ACTIVITY OF THE PERSONAL DATA SUPERVISORY AUTHORITY OF MONACO (CCIN) IN 2023/24
This article is devoted to the positions of principle of the personal data supervisory authority of Monaco (hereinafter “CCIN”) formulated in the context of complaints or requests for authorisation to implement data processing in 2023 (I), as well as its recommendations and practical information sheets published in the first quarter of 2024 (II).
1. Positions of principle of the CCIN formulated in the context of complaints or requests for authorisation to implement data processing in 2023
The CCIN recalled the principles governing the use of communication tools in connection with the professional environment (1) and the data processing implemented in the fight against money laundering and the financing of terrorism (2).
1.1. Principles governing the use of communication tools linked to the professional environment
a) Good practice in electronic messaging when an employee leaves permanently:
The CCIN has issued a reminder of the best practices to adopt in the event of an employee's permanent departure, given that it is more and more often approached by former employees who have noticed that their professional email address is still active even though they left their job several months ago:
- When an employee leaves the company for good, his or her email inbox should be "blocked" (i.e. he or she should no longer be able to receive or send emails), with the exception of an automatic message informing the sender of the email that the person no longer works for the company, and that he or she should henceforth send his or her emails to a given address. This arrangement may be kept in place for a maximum of 3 months, depending on the duties and degree of responsibility of the former employee.
- At the end of this period, the former employee's personal email address will be deactivated (deleted).
- The employer must allow the employee to retrieve any private emails that may be in the employee's nominative professional email inbox.
b) Principles governing the right of access to a private chat and to personal data processed:
Employees of a company had set up a private chat on their personal telephones to discuss a proposed restructuring of their company. One of the employees had informed the employer of the content of this chat. Both the employees and the employer referred the matter to the CCIN to find out which employee had given the information. The CCIN refused to grant access to the content of the private chat or to seek out the employee who had given the information to the employer, pointing out that the employer could not in any way draw consequences from a private chat between employees of which it should not have been aware.
Faced with recurring complaints relating to the right of access, the CCIN has reiterated the basic principles for responding to a request for access to personal data processed:
- under Monegasque law, the right of access does not entitle the holder to obtain a copy of all documents concerning him or her;
- the response to a request for right of access must respect the rights of third parties (the right of access must not be a means for the applicant to obtain personal information about third parties);
- a copy (in black and white, crossed out) of an identity document may only be requested when there are doubts about the identity of the person requesting access.
1.2. Principles governing the data processing carried out in the context of the fight against money laundering and the financing of terrorism
In 2023, the CCIN issued 18 deliberations on data processing as part of the fight against money laundering and the financing of terrorism (AML/CFT), most of which concerned banking institutions, in addition to chartered accountants, ship lessors and lawyers for activities relating to their clients' financial or real estate transactions.
The CCIN pays particular attention to the strict application of, and compliance with, the texts governing the AML/CFT field.
a) In this context, the CCIN very often has to request that the scope and coverage of the due diligence measures provided for by law not be extended:
The purpose of the processing chosen by the data controller is generally precise and explicit (e.g. "Management of the identification/verification of persons subject to the AML/CFT - KYC"; "Responding to requests for information from the Monegasque Financial Security Authority (AMSF)" or "Management of suspicious transaction reports").
However, with regard to the scope of the due diligence measures, the CCIN is often called upon to point out that the employees of the entities subject to the law are only concerned by the processing in their capacity as transaction managers, and that they should not be subject to the due diligence measures put in place in the context of AML/CFT processing (AML/CFT risks must be taken into account when recruiting staff, and according to the level of responsibilities exercised).
b) With regard to checks on Politically Exposed Persons (PEPs), the CCIN must frequently reiterate its legal scope:
In their applications for authorisation, data controllers tend to use the broad concept of "all persons of interest", the contours of which are uncertain, whereas the law draws up a list of persons who qualify as PEPs, persons deemed to be members of their family and persons closely associated with them.
When data controllers omit certain categories of persons subject to due diligence measures, the CCIN reinstates them so as not to place the entities subject to the AML/CFT law at legal risk.
c) The origin of the information processed, and the risk assessment profile often call for comments from the CCIN:
Data controllers very often mention doing research on the Internet in order to fulfil their due diligence obligations and completing KYC documentation on prospects or their clients.
