<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Monaco Law on the Protection of Personal Information 

Law No. 1.165

Book a Demo

What is Law No. 1.165 of Monaco?

Law No. 1.165, enacted on December 23, 1993, governs the protection of personal data in Monaco. It establishes the principles, definitions, and obligations related to the automated or non-automated processing of personal data to ensure that such processing does not infringe on the fundamental rights and freedoms of individuals.

 

How does Law No. 1.165 of Monaco define Personal Information and what are other key definitions?

Monaco’s privacy law defines personal data as “any information that can be used to determine the identity of a natural person, either directly or indirectly. This includes data that can identify an individual through an identification number or specific marks related to their physical, physiological, psychic, economic, cultural, or social identity.”

There is no definition for what constitutes sensitive personal information, however Article 12 states that processing, whether automated or not, is not allowed for information “revealing, directly or indirectly, opinions or political, racial or ethnic, religious, philosophical or trade union affiliations, or data relating to health, including genetic data, sexual life, morals, or measures of a social nature.”

Monaco’s Law defines what a ‘data controller’ is, namely “the natural or legal person, whether private or public, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing and decides on its implementation,” but makes no mention of a ‘data processor.’

A ‘data subject’ is “the person concerned by the processing of personal information is the person to whom the information being processed relates,” and processing of personal information is “any operation or set of operations relating to such information, regardless of the process used,” relating to “the collection, recording, organization, modification, storage, extraction, consultation or destruction of information, as well as the exploitation, interconnection or reconciliation, communication of information by transmission, dissemination or any other form of making it available.” 

 

Who does Law No. 1.165 of Monaco apply to?

Monaco’s Law 1.165 applies to the automated processing of personal data carried out by data controllers established in Monaco, as well as processing carried out in Monaco even if this processing is only intended for use abroad, or for the automated processing of personal information by a controller who is established abroad, but uses processing means located in Monaco.

It also applies to non-automated files likely to be included in a structured set of personal data accessible according to determined criteria.

Talk to one of our experts today about your compliance needs! Speak to an Expert →

Who does Law No. 1.165 of Monaco exempt?

Law No. 1.165 does not apply to data processing carried out pursuant to Article 15 of the Constitution, processing done by judicial authorities for legal proceedings, or for personal or domestic activities by a natural person. 

The law also exempts processing related to literary and artistic expression, journalistic activities, and certain public interest activities.

Data Subject Requests (DSRs): Your Complete Guide

6-things-to-know-about-data-subject-access-requests
What are the requirements for businesses under Law No. 1.165?

Under Monaco’s data privacy law, covered businesses have a series of obligations such as declaring the processing of personal data to the supervisory authority, the Commission de Contrôle des Informations Nominatives (CCIN), obtaining necessary authorizations, ensuring data accuracy, and maintaining data security. In addition to the text of the law, the CCIN has also issued guidelines to help covered entities understand their obligations under the law or the procedure for submitting a request with the CCIN.

Data controllers, natural persons or legal entities under private law that wish to conduct automated processing of personal data have to notify the chairman of the CCIN. The notification has to confirm that the data processing meets the requirements of the law and the Commission will issue a receipt which allows the automated processing of personal data but does not exempt the notifying entity of liability. 

In the case of public authorities or certain private bodies that want to use automated systems to process personal data, these must get approval from the CCIN, who reviews and issues an opinion following a notification submitted with them, which  is then published in the official Journal de Monaco, along with the Commission's opinion. 

When it comes to health research, any entity—public or private—must first seek the Commission’s opinion before processing personal data. Should the Commission disapprove, government approval becomes necessary to move forward. It's important to note that these rules do not apply to medical research as defined  by Law No. 1,265 of 23 December 2002., which follows a different set of regulations.

In either case, in order to submit a valid request, entities have to include the following:

      • Who is submitting the request (their identity, the data controller's, and their representative if in Monaco).
      • What the data processing involves (purpose, name, and justification).
      • Who manages the data and how people can access it.
      • Who has access to the data.
      • What data is processed, where it comes from, how long it's kept, and who receives it.
      • If data is linked or transferred to others.
      • Security measures taken.
      • If data is sent abroad.

