PERSONAL DATA PROTECTION LAW IN MONACO: A “STRUCTURAL MODIFICATION” ANNOUNCED
The CCIN’s 2018 Activity Report refers to “the structural modification in domestic law governing the protection of personal data”.
Thus, the Monegasque Authorities have a twofold objective:
- “to incorporate the amendments made to Convention 108 as they result from the Amending Protocol adopted by the Committee of Ministers of the Council of Europe in May 2018 and signed by the Monegasque Authorities on 10 October 2018”;
- ”to take into account the principles introduced on the territory of the European Union by the General Data Protection Regulation (GDPR), in order to ensure that the Principality benefits from the highest standards in this area (…) bearing in mind, of course, the adequacy benchmark on which the European Commission will base its analysis when it will have to evaluate the level of personal data protection guaranteed by the new Monegasque legislation, with regard to the GDPR”.
Monaco's geographical proximity to the territory of the European Union in practice means that a large number of Monegasque entities must comply with both Monegasque law and GDPR, which each has its own compliance logic.
Indeed, the Monegasque current domestic legislation is based on the system of preliminary formalities (ordinary or simplified declaration, authorization or legal advisory request), while the GDPR is based on the principle of accountability with self-regulatory mechanisms.
Another difference lies in the notification of a personal data breach to the personal data protection authority.
To date, the only notification obligation to the CCIN concerns breaches in personal data processed in connection with the automatic exchange of tax information.
Outside of this context, in the case of a personal data breach involving natural persons located on the territory of the European Union, the CCIN redirects the entities concerned to the competent supervisory authority.
Thus, on the recommendation of the CCIN, the French supervisory authority (Commission nationale de l’Informatique et des Libertés - CNIL) has already been seized by Monegasque entities pursuant to Article 33 of the GDPR.
Already, the GDPR has a significant influence on the CCIN’s guidance, as evidenced by its Deliberation No. 2019-083 of 15 May 2019 on the placing and storage period of cookies and other tracers on the terminals of users of electronic communication networks.
It is clear from this Deliberation, that the CCIN is oriented towards the GDPR principle of prior, explicit and specific consent to cookies.
According to the CCIN, “the banner must not be used solely for informative purposes but must allow the approval or deactivation of the placing of cookies directly on the website by a positive action of the person concerned, if possible by type of cookie (advertising, analytical, social networks, etc.) with an option allowing a global refusal expressed at once”.
Thus, the continuation of navigation on a website does not constitute valid consent to the placing of cookies.
In this respect, only cookies strictly necessary for the operation of a website may be placed in a user's terminal without his/her consent, while other cookies must be accepted before they are stored. In case of refusal by the user, the Website must remain accessible and functional.
The new Monegasque legislation on personal data protection, which will be inspired by the high standards of the GDPR, should be adopted by 2020 at the latest.
- CCIN 2018 Activity Report (French), available at: https://www.ccin.mc/images/documents/8db84881d0dc388910a0ff0e29bd477b-RAPPORT-CCIN-2018.pdf
- CCIN Deliberation No. 2019-083 of 15 May 2019 (French), available at: https://www.ccin.mc/images/documents/32c5eab5e5e3c6ead582ea38b40dc939-Delib-2019-083-Recommandation-cookies.pdf
Article provided by: Thomas GIACCARDI, Defense-Attorney, Founder; Anne ROBERT, Senior Associate (GIACCARDI & BREZZO Avocats).
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, firstname.lastname@example.org