News

MONACO STRENGTHENS ITS LEGAL FRAMEWORK FOR THE PROTECTION OF PERSONAL DATA: NEW LAW 1.565 OF 3 DECEMBER 2024

This article outlines Monaco Law no. 1.565 of 3 December 2024 on personal data protection, and the activity of the new Personal Data Protection Authority (APDP) in the first half of 2025.

The new Monaco Law no. 1.565 of 3 décembre 2024 repeals and replaces Law no. 1.165 of 23 December 1993. This reform is part of a process of convergence with European standards, stemming from the Council of Europe (Convention 108+ ratified by Monaco) and the European Union (GDPR, Directive “Police-Justice” with a view to obtaining an adequacy decision from the European Commission). It is accompanied by the creation of three supervisory authorities by sector. (1)

Since beginning its mandate, the Personal Data Protection Authority (APDP), which serves as the general supervision authority,  has released several significant opinions and recommendations. It is also progressively establishing a supportive framework aimed at assisting professionals in adapting to the new rules throughout this transitional year. (2)

 

1. Key points of Monaco Law, in line with European standards

Law no. 1.565 transposes the obligations arising from Convention 108+ ratified by Monaco on 6 March 2025, and is structured around the fundamental principles stemming from the GDPR. It will be supplemented by regulations (Sovereign Order, Ministerial Order).

Compliance deadlines of one year are set for personal data processing carried out regularly before its entry into force on 14 December 2024.

Monaco law provides for a division of powers between three supervisors, depending of the nature of the data processing concerned:

1. The “Autorité de Protection des Données Personnelles” (APDP) is responsible for the majority of processing operations carried out by private and public bodies;
2. The “Commission Spéciale de Sécurité Nationale” (CSSN) supervises processing carried out for safety, defence or national security purposes;
3. The “Délégué Judiciaire à la Protection des Données” is responsible for processing carried out by the courts, the public prosecutor's office or in the context of international mutual legal assistance.

1.1. Scope of Law no. 1.565

The scope of application of Monaco law in accordance with Convention 108+, enables convergence with the GDPR and the Directive (EU) “Police Justice”.

Personal and material scope

Law no. 1.565 (L.) covers the processing of personal data (whether wholly or partly automated, or non-automated) of natural persons, whether implemented by private or public entities. It includes processing in the context of criminal law, national defence and security, the courts and the public prosecutor's office, and international mutual legal assistance procedures.

It does not apply to processing carried out for strictly personal and domestic purposes as the storage of family photos, private photos on a terminal. (Article 2 L.)

The personal scope of application has been restricted in comparison with previous legislation, which also protected the personal data of legal persons. The practical difficulties of this protection led to its removal.

The Law refers to data contained or intended to be contained in files.

Territorial and extraterritorial scope

Law no. 1.565 incorporates the GDPR criteria. (Article 3 L.) It applies to processing:

-    implemented by a controller or processor established in Monaco, whether or not the processing takes place in Monaco (establishment criterion);

-    relating to data subjects on the territory of Monaco and carried out by a controller or processor established outside the territory of Monaco where the processing activities relate to the offering of goods or services or to monitoring the behaviour of those data subjects (targeting criterion).

1.2. Main principles of protection

Monaco Law incorporates the main principles set out in European texts (Article 4 L.):

1. lawfulness, fairness and transparency;
2. purpose limitation;
3. data minimisation;
4. accuracy of data;
5. limitation of data retention;
6. security.

Specific provisions apply to the consent of minors under the age of 15 in relation to information society services (contracts and other services concluded or transmitted online).

1.3. Rights of data subjects

The rights of the data subjects are substantially aligned with those of the GDPR:

1. right to be informed (Articles 10 and 11 L.) ;
2. right of access (Article 12 L.);
3. right to rectification (Article 13 L.);
4. right to erasure ("right to be forgotten") (Article 14 L.);
5. right to restrict (Article 15 L.);
6. right to object (Article 17 L.);
7. right to data portability (Article 18 L.);
8. right related to automated decision making including profiling (Article 19 L.).

