For the purposes of this document, the following definitions apply:
| Term | Definition |
|------|------------|
| **Personal Data** | Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| **Processing** | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| **Data Controller** | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| **Data Processor** | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
| **Data Subject** | An identified or identifiable natural person whose personal data is being processed. |
| **Consent** | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| **Personal Data Breach** | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| **Supervisory Authority** | An independent public authority established by a Member State or, in the case of Monaco, the Autorité de Protection des Données Personnelles (APDP). |
| **Pseudonymisation** | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. |
| **Anonymisation** | The irreversible process of altering personal data in such a way that the data subject cannot be identified directly or indirectly, either by the data controller alone or in collaboration with any other party. Anonymised data is not considered personal data under GDPR. |
| **Special Categories of Personal Data** | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
| **Recipient** | A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. |
| **Third Party** | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. |
| **APDP** | Autorité de Protection des Données Personnelles - Monaco's data protection supervisory authority, established under Law 1.565 of December 3, 2024, replacing the former CCIN. |
| **Platform** | The MOPC web application accessible at monaco-opc.com, including all associated services, APIs, and infrastructure. |
| **Competition** | The Monaco Ocean Protection Challenge, an annual competition for ocean conservation projects. |
The Monaco Ocean Protection Challenge is organized jointly by the following entities, who act as joint controllers for the processing of participant data:
1. **International University of Monaco** (IUM)
2. **Oceanographic Institute** (Institut océanographique, Fondation Albert Ier, Prince de Monaco)
3. **Prince Albert I of Monaco Foundation**
4. **Monaco Impact**
5. **Prince Albert II of Monaco Foundation**
### 2.3 Joint Controller Arrangement
In accordance with Article 26 of the GDPR, the joint controllers have determined their respective responsibilities for compliance with data protection obligations:
- **The Monaco Ocean Protection Challenge Organization** is the primary point of contact for data subjects and bears responsibility for:
  - Providing transparent information to data subjects
### 2.4 Data Protection Contact
For all data protection inquiries, data subject requests, and privacy-related matters:
**Email:** gdpr@monaco-opc.com
Data subjects may contact any of the joint controllers regarding their rights, but the above email serves as the central contact point for efficiency.
---
## 3. Legal Framework
### 3.1 Applicable Laws
The Platform's data processing activities are subject to the following legal frameworks:
#### Monaco Law
- **Law No. 1.565 of December 3, 2024** on the Protection of Personal Data
  - Entered into force in 2025
  - Replaces the former Law No. 1.165 of December 23, 1993
  - Aligns with Convention 108+ and GDPR principles
  - Establishes the APDP as the supervisory authority
- **Law No. 1.566 of December 3, 2024** ratifying the amending protocol to Convention 108
  - Monaco ratified Convention 108+ on March 6, 2025
#### European Union Law
- **Regulation (EU) 2016/679** (General Data Protection Regulation - GDPR)
  - Applicable to processing of EU residents' data
  - Applicable due to server location in Austria (EU)
- **Directive 2002/58/EC** (ePrivacy Directive)
  - Applicable to electronic communications
#### Territorial Scope
The Platform processes data of individuals located in:
- The Principality of Monaco
- European Union Member States
- Other countries (competition is open internationally)
Due to the server infrastructure being located in Austria (EU) and the international nature of participants, GDPR standards are applied as the baseline for all data processing activities.
### 3.2 Supervisory Authority
**Primary Supervisory Authority:**
**Autorité de Protection des Données Personnelles (APDP)**
Principality of Monaco
The APDP was established under Law 1.565 of December 3, 2024, replacing the former Commission de Contrôle des Informations Nominatives (CCIN). The APDP has the following powers:
- Investigation and control powers
- Access to premises where data processing is carried out
- Authority to request relevant documents
- Power to issue warnings, formal notices, and processing restrictions
- Authority to impose administrative fines up to €10 million
### 3.3 EU Adequacy Status
As of February 2026, Monaco has formally requested an EU adequacy decision. The European Commission is reviewing Monaco's framework following the ratification of Convention 108+ and the adoption of Law 1.565. An adequacy decision would streamline EU-Monaco data flows.
---
## 4. Personal Data Inventory
### 4.1 Categories of Personal Data Processed
#### 4.1.1 User Account Data
| Data Element | Category | Source | Mandatory |
|--------------|----------|--------|-----------|
| Email address | Contact data | User registration | Yes |
| Full name | Identity data | User registration | Yes |
| Phone number | Contact data | User profile | No |
| Profile photograph | Image data | User upload | No |
| User role | System data | Administrator assignment | Yes |
| Account status | System data | System generated | Yes |
| Password hash | Security data | User registration | Yes (if password auth used) |
| Last login timestamp | Usage data | System generated | Yes |
| Account creation date | System data | System generated | Yes |
#### 4.1.2 Project/Application Data
| Data Element | Category | Source | Mandatory |
|--------------|----------|--------|-----------|
| Project title | Content data | Applicant submission | Yes |
| Video pitch | Media data | Applicant upload | No |
| External links | Reference data | Applicant submission | No |
#### 4.1.3 Evaluation Data
| Data Element | Category | Source | Mandatory |
|--------------|----------|--------|-----------|
| Evaluation scores | Assessment data | Jury member | Yes |
| Written comments | Assessment data | Jury member | Yes |
| Evaluation timestamp | Temporal data | System generated | Yes |
| Evaluator identity | Identity data | System generated | Yes |
| Evaluation version | System data | System generated | Yes |
#### 4.1.4 Technical and Security Data
| Data Element | Category | Source | Retention |
|--------------|----------|--------|-----------|
| IP address | Network data | Automatic collection | 12 months |
| User agent string | Device data | Automatic collection | 12 months |
| Session tokens | Security data | System generated | Session duration |
| Magic link tokens | Security data | System generated | 15 minutes |
| Audit log entries | Security data | System generated | 12 months |
| Error logs | Technical data | System generated | 30 days |
#### 4.1.5 AI Processing Data
| Data Element | Category | Source | Retention |
|--------------|----------|--------|-----------|
| Anonymised project data | Derived data | System processing | Not stored |
| AI usage logs | System data | System generated | 12 months |
| Token consumption | System data | System generated | 12 months |
**Note:** Personal data is **never** sent to AI services. All AI processing uses anonymised data only. See [AI Data Processing](./ai-data-processing.md) for details.
### 4.2 Special Categories of Personal Data
The Platform does **not** intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR. However, applicants may voluntarily include such information in free-text fields (e.g., project descriptions mentioning health-related ocean conservation work).
**Mitigation measures:**
- No specific fields request special category data
- Privacy notice advises against including sensitive personal information
- AI anonymisation strips personally identifying information before processing
### 4.3 Children's Data
The Platform is not directed at children under the age of 16. The Competition is intended for adult participants, teams, and organisations. Registration requires confirmation that the user is at least 18 years of age or has parental/guardian consent.
---
## 5. Legal Basis for Processing
### 5.1 Overview of Legal Bases
The Platform relies on the following legal bases for processing personal data under Article 6(1) of the GDPR:
| Legal Basis | GDPR Article | Description |
|-------------|--------------|-------------|
| **Contract Performance** | Art. 6(1)(b) | Processing necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract. |
| **Legitimate Interests** | Art. 6(1)(f) | Processing necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. |
| **Consent** | Art. 6(1)(a) | The data subject has given consent to the processing of his or her personal data for one or more specific purposes. |
| **Legal Obligation** | Art. 6(1)(c) | Processing necessary for compliance with a legal obligation to which the controller is subject. |
| Processing Activity | Legal Basis | Justification |
|---------------------|-------------|---------------|
| User account creation and management | Contract Performance | Necessary to provide access to the Platform and enable participation in the Competition |
| Project submission processing | Contract Performance | Necessary to accept and process Competition entries |
| Jury evaluation and scoring | Contract Performance | Necessary to conduct the Competition judging process |
| Email notifications (competition-related) | Contract Performance | Necessary to communicate essential information about submissions and results |
| AI-powered project filtering | Legitimate Interests | Efficient processing of large numbers of applications; balanced by anonymisation measures |
| AI-powered jury assignment | Legitimate Interests | Optimal matching of jury expertise to projects; balanced by human oversight |
| Purpose | Description | Data Categories | Legal Basis |
|---------|-------------|-----------------|-------------|
| **Competition Management** | Managing the full lifecycle of the Monaco Ocean Protection Challenge, including project submissions, evaluations, and results | User accounts, project data, evaluation data | |
| **User Authentication** | Verifying user identity and managing secure access to the Platform | Email, password hash, session tokens, magic links | |
| **Communication** | Sending essential notifications about submissions, deadlines, evaluation status, and results | Email, name, notification preferences | |
| **Evaluation Processing** | Enabling jury members to review and score assigned projects | Project data, evaluation data, jury assignments | |
| **AI-Assisted Processing** | Using AI to filter projects, suggest jury assignments, determine award eligibility, and match mentors | Anonymised project data only | Legitimate Interests |
| **Platform Security** | Monitoring for security threats, preventing abuse, investigating incidents | IP addresses, user agents, audit logs | Legitimate Interests |
| **Service Improvement** | Analysing aggregated, anonymised usage patterns to improve the Platform | Aggregated analytics | Legitimate Interests |
| **Legal Compliance** | Maintaining records as required by law | Varies by requirement | Legal Obligation |
Personal data collected for the above purposes will not be processed in a manner incompatible with those purposes. Any new processing activity will be assessed for compatibility and, if necessary, additional consent or other legal basis will be obtained.
| Item | Details |
|------|---------|
| **DPA Status** | OpenAI Data Processing Addendum available; EU Standard Contractual Clauses |
| **Training Opt-Out** | API data is not used for model training by default |
**Important:** Only anonymised data is sent to OpenAI. Personal identifiers (names, emails, phone numbers, addresses, URLs) are stripped before transmission. Project IDs are replaced with sequential anonymous identifiers (P1, P2, etc.). See [AI Data Processing](./ai-data-processing.md) for complete details.
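The stripping step described above (and the anonymisation measure listed under 4.2), as an added Python illustration that is not the Platform's own code: direct-identifier fields are dropped, e-mail addresses, phone numbers and URLs in free text are replaced with placeholders, project IDs become P1, P2, ... with the mapping kept separately, and a final check refuses any record that still carries a pattern-shaped identifier. Field names and sample records are constructed assumptions; names embedded in free text need a further step this example does not show.

```python
import re

# Constructed sample records (not real MOPC data); field names are assumptions.
PROJECTS = [
    {"id": "7c1f-42", "title": "Reef monitoring buoys",
     "description": "Contact Jane at jane@example.org or +377 93 12 34 56, see https://reef.example/plan",
     "applicant_name": "Jane Doe", "applicant_email": "jane@example.org",
     "external_links": ["https://reef.example"]},
    {"id": "9a0b-17", "title": "Seagrass restoration",
     "description": "Pilot sites near Monaco harbour; no contact details given.",
     "applicant_name": "Ali Ben", "applicant_email": "ali@example.com",
     "external_links": []},
]

# Structured fields that hold direct identifiers and never leave the Platform.
DIRECT_IDENTIFIER_FIELDS = {"applicant_name", "applicant_email", "external_links"}

# Identifiers that may appear inside free text. URLs go first so an address
# inside a URL is consumed once rather than matched twice.
PATTERNS = [
    ("[URL]", re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)),
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[PHONE]", re.compile(r"\+?\d[\d\s().-]{6,}\d")),
]


def scrub_text(text: str) -> str:
    """Replace URLs, e-mail addresses and phone numbers with placeholders."""
    for placeholder, pattern in PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def anonymise_projects(projects):
    """Return (payload, mapping). payload is what may be sent to the AI service;
    mapping (P-id -> real id) stays on the Platform, stored apart from the payload,
    which is what makes the result pseudonymous rather than re-identifiable downstream."""
    payload, mapping = [], {}
    for n, project in enumerate(projects, start=1):
        anon_id = f"P{n}"
        mapping[anon_id] = project["id"]
        record = {"id": anon_id}
        for key, value in project.items():
            if key == "id" or key in DIRECT_IDENTIFIER_FIELDS:
                continue  # drop direct identifiers entirely
            record[key] = scrub_text(value) if isinstance(value, str) else value
        payload.append(record)
    return payload, mapping


def contains_identifier(record) -> bool:
    """Pre-transmission gate: True if any text field still matches an identifier pattern."""
    return any(pattern.search(value)
               for value in record.values() if isinstance(value, str)
               for _, pattern in PATTERNS)
```

Note that "Jane" survives in the scrubbed description: free-text names are not pattern-shaped, so the gate above cannot catch them and a name-detection step has to sit in front of it.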
#### 8.2.2 Self-Hosted Services
The following services are self-hosted on the Platform's infrastructure and do not involve third-party data processors:
| Service | Purpose | Hosting Location |
|---------|---------|------------------|
| **PostgreSQL Database** | Primary data storage | Austria, EU (Private VPS) |
| **Nginx Reverse Proxy** | Web traffic management, SSL termination | Austria, EU (Private VPS) |
### 8.3 Subprocessor Due Diligence
Before engaging any subprocessor, the following assessments are conducted:
1. **Security Assessment** - Review of security certifications and practices
2. **Privacy Assessment** - Review of privacy policy and data handling practices
3. **Contractual Review** - Execution of Data Processing Agreement with GDPR-compliant terms
4. **Technical Assessment** - Verification of encryption, access controls, and data protection measures
### 8.4 Subprocessor Changes
Data subjects will be informed of any changes to subprocessors that materially affect the processing of their personal data. A list of current subprocessors is maintained and available upon request.
| Processing Activity | Location | Retention |
|---------------------|----------|-----------|
| AI processing | Ireland, EU (OpenAI EU data residency) | N/A (zero retention) |
### 9.2 Transfer Mechanisms
#### Transfers within the EU/EEA
Data transfers between Monaco and EU Member States are conducted under the assumption of adequate protection. Monaco's adoption of Law 1.565 and ratification of Convention 108+ provides a framework aligned with GDPR standards.
#### Transfers to OpenAI
OpenAI processes data through their EU data residency feature:
- **Processing Location:** Dublin, Ireland (EU)
- **Data Retention:** Zero Data Retention (ZDR) - no data stored at rest
- **Transfer Mechanism:** EU Standard Contractual Clauses (incorporated in OpenAI DPA)
- **Additional Safeguards:** Data anonymisation before transmission, encryption in transit (TLS 1.2+)
The Platform does not transfer personal data to countries outside the EU/EEA except as described above (OpenAI with EU data residency). Any future transfers would require:
Under the GDPR and Monaco Law 1.565, data subjects have the following rights:
| Right | GDPR Article | Description |
|-------|--------------|-------------|
| **Right of Access** | Art. 15 | The right to obtain confirmation of whether personal data is being processed and access to that data |
| **Right to Rectification** | Art. 16 | The right to have inaccurate personal data corrected and incomplete data completed |
| **Right to Erasure** | Art. 17 | The right to have personal data deleted in certain circumstances ("right to be forgotten") |
| **Right to Restriction** | Art. 18 | The right to restrict processing in certain circumstances |
| **Right to Data Portability** | Art. 20 | The right to receive personal data in a structured, commonly used, machine-readable format |
| **Right to Object** | Art. 21 | The right to object to processing based on legitimate interests or for direct marketing |
| **Rights Related to Automated Decision-Making** | Art. 22 | The right not to be subject to decisions based solely on automated processing with legal or significant effects |
**Self-Service:** Users can delete their account via Profile → Settings → Delete Account
**Anonymisation Alternative:** Where complete deletion is not possible due to legitimate retention needs, data will be anonymised so it can no longer be attributed to the data subject.
#### 10.3.4 Right to Restriction (Article 18)
**Scope:** Restriction of processing where:
- Accuracy of data is contested (during verification)
- Processing is unlawful but erasure is not requested
- Data is no longer needed but required for legal claims
- Objection is pending verification
**Procedure:**
1. Submit request to gdpr@monaco-opc.com
2. Data marked as restricted
3. Processing limited to storage only
4. Data subject notified before restriction is lifted
#### 10.3.5 Right to Data Portability (Article 20)
**Scope:** Receive personal data in structured, commonly used, machine-readable format where:
- Processing is based on consent or contract
- Processing is carried out by automated means
**Format:** JSON file containing:
- User profile data
- Project submissions
- Team memberships
- Evaluation data (for jury members)
**Procedure:**
1. Access via Profile → Settings → Export Data, or
2. Submit request to gdpr@monaco-opc.com
3. Data provided within 30 days
#### 10.3.6 Right to Object (Article 21)
**Scope:** Object to processing based on legitimate interests
**Procedure:**
1. Submit objection to gdpr@monaco-opc.com with specific grounds
2. Assessment of compelling legitimate grounds
3. Response within 30 days
4. If objection upheld: Processing ceased
5. If objection not upheld: Reasons provided
**AI Processing:** Data subjects may object to AI-assisted processing. In such cases:
- Their projects will be excluded from AI filtering
- Manual review will be conducted instead
- This will not affect evaluation quality or fairness
#### 10.3.7 Rights Related to Automated Decision-Making (Article 22)
**Statement:** The Platform does **not** make decisions based solely on automated processing that produce legal effects or similarly significantly affect data subjects.
All AI-assisted processes (filtering, assignment suggestions, eligibility determination) are:
- Supportive recommendations only
- Subject to human review and final decision
- Not binding without human approval
Data subjects may request human review of any AI-assisted recommendation by contacting gdpr@monaco-opc.com.
### 10.4 Complaints
Data subjects have the right to lodge a complaint with the supervisory authority:
**Autorité de Protection des Données Personnelles (APDP)**
Principality of Monaco
Data subjects are encouraged to contact gdpr@monaco-opc.com first to resolve any concerns directly.
The Platform is hosted on a private Virtual Private Server (VPS) located in Austria, EU. Physical security is managed by the hosting provider and includes:
Data is retained only as long as necessary for the purposes for which it was collected, subject to legal retention requirements and legitimate archival needs.
As only strictly necessary cookies are used, explicit cookie consent is not required under Article 5(3) of the ePrivacy Directive. Users are informed of cookie use in the Privacy Policy.
Data Protection Impact Assessments are conducted for processing activities that are likely to result in high risk to the rights and freedoms of natural persons, including:
- Systematic and extensive evaluation of personal aspects (profiling)
- Processing of special categories of data on a large scale
- Systematic monitoring of publicly accessible areas