As with the risk assessment profile, the CCIN must frequently point out that Internet searches are not categorised as "reliable sources" by the AML/CFT law.
d) Retention periods for information processed in the AML-FT-C domain are the point that calls for the most comments and requests from the CCIN:
The AML/CFT law expressly provides for retention periods, in terms of knowledge of clients, verification of transactions, or concerning prospective clients. However, the CCIN must frequently ask entities subject to the law to comply with the 5-year time limit and to extend it only in the limited cases provided for by law and justified on a case-by-case basis.
The CCIN's requests also concern the retention periods for requests for information from the Monegasque Financial Security Authority (AMSF), the Bar Council (Conseil de l’Ordre des Avocats), the Public Prosecutor (Procureur Général) or the Examining Magistrate (Juge d’instruction), for which the maximum retention period is 1 year. The CCIN limits this 1-year retention period not only to the request for information itself, but also to information relating to the person who is the subject of the request, whether or not this person is known to the professional subject to the AML/CFT law.
However, as there is no legal framework for the retention of information relating to suspicious transaction reports filed by reporting entities, the CCIN has set the following retention periods:
- 5 years after a suspicious transaction report has been filed but no action has been taken by the AMSF;
- 6 months after the AMSF informs the reporting entity of the existence of a judicial decision that has become final;
- a maximum of 1 year from the date of the alert if the alert does not give rise to a suspicious transaction report.
On 18 March 2024, a meeting was held to launch thematic working groups with the Banks to answer recurring questions and harmonise practices within a common document, which could be used to draw up a Code of Conduct once the new legislation on personal data is adopted (see our previous publications).
2. CCIN recommendations and practical information sheets published in the first quarter of 2024
The CCIN has issued recommendations concerning the publication in the Official Journal (Journal de Monaco) of disciplinary sanctions and disability retirement measures for public sector personnel with regard to the right to be forgotten and the right to restriction of processing (1) and published three practical information sheets on "Cloud computing", "The security of processing: a global approach" and "The criterion of establishment" of the data controller in Monaco (2).
2.1. Recommendations concerning the publication in the Official Journal (Journal de Monaco) of disciplinary sanctions and disability retirement measures for public sector personnel
a) Disciplinary sanctions published in the Journal de Monaco: right to be forgotten (dereferencing by de-indexation):
In its Deliberation no. 2024-72 of 20 March 2024, the CCIN recommended changes to Monegasque legislation leading to the automatic publication of certain disciplinary sanctions for public sector personnel in the Journal de Monaco and the implementation of a right to be forgotten.
As Monegasque data protection legislation does not expressly provide for a right to be forgotten, the CCIN has based its recommendation on the case law of the European Court of Human Rights (ECHR), which balances in particular: the nature of the information archived, the time elapsed since the facts, the first publication and posting online, the contemporary interest in the information contained in the publication, the public interest in accessing this information, the notoriety of the person and the negative repercussions of the posting online on the person concerned, as well as the impact of the omission measure (for example Gd Ch, Hurbain v. Belgium, judgment of 4 July 2023, Application no. 57292/16, §§ 200-211).
The CCIN also relied on article R221-16 of the French Code of relations between the public and the administration, which states that "(...) may only be published in the Official Journal of the French Republic under conditions guaranteeing that they are not indexed by search engines (...) 4° Administrative and disciplinary sanctions; (...)".
The CCIN therefore recommended that Monegasque legislation be amended to make publicity an autonomous sanction which is not automatic, and that the right to be forgotten be applied to the publication in the Journal de Monaco of disciplinary sanctions, which should be de-indexed from the Journal de Monaco website within a maximum of 2 years of their publication.
Following this recommendation, a government bill tabled on 22 May 2024 provides for certain categories of individual acts (to be determined by regulation) to be published under conditions guaranteeing that they are not indexed by search engines.
b) Retirement on grounds of invalidity published in the Journal de Monaco: right to privacy and restrictions on the processing of health-related data
In its Deliberation no. 2024-71 of 20 March 2024, the CCIN recommended that measures of retirement on grounds of invalidity published in the Journal de Monaco should no longer mention the reason for the retirement.
The CCIN considered that the fact of indicating that retirement was due to invalidity constituted processing of nominative information revealing data relating to the health of the person concerned, resulting in an infringement of the right to privacy guaranteed by article 22 of the Constitution, article 22 of the Civil Code, article 8 of the European Convention on Human Rights, and article 1 of Monegasque legislation on personal data protection. The dissemination of this type of information revealing a person's medical incapacity to hold a job, in addition to the personal and moral damage, can have significant objective practical consequences for the person concerned in his or her daily life.
