In the world of data, data processing has become the ultimate sensitive subject, particularly when it comes to personal data. Agnès LEPAULMIER, Secretary-General of the CCIN, offers an update on how the Authority’s work is changing.
Do a lot of people contact the CCIN?
Yes. People are increasingly thinking about protecting their rights.
We have received numerous complaints relating to the use of work email accounts, such as using the named email addresses of some employees who have left the company. Teleworking has prompted many questions, for example on the rules for the use of webcams at home... When we receive repeated questions, we list the situations that are causing a problem and use our website to provide the necessary information. We are trying to be responsive.
What development is going to have the biggest impact on the CCIN?
It’s got to be the submission to the National Council of the bill on protecting personal data. The Minister of State must consult us on bills which have an impact on personal data. Having worked with government departments since 2018, we were officially approached in 2020 to review the bill, and then in 2021 to look at a slightly amended bill. We once again provided an opinion so that the bill could be submitted to the National Council before the end of 2021, and we are currently working on the draft implementing Sovereign Ordinance.
Why is this bill important?
It seeks to draw on the General Data Protection Regulation (GDPR), which has applied in the European Union since 2018. It’s a real paradigm shift in terms of compliance around personal data.
Currently, all organisations must complete certain formalities in advance of any automated processing of personal data. The new legislation abolishes the majority of these formalities. If audited, organisations in the Principality will need to be able to show that they comply with the law. The bill stipulates that if an organisation employs more than 50 staff, they will need to maintain a register of processing activities. In some cases, a Personal Data Protection Officer will need to be appointed and an impact analysis completed.
Can you give an example?
With regard to large-scale processing of sensitive, health-related data, organisations will need to complete an impact analysis internally, taking account of the risks associated with data processing, essential types of data and the security measures that will need to be taken to protect this data. If this impact analysis highlights the persistence of heightened risks, it will need to be submitted to us so that the measures required to maintain data security can be put in place.
Is this a positive development?
Absolutely. The formalities that have to be completed in advance are very burdensome for organisations like the CCIN. Some processing which is not detrimental to freedoms currently has to pass through the filter of preliminary CCIN checks, and this doesn’t make much sense. At the moment, Monaco is not recognised by the European Union as having a sufficient level of protection in place for personal data. Some organisations in Europe therefore have difficulties transferring their data to Monaco. This makes it all the more vital to adopt international standards, and many companies based in Monaco are already very familiar with them.
Is the CCIN going to change its name?
Yes! It will become the Personal Data Protection Authority (APDP), responsible for more audits and working to implement and explain the new legislation and new obligations, including the obligation to notify the APDP of personal data breaches as quickly as possible. The APDP will be able to impose sanctions in the form of administrative fines.
We are starting to put together an action plan for fulfilling our future role, and we will soon welcome two new members.