Data Privacy in Monaco: CCIN, Law No. 1.165 and Personal Data Protection
Guide to data privacy in Monaco — the CCIN supervisory authority, Law No. 1.165 on personal data protection, GDPR-like framework, data subject rights, business obligations, and penalties.

Overview
Monaco has maintained a comprehensive data protection framework since 1993, when Law No. 1.165 of 23 December 1993 on the protection of personal data (Loi n° 1.165 relative à la protection des informations nominatives) was enacted. This law, subsequently amended — most notably by Law No. 1.462 of 28 June 2018 — provides a framework broadly comparable to the European Union's General Data Protection Regulation (GDPR), although Monaco is not an EU or EEA member state and is not directly subject to GDPR.
The independent supervisory authority responsible for enforcing data protection in Monaco is the CCIN (Commission de Contrôle des Informations Nominatives).
The CCIN
The CCIN is Monaco's data protection authority, established by Law No. 1.165. It operates independently and is tasked with:
- Receiving and reviewing declarations and authorisation requests from data controllers
- Investigating complaints from data subjects
- Conducting audits and inspections of data processing activities
- Issuing recommendations, warnings, and sanctions
- Advising the government on data protection matters
The CCIN is composed of members appointed by Sovereign Ordinance. Its decisions and recommendations are published and available on ccin.mc.
Law No. 1.165 — key principles
Monaco's data protection law establishes principles similar to those found in GDPR:
Lawfulness and purpose limitation
Personal data must be processed lawfully and for specified, explicit, and legitimate purposes. Data must not be further processed in a manner incompatible with those purposes.
Data minimisation
Only data that is adequate, relevant, and not excessive in relation to the purpose may be collected and processed.
Accuracy
Data controllers must take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate data must be corrected or erased.
Storage limitation
Personal data must not be kept for longer than is necessary for the purposes for which it was collected. Specific retention periods may apply depending on the sector.
Security
Data controllers must implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction.
Data subject rights
Individuals whose data is processed in Monaco enjoy the following rights:
- Right of access — the right to obtain confirmation of whether personal data is being processed and to access that data.
- Right of rectification — the right to have inaccurate personal data corrected.
- Right of erasure — the right to request deletion of personal data in certain circumstances.
- Right to object — the right to object to processing on legitimate grounds.
- Right to information — data controllers must inform individuals about the processing of their data, including the purposes and recipients.
Data subjects exercise these rights by contacting the data controller directly. If the controller does not respond satisfactorily, a complaint may be filed with the CCIN.
Business obligations
Declaration and authorisation
Before commencing any personal data processing, data controllers established in Monaco must file a declaration (déclaration) with the CCIN. Certain categories of processing — particularly those involving sensitive data, biometric data, or large-scale profiling — require prior authorisation from the CCIN.
This declaration/authorisation system is one of the notable differences from the GDPR model, which generally relies on accountability and record-keeping rather than prior approval.
Data protection officer
While not always mandatory under Monegasque law, the appointment of a data protection officer (correspondant à la protection des données) is strongly recommended for organisations processing significant volumes of personal data. The CCIN provides guidance on when appointment is advisable.
Data transfers abroad
Transfers of personal data outside Monaco are permitted only to countries or organisations that ensure an adequate level of protection. The CCIN assesses the adequacy of foreign data protection regimes. For transfers to jurisdictions without adequate protection, specific safeguards — such as contractual clauses approved by the CCIN — must be in place.
Data breach notification
Data controllers must notify the CCIN of personal data breaches that are likely to result in a risk to the rights and freedoms of individuals. Notification must be made without undue delay.
Penalties
The CCIN has the power to impose administrative sanctions for breaches of Law No. 1.165, including:
- Formal warnings (mise en demeure)
- Orders to cease processing
- Temporary or permanent bans on processing
- Financial penalties
Additionally, criminal penalties may apply under the Monegasque Criminal Code for serious violations, including unlawful data processing, failure to comply with CCIN orders, and breach of data security obligations.
GDPR relationship
Although Monaco is not subject to the GDPR, the 2018 amendments to Law No. 1.165 brought Monegasque data protection law into closer alignment with EU standards. In practice, many Monaco-based businesses that interact with EU customers or partners choose to comply with GDPR in addition to Monegasque law.
The European Commission has not issued a formal adequacy decision regarding Monaco, which means that data transfers between the EU and Monaco may require specific safeguards under EU law.
Practical tips
- Businesses processing personal data in Monaco must file a declaration with the CCIN before commencing processing.
- Review the CCIN's published guidance at ccin.mc for sector-specific recommendations.
- If your business serves EU customers, consider dual compliance with both Monegasque law and GDPR.
- Respond promptly to data subject access requests — the CCIN takes complaints about non-response seriously.
- Maintain records of your data processing activities and data protection measures.
The information provided is for general guidance only. For official procedures, always consult the official sources.