Specific rules apply to the processing of personal data of deceased persons.

1.4. Obligations of data controllers

Law no. 1.565 adopts the accountability approach of the GDPR.

Monaco law removes a very large number of prior formalities to which data controllers were subject under the former legislation (management of customer files, of AML obligations, etc.).

With some exceptions:

1. Particularly sensitive processing (criminal matters, genetic or biometric data required for authentication or identity control, health research): ADPD prior opinion (Article 58 L.);
2. Transfer of data to a country, territory or international organisation that does not ensure an adequate level of protection when the guarantees and conditions are not met:  APDP prior authorisation (Article 58 L.);
3. Video surveillance systems: immediately notified to the APDP (places not open to the public) or Minister of State prior authorisation (places open to the public) (Article 85 L.).

Monaco law incorporates GDPR compliance tools

1. Appointment in certain cases of a representative in Monaco or, failing that, in an EU Member State (Article 25 L.);
2. Appointment in certain cases of a Data Protection Officer (DPO) (Articles 28, 29 and 30 L.);
3. Keeping a Record of Processing Activities (Article 27 L.);
4.  Privacy by design and by default (Article 23 L.);
5. Obligation to notify data breaches likely to result in a risk to the rights and freedoms of the data subjects (Article 32 L.);
6. Obligation to carry out an impact assessment for processing operations that entail a high risk to the rights and freedoms of data subjects (Articles 35 and 36 L.);
7. Possibility of adhering to a code of conduct (Article 33 L.);
8. Possibility of obtaining certification (Article 34 L.).
9. Implementation of appropriate technical and organisational measures to guarantee a level of security appropriate to the risks.

1.5.    Obligations of sub-processors

Law no. 1.565 is more precise than the previous legislation, which placed responsibility solely on the data controller. It provides a new framework for sub-contracting and incorporates joint responsibility.

Inspired by the GDPR, any use of a sub-processor must be governed by a contract, the minimum clauses of which are set out (Article 26 L.).

The sub-processor:

1. must provide sufficient guarantees: implementation of appropriate technical and organisational measures to guarantee a level of security appropriate to the risks;
2. must: in certain cases, appoint a representative in Monaco, a DPO; keep a Record of Processing Activities.

1.6. Administrative sanctions

Monaco has increased the penalties that can be imposed by the APDP, which are adapted to local economic realities:

1. warning;
2. obligation to bring the processing into compliance or to meet the needs of the data subject, which may be subject to a penalty of up to € 10,000 /calendar day of delay;
3. temporary or definitive restriction of processing;
4. withdrawal of authorisation or an injunction to refuse certification or to withdraw the certification granted;
5. withdrawal of the certification issued;
6. total or partial suspension of the decision to approve binding corporate rules (BCR);
7. suspension of data flows to a recipient located abroad;
8. administrative fine of up to €5,000,000 (or, in the case of a company, up to 2% of the total worldwide annual turnover for the previous financial year) or €10,000,000 (or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year) (Articles 53 and 54 L.).

1.7. Right to compensation and jurisdiction

Any person who has suffered material or non-material damage as a result of a breach of Law no. 1.565 may obtain compensation from the data controller or sub-processor.

Law no. 1.565 provides for a right of representation: the data subject may appoint a non-profit-making body, organisation or association, authorised in Monaco or recognised, whose statutory objectives are in the public interest and which is active in the field of protecting the rights and freedoms of data subjects with regard to the protection of their personal data, to act on his or her behalf.

It does not provide for a right of collective action independently of any mandate given by a data subject.

The Monegasque courts have jurisdiction to hear actions against a data controller or sub-processor:

1. with an establishment in Monaco where the processing in question was carried out ;
2. where the data subject is habitually resident in Monaco.

Monaco data protection law has been brought into line with European standards to obtain an adequacy decision from the European Commission and simplify data transfers, by eliminating the need for additional guarantees.

