News
Monaco: the 2019 Report of the Personal Data Protection Authority published
The Monegasque Data Protection Authority (hereinafter “CCIN”) has just published its 11th Activity Report covering the year 2019, of which here is an overview.
Ongoing reform of data protection law in the light of the EU-GDPR
Preparatory work on the overhaul of personal data protection legislation continued via the ad hoc working group set up at the beginning of 2018, bringing together the State services and those of the CCIN on a regular basis.
The CCIN hopes that the "specific points of attention with regard to the European standards governing the subject (...) will be taken into account in the final text" (Activity Report, p. 1).
The CCIN specifies that the entry into force of the new text will profoundly modify its missions.
One objective for Monaco, Non-EU Member State, is also to obtain an adequacy decision from the European Commission, and thereby facilitate the cross-border data transfers. Monaco's main trading partners are European countries.
This reform is eagerly awaited by the private sector, which is often subject, in addition to Monegasque law (system of prior declaration), to the EU-GDPR (record of processing activities), when there is an offer of goods or services to persons located in the territory of the European Union.
The banking and financial sector of the Principality is particularly concerned. Many establishments located in Monaco are subject to the obligations arising from the GDPR, such as the formation, designation, and location of the DPO and the sharing of nominative data between entities of the same group (Activity Report, p. 24).
Processing of personal data and the activity of the CCIN in figures
The total number of personal data processing listed in the Principality's public register was 5,660 on December 31, 2019, of which 447 were newly registered in 2019 (Activity Report, p. 26-31).
During 2019, the CCIN issued 206 deliberations, of which:
- 107 authorised the implementation or modification of data processing, 3 refused to authorise the implementation or modification of data processing;
- 50 gave a favourable opinion on the implementation or modification of data processing, and 3 an unfavourable opinion;
- 28 authorised a transfer of personal data to a country without an adequate level of protection (the largest part related to the banking sector);
- 4 gave an opinion on draft legislative and regulatory texts transmitted by the Minister of State;
- 4 on an investigating mission;
- 2 on a recommendation (see below);
- 4 on a decision on the time limits for storing personal data, 1 on the internal functioning of the CCIN.
New recommendations and practical sheets
The CCIN adopted the following recommendations (Activity Report, p. 64-67):
- Recommendation on how to deposit and how long cookies and other tracers should be kept on the terminals of users of electronic communication networks (Deliberation No. 2019-083 of 15 May 2019);
- Recommendation on the security to be applied to credit card payments for the sale of goods or the provision of services at a distance, as well as to websites (Deliberation No. 2019-084 of 15 May 2019).
Moreover, the CCIN has issued the following fact sheets (Activity Report, p. 78-95):
- Good use of archiving, with, for example, the management and supervision of professional messaging, the litigation management, the case of cloud computing;
- Offering online services to children, based on the Working Paper on Online Services for Children adopted in April 2019 in Bled (Slovenia) by the International Working Group on Data Protection in Telecommunications (“Berlin Group” open to national data protection authorities, but also to representatives of the private sector and NGOs).
Complaints, investigations, sanctions, and fines
The CCIN received 24 complaints in 2019 from both individuals and legal entities, an increase from 2018 (15 complaints), which the CCIN attributes to its awareness-raising campaign (Activity Report, p. 32-41).
The CCIN has been seized on the following basis:
- Right of access, concerning information held by a sports federation over a period of 20 years;
- Right of deletion, concerning: an online auction catalogue containing the portrait of a deceased person who had served as a model for a painter; the photo and contact details of an employee who had still been on the website of her former employer for several months; comments deemed defamatory by Google and Facebook; search engines and the name of a person who was the subject of a freezing of funds measure that ended in 2018; the creation of a fraudulent Facebook page in the name of a car sales company; an unfavourable comment published on the Google My Business page of a service provider; requests to delete from e-mail distribution lists (sending slanderous letters targeting several personalities in the Principality, associations, employers);
- Use of automated processing of personal data, concerning: video surveillance systems operating in a restaurant, a shop, and a residential building; the application by banks and similar institutions of the regulations on the automatic exchange of information in tax matters and MiFID II for transactions in financial instruments; the system for managing taxi drivers' journeys; the loss of connection identifiers to access the results of medical examinations.
On-site inspections of video surveillance equipment were carried out with the authorisation of the Court of First Instance, following: a complaint about possible remote access by management which could have allowed permanent monitoring of staff without their knowledge; and an alert for the installation of cameras in the sanitary facilities of a restaurant.
The Chairman of the CCIN issued one sanction (formal notice for the immediate deactivation of an illegally operated surveillance system). Moreover, considering the numerous irregularities noted during the inspection and the attempt to conceal documents in an employee's file, he forwarded this case to the Public Prosecutor.
In May 2019, the CCIN carried out an online investigation campaign concerning 10 websites. The checks carried out showed a lack of knowledge or mastery of the tools installed on the websites (functionalities, data transfers operated by certain tools used, information to be provided to clients).
The Criminal Court ordered an employer to pay a fine of 18,000 euros and 15,000 euros in damages to a former employee who was unable to obtain tally data.
Source (in French) : CCIN, 2019 Public Report, available at: https://www.ccin.mc/fr/ccin/notre-actualite/197-11eme-rapport-public-2
Article provided by: Thomas Giaccardi and Anne Robert (GIACCARDI & BREZZO Avocats, Monaco)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010