All natural or legal entities governed by public law and equivalent who want to implement automated data processing that includes personal information must first complete the required procedure with the CCIN.

For natural or legal entities governed by public law

The legal advisory request procedure

The legal advisory request complemented with appendices and other supporting documents will help the Commission to evaluate the lawfulness of the processing and the quality of the personal information must be addressed to the CCIN by the postal service (registered letter with return receipt) or by hand to the Secretariat of the CCIN in return for a receipt.

When the file is considered incomplete, it is returned to the data controller to be regularised.

In the case where the file is considered admissible, the Commission has two months from the date of reception to adjudicate. This delay can be extended once for the same duration.

After analysing the file, if the Commission gives its authorisation, the processing can only be implemented after it is published in the Journal of Monaco by the data controller, the legal advisory request from the CCIN, and the decision to implement the processing.

If the Commission issues an unfavourable opinion, the processing cannot be implemented. Only a reasoned Ministerial Order will be able to authorise its implementation when appropriate.

The natural and legal entities governed by public law are exclusively subjected to follow the procedure of legal advisory request!

If the data transfers are not adequately protected

Data transfers subject to authorisation

This procedure concerns only data processing pertaining to data transfers to countries that do not have an adequate level of protection. That is, the legislation is not equivalent to the Monegasque Legislation relating to the protection of personal data.
List of countries with an adequate level of protection.

Data transfers must be indicated in an appendix entitled “Authorisation request to transfer data”, which must be enclosed with the legal advisory request.

After the preliminary investigation of the authorisation request of the transfer, the Commission may or may not authorise the transfer of the said data.

In case the authorisation is refused, the transfer shall in no way take place.

For natural or legal entities governed by private law assimilated with the public sector

These organisations can be subject to two distinct procedures:

• The legal advisory request
• The authorisation request

The legal advisory request

This procedure is identical to the one described for natural and legal entities governed by public law.

The authorisation request

Are subject for authorisation by the Commission all processing handled by private companies with a duty of general public interest or public service concession holders:

• Relating to suspected unlawful activities, offences, and security measures;
• Including biometric data required to check persons’ identities;
• For the purpose of surveillance.

When the authorisation file is ready, it must be addressed, with appendices and any other supporting document, to the CCIN by the postal service (registered letter with return receipt) or by hand to the Secretariat of the CCIN in return for a receipt.

When the file is considered incomplete, it is returned to the data controller to be regularised.
In the case where the file is considered admissible, the Commission has two months (excluding data transfers) from the date of reception to adjudicate. This delay can be extended once for the same duration.

After analysing the file, if the Commission gives its authorisation, the data controller is legally authorised to exploit the given computerised file.

This authorisation may be subject to specific conditions that must be strictly adhered to. It should be noted that in case of failure to comply with the provisions of the amended law number 1.165, the authorisation may be withdrawn at any time.

If the Commission refuses the authorisation, the processing cannot be implemented nor any other operation.

For data transfers without an adequate level of protection

The procedure is identical as the one described for natural or legal entities governed by public law.