Version of 26 november 2018 The General Data Protection Regulation 2016/679 (GDPR or RGPD, for the règlement général sur la protection des données in French) is the new European framework for the processing and circulation of personal data. This text, applicable from 25 May 2018, which standardises the laws governing personal data of the Member States of the European Union, is intended to provide all residents of the European Union more control over their personal data, to increase the accountability of those responsible for the processing whilst reducing the preliminary formalities with the regulators, and to reinforce the role of the Supervisory Authorities.

To whom the GDPR applies?

  • Material scope application
Pursuant to Article 2 of the GDPR, the context concerns all personal data of an identified or identifiable natural person whether the processing is implemented by a natural or legal person of public or private law.

However, it does not apply:

a. In the context of an activity that falls outside the scope of the Union law;

b. To Member States in the context of activities falling within the scope of application of chapter 2 of Title V of the treaty on European Union, namely the specific provisions concerning the common foreign and security policy;

c. To a natural person in the context of a strictly private or domestic activity;

d. To the competent authorities for the purpose of preventing and detecting criminal offenses, investigations and prosecutions or the execution of criminal sanctions, including the protection against threats to public safety and the prevention of such threats.
  • Territorial scope application
The GDPR also applies, in virtue of the establishment criteria, to data processing performed in the context of activities of a data controller or a data processor located on the territory of the European Union, regardless of whether the processing takes place in the Union or not.

Furthermore, the GDPR applies, in virtue of the target criteria, to data processing relating to data subjects who are in the territory of the Union by a data controller or data processor not established in the Union when the processing activities relate to:

  • The supply of goods or services to those data subjects in the Union, regardless of whether a payment is required or not, or
  • The monitoring of the behaviour of these persons, insofar as the behaviour takes place in the Union.
For example: You are a company established only in Monaco and you do not target people in the European Union: You are not concerned by the GDPR.

NB: Contracting with employees who reside on the territory of the European Union, for the needs of a company based in Monaco, does not amount to an offer of goods or services to persons located on the territory of the European Union.

Does Law No. 1.165 of 23 December 1993 still apply in the Principality?

YES Pending the reform of national legislation, the protection of personal data in the Principality continues to be governed by Law No. 1.165 of 23 December 1993.

Pursuant to this text, any public or private entity wishing to operate an automated processing of personal data must first carry out the formalities with the CCIN. There are 5 formalities: simplified declaration, ordinary declaration, authorisation request, legal advisory request, and transfer authorisation request.

Is the Principality of Monaco impacted by the GDPR?

YES A data controller or a data processor based in Monaco can, as well as being subject to the obligations of Law No. 1.165 of 23 December 1993, also be subject to the obligations provided by the GDPR in virtue of the two criteria provided for in Article 3 of the said text territorial scope.

Publication on the 23rd of November 2018 of the European Data Protection Board’s «Guidelines» on the territorial scope of the GDPR (Article 3 of the Regulation). Only available in English. This document is currently submitted for public consultation:
  • Establishment criteria:
  • The data controller or data processor is in Monaco but has an establishment in the European Union. The GDPR then applies in the course of these activities in the establishment, whether the processing is in the Union or not.
For example: A Monegasque company has a branch in France, the GDPR applies to the activities of this branch, even if the processing is carried out by the company headquarters in Monaco.
The recital 22 of the GDPR states that « Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. »

For example: A Monegasque company hosting in Monaco personal data on behalf of a French company under a subcontracting contract. The GDPR applies to the Monegasque company because it is subcontracting for a company based in the European Union.
  • Conversely, for a company based in Monaco to use a service provider located on the territory of the European Union is not sufficient in itself for this company to be subject to the GDPR. However, the data processor shall be submitted to the GDPR according to the establishment criteria.
  • Target criteria :
  • From the moment a data controller (or even a data processor) based in Monaco offers goods and services to people in the European Union, he or she must respect the new obligations of the GDPR.

