Activity of the personal data supervisory authority of Monaco in 2021
The Personal Data Supervisory Authority (hereinafter "CCIN") has published its 13th Activity Report covering the year 2021. This article outlines the interventions of the CCIN regarding complaints addressed to it by data subjects (1) and the decisions of the Monegasque courts related to personal data protection (2).
1. Complaints to the CCIN
The number of complaints addressed to the CCIN has increased, with 28 complaints recorded in 2021 (19 complaints in 2020) involving the right of deletion of online content (14 complaints), the right of access (2), commercial prospecting (2), professional e-mail after the employee has left the company (1), access by an employer to the private data of one employee (1), video surveillance devices operated by private entities (7), the taxi fare management system (1).
- Complaints concerning the right of deletion of online content (14)
Of these fourteen complaints, three were found to be inadmissible due to lack of evidence to deal with and three were resolved directly by the complainants with the media concerned even before the CCIN had to intervene.
- Of the eight requests finally processed by the CCIN, six concerned social networks:
The first case involved five fake accounts (two on Facebook, one on Instagram, one on LinkedIn and one on Twitter) created in the name of a high-level personality of the Principality. These fake accounts were used, among other things, to post comments on other official pages, which not only undermined the personality but also misled Monegasque residents into thinking that these accounts were official media, as more and more of them subscribed to them.
Another case involved the deletion of two Instagram accounts that had been hacked and used to send sexually explicit photos of minors.
The third case involved a fake LinkedIn account that usurped, again, the identity of a very high-profile person for the purpose of fraud.
The fourth case concerned a request from a Monegasque athlete to recover a Facebook and Instagram account that had been hacked. The athlete, who was publicly known, had started the procedure for certification of her Instagram account through the official application of the social network. In response to her request, however, she was asked to provide a copy of her ID and to change the email address associated with her account. Following these two actions, the hackers were able to take control of this account as well as the Facebook account associated with it.
In the last two cases, two Monegasque institutions seized the CCIN to recover their respective official accounts which were no longer accessible.
Following the intervention of the CCIN, all these accounts were promptly deleted or recovered.
- The other two complaints were about fake websites:
In the first case, a fake website had been created on Wix in the name of a student to post sexual content. The student did not appear in the images and videos posted, but her photo was used as a profile icon and cover page. The site was removed within 24 hours of the CCIN's intervention.
The second case involved two fake websites created on Google, each in the name of two different people, in order to spread unjustified accusations against them.
Google granted the first de-listing request because, although the site referred to the professional role of the person concerned, it considered that the complainant was not a public figure and that other elements of his private life were present on the URL.
However, the search engine refused to delist the second site, saying it was not in a position to comment on the accuracy of the statements made against the complainant, especially as other publishers, including the International Consortium of Investigative Journalists, had reported on related issues concerning him.
- Complaints concerning the right of access (2)
The first complaint was lodged by an individual registered with a temporary employment agency who had not responded to his request for the names of the entities to which his application had been forwarded, on the grounds that these recipient entities wished to keep this information confidential, in a competitive sector of activity.
The second complaint concerned access to telephone recordings by a former employee, in the context of a conflict with his hierarchy.
On instruction from the CCIN, the data controllers had to transmit the data, in the first case directly to the complainant, in the second case to the complainant's duly mandated counsel.
- Complaints concerning commercial prospecting (2)
Two people referred the matter to the CCIN after receiving advertising emails and SMS from entities they did not know. The advertising messages concerned commercial brands unknown to the complainants but marketed by brands of which they were customers.
The CCIN invited these entities to make more visible and accessible the links allowing to unsubscribe from their mailing lists.
- Complaint concerning professional e-mail after the employee has left the company (1)
The CCIN was seized by a former employee who had noticed several months after his departure that his professional email address was still active, which allowed his former employer to reply to messages he had received, as well as to take cognizance of messages of a private nature sent on his professional email.
The CCIN intervened to have the former employee's email address deactivated immediately.
- Complaint concerning access by an employer to the private data of one employee (1)
In this case, the complainant found that his former employer had accessed his personal e-mail account from his former work computer, had not logged off immediately and had copied some messages and forwarded them to third parties.
In view of the seriousness of this invasion of privacy, the CCIN immediately referred the matter to the Public Prosecutor.
- Complaints concerning video surveillance devices operated by private entities (7)
- Two complaints concerned video surveillance systems operated in residential buildings:
In both cases, the CCIN imposed the reorientation of the cameras so that they did not film the public domain, and in particular the traffic lanes and the surrounding pavements.
In addition, in one case, the CCIN requested the installation of a standby device for the display screen in the caretaker's lodge, as well as an access authorisation system to record the data of connection to the images.
- Four other complaints were lodged by employees or trade unions, concerning the use of cameras to monitor employees' work:
In two cases, the cameras were installed without any prior formality. They were immediately deactivated pending the issuance of operating authorisations by the Minister of State and the CCIN.
In the third case, the cameras were installed above the guards' workstations, subjecting them to constant and inappropriate surveillance. At the request of the CCIN, the system was regularised, and the cameras were reoriented.
The fourth case concerned a video surveillance system authorised by the CCIN but whose images were used to monitor the work and working hours of employees. In addition, the access rights to the images had been extended from the scope of the initial authorisation. The situation was regularised, with the CCIN requesting that persons with access to the images, and in particular the immediate superiors, be explicitly informed that the images may under no circumstances be used for any purpose other than the preservation of the security of persons and property.
- One complaint was lodged by a client of a shop:
The client had noticed that cameras had been installed without any information (no pictogram at the entrance). The cameras were deactivated following the intervention of the CCIN.
- Complaint concerning the taxi fare management system (1)
Personal data have been illegitimately communicated to the Professional Association of Taxi Drivers.