All data processing activities are documented in a registry that records the dates and key details of each process. This registry is accessible to the public, and is updated every year before April 1st, although some sensitive information might be excluded to protect privacy.

In addition to this, Monaco Law No. 1.165 also establishes obligations for covered entities related to the way personal data is processed: 

      • personal data has to be collected and handled fairly, with a clear and lawful purpose, and it should be kept accurate and up to date; 
      • personal data should only be retained for as long as necessary to fulfill its intended purpose;
      • data processing can only be conducted based on the consent of the individual, legal obligations, public interest, the execution of a contract, or a legitimate interest that does not infringe on the rights and freedoms of individuals; 
      • sensitive data, such as information related to public security or criminal offenses, can only be processed by judicial or administrative authorities within their legal mandates. In exceptional cases, other entities may process such data with the Commission’s approval, provided it is essential for a legitimate purpose and respects the rights of those involved.
      • processing personal data that reveals sensitive aspects like political opinions, religion, race, or health is strictly controlled and can only be processed with explicit consent from the individual or under specific legal justification;
      • for the purpose of security and confidentiality in personal data processing, covered entities have to implement appropriate technical and organizational measures to protect it from unauthorized access, loss, or destruction; 
      • if third-party services are used, these services must also adhere to the same stringent security standards and the same applies where subcontractors are used; this is only allowed if  they comply with the same security obligations as the primary service providers.

See how Clym can facilitate compliance with Monaco's Law No. 1.165 

Book a Demo

What are the consumer rights under Law No. 1.165?

Under Monaco's personal information protection law, data subjects have the right to:

  • Access  
  • Correct
  • Delete
  • Object to the processing of their personal data for legitimate reasons 
  • Object to the sharing of their personal data with third parties for commercial purposes.

How to respond to consumer requests under Law No. 1.165?

Data controllers must respond to consumer requests within one month, providing the requested information in a clear and accessible format. If a request is deemed abusive due to its frequency, the Commission may grant an exemption from the obligation to respond. 

The law makes no mention of any extension possible.

Easy Ways to Manage Your of Data Subject Access Requests (DSARs)

data subject access request clym

Law No. 1.165 enforcement and penalties

The Commission de Contrôle des Informations Nominatives is responsible for monitoring compliance and can issue warnings, formal notices, and injunctions. 

Violations of the law can result in penalties, including imprisonment for up to one year and fines as prescribed by the country’s Penal Code. The Commission may also order the destruction of data or prohibit further data processing. 

Data Subject Rights - GDPR vs. Law No. 1.165

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 50+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

 

See Clym in action today!

FAQs about Monaco's Law No. 1.165

What does Monaco's Law No. 1.165 apply to?
Monaco’s Law 1.165 applies to the automated processing of personal data carried out by data controllers established in Monaco, as well as processing carried out in Monaco even if this processing is only intended for use abroad, or for the automated processing of personal information by a controller who is established abroad, but uses processing means located in Monaco. It also applies to non-automated files likely to be included in a structured set of personal data accessible according to determined criteria.
What is exempt under Monaco's Law No. 1.165?

Law No. 1.165 does not apply to data processing carried out pursuant to Article 15 of the Constitution, processing done by judicial authorities for legal proceedings, or for personal or domestic activities by a natural person. 

The law also exempts processing related to literary and artistic expression, journalistic activities, and certain public interest activities.




What data subject rights does Monaco's Law No. 1.165 grant?

Under the Monaco data privacy law, data subjects have the right to:

  • Access  
  • Correct
  • Delete
  • Object to the processing of their personal data for legitimate reasons 
  • Object to the sharing of their personal data with third parties for commercial purposes.
What are the penalties for non-compliance with Monaco's Law No. 1.165?

Violations of Monaco's privacy law can result in penalties, including imprisonment for up to one year and fines as prescribed by the country’s Penal Code.

illustration of means of contact

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596