Obligation to safeguard the security and confidentiality of the information
An obligation of general security
Under Article 17 of the law, the data controller must ensure the security and confidentiality of the data. That is, he "must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, corruption, unauthorised disclosure or access".
"The measures implemented must ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected."
In the event that the data controller works with one or more subcontractors, the security measures in place must adhere to the same conditions.
Furthermore, processing carried out by a subcontractor must be governed by a written agreement between the subcontractor and the data controller. That agreement must stipulate specifically that the subcontractor and his employees act solely on the instructions of the data controller, and that the subcontractor is also bound by the obligations relating to the security of the processing.
An obligation of enhanced security
Article 17-1 of the law requires additional security measures for processing:
- Of interest to public security relating to offences, convictions, or security measures and/or which have the purpose of preventing, investigating, establishing or prosecuting criminal offences or the execution of criminal convictions (Article 11);
- Relating to suspected unlawful activities, offences or security measures or including biometric data required to check a person's identity or for the purpose of surveillance (Article 11-1);
For such processing, the data controller must implement the appropriate technical and organizational measures stipulated by Sovereign Ordinance.
More specifically, these measures shall aim to establish a list of named authorised persons who alone shall have access, strictly limited to what their duties require, to the premises and facilities used for processing and to the data being processed.
The data controller shall also ensure that the recipients of processed data can be clearly identified.
Obligation of information
Under Article 14 of the law, the persons from whom personal data is collected must be informed of:
- The identity of the data controller and, if applicable, the identity of their representative in Monaco;
- The purpose of processing;
- The obligatory or optional nature of replies;
- The consequences of failure to reply;
- The identity of recipients or categories of recipients;
- Their right to oppose, access and amend their data;
- Their right to oppose the use of their information on behalf of a third party, or the disclosure of their personal data to a third party for the purposes of prospection, particularly commercial prospection.
Where personal data is not collected directly from the data subject, the data controller or their representative must provide the data subject with the information listed in the previous paragraph, except where:
- The data subject has already been informed;
- It is impossible to inform the data subject;
- Where informing the data subject would involve disproportionate measures with regard to the utility of the action;
- If the collection or disclosure of the data has been expressly provided for by legislative or regulatory provisions.
Obligation to ensure a right to access
The data controller or their representative must set up, and communicate to the CCIN during the formal procedure, the measures required to ensure that all persons who wish to exercise their right of access can do so (Article 15).
Any person who can prove their identity may obtain from the data controller or their representative the following information:
- The purpose or purposes of the processing;
- The different categories of the information;
- The recipients to whom the data is disclosed.
Such data must be communicated in written, non-coded form that corresponds to the data as stored.
Obligation to amend and to delete data
The data controller must ensure the quality of the personal information being processed. He shall take all appropriate measures to supplement or amend, ex officio, data which is erroneous or incomplete (Article 15-2).
The data controller must also delete the personal data once the storage period has expired.
The penalties
Law No. 1.165 provides for the following penalties.
Any natural or legal person governed by private law shall be subject to one to six months' imprisonment and a fine as provided for by the Criminal Code where they:
- Carry out or attempt to carry out the automated processing of personal data or continue or attempt to continue to carry out such processing without having performed the required prior formal procedure or having obtained the authorisations;
- Voluntarily refrain from communicating to a data subject their personal data, or from amending or deleting any of such information which has proved to be imprecise, incomplete, equivocal or collected in violation of the law;
- As a result of imprudent or negligent behaviour, do not maintain or cause to be maintained the security of personal data or divulge or allow to be divulged data which has the effect of damaging the reputation of a person or encroaching upon their private or family life;
- Retain personal data beyond the storage period indicated in the declaration, the legal advisory request or the authorisation request or the storage period fixed by the Commission de Contrôle des Informations Nominatives (CCIN);
- Transfer personal data or cause it to be transferred to countries or organizations without an adequate level of protection;
- Collect personal data without the data subject having been informed, except where informing that person proves to be impossible or involves disproportionate efforts, or if the collection or disclosure of such data is expressly provided for by applicable legislative or regulatory provisions.
Any natural or legal person governed by private law shall also be subject to three months' to one year's imprisonment and a fine as provided for by the Criminal Code where they:
- Collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used, personal data that is reserved for certain authorities, establishments, organizations and natural persons or data which is likely to reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data in the field of health, including genetic data, data pertaining to sex life, lifestyle or social welfare measures;
- Collect or cause to be collected personal data by using or inciting to be used fraudulent, injurious or unlawful means;
- Deliberately prevent or hinder investigations carried out in application of the law or do not provide information or documents requested;
- Knowingly communicate or cause to be communicated inaccurate information or documents either to data subjects or to the persons in charge of the necessary investigations;
- Collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used personal data despite the opposition of data subjects, apart from the cases provided for by the law;
- With the exception of the competent authorities, knowingly collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used personal data with or without biometric data in respect of offences, convictions or security measures or which have the purpose of preventing, investigating, establishing or prosecuting criminal offences or the execution of criminal convictions or security measures;
- Knowingly, collect or cause to be collected, record or cause to be recorded, store or cause to be stored, use or cause to be used personal data relating to suspected unlawful activities, offences, security measures or including biometric data required to check persons' identities or for the purposes of surveillance without having obtained the authorisation;
- Knowingly communicate information to persons not qualified to receive it, where the disclosure of such data may damage the reputation of a natural person or encroach upon their private and family life;
- Knowingly use or cause to be used personal data for other purposes than those described in the declaration, request for an opinion or application for authorisation.
The same penalties apply to persons in charge of processing who communicate information to persons not qualified to receive it where its disclosure may damage a person's reputation, or who use the collected information for a purpose other than the one stated in the declaration, legal advisory request or authorisation request.
Any conviction may result in the declaration ceasing to have effect and in its removal from the register of data processing.