Activity of the personal data supervisory authority of Monaco (CCIN): Increase in the number of complaints and recommendations

02.02.2024

This article outlines the complaints addressed to the CCIN by data subjects, the number of which, relative to the size of Monaco, is rising sharply (1), and its recommendations (2).

1. INCREASE IN THE NUMBER OF COMPLAINTS TO THE CCIN IN 2022

The number of complaints addressed to the CCIN has once again increased, with 41 complaints recorded in 2022 (28 complaints in 2021, 19 in 2020 - see our previous article).

Most of the complaints consisted of requests for the removal of online content (22); the other complaints related to the workplace (11), banking institutions (2), commercial prospecting (2), cameras in apartment buildings (2), mobile applications (1), and access to administrative documents, which highlighted a gap in Monegasque law (1).


Complaints concerning the removal of online content (22)

Most of these complaints consisted of requests for the removal of content published on social networks: Instagram (11), Facebook (7), WhatsApp (1), TikTok (1). The other media concerned were Google (1) and Hotmail (2).

A significant number of complaints involved breaches of privacy.

These mainly concerned the recovery of hacked accounts and the deletion of fake accounts (the name, title, and official photo of a prominent personality in Monaco were used in profiles to mislead users; a page featuring a competition organised by a legal entity, in order to solicit financial contributions from customers of the said company to take part).

It should be noted that for the first time, the CCIN received a request for the recovery of a TikTok account that had been hacked following a change in the associated telephone number, and a request in connection with an online sale advertisement that had been fraudulently retrieved from two websites in an attempt to defraud potential buyers, even though the property had already been sold.

The other complaints received by the CCIN were aimed at obtaining the dereferencing of several articles accessible from the Google search engine, and the deletion of a defamatory publication on a Facebook account.

Almost all the media complied with the requests of the people concerned, with or without the intervention of the CCIN.

At the end of 2023, there was an increase in requests to delete fake Instagram accounts linking to pages with sexual connotations on the Wix platform. The victims are generally young women who regularly post photos of themselves on their own Instagram accounts (often in swimming costumes). These photos and their first and last names are then used to create a fake Instagram profile under a username that looks very similar to the original, with a biography promoting adult content containing a link to a sexual page created on Wix. The CCIN noted that the Wix platform takes this problem very seriously. The fake page is generally removed within hours of the complaint form being sent.


Complaints concerning the workplace (11)

Employees or former employees have referred matters to the CCIN to denounce practices that infringe their rights.

Most of the complaints (resolved by the CCIN's intervention) concerned the professional email of former employees whose personal email address had not been deactivated several weeks after their departure (6).

One complaint also concerned the failure to update a company's website, giving the impression that the former employee was still part of the workforce because his name still appeared in the list of employees. 

A former employee also complained that he had been refused access to his work computer on the grounds that his employer feared a leak of work-related data. In this case, the CCIN acted as a "mediator" and "trusted third party" to restore the personal data to the complainant.

The use of cameras in the workplace, involving the use of images to monitor employees' work, has also been the subject of complaints. The CCIN initiated inspection missions, which in one case led to the removal of the images from the disciplinary file of the employees concerned.


Complaints concerning banking institutions (2)

One complaint concerned the failure to respond to a request for access. More specifically, the complaint concerned access to information about deceased persons. The bank had refused to communicate the information of a deceased person to his daughter, on the grounds that the latter did not prove her status as heir to her father by communicating an official document authenticated by a notary. Article 13 of Law no. 1.165 on the protection of personal data states that: "Unless otherwise provided by law, the ascendant, descendant up to the second degree, or surviving spouse of a deceased person may, if he or she can demonstrate an interest, exercise the rights [of opposition, access and rectification], with regard to information concerning that person". After the CCIN intervened, the bank granted the request for access under the said Article 13, the interest of the request being to assert her rights in her father's estate.

The other complaint concerned the rectification of obsolete information as part of the automatic exchange of information (AEI) in tax matters. The complainant had received a letter from a bank of which he was no longer a client, informing him that data concerning him would be transmitted (by the Monegasque tax authorities) to the tax authorities of two foreign countries. The complainant had long since ceased to be a tax resident of these two countries. After the CCIN intervened and before the information was transmitted, the bank rectified the obsolete information.


Complaints concerning commercial prospecting (2)

The CCIN received complaints concerning the failure to unsubscribe from a commercial prospecting list, resulting from the use by the new owner of the establishment concerned of an old list drawn up by the previous owner. The error has been rectified.


Complaints concerning cameras in apartment buildings (2)

The first complaint concerned cameras filming access to the terrace of a private individual who had installed them to ensure that no-one entered his home via his terrace. The residents were concerned that the cameras were being directed at their homes, which was not the case.

The second complaint concerned the redirection of cameras operated by two condominiums, which were filming the complainant's private terrace and access to his terrace. The cameras were redirected after inspection.


