Fact sheets

How to approach the CCIN formalities?

In the well-known nursery rhyme “There was a little boat”, starving sailors draw straws to decide which of them will meet an evil fate.

The drawing of straws, as settled case law holds, is not open to appeal and must be carried out...

Plan of action

The toolbox

Visiting the Internet site of the CCIN is an essential starting point to equip oneself with the necessary resources.

The site of the CCIN is packed with tools to help data controllers. Concretely, this may include:

  • All of the CCIN forms;
  • The legal texts that help to link the request to the forms;
  • The Ministerial Orders that help to determine whether or not the most common processing operations are eligible for the simplified declaration or the ordinary declaration formality;
  • The rulings supporting the 20 recommendations, which help the data controller step by step to complete the form;
  • The rulings already rendered by the Commission, which help to anticipate the Commission's position on a specific point;
  • The publications of the CCIN, notably the reports, which provide more information on certain subjects (for example, processing used by banks, biometry, statistics).

The census

Visiting the Internet site of the CCIN also prompts you to think about which processing operations are actually in use.

For example, the report on automated processing of personal data used by the banking establishments of Monaco is a document that can be shared among the different services and departments of a banking establishment, so that each of them reports the processing operations of its own sector.

Consolidating these different reports enables the person in charge of the CCIN formalities to take a census of all processing operations, in collaboration with the IT department.

In the absence of such a report (which you can draw on in any situation), the purposes of processing set out in the Ministerial Orders and Rulings are invaluable for identifying the essential processing operations.

Moreover, a few simple questions make it easy to determine whether a given processing operation is in use:

  • Do I have employees? (Human resources, access control to the facilities, biometry, video surveillance, geolocation, election of employee delegates, social funds, and so on.);
  • Do I have clients and suppliers? (Professional messaging, management of fixed network telephony and mobile telephony, supplier management, clients/prospects files, online commerce, Internet site);
  • Am I bound by specific regulations inherent to my activity? (Anti-money laundering system, monitoring and recording of telephone conversations, professional whistle-blowing system, FATCA (Foreign Account Tax Compliance Act), patient records management, and so on).

Which processing must be declared?

Any automated processing of personal data, with the exception of processing carried out by a natural person exclusively in the course of his or her personal or domestic activities, requires a formality with the CCIN.

What are the different types of formalities?

For entities in the private sector not subject to article 7 of law no. 1.165, there are four possible formalities that may be carried out:

  • An authorisation request for processing mentioned in article 11-1 of law no. 1.165, that is, processing relating to suspected illegal or unlawful activities, security measures, or comprising biometric data to control a person’s identity, or implemented for surveillance purposes;
  • A legal advisory request relating to research in the domain of health;
  • A simplified declaration, provided that the processing complies with all of the provisions defined in the reference Ministerial Order;
  • An ordinary declaration in all other cases.

Where to start?

It is often recommended to start with the simplified declaration, since the question to settle is whether the processing is eligible for this formality.

The idea is to build understanding by practising on a simple form with few constraints.

Furthermore, it is an opportunity to identify the processing operations that will require an ordinary declaration because they differ from the scope set by the Ministerial Order, by comparing the purpose, the functionalities, the data processed, the storage period and the categories of recipients against those already listed there.

Ordinary declarations, which are purely declarative in nature, can then be completed next, on the understanding that the processing falls outside the scope of application of the Ministerial Order and is not subject to a prior authorisation request under article 11-1 of law no. 1.165.

Finally, authorisation requests require a thorough knowledge of how the processing works and of information security. They very often call for multiple skills, and it is strongly advised that the legal or administrative staff in charge of this type of formality liaise with the service providers or IT services, who are the best qualified to produce a security diagram and to provide the technical background.

Nevertheless, since the ordinary declaration form and the prior authorisation request do not differ in terms of information security, the ordinary declarations will already have provided an excellent way to become familiar with the form.

I am stuck, what should I do?

It is always possible to reach a CCIN agent by phone, or to ask the CCIN for an appointment, for help in completing the formalities.

Security of the processing, or how much detail do the CCIN formalities require?

Article 17, second paragraph, of law no. 1.165 provides that “the measures implemented must ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.”

Simplified declaration form of compliance

Although the data controller is not required, in a simplified declaration of compliance with a Ministerial Order, to describe the security measures applied to the processing and the data, it is worth pointing out that the simplified declaration of compliance procedure applies to processing operations only from the moment that “they implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected and answer legal requirements decreed in case of recourse of a service provider for the implementation of the processing as defined by the article 17 of law no. 1.165, aforementioned”.

The data controller moreover undertakes “to take all necessary measures, according to the technical evolution, to allow an appropriate level of security for the protection of the processing and of the information to the risks represented”.

Use of the simplified declaration of compliance therefore does not in any way exempt the data controller from taking all necessary technical measures to ensure the security of the processing and of the personal data it contains.

The so-called “ordinary” declaration system

In accordance with article 8-7 of law no. 1.165, the declaration must refer to “the measures implemented to ensure the security of the processing and of the information and the guarantee of secrets protected by law”.

In the declaration, this requirement takes the form of yes/no questions about the security of the processing, followed by a free-text field in which the measures taken for this purpose can be briefly described.

For example, and without being exhaustive, one may indicate the existence of an identifier and/or password policy or an IT charter within the entity; of non-disclosure clauses in employee contracts and/or in agreements with the people with whom or for whom the company is likely to work (clients, suppliers, external service providers, in particular IT services, subcontractors, and so on); and of technical systems intended to preserve the security of the information systems (anti-virus, cryptography, firewalls, and so on).

The main objective is to demonstrate a policy of protection of personal data through organisational and technical means adapted to the risk represented and in line with the current state of the art.

The authorisation and legal advisory requests systems

It is strongly recommended to associate a jurist with a technician to accomplish the formalities related to authorisation and legal advisory requests, which necessitate transversal skills.

To break the ice, the jurist may ask the technician to explain the joke that has been raised to the rank of adage: “the more memory a computer has, the faster it can produce error messages.” (Dave Barry).

While these two formality systems differ in many ways, in strict security terms they can be very similar.

First of all, article 17-1 of law no. 1.165, which provides for “the specific technical and organisational measures intended to guarantee data protection” in the case of processing subject to articles 11 and 11-1 of the aforementioned law, places emphasis on access and accreditation (authorisation) management.

In this regard, the processing related to “access and accreditation” is often forgotten in the formalities with the CCIN, even though article 30 of Sovereign Order no. 2.230, establishing the terms and conditions of application of law no. 1.165, requires that “the people responsible for establishing the accreditation profiles adapted strictly to the purpose of the processing” be designated.

Then, with regards to the form itself, the data controller shall describe in detail the measures to ensure the security of the processing and the personal data it contains.

The data controller then describes the security of the general architecture of the information and communication system, the means implemented to ensure the security of the related processing and information, and finally the security relating to users and to access (physical and logical).

Finally, a diagram of the technical security architecture of the processing and a diagram of the data flows must also be enclosed in the file.

These diagrams shall make it possible, on the one hand, to locate easily within the information system the processing that is the subject of the formality and, on the other hand, to understand the security measures, both general and specific to the said processing.

Example of the security analysis scheme

Vade mecum of the main principles of computer security or the twelve labours of Hercules

1. Know the information system and its users

        • Make sure you have a mapping of the computer installation and keep it up-to-date.
        • Make sure you have an exhaustive inventory of privileged accounts and keep it up-to-date.
        • Write and implement arrival and departure procedures of the users (personnel, students).
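The three items above describe one procedure: keep a map of the installation, keep an exhaustive inventory of privileged accounts, and run arrival and departure procedures. The following script is an added example, not part of the CCIN fact sheet, of how a departure procedure can be checked mechanically: it reconciles an account export against the HR roster and against the hand-maintained privileged-account inventory, and reports accounts with no named owner, accounts whose owner has left, and privileged accounts missing from (or stale in) the inventory. All names, dates and data structures are constructed for the example.

```python
from datetime import date

# Constructed sample data (not taken from any real system): what an HR roster
# and an account export might look like when the departure procedure is run.
HR_ROSTER = {
    # login -> (name, departure date or None if still employed)
    "amartin": ("A. Martin", None),
    "bdupont": ("B. Dupont", date(2024, 3, 31)),  # left the company
    "cleroy": ("C. Leroy", None),
}

ACCOUNTS = [
    # (login, is_privileged)
    ("amartin", False),
    ("bdupont", True),   # still enabled after the owner's departure
    ("cleroy", True),
    ("backup", True),    # generic account with no named owner
]

# The privileged-account inventory the team maintains by hand (constructed).
PRIVILEGED_INVENTORY = {"cleroy"}


def reconcile(roster, accounts, privileged_inventory, today):
    """Compare enabled accounts against the HR roster and the privileged
    inventory; return (login, finding) pairs a reviewer should act on."""
    findings = []
    known_logins = {login for login, _ in accounts}
    for login, is_privileged in accounts:
        if login not in roster:
            # Generic or orphaned account: nobody is nominally accountable for it.
            findings.append((login, "no named owner in HR roster"))
        else:
            _, departed = roster[login]
            if departed is not None and departed < today:
                findings.append(
                    (login, f"owner departed on {departed.isoformat()}, account still enabled"))
        if is_privileged and login not in privileged_inventory:
            findings.append((login, "privileged account missing from inventory"))
    # The inventory can be stale in the other direction too: entries for
    # accounts that no longer exist should be removed.
    for login in sorted(privileged_inventory - known_logins):
        findings.append((login, "inventory lists a privileged account that no longer exists"))
    return findings


def run_example():
    """Run the reconciliation on the constructed data as of 10 May 2024."""
    return reconcile(HR_ROSTER, ACCOUNTS, PRIVILEGED_INVENTORY, date(2024, 5, 10))


if __name__ == "__main__":
    for login, finding in run_example():
        print(f"{login:10} {finding}")
```

Run against the constructed data, the report flags `bdupont` (departed owner, and privileged but not inventoried) and `backup` (no owner, not inventoried); in practice the roster and account export would be pulled from the HR system and the directory rather than embedded.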

2. Control the network

        • Limit the number of Internet access points to the strict minimum (network partners).
        • Limit and control connections of personal equipment to the network (in particular tablets and smartphones).

3. Authenticate the user

        • Identify by name each person who has access to the system (no generic access).
        • Apply a policy on the composition and length of passwords.
        • Apply an authentication policy (for example, blocking accounts every six months if the password has not been changed).
        • Do not keep passwords in plain text in the information systems.
        • Systematically replace the default authentication elements (password, certificate) on network equipment (routers, servers, printers, and so on).
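As an added example (not code from the CCIN fact sheet), the block below turns three of the rules above into working checks: a composition-and-length policy for new passwords, storage as a salted PBKDF2-HMAC-SHA256 hash so that no plain-text password ever reaches the information system, and a status function that blocks an account once the password is older than the six-month period the vade mecum mentions. The minimum length, the common-password list and the iteration count are assumptions chosen for the example, not figures from the fact sheet.

```python
import hashlib
import hmac
import secrets

# Policy values are assumptions for this example, except the six-month
# renewal period, which the vade mecum itself gives.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "monaco2024", "qwerty"}  # constructed list
MAX_PASSWORD_AGE_DAYS = 182          # roughly six months
PBKDF2_ITERATIONS = 600_000          # assumed work factor for PBKDF2-HMAC-SHA256


def check_policy(password):
    """Return the rules a candidate password violates (empty list if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def hash_password(password, salt=None):
    """Derive a salted hash; only (salt, digest) is stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def account_status(days_since_change):
    """'blocked' once the password is older than the maximum age, else 'active'."""
    return "blocked" if days_since_change > MAX_PASSWORD_AGE_DAYS else "active"


def enrol(password):
    """Enrolment step: refuse a weak password, otherwise return the record to store."""
    problems = check_policy(password)
    if problems:
        return None, problems
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest}, []


if __name__ == "__main__":
    record, problems = enrol("Correct-Horse-7")
    print("stored record:", record is not None, "problems:", problems)
    print("verify:", verify_password("Correct-Horse-7", record["salt"], record["digest"]))
    print("status after 213 days:", account_status(213))
```

The stored record holds only the salt and digest, so a copy of the user table does not reveal passwords; the age check is what turns "block accounts every six months if the password has not been changed" from a reminder into an enforced rule.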

4. Secure terminal equipment

        • Use a computer park management tool that allows the deployment and updates of security policies on equipment (supervision).
        • Manage mobile (nomadic) workstations according to a security policy that is at least as strict as the one for fixed workstations.
        • Prohibit (with exceptions) remote connections to client workstations.
        • Encrypt data, especially on mobile workstations and on so-called data extraction media (CD, DVD, memory sticks, and so on).

5. Secure the internal network

        • Proceed frequently with an audit of the central configuration directory (for example, Active Directory in a Windows environment or LDAP).
        • Implement network partitioning (for workstations or servers that contain important company information).
        • Avoid using Wi-Fi infrastructures (otherwise, partition Wi-Fi network access from the rest of the information system).
        • Systematically use secure applications and protocols (SSH, SFTP, SMTPS, HTTPS, and so on).

6. Protect the internal network from the Internet through secure interconnection gateways with the Internet.

7. Monitor the systems

        • Define supervision objectives for systems and networks (large outbound data transfers, attempts to connect to a non-active or protected account, and so on).
        • Define the terms and conditions for analysing the events recorded in the daily log files (analysis of machine access, messaging accounts, and so on).
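The two supervision objectives named above (large outbound transfers, and connection attempts against non-active or protected accounts) can be expressed as simple daily log analyses. The block below is an added example, not from the CCIN fact sheet: it runs both checks over a few constructed sshd-style and proxy-style log lines. The account lists, thresholds and log formats are assumptions for the example and would be replaced by the entity's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in sshd and proxy-access style (not real captures).
AUTH_LOG = """\
May  3 08:12:01 srv01 sshd[2211]: Failed password for root from 203.0.113.7 port 51822 ssh2
May  3 08:12:03 srv01 sshd[2211]: Failed password for root from 203.0.113.7 port 51823 ssh2
May  3 08:12:05 srv01 sshd[2211]: Failed password for root from 203.0.113.7 port 51824 ssh2
May  3 09:00:10 srv01 sshd[2300]: Failed password for bdupont from 10.0.0.25 port 40110 ssh2
May  3 09:01:00 srv01 sshd[2301]: Accepted password for amartin from 10.0.0.31 port 40111 ssh2
May  3 09:02:44 srv01 sshd[2302]: Failed password for invalid user test from 198.51.100.9 port 41000 ssh2
"""

# Fields: timestamp, internal client, bytes sent outbound, destination host.
PROXY_LOG = """\
2024-05-03T10:01:00 10.0.0.25 734003200 files.example.net
2024-05-03T10:05:00 10.0.0.31 2048000 www.example.org
2024-05-03T10:09:00 10.0.0.25 52428800 files.example.net
"""

# Supervision objectives expressed as thresholds; the values are assumptions.
PROTECTED_ACCOUNTS = {"root", "admin"}
DISABLED_ACCOUNTS = {"bdupont"}          # e.g. a departed employee's account
FAILURE_THRESHOLD = 3                    # failures from one source against one account
OUTBOUND_THRESHOLD = 500 * 1024 * 1024   # bytes per client per day

AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def auth_alerts(log_text):
    """Count failed logins per (account, source) and raise alerts for attempts
    against protected or disabled accounts and for repeated failures."""
    failures = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            failures[(m["user"], m["src"])] += 1
    alerts = []
    for (user, src), n in sorted(failures.items()):
        if user in PROTECTED_ACCOUNTS:
            alerts.append(("protected-account", user, src, n))
        elif user in DISABLED_ACCOUNTS:
            alerts.append(("disabled-account", user, src, n))
        if n >= FAILURE_THRESHOLD:
            alerts.append(("repeated-failures", user, src, n))
    return alerts


def transfer_alerts(log_text):
    """Sum outbound bytes per internal client and flag those above the threshold."""
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue   # skip malformed lines rather than abort the daily run
        _, client, nbytes, _ = fields
        per_client[client] += int(nbytes)
    return [(client, total) for client, total in sorted(per_client.items())
            if total > OUTBOUND_THRESHOLD]


if __name__ == "__main__":
    for alert in auth_alerts(AUTH_LOG):
        print("AUTH", *alert)
    for client, total in transfer_alerts(PROXY_LOG):
        print("TRANSFER", client, f"{total / 2**20:.0f} MiB outbound")
```

On the constructed lines this reports the three failures against `root` from one source (both as a protected-account alert and as repeated failures), the single attempt on the disabled `bdupont` account, and the client that sent 750 MiB outbound over the day; the thresholds, not the code, are what the "terms and conditions of analysis" in the vade mecum ask the entity to decide.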

8. Secure the administration of the network

        • Prohibit Internet access to all administrator accounts (many have been victims of “hackers” who took complete control of the administrator’s workstations via the Internet).
        • No administrator privileges granted to users (to connect personal equipment, install software, and so on).
        • No remote access to the company’s network except when the company workstations provide strong authentication systems.

9. Control access to premises and physical security.

10. Define usage rules of printers and photocopiers

        • The physical presence of the person printing is required to start the printing.
        • Daily destruction of documents left on the printers or photocopiers.
        • Shred documents instead of throwing them in the waste bin.
        • Demagnetise and destroy hard disks of multimedia printers.

11. Organise regular drills in case of incidents

        • Have at your disposal a recovery plan and business continuity plan (or others).
        • Implement a warning and response system known by all participants.

12. Make users aware of elementary computer hygiene rules, and audit the security or have it audited

        • Establish a charter of use of information resources.
        • Carry out periodic security audits (minimum once every year).
        • Associate each audit with an action plan.

For those in whom reading this vade mecum has aroused little enthusiasm, it is modestly recalled that Hercules, also known as Heracles, became immortal, was consecrated god of ephebes and, finally, married Hebe, goddess of youth.