Questions Answers

Who is the data controller?

The person in charge of the processing or 'data controller' shall be considered as the natural or legal person, governed by private law or public law, public authority, agency or any other body which alone or jointly with others determines the purposes of the data processing and means used and decides that it is to be carried out.

What is personal data?

Personal data, in all of its forms, is any information that can be used to determine a natural person’s identity (specific or identifiable). A person is recognized as identifiable if he or she can be identified, directly or indirectly, in particular with reference to an identification number or one or more specific marks that form the person’s own physical, physiological, psychic, economic, cultural, or social identity.

This identification may be done through referencing a simple identifier, such as, for example, a social security number, an internal serial number, and so on; or more specific forms pertaining to an individual (first name, address, phone number, number plate, and so on).

What is automated processing?

Automated processing includes all activities pertaining to personal information, whether through:
  • Collecting, recording, organising, modifying, storing, extracting, accessing, or destroying information;
  • Exploitation, interconnection or approximation, the communication or the disclosure of such information or by any other means of making it available.

Processing is considered automated when the information is processed through technical and technological means (computer, badge reader, video surveillance system, and so on).

Who is the recipient?

The recipient of the processed data shall be considered as the natural or legal person, governed by private law or public law, public authority, agency or other body that receives disclosed data, other than the data subject, data controller, subcontractors and persons who, under the direct authority of the controller or subcontractor, are authorised to process the data.

Who is concerned by the processing?

The person concerned by the processing of personal data (the ‘data subject’) is the person to whom the data being processed pertains.

What is the register of processing?

The register of processing is a public register that consolidates a list of all of the automated processing in application in the public sector and in the private sector. Any person interested may consult the public register of processing by going directly to the Secretariat of the CCIN or by making an appointment. The CCIN can then verify whether the computerised processing has been declared or not, and whether or not it is legal.

Processing relating to public security with regard to offences, convictions, or security measures and/or concerning the prevention, investigation, observations or the investigation or the prosecution or convictions of criminal offences executed by a judicial or administrative authority is not recorded in the public register of processing. Thus, you cannot consult it.

Nevertheless, to find out whether such processing exists, you can check the annual Ministerial Order on the automated processing of personal data implemented by natural or legal entities governed by public (common) law, public authorities, or organisations governed by private law that are entrusted with a mission of general interest or are concessionaires of a public utility. This Order is published in the Journal of Monaco before 1 April every year.

What is sensitive or confidential information?

Sensitive or confidential information corresponds to data that is likely to reveal political, religious or philosophical beliefs, trade union membership, racial or ethnic origin, or data relating to health, including genetic data, data concerning the party's sex life, lifestyle or relating to social welfare measures (article 12 of the law).

The use or exploitation of such data is prohibited. A limited number of exceptions are provided by law, requiring the freely written and expressed consent of the data subject.

What is meant by the consent of the data subject?

Consent is an important term in data protection legislation: “Unambiguous consent” is one of the criteria that can legitimise the processing of personal data.

Consent can be given verbally, in writing or in any other appropriate form. Before it can be considered that the data subject has freely given his consent for a specific processing, the data subject must have received sufficient information to be able to fully understand the implications and repercussions of his consent, including the advantages and disadvantages of the processing.

Other than the fact that the consent must be given freely, it must be specific, leaving no doubt as to whether the consent was given or not. Furthermore, the consent is strictly related to the processing of which the data subject has been informed. It cannot later be extended upon the authorisation of another person and consequently cannot be given for something of which the data subject was not informed. It can in principle be withdrawn without retroactive effect.

What is the right to the information?

Every person is entitled to be informed when he or she is the data subject of the processing, and to learn the purpose of the processing. This right is essential as it determines the exercise of other rights, as provided by article 14 of law number 1.165.

The right to the information refers to information which is provided to the interested person, regardless of whether the data were collected from this person or not.

The information that must be provided relates to the identity of the data controller, the purposes of the data processing, the recipients to whom the information is disclosed, as well as the existence of a right to access and modify personal data.

The right to information by the interested person may be limited in certain situations (for example, for public security measures or for the prevention, investigation or the prosecution and conviction of criminal offences).

What is the right to access?

The right to access is the right for any data subject to obtain from the data controller, the confirmation that the data of which the person is the subject are indeed being processed, as well as the purposes of the processing, the types of data concerned by the processing, and the recipients to whom the data are disclosed.

This right also authorises the person to obtain this information in a written, non-coded form that conforms to the stored data.

What is the right of indirect access?

The right of indirect access is the derogation regime to the right of direct access. Indeed, the data subject (person concerned) is not entitled to direct access to the data concerning him or her in processing:
  • Of interest to public security;
  • Relating to offences, convictions, or security measures;
  • Concerning the prevention, investigation, observations or the investigation or the prosecution or convictions of criminal offences.
Access to the data is carried out according to a procedure referred to in article 15 of the law number 1.165 by a member of the CCIN.

What is the right to amend?

The right to amend is the right to obtain from the data controller the rectification of personal data that is inaccurate or incomplete.

As an essential part of the right of access, the right to amend is important in that it ensures a high level of data quality.

What is the right to oppose?

The right to oppose is the right for any data subject to oppose the exploitation of his personal data (with the exception of certain situations, such as specific legal obligations). If the opposition is justified, founded on legitimate reasons, the processing shall no longer include these data.

The right to oppose can be exercised at the same time the data is collected (for example, when completing a form), or afterwards, by contacting the data controller.

What is the storage period of the data?

The storage of data designates the obligation for the data controller of the processing to store personal data for specific purposes.

