→ Certification, application of art. 34 L. (art. 17 OS)
- Issuance and withdrawal of certifications by certification bodies approved by the APDP, and communication to the APDP;
- The APDP records all data protection certification mechanisms in a register and makes them available to the public;
- Guarantee for the transfer of personal data to a country, territory or international organisation that does not ensure an adequate level of protection, under the conditions of art. 98 L.
→ Impact assessment, application of art. 35 L. (art. 18 OS)
- Measures envisaged to address risks, including safeguards, measures and security mechanisms to ensure the protection of personal data and to provide evidence of compliance with Law No. 1.565.
- See also Ministerial Order No. 2025-361 of 14 July 2025 (list of criteria for determining whether processing is likely to result in a high risk, triggering an impact assessment).
Chapter III - Personal Data Protection Authority
→ Section 1 - Complaints, application of 1st para. of art. 39 L. (art. 19 OS)
- Complaints to the "Autorité de protection des données personnelles" (APDP) made in writing on any medium and in French.
→ Section 2 - Appointment of members of the Personal Data Protection Authority, application of art. 40, 42 L. (art. 20 to 22 OS)
- Proposals for new members or renewals sent to the Minister of State six months before the end of the term of office;
- Situations where the president, vice-president or a member ceases or is no longer able to perform their duties;
- Cases of serious misconduct constituting a breach of duty by a member (adversarial proceedings, decision to dismiss, appointment of a new member).
→ Section 3 - Meetings ("séances") of the Personal Data Protection Authority, application of art. 41, 46 L. (art. 23 OS)
- Quorums for deliberation;
- Majorities required for the adoption of decisions;
- Participation in debates by a person or expert chosen by the president;
- Minutes of the meeting.
→ Section 4 - Restricted panel ("formation restreinte"), application of art. 41 L. (art. 24 and 25 OS)
- Situations where a member elected to the restricted panel, or the chair of the restricted panel, ceases or is no longer able to perform their duties;
- Cases of conflict of interest involving a member of the restricted panel, other than the chair;
- Convening, meeting and deliberation.
→ Section 5 - Functioning of the Personal Data Protection Authority, application of art. 44 L. (art. 26 to 31 OS)
- Delegation of signature authority from the APDP president to the secretary general;
- Contents of the APDP's internal regulations;
- Recruitment of APDP staff, employment contracts;
- Ex post financial control of the legality of APDP expenditure;
- Annual financial statements communicated to the Minister of State.
→ Section 6 - Monitoring the implementation of processing operations, application of art. 46, 47 and 48 L. (art. 32 to 41 OS)
- Recourse to one or more investigators when deliberations concern verification operations requiring specific knowledge and technical expertise;
- Prevention of conflicts of interest involving APDP agents or investigators;
- Investigation mission (deliberations, mission letter);
- Terms and conditions of on-site inspections, daily inspection reports, Order of the President of the Court of First Instance hearing the case in the event of opposition to audits and investigations;
- Minutes in the event of the use of a false identity to carry out the inspection of an online communication service of a data controller or processor;
- Summons to a hearing, terms and conditions of the hearing (recording, videoconference or audioconference, minutes, etc.).
→ Section 7 - Corrective measures and sanctions, application of art. 34, 38, 50, 51, 56 L. (art. 42 to 50 OS)
- Non-disclosure of the identity of the author of the complaint or claim to the data controller or processor, unless this is necessary to remedy the alleged breach(es);
- Terms and conditions of the formal notice ("mise en demeure");
- Terms and conditions relating to the report drawn up by one of the members of the APDP, outside the restricted panel, appointed by the chair, when the formal notice given to the data controller or processor to comply has been unsuccessful or when the breach is not likely to be remedied or the data controller or processor does not comply with the obligations of Law No. 1.565 (on the basis of which the restricted panel is seized);
- Investigation procedure;
- Convocation, hearing, decision of the restricted panel;
- Cases of total or partial non-compliance or late compliance with a compliance obligation accompanied by a penalty payment ("astreinte");
- Referral to the restricted panel in the event that an approved certification body or a certified body, or a body responsible for ensuring compliance with a code of conduct, has failed to fulfil its obligations or has not complied with the provisions of Law No. 1.565;
- Referral to the restricted panel in cases where non-compliance with the provisions of Law No. 1.565 results in a violation of fundamental freedoms and rights and where urgency so warrants.