For example: A Monegasque company sells products to people domiciled in France and Italy through an online sales site available in French and Italian. The GDPR then applies because the said company offers goods and services to residents in the European Union.

The GDPR does not offer a definition of the concept of supply of goods and services. On the other hand, in recital 23, it recommends taking into account a number of factors including for example: « the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union ».
  • In addition, a data controller (or even a data processor) based in Monaco must also respect the new obligations of the GDPR insofar as he or she processes personal data to monitor the behaviour of data subjects in the European Union.
For example: A Monegasque company developed a mobile application available in several languages (French, English, Spanish, and Italian) that collects the habits, preferences, and hobbies of its users in order to offer them a personalised experience. The GDPR therefore applies as the company implemented a processing to monitor the behaviour of people, some of whom reside in the European Union.
The GDPR does not offer a definition of the concept of monitoring the behaviour . However, in recital 24, it states that « it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes ».

What are the new obligations of the data controller in virtue of the GDPR?

The GDPR imposes the following new obligations:

What are the new obligations of the data processor under the GDPR?

The contract between the data controller and the data processor must now specify the obligations imposed on the data processor, namely:

  • The appointment of a representative in the European Union when the data processor is not established there;
  • The definition of the processing (its objectives, duration, nature, final purpose, the type of data, the categories of data subjects, the rights and obligations of the data controller);
  • The compliance of the data processor with the security and confidentiality requirements of the data imposed by the regulation as well as the obligation to assist the data controller to ensure compliance by the data controller with his obligations in this respect (in particular, security and impact assessment);
  • The obligation for the data processor to assist the data controller in the event of a breach to personal data ;
  • The obligation of the data processor to notify the data controller of all breaches to personal data;
  • The obligation of the data processor to assist the data controller in responding to the requests from data subjects exercising their rights;
  • The data processing done by the data processor on the documented instruction only from the data controller;
  • The need for a prior written authorisation, specific or general from the data controller for the data processor to hire another subcontractor (in case of a general authorisation, there is then the obligation to inform the data controller of any change);
  • The deletion by the data processor or the returning of the data to the data controller at the end of the mission;
  • The obligation of confidentiality of the persons authorised to process the data for the data processor;
  • The obligation of the data processor to task the subsequent subcontractors with the same obligations under his responsibility as those provided for in the contract;
  • The condition stipulated by the data controller to the data processor to provide proof of his compliance with his obligations and to allow audits to be carried out.

What does the general security requirement of the GDPR include?

Pursuant to Article 32 of the GDPR, the data controller and data processor must guarantee, for each processing, an adequate level of security for the rights and freedoms of data subjects. This obligation includes as needed:

  • The pseudonymisation and encryption;
  • Putting in place measures to safeguard confidentiality, integrity, availability of the processing systems and services, and access to data;
  • The implementation of procedures for testing and evaluating technical and organizational measures relating to data security.
In order to comply with this obligation, several means can be used :

  • The adoption and application of a code of conduct or certification mechanism to demonstrate compliance with these requirements;
  • The appropriate drafting of contracts when using service providers;
  • Risk analysis and safety audits.

What is a personal data breach?

By personal data breach, it is to be understood any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data or unauthorised access to such data.

What to do in case of a personal data breach?

  • Notify the Supervisory Authority
According According to Article 33 of the GDPR, all personal data breaches must be reported to the Supervisory Authority without undue delay, and, if possible, within 72 hours of detection at the latest after having been made aware (except if the breach is unlikely to result in a high risk to the rights and freedoms of individuals) and must indicate:

  • The nature of the breach, the number of persons and data concerned;
  • The consequences;
  • The measures taken.
  • Notify the data subject
- According to Article 34 of the GDPR, all personal data breaches must be communicated to the affected data subjects without undue delay, except if:

- Technical and organisational protection measures have been taken to render the personal data unintelligible (encryption...);
- Subsequent measures have been taken to prevent the risks to the rights and freedoms of data subjects from occurring again;
- Individual communication involves disproportionate efforts.

