On 20 December 2023, the Monaco Data Protection Agency (“Commission de Contrôle des Informations Nominatives” – “CCIN”) has issued a warning against H.E the Minister of State of Monaco for non-compliance with Monaco Data Protection law 1.165 dated 23 December 1993 (“Monaco Data Protection Law”) during its management of Covid-19 crisis. Given the urgency, the Monaco Government has processed personal data of various Monaco nationals, residents and workers. Initially, the processing of personal data was limited to Covid-19 testing but progressively the Monaco Government has collected more data and especially heath data without fulfilling Monaco Data Protection Law requirements.
Between 2020 and 2022, the CCIN has sent several warnings to the Minister of State regarding the processing of data and especially health data. In the absence of satisfactory responses, following investigations conducted by the CCIN, the Monaco Government was sanctioned D for non-compliance with articles 7, 10-1, 14 and 17 of Monaco Data Protection Law. More precisely, the following failures were identified:
- Non-compliance with prior declaration/authorization to/from the CCIN requirement before any processing of personal data;
- Non-compliance with the recommendations issued by the CCIN regarding the processing of personal data after the declaratory filing made by the Monaco Government;
- Failure to update the “Covid-19 database”, excessive retention periods, no policy for deleting personal data;
- Absence ofinformation of the data subjects of the processing of its personal data;
- Lack of sufficient data security.
This sanction is also a warning for all Monaco data processors regarding the importance of complying with Monaco Data Protection. This is also a reminder that the CCIN holds sanction powers. Non-compliance with Monaco Data Protection Law can also lead to a sanction of imprisonment up to 1 year and fines up to 90.000 EUR.
Data protection is a sensitive and complex matter in Monaco with a prior declaration/authorization to/from the CCIN requirement before processing personal data. Monaco has its own regime and GDPR is not applicable as a third-party country. However, since 2021 a new draft bill is being discussed in order to harmonize Monaco Data Protection Law with GDPR so as to place Monaco as a jurisdiction with an “adequate level of protection” for privacy purposes (read our latest news on this exciting matter here).
Our Firm has an extensive track record on Monaco Data Protection matters with an in-house certified Data Protection Officer (DPO). We would be pleased to assist in your compliance with Monaco Data Protection Law and help you to avoid any risk of sanctions!