Chapter IV - Processing subject to prior formalities
→ Section 1 - General provisions, application of art. 59, 60, 63, 100 L. (art. 51 to 58 OS)
- Formalities for requests for opinions ("demandes d'avis") (Police Justice processing, with the exception of processing carried out by the judicial authorities for the purposes of proceedings brought before the various courts and international mutual legal assistance proceedings; genetic or biometric data; research in the field of health) and requests for authorisation ("demandes d'autorisation") (transfer of personal data to a country, territory or international organisation that does not meet the requirements set out in art. 97 to 99 L.) addressed to the APDP;
- Information contained in the List of processing operations subject to these formalities, made available to the public by the APDP.
→ Section 2 - Processing carried out for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Police Justice), application of art. 74, 75, 76, 95 L. (art. 59 to 63 OS)
- Exercise of the right of access, which is exercised indirectly through the APDP;
- Exercise of the rights of rectification and erasure, which are exercised directly with the data controller;
- Transfer of personal data relating to Police Justice processing (or processing carried out under the provisions of art. 9 to 15 and 18 of Law No. 1.430 of 13 July 2016 - State and national security) to a country, territory or international organisation that does not ensure an adequate level of data protection: content of the transfer documentation; provision of documentation at the request of the APDP (or Special National Security Commission "Commission Spéciale de Sécurité Nationale").
→ Section 3 - Processing related to health research, application of art. 78 L. (art. 64 OS)
- Consultation (optional) with the Health Action Directorate ("Direction de l’Action Sanitaire", public service responsible for health matters) prior to the APDP issuing its opinion.
Chapter V - Specific provisions for certain types of processing
→ Single section - Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, application of art. 81 L. (art. 65 and 66 OS)
- Processing of personal data for archiving purposes in the public interest: appropriate safeguards determined by the laws and regulations relating to archives, and ensured by compliance with state-of-the-art standards for electronic archiving.
- Processing for scientific or historical research purposes or for statistical purposes, and data resulting therefrom: list of persons authorised to access and, where applicable, modify the data, and appropriate safeguards relating to dissemination.
Chapter VI - Transfers of personal data
→ Assessment of adequacy, updating of the list of countries offering an adequate level of protection, application of art. 97 L. (art. 67 OS)
- Criteria taken into account to determine whether a country, territory or international organisation has legislation or regulations providing an adequate level of protection;
- Update of the list of countries, territories or international organisations providing an adequate level of protection.
→ Certification mechanism, code of conduct, binding corporate rules (BCRs), application of art. 98 L. (art. 68 to 70 OS)
- Certification mechanism or code of conduct: binding and enforceable commitment made by the data controller or processor in the recipient country, territory or international organisation to apply the appropriate safeguards contained in these instruments, including with regard to the rights of data subjects; transmission of this commitment to the APDP.
- BCRs approved by the APDP: must expressly confer enforceable rights on data subjects with regard to the processing of their personal data; list of minimum requirements; any amendments subject to approval by the APDP.
- BCRs approved by a data protection authority in a country that provides an adequate level of protection: all Monegasque safeguards must be effective; a transfer may only be based on these if the rights benefit the data subjects whose data is collected in the Principality of Monaco and if the mechanisms guaranteed by the intervention of the supervisory authority are usable by the APDP.
→ Overriding legitimate interests pursued by the data controller, application of point 3 of art. 99, art. 27 L. (art. 71 OS)
- Informing the data subject of the transfer, the compelling legitimate interests pursued and the appropriate safeguards that have been taken;
- Communicating this information to the APDP;
- Documenting the assessment and appropriate safeguards in the records of processing activities.