Monegasque DPA vs GDPR: Can you spot the difference?
It would be wrong to infer from the fact that the Principality of Monaco is a non-EU State, that the General Data Protection Regulation (GDPR) will not affect Monegasque companies.
The GDPR is applicable to companies established outside the EU that process personal data of natural persons in the EU for their offering of goods or services to such persons, or for monitoring the behavior of such persons in the EU.
The underlying principles of the GDPR and of the Monegasque Data Protection Act No. 1.165 of 23 December (DPA), consolidated since Act No. 1.454 of 30 October 2017, are similar. However, the GDPR introduces several new and demanding requirements for the Monegasque organisations concerned, which are likely to necessitate new policies, business processes and technologies.
What are the main differences?
Protected persons
The GDPR protects the personal data of natural persons exclusively, while the Monegasque DPA protects those of both natural and legal persons.
Extraterritorial application
The GDPR contains an extraterritorial application rule that does not exist under the Monegasque DPA, in order to avoid the circumvention of the European legislation by a controller or a subcontractor whose establishment is not located on the territory of the EU, but which deals with personal data relating to natural persons residing on the territory of the EU.
For the GDPR to apply to such controllers or subcontractors, the processing activities must be linked to the supply of goods or services (whether or not payment is required) to the persons concerned in the EU, or to the monitoring of their behavior where that behavior takes place in the EU.
Legitimate interests of the controller, including those of a controller to whom personal data may be disclosed, or of a third party
The GDPR is more specific about taking into account the legitimate interest that may constitute a legal basis for the processing, and provides examples of this (existence of a relevant and appropriate link between the data subject and the data controller; transmission of personal data within a group of companies for internal administrative purposes, including the processing of personal data relating to customers or employees; processing to ensure the security of the network and information).
Consent of the person concerned
The GDPR pays particular attention to the consent of the person concerned (definition, conditions applicable to the consent) which does not appear in the Monegasque DPA.
In particular, where consent is given in a written statement that also addresses other issues, the consent request must be presented in a form that clearly distinguishes it from those other issues, in a way that is understandable and easily accessible.
For the Monegasque organisations, this latter rule should involve a new independent consideration of "contract" and "privacy" consents. Consent to general conditions containing a data processing acceptance could thus be insufficient in the light of the GDPR.
Rights of the person concerned
The GDPR provides for a strengthened duty of information to the persons concerned by the data processing, compared with the Monegasque DPA.
- Right of information
Unlike the GDPR, the Monegasque DPA does not require specifying, for example: the legal basis of the processing, the legitimate interests, the intention to transfer data to a third country, the absence of an adequacy decision on the level of protection, the existence of automated decision making (profiling), the data retention period.
- Right of access
Compared with the Monegasque DPA, the GDPR innovates with regard to specific information to be given following the exercise of the right of access, expressly providing for: the retention period, the right to rectification and erasure, the right to complain to the Supervisory Authority, the particular guarantees taken for data transfers to a third country.
- Right to be forgotten
The right to erasure is contained in the Monegasque DPA, but the GDPR is clearer, and sets the conditions for the exercise of the right to digital oblivion.
In particular, to facilitate the exercise of this right, the data controller who made the data public is obliged to inform the other persons responsible for the processing, of the data subject's request to erase any link to data, copies or reproductions.
- Right of limitation
The Monegasque DPA does not provide for the right to label registered personal data, with a view to limiting their future processing, which the GDPR authorizes in enumerated cases.
- Right of opposition
The legislations differ in their approach.
The Monegasque DPA lays down the principle of the exercise of the right of opposition for legitimate reasons, and provides for exceptions.
The GDPR confines the right of opposition on grounds relating to the particular situation of the person concerned to only two processing scenarios, and the controller may, under certain conditions, refuse to implement the right of opposition.
- Right to data portability
The Monegasque DPA does not recognize the right to portability of data.
Data Controllers
The Monegasque DPA does not contain provisions equivalent to those of the GDPR below.
The GDPR expressly imposes on the controller the burden of proving the compliance of the processing activities, and the effectiveness of the technical and organizational measures taken to ensure a level of security that is appropriate to the risk, which it details.
In place of the obligation of the controller of prior notification to the Supervisory Authority, the GDPR imposes the obligation to keep a documentary record of the processing operations, with an exception for companies or organizations with fewer than 250 employees (unless the processing is regular or is likely to create a high risk for the rights and freedoms).
Obligations arise from the principles of data protection from the design of the processing (data protection by design), and the default settings (data protection by default), to ensure that the data protection measures are integrated into the products and services from the early stages of development.
The data controller has the obligation to notify the Supervisory Authority of any breaches of personal data, and to communicate to the data subject any infringements that may create a high risk for rights and freedoms.
Where a processing is likely to create a high risk for the rights and freedoms of natural persons, the controller must perform an impact assessment prior to processing.
The GDPR imposes on the controller in specific cases the obligation to appoint a Data Protection Officer.
Joint Controllers
The Monegasque DPA also addresses joint accountability, but does not provide for a specific legal regime as the GDPR does.
Subcontractors
Compared to the Monegasque law, the GDPR amplifies the obligations of subcontractors, and organizes a subcontracting regime, which is separated from the security duties.
Law No. 1.165 only provides for the appointment of a representative of the controller established abroad.
The GDPR also provides for the obligation of the foreign-based subcontractor when the GDPR applies to its activities, to appoint an EU-based representative, with exceptions.
Transfer of personal data to third countries
The GDPR goes further than Law No. 1.165, by setting up a “right to follow”. Data transferred outside the EU are subject to the GDPR both for the transfer itself and for further processing and further transfers.
In the absence of a European Commission decision finding an adequate level of protection, and in the context of a group of companies facing intra-group transfers of data outside the EU, the GDPR incorporates the Binding Corporate Rules’ system.
The mandatory content imposed is very broad (essential principles, enforceable rights...), which implies a revision for Monaco of the Binding Corporate Rules already adopted.
The GDPR is in everyone's minds in Monaco. Monegasque companies falling under the GDPR will have to adapt to another philosophy of data protection than that of the Monegasque DPA, which is expected to evolve.
Article provided by: Anne Robert and Thomas Giaccardi (Giaccardi Advocats)