ACTIVITY OF THE PERSONAL DATA SUPERVISORY AUTHORITY OF MONACO (CCIN) IN 2023/24

06.08.2024

This article is devoted to the positions of principle of the personal data supervisory authority of Monaco (hereinafter “CCIN”) formulated in the context of complaints or requests for authorisation to implement data processing in 2023 (I), as well as its recommendations and practical information sheets published in the first quarter of 2024 (II).

1. Positions of principle of the CCIN formulated in the context of complaints or requests for authorisation to implement data processing in 2023

The CCIN recalled the principles governing the use of communication tools in connection with the professional environment (1) and the data processing implemented in the fight against money laundering and the financing of terrorism (2).

 

1.1. Principles governing the use of communication tools linked to the professional environment

a) Good practice in electronic messaging when an employee leaves permanently:

The CCIN has issued a reminder of the best practices to adopt in the event of an employee's permanent departure, given that it is more and more often approached by former employees who have noticed that their professional email address is still active even though they left their job several months ago:

  1. When an employee leaves the company for good, his or her email inbox should be "blocked" (i.e. he or she should no longer be able to receive or send emails), with the exception of an automatic message informing the sender of the email that the person no longer works for the company, and that he or she should henceforth send his or her emails to a given address. This arrangement may be maintained for a maximum of 3 months, depending on the duties and degree of responsibility of the former employee.
  2. At the end of this period, the former employee's personal email address will be deactivated (deleted).
  3. The employer must allow the employee to retrieve any private emails that may be in the employee's nominative professional email inbox.

b) Principles governing the right of access to a private chat and to personal data processed:

Employees of a company had set up a private chat on their personal telephones to discuss a proposed restructuring of their company. One of the employees had informed the employer of the content of this chat. Both the employees and the employer referred the matter to the CCIN to find out which employee had given the information. The CCIN refused both to grant access to the content of the private chat and to seek out the employee who had given the information to the employer, pointing out that the employer could not in any way draw consequences from a private chat between employees of which it should not have been aware.

Faced with recurring complaints relating to the right of access, the CCIN has reiterated the basic principles for responding to a request for access to personal data processed:

  1. under Monegasque law, the right of access does not entitle the holder to obtain a copy of all documents concerning him or her;
  2. the response to a request for right of access must respect the rights of third parties (the right of access must not be a means for the applicant to obtain personal information about third parties);
  3. a copy (in black and white, crossed out) of an identity document may only be requested when there are doubts about the identity of the person requesting access.

 

1.2. Principles governing the data processing carried out in the context of the fight against money laundering and the financing of terrorism

In 2023, the CCIN issued 18 deliberations on data processing as part of the fight against money laundering and the financing of terrorism (AML/CFT), most of which concerned banking institutions, in addition to chartered accountants, ship lessors and lawyers for activities relating to their clients' financial or real estate transactions.

The CCIN pays particular attention to the strict application of, and compliance with, the texts governing the AML/CFT field.

a) In this context, the CCIN very often has to request that the scope and coverage of the due diligence measures provided for by law not be extended:

The purpose of the processing chosen by the data controller is generally precise and explicit (e.g. "Management of the identification/verification of persons subject to the AML/CFT - KYC"; "Responding to requests for information from the Monegasque Financial Security Authority (AMSF)" or "Management of suspicious transaction reports").

However, with regard to the scope of the due diligence measures, the CCIN is often called upon to point out that the employees of the entities subject to the law are only concerned by the processing in their capacity as transaction managers, and that they should not be subject to the due diligence measures put in place in the context of AML/CFT processing (AML/CFT risks must be taken into account when recruiting staff, and according to the level of responsibilities exercised).

b) With regard to checks on Politically Exposed Persons (PEPs), the CCIN must frequently reiterate its legal scope:

In their applications for authorisation, data controllers tend to use the broad concept of "all persons of interest", the contours of which are uncertain, whereas the law draws up a list of persons who qualify as PEPs, persons deemed to be members of their family and persons closely associated with them.

When data controllers omit certain categories of persons subject to due diligence measures, the CCIN reinstates them so as not to place the entities subject to the AML/CFT law at legal risk.

c) The origin of the information processed and the risk assessment profile often call for comments from the CCIN:

Data controllers very often mention doing research on the Internet in order to fulfil their due diligence obligations and completing KYC documentation on prospects or their clients.

