Activity of the personal data supervisory authority of Monaco in 2021

02.02.2023

The Personal Data Supervisory Authority (hereinafter "CCIN") has published its 13th Activity Report covering the year 2021. This article outlines the interventions of the CCIN regarding complaints addressed to it by data subjects (1) and the decisions of the Monegasque courts related to personal data protection (2).

1. Complaints to the CCIN

The number of complaints addressed to the CCIN has increased, with 28 complaints recorded in 2021 (19 complaints in 2020) involving the right of deletion of online content (14 complaints), the right of access (2), commercial prospecting (2), professional e-mail after the employee has left the company (1), access by an employer to the private data of one employee (1), video surveillance devices operated by private entities (7), the taxi fare management system (1).

  • Complaints concerning the right of deletion of online content (14)

Of these fourteen complaints, three were found to be inadmissible due to lack of evidence to deal with and three were resolved directly by the complainants with the media concerned even before the CCIN had to intervene.

- Of the eight requests finally processed by the CCIN, six concerned social networks:

The first case involved five fake accounts (two on Facebook, one on Instagram, one on LinkedIn and one on Twitter) created in the name of a high-level personality of the Principality. These fake accounts were used, among other things, to post comments on other official pages, which not only undermined the personality but also misled Monegasque residents into thinking that these accounts were official media, as more and more of them subscribed to them.

Another case involved the deletion of two Instagram accounts that had been hacked and used to send sexually explicit photos of minors.

The third case involved a fake LinkedIn account that usurped, again, the identity of a very high-profile person for the purpose of fraud.

The fourth case concerned a request from a Monegasque athlete to recover a Facebook and Instagram account that had been hacked. The athlete, who was publicly known, had started the procedure for certification of her Instagram account through the official application of the social network. In response to her request, however, she was asked to provide a copy of her ID and to change the email address associated with her account. Following these two actions, the hackers were able to take control of this account as well as the Facebook account associated with it.

In the last two cases, two Monegasque institutions seized the CCIN to recover their respective official accounts which were no longer accessible.

Following the intervention of the CCIN, all these accounts were promptly deleted or recovered.

- The other two complaints were about fake websites:

In the first case, a fake website had been created on Wix in the name of a student to post sexual content. The student did not appear in the images and videos posted, but her photo was used as a profile icon and cover page. The site was removed within 24 hours of the CCIN's intervention.

The second case involved two fake websites created on Google, each in the name of two different people, in order to spread unjustified accusations against them.

Google granted the first de-listing request because, although the site referred to the professional role of the person concerned, it considered that the complainant was not a public figure and that other elements of his private life were present on the URL.

However, the search engine refused to delist the second site, saying it was not in a position to comment on the accuracy of the statements made against the complainant, especially as other publishers, including the International Consortium of Investigative Journalists, had reported on related issues concerning him.

  • Complaints concerning the right of access (2)

The first complaint was lodged by an individual registered with a temporary employment agency who had not responded to his request for the names of the entities to which his application had been forwarded, on the grounds that these recipient entities wished to keep this information confidential, in a competitive sector of activity.

The second complaint concerned access to telephone recordings by a former employee, in the context of a conflict with his hierarchy.

On instruction from the CCIN, the data controllers had to transmit the data, in the first case directly to the complainant, in the second case to the complainant's duly mandated counsel.

  • Complaints concerning commercial prospecting (2)

Two people referred the matter to the CCIN after receiving advertising emails and SMS from entities they did not know. The advertising messages concerned commercial brands unknown to the complainants but marketed by brands of which they were customers.

The CCIN invited these entities to make more visible and accessible the links allowing to unsubscribe from their mailing lists.

  • Complaint concerning professional e-mail after the employee has left the company (1)

The CCIN was seized by a former employee who had noticed several months after his departure that his professional email address was still active, which allowed his former employer to reply to messages he had received, as well as to take cognizance of messages of a private nature sent on his professional email.

The CCIN intervened to have the former employee's email address deactivated immediately.

  • Complaint concerning access by an employer to the private data of one employee (1)

In this case, the complainant found that his former employer had accessed his personal e-mail account from his former work computer, had not logged off immediately and had copied some messages and forwarded them to third parties.

In view of the seriousness of this invasion of privacy, the CCIN immediately referred the matter to the Public Prosecutor.

  • Complaints concerning video surveillance devices operated by private entities (7)

- Two complaints concerned video surveillance systems operated in residential buildings:

In both cases, the CCIN imposed the reorientation of the cameras so that they did not film the public domain, and in particular the traffic lanes and the surrounding pavements.

In addition, in one case, the CCIN requested the installation of a standby device for the display screen in the caretaker's lodge, as well as an access authorisation system to record the data of connection to the images.

- Four other complaints were lodged by employees or trade unions, concerning the use of cameras to monitor employees' work:

In two cases, the cameras were installed without any prior formality. They were immediately deactivated pending the issuance of operating authorisations by the Minister of State and the CCIN.

In the third case, the cameras were installed above the guards' workstations, subjecting them to constant and inappropriate surveillance. At the request of the CCIN, the system was regularised, and the cameras were reoriented.

The fourth case concerned a video surveillance system authorised by the CCIN but whose images were used to monitor the work and working hours of employees. In addition, the access rights to the images had been extended from the scope of the initial authorisation. The situation was regularised, with the CCIN requesting that persons with access to the images, and in particular the immediate superiors, be explicitly informed that the images may under no circumstances be used for any purpose other than the preservation of the security of persons and property.
- One complaint was lodged by a client of a shop:

The client had noticed that cameras had been installed without any information (no pictogram at the entrance). The cameras were deactivated following the intervention of the CCIN.

  • Complaint concerning the taxi fare management system (1)

Personal data have been illegitimately communicated to the Professional Association of Taxi Drivers.

The CCIN recalled good practice. The Association is only responsible for the technical management of the system, and this task does not give it access to the identifying data of members of the profession.

Moreover, the CCIN was often approached by people who, without wishing to make formal complaints, wanted to know the applicable rules, in order to know their rights or to ensure compliance with good practice, in the following areas:

  • Sending medical certificates in the event of sick leave

If employees prefer to send medical certificates to their employer, the latter is responsible for communicating them to the insurer in a sealed and confidential envelope, with a formal ban on seeing the contents of the envelope.

  • Obligation imposed by employers to permanently activate the web cam of employees working from home, or even in the office

Webcams should not be used all the time, but only in specific circumstances (e.g., participation in certain work meetings by video conference). In any case, employees should be able to refuse to use the camera, unless there is good reason to do so (e.g. when the nature of the meeting justifies a specific means of identifying participants). If this is not the case, the use of conference calls is an appropriate way of participating in work meetings (at home or at the office).

Videoconferences or telephone conferences should not be recorded, unless there is a specific justification for doing so, for example for evidential purposes. In this case, it must be previously declared to the CCIN, and the participants must be informed in advance.

  • Use of cameras in the workplace

Any video surveillance system implemented in a workplace is subject to prior authorisation by the Minister of State and the CCIN. Such a device must only be used for the purpose of security of persons and property and must not be used to monitor the work or working time of employees. The cameras must not be directed at employees' workstations, except in a few very specific cases (e.g., handling money or valuable objects).

Employees should be informed in advance of the installation of cameras (e.g., by a visual pictogram at the entrances to the establishment).

Employees have a right of access to images concerning them. If the employee so wishes, the employer must provide him/her with a copy of the images in which the employee appears, while preserving the rights of third parties.

 

2. Decisions of the Monegasque Courts

In 2021 the Correctional Court ruled twice on cases for which the CCIN had referred to the Public Prosecutor.

  • The first case concerned the qualification of personal data (“information nominative”), and the limitations on the exercise of the right of access.

The Correctional Court recognised that a mobile phone's boundary data constituted personal data. According to Monegasque law, “Personal data, in all of its forms, is any information that can be used to determine a natural person’s identity (specific or identifiable). Is recognised as identifiable, a person who can be identified, directly or indirectly, in particular with reference to an identification number or one or more specific marks that form the person’s own physical, physiological, psychic, economic, cultural, or social identity.”

The Court thus considered "that information, such as a mobile phone number that is linked to a single person, where it allows that person to be identified, even indirectly, is personal data within the meaning of the law.“

As the collection and recording of data from mobile phones that have "hooked" or activated terminals is necessarily automatic, the Court concluded that the operator of such equipment is a data controller, subject to the obligations regarding the implementation of automated processing.

As regards the limitations on the right of access to data, the Court noted that the request for communication concerned "information that is unquestionably part of the results of a criminal investigation because it was obtained following judicial requisitions and is therefore covered by the secrecy provided for in Article 31 of the Code of Criminal Procedure" relating to the secrecy of the investigation. The request for disclosure could not therefore be granted.

- In the second case, the Correctional Court had to rule on the validity of an investigation mission conducted by the CCIN, and on the mention of this case in the annual activity report of the CCIN.

At issue were cameras used to monitor the work and working hours of employees.

The defendants invoked the nullity of the control operations on the basis of the provisions of Article 6.1 of the European Convention for the Protection of Human Rights guaranteeing the right to a fair trial.

They argued that Article 18 of the Monegasque Law violated the right not to participate in one's own incrimination by remaining silent in that it provides that, in the context of the CCIN's investigation mission, persons questioned are required to provide the information requested except in cases where they are bound by professional secrecy as defined in Article 308 of the Criminal Code.

They also argued that the mention of this case in the CCIN's annual activity report, although anonymised, violated the principle of equality of arms, infringed the presumption of innocence and the adversarial principle, and violated the obligation of secrecy surrounding criminal investigations, insofar as the file had been transmitted to the public prosecutor.

None of these arguments were accepted by the Correctional Court.

With regard to Article 18 of the Monegasque Law, which requires respondents to provide the investigating officers with the information requested, except in the case of professional secrecy, the argument that there was a breach of equality of arms did not succeed.

The Court held that the findings made by the CCIN investigating officers had been of a purely technical and factual nature and considered that this provision allowed the members of the CCIN to carry out their mission. The Court noted that the investigators' findings had been notified to defendants, who had sufficient time to make their observations. In the present case, the material findings of the CCIN had not been contested.

The Correctional Court also ruled that the publication of an annual activity report is a legal obligation of the CCIN.

With regard to the publication in question, the Court noted that it did not mention the names and capacities of the defendants, nor the brand name operated and, more generally, no information enabling them to be identified, even though the formal notice sent to them could have been made public under the Monegasque law.

The defendants were each fined €1,000 for unlawful use of automated personal data processing and ordered to pay €2,400 in damages to the former employees who had sued for damages, insofar as it was admitted by the Correctional Court that the cameras were used to monitor the work and working hours of the employees, which is formally prohibited by the CCIN.

Finally, with regard to the reform of personal data protection legislation underway in Monaco (see our previous publications), it should be noted that the CCIN deplored the fact that some of the changes it had recommended were not considered in the final version of the bill submitted to Parliament, and that it would endeavour to obtain these changes during the parliamentary proceedings. A forthcoming publication will be devoted to this subject.

Source:

CCIN, Rapport d’activité annuel 2021, 13e rapport public, 115 pages https://www.ccin.mc/fr/publications/rapports-d-activites

 

Article provided by INPLP members: Thomas Giaccardi and Anne Robert (99 Avocats associés, Monaco)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.