What is a data transfer?

By data transfer, we mean the transmission or the communication of data to a recipient, by whatever means.

All personal data collected on the Monegasque territory in the context of processing pertaining to an ordinary declaration, a legal advisory or an authorisation request may be transferred to a country without specific procedures, if the said country has an adequate level of protection (refer to the list of countries with an adequate level of protection).

On the other hand, data transfers from a country with an adequate level of protection are subject to the authorisation of the CCIN except if the data subject of the personal data being transferred has freely given his consent to the transfer.

The transfer may also be carried out without the authorisation of the CCIN if it is essential:

  • To safeguard that person's life;
  • To safeguard public interest;
  • By compliance with legal obligations with regards to the recording, exercising or defence of legal rights;
  • To consult, under proper conditions, a public register which by virtue of legislative or regulatory provisions, is intended to provide information to the public and which can be consulted either by the public in general or by any person who can provide proof of a legitimate interest;
  • As part of a contract between the data controller or representative and the data subject, or pre-contractual measures taken at the latter's request;
  • The conclusion or as part of a contract concluded or to be concluded in the interests of the data subject, between the data controller or representative and a third party.

What are the particular procedures that require the Commission’s authorisation?

The specific processing operations subject to the authorisation of the CCIN are those that are implemented by data controllers, other judicial or administrative authorities:
  • Relating to suspected unlawful activities, offences, and security measures (protection);
  • Including biometric data required to check persons’ identities;
  • For the purpose of surveillance.

Why submit automated processing to the CCIN?

Out of respect for fundamental rights and freedoms, the law requires a declaration, an authorisation request, or a legal advisory request for all automated processing. The objective is to:
  • Ensure the transparent implementation of a file;
  • Bring to light the nature of the information collected;
  • Bring to light the purpose of this processing;
  • Ensure the appropriate use of this data;
  • Identify their recipients;
  • Identify the storage period of the data;

…and most importantly, to ensure that personal data are not collected without the data subjects' knowledge for reasons that are unlawful and dangerous for their privacy.

Which data can only be used by judicial or administrative authorities?

Only the judicial or administrative authorities have the right, within the limits of the mission conferred on them, to collect, record, or use personal data:
  • Of interest to public security;
  • Relating to offences, convictions, or security measures;
  • Concerning the prevention, investigation, observations or the investigation or the prosecution or convictions of criminal offences.

What are the penalties incurred for breaching the law on the protection of personal data?

The law number 1.165 provides for penalties.

Shall be subject to imprisonment of one to six months and a fine as provided for by the Criminal Code, any natural or legal entities governed by private law who:

  • Carry out or attempt to carry out the automated processing of personal data or continue or attempt to continue to carry out such processing without having performed the required prior formal procedure or having obtained the authorizations;
  • Voluntarily refrain from communicating to a data subject their personal data, or from amending or deleting any of such information which has proved to be imprecise, incomplete, equivocal or collected in violation of the law;
  • As a result of imprudent or negligent behaviour, do not maintain or cause to be maintained the security of personal data or divulge or allow to be divulged data which has the effect of damaging the reputation of a person or encroaching upon their private or family life;
  • Retain personal data beyond the storage period indicated in the declaration, the legal advisory request or the authorisation request or the storage period fixed by the Commission de Contrôle des Informations Nominatives (CCIN);
  • Transfer personal data or cause it to be transferred to countries or organizations without an adequate level of protection;
  • Collect personal data without the data subject having been informed, except where informing that person proves to be impossible or involves disproportionate efforts, or if the collection or disclosure of such data is expressly provided for by applicable legislative or regulatory provisions.

Shall also be subject to imprisonment of three months to one year and a fine as provided for by the Criminal Code, any natural or legal entities governed by private law who:
  • Collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used, personal data that is reserved for certain authorities, establishments, organizations and natural persons or data which is likely to reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data in the field of health, including genetic data, data pertaining to sex life, lifestyle or social welfare measures;
  • Collect or cause to be collected personal data by using or inciting to be used fraudulent, injurious or unlawful means;
  • Deliberately prevent or hinder investigations carried out in application of the law or do not provide information or documents requested;
  • Knowingly communicate or cause to be communicated inaccurate information or documents either to data subjects or to the persons in charge of the necessary investigations;
  • Collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used personal data despite the opposition of data subjects, apart from the cases provided for by the law;
  • With the exception of the competent authorities, knowingly collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used personal data with or without biometric data in respect of offences, convictions or security measures or which have the purpose of preventing, investigating, establishing or prosecuting criminal offences or the execution of criminal convictions or security measures;
  • Knowingly, collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used personal data relating to suspected unlawful activities, offences, security measures or including biometric data required to check persons' identities or for the purposes of surveillance without having obtained the authorisation;
  • Knowingly communicate to persons not qualified to receive it data the disclosure of which may damage the reputation of a natural person or encroach upon their private and family life;
  • Knowingly use or cause to be used personal data for other purposes than those described in the declaration, request for an opinion or application for authorisation.

The same applies to persons in charge of processing who communicate to unqualified persons information that, if disclosed, may damage the reputation of a person, or who use the collected information for a purpose other than the one mentioned in the declaration, legal advisory request, or authorisation request.

Any conviction may cause the effects of the declaration to cease and result in its cancellation in the register of processing data.

When should one submit automated processing to the CCIN?

The fundamental rights and freedoms of the person call for the protection of personal data to be included from the start, in the specifications and the architecture of information and communication technology systems.

Thus, the law requires that automated processing be submitted to the control of the CCIN prior to its implementation, that is, prior to its use.