Complaints concerning mobile applications (1)

The complaint concerned the receipt of a notification on a mobile application, informing a person that an account had been created in his name and that he had been re-registered with an association, even though this re-registration had been refused a few weeks earlier.

This request was made in the context of a conflict between the person concerned and the association, and the CCIN carried out an inspection to check whether or not this registration was the result of a malicious act.


Complaints concerning access to administrative documents (1)

The CCIN received a complaint from a person wishing to obtain a copy of his minor child's file drawn up by a public entity, which request had been refused on the basis of Sovereign Order No. 3.413 of 29 August 2011 on various measures relating to the relationship between the Administration and the citizen.

The issue at stake in this complaint was the relationship and differences between access to administrative documents and access to personal data.

This complaint highlighted the shortcomings of Monegasque law in this area, as there is no link between the texts relating to the protection of personal information and those concerning access to administrative documents, and there is no independent body responsible for ruling on the issue of administrative documents. Nor is there any doctrine or case law on the subject.

Article 24 of the aforementioned Sovereign Order allows the administration to reject requests for access to administrative documents where consultation would prejudice the course of proceedings brought before the courts or operations preliminary to such proceedings, provided that the file which is the subject of the request had been forwarded to the competent judicial authority by the department concerned.

The CCIN considered that this refusal was liable to sanction, on the grounds that the public entity's refusal was unjustified since the documents at issue remained administrative and not judicial documents and that, even if the reservation set out in Article 24 of the Sovereign Order were to be considered applicable, it could not be invoked to oppose the enforcement of a right provided for in the Law (Act No. 1.165 on the protection of personal data of 23 December 1993, as amended), taking into account respect for the hierarchy of norms, as the Sovereign Order in question had infra-legislative value.

 

2. RECOMMENDATIONS OF THE CCIN

The CCIN issued reminders of good practice, particularly with regard to hacking on social networks, to professional e-mail after an employee has left the company, and to information about employees on the company website.

It should also be noted that the CCIN has reviewed its position on cameras in places open to the public.


Hacking on social networks

The CCIN pointed out that very often hacking problems can be easily resolved by individuals themselves by following the procedures put in place by the social networks. It recommended that complainants should first contact the social networks in question, before referring the matter to the CCIN if they are unsuccessful.

Moreover, a guide to the procedures for resetting passwords or recovering accounts can be found in the "Practical Information" section of its website.


Good practice with regard to professional e-mail after the employee has left the company 

The CCIN has issued a reminder of good practice with regard to professional e-mail, whether or not it is used for surveillance purposes, when an employee leaves permanently.

The position of the CCIN is:

  • When an employee leaves the company permanently, his or her email address must be "blocked", i.e. it must no longer be possible to receive or send emails, with the exception of an automatic message, for a maximum of 3 months, depending on the former employee's duties and degree of responsibility;
  • At the end of this 3-month period, the former employee's nominative email address must be deactivated;
  • The employer must allow the employee to retrieve any private emails that may be in the employee's professional email box.


Good practice with regard to information about employees on the company website

Similarly, with regard to the employer's website and the sections dedicated to the presentation of employees, the CCIN recalled that:

  • This information must be strictly limited to their professional life and relevant to their functions;
  • An employee cannot be forced to put his or her photo online, as this must result from a choice freely expressed by the employee;
  • Obsolete information must be withdrawn immediately in the event of the departure of an employee.


Revised position on cameras in places open to the public

At its plenary meeting on 17 May 2023, the CCIN “reconsidered its position on cameras installed in lifts located in places open to the public (shops and museums, for example). Until now, the Commission had required these cameras to be oriented so as to film only the lift doors. However, when examining a video surveillance system that a luxury shop wished to install, the Commission considered that cameras could even film the interior of the lifts serving the various floors of the establishment, as long as the objective was to reinforce the security of the premises and prevent the risk of theft and assault.”

Although the CCIN now authorises cameras to film the interior of lifts in public areas, its Deliberation no. 2010-13 of 3 May 2010 concerning recommendations on video surveillance systems implemented by private individuals or legal entities remains nonetheless applicable.

The CCIN points out that, given the intrusive nature of video surveillance systems, they can only be used for the following purposes:

  • to ensure the safety of individuals,
  • to ensure the safety of property,
  • to control access,
  • to provide evidence in the event of an offence.

 

Finally, it should be noted that parliamentary work concerning the reform of the Monegasque legislation on personal data (presented in our previous articles) is continuing. The rapporteur (on behalf of the “Commission du Développement du Numérique” to which the bill is referred) has been chosen, and a series of consultations is underway to inform the parliamentary work.

Source: Commission de Contrôle des Informations Nominatives (CCIN) https://www.ccin.mc/

 

Article provided by INPLP member: Thomas Giaccardi and Anne Robert (99 Avocats associés, Monaco)

 

 
