Monaco Data Protection: What Every Business Must Do Under Law 1.565
Compliance·5 min read·3 April 2026

Monaco's Law n° 1.565 is now in force. Here's what your business needs to do to comply with the APDP before the compliance deadlines pass.

Monaco Has Its Own Data Protection Law — And the Clock Is Running

Monaco is not an EU member state and is not directly subject to the GDPR. But that does not mean businesses operating in the Principality can ignore data protection obligations.

On 3 December 2024, Monaco adopted Law n° 1.565 on personal data protection — a comprehensive framework inspired by European standards but adapted to Monegasque law. The supervisory authority is now the APDP (Autorité Protectrice des Données Personnelles), which replaced the previous CCIN.

If your business collects, stores, or processes personal data in Monaco — customer contact details, payment information, website analytics, employee records — this law applies to you. Compliance deadlines are running now.

What Law 1.565 Requires

The law establishes a set of obligations broadly similar in structure to the GDPR, though it operates under Monegasque jurisdiction:

  • Lawful basis for processing: You must have a valid legal ground for every type of personal data you collect.
  • Processing register: You must maintain a record of all data processing activities your business carries out.
  • Data subject rights: Individuals have rights to access, rectify, and in certain cases erase their data.
  • Security obligations: You must implement appropriate technical and organisational measures to protect personal data.
  • Data breach notification: Breaches must be reported to the APDP within set timeframes.
  • Data Protection Officer: Certain categories of business are required to appoint a DPO.

The APDP can impose fines of up to €10 million for serious violations. These are not symbolic amounts for a jurisdiction the size of Monaco.

The Compliance Timelines You Need to Know

The law includes transition provisions for businesses that were already processing data before it came into force. Key timelines to understand:

  • One-year transition: Existing processing operations generally have one year to be brought into compliance from the date the law took effect. For many businesses, this window is closing in 2025–2026.
  • Three-year window: High-risk processing activities requiring a Data Protection Impact Assessment (DPIA) have a three-year transition period.

If you have not yet audited your data practices or updated your privacy documentation, time is running short. Businesses that started processing data after the law's entry into force have no transition grace period and must comply immediately.

When in doubt about your specific situation, consult a qualified legal adviser with knowledge of Monegasque law. Our data protection compliance service can help you assess your digital touchpoints — but for formal legal guidance, always engage a licensed professional.

Where Most Monaco Businesses Are Exposed

Many business owners assume their exposure is limited to large databases or sensitive records. In practice, data protection obligations arise from everyday digital operations:

  • Your website: Contact forms, analytics cookies, newsletter sign-ups, and live chat tools all involve personal data. Your privacy policy must reflect what you actually collect and why.
  • Email marketing and CRM systems: Every subscriber list, automated sequence, and customer record is subject to the law's requirements.
  • Third-party tools: If you use a CRM, booking platform, or payment provider that processes data on your behalf, you likely need a data processing agreement in place.
  • Online advertising: Retargeting pixels and ad platform integrations that track user behaviour are within scope.

This is particularly relevant for any business that has recently invested in AI tools or automation — data fed into AI systems is still personal data and subject to the same protections.

What to Do Now

A practical starting point for most businesses:

  1. Audit your data flows: Map what personal data you collect, where it goes, and who has access. This is the foundation of your processing register.
  2. Review your website: Check that your privacy policy, cookie notice, and consent mechanisms are up to date and accurate. If your site was built before December 2024, it likely needs updating.
  3. Check your contracts: If you use third-party platforms or processors, ensure your agreements include appropriate data processing terms.
  4. Assess DPO requirements: Understand whether your business category requires appointing a Data Protection Officer.
  5. Document everything: Under Law 1.565, the ability to demonstrate compliance — not just achieve it — is essential.

A well-structured digital strategy will incorporate privacy and compliance into your operations from the outset, rather than treating them as a retroactive fix.

APDP vs CCIN: What Changed

The APDP replaced the CCIN (Commission de Contrôle des Informations Nominatives), which had supervised data protection in Monaco under the previous framework. The APDP has a broader mandate, strengthened powers, and is the body responsible for receiving breach notifications, handling complaints, and enforcing Law 1.565.

Update any internal documentation or privacy policies that still reference the CCIN as the supervisory authority — that is now out of date.

Monaco Is Not the EU — But Standards Are Comparable

A point worth emphasising for businesses operating across borders: Monaco's new law is GDPR-inspired but is not the GDPR. Monaco is not an EU member state. EU regulations do not automatically apply in the Principality. However, the GDPR may still apply to your business if you are targeting EU residents from Monaco — for example, through an e-commerce site that serves customers in France or Italy.

If you operate in both Monaco and EU markets, you may need to satisfy obligations under both frameworks. This is a legal question requiring professional advice.

The practical implication for your web design is straightforward: build your digital presence with privacy compliance built in, not bolted on afterwards. Cookie consent, privacy policies, and data handling practices should reflect where your business actually operates and who your customers are.

Get Your Digital Compliance in Order

BSS Digital Agency works with Monaco businesses to review, rebuild, and future-proof their digital presence — including the privacy and compliance elements that are increasingly non-negotiable.

If your website, CRM, or marketing operations need a compliance review, get in touch and we can assess what needs to change.

BSS Digital Agency
