Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

PERSONAL DATA PROTECTION LAW IN MONACO: A “STRUCTURAL MODIFICATION” ANNOUNCED

18.11.2019

The preparatory work for the reform of the Monegasque data protection law (Act No. 1.165 of 23 December 1993, consolidated), carried out jointly by the State services and the Commission for the control of personal data (Commission de contrôle des informations nominatives – CCIN), began in 2018, and should be completed in 2019

The CCIN’s 2018 Activity Report refers to “the structural modification in domestic law governing the protection of personal data”.

Thus, the Monegasque Authorities have a twofold objective:

  1. “to incorporate the amendments made to Convention 108 as they result from the Amending Protocol adopted by the Committee of Ministers of the Council of Europe in May 2018 and signed by the Monegasque Authorities on 10 October 2018”; 
  2. ”to take into account the principles introduced on the territory of the European Union by the General Data Protection Regulation (GDPR), in order to ensure that the Principality benefits from the highest standards in this area (…) bearing in mind, of course, the adequacy benchmark on which the European Commission will base its analysis when it will have to evaluate the level of personal data protection guaranteed by the new Monegasque legislation, with regard to the GDPR”.

 

Monaco's geographical proximity to the territory of the European Union in practice means that a large number of Monegasque entities must comply with both Monegasque law and GDPR, which each has its own compliance logic.

Indeed, the Monegasque current domestic legislation is based on the system of preliminary formalities (ordinary or simplified declaration, authorization or legal advisory request), while the GDPR is based on the principle of accountability with self-regulatory mechanisms.

Another difference lies in the notification of a personal data breach to the personal data protection authority.

 

To date, the only notification obligation to the CCIN concerns breaches in personal data processed in connection with the automatic exchange of tax information.

Outside of this context, in the case of a personal data breach involving natural persons located on the territory of the European Union, the CCIN redirects the entities concerned to the competent supervisory authority.

Thus, on the recommendation of the CCIN, the French supervisory authority (Commission nationale de l’Informatique et des Libertés - CNIL) has already been seized by Monegasque entities pursuant to Article 33 of the GDPR.

 

Already, the GDPR has a significant influence on the CCIN’s guidance, as evidenced by its Deliberation No. 2019-083 of 15 May 2019 on the placing and storage period of cookies and other tracers on the terminals of users of electronic communication networks.

It is clear from this Deliberation, that the CCIN is oriented towards the GDPR principle of prior, explicit and specific consent to cookies.

According to the CCIN, “the banner must not be used solely for informative purposes but must allow the approval or deactivation of the placing of cookies directly on the website by a positive action of the person concerned, if possible by type of cookie (advertising, analytical, social networks, etc.) with an option allowing a global refusal expressed at once”. 

Thus, the continuation of navigation on a website does not constitute valid consent to the placing of cookies.

In this respect, only cookies strictly necessary for the operation of a website may be placed in a user's terminal without his/her consent, while other cookies must be accepted before they are stored. In case of refusal by the user, the Website must remain accessible and functional.

The new Monegasque legislation on personal data protection, which will be inspired by the high standards of the GDPR, should be adopted by 2020 at the latest.

 

References:

 

Article provided by: Thomas GIACCARDI, Defense-Attorney, Founder; Anne ROBERT, Senior Associate (GIACCARDI & BREZZO Avocats).

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

WHAT IS THE DPC/CPC PROJECT?

53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More

 

CPC MISSION & VISION STATEMENT

The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.