THE GENERAL DATA PROTECTION REGULATION (GDPR) AND ITS IMPACTS IN MONACO

Version of 26 November 2018

The General Data Protection Regulation 2016/679 (GDPR, or RGPD for the règlement général sur la protection des données in French) is the new European framework for the processing and circulation of personal data. This text, applicable from 25 May 2018, standardises the laws governing personal data across the Member States of the European Union. It is intended to give all residents of the European Union more control over their personal data, to increase the accountability of those responsible for processing while reducing the preliminary formalities with the regulators, and to reinforce the role of the Supervisory Authorities.

To whom does the GDPR apply?

  • Material scope of application
Pursuant to Article 2 of the GDPR, the Regulation covers all personal data of an identified or identifiable natural person, whether the processing is carried out by a natural or legal person governed by public or private law.

However, it does not apply:

a. In the context of an activity that falls outside the scope of Union law;

b. To Member States in the context of activities falling within the scope of Chapter 2 of Title V of the Treaty on European Union, namely the specific provisions concerning the common foreign and security policy;

c. To a natural person in the context of a strictly private or domestic activity;

d. To the competent authorities for the purposes of preventing and detecting criminal offences, investigations and prosecutions, or the execution of criminal penalties, including safeguarding against and preventing threats to public security.
 
  • Territorial scope of application
The GDPR also applies, by virtue of the establishment criterion, to data processing performed in the context of the activities of a data controller or a data processor established on the territory of the European Union, regardless of whether the processing takes place in the Union or not.

Furthermore, the GDPR applies, by virtue of the targeting criterion, to the processing of data relating to data subjects who are in the territory of the Union by a data controller or data processor not established in the Union, when the processing activities relate to:

  • The supply of goods or services to those data subjects in the Union, regardless of whether a payment is required or not, or
  • The monitoring of the behaviour of these persons, insofar as the behaviour takes place in the Union.
For example: a company established only in Monaco that does not target persons in the European Union is not subject to the GDPR.

NB: Contracting with employees who reside on the territory of the European Union, for the needs of a company based in Monaco, does not amount to an offer of goods or services to persons located on the territory of the European Union.

Does Law No. 1.165 of 23 December 1993 still apply in the Principality?

YES. Pending the reform of national legislation, the protection of personal data in the Principality continues to be governed by Law No. 1.165 of 23 December 1993.

Pursuant to this text, any public or private entity wishing to operate automated processing of personal data must first complete the formalities with the CCIN. There are 5 formalities: simplified declaration, ordinary declaration, authorisation request, legal advisory request, and transfer authorisation request.

Is the Principality of Monaco affected by the GDPR?

YES. A data controller or a data processor located in Monaco may, in addition to the obligations laid down by Law No. 1.165 of 23 December 1993, also be subject to the obligations laid down by the GDPR by virtue of the two criteria provided for in Article 3 of that text on the territorial scope of application.

On 23 November 2018, the European Data Protection Board published "Guidelines" on the extraterritorial scope of the GDPR (Article 3 of the Regulation). Available in English only. This document is currently subject to public consultation: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

  • Establishment criterion:
    • The data controller or the data processor is in Monaco but has an establishment in the European Union. The GDPR then applies in the context of the activities of that establishment, whether or not the processing takes place in the Union.
Example: A Monegasque company has a branch in France; the GDPR applies to the activities of that branch, even if the processing is carried out by the head office company in Monaco.

Recital 22 of the GDPR specifies that "Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."

Example: A Monegasque company hosts personal data in Monaco on behalf of a French company under a processing (subcontracting) contract. The GDPR applies to the Monegasque company because it is the processor of an undertaking established in the European Union.
    • Conversely, the fact that a company located in Monaco uses a service provider located on the territory of the European Union is not in itself sufficient to subject that company to the GDPR. However, the processor will for its part be subject to the GDPR under the establishment criterion.
  • Targeting criterion:
    • Where a data controller (or a processor) located in Monaco offers goods or services to persons within the European Union, it must comply with the new obligations of the GDPR.

