MOPC-App/docs/gdpr/platform-gdpr-compliance.md


MOPC Platform - GDPR Compliance Documentation

Document Version: 2.0

Last Updated: February 2026

Classification: Internal / Compliance


Table of Contents

  