The Commission for the Protection of Personal Data – CCIN - invited by the Monegasque Association for Financial Activities - AMAF

2016-03 agnes

On 9 March last, AMAF invited the CCIN to meet its members for a conference on the subject of the automatic exchange of information. The event was brilliantly orchestrated by Mrs Agnès LEPAULMIER, Secretary General of the CCIN, and Messrs AOUIZERAT and MENINI, Legal Administrators specialising in finance. You will find below a transcript of what was said.

I am delighted with the wonderful relations built up with AMAF. We discuss on a regular basis and hold quarterly meetings. This enables us, I believe, to find fundamental solutions to the issues at hand. I would like to remind you that our main wish is to help banks and asset management companies to comply with the law.

The first topic we will discuss is the implementation of provisions on the automatic exchange of information. What type of information must you pass on to the Monegasque authorities? What information must you give to your clients?

This draft "Agreement between the European Community and the Principality of Monaco foreseeing measures equivalent to those in Council Directive 2003/48/CE" was submitted to the CCIN which issued an opinion on 16 December 2015.

This draft law comprises:

  • a preamble;
  • 10 articles;
  • an Annex I – Common standards in matters of declarations and due diligence concerning information relating to financial accounts, which comprises 9 sections;
  • an Annex II – Complementary rules in matters of declarations and due diligence concerning information relating to financial accounts;
  • an Annex III devoted to "Extra guarantees in matters of protecting and processing data collected and exchanged within the framework of the agreement";
  • an Annex IV – List of competent authorities of the parties to the contract.

Without entering into the details of the various measures, the law stands out for the considerable number of references made to protecting personal data and also the inclusion of an Annex III devoted entirely to that subject.

Here is the OECD's definition of the automatic exchange of information:
"Automatic exchange of information (also called routine exchange by some countries) involves the systematic and periodic transmission of “bulk” taxpayer information by the source country to the residence country concerning various categories of income (e.g. dividends, interest, royalties, salaries, pensions, etc.)."

Also from the OECD:

"The systematic and periodic transmission of “bulk” information concerning various categories of income (dividends, interest, royalties, salaries, pensions, etc.) by the source country to the taxpayer's country of residence. The automatic exchange of information can provide timely information on non-compliance where tax has been evaded either on an investment return or the underlying capital sum. It can help detect cases of noncompliance even where tax administrations have had no previous indications of such."

It is important to note the systematic nature of information sharing by the competent tax authorities in signatory States, without being triggered by a request, as per the OECD Common Reporting Standard (CRS).

It is clear that the system is entirely founded on the role played by banks and financial institutions. They are fully responsible.

Signatory States will have to put the onus on financial institutions to collect from non-resident clients (identified as such in accordance with the CRS rules) certain pieces of information relating to the identification of clients and their financial assets (account number, balance or value of the account, etc.) and to forward said information to their tax authority.
Only subsequently will the tax authority pass collected information to competent authorities in the partner jurisdiction where the client resides for tax purposes.

There are two immediate consequences.

  • The extreme vigilance that is necessary when implementing the CRS. The information communicated by the reporting institution is passed on by the competent tax authority to its counterparts.
  • The need to take stock of the Automatic Processing of Personal Data by financial institutions.

What information is covered by the Automatic Processing of Personal Data?

  • in the absence of documentary proof of the current place of residence of the account holder, the financial institution "must examine the data that it keeps and that may be searched electronically with a view to finding one or more indications";
  • indications are likely to be found in existing electronic processes, in paper files or by collecting intelligence from customer account managers;
  • in certain cases, an in-depth examination is carried out by searching electronically and in paper files, notably "the most recent documentation obtained by the reporting financial institution in accordance with Procedures aiming to identify clients and combat money laundering (KYC/AML) or for other legal reasons."

Such processing may have other characteristics, such as updating existing processes, updating information, better advising concerned individuals in advance, implementing new comparisons or interconnections, calling upon specific service providers.

Why you should do it; or the art of motivation:

Article 10-1 of amended law 1.165 states that "personal data must be collected and processed accurately and according to the law."
Exploiting data from an illegal source or resulting from illegal processing would be incompatible with the measures in article 10-1 of law 1.165 and also with the draft Agreement:
"Serious breaches" include "non-compliance with the confidentiality and data safeguard provisions of this Agreement…"
Vices inherent in primary information collection will be propagated into the subsequent processing of this data at successive levels.

