CCIN Monaco: Formalities, Declaration Regimes, and Procedures
The four declaration procedure regimes at the CCIN
To bring your organization into compliance with the amended Law No. 1.165 of December 23, 1993, governing the processing of personal data in Monaco, four declaration regimes are available to you:
- The standard declaration
- The simplified declaration
- The authorization request
- The opinion request.
1. Standard declaration regime of the CCIN
The so-called «standard» regime is the common framework for private individuals and legal entities, covering all cases not addressed by other formal frameworks.
According to Article 8 – 7° of Law No. 1.165, the declaration must state «the measures taken to ensure the security of processing and information and the guarantee of secrets protected by law.»
This standard declaration regime consists of compiling and submitting a complete file in accordance with Article 8 – 7° of Law No. 1.165 to the CCIN.
To be complete, this file must, in particular, list «the measures taken to ensure the security of processing and information and the guarantee of secrets protected by law.»
This file must include, in particular, the following elements:
- Identification of the data processing manager and the signer
- All relevant information about the company
- Justification for processing personal data
- Identification/password policy
- The entity’s IT charter
- Presence of confidentiality clauses: contracts with employees and third parties (suppliers and clients, IT service providers and subcontractors…)
- Systems for security and protection of access and data (antivirus, encryption, firewall use, password security, biometrics…).
If approved by the President of the CCIN, the data processing manager receives a receipt of implementation. If the file is incomplete, it is returned for regularization.
2. Simplified declaration regime of the CCIN
Contrary to some misconceptions, the simplified declaration regime can be complex to implement and applies only in specific cases.
Indeed, a simplified declaration must conform in all respects to the exact conditions determined by a specific Ministerial Order.
This formality is available, and particularly useful, for specific declarations related to the administrative management of employees, payroll file management, employee representative elections, supplier file management, or data related to the management and negotiation of real estate properties.
However, even in these cases, it is important to note that any single element not conforming to the conditions of the Ministerial Order can render the use of simplified declaration null and void.
Furthermore, using the simplified declaration does not in any way exempt the data processing manager from implementing the technical measures necessary to ensure the security of the processing and of the personal information it contains.
3. Authorization request regime of the CCIN
The CCIN’s authorization request procedure is generally reserved for specific cases of automated processing of personal data relating to suspicions of illicit activities, offenses, or security measures.
Concretely, this formality is commonly used for prior authorization to install video surveillance systems or secure access through biometrics.
The implementation of such devices is subject to a comprehensive list of specific constraints governed by Article 7 of the amended Law No. 1.165 of December 23, 1993. For the installation of surveillance cameras, for example, the CCIN summarizes these constraints in its 10 commandments on video surveillance.
Furthermore, the authorization request regime applies to all processing involving data transfers to countries that do not have an adequate level of protection.
If the Commission refuses the authorization file, the processing cannot be implemented, and no operations can be carried out.
4. Opinion request regime of the CCIN
The CCIN’s opinion request procedure is a formality strictly used in the health sector and only within the context of personal data processing related to medical research.
Thus, under Article 7.1 of the amended Law No. 1.165 of December 23, 1993: «The processing managers, whether individuals or legal entities, may only implement automated processing of personal information for the purpose of research in the health sector after receiving a reasoned opinion from the commission for the control of personal information.»
The purpose of processing medical data must also be limited to specific and regulated uses (preventive medicine, diagnosis, care, drug prescriptions, health services, foresight, research…), and is possible only after written and express consent.
The only exceptions are the public disclosure of this information by the concerned individual, the defense of a right in court, or a legal obligation.
This regime is also subject to specific procedures, notably for modification or deletion. For example, as soon as a change occurs in any of the elements of the automated processing, the processing manager must compile a new file and submit a new declaration.