Activity of the Personal Data Supervisory Authority in Monaco
1. CCIN ACTIVITIES IN RELATION TO THE COVID-19 CRISIS
The CCIN was called upon to give its opinion on the extension of the health pass to certain categories of professionals and on the implementation of teleworking following several complaints lodged by employees.
• Extension of the health pass to certain categories of professionals
It should first be noted that Monaco has introduced, from 30 October 2021 and for a period of 18 months, the obligation to vaccinate against COVID-19 for members of staff of an establishment, service or organisation whose mission is to receive or house vulnerable or fragile people, even if they are not in direct contact with them. For example, administrative staff, but also all those who, even outside of these places, work with these people (Law of 20 September 2021 on the compulsory vaccination against COVID-19 of certain categories of people).
With regard to people working in certain places such as restaurants, hotels, sports, or cultural establishments, they are required to present a health pass to access them from 15 December 2021 to 31 January 2022 inclusive (Ministerial Decision of 2 December 2021).
The CCIN has reminded the good practices that must be respected regarding the obligation to present a health pass:
- This obligation applies only during the hours of opening of the establishment to the public;
- The verification of the health pass must not give rise to any collection of information (the document must only be presented in digital or paper format for access to the premises, and a copy may not be requested by the employer or the event organiser);
- The verification of the health pass, or any other proof required, must be carried out by persons specifically authorised to carry out these checks on behalf of the persons responsible for the premises subject to these checks;
- Information to persons subject to the obligation to present a health pass must be provided in a visible and appropriate manner.
• Complaints related to the health crisis
The CCIN received complaints from employees about the implementation of teleworking, which were quickly rectified.
The employers concerned by the complaints asked their teleworking employees to permanently activate the webcam at home during working hours. The CCIN recalled the following principles in this respect:
- In order to preserve the privacy of employees and their entourage, cameras should not be permanently activated, but only in specific circumstances (e.g., participation in certain work meetings by videoconference);
- Employees should be able to refuse to use the camera, unless there is good reason to do so. The use of telephone conferencing is an appropriate way of participating in work meetings;
- Videoconferences or telephone conferences should not be recorded, unless there is a specific justification for doing so, for example for evidential purposes. In such cases, the participants must be informed in advance;
The CCIN also meinded that measures to monitor the activity of employees at home via monitoring tables and activity reports can be conceived in order to monitor the company's activities. However, in the case of monitoring the individual activity of employees, a prior formalism is required (authorisation by the CCIN and information of employees).
Finally, the CCIN was seized by an employee who noted that her nominative professional email address was being used by another employee during the containment period. The principles applicable in this area were also reminded by the CCIN, as follows:
- Blocking of the email in case of permanent departure of the employee;
- Prior information of the employees concerning the rules of use;
- Prior information of employees concerning the rules of access and/or delegation in case of absence;
- Messages identified as "private" must not be consulted by a third party;
- Setting up an automatic response message mentioning the employee's absence or permanent departure and the person to contact.
2. OPINION OF THE CCIN ON THE DRAFT LAW ON THE PROTECTION OF PERSONAL DATA
The CCIN was seized on 31 July 2020 of the draft law aiming to reform the Monegasque law on personal data protection, after two years of exchanges between the CCIN and the Government (see our previous publications). The aim is to bring Monegasque legislation closer to the European data protection package (GDPR and the EU “Police Justice” Directive) while considering the provisions of the Council of Europe's modernised Convention 108, which is applicable in Monaco.
The Principality is seeking to obtain an adequacy decision from the European Commission, in order to facilitate data transfers to Monaco, which is in the process of developing its digital service offerings.
• The draft law provides for the disappearance of a large number of prior formalities with the CCIN, which until now have been the responsibility of data controllers, in favour of the principle of accountability (a posteriori control), with the exception of the most sensitive data processing, such as those implemented for the prevention and detection of criminal offences, investigation and prosecution of criminal offences or the execution of criminal sanctions (including the protection against and prevention of threats to public security), involving genetic or biometric data or relating to research in the health field. It should be noted that health data will be the subject of a specific text.
• With regard to "police-justice" processing, the CCIN is of the opinion that the dissemination of the mechanism in several provisions could affect the intelligibility of the norm, its understanding, and therefore its application.
• The right to data portability would also be introduced, but the CCIN expressed reservations about its scope in the draft law.
• The draft law also provides for the appointment of a Data Protection Officer, an impact assessment and the strengthening of the obligations incumbent on data controllers and their processors, including the keeping of a register of processing activities. The CCIN considered that this last obligation should be more generalised given the Monegasque economic context.
• The CCIN is also of the opinion that the rights of deceased persons are not sufficiently considered by the draft law envisaged by the government.
• The Autorité de Protection des Données Personnelles - APDP ("Personal Data Protection Authority") would replace the CCIN. The latter has taken a position on the question of the future normative powers of the APDP, pointing out that the planned exclusion from its scope of control of the implementation of certain processing operations (intelligence and preservation of national security) would require the creation of an independent administrative authority to be responsible for this, unless this would contradict the international commitments entered into by Monaco under Convention 108+ of the Council of Europe.
• With regard to the publication of the CCIN's opinions concerning the drafting of texts relating to the protection of personal data or the implementation of processing of such data, the processing implemented by the judicial or administrative authorities concerning public security or relating to offences, convictions or security measures, or having as its purpose the prevention, investigation, observation or surveillance of the use of personal data, the CCIN stressed that the draft provisions remained unsatisfactory in terms of transparency. It deplores that in most cases the publication of the opinion is left to the discretion of the consulting administrative authority, and notes that the mere publication of the meaning of the APDP’s opinion would be detrimental to the data subjects.
The draft law on personal data has just been tabled in Parliament ("Conseil National") and will of course be the subject of a future publication.
Article provided by INPLP member: Thomas Giaccardi and Anne Robert (GIACCARDI & BREZZO AVOCATS, Monaco)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)