Example: A Monegasque company sells products to persons domiciled in France and Italy through an online shop available in French and Italian. The GDPR then applies because the company offers goods and services to residents of the European Union.

The GDPR does not define the notion of offering goods and services. However, in Recital 23, it recommends taking into account a set of indicators including, for example: "the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union".

    • Moreover, a data controller (or a processor) located in Monaco must also comply with the new obligations of the GDPR where it processes personal data for the purpose of monitoring the behaviour of data subjects within the European Union.
Example: A Monegasque company creates a mobile application available in several languages (French, English, Spanish and Italian) that collects users' habits, preferences and leisure activities in order to offer them a personalised experience. The GDPR then applies because the company has implemented processing intended to monitor the behaviour of persons, some of whom reside in the European Union.

The GDPR does not define the notion of monitoring of behaviour. However, in Recital 24, it indicates that "it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes".

What are the new obligations of the data controller by virtue of the GDPR?

The GDPR imposes the following new obligations:


What are the new obligations of the data processor under the GDPR?

The contract between the data controller and the data processor must now specify the obligations imposed on the data processor, namely:

  • The appointment of a representative in the European Union when the data processor is not established there;
  • The definition of the processing (its objectives, duration, nature, final purpose, the type of data, the categories of data subjects, the rights and obligations of the data controller);
  • Compliance by the data processor with the security and confidentiality requirements imposed by the Regulation, as well as the obligation to assist the data controller in meeting the controller's own obligations in this respect (in particular, security and impact assessment);
  • The obligation for the data processor to assist the data controller in the event of a personal data breach;
  • The obligation of the data processor to notify the data controller of all personal data breaches;
  • The obligation of the data processor to assist the data controller in responding to requests from data subjects exercising their rights;
  • Processing by the data processor only on documented instructions from the data controller;
  • The need for prior written authorisation, specific or general, from the data controller before the data processor engages another sub-processor (in the case of a general authorisation, the data processor must inform the data controller of any change);
  • The deletion of the data by the data processor, or their return to the data controller, at the end of the engagement;
  • The obligation of confidentiality of the persons authorised to process the data on behalf of the data processor;
  • The obligation of the data processor to impose on any subsequent sub-processor, under its own responsibility, the same obligations as those provided for in the contract;
  • The requirement, stipulated by the data controller, that the data processor provide proof of compliance with its obligations and allow audits to be carried out.

What does the general security requirement of the GDPR include?

Pursuant to Article 32 of the GDPR, the data controller and the data processor must guarantee, for each processing activity, a level of security appropriate to the risk to the rights and freedoms of data subjects. This obligation includes, as needed:

  • Pseudonymisation and encryption of personal data;
  • Putting in place measures to ensure the confidentiality, integrity and availability of processing systems and services, and to restore access to data;
  • The implementation of procedures for regularly testing and evaluating the technical and organisational measures relating to data security.
In order to comply with this obligation, several means can be used:

  • The adoption and application of a code of conduct or certification mechanism to demonstrate compliance with these requirements;
  • The appropriate drafting of contracts when using service providers;
  • Risk analysis and security audits.

What is a personal data breach?

A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data, or unauthorised access to such data.

What to do in case of a personal data breach?

  • Notify the Supervisory Authority
According to Article 33 of the GDPR, all personal data breaches must be reported to the Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of them (except where the breach is unlikely to result in a high risk to the rights and freedoms of individuals). The notification must indicate:

  • The nature of the breach, the number of persons and data concerned;
  • The consequences;
  • The measures taken.
 
  • Notify the data subject
According to Article 34 of the GDPR, all personal data breaches must be communicated to the affected data subjects without undue delay, except if:

- Technical and organisational protection measures have been taken to render the personal data unintelligible (encryption, etc.);
- Subsequent measures have been taken to prevent the risks to the rights and freedoms of data subjects from materialising again;
- Individual communication would involve disproportionate effort.

A mechanism for recording and tracing security breaches must therefore be set up by the data controller and the data processor.

What is a register of activities?

