Exchanges of data between countries may be defined as personal data transfers. With the globalisation of commercial relations and with the increase of externalisation, we assist in an increase of transfers of personal data. The transfer may be performed by copying, by moving the data via an intermediary network or from one media to another (for example, from the hard drive of a computer to a server). Access to data may also be considered as data transfer.
The Monegasque Legislation distinguishes two types of data transfers that are subject to different rules.
Data transfers to countries with “adequate protection”
Data transfers to countries that do provide adequate protection as defined by Article 20 of the law number 1.165 amended are not subject to the authorisation of the CCIN. Nevertheless, they must be declared in a formal document.
Data transfers to countries without “adequate protection”
During the plenary session held on 15 April 2015, the Commission adopted a position of principle the terms of which data transfers pertaining to personal data to a country or an organisation that does not provide adequate protection shall be, in all circumstances, subject to a data transfer authorisation request, regardless of whether they fall under paragraph 1 or 2 of the Article 20-1 of law number 1.165, amended.
This decision was motivated by the report established by the Legislation Commission on the draft bill number 804, amending the law number 1.165 du 23 December 1993, wherein the said law recognized that “in all events, any transfer to a country or organisation that does not provide adequate protection shall be authorised by the CCIN, who will decide on the basis of a reasoned request, the data controller shall obviously comply to the decision taken by the Commission without further discussion".
During the plenary session held on 16 March 2016, the Commission established that shall be subject to a data transfer authorisation request accesses to data made from a country that does not provide sufficient protection.
Hence, the Commission draws the attention to data controllers of this stand which may influence their future interactions with the Commission.