Data & Privacy · Monaco
Data protection & privacy law in Monaco (2026)
Monaco shaded by its data & privacy status
Data protection in Monaco: comprehensive law, under Law No. 1.565 of 3 December 2024 on the protection of personal data, implemented by Sovereign Ordinance No. 11.327 of 10 July 2025; supervisory authority: Autorité de Protection des Données Personnelles (APDP), which replaced the former CCIN..
Monaco has a comprehensive GDPR-aligned personal data protection regime under Law No. 1.565 of 3 December 2024, which entered into force in December 2024 and repealed the prior 1993 Law No. 1.165. An independent supervisory authority, the APDP, succeeded the CCIN with strong investigation and sanctioning powers, and Monaco ratified the Council of Europe's modernised Convention 108+ on 6 March 2025. An EU adequacy decision has been formally requested but, as of mid-2026, has not yet been granted, so EU–Monaco transfers still rely on appropriate safeguards.
Key points
Law No. 1.565 of 3 December 2024 (118 articles, 10 chapters) repealed Law No. 1.165 of 1993 and modernised Monaco's data protection regime in line with the EU GDPR and Convention 108+; it largely eliminates the prior declaration/authorisation requirement and shifts to an accountability-based model.
The Autorité de Protection des Données Personnelles (APDP) replaced the former Commission de Contrôle des Informations Nominatives (CCIN). It is an independent authority composed of expert members, with powers of investigation, control, warnings, formal notices, processing restrictions/bans, and administrative fines.
Sovereign Ordinance No. 11.327 of 10 July 2025 (and Ministerial Order No. 2025-361 of 14 July 2025) set out operational implementing rules for Law No. 1.565, including procedural details for APDP control, formalities, and sanctioning procedures.
Data subjects benefit from GDPR-style rights, including access, rectification, erasure, restriction, objection, and data portability. Controllers must keep a register of processing, designate a DPO where required, carry out Data Protection Impact Assessments for high-risk processing, and notify personal data breaches to the APDP.
The APDP may impose administrative fines mirroring GDPR levels — up to €10 million or 4% of worldwide annual turnover for the most serious infringements (€5 million / 2% for the lower tier) — alongside other corrective measures such as processing bans.
Prior APDP authorisation is still required for transfers to countries that do not ensure an adequate level of protection. Monaco ratified the Council of Europe's modernised Convention 108+ on 6 March 2025 and is pursuing an EU adequacy decision; that decision had not been adopted as of mid-2026, so EU-Monaco transfers continue to rely on safeguards such as Standard Contractual Clauses.
Timeline - major decisions & events
Ministerial Order No. 2025-361 of 14 July 2025 supplemented Sovereign Ordinance No. 11.327 with additional procedural rules for the APDP, covering data subject mandate procedures, identity verification, and internal processing traceability requirements for data controllers.
APDP Monaco ↗Law No. 1.578 of 1 July 2025 reinforced obligations for operators of vital importance, raised penalties to up to €150,000 per infraction for individuals (five times that for legal entities), expanded data intermediation services to cover personal data, and added new Trust Services categories in line with EU eIDAS standards.
99 Avocats associés ↗Published in the Journal de Monaco on 13 December 2024 and in force from 14 December 2024, Law No. 1.565 replaces the 1993 statute: it aligns Monaco with Convention 108+ and GDPR principles, eliminates most prior-notification requirements, grants data subjects rights to portability, erasure and restriction, and establishes the APDP with sanctioning powers up to €10 million or 4% of global turnover. Full compliance deadline for data controllers is 14 December 2025.
Gouvernement Princier de Monaco ↗Enacted on the same day as Law 1.565, Law No. 1.566 formally approved Monaco's ratification of the Protocol of Amendment (CETS No. 223) to Convention 108, completing Monaco's international commitment to the updated 'Convention 108+' framework covering AI, big data and biometrics.
Gouvernement Princier de Monaco ↗The CCIN formally sanctioned the Minister of State for unlawfully processing health data collected during the COVID-19 crisis (2020–2022) beyond its original testing purpose and without satisfying Law 1.165 requirements. This was the first time Monaco's supervisory authority publicly sanctioned the national government, establishing that no public body is above the data protection rules.
DL Corporate & Regulatory ↗Monaco was among the first signatories of CETS No. 223 on the day it opened for signature, committing to an updated international data protection standard that addresses modern technologies, mandates stronger supervisory authority powers, and introduces personal data breach notification obligations.
Council of Europe ↗Law No. 1.383 enacted a framework for Monaco's digital economy, establishing formal definitions of personal data and new obligations for electronic communications and online service providers, supplementing the 1993 data protection statute for the internet era.
Gouvernement Princier de Monaco ↗The National Council enacted Law No. 1.354, authorising Monaco to ratify both Convention 108 and the Additional Protocol on supervisory authorities and transborder data flows. Monaco deposited instruments of ratification with the Council of Europe on 24 December 2008, integrating into the European data protection community.
Gouvernement Princier de Monaco ↗Monaco - other topics
Data & Privacy in other countries
Last verified 6/28/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →