The Principality of Monaco modernizes its data protection legislation with the adoption of Bill 1954 on November 28. Inspired by the European General Data Protection Regulation (GDPR), this ambitious reform strengthens individual rights and increases corporate accountability.

Key Provisions of the Law

Expanded Scope : The new law applies to the processing of personal data by data controllers or processors established in Monaco, as well as those located outside the Principality that process data of individuals within Monaco's territory.

: The new law applies to the processing of personal data by data controllers or processors established in Monaco, as well as those located outside the Principality that process data of individuals within Monaco's territory. Strengthening Individual Rights : The rights of individuals are significantly enhanced, including the right to data portability, the right to erasure, and the right to restrict processing.

: The rights of individuals are significantly enhanced, including the right to data portability, the right to erasure, and the right to restrict processing. Creation of the Personal Data Protection Authority (APDP) : The law establishes the APDP, which succeeds the Commission for the Control of Personal Information (CCIN). This new authority, composed of 8 expert members, will primarily oversee compliance with personal data processing and advise data controllers, processors, and individuals.

: The law establishes the APDP, which succeeds the Commission for the Control of Personal Information (CCIN). This new authority, composed of 8 expert members, will primarily oversee compliance with personal data processing and advise data controllers, processors, and individuals. Elimination of Formalities with the Regulator : The bill largely eliminates the need for prior declarations or authorizations for processing, with certain exceptions for data transfers to countries that do not ensure an adequate level of protection, public space video surveillance, and particularly sensitive or high-risk data processing.

: The bill largely eliminates the need for prior declarations or authorizations for processing, with certain exceptions for data transfers to countries that do not ensure an adequate level of protection, public space video surveillance, and particularly sensitive or high-risk data processing. Appointment of a Data Protection Officer (DPO) : The law requires companies to appoint a DPO in certain cases, particularly for public bodies or when processing involves regular and systematic large-scale monitoring of individuals.

: The law requires companies to appoint a DPO in certain cases, particularly for public bodies or when processing involves regular and systematic large-scale monitoring of individuals. Maintenance of a Processing Activities Register : Companies with at least fifty employees must maintain a register of processing activities accessible to the APDP, with some exceptions.

: Companies with at least fifty employees must maintain a register of processing activities accessible to the APDP, with some exceptions. Conducting Impact Assessments: In certain situations explicitly mentioned by the law or when a type of processing is likely to pose a high risk to the rights and freedoms of individuals, an impact assessment must be conducted.

Sanctions for Non-Compliance

The bill significantly strengthens the sanctions regime:

The APDP will have the power to impose administrative fines of up to 10 million euros.

Criminal penalties are also provided for the most serious offenses.

These sanctions aim to ensure effective enforcement of the law and encourage companies to take their data protection obligations seriously.

Application of the Law Over Time

The new law is immediately applicable but provides compliance deadlines for certain data controllers and obligations.

Data controllers who have regularly implemented personal data processing before the law's effective date have one year to comply with the new obligations, including maintaining a processing activities register, appointing a DPO, and implementing security obligations.

A three-year period is also granted to conduct the impact assessments required by the law.

This reform represents a major step forward for data protection in Monaco. It is crucial for companies to prepare effectively to avoid any sanctions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.