The register of processing activities is a tool provided for in Article 30 of the GDPR. It contains an identity card for each processing activity and makes it possible to verify that data protection has actually been taken into account and addressed.

The following entries must be entered in the register:

- The name and contact details of the data controller;
- The purposes of the processing;
- The categories of data subjects and the categories of the processed personal data;
- The categories of the recipients;
- Where applicable, transfers of personal data to a country not a member of the European Union.

Furthermore, where possible, the envisaged time limits for erasure of the data and the security measures put in place must also be recorded in the register.

The obligation to keep a register applies to the data controller as well as to the data processor.

The obligation to keep a register does not apply to a company or an organisation with fewer than 250 employees, except where the processing is likely to result in a risk to the rights and freedoms of the data subjects.

When should an impact assessment be done?

The data controller must perform an impact assessment of the envisaged processing on the protection of personal data before carrying out that processing, in particular when using new technologies, where, taking into account the nature, scope, context and purposes of the processing, it is likely to result in a high risk to the rights and freedoms of natural persons.

Under Article 35 of the GDPR, this impact assessment is mandatory:

  • In the case of profiling (behavioural characterisation to refine and personalise product and service offerings);
  • For large-scale processing of sensitive data (racial origins, ethnic, political or union opinions, genetics, biometrics, health, sexuality) or data pertaining to criminal convictions and offences;
  • For systematic monitoring of a publicly accessible area on a large scale;
  • For any processing for which prior impact assessment is made mandatory by the Supervisory Authority.
This assessment must include:

- A description of the processing;
- An assessment of the necessity and proportionality of the processing in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address the risks and security measures to guarantee the protection of personal data.

In which cases should a Data Protection Officer (DPO) be designated?

This new actor, provided for in Article 37 et seq., is mandatory, both for the data controller and the data processor, in any case where:

- The processing is carried out by a public sector body;
- Their core processing requires regular and systematic monitoring of data subjects on a large scale;
- Their core processing requires them to process (again on a large scale) data said to be "special" (that is, sensitive) or pertaining to criminal convictions and offences.

The DPO's tasks include:
  • Informing and advising the members of the entity of their legal obligations relating to data processing;
  • Monitoring the compliance with GDPR;
  • Advising when requested with regards to the impact assessment on privacy and monitoring its execution;
  • Cooperating with the relevant Supervisory Authority;
  • Acting as the contact point for this Supervisory Authority on questions relating to the processing, including the consultation on the impact assessment on privacy;
  • Acting as the intermediary with the data subjects on questions relating to the processing of their data and in the exercise of their rights.

What are the main obligations introduced by the GDPR in terms of information of data subjects?

Pursuant to Articles 12 and following of the GDPR, the information of data subjects is reinforced by two types of obligations:
  • An obligation of transparency: the legal notices that accompany the collection of personal data shall be clearly visible and easily understandable;
  • An increase in the information to be communicated to individuals when their data are collected, whether the collection is made directly from the data subject or indirectly via a third party (for example, in the case of file rental).

How is the consent of data subjects expressed?

Pursuant to Article 7 of the GDPR, the data controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data by a "clear affirmative act". Hence:

  • The prohibition of pre-ticked boxes when consulting a website;
  • When a processing has several purposes: a tick box for each purpose.
The proof of consent is to be stored and archived.

The withdrawal of a data subject's consent must be possible at any time without justification. Furthermore, as with obtaining consent, this withdrawal must be traceable.

Finally, for children under the age of 16 years, the data controller must obtain consent from the holder of parental responsibility for the processing of the child's personal data.

What is the meaning of accountability as defined by the GDPR?

Pursuant to Article 24 of the GDPR, this new essential principle of the Regulation requires the data controller to implement appropriate technical and organisational measures in order to demonstrate that processing is performed in accordance with the Regulation. To that end, the data controller may consider adhering to an "approved" code of conduct or certification, that is, one "validated" by the relevant Supervisory Authority.

These measures must be reviewed and updated at regular intervals.

Furthermore, by virtue of Article 25 of the GDPR, any processing of personal data must guarantee, from its design and at each use (Privacy by design and by default), even if this was not originally planned, a high level of protection of the privacy and data of data subjects.

To do this, data controllers must implement the technical and organisational measures to:

  • Minimise the data collected;
  • Limit the data storage period to what is strictly necessary and provide rules for automatically purging data;
  • Control access to the data and guarantee their confidentiality;
  • Provide technical and organizational arrangements to respond to all requests from the data subjects.

What are the main rights to data subjects introduced by the GDPR?

  • The right to erasure or the 'right to be forgotten': in accordance with Article 17 of the GDPR, data controllers must delete the data "without undue delay" when:
    • They are no longer necessary;
    • Data subjects withdraw their consent and nothing justifies their continued storage;
    • Data subjects object to the processing;
    • The processing is unlawful;
    • Erasure is necessary to comply with a legal obligation;
    • The data were collected from a minor.
 
  • The right to restrict the processing: Pursuant to Article 18 of the GDPR, this new right allows data subjects to request that their data not be subject to further processing activities.
  • The right to data portability: This new right under Article 20 of the GDPR allows, in certain cases, any data subject to receive the personal data that he or she provided in a structured, commonly used, and machine-readable format, and to request that the said data be transmitted to another data controller.
  • The right to compensation: the data subject may take legal action on the basis of non-compliance with the Regulation pursuant to Article 79 of the GDPR. This legal action may be brought in parallel with a complaint to the Supervisory Authority competent for data protection.

What are the penalties provided by the GDPR?

The GDPR provides for two levels of administrative fines:

  • 1st level (Art. 83(4)): 10 million euros or 2% of the total worldwide annual turnover, whichever is higher. It applies inter alia in case of non-compliance with the provisions relating to Privacy by design, Privacy by default, or impact assessment.
  • 2nd level (Art. 83(5) and (6)): 20 million euros or 4% of the total worldwide annual turnover, whichever is higher. It applies to failure to comply with the rights of individuals (access, rectification, the right to be forgotten, etc.) and failure to comply with an order issued by the Supervisory Authority.

What is the impact of the GDPR on data transfers to and from Monaco?

  • For companies of the European Union that want to send data to the Principality: these companies should not have to complete any specific formalities with the Supervisory Authority as long as data protection safeguards are put in place between the European data controller and its processor or subsidiary, in particular:
    • Standard data protection clauses approved by the European Commission (art.46);
    • Binding corporate rules (art.47);
    • An approved code of conduct pursuant to Article 40 of the GDPR;
    • An approved certification mechanism pursuant to Article 42 of the GDPR.
 
  • For companies that want to send data from the Principality: these companies remain subject to the data transfer formalities of the CCIN whenever they want to send data to a country that does not offer an adequate level of protection.

What are the first actions to be undertaken to comply with the GDPR?

The first actions to undertake to comply with the GDPR include the following:

  • Make a mapping of your data processing;
  • Carry out the formalities with the CCIN;
  • Decide whether it is necessary to appoint a representative in the European Union;
  • Verify that the conditions for designating a DPO are met;
  • Verify that the conditions for setting up a register of activities are met;
  • Perform an impact assessment if necessary;
  • Verify the implementation conditions of the rights of data subjects and especially in terms of information and transparency;
  • Approach the Supervisory Authority/ies of the European Union country or countries impacted by the processing.

Useful links:

  • Supervisory authorities:

European Union countries

Belgium: Data Protection Authority
https://www.autoriteprotectiondonnees.be

France: Commission nationale de l'informatique et des libertés
https://www.cnil.fr

Luxembourg: National Data Protection Commission
https://cnpd.public.lu

Countries outside the European Union

Switzerland: Federal Data Protection and Information Commissioner (Préposé fédéral à la protection des données et à la transparence, PFPDT)
https://www.edoeb.admin.ch


Reference texts:

  • GDPR in its entirety:
https://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32016R0679&from=EN

  • Guidelines from the Article 29 Working Party (G29) of the European Commission:
http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358