A traceability mechanism of security breaches must therefore be set up by the data controller and the data processor.

What is a register of activities?

The register of activities is a tool provided for in Article 30 of the GDPR which includes an identity card of each processing activity and makes it possible to verify that the data protection has really been considered and processed.

The following entries must be entered in the register:

- The name and contact details of the data controller;
- The purposes of the processing;
- The categories of data subjects and the categories of the processed personal data;
- The categories of the recipients;
- Where applicable, transfers of personal data to a country not a member of the European Union.

Furthermore, where possible, the envisaged time limits for erasure of the data and the security measures put in place must also be recorded in the register.

The obligation to keep a register applies to the data controller as well as to the data processor.

The obligation to keep a register does not apply to a company or an organisation of less than 250 employees, except when the processing is likely to result in a risk to the rights and freedoms of the data subjects.

When should an impact assessment be done?

The data controller must perform an impact assessment of the processing activities on the personal data before carrying out the said processing, especially when using new technologies, and to take into account the nature, the scope, the context and purposes of the processing likely to result in a high risk to the rights and freedoms of natural persons.

Under Article 35 of the GDPR, this impact assessment is mandatory:

  • In the case of profiling (behavioural characterisation to refine and personalise product and service offerings);
  • For large-scale processing of sensitive data (racial origins, ethnic, political or union opinions, genetics, biometrics, health, sexuality) or data pertaining to criminal convictions and offences;
  • During routine surveillance of a publicly accessible area on a large scale;
  • For any processing for which prior impact assessment is made mandatory by the Supervisory Authority.
This assessment must include:

- A description of the processing;
- An assessment of the necessity and proportionality of the processing in relation to the purposes;
- A assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address the risks and security measures to guarantee the protection of personal data.

In which cases should a Data Protection Officer (DPO) be designated?

This new actor provided for in Article 37 and later is mandatory, both for the data controller and the data processor, in any case where:

- The processing is carried out by a public sector;
- Their core processing requires regular and routine monitoring of data subjects on a large scale;
- Their core processing requires for them to process (still on a large scale) data said to be “special” (that is, sensitive) or pertaining to criminal convictions and offences.

His missions include:
  • Informing and advising the members of the entity of the legal obligations relating to data processing;
  • Monitoring the compliance with GDPR;
  • Advising when requested with regards to the impact assessment on privacy and monitoring its execution;
  • Cooperating with the relevant Supervisory Authority;
  • Acting as the contact point for this Supervisory Authority on questions relating to the processing, including the consultation on the impact assessment on privacy;
  • Acting as the intermediary with the data subjects on questions relating to the processing of their data and in the exercise of their rights.

What are the main obligations introduced by the GDPR in terms of data of data subjects?

Pursuant to Articles 12 and following of the GDPR, the information of data subjects is reinforced by two types of obligations:
  • An obligation of transparency: The legal notices that accompany the collection of personal data shall be clearly visible et easily understandable;
  • An increase of information to be communicated to individuals during the collection of their data, whether this collection is made directly to the data subject or indirectly via a third party (for example, in the case of file rental).

How is the consent of data subjects expressed?

Pursuant to Article 7 of the DGPR, the data controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data in a « positive and clear act ». Hence:

  • The prohibition of pre-ticked boxes when consulting a website;
  • When a processing has several purposes: a tick box for each purpose.
The proof of consent is to be stored and archived.

The withdrawal of a data subject’s content must be possible at any time without justification. Furthermore, as with obtaining consent, this withdrawal must be traceable.

Finally, for children under the age of 16 years, the data controller must obtain consent from the holder of parental responsibility for the processing of personal data of children under the age of 16 years.

What is the meaning of accountability as defined by the GDPR?

Pursuant to Article 24 of the GDPR, this new essential principle of the regulation provides for the obligation of the data controller to implement the relevant technical and organisational measures in order to demonstrate that the processing is performed in accordance with the regulation. Thus, the data controller may consider submitting to an "approved" code of conduct or certification, that is "validated" by the relevant Supervisory Authority.

