The Principality of Monaco, with Law No. 1,565 of 3 December 2024, has aligned its data protection legislation with European law by embracing the GDPR principles, rights and all the elements that seem to pave the way for an adequacy decision by the European Commission. This may prove to be a particularly useful tool for facilitating personal data transfer activities, for example for Monaco-based companies that are part of business groups or that otherwise provide services on behalf of companies that reside within the European Union and carry out activities involving personal data. The fact that there would no longer be a need for additional instruments to be applied on a case-by-case basis, such as standard data protection clauses or binding corporate rules, allows for more straightforward negotiations and, above all, leads to savings in terms of costs and time.
The effect of an adequacy decision is in fact to assess the entire legal system of the destination country by establishing that it is capable of providing adequate data protection guarantees, including providing data subjects with enforceable rights and effective remedies.
The current situation.
Today, for a Monegasque company wishing to receive personal data from other legal entities to which the GDPR applies, it is necessary to resort to so-called “adequate safeguards”. These are instruments that have to be set up individually, usually require a negotiation phase and, as a result, involve certain costs.
In the context of providing services on behalf of companies that reside in the European Union or are otherwise subject to the GDPR, but also in cases where one is part of a business group and needs access to data for management and control activities, the issue of data transfer must be addressed. In the first scenario, the solution resorted to in most cases is to enter into standard data protection clauses, in which there is an effective contractual regulation of the relationship between the various parties (importer and exporter of the personal data) so that a threshold of protection similar to that provided for by the GDPR is granted. In the second scenario, on the other hand, binding corporate rules are usually used, which define the internal rules of the business group for handling personal data but are subject to approval by a supervisory authority.
All this, it is clear, translates into operational costs, also in terms of time for the preparation of such instruments. All of which, however, would be drastically reduced in the case of an adequacy decision.
What advantages for Monegasque companies?
In the event of an adequacy decision, the main advantage for Monegasque companies would not only be limited to cost savings, but would also extend to an increased ability to position themselves within the European and international market. The element of the positive perception that other operators may have when interacting with a subject residing within a country for which there is an adequacy decision is particularly relevant, and also increases in value in the event that activities of particular value are carried out due to the quantity and quality of the personal data involved.
In addition, costs would also be lowered for entities that choose to export data to an entity residing in Munich as they would be exempted from having to carry out (and update) risk assessments for the data transfer as this has already been done, upstream, by the European Commission.
The political decision to align with the principles of European data protection law seems to have opened the door to future scenarios of unquestionable value. Above all, in the field of innovation and competitiveness.