As with the risk assessment profile, the CCIN must frequently point out that Internet searches are not categorised as "reliable sources" by the AML/CFT law.

d) The retention periods for information processed in the AML-FT-C domain are the point that calls for the most comments and requests from the CCIN:

The AML/CFT law expressly provides for retention periods, in terms of knowledge of clients, verification of transactions, or concerning prospective clients. However, the CCIN must frequently ask entities subject to the law to comply with the 5-year time limit and to extend it only in the limited cases provided for by law and justified on a case-by-case basis.

The CCIN's requests also concern the retention periods for requests for information from the Monegasque Financial Security Authority (AMSF), the Bar Council (Conseil de l’Ordre des Avocats), the Public Prosecutor (Procureur Général) or the Examining Magistrate (Juge d’instruction), for which the maximum retention period is 1 year. The CCIN limits this 1-year retention period not only to the request for information itself, but also to information relating to the person who is the subject of the request, whether or not this person is known to the professional subject to the AML/CFT law.

However, as there is no legal framework for the retention of information relating to suspicious transaction reports filed by reporting entities, the CCIN has set the following retention periods:

  1. 5 years after a suspicious transaction report has been filed, where no action has been taken by the AMSF;
  2. 6 months after the AMSF informs the reporting entity of the existence of a judicial decision that has become final;
  3. a maximum of 1 year from the date of the alert if the alert does not give rise to a suspicious transaction report.

On 18 March 2024, a meeting was held to launch thematic working groups with the banks to answer recurring questions and harmonise practices within a common document, which could be used to draw up a Code of Conduct once the new legislation on personal data is adopted (see our previous publications).

2. CCIN recommendations and practical information sheets published in the first quarter of 2024

The CCIN has issued recommendations concerning the publication in the Official Journal (Journal de Monaco) of disciplinary sanctions and disability retirement measures for public sector personnel with regard to the right to be forgotten and the right to restriction of processing (1) and published three practical information sheets on "Cloud computing", "The security of processing: a global approach" and "The criterion of establishment" of the data controller in Monaco (2).

2.1. Recommendations concerning the publication in the Official Journal (Journal de Monaco) of disciplinary sanctions and disability retirement measures for public sector personnel

a) Disciplinary sanctions published in the Journal de Monaco: right to be forgotten (dereferencing by de-indexation):

In its Deliberation no. 2024-72 of 20 March 2024, the CCIN recommended changes to Monegasque legislation leading to the automatic publication of certain disciplinary sanctions for public sector personnel in the Journal de Monaco and the implementation of a right to be forgotten.

As Monegasque data protection legislation does not expressly provide for a right to be forgotten, the CCIN has based its recommendation on the case law of the European Court of Human Rights (ECHR), which balances in particular: the nature of the information archived, the time elapsed since the facts, the first publication and posting online, the contemporary interest in the information contained in the publication, the public interest in accessing this information, the notoriety of the person and the negative repercussions of the posting online on the person concerned, as well as the impact of the omission measure (for example Grand Chamber, Hurbain v. Belgium, judgment of 4 July 2023, Application no. 57292/16, §§ 200-211).

The CCIN also relied on article R221-16 of the French Code of relations between the public and the administration, which states that "(...) may only be published in the Official Journal of the French Republic under conditions guaranteeing that they are not indexed by search engines (...) 4° Administrative and disciplinary sanctions; (...)".

The CCIN therefore recommended that Monegasque legislation be amended to make publicity an autonomous sanction which is not automatic, and that the right to be forgotten be applied to the publication in the Journal de Monaco of disciplinary sanctions, which should be de-indexed from the Journal de Monaco website within a maximum of 2 years of their publication.

Following this recommendation, a government bill tabled on 22 May 2024 provides for certain categories of individual acts (to be determined by regulation) to be published under conditions guaranteeing that they are not indexed by search engines.

b) Retirement on grounds of invalidity published in the Journal de Monaco: right to privacy and restrictions on the processing of health-related data

In its Deliberation no. 2024-71 of 20 March 2024, the CCIN recommended that measures of retirement on grounds of invalidity published in the Journal de Monaco should no longer mention the reason for the retirement.

The CCIN considered that the fact of indicating that retirement was due to invalidity constituted processing of nominative information revealing data relating to the health of the person concerned, resulting in an infringement of the right to privacy guaranteed by article 22 of the Constitution, article 22 of the Civil Code, article 8 of the European Convention on Human Rights, and article 1 of Monegasque legislation on personal data protection. The dissemination of this type of information revealing a person's medical incapacity to hold a job, in addition to the personal and moral damage, can have significant objective practical consequences for the person concerned in his or her daily life.