The draft Agreement states that "each Member-State, or Monaco, may allow Reporting Financial Institutions to use service providers to fulfil the reporting and due diligence obligations imposed on such Reporting Financial Institutions, as contemplated in domestic law, but these obligations shall remain the responsibility of the Reporting Financial Institutions." Nevertheless, certain conditions apply to the use of service providers:

  • "if a data controller or its representative uses the services of one or more service providers, it must ensure that the latter can satisfy the obligations [relating to information processing security] mentioned in the above two paragraphs";
  • "data processing by a service provider must be governed by a written contract between the service provider and the data controller or its representative, stipulating in particular that the service provider and the members of its staff are only acting at the request of the data controller or its representative and that the obligations detailed in the first two paragraphs of the present article are also incumbent upon it";  
  • "if the service provider wishes to use one or more sub-contractors to carry out all or part of the services covered by the abovementioned contract, the measures in the above paragraph apply to the latter."

The CCIN will certainly be involved in putting these changes in place and will endeavour to assist you with their implementation. Assistance and anticipation will ensure compliance with the law.

The second subject pertains to the CCIN's powers of investigation. As you know, we have some new powers, but also some new obligations. And you have rights. The right to oppose, for example, and to adversarial procedures, which are reinforced.

But first of all, why were previous powers withdrawn?

The Criminal Court sentences a company head after an investigation.
The company head goes to the Appeal Court and asks for the powers of investigation to be withdrawn for the following reasons:

  • They are not subject to any judicial control and are contrary to the principle of the inviolability of the home;
  • The lack of prior judicial authorisation and of control during operations;
  • The company was not informed of its right to oppose the investigation;
  • Violation of the adversarial principle.

The Appeal Court acknowledges the preliminary issue and refers the case to the Supreme Court:
Three Supreme Court decisions dated 25 October 2013:  

  • Article 18 of law 1.165 constitutes "to the principle of the inviolability of the home, enshrined in article 21 of the Constitution, an infringement that cannot be regarded as proportional to the general interest goal pursued by law 1.165."  
  • because "of the scope of the powers of investigation and penal sanctions, in the absence of any guarantee mentioned in the preliminary issue by the ruling of the Court of 18 March 2013, invoked by the applicant company, or equivalent guarantees."

There are now two distinct control procedures:

  • "Preventive" inspection (art 18-1): right of opposition for private professional premises.
  • Inspection in the wake of a complaint (art 18-2): no right of opposition, but inspection exclusively with prior authorisation from a Judge.

And a common base:

  • Time frame for inspections: between 6am and 9pm, or outside these hours if open to the public or an activity underway.
  • Applying professional secrecy as defined in article 308 of the Penal Code. If professional secrecy is invoked: specify the legislative or regulatory measures to which people are referring and the information they feel is covered by these measures.

Invoking professional secrecy without foundation is an offence.

  • Tasks during an inspection: carry out all necessary verifications, consult all processes, ask for all professional documents in whatsoever form or take copies, using any means, and collect information of value to the mission from any competent person. Access computer programmes and information and ask for them to be transcribed, using any suitable technology, into documents that can be used directly for the needs of the inspection.
  • Personal medical information can only be communicated to a doctor.
  • On-line inspections are possible.

Adversarial procedures are greatly reinforced:

  • Art 18: at the end of inspection operations on site, a report is drawn up after due hearing of the parties.
  • Art 19: if irregularities are detected, a report is sent to the data controller, who has one month in which to make any comments.

At the end of this period, the Chair can send:

  • a warning in the event of non-compliance with obligations inherent in law 1.165;
  • a formal demand to put an end to the irregularities in the event of an intentional refusal to comply.

In the event of non-compliance before the deadline stipulated by the Chair, the CCIN can, after inviting the data controller to provide explanations within a further period of one month, issue an injunction to end data processing or to remove the effects thereof.
If this injunction is not acted upon, the Chair of the CCIN can ask the President of the Court of the First Instance to order the cessation of data processing or the removal of its effects, possibly with a fine.

The Chair can decide to publish the sanctions, but in this case, the data controller may appeal to the Judge, who can order the withdrawal of the publication in the event of a serious and disproportional invasion of privacy or infringement of public safety or the legitimate interests of the individuals concerned.

Finally, ways of simplifying formalities are currently being sought for data processing that manifestly does not entail any infringement of fundamental freedom or rights.

These simplifications could notably concern staff representative elections, the administrative management of employees, professional messaging services, websites, etc.