2. Activity of the new Personal Data Protection Authority (APDP) in the first half 2025

Since the beginning of its mandate, the APDP has taken a position on the use of EU Standard Contractual Clauses (SCCs) governing the transfer of personal data to third countries that do not provide an adequate level of protection, and i.a. on the draft regulatory text specifying the application of certain provisions of the new law no. 1.565. Moreover, the APDP is gradually putting in place measures to help professionals comply during this year of transition.

2.1. Recommendations on the EU standard contractual clauses (SCCs)

In its Deliberation no. 2025-002 of 22 January 2025, the APDP specified the conditions under which the EU SCCs set out in the annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 may be used to provide a framework for a transfer of personal data from Monaco to a third country that does not have an adequate level of protection (the United States in this case) with regard to Monaco Law.

EU SCCs cannot be equated with the SCCs referred to in Article 98 of Law no. 1.565, on the grounds that:

1. The SCCs presuppose formal adoption or approval by the APDP, which is not the case for those emanating from a foreign authority;
2. At the date of the deliberation, no contractual clause had been recognised as a SCC by the APDP in application of Article 98.

The EU SCCs are specific clauses within the meaning of Article 100 of Law no. 1.565, making the transfer subject to the prior authorisation of the APDP.

Although the APDP recognises that EU SCCs offer data subjects guarantees corresponding to the highest standards, it notes that data subjects located in Monaco only benefit from the rights provided for in the GDPR and that these are only legally enforcable within the EU.

The APDP therefore requires the insertion of specific additional clauses, aimed at:

1. contractually extend to the data subjects in Monaco the rights recognised by Law no. 1.565;
2. guarantee that these rights can be exercised effectively on Monegasque territory;
3. organising the obligation to inform the APDP in the event of a personal data breach involving data subjects in Monaco;
4. ensure the cooperation of the data controller or sub-processor with the APDP.

Lastly, the APDP points out that these contractual additions are compatible with the EU SCCs, as expressly permitted by Recital 3 of Decision (EU) 2021/914, provided that they do not contradict the content of the EU SCCs or undermine the fundamental rights of data subjects.

The EU SCCs together with the guarantees specific to Monaco must be sent to the APDP for authorisation of the transfer.

2.2. Opinion on the draft Sovereign Order implementing provisions of the new Law no. 1.565

In its Deliberation no. 2025-004 of 19 March 2025, the APDP analysed the draft regulatory text implementing the new Law no. 1.565, in the light of the reference criteria for adequacy under Regulation (EU) 2016/679 (GDPR) (wp254rev.01) and Directive (EU) 2016/680 “Police Justice” (Recommendations 01/2021), given the Monegasque Government's stated objective of obtaining an adequacy decision from the European Commission.

The APDP has drawn attention to the shortcomings in the draft regulation and the adjustments needed to ensure compliance with EU legislation, in particular:

1. Inapplicabilty of sanctions to the State: no targeted exemptions for processing operations relating to State security or defence or those covered by the provisions of the Directive “Police Justice” (the lack of distinction between the processing operations carried out may result in the State being held irresponsible).
2. Certain serious breaches of Law no. 1.565 are not punishable under criminal law (compared with those in force in France):  carrying out processing without complying with prior formalities; continuing processing even though it has been temporarily or permanently restricted, prohibited or its authorisation withdrawn; carrying out data processing for health research purposes without having first informed individuals of their rights, or despite the opposition of the person concerned, or in the absence of the informed and express consent of the person as provided for by law, or in the case of a deceased person, despite the refusal expressed by that person during his or her lifetime.
3. Cooperation between the three supervisory authorities created (APDP, Commission Spéciale de Sécurité Nationale (CSSN) and Délégué Judiciaire à la Protection des Données): not provided for, even though issues may concern different areas of competence at the same time.
4. A single Data Protection Officer (DPO) appointed for the entire Administration, who would liaise with “technical correspondents” who are not trained in the protection of personal data: the APDP refers to a somewhat similar organisation within a group of Luxembourg companies sanctioned by the National Commission for Data Protection.
5. Rights of the data subjects: the APDP has recommended that on-site right of access be reinstated, that the time limits and conditions for requests be regulated, and that greater transparency and protection be ensured in the processing of sensitive data by the Monegasque Institute of Statistics and Economic Studies (IMSEE).
6. Obligations of data controllers and sub-processors: the APDP recommends that these obligations be strengthened by extending the security measures (in addition to pseudonymisation, other technical and organisational measures: encryption, systems to guarantee the confidentiality, integrity and availability of data), introducing an article on the appointment and information to the APDP of the representative appointed in a EU Member State (justified by the impossibility of appointing one in Monaco), specifying the information to be provided concerning the Data Protection Officer (DPO).
7. Functioning of the APDP: clarifications are recommended concerning i.a. the rules applicable to its members (absence or inability to act of the Chairman of the APDP, dismissal of a member for serious misconduct, the situation of conflict of interest), the cooperation with other (Monegasque or foreign) authorities, the extension of the scope of the APDP's internal regulations, the possibility of being heard by a videoconference or audioconference system, the rules of procedure applicable to appeals lodged against decisions of the APDP.
8. Transfers of personal data: the APDP recommends for the adequacy assessment removing the automatic reference to EU adequacy decisions as an assessment criterion (recognition by the EU does not necessarily guarantee a level of protection that complies with Monegasque requirements and should not replace a sovereign assessment by Monaco), an effective review of the implementation of international commitments, a five-yearly assessment of the level of protection, and that it be published or at least sent to the APDP (as is the case in Switzerland and the European Union); with regard to the Binding Corporate Rules (BCRs), the APDP recommends integrations to fill the gaps in relation to its GDPR model, and to specify that subsequent amendments to BCRs previously approved are submitted to it for approval; concerning BCRs validated by foreign authorities, the APDP recommends adding that all the guarantees set out in the Monegasque Sovereign Order must be effective; in the absence of an adequate level of protection, concerning the transfer of data based on the overriding legitimate interests of the data controller, it is recommended to add that all relevant information making it possible to ensure that the conditions referred to in Law no. 1.565 are met must be communicated to the APDP, which may request any additional information.

2.3. Measures to help professionals comply with the new rules stemming from Law no. 1.565

In addition to the opinions and recommendations it has issued on various other legislative texts (on provisions concerning the protection of personal data), which have been referred to it by the executive, judicial and legislative authorities, the APDP is gradually setting up a support system for professionals to help them integrate the new rules into their organisation:

1. New forms and tools: forms for data breach notification, for appointing a DPO, for declaring a video surveillance system; records of processing activities, accompanied by a list of the main processing operations, sheets, definitions and examples for each activity.
2. Professional case studies: currently focusing on human resources, workplace surveillance and video surveillance.
3. Presentations, conferences on the new legal provisions, with a focus on the status of Data Protection Officer (DPO), the compliance tools as part of the new accountability approach with the abolition of most of the formalities prior to the implementation of processing operations.
4. Launch in June of the AI virtual assistant “Céos”: it can answer questions in French, English and Italian concerning the protection and security of personal data in Monaco (Chat, free questions and list of frequently asked questions).

Now awaited to complete compliance with the new rules in Monaco is the publication of the implementing regulations (Sovereign and Ministerial Orders), the criteria triggering the Data Protection Impact Assessment (DPIA), the updated list of countries with an adequate level of protection under Monaco law, the standard contractual clauses (SCCs), the guidelines or recommendations issued by the APDP to facilitate the application of the rules set out in the new Law no. 1.565, etc.

Sources:
Monaco Law no. 1.565 of 3 December 2024 on personal data protection https://legimonaco.mc/tnc/loi/2024/12-03-1.565/
Official Website of the APDP Monaco: https://apdp.mc/
APDP Deliberation no. 2025-002 of 22 January 2025 https://apdp.mc/apdp/publications/deliberations/autorisations/
APDP Deliberation no. 2025-004 of 19 March 2025
https://apdp.mc/wp-content/uploads/2025/03/Deliberation-2025-004-portant-avis-sur-le-projet-dOS-application-Loi-1565.pdf

 

Article provided by INPLP members: Thomas Giaccardi and Anne Robert (99 AVOCATS ASSOCIES, Monaco)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)