Obligation to safeguard the security and confidentiality of the information

An obligation of general security

In application of the article 17 of the law, the data controller must ensure the security and confidentiality of the data. That is, he “must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, corruption, unauthorised disclosure or access”

“The measures implemented must ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.”

In the event that the data controller works with one or more service providers, the security measures in place must adhere to the same conditions.

Furthermore, the implementation of processing by a service provider must be governed by a written agreement between the service provider and the data controller that stipulates specifically that the service provider and his employees work under the sole directive of the data controller, and that he is also accountable for the obligations relating to the security of the processing.

An obligation of enhanced security

The article 17-1 of the law enforces additional security measures for the processing:

• Of interest to public security relating to offences, convictions, or security measures and/or which have the purpose of preventing, investigating, establishing or prosecuting criminal offences or the execution of criminal convictions (Article 11);
• Relating to suspected unlawful activities, offences or security measures or including biometric data required to check persons’ identities, or for the purpose of surveillance (Article 11-1);

The data controller must implement the appropriate technical and organisational measures as stipulated by Sovereign Ordinance.

In particular, these measures shall be aimed to establish a list of names of authorised persons who alone shall have access, strictly limited to the accomplishment of their duties, to the premises and facilities used for processing and to the data being processed.

The data controller shall also ensure that the recipients of processed data can be clearly identified.

Obligation of information

For each treatment, the persons from whom personal data is collected must be informed of:

• The identity of the data controller and, if applicable, the identity of their representative in Monaco;
• The purpose of processing (that is, the reason why the data was collected);
• The obligatory or optional nature of replies;
• The consequences for them of failure to reply;
• The identity of recipients or categories of recipients;
• Their right to oppose, access and amend their data;

Where personal data is not collected directly from the data subject, the data controller or their representative must provide the data subject with the information listed in the previous paragraph, except where:

• The data subject has already been informed;
• It is impossible to inform the data subject;
• The communication involves disproportionate measures with regard to the utility of the action;
• If the collection or disclosure of the data has been expressly provided for by legislative or regulatory provisions.

This right to access information does not apply to processing relating to:

• Suspected unlawful activities, offences, and security measures (protection);
• Including biometric data required to check persons’ identities;
• For the purpose of surveillance.

Obligation to ensure a right to access

The data collector must establish required measures to ensure, to all data subjects, the right to access their personal data.

This information must be communicated in written, non-coded form, conforming to the stored data within a delay not exceeding 30 days.

This right to access information does not apply to data processing implemented by judicial and administrative authorities, relating to data of interest to public security, data relating to offences, convictions or security measures and/or data that have the purpose of preventing, investigating, establishing or prosecuting criminal offences or the execution of criminal offences.

Only the right to indirect access is possible. This can be obtained through the CCIN.

Obligation to rectify and to delete data

The data controller must ensure that the personal data being processed are accurate (of good quality).  He must take all required measures to amend, complete, update, when the said data are erroneous or incomplete.

He must also delete the personal nature of the information when the storage period fixed by the Commission expires.