# MOPC Platform - GDPR Compliance Documentation

**Document Version:** 2.0
**Last Updated:** February 2026
**Classification:** Internal / Compliance

---

## Table of Contents

1. [Definitions](#1-definitions)
2. [Data Controller Information](#2-data-controller-information)
3. [Legal Framework](#3-legal-framework)
4. [Personal Data Inventory](#4-personal-data-inventory)
5. [Legal Basis for Processing](#5-legal-basis-for-processing)
6. [Data Processing Purposes](#6-data-processing-purposes)
7. [Data Subject Categories](#7-data-subject-categories)
8. [Third-Party Data Sharing & Subprocessors](#8-third-party-data-sharing--subprocessors)
9. [International Data Transfers](#9-international-data-transfers)
10. [Data Subject Rights](#10-data-subject-rights)
11. [Security Measures](#11-security-measures)
12. [Data Retention Policy](#12-data-retention-policy)
13. [Cookies and Tracking Technologies](#13-cookies-and-tracking-technologies)
14. [Data Protection Impact Assessments](#14-data-protection-impact-assessments)
15. [Data Breach Notification Procedures](#15-data-breach-notification-procedures)
16. [Training and Awareness](#16-training-and-awareness)
17. [Documentation and Records](#17-documentation-and-records)
18. [Contact Information](#18-contact-information)
19. [Document Control](#19-document-control)

---

## 1. Definitions

For the purposes of this document, the following definitions apply:

| Term | Definition |
|------|------------|
| **Personal Data** | Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| **Processing** | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| **Data Controller** | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| **Data Processor** | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
| **Data Subject** | An identified or identifiable natural person whose personal data is being processed. |
| **Consent** | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| **Personal Data Breach** | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| **Supervisory Authority** | An independent public authority established by a Member State or, in the case of Monaco, the Autorité de Protection des Données Personnelles (APDP). |
| **Pseudonymisation** | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. |
| **Anonymisation** | The irreversible process of altering personal data in such a way that the data subject cannot be identified directly or indirectly, either by the data controller alone or in collaboration with any other party. Anonymised data is not considered personal data under GDPR. |
| **Special Categories of Personal Data** | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
| **Recipient** | A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. |
| **Third Party** | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. |
| **APDP** | Autorité de Protection des Données Personnelles - Monaco's data protection supervisory authority, established under Law 1.565 of December 3, 2024, replacing the former CCIN. |
| **Platform** | The MOPC web application accessible at monaco-opc.com, including all associated services, APIs, and infrastructure. |
| **Competition** | The Monaco Ocean Protection Challenge, an annual competition for ocean conservation projects. |

---

## 2. Data Controller Information

### 2.1 Primary Data Controller

| Field | Details |
|-------|---------|
| **Organisation Name** | The Monaco Ocean Protection Challenge Organization |
| **Legal Status** | Non-profit organization |
| **Country of Establishment** | Principality of Monaco |
| **Data Protection Contact** | gdpr@monaco-opc.com |

### 2.2 Joint Controllers

The Monaco Ocean Protection Challenge is organized jointly by the following entities, who act as joint controllers for the processing of participant data:

1. **International University of Monaco** (IUM)
2. **Oceanographic Institute** (Institut océanographique, Fondation Albert Ier, Prince de Monaco)
3. **Prince Albert I of Monaco Foundation**
4. **Monaco Impact**
5. **Prince Albert II of Monaco Foundation**

### 2.3 Joint Controller Arrangement

In accordance with Article 26 of the GDPR, the joint controllers have determined their respective responsibilities for compliance with data protection obligations:

- **The Monaco Ocean Protection Challenge Organization** is the primary point of contact for data subjects and bears responsibility for:
  - Maintaining the Platform and its data security
  - Responding to data subject requests
  - Managing the technical infrastructure
  - Coordinating with subprocessors
- **All joint controllers** share responsibility for:
  - Determining the purposes of processing
  - Ensuring lawful basis for processing
  - Providing transparent information to data subjects

### 2.4 Data Protection Contact

For all data protection inquiries, data subject requests, and privacy-related matters:

**Email:** gdpr@monaco-opc.com

Data subjects may contact any of the joint controllers regarding their rights, but the above email serves as the central contact point for efficiency.

---

## 3. Legal Framework

### 3.1 Applicable Laws

The Platform's data processing activities are subject to the following legal frameworks:

#### Monaco Law

- **Law No. 1.565 of December 3, 2024** on the Protection of Personal Data
  - Entered into force in 2025
  - Replaces the former Law No. 1.165 of December 23, 1993
  - Aligns with Convention 108+ and GDPR principles
  - Establishes the APDP as the supervisory authority
- **Law No. 1.566 of December 3, 2024** ratifying the amending protocol to Convention 108
  - Monaco ratified Convention 108+ on March 6, 2025

#### European Union Law

- **Regulation (EU) 2016/679** (General Data Protection Regulation - GDPR)
  - Applicable to processing of EU residents' data
  - Applicable due to server location in Austria (EU)
- **Directive 2002/58/EC** (ePrivacy Directive)
  - Applicable to electronic communications

#### Territorial Scope

The Platform processes data of individuals located in:

- The Principality of Monaco
- European Union Member States
- Other countries (competition is open internationally)

Due to the server infrastructure being located in Austria (EU) and the international nature of participants, GDPR standards are applied as the baseline for all data processing activities.

### 3.2 Supervisory Authority

**Primary Supervisory Authority:**

**Autorité de Protection des Données Personnelles (APDP)**
Principality of Monaco

The APDP was established under Law 1.565 of December 3, 2024, replacing the former Commission de Contrôle des Informations Nominatives (CCIN). The APDP has the following powers:

- Investigation and control powers
- Access to premises where data processing is carried out
- Authority to request relevant documents
- Power to issue warnings, formal notices, and processing restrictions
- Authority to impose administrative fines up to €10 million

### 3.3 EU Adequacy Status

As of February 2026, Monaco has formally requested an EU adequacy decision. The European Commission is reviewing Monaco's framework following the ratification of Convention 108+ and the adoption of Law 1.565. An adequacy decision would streamline EU-Monaco data flows.

---

## 4. Personal Data Inventory

### 4.1 Categories of Personal Data Processed

#### 4.1.1 User Account Data

| Data Element | Category | Source | Mandatory |
|--------------|----------|--------|-----------|
| Email address | Contact data | User registration | Yes |
| Full name | Identity data | User registration | Yes |
| Phone number | Contact data | User profile | No |
| Profile photograph | Image data | User upload | No |
| User role | System data | Administrator assignment | Yes |
| Account status | System data | System generated | Yes |
| Password hash | Security data | User registration | Yes (if password auth used) |
| Last login timestamp | Usage data | System generated | Yes |
| Account creation date | System data | System generated | Yes |

#### 4.1.2 Project/Application Data

| Data Element | Category | Source | Mandatory |
|--------------|----------|--------|-----------|
| Project title | Content data | Applicant submission | Yes |
| Project description | Content data | Applicant submission | Yes |
| Team name | Identity data | Applicant submission | Yes |
| Team member names | Identity data | Applicant submission | Yes |
| Team member emails | Contact data | Applicant submission | Yes |
| Team member roles | Professional data | Applicant submission | No |
| Organisation/Institution | Professional data | Applicant submission | No |
| Country | Location data | Applicant submission | Yes |
| Geographic zone | Location data | Applicant submission | No |
| Project founding date | Temporal data | Applicant submission | No |
| Competition category | Classification data | Applicant selection | Yes |
| Ocean issue focus | Classification data | Applicant selection | Yes |
| Project tags | Classification data | Applicant submission | No |
| Uploaded files | Document data | Applicant upload | Varies |
| Video pitch | Media data | Applicant upload | No |
| External links | Reference data | Applicant submission | No |

#### 4.1.3 Evaluation Data

| Data Element | Category | Source | Mandatory |
|--------------|----------|--------|-----------|
| Evaluation scores | Assessment data | Jury member | Yes |
| Written comments | Assessment data | Jury member | Yes |
| Evaluation timestamp | Temporal data | System generated | Yes |
| Evaluator identity | Identity data | System generated | Yes |
| Evaluation version | System data | System generated | Yes |

#### 4.1.4 Technical and Security Data

| Data Element | Category | Source | Retention |
|--------------|----------|--------|-----------|
| IP address | Network data | Automatic collection | 12 months |
| User agent string | Device data | Automatic collection | 12 months |
| Session tokens | Security data | System generated | Session duration |
| Magic link tokens | Security data | System generated | 15 minutes |
| Audit log entries | Security data | System generated | 12 months |
| Error logs | Technical data | System generated | 30 days |

#### 4.1.5 AI Processing Data

| Data Element | Category | Source | Retention |
|--------------|----------|--------|-----------|
| Anonymised project data | Derived data | System processing | Not stored |
| AI usage logs | System data | System generated | 12 months |
| Token consumption | System data | System generated | 12 months |

**Note:** Personal data is **never** sent to AI services. All AI processing uses anonymised data only. See [AI Data Processing](./ai-data-processing.md) for details.

### 4.2 Special Categories of Personal Data

The Platform does **not** intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR. However, applicants may voluntarily include such information in free-text fields (e.g., project descriptions mentioning health-related ocean conservation work).
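The identifier-stripping step that the 4.1.5 note relies on, and that section 8.2.1 describes (contact details and names removed, project IDs replaced by P1, P2, ...), as an added TypeScript illustration; this is not the Platform's own code, and the record fields, the `[EMAIL]`/`[NAME]` placeholders and the sample project are constructed assumptions. It also adds a leak check that refuses to release a payload in which any identifier from the structured records survives.

```typescript
// Added example (not the Platform's own code): pseudonymise project records
// before they leave the Platform for an external AI service. Field names
// follow the inventory in section 4.1.2 but are an assumed schema.

interface TeamMember { name: string; email: string }

interface Project {
  id: string; // internal identifier (e.g. a database UUID); never transmitted
  title: string;
  description: string;
  country: string;
  teamMembers: TeamMember[];
  externalLinks: string[];
}

interface AnonymisedProject {
  ref: string; // sequential anonymous identifier: P1, P2, ...
  title: string;
  description: string;
  country: string;
  teamSize: number;
}

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const URL_RE = /\b(?:https?:\/\/|www\.)[^\s)]+/gi;
// Eight or more digits with optional single separators. Year ranges such as
// "2019-2021" get over-redacted too; for a privacy gate that is the safe side.
const PHONE_RE = /\+?\d(?:[\s().-]?\d){7,}/g;

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Strip contact details and known names from one free-text field. The names
// come from the structured team-member records, which is what makes their
// removal reliable; pattern matching alone cannot recognise arbitrary names.
export function redactText(text: string, knownNames: string[]): string {
  let out = text
    .replace(EMAIL_RE, "[EMAIL]")
    .replace(URL_RE, "[URL]")
    .replace(PHONE_RE, "[PHONE]");
  // Longest names first so "Anna Maria Rossi" is not split by a shorter match.
  const names = knownNames.slice().sort((a, b) => b.length - a.length);
  for (const fullName of names) {
    if (fullName.trim() === "") continue;
    out = out.replace(new RegExp(escapeRegExp(fullName), "gi"), "[NAME]");
  }
  return out;
}

// Build the payload for the AI service from an allow-list of fields. The
// ref -> id mapping stays on the Platform so results can be re-attached.
export function anonymiseProjects(projects: Project[]): { records: AnonymisedProject[]; mapping: { [ref: string]: string } } {
  const mapping: { [ref: string]: string } = {};
  const records = projects.map((p, i) => {
    const ref = "P" + (i + 1);
    mapping[ref] = p.id;
    const names = p.teamMembers.map((m) => m.name);
    return {
      ref,
      title: redactText(p.title, names),
      description: redactText(p.description, names),
      country: p.country,
      teamSize: p.teamMembers.length,
    };
  });
  return { records, mapping };
}

// Last gate before transmission: every identifier held for these projects
// must be absent from the serialised payload, otherwise nothing is sent.
export function findLeaks(records: AnonymisedProject[], projects: Project[]): string[] {
  const payload = JSON.stringify(records).toLowerCase();
  const identifiers: string[] = [];
  for (const p of projects) {
    identifiers.push(p.id);
    for (const m of p.teamMembers) identifiers.push(m.name, m.email);
    for (const link of p.externalLinks) identifiers.push(link);
  }
  return identifiers.filter((id) => id !== "" && payload.indexOf(id.toLowerCase()) !== -1);
}

// Constructed sample input (not real participant data).
export const SAMPLE_PROJECTS: Project[] = [
  {
    id: "7c2b9e1a-0000-4000-8000-000000000001",
    title: "Seagrass restoration led by Anna Maria Rossi",
    description: "Contact Anna Maria Rossi (anna.rossi@example.org, +377 93 15 36 00) or see https://example.org/seagrass for details. Founded in 2021.",
    country: "Monaco",
    teamMembers: [
      { name: "Anna Maria Rossi", email: "anna.rossi@example.org" },
      { name: "Luc Martin", email: "luc.martin@example.org" },
    ],
    externalLinks: ["https://example.org/seagrass"],
  },
];
```

Running `findLeaks` on the output of `anonymiseProjects` before every transmission turns the "anonymised data only" statement into a check that fails closed rather than a convention.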
**Mitigation measures:**

- No specific fields request special category data
- Privacy notice advises against including sensitive personal information
- AI anonymisation strips personally identifying information before processing

### 4.3 Children's Data

The Platform is not directed at children under the age of 16. The Competition is intended for adult participants, teams, and organisations. Registration requires confirmation that the user is at least 18 years of age or has parental/guardian consent.

---

## 5. Legal Basis for Processing

### 5.1 Overview of Legal Bases

The Platform relies on the following legal bases for processing personal data under Article 6(1) of the GDPR:

| Legal Basis | GDPR Article | Description |
|-------------|--------------|-------------|
| **Contract Performance** | Art. 6(1)(b) | Processing necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract. |
| **Legitimate Interests** | Art. 6(1)(f) | Processing necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. |
| **Consent** | Art. 6(1)(a) | The data subject has given consent to the processing of his or her personal data for one or more specific purposes. |
| **Legal Obligation** | Art. 6(1)(c) | Processing necessary for compliance with a legal obligation to which the controller is subject. |

### 5.2 Processing Activities and Legal Bases

| Processing Activity | Legal Basis | Justification |
|---------------------|-------------|---------------|
| User account creation and management | Contract Performance | Necessary to provide access to the Platform and enable participation in the Competition |
| Project submission processing | Contract Performance | Necessary to accept and process Competition entries |
| Jury evaluation and scoring | Contract Performance | Necessary to conduct the Competition judging process |
| Email notifications (competition-related) | Contract Performance | Necessary to communicate essential information about submissions and results |
| AI-powered project filtering | Legitimate Interests | Efficient processing of large numbers of applications; balanced by anonymisation measures |
| AI-powered jury assignment | Legitimate Interests | Optimal matching of jury expertise to projects; balanced by human oversight |
| AI-powered mentor matching | Legitimate Interests | Effective mentor-project pairing; balanced by anonymisation |
| Security logging and monitoring | Legitimate Interests | Protection of Platform, users, and data from unauthorised access |
| Analytics (aggregated, anonymised) | Legitimate Interests | Understanding Platform usage to improve services |
| WhatsApp notifications | Consent | Optional communication channel requiring explicit opt-in |
| Profile photograph | Consent | Optional personalisation feature |
| Marketing communications | Consent | Only with explicit opt-in consent |

### 5.3 Legitimate Interests Assessment (LIA)

For processing based on legitimate interests, the following assessment has been conducted:

#### AI-Powered Processing (Filtering, Assignment, Matching)

**Purpose:** Efficient evaluation of competition entries and optimal assignment of reviewers

**Legitimate Interest:**

- Organisational efficiency in processing large numbers of applications
- Fairness in matching reviewer expertise to project topics
- Cost-effective use of resources

**Necessity:**

- Manual processing of 100+ projects would be impractical
- AI enables consistent, scalable evaluation support
- Human decision-making remains final

**Balancing Test:**

- **Risk to data subjects:** Minimal - all data is anonymised before AI processing
- **Expectations:** Participants expect efficient, fair evaluation processes
- **Safeguards:** Anonymisation, human oversight, algorithmic fallback, audit logging
- **Conclusion:** Processing is proportionate; legitimate interests are not overridden

#### Security Logging

**Purpose:** Protection of Platform and user data

**Legitimate Interest:**

- Preventing unauthorised access
- Detecting and responding to security incidents
- Maintaining service integrity

**Necessity:**

- Essential for cybersecurity
- Required for incident response and forensics
- Supports compliance obligations

**Balancing Test:**

- **Risk to data subjects:** Low - logs contain minimal personal data (IP, user agent)
- **Expectations:** Users expect secure platforms
- **Safeguards:** Limited retention (12 months), access controls, encryption
- **Conclusion:** Processing is proportionate and expected

---

## 6. Data Processing Purposes

### 6.1 Primary Purposes

| Purpose | Description | Data Categories Used |
|---------|-------------|---------------------|
| **Competition Management** | Managing the full lifecycle of the Monaco Ocean Protection Challenge, including project submissions, evaluations, and results | User accounts, project data, evaluation data |
| **User Authentication** | Verifying user identity and managing secure access to the Platform | Email, password hash, session tokens, magic links |
| **Communication** | Sending essential notifications about submissions, deadlines, evaluation status, and results | Email, name, notification preferences |
| **Evaluation Processing** | Enabling jury members to review and score assigned projects | Project data, evaluation data, jury assignments |

### 6.2 Secondary Purposes

| Purpose | Description | Data Categories Used | Legal Basis |
|---------|-------------|---------------------|-------------|
| **AI-Assisted Processing** | Using AI to filter projects, suggest jury assignments, determine award eligibility, and match mentors | Anonymised project data only | Legitimate Interests |
| **Platform Security** | Monitoring for security threats, preventing abuse, investigating incidents | IP addresses, user agents, audit logs | Legitimate Interests |
| **Service Improvement** | Analysing aggregated, anonymised usage patterns to improve the Platform | Aggregated analytics | Legitimate Interests |
| **Legal Compliance** | Maintaining records as required by law | Varies by requirement | Legal Obligation |

### 6.3 Purpose Limitation

Personal data collected for the above purposes will not be processed in a manner incompatible with those purposes. Any new processing activity will be assessed for compatibility and, if necessary, additional consent or another legal basis will be obtained.

---

## 7. Data Subject Categories

### 7.1 Categories of Data Subjects

| Category | Description | Typical Data Processed |
|----------|-------------|------------------------|
| **Competition Applicants** | Individuals or teams submitting projects to the Competition | Full account and project data |
| **Team Members** | Individuals listed as members of applicant teams | Name, email, role |
| **Jury Members** | Experts appointed to evaluate Competition entries | Account data, evaluation data, expertise tags |
| **Mentors** | Professionals providing guidance to selected projects | Account data, expertise tags, assignments |
| **Observers** | Stakeholders with read-only access to dashboards | Account data, access logs |
| **Administrators** | Staff managing the Platform and Competition | Account data, audit logs, full system access |

### 7.2 Estimated Data Subject Numbers

| Category | Estimated Annual Volume |
|----------|------------------------|
| Competition Applicants | 100-200 projects |
| Team Members | 300-600 individuals |
| Jury Members | 50-100 individuals |
| Mentors | 20-50 individuals |
| Observers | 10-30 individuals |
| Administrators | 5-15 individuals |

---

## 8. Third-Party Data Sharing & Subprocessors

### 8.1 Categories of Recipients

Personal data may be disclosed to the following categories of recipients:

| Recipient Category | Purpose | Data Shared | Legal Basis |
|-------------------|---------|-------------|-------------|
| **Joint Controllers** | Competition organisation | All competition-related data | Contract Performance |
| **IT Infrastructure Providers** | Platform hosting and operation | All Platform data (encrypted at rest) | Contract Performance |
| **AI Service Providers** | Automated processing assistance | Anonymised project data only | Legitimate Interests |

### 8.2 Subprocessor Registry

#### 8.2.1 OpenAI

| Field | Details |
|-------|---------|
| **Subprocessor** | OpenAI, Inc. (OpenAI Ireland Limited for EU data) |
| **Registered Address** | 3180 18th Street, San Francisco, CA 94110, USA |
| **EU Entity** | OpenAI Ireland Limited |
| **Purpose** | AI-powered project filtering, jury assignment suggestions, award eligibility determination, mentor matching |
| **Data Processed** | **Anonymised data only** - No personal identifiers are transmitted |
| **Data Location** | European Union (Ireland) - using EU data residency feature |
| **Data Retention** | Zero Data Retention (ZDR) - data not stored at rest |
| **Security Certifications** | SOC 2 Type 2, ISO/IEC 27001, 27017, 27018, 27701 |
| **DPA Status** | OpenAI Data Processing Addendum available; EU Standard Contractual Clauses |
| **Training Opt-Out** | API data is not used for model training by default |

**Important:** Only anonymised data is sent to OpenAI. Personal identifiers (names, emails, phone numbers, addresses, URLs) are stripped before transmission. Project IDs are replaced with sequential anonymous identifiers (P1, P2, etc.). See [AI Data Processing](./ai-data-processing.md) for complete details.

#### 8.2.2 Self-Hosted Services

The following services are self-hosted on the Platform's infrastructure and do not involve third-party data processors:

| Service | Purpose | Hosting Location |
|---------|---------|------------------|
| **PostgreSQL Database** | Primary data storage | Austria, EU (Private VPS) |
| **MinIO Object Storage** | File storage (uploads, documents) | Austria, EU (Private VPS) |
| **Poste.io Email Server** | Transactional email delivery | Austria, EU (Private VPS) |
| **Nginx Reverse Proxy** | Web traffic management, SSL termination | Austria, EU (Private VPS) |

### 8.3 Subprocessor Due Diligence

Before engaging any subprocessor, the following assessments are conducted:

1. **Security Assessment** - Review of security certifications and practices
2. **Privacy Assessment** - Review of privacy policy and data handling practices
3. **Contractual Review** - Execution of Data Processing Agreement with GDPR-compliant terms
4. **Technical Assessment** - Verification of encryption, access controls, and data protection measures

### 8.4 Subprocessor Changes

Data subjects will be informed of any changes to subprocessors that materially affect the processing of their personal data. A list of current subprocessors is maintained and available upon request.

---

## 9. International Data Transfers

### 9.1 Data Location

| Data Category | Primary Location | Backup Location |
|---------------|------------------|-----------------|
| All Platform data | Austria, EU | Austria, EU |
| Email data | Austria, EU | N/A (self-hosted) |
| File storage | Austria, EU | Austria, EU |
| AI processing | Ireland, EU (OpenAI EU data residency) | N/A (zero retention) |

### 9.2 Transfer Mechanisms

#### Transfers within the EU/EEA

Data transfers between Monaco and EU Member States are conducted under the assumption of adequate protection. Monaco's adoption of Law 1.565 and ratification of Convention 108+ provides a framework aligned with GDPR standards.

#### Transfers to OpenAI

OpenAI processes data through their EU data residency feature:

- **Processing Location:** Dublin, Ireland (EU)
- **Data Retention:** Zero Data Retention (ZDR) - no data stored at rest
- **Transfer Mechanism:** EU Standard Contractual Clauses (incorporated in OpenAI DPA)
- **Additional Safeguards:** Data anonymisation before transmission, encryption in transit (TLS 1.2+)

#### Transfers to Third Countries

The Platform does not transfer personal data to countries outside the EU/EEA except as described above (OpenAI with EU data residency). Any future transfers would require:

1. Adequacy decision by the European Commission, or
2. Appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules), or
3. Derogations for specific situations (explicit consent, contract necessity)

### 9.3 Data Localisation

All personal data is stored within the European Union:

- **Primary Database:** Austria
- **File Storage:** Austria
- **Email Server:** Austria
- **Backups:** Austria

This approach minimises international transfer complexities and ensures GDPR compliance.

---

## 10. Data Subject Rights

### 10.1 Overview of Rights

Under the GDPR and Monaco Law 1.565, data subjects have the following rights:

| Right | GDPR Article | Description |
|-------|--------------|-------------|
| **Right of Access** | Art. 15 | The right to obtain confirmation of whether personal data is being processed and access to that data |
| **Right to Rectification** | Art. 16 | The right to have inaccurate personal data corrected and incomplete data completed |
| **Right to Erasure** | Art. 17 | The right to have personal data deleted in certain circumstances ("right to be forgotten") |
| **Right to Restriction** | Art. 18 | The right to restrict processing in certain circumstances |
| **Right to Data Portability** | Art. 20 | The right to receive personal data in a structured, commonly used, machine-readable format |
| **Right to Object** | Art. 21 | The right to object to processing based on legitimate interests or for direct marketing |
| **Rights Related to Automated Decision-Making** | Art. 22 | The right not to be subject to decisions based solely on automated processing with legal or significant effects |

### 10.2 Exercising Rights

#### 10.2.1 How to Submit a Request

Data subjects may exercise their rights by:

1. **Email:** gdpr@monaco-opc.com
2. **Platform:** Profile → Settings → Privacy (where applicable)

#### 10.2.2 Identity Verification

To protect personal data from unauthorised access, identity verification is required for all data subject requests:

- Requests from registered email addresses may be verified through magic link authentication
- Requests from other channels may require additional verification (e.g., copy of ID document)

#### 10.2.3 Response Timeframes

| Request Type | Initial Response | Maximum Completion |
|--------------|------------------|-------------------|
| Simple requests | 72 hours | 30 days |
| Complex requests | 72 hours | 90 days (with notification) |
| Rectification via Platform | Immediate | Immediate |

### 10.3 Right-Specific Procedures

#### 10.3.1 Right of Access (Article 15)

**Scope:** Data subjects may request:

- Confirmation of whether their data is processed
- A copy of their personal data
- Information about processing purposes, categories, recipients, retention, and rights

**Procedure:**

1. Submit request to gdpr@monaco-opc.com
2. Identity verification completed
3. Data compiled within 30 days
4. Data provided in commonly used electronic format (JSON or PDF)

**Self-Service:** Users can export their data via Profile → Settings → Export Data

#### 10.3.2 Right to Rectification (Article 16)

**Scope:** Correction of inaccurate data or completion of incomplete data

**Procedure:**

1. **Self-service:** Most data can be corrected via Profile → Settings → Edit Profile
2. **Supported:** For data that cannot be self-corrected, submit request to gdpr@monaco-opc.com
3. Corrections applied within 72 hours

#### 10.3.3 Right to Erasure (Article 17)

**Scope:** Deletion of personal data where:

- Data is no longer necessary for original purpose
- Consent is withdrawn (where consent was the legal basis)
- Data subject objects and no overriding legitimate grounds exist
- Data was unlawfully processed
- Legal obligation requires erasure

**Exceptions:** Erasure may be refused where processing is necessary for:

- Compliance with legal obligations
- Establishment, exercise, or defence of legal claims
- Archiving in the public interest (Competition historical records)

**Procedure:**

1. Submit request to gdpr@monaco-opc.com
2. Identity verification completed
3. Assessment of applicable exceptions
4. If approved: Data deleted within 30 days
5. Confirmation provided to data subject

**Self-Service:** Users can delete their account via Profile → Settings → Delete Account

**Anonymisation Alternative:** Where complete deletion is not possible due to legitimate retention needs, data will be anonymised so it can no longer be attributed to the data subject.

#### 10.3.4 Right to Restriction (Article 18)

**Scope:** Restriction of processing where:

- Accuracy of data is contested (during verification)
- Processing is unlawful but erasure is not requested
- Data is no longer needed but required for legal claims
- Objection is pending verification

**Procedure:**

1. Submit request to gdpr@monaco-opc.com
2. Data marked as restricted
3. Processing limited to storage only
4. Data subject notified before restriction is lifted

#### 10.3.5 Right to Data Portability (Article 20)

**Scope:** Receive personal data in structured, commonly used, machine-readable format where:

- Processing is based on consent or contract
- Processing is carried out by automated means

**Format:** JSON file containing:

- User profile data
- Project submissions
- Team memberships
- Evaluation data (for jury members)

**Procedure:**

1. Access via Profile → Settings → Export Data, or
2. Submit request to gdpr@monaco-opc.com
3. Data provided within 30 days

#### 10.3.6 Right to Object (Article 21)

**Scope:** Object to processing based on legitimate interests

**Procedure:**

1. Submit objection to gdpr@monaco-opc.com with specific grounds
2. Assessment of compelling legitimate grounds
3. Response within 30 days
4. If objection upheld: Processing ceased
5. If objection not upheld: Reasons provided

**AI Processing:** Data subjects may object to AI-assisted processing. In such cases:

- Their projects will be excluded from AI filtering
- Manual review will be conducted instead
- This will not affect evaluation quality or fairness

#### 10.3.7 Rights Related to Automated Decision-Making (Article 22)

**Statement:** The Platform does **not** make decisions based solely on automated processing that produce legal effects or similarly significantly affect data subjects.

All AI-assisted processes (filtering, assignment suggestions, eligibility determination) are:

- Supportive recommendations only
- Subject to human review and final decision
- Not binding without human approval

Data subjects may request human review of any AI-assisted recommendation by contacting gdpr@monaco-opc.com.

### 10.4 Complaints

Data subjects have the right to lodge a complaint with the supervisory authority:

**Autorité de Protection des Données Personnelles (APDP)**
Principality of Monaco

Data subjects are encouraged to contact gdpr@monaco-opc.com first to resolve any concerns directly.

---

## 11. Security Measures

### 11.1 Technical Measures

#### 11.1.1 Encryption

| Layer | Measure | Standard |
|-------|---------|----------|
| **Data in Transit** | TLS encryption for all connections | TLS 1.2 minimum, TLS 1.3 preferred |
| **Data at Rest** | Database encryption | AES-256 |
| **File Storage** | Encrypted object storage | AES-256 |
| **Backups** | Encrypted backup files | AES-256 |
| **Secrets** | Encrypted storage in database | AES-256 with application-level key |

#### 11.1.2 Authentication and Access Control

| Measure | Implementation |
|---------|----------------|
| **Authentication** | Passwordless magic link (primary), optional password |
| **Session Management** | Secure HTTP-only cookies, configurable expiry |
| **Multi-Factor Authentication** | Magic link serves as second factor (email possession) |
| **Role-Based Access Control** | Granular permissions by role (SUPER_ADMIN, PROGRAM_ADMIN, JURY_MEMBER, MENTOR, OBSERVER) |
| **Principle of Least Privilege** | Users only access data necessary for their role |
| **API Authentication** | Secure session tokens, CSRF protection |

#### 11.1.3 Network Security

| Measure | Implementation |
|---------|----------------|
| **Firewall** | Host-based firewall (iptables) restricting access |
| **Rate Limiting** | 100 requests/minute per IP for API; 10 requests/minute for auth endpoints |
| **DDoS Protection** | Network-level protection via hosting provider |
| **HTTPS Only** | All traffic encrypted; HTTP redirected to HTTPS |
| **Security Headers** | HSTS, X-Content-Type-Options, X-Frame-Options, CSP |

#### 11.1.4 Application Security

| Measure | Implementation |
|---------|----------------|
| **Input Validation** | Zod schema validation on all inputs |
| **SQL Injection Prevention** | Prisma ORM with parameterised queries |
| **XSS Prevention** | React's built-in escaping, Content Security Policy |
| **CSRF Protection** | SameSite cookies, JSON content type requirement |
| **Dependency Scanning** | Regular npm audit for vulnerable packages |
| **Error Handling** | Sanitised error messages (no sensitive data exposure) |

### 11.2 Organisational Measures

#### 11.2.1 Access Management

| Measure | Implementation |
|---------|----------------|
| **Access Provisioning** | Role-based, approved by administrator |
| **Access Review** | Quarterly review of user access rights |
| **Access Revocation** | Immediate upon role change or departure |
| **Administrator Access** | Limited to essential personnel |

#### 11.2.2 Audit and Monitoring

| Measure | Implementation |
|---------|----------------|
| **Audit Logging** | All sensitive actions logged with timestamp, user, IP |
| **Log Retention** | 12 months for security logs |
| **Log Protection** | Logs stored separately, access restricted |
| **Monitoring** | Automated alerts for suspicious activity |

#### 11.2.3 Incident Response

| Phase | Activities |
|-------|------------|
| **Preparation** | Documented procedures, contact lists, tools ready |
| **Detection** | Monitoring, alerting, user reports |
| **Containment** | Isolate affected systems, preserve evidence |
| **Eradication** | Remove threat, patch vulnerabilities |
| **Recovery** | Restore services, verify integrity |
| **Lessons Learned** | Post-incident review, procedure updates |

### 11.3 Physical Security

The Platform is hosted on a private Virtual Private Server (VPS) located in Austria, EU.
Physical security is managed by the hosting provider and includes: - Data centre physical access controls - Environmental controls (fire suppression, climate control) - Power redundancy - 24/7 security monitoring ### 11.4 Backup and Recovery | Aspect | Implementation | |--------|----------------| | **Backup Frequency** | Daily full backups | | **Backup Retention** | 90 days | | **Backup Encryption** | AES-256 encrypted | | **Backup Location** | Same geographic region (Austria, EU) | | **Recovery Testing** | Quarterly restore tests | | **Recovery Time Objective** | 4 hours | | **Recovery Point Objective** | 24 hours | --- ## 12. Data Retention Policy ### 12.1 Retention Principles Data is retained only as long as necessary for the purposes for which it was collected, subject to legal retention requirements and legitimate archival needs. ### 12.2 Retention Periods | Data Category | Retention Period | Basis | Post-Retention Action | |---------------|------------------|-------|----------------------| | **Active User Accounts** | Duration of account | Contract | Deletion or anonymisation on request | | **Inactive User Accounts** | 2 years after last login | Legitimate Interests | Notification, then anonymisation | | **Project Submissions** | 10 years from submission | Legitimate Interests (historical record) | Anonymisation | | **Evaluation Data** | 10 years from evaluation | Legitimate Interests (audit trail) | Anonymisation | | **Team Member Data** | 10 years from project submission | Legitimate Interests | Anonymisation | | **Audit Logs** | 12 months | Legitimate Interests (security) | Automatic deletion | | **AI Usage Logs** | 12 months | Legitimate Interests (cost tracking) | Automatic deletion | | **Session Data** | Session duration | Contract | Automatic expiration | | **Magic Link Tokens** | 15 minutes | Contract | Automatic expiration | | **Error Logs** | 30 days | Legitimate Interests (debugging) | Automatic deletion | | **Backup Data** | 90 days | Legitimate 
Interests (recovery) | Automatic rotation | ### 12.3 Retention Justification **10-Year Retention for Competition Data:** The Monaco Ocean Protection Challenge maintains historical records of competition entries for the following legitimate purposes: 1. **Historical Documentation:** Maintaining a record of ocean conservation initiatives 2. **Impact Assessment:** Tracking long-term outcomes of supported projects 3. **Alumni Network:** Enabling ongoing community engagement 4. **Audit Requirements:** Supporting organisational governance and accountability 5. **Legal Protection:** Preservation for potential legal claims (Monaco's general prescription period) After 10 years, data is anonymised and retained only in aggregate statistical form. ### 12.4 Anonymisation Process When data reaches the end of its retention period: 1. **Personal Identifiers Removed:** - Names replaced with "Anonymous" - Email addresses deleted - Phone numbers deleted - Team names generalised 2. **Content Preserved (Anonymised):** - Project descriptions retained for historical record - Evaluation scores retained for statistical analysis - Geographic data retained at country level only 3. **Verification:** - Anonymisation verified to ensure re-identification is not possible - Documented in anonymisation log --- ## 13. Cookies and Tracking Technologies ### 13.1 Cookie Policy The Platform uses only essential cookies required for functionality. No tracking, advertising, or analytics cookies are used. ### 13.2 Essential Cookies | Cookie Name | Purpose | Duration | Type | |-------------|---------|----------|------| | `authjs.session-token` | User authentication session | Session / Configurable | Strictly Necessary | | `authjs.csrf-token` | CSRF attack prevention | Session | Strictly Necessary | | `authjs.callback-url` | Redirect after authentication | Session | Strictly Necessary | ### 13.3 Cookies Not Used The Platform does **not** use: - ❌ Analytics cookies (Google Analytics, etc.) 
- ❌ Advertising cookies - ❌ Social media tracking cookies - ❌ Third-party cookies - ❌ Fingerprinting technologies - ❌ Tracking pixels ### 13.4 Cookie Consent As only strictly necessary cookies are used, explicit cookie consent is not required under GDPR Article 5(3) of the ePrivacy Directive. Users are informed of cookie use in the Privacy Policy. --- ## 14. Data Protection Impact Assessments ### 14.1 DPIA Requirement Data Protection Impact Assessments are conducted for processing activities that are likely to result in high risk to the rights and freedoms of natural persons, including: - Systematic and extensive evaluation of personal aspects (profiling) - Processing of special categories of data on a large scale - Systematic monitoring of publicly accessible areas - Use of new technologies ### 14.2 Completed DPIAs #### 14.2.1 AI-Assisted Processing DPIA | Aspect | Assessment | |--------|------------| | **Processing Activity** | AI-powered filtering, assignment, eligibility, and matching | | **Risk Identified** | Personal data exposure to third-party AI provider | | **Likelihood** | Very Low (data is anonymised) | | **Severity** | Low (even if exposed, data is anonymised) | | **Mitigation Measures** | Full anonymisation before processing, EU data residency, zero data retention, no PII transmitted | | **Residual Risk** | Very Low | | **Conclusion** | Processing may proceed with implemented safeguards | #### 14.2.2 Large-Scale Evaluation Processing DPIA | Aspect | Assessment | |--------|------------| | **Processing Activity** | Collection and processing of evaluation scores and comments | | **Risk Identified** | Subjective opinions about projects/individuals | | **Likelihood** | Low | | **Severity** | Medium (could affect reputation if disclosed) | | **Mitigation Measures** | Strict access controls, audit logging, evaluator confidentiality agreements | | **Residual Risk** | Low | | **Conclusion** | Processing may proceed with implemented safeguards | #### 14.2.3 
File Upload Processing DPIA | Aspect | Assessment | |--------|------------| | **Processing Activity** | Upload and storage of project documents, videos, images | | **Risk Identified** | Sensitive content in uploaded files | | **Likelihood** | Medium (users control uploads) | | **Severity** | Medium | | **Mitigation Measures** | Access controls, pre-signed URLs, file type restrictions, virus scanning | | **Residual Risk** | Low-Medium | | **Conclusion** | Processing may proceed with user guidance on appropriate content | ### 14.3 DPIA Review Schedule DPIAs are reviewed: - Annually as part of compliance review - When significant changes to processing occur - When new technologies are introduced - Following any relevant security incident --- ## 15. Data Breach Notification Procedures ### 15.1 Definition of Personal Data Breach A personal data breach is a breach of security leading to the accidental or unlawful: - Destruction of personal data - Loss of personal data - Alteration of personal data - Unauthorised disclosure of personal data - Unauthorised access to personal data ### 15.2 Breach Detection Potential breaches may be detected through: - Automated security monitoring and alerting - User reports - Administrator observation - Third-party notification - Security audit findings ### 15.3 Breach Response Procedure #### Phase 1: Identification and Containment (0-24 hours) | Step | Action | Responsible | |------|--------|-------------| | 1 | Confirm breach has occurred | IT Administrator | | 2 | Contain the breach (isolate systems, revoke access) | IT Administrator | | 3 | Preserve evidence | IT Administrator | | 4 | Initial assessment of scope and severity | IT Administrator | | 5 | Notify Data Protection Contact | IT Administrator | #### Phase 2: Assessment (24-48 hours) | Step | Action | Responsible | |------|--------|-------------| | 6 | Identify affected data categories | Data Protection Contact | | 7 | Identify number of affected individuals | Data Protection 
Contact | | 8 | Assess risk to individuals | Data Protection Contact | | 9 | Document findings | Data Protection Contact | | 10 | Determine notification requirements | Data Protection Contact | #### Phase 3: Notification (Within 72 hours of awareness) **Supervisory Authority Notification:** Required if the breach is likely to result in a risk to the rights and freedoms of natural persons. | Element | Details | |---------|---------| | **Authority** | Autorité de Protection des Données Personnelles (APDP) | | **Timeframe** | Within 72 hours of becoming aware | | **Content** | Nature of breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed | **Data Subject Notification:** Required if the breach is likely to result in a **high** risk to rights and freedoms. | Element | Details | |---------|---------| | **Timeframe** | Without undue delay | | **Method** | Email to affected individuals | | **Content** | Plain language description of breach, likely consequences, measures taken, recommendations for individuals, contact point | **Exception:** Notification to data subjects is not required if: - Appropriate technical measures rendered data unintelligible (encryption) - Subsequent measures eliminate high risk - Individual notification would involve disproportionate effort (public communication alternative) #### Phase 4: Remediation and Review (Post-incident) | Step | Action | Responsible | |------|--------|-------------| | 11 | Implement remediation measures | IT Administrator | | 12 | Verify effectiveness of remediation | IT Administrator | | 13 | Conduct post-incident review | Data Protection Contact | | 14 | Update procedures as needed | Data Protection Contact | | 15 | Complete breach register entry | Data Protection Contact | ### 15.4 Breach Register All breaches, regardless of notification requirement, are documented in a breach register including: - Date and time of breach - Date and time of discovery - 
Nature of breach - Categories of data affected - Approximate number of data subjects affected - Likely consequences - Measures taken - Notification decisions and dates --- ## 16. Training and Awareness ### 16.1 Training Programme All personnel with access to personal data receive training on: | Topic | Frequency | Audience | |-------|-----------|----------| | Data protection principles | On boarding + Annual | All staff | | Platform-specific data handling | On boarding | All staff | | Security awareness | Annual | All staff | | Breach identification and reporting | Annual | All staff | | Data subject rights handling | Annual | Administrators | | DPIA methodology | As needed | Data Protection Contact | ### 16.2 Awareness Activities - Privacy notices displayed at data collection points - Regular reminders about data handling practices - Updates on regulatory changes - Incident lessons learned (anonymised) --- ## 17. Documentation and Records ### 17.1 Records of Processing Activities (Article 30) A record of processing activities is maintained including: - Controller/processor contact details - Purposes of processing - Categories of data subjects and personal data - Categories of recipients - Transfers to third countries - Retention periods - Security measures ### 17.2 Document Retention | Document | Retention Period | |----------|------------------| | Records of Processing Activities | Duration of processing + 5 years | | DPIAs | Duration of processing + 5 years | | Data Subject Request Records | 5 years from resolution | | Breach Register | 5 years from incident | | Consent Records | Duration of processing + 5 years | | Training Records | 5 years from training date | --- ## 18. 
Contact Information ### 18.1 Data Protection Contact **Email:** gdpr@monaco-opc.com This is the primary contact for: - Data subject rights requests - Privacy inquiries - Breach notifications - Complaints ### 18.2 Supervisory Authority **Autorité de Protection des Données Personnelles (APDP)** Principality of Monaco Website: [To be confirmed - APDP is newly established] ### 18.3 Joint Controller Contacts Inquiries may also be directed to any of the joint controllers: - International University of Monaco - Oceanographic Institute - Prince Albert I of Monaco Foundation - Monaco Impact - Prince Albert II of Monaco Foundation However, the email gdpr@monaco-opc.com serves as the efficient central point of contact. --- ## 19. Document Control ### 19.1 Version History | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | January 2025 | - | Initial version | | 2.0 | February 2026 | - | Comprehensive revision: Added definitions, updated Monaco legal framework (Law 1.565, APDP), detailed all GDPR articles, expanded security measures, added DPIAs | ### 19.2 Review Schedule This document is reviewed: - Annually (minimum) - Following significant regulatory changes - Following significant changes to processing activities - Following security incidents ### 19.3 Approval | Role | Name | Date | |------|------|------| | Document Owner | [TBD] | [TBD] | | Approved By | [TBD] | [TBD] | --- ## Appendices ### Appendix A: Related Documents - [AI Data Processing - GDPR Compliance](./ai-data-processing.md) - [AI System Architecture](../architecture/ai-system.md) - [Privacy Policy](../legal/privacy-policy.md) [To be created] - [Cookie Policy](../legal/cookie-policy.md) [To be created] ### Appendix B: Legal References - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj) - [Monaco Law 1.565 of December 3, 2024](https://en.gouv.mc/Policy-Practice/A-Modern-State/Protection-of-personal-data) - [Convention 
108+](https://www.coe.int/en/web/data-protection/convention108-and-protocol) - [OpenAI Data Processing Addendum](https://openai.com/policies/data-processing-addendum/) - [OpenAI EU Data Residency](https://openai.com/index/introducing-data-residency-in-europe/)
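The anonymisation process in section 12.4 (identifiers removed, content preserved, result verified and logged) as an added worked example. This is illustrative code written for this page, not the MOPC Platform's own implementation; the record shape, field names and the sample submission are constructed assumptions, and dropping free-text evaluation comments (which section 12.4 does not mention) is a design choice of the example. It shows the verification step as an active check: every string in the anonymised record is scanned for e-mail and phone patterns and for any identifier copied from the original record, and a failed check blocks the log entry from being marked as verified.

```javascript
// Added example (not MOPC Platform code): section 12.4 anonymisation with verification.

// Detectors used by the verification step. Phone detection requires 9+ digits
// (possibly separated by spaces, dots, dashes or parentheses) so that ISO dates
// such as "2014-03-10" are not flagged as phone numbers.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_RE = /\+?(?:\d[\s().-]*){9,}/;

// Constructed sample submission; the field names are assumptions for this example.
const sampleSubmission = {
  id: "proj-0001",
  submittedAt: "2014-03-10",
  title: "Reef Monitoring Buoys",
  description: "Low-cost buoys that log water temperature and pH.",
  team: {
    name: "Team Dupont Marine",
    members: [
      { name: "Alice Dupont", email: "alice@example.com", phone: "+377 93 00 00 00", role: "lead" },
      { name: "Bob Martin", email: "bob@example.com", phone: null, role: "member" },
    ],
  },
  location: { country: "MC", city: "Monaco", region: "Monte-Carlo" },
  evaluations: [{ evaluator: "Carol Juror", score: 8.5, comment: "Strong technical plan." }],
};

// Step 1 and 2 of section 12.4: remove identifiers, keep the historical content.
function anonymiseSubmission(sub) {
  return {
    id: sub.id,
    submittedAt: sub.submittedAt,
    title: sub.title,
    description: sub.description, // project description retained for historical record
    team: {
      name: "Anonymised team", // team name generalised
      // names replaced with "Anonymous"; email and phone fields are not copied at all
      members: sub.team.members.map((m) => ({ name: "Anonymous", role: m.role })),
    },
    location: { country: sub.location.country }, // geographic data at country level only
    // scores retained for statistical analysis; free-text comment dropped (example's choice)
    evaluations: sub.evaluations.map((e) => ({ evaluator: "Anonymous", score: e.score })),
  };
}

// Walk any nested value and collect every string with its path, for scanning.
function collectStrings(value, path = "", out = []) {
  if (typeof value === "string") out.push({ path, value });
  else if (Array.isArray(value)) value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  else if (value && typeof value === "object")
    for (const [k, v] of Object.entries(value)) collectStrings(v, path ? `${path}.${k}` : k, out);
  return out;
}

// Identifiers from the original record that must not survive anonymisation.
function personalIdentifiers(sub) {
  const ids = [sub.team.name];
  for (const m of sub.team.members) ids.push(m.name, m.email, m.phone);
  for (const e of sub.evaluations) ids.push(e.evaluator);
  return ids.filter((x) => typeof x === "string" && x.length > 0);
}

// Step 3 of section 12.4: verify that no identifier or contact pattern remains.
function verifyAnonymised(original, anonymised) {
  const findings = [];
  const ids = personalIdentifiers(original).map((s) => s.toLowerCase());
  for (const { path, value } of collectStrings(anonymised)) {
    if (EMAIL_RE.test(value)) findings.push(`${path}: e-mail pattern present`);
    if (PHONE_RE.test(value)) findings.push(`${path}: phone pattern present`);
    const lower = value.toLowerCase();
    for (const id of ids) if (lower.includes(id)) findings.push(`${path}: original identifier present`);
  }
  return { ok: findings.length === 0, findings };
}

// Entry for the anonymisation log; `anonymisedAt` is passed in so the entry is reproducible.
function anonymisationLogEntry(original, anonymised, anonymisedAt) {
  const check = verifyAnonymised(original, anonymised);
  return {
    recordId: original.id,
    anonymisedAt,
    identifiersRemoved: personalIdentifiers(original).length,
    verified: check.ok,
    findings: check.findings,
  };
}

const anonymised = anonymiseSubmission(sampleSubmission);
console.log(JSON.stringify(anonymisationLogEntry(sampleSubmission, anonymised, "2026-02-01T00:00:00Z"), null, 2));
```

Running the verification against the original record is a useful self-test for the detectors: it should fail, listing the e-mail, phone and name fields, which confirms the check would catch a copy that slipped through rather than silently passing everything.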