Data & Privacy · Monaco
Monaco enacted a comprehensive, GDPR-aligned personal data protection law — Law No. 1.565 — on 3 December 2024, replacing the 1993 Law No. 1.165 on nominal information. The law established the APDP (replacing the former CCIN) as an independent supervisory authority with strong sanctioning powers. Monaco is actively seeking an EU adequacy decision; as of mid-2026 the European Commission review is ongoing and no adequacy decision has been granted.
Law No. 1.565 (118 articles, 10 chapters) entered into force in December 2024, aligning Monaco with the GDPR, the EU Law Enforcement Directive (2016/680), and Council of Europe Convention 108+. It replaced Law No. 1.165 of 23 December 1993.
The Autorité de Protection des Données Personnelles (APDP) is the new independent supervisory authority, formally replacing the Commission de Contrôle des Informations Nominatives (CCIN). It advises controllers and processors, handles data-subject complaints, and conducts enforcement.
Law 1.565 introduces rights not present in the 1993 law: right to data portability, right to erasure ('right to be forgotten'), and right to restrict processing, alongside existing rights of access, rectification, and objection.
Controllers must maintain records of processing activities, apply data-protection-by-design and by-default, conduct DPIAs for high-risk processing, designate a DPO where required, and formalise contracts with processors. Sovereign Ordinance No. 11.327 of 10 July 2025 and Ministerial Order No. 2025-361 of 14 July 2025 provide implementing rules.
Controllers must notify the APDP of any personal data breach likely to pose a risk to data subjects' rights within 72 hours of becoming aware of it; where notification is delayed, the reasons for the delay must accompany it. High-risk breaches must also be communicated to affected individuals.
The APDP can impose fines up to €5 million / 2% of global turnover (lower tier) or €10 million / 4% of global turnover (upper tier), mirroring GDPR levels. Monaco is seeking an EU adequacy decision; the European Commission review is in progress as of 2026, so cross-border EU-Monaco data transfers currently require appropriate safeguards such as SCCs.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.