These measures must be reviewed and updated at regular intervals.

Furthermore, in virtue of Article 25 of the GDPR, any processing relating to personal data must guarantee, from its conception and at each use (Privacy by design & by default), even if it was not originally planned, a high level of protection to privacy and to the data of data subjects.

To do this, data controllers must implement the technical and organisational measures to:

  • Minimise the data collected;
  • Limit the data storage period to what is strictly necessary and provide rules for automatically purging data;
  • Control access to the data and guarantee their confidentiality;
  • Provide technical and organizational arrangements to respond to all requests from the data subjects.

What are the main rights to data subjects introduced by the GDPR?

  • The right to erasure or the 'right to be forgotten' : In accordance with Article 17 of the GDPR, data controllers must delete the data« without undue delay » when :
    • These are no longer useful;
    • Data subjects withdraw their consent and nothing justifies their continued storage;
    • Data subjects oppose (object) their processing;
    • The processing is unlawful;
    • It is necessary to comply with a legal obligation;
    • These were collected from a minor.
  • The right to restrict the processing: Pursuant to Article 18 of the GDPR, this new right allows data subjects to request that their data not be subject to further processing activities.
  • The right to data portability: This new right under Article 20 of the GDPR allows, in certain cases, any data subject to receive the personal data that he or she provided in a structured, commonly used, and machine-readable format, and to request that the said data be transmitted to another data controller.
  • The right to compensation: The data subject may take legal action on the basis of non-compliance of the regulation pursuant to Article 79 of the GDPR. This legal action may be made in parallel to filing a complaint with the Supervisory Authority competent in data protection.

What are the penalties provided by the GDPR?

The GDPR provides for two levels of administrative fines:

  • 1st level (Art. 83) 4): 10 million Euros or 2% of the total worldwide annual turnover, whichever is higher. It applies inter alia in case of non-compliance with the provisions relating to Privacy by design, Privacy by default, or impact analysis.
  • 2nd level (Art. 83) and 6)): 20 million Euros or 4% of the total worldwide annual turnover, whichever is higher. It applies to the non-respect to comply with the rights of individuals (access, amendment, the right to be forgotten, etc.) and the failure to comply with an injunction issued by the Supervisory Authority.

What is the impact of the GDPR on data transfers to and from Monaco?

  • For companies of the European Union that want to send data to the Principality: These companies should not have to complete any specific formalities to make with the Supervisory Authority as long as data protection tools are put in place between the European data controller and his or her subcontractor or subsidiary, in particular:
    • Standard data protection clauses approved by the European Commission (art.46);
    • Binding corporate rules (art.47);
    • An approved code of conduct pursuant to Article 40 of the GDPR;
    • An approved certification mechanism pursuant to Article 42 of the GDPR.
  • For companies that want to send data from the Principality: These companies remain subject to the data transfer formalities of the CCIN from the moment they want to send data to a country that does not have an adequate level of protection.

What are the first actions to be undertaken to comply with the GDPR?

The first actions to undertake to comply with the GDPR include the following:

  • Make a mapping of your data processing;
  • Carry out the formalities with the CCIN;
  • Decide whether it is necessary to take a representative in the European Union;
  • Verify that the conditions to designate a DPO are met;
  • Verify that the conditions for setting up a a register of activities are met;
  • Perform an impact assessment if necessary;
  • Verify the implementation conditions of the rights of data subjects and especially in terms of information and transparency;
  • Approach the Supervisory Authority/ies of the European Union country or countries impacted by the processing.

Useful links:

  • Supervisory authorities:

European Union countries

Belgium: Data Protection Authority

France: Commission nationale de l’informatique et des libertés

Luxembourg: National Data Protection Commission

Countries outside the European Union

Switzerland: Federal Data Protection and Information Commissioner

Switzerland: Préposé fédéral à la protection des données et à la transparence (PFPDT)

Reference texts:

  • GDPR in its entirety:


  • Guidelines from Group 29 of the European Commission: