Law on the Protection of Personal Information Monaco

Overview

Monaco’s Data Protection Law, represented by the amended Loi n° 1.565 of 2024, establishes a framework for protecting personal data in line with international standards, including the EU GDPR and the Council of Europe’s Convention 108+. The regulation mandates transparency, fairness, and responsibility in personal data processing, ensuring safeguards for individual rights and freedoms. The law applies to both public and private entities, with particular emphasis on sensitive personal data and cross-border transfers.

Regulation Summary

Timeline
  • December 3, 2024 – Law adopted.
  • December 13, 2024 – Law published in the Journal de Monaco.
  • December 14, 2024 – Law comes into effect.
  • December 14, 2025 – General compliance deadline for data controllers.
  • December 14, 2027 – Compliance deadline for high-risk processing risk analyses.
What Businesses Are Affected?
  • All businesses operating in Monaco or processing data of Monaco residents.
  • Foreign businesses offering goods or services to Monaco residents.
  • Public and private sector organizations handling personal data.
Exemptions
  • Personal or household data processing.
  • National security and law enforcement activities.
  • Anonymized data that cannot be linked to individuals.
Responsibilities for Businesses
  • Obtain informed consent.
  • Provide clear and accessible privacy policies.
  • Implement security measures.
  • Ensure data accuracy and allow corrections.
  • Report data breaches to the Autorité de Protection des Données Personnelles (APDP).
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
  • Implement privacy by design and by default principles.
  • Maintain records of processing activities.
  • Establish clear contracts with data processors outlining security and compliance measures.
Specific Responsibilities for Website Owners
  • Publish a privacy notice.
  • Allow users to withdraw consent.
  • Ensure secure data handling.
  • Manage cookies and tracking preferences.
  • Implement mechanisms to respect user rights, including objections to automated decision-making.
Additional Requirements
  • Restrictions on cross-border data transfers.
  • Parental consent for processing children’s data.
  • Maintain processing records.
  • Mandatory appointment of a Data Protection Officer (DPO) in certain cases.
  • Special APDP notification required for processing sensitive data, criminal offenses, genetic/biometric data, or certain health research.
Data Subject Rights
  • Right to information & access.
  • Right to rectification & erasure (Right to be Forgotten).
  • Right to restriction & objection to processing.
  • Right to data portability & not to be subject to automated decisions.
Enforcement
  • Regulated by Autorité de Protection des Données Personnelles (APDP).
  • Fines of up to €10 million or 4% of the company's global annual turnover, whichever is higher, for severe violations.
  • Corrective actions, including suspension of data transfers and processing limitations.