In the absence of Monegasque case law on the subject, the CCIN also relied on a decision of the French Conseil d'Etat (M. A. c/ ministre de l'économie, des finances et de la relance, 10 June 2021, req. no. 431875) concerning the limitation of an online publication that indirectly revealed, through the endorsements (decree of 25 August 1995 on the recruitment of disabled workers in the civil service), health data. Once the time limit for appealing against such an act has expired, this publication may be maintained in the form of an extract not mentioning the legal basis of the appointment order, upon request.
The CCIN thus considered that the indication of the grounds of invalidity in a document made public and subject to wide circulation cannot be justified by any valid reason of a nature greater than the interest of the persons subject to the measure in having their right to privacy respected: only the fact that the civil servant has ceased his or her duties may be of interest to third parties; the public interest does not justify the publication of health data; the decision to retire on grounds of invalidity following an adversarial process may be notified to the civil servant by any means, other than publication, which may be appealed against by him or her.
2.2. Practical information sheets on "Cloud computing", "The security of processing: a global approach" and "The criterion of establishment" of the data controller in Monaco
c) Practical information sheet on "Cloud computing":
This factsheet presents the main advantages and disadvantages of the Cloud (public, private, hybrid and multi-cloud) and highlights the main issues it raises in terms of data protection:
- security risk (technical breakdowns; computer attacks considering the concentration of data in one place);
- risk of data loss during backup or storage procedures;
- risk of data leakage and loss of confidentiality, due to the number of existing servers and their relocation;
- risk of loss of control or sovereignty over the data, particularly with regard to the location of the data and its subjection to the laws and regulations in force in the national territory where the servers are located (many countries have introduced legislation or practices, such as the American Cloud Act, enabling them to access data hosted on Cloud services).
Finally, the CCIN recommends the measures to be taken to secure the Cloud, in terms of configuring the Cloud and accessing data, securing accounts and access to accounts, encrypting data, checking the security of the Cloud service provider and implementing internal procedures.
It should be noted that the Principality of Monaco has a sovereign Cloud, which currently relies on two data centres on Monegasque territory and a backup data centre in Luxembourg.
d) Practical information sheet on "The security of processing: a global approach":
This factsheet focuses on the question that many data controllers ask themselves: What do technicians want to know when analysing a file?
The CCIN identifies 6 essential stages in the analysis:
- purpose of the data processing, which requires knowledge of the type of data collected and the data flow;
- authorisations granted and traceability (possible accountability of actions), technical architecture diagram;
- security applied to the data in relation to the purpose;
- data communication media (web portals, e-mail, physical media such as USB keys, etc.);
- transfer of data to a country without adequate protection, with the security of the data concerned by this transfer;
- other related and/or interconnected data processing.
The CCIN has included a very detailed case study (a company based in Monaco submitting a video surveillance file, whose remote surveillance provider is located in Italy).
e) Practical information sheet on "The criterion of establishment" of the data controller in Monaco:
This factsheet focuses on the territorial scope of the Monaco law on data protection, the provisions of which are applicable to “automated processing of personal data implemented by a data controller established in Monaco”.
Since the criterion of establishment is not defined by the text, the CCIN specifies that the existence of an effective, real and stable exercise of activity is to be taken into consideration to retain the existence of an establishment of the data controller in Monaco. It refers to Article 3 (1) and Recital 22 of the GDPR, as well as the Guidelines 3/2018 on the territorial scope of the GDPR adopted by the European Data Protection Board (EDPB).
The CCIN also indicates that the question of the application of Monaco law must be approached differently with regard to services for connected objects and mobile applications.
It distinguishes data processing intrinsically linked to the sale of equipment (cars for example) and associated options which fall within the scope of application of Monegasque law, from data processing relating to options or tools that the buyer can choose to activate or use later (mobile application for example).
Finally, it should be noted that the reform of the data protection law underway in Monaco plans to adopt the GDPR criteria of establishment and targeting.
Source: Commission de Contrôle des Informations Nominatives (CCIN), Rapport d’activité 2023 www.ccin.mc/wp-content/uploads/2024/06/Rapport-CCIN-2023.pdf
Article provided by INPLP members: Thomas Giaccardi and Anne Robert (99 Avocats Associes, Monaco)
Dr. Tobias Höllwarth (Managing Director INPLP)