The CCIN recalled good practice. The Association is only responsible for the technical management of the system, and this task does not give it access to the identifying data of members of the profession.
Moreover, the CCIN was often approached by people who, without wishing to make formal complaints, wanted to know the applicable rules, in order to know their rights or to ensure compliance with good practice, in the following areas:
- Sending medical certificates in the event of sick leave
If employees prefer to send medical certificates to their employer, the latter is responsible for communicating them to the insurer in a sealed and confidential envelope, with a formal ban on seeing the contents of the envelope.
- Obligation imposed by employers to permanently activate the web cam of employees working from home, or even in the office
Webcams should not be used all the time, but only in specific circumstances (e.g., participation in certain work meetings by video conference). In any case, employees should be able to refuse to use the camera, unless there is good reason to do so (e.g. when the nature of the meeting justifies a specific means of identifying participants). If this is not the case, the use of conference calls is an appropriate way of participating in work meetings (at home or at the office).
Videoconferences or telephone conferences should not be recorded, unless there is a specific justification for doing so, for example for evidential purposes. In this case, it must be previously declared to the CCIN, and the participants must be informed in advance.
- Use of cameras in the workplace
Any video surveillance system implemented in a workplace is subject to prior authorisation by the Minister of State and the CCIN. Such a device must only be used for the purpose of security of persons and property and must not be used to monitor the work or working time of employees. The cameras must not be directed at employees' workstations, except in a few very specific cases (e.g., handling money or valuable objects).
Employees should be informed in advance of the installation of cameras (e.g., by a visual pictogram at the entrances to the establishment).
Employees have a right of access to images concerning them. If the employee so wishes, the employer must provide him/her with a copy of the images in which the employee appears, while preserving the rights of third parties.
2. Decisions of the Monegasque Courts
In 2021 the Correctional Court ruled twice on cases for which the CCIN had referred to the Public Prosecutor.
- The first case concerned the qualification of personal data (“information nominative”), and the limitations on the exercise of the right of access.
The Correctional Court recognised that a mobile phone's boundary data constituted personal data. According to Monegasque law, “Personal data, in all of its forms, is any information that can be used to determine a natural person’s identity (specific or identifiable). Is recognised as identifiable, a person who can be identified, directly or indirectly, in particular with reference to an identification number or one or more specific marks that form the person’s own physical, physiological, psychic, economic, cultural, or social identity.”
The Court thus considered "that information, such as a mobile phone number that is linked to a single person, where it allows that person to be identified, even indirectly, is personal data within the meaning of the law.“
As the collection and recording of data from mobile phones that have "hooked" or activated terminals is necessarily automatic, the Court concluded that the operator of such equipment is a data controller, subject to the obligations regarding the implementation of automated processing.
As regards the limitations on the right of access to data, the Court noted that the request for communication concerned "information that is unquestionably part of the results of a criminal investigation because it was obtained following judicial requisitions and is therefore covered by the secrecy provided for in Article 31 of the Code of Criminal Procedure" relating to the secrecy of the investigation. The request for disclosure could not therefore be granted.
- In the second case, the Correctional Court had to rule on the validity of an investigation mission conducted by the CCIN, and on the mention of this case in the annual activity report of the CCIN.
At issue were cameras used to monitor the work and working hours of employees.
The defendants invoked the nullity of the control operations on the basis of the provisions of Article 6.1 of the European Convention for the Protection of Human Rights guaranteeing the right to a fair trial.
They argued that Article 18 of the Monegasque Law violated the right not to participate in one's own incrimination by remaining silent in that it provides that, in the context of the CCIN's investigation mission, persons questioned are required to provide the information requested except in cases where they are bound by professional secrecy as defined in Article 308 of the Criminal Code.
They also argued that the mention of this case in the CCIN's annual activity report, although anonymised, violated the principle of equality of arms, infringed the presumption of innocence and the adversarial principle, and violated the obligation of secrecy surrounding criminal investigations, insofar as the file had been transmitted to the public prosecutor.
None of these arguments were accepted by the Correctional Court.
With regard to Article 18 of the Monegasque Law, which requires respondents to provide the investigating officers with the information requested, except in the case of professional secrecy, the argument that there was a breach of equality of arms did not succeed.
The Court held that the findings made by the CCIN investigating officers had been of a purely technical and factual nature and considered that this provision allowed the members of the CCIN to carry out their mission. The Court noted that the investigators' findings had been notified to defendants, who had sufficient time to make their observations. In the present case, the material findings of the CCIN had not been contested.
The Correctional Court also ruled that the publication of an annual activity report is a legal obligation of the CCIN.
With regard to the publication in question, the Court noted that it did not mention the names and capacities of the defendants, nor the brand name operated and, more generally, no information enabling them to be identified, even though the formal notice sent to them could have been made public under the Monegasque law.
The defendants were each fined €1,000 for unlawful use of automated personal data processing and ordered to pay €2,400 in damages to the former employees who had sued for damages, insofar as it was admitted by the Correctional Court that the cameras were used to monitor the work and working hours of the employees, which is formally prohibited by the CCIN.
Finally, with regard to the reform of personal data protection legislation underway in Monaco (see our previous publications), it should be noted that the CCIN deplored the fact that some of the changes it had recommended were not considered in the final version of the bill submitted to Parliament, and that it would endeavour to obtain these changes during the parliamentary proceedings. A forthcoming publication will be devoted to this subject.
CCIN, Rapport d’activité annuel 2021, 13e rapport public, 115 pages https://www.ccin.mc/fr/publications/rapports-d-activites
Article provided by INPLP members: Thomas Giaccardi and Anne Robert (99 Avocats associés, Monaco)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
- Alle zeigen
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010