In the absence of Monegasque case law on the subject, the CCIN also relied on a decision of the French Conseil d'Etat (M. A. c/ ministre de l'économie, des finances et de la relance, 10 June 2021, req. no. 431875) concerning the limitation of an online publication that indirectly revealed, through the endorsements (decree of 25 August 1995 on the recruitment of disabled workers in the civil service), health data. Once the time limit for appealing against such an act has expired, this publication may be maintained in the form of an extract not mentioning the legal basis of the appointment order, upon request.

The CCIN thus considered that the indication of the grounds of invalidity in a document made public and subject to wide circulation cannot be justified by any valid reason outweighing the interest of the persons subject to the measure in having their right to privacy respected: only the fact that the civil servant has ceased his or her duties may be of interest to third parties; the public interest does not justify the publication of health data; the decision to retire on grounds of invalidity following an adversarial process may be notified to the civil servant by any means, other than publication, which may be appealed against by him or her.

2.2. Practical information sheets on "Cloud computing", "The security of processing: a global approach" and "The criterion of establishment" of the data controller in Monaco

c) Practical information sheet on "Cloud computing":

This factsheet presents the main advantages and disadvantages of the Cloud (public, private, hybrid and multi-cloud) and highlights the main issues it raises in terms of data protection:

  1. security risk (technical breakdowns; computer attacks, given the concentration of data in one place);
  2. risk of data loss during backup or storage procedures;
  3. risk of data leakage and loss of confidentiality, due to the number of existing servers and their relocation;
  4. risk of loss of control or sovereignty over the data, particularly with regard to the location of the data and its subjection to the laws and regulations in force in the national territory where the servers are located (many countries have introduced legislation or practices, such as the American Cloud Act, enabling them to access data hosted on Cloud services).

Finally, the CCIN recommends the measures to be taken to secure the Cloud, in terms of configuring the Cloud and accessing data, securing accounts and access to accounts, encrypting data, checking the security of the Cloud service provider and implementing internal procedures.

It should be noted that the Principality of Monaco has a sovereign Cloud, which currently relies on two data centres on Monegasque territory and a backup data centre in Luxembourg.

d) Practical information sheet on "The security of processing: a global approach":

This factsheet focuses on the question that many data controllers ask themselves: What do technicians want to know when analysing a file?

The CCIN identifies 6 essential stages in the analysis:

  1. purpose of the data processing, which requires knowledge of the type of data collected and the data flow;
  2. authorisations granted and traceability (possible accountability of actions), technical architecture diagram;
  3. security applied to the data in relation to the purpose;
  4. data communication media (web portals, e-mail, physical media such as USB keys, etc.);
  5. transfer of data to a country without adequate protection, with the security of the data concerned by this transfer;
  6. other related and/or interconnected data processing.

The CCIN has included a very detailed case study (a company based in Monaco submitting a video surveillance file, whose remote surveillance provider is located in Italy).

e) Practical information sheet on "The criterion of establishment" of the data controller in Monaco:

This factsheet focuses on the territorial scope of the Monaco law on data protection, the provisions of which are applicable to “automated processing of personal data implemented by a data controller established in Monaco”.

Since the criterion of establishment is not defined by the text, the CCIN specifies that the existence of an effective, real and stable exercise of activity is to be taken into consideration to retain the existence of an establishment of the data controller in Monaco. It refers to Article 3 (1) and Recital 22 of the GDPR, as well as the Guidelines 3/2018 on the territorial scope of the GDPR adopted by the European Data Protection Board (EDPB).

The CCIN also indicates that the question of the application of Monaco law must be approached differently with regard to services for connected objects and mobile applications.

It distinguishes data processing intrinsically linked to the sale of equipment (cars for example) and associated options which fall within the scope of application of Monegasque law, from data processing relating to options or tools that the buyer can choose to activate or use later (mobile application for example).

Finally, it should be noted that the reform of the data protection law underway in Monaco plans to adopt the GDPR criteria of establishment and targeting.

Source: Commission de Contrôle des Informations Nominatives (CCIN), Rapport d’activité 2023 www.ccin.mc/wp-content/uploads/2024/06/Rapport-CCIN-2023.pdf

 

Article provided by INPLP members: Thomas Giaccardi and Anne Robert (99 Avocats Associes, Monaco)

 

 
