
GDPR or Law 1.565? What Monaco Businesses Really Need to Comply With
Monaco follows Law 1.565, not the GDPR — but many Monaco businesses must comply with both. Here's how to tell which rules apply to you.
Two Frameworks, One Business
Most Monaco business owners we speak to assume they fall under the GDPR. They don't — at least not by default. Monaco is not an EU member state, the GDPR is an EU regulation, and the Principality has its own data protection law: Law No. 1.565 of 3 December 2024, supervised by the APDP (Autorité de Protection des Données Personnelles).
But here is where it gets interesting. Many Monaco businesses must comply with both Law 1.565 and the GDPR — at the same time, for different parts of the same operation. If you sell to clients in France, run a multilingual website that targets Italy, or store customer data on a French cloud provider, you have entered EU regulatory territory whether you realise it or not.
This article is the practical breakdown of which framework applies, when, and what that means for your website, CRM, and digital operations.
When Law 1.565 Is the Only Law You Need
Law 1.565 governs personal data processing carried out in the context of activities established in Monaco. If your business operates entirely within the Principality — Monaco-based customers, Monaco-resident staff, Monaco-hosted infrastructure, no marketing aimed at EU residents — then Law 1.565 is your primary obligation and the APDP is your supervisory authority.
The framework was inspired by European standards. It covers lawful basis for processing, data subject rights, a processing register, breach notification, and a Data Protection Officer requirement for certain categories of business. The structure will feel familiar to anyone who has dealt with GDPR.
What is not the same is the jurisdiction. The APDP enforces Monaco law in Monaco. Complaints filed by Monaco residents go to the APDP, not to a French or Italian regulator. Local compliance documentation — privacy notices, consent records, processing registers — must reference Law 1.565 and the APDP, not the GDPR.
When the GDPR Applies On Top of Law 1.565
The GDPR has extraterritorial reach. Article 3 makes the regulation apply to non-EU businesses when they:
- Offer goods or services to individuals located in the EU — even free services, even without payment.
- Monitor the behaviour of individuals in the EU — typically through analytics, retargeting, or profiling.
For Monaco businesses, both triggers are extremely common. A restaurant in Monaco that accepts bookings from French residents through its website is offering services to EU individuals. A Monaco e-commerce store that ships to Italy is offering goods. A real estate agency that runs Meta retargeting campaigns aimed at EU buyers is monitoring behaviour.
When the GDPR applies extraterritorially, you must comply with it in addition to Law 1.565, and you may be required to appoint an EU representative under Article 27. This is a separate legal role from a DPO. Many Monaco businesses simply do not have this in place because they assume they are outside EU scope.
Sorting this out at a website level usually starts with data protection compliance and a privacy review of every form, tag, and third-party integration.
Cross-Border Data Transfers: The Quiet Risk
Even purely domestic Monaco businesses end up moving personal data across borders. The most common routes:
- EU-based cloud or SaaS providers — many CRMs, email platforms, hosting providers, and analytics tools are operated from France, Germany, Ireland, or the Netherlands.
- Cross-border marketing — Meta, Google, and LinkedIn process advertising data through EU and US infrastructure.
- Payment processors — most card processors used by Monaco merchants operate from the EU or wider EEA.
Law 1.565 sets rules on international data transfers, including transfers to countries that do not provide an adequate level of protection. If your data flows are not mapped, you cannot demonstrate compliance with those rules. A clean digital strategy treats data flow mapping as a first-month deliverable, not a yearly afterthought.
This is also where your contracts matter. If you use a third-party platform that processes personal data on your behalf — a CRM, a booking system, an email marketing tool — you typically need a data processing agreement and, depending on the route, additional transfer safeguards.
The E-Commerce and Multilingual Website Angle
E-commerce is the area where most Monaco businesses end up squarely inside EU scope. If your storefront ships to France, Italy, or Germany, you are almost certainly subject to both Law 1.565 and the GDPR for those customer interactions.
That has practical consequences:
- Your privacy policy should be drafted to cover both frameworks, not pretend one of them does not exist.
- Cookie consent must meet EU standards if you are targeting EU residents — that means rejecting non-essential cookies must be as easy as accepting them.
- Data subject rights requests can come in under either framework, and your response process needs to handle both.
For e-commerce services and multilingual websites, compliance should be baked into the build. Retrofitting cookie banners and privacy pages after launch is consistently more expensive than getting it right the first time.
Common Mistakes We See
A few patterns repeat across Monaco businesses we audit:
- Privacy policies copied from French templates that reference the CNIL and the GDPR — but never mention Law 1.565 or the APDP.
- Cookie banners that in theory block cookies until consent is given, but in practice fire analytics and ad pixels on first page load anyway.
- Outdated references to the CCIN — the former regulator replaced by the APDP — in legal documents that should have been updated.
- No processing register, even when the business clearly handles enough personal data to require one.
- No EU representative in cases where Article 27 of the GDPR plainly applies.
None of these are difficult to fix. They become expensive when a complaint is filed or a customer asks for their data and the business has no documented process to respond.
A Note on Legal Advice
This article is intended as a practical orientation, not legal advice. Law 1.565 is recent, the APDP is still building case practice, and the interaction with the GDPR depends on facts specific to your operations. For binding guidance on your data protection obligations, engage a qualified legal adviser with knowledge of Monegasque law and EU regulation. Our role is to help you get your website, CRM, and digital touchpoints into a state where compliance is operationally possible — the legal interpretation is the lawyer's job.
Where to Start
If you are not sure whether your Monaco business sits under Law 1.565 only, or under both frameworks, the fastest path is a data flow audit: list every digital tool that touches personal data, identify where each one processes and stores that data, and check what the underlying contracts say. From there, your privacy policy, cookie banner, and DPO arrangements can be aligned with reality rather than guesswork.
BSS Digital Agency helps Monaco businesses bring their websites, e-commerce platforms, and marketing operations into a state where compliance is practical and provable. If you would like a structured review of where you stand, get in touch and we can scope it with you.