Since 3 December 2024, the Principality has had a fully modernised data protection framework. For an Artificial Intelligence project, this is no legal footnote: it is the foundation that determines what you are allowed to do with your data.
Law n°1.565 replaces the previous regime and aligns Monaco with the European GDPR and Convention 108+. The supervisory authority, the APDP, succeeds the CCIN with extended powers. Any organisation that processes personal data, and all the more so one that entrusts it to an AI system, falls within its scope.
What changes in practice
- A legal basis required for every processing operation (consent, contract, legal obligation, legitimate interest).
- Strengthened individual rights: information, access, rectification, erasure, objection.
- An obligation of security and traceability of processing, proportionate to the risk.
- A framework for transfers of data outside the Principality.
- Sanctions in the event of breach, and a reputational risk the Place does not forgive.
AI and personal data: 5 reflexes
1. Map before you model
Before any deployment, know which data is at stake, where it comes from and who can access it. A model is never more compliant than the data entrusted to it.
2. Minimise
An AI agent does not need to see everything to be useful. Limit the data exposed to the strict minimum: it is the single best way to reduce risk.
3. Keep control of hosting
Choose a sovereign architecture (local providers, a private European cloud or on-premise) to keep control over location and jurisdiction.
4. Log everything
Trace processing operations, access and decisions. Traceability is not a formality: it is what allows you to prove your compliance.
5. Document
Keep a record of processing activities and carry out an impact assessment (DPIA) whenever the processing presents a high risk.
Compliance is not the enemy of innovation: done well, it is the argument that reassures your clients.
Do you need an impact assessment?
As soon as an AI processing operation involves sensitive data, operates at scale or includes a degree of automated decision-making, a data protection impact assessment is strongly recommended. Conducted upfront, it costs little; endured after the fact, it can block an entire project. Minervia builds this dimension in from the scoping phase, without substituting for legal advice.