
Monaco's 2027 Data Deadline
Monaco Law 1.565 gives businesses until December 2027 to run data impact assessments on high-risk processing. Here's how to prepare.
Most Monaco businesses treated the arrival of Law No. 1.565 as a one-time scramble at the end of 2025. Register of processing, a data protection officer where required, tightened security — done, filed, forgotten. But the law set a second, longer clock running, and it is the one most companies have not looked at yet: the deadline to complete impact assessments on high-risk processing.
That clock runs out in December 2027, three years after the law took effect on 3 December 2024. Seventeen months sounds like plenty. It is not, if the processing you need to assess runs through your website, your CRM, or the AI tools your team started using this year.
What the 2027 deadline actually covers
Law No. 1.565 of 3 December 2024, overseen by the APDP (Autorité de Protection des Données Personnelles), gave businesses staggered transition periods rather than one hard cut-off. The register of processing activities, appointing a data protection officer where the law requires one, and core security obligations fell under a one-year window. Impact assessments were given three years — hence the December 2027 horizon.
An impact assessment is a structured review of a processing activity that is likely to create a high risk to people's rights and freedoms. It documents what you collect, why, how you protect it, and what could go wrong. It is not a form you fill in once; it is a record you are expected to be able to produce and defend.
Monaco is not an EU member state, so the GDPR does not apply to a Monaco business by default. But Law 1.565 was built to European standards, and the impact-assessment obligation closely mirrors it. Exact dates and thresholds should be confirmed with the APDP or a qualified adviser — the point here is operational: identify the processing, then plan the work.
The high-risk processing hiding in your digital stack
"High-risk processing" sounds like something only banks and hospitals do. In practice, a lot of ordinary digital activity can qualify. Look hard at:
- Large-scale profiling and tracking — behavioural analytics, ad retargeting, and lead-scoring that follow individuals across sessions.
- Sensitive categories — health, financial standing, or anything a luxury or private-wealth clientele would consider confidential.
- Automated decisions — AI tools that score, rank, or filter people (candidates, applicants, prospects) with limited human review.
- Systematic monitoring — booking systems, membership platforms, or concierge apps that build a detailed picture of a person over time.
If your business runs any of these through a website or app, that system is where your 2027 work sits. The website and platforms we build and maintain are usually where the highest-risk processing lives, because that is where data enters and accumulates.
AI adoption just widened your exposure
2026 is the year Monaco's public programmes pushed businesses hard toward artificial intelligence. That is genuinely useful — but every AI tool that touches customer or employee data is a new processing activity, and some of it will be high-risk.
A chatbot that reads support histories, a model that scores leads, an assistant that drafts personalised outreach from your contact database: each one processes personal data, often at scale, sometimes with automated decisions. If you rolled these out this year, add them to the assessment list now rather than discovering them in an audit later. When we deploy AI automation for clients, mapping the data it touches is part of the setup, not an afterthought.
A practical path to December 2027
You do not need a legal team to make real progress. You need an inventory and a plan.
- Map your processing. List every system that holds personal data — website forms, analytics, CRM and email platforms, booking tools, AI assistants. Your register from 2025 is the starting point; update it.
- Flag the high-risk items. For each system, ask whether it profiles, monitors, handles sensitive data, or makes automated decisions at scale. Those are your assessment candidates.
- Prioritise by exposure. Start with the systems holding the most sensitive data and the largest volumes.
- Document as you go. Write down purpose, data flows, safeguards, and residual risks for each. That record is the deliverable.
- Verify the specifics. Confirm which activities legally require a formal assessment, and the precise deadline, with the APDP or a data-protection professional.
Why start now, not in 2027
Three reasons. First, an impact assessment often surfaces a problem you then have to fix — a retention period that is too long, a third-party tool with weak safeguards, an integration nobody documented. Fixing takes longer than assessing. Second, doing this well tends to improve the systems themselves: cleaner data, clearer consent, less clutter. Third, it is far cheaper to build compliance into your next website or CRM migration than to retrofit it. If a rebuild or platform change is on your 2027 roadmap anyway, that is the moment to get the data architecture right.
The businesses that will find December 2027 stressful are the ones treating it as a legal event. The ones that will find it routine are treating it as a digital-operations project — which is exactly what it is.
If you want help mapping the personal data flowing through your website, CRM, and AI tools — and turning the 2027 deadline into a clear, prioritised plan — get in touch. We build the systems that hold this data, so we know where to look. For the legal specifics, always confirm with the APDP or a qualified adviser; see our overview of data protection compliance in Monaco.
Related services