The rise of digital technology has led to profound and multifaceted transformations affecting almost every aspect of modern life. While these developments open up many opportunities to improve quality of life, they also pose major challenges requiring constant attention and adaptation of regulatory frameworks.
By addressing these dynamics, all relevant stakeholders can effectively collaborate within the digital market while minimizing inherent risks.
The law of December 3, 2024, No. 1.565 on data protection, published in the Journal de Monaco on December 13, 2024, is therefore essential to provide the Principality of Monaco with a legislative framework suited to current concerns, arising from the proliferation of digital spaces for circulation, communication, and consumption.
-
Data as a true economic asset
In recent years, new challenges have emerged alongside the traditional obligations of business activities. Among these key issues, data protection has taken center stage. Moreover, allowing customers to control their data has now become a guarantee of trust.
The Principality of Monaco had already recognized the importance of data protection, given the significant collection and processing of users' personal data made possible by the expansion of the digital sphere.
Indeed, Law No. 1.165 of December 23, 1993, on the protection of personal information, had already introduced data protection rules into Monegasque law. It was later amended in 2008 to adapt to technological developments. However, due to the rapid pace of technological progress, Monaco was no longer fully aligned with all European regulatory standards. Ultimately, the adoption of new provisions was highly anticipated in the Principality to reaffirm its solid economic model.
With the new Data Protection Law of December 3, 2024, there is an increase in obligations for data controllers and processors to ensure long-term accountability. The goal is to strengthen individuals' rights, particularly the right to information and the right to erasure. This marks a true paradigm shift in the approach to data protection.
-
Key contributions of Law No. 1.565
The density of the internet tends to erase borders, making regular monitoring particularly challenging. However, understanding risks requires the ability to anticipate them to mitigate the negative consequences of potential breaches.
To ensure effective oversight of new corporate obligations, the law establishes the Personal Data Protection Authority (APDP), which replaces the Commission for the Control of Personal Information (CCIN). Its primary mission is to ensure compliance with personal data processing regulations and provide guidance to all stakeholders. To enable optimal oversight, the new authority is granted extensive powers, including enhanced sanctioning capabilities, comparable to its European counterparts.
The law also eliminates the need for prior declaration or authorization formalities. However, special attention will be given to data transfers to countries with insufficient protection and to the processing of sensitive data.
These legislative changes also include updates to terminology and an alignment with several terms from the General Data Protection Regulation (GDPR). This ensures better definition of certain obligations while facilitating smoother interaction between different legal frameworks. Notably, the term "personal information" is replaced with "personal data," signaling Monaco’s commitment to aligning with the highest standards of data protection.
-
Compliance with European standards
The December 3, 2024, law is substantially inspired by the GDPR, which came into force on May 25, 2018, with the objective of harmonizing data protection laws across EU member states.
Law No. 1.565 incorporates key GDPR principles such as consent, the right to be forgotten, and data portability for individuals whose personal data is processed. The primary goal is to strengthen individuals' rights while also securing a European Commission adequacy decision, which would facilitate data transfers between the EU and Monaco. This strategic approach is particularly noteworthy.
Furthermore, the GDPR applies to all companies and organizations processing personal data within an EU-based subsidiary or offering goods and services to EU residents, even if they are based outside the EU. Although Monaco is a third country to the EU, its strong ties to the Union across various sectors inevitably bring it under the influence of European regulations. Therefore, Monaco’s extensive adoption of GDPR principles is not surprising.
Additionally, the GDPR plays a crucial role in fostering innovation, encouraging small businesses to develop and scale their digital market projects. Thus, digital sovereignty—closely linked to innovation—finds an echo in Monaco’s legislative modernization, as driven by the new December 3, 2024, law. This reform strengthens Monaco’s economic appeal while ensuring increased security in personal data usage.
It is also worth noting that Law No. 1.565 incorporates requirements from the Council of Europe’s Convention 108+ on the protection of individuals concerning the automated processing of personal data, further demonstrating Monaco’s strong commitment to data protection.
Conclusion
Monaco’s determination to adapt to European regulatory changes is not new, but the law of December 3, 2024, formalizes the modernization of its legal framework, ensuring a secure and trustworthy digital environment.
It will be essential to closely monitor the implementation of these new provisions by businesses to assess compliance and long-term effectiveness. While the law takes immediate effect, a transition period is provided for compliance.
Ultimately, the adoption of Law No. 1.565 reaffirms Monaco’s unwavering commitment to acting optimally, concretely demonstrating its willingness to provide the best possible guarantees for its citizens and businesses.
Additional Obligations
Law No. 1.165 introduces a Chapter IV on the obligations of data controllers and processors to ensure compliance with data protection principles. In addition to previously mentioned requirements, data controllers must:
- Maintain a record of all processing activities and categories of processing activities carried out on behalf of controllers, including specific details;
- Conduct a data protection impact assessment before processing operations that may pose a high risk to individuals' rights and freedoms;
- Appoint a Data Protection Officer under the same criteria as defined in the GDPR;
- Notify the supervisory authority of personal data breaches.