Mme Agnès LEPAULMIER is Secretary General of the CCIN (Commission de Contrôle des Informations Nominatives - the Monaco authority responsible for protecting personal data). We met with her because the CCIN has many work meetings with the AMAF, covering a wide range of issues.
The CCIN acts “in the name of the State” but remains independent...
We are the authority in charge of protecting personal data: an independent regulator and administrative authority responsible for ensuring people’s fundamental rights are respected when using their personal information. We make sure that the way this information is processed digitally does not infringe privacy or fundamental rights. Within this framework, our duties include recording and examining cases, offering advice and suggestions and, finally, oversight and investigations.
What is your relationship with the AMAF?
The AMAF, and trade bodies in general, are key for helping to disseminate information. We hold quarterly meetings with Mr Ucari and the CCIN contact group within the association. Banks know about compliance. It is part of their DNA. The AMAF therefore submits very practical and specific questions to us. We do our best to provide answers. Recently, the CCIN posted a FAQ on its website about the GDPR and its impact in Monaco. The aim was to respond to the concerns of AMAF members, whom we met twice in 2019 to discuss this topic.
Working remotely during the pandemic must have raised some questions.
Yes - going into and coming out of lockdown we have had many discussions with banks which contacted us about what security measures to implement while working remotely. We have advised on two aspects of remote work: securing remote connections and potential issues relating to monitoring employee work and hours in their homes. We review tools for measuring work activities to ensure they are not too invasive. For example, employees should not be required to have their laptop webcams permanently switched on. A “remote working and protecting personal data” recommendations sheet was produced. We responded to a wide variety of different questions: from taking temperatures to thermal cameras! Our answers are rooted first and foremost in protecting privacy.
How do you work with the SICCFIN?
If we have any particular issues with the SICCFIN, we get in touch with them and meet in a very open way. In the case of money laundering investigations, a person who has been named in a suspicious transaction report cannot directly contact the SICCFIN. If their bank account has been closed, or if their request to open an account has been refused, they can contact us to check whether they have been named in a suspicious transaction report. We then approach the SICCFIN to establish what information they have about the person in question. If this information relates to a money-laundering investigation, we are, of course, not at liberty to pass it on to them.
Are changes about to be made to Monaco law 1165 relating to personal information?
Yes, to better bring the legislation in line with European standards. We presented the main principles and potential impacts of this upcoming legislation to the AMAF. Over the past two years, we have also organised a work group on this subject in partnership with State services. The updated legislation will insist on the principle of financial institutions taking responsibility. This must be integrated into their corporate culture. Preliminary formalities, which are as much of a burden for entities (banks, asset management companies, etc.) as they are for us, will no longer exist. Financial institutions will have to look into compliance issues upstream, without first passing through the CCIN filter. CCIN oversight will be carried out in accordance with the demonstration principle. We will have access to new tools to facilitate this, such as the processing register.
The legislation is due to be submitted to the National Council by the end of the year. We will then have our work cut out explaining the new law and raising awareness of it among public and economic stakeholders. They will need to get to understand the extent of their responsibilities, because sanctions will be more serious than they currently are. Some will need to designate a data protection officer, so that we have a clear point of contact.