
Personal data

Our expertise in personal data in Monaco

The law firm 99 AVOCATS acts in all issues related to the protection of personal data, at all stages and whatever your sector of activity, among others:

  • Advice and compliance with the new Monegasque regulations (Law no. 1.565) and European regulations on the protection of personal data (GDPR): internal documentation and policies (register of the processing operations, information obligations, data breach or rights management policies, IT charter, etc.); contracts (mentions relating to the protection of personal data, subcontracting, joint liability, etc.); website review (privacy policy and mentions, cookies policy, etc.); protection of personal data in the context of the supply and deployment of artificial intelligence systems, etc.
  • Support with your procedures: monitoring and supervision of personal data transfers outside Monaco, which may require a request for authorisation from the Autorité de Protection des Données Personnelles (APDP), advice and monitoring in the context of APDP inspections, complaints, requests for online content to be removed (website publishers), requests for de-listing (search engines), etc.

Monaco Law

Personal data protection law in Monaco

At international level, on 10 October 2018, Monaco signed the Protocol amending Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol on supervisory authorities and transborder data flows (Convention 108+ modernising Convention 108 and its Protocol, to which Monaco is a party). Ratification of Convention 108+ was approved by Law no. 1.566 of 3 December 2024.

At national level, Law no. 1.565 of 3 December 2024 constitutes the general framework for the protection of personal data.

It established a new independent administrative authority responsible for supervising compliance with Law no. 1.565, the Autorité de Protection des Données Personnelles (APDP), which replaces the former Commission de Contrôle des Informations Nominatives (CCIN).

In addition to this general legislation, specific regimes are also applicable.

For example, in tax matters, Law No. 1.444 of 19 December 2016 imposes additional obligations on Monegasque Financial Institutions relating to personal data transmitted in the context of the automatic exchange of information on financial accounts.

Similarly, in the health sector, a special regime applies, justified by the sensitive nature of medical data, consisting of Law No. 1.454 of 30 October 2017 relating to consent and information in medical matters, and its implementing Order No. 6.903 of 27 April 2018, as well as Sovereign Order No. 8.357 of 5 November 2020 relating to personal health data produced or received by health professionals and establishments, and its implementing Ministerial Order No. 2020-764 of 5 November 2020.

The new Law no. 1.565 on the protection of personal data

Law no. 1.565 represents a far-reaching reform of Monegasque personal data protection law, which:

  • transcribes the requirements of Convention 108+ of the Council of Europe;
  • aligns Monegasque legislation with the standards of the European Union's "data protection package" consisting of Regulation (EU) 2016/679 (GDPR) and Directive (EU) 2016/680 "Police Justice", in order to obtain an adequacy decision from the European Commission so that transfers of personal data from the EU to Monaco can take place without any specific framework.

Law no. 1.565 applies to all or part of the automated and non-automated processing of the personal data of natural persons, including temporary copies, which are:

  • implemented by a controller or processor established in Monaco, whether or not the processing takes place in Monaco (establishment criterion);
  • relating to data subjects on the territory of Monaco and implemented by a controller or processor established outside the territory of Monaco when the processing activities are linked to the offering of goods or services or the monitoring of the behaviour of these data subjects (targeting criterion).

The Monegasque legislation adopts the accountability logic of the GDPR, which means that the formalities for declarations and authorisations prior to the implementation of processing that were required under the previous legislation have been discontinued (with a few exceptions).

Like the GDPR, Law no. 1.565 requires data controllers and processors to put in place appropriate technical and organisational measures to protect the rights of data subjects, and to be able to demonstrate what has been done and its effectiveness at the request of the Personal Data Protection Authority (APDP).

The rights of data subjects and the self-regulatory tools and mechanisms applicable to data controllers and processors under Law no. 1.565 and the GDPR are similar: protection of data by design and by default (privacy by default), enhanced supervision of subcontracting, including secondary subcontracting, register of processing activities, Data Protection Officer (DPO), security obligations, obligation to notify data breaches, Code of Conduct and certification mechanism, impact assessment, etc.


The applicability of the GDPR to Monaco

In addition to its impact on the rewriting of Monegasque personal data protection law, the GDPR is applicable to companies established in Monaco that offer goods or services to persons located in the European Union or track their behaviour.

Given the extraterritorial scope of the European Union's rules, a certain amount of vigilance is required in order to comply not only with national but also European regulations on personal data.

For example, in the context of the supply and deployment of fast-growing artificial intelligence systems, particular vigilance is required when personal data is used for learning purposes. Depending on the case, Law No. 1.565 and the European Union's GDPR (in addition to the AI Act) are likely to apply concomitantly to suppliers and developers.

Related developments

Bill no. 1087, tabled on 19 December 2023, envisages the use of remote biometric identification technologies in areas accessible to the public, solely for the imperative purpose of preserving national security (to be compared with the harmonised rules of the AI Act), in compliance with the safeguards provided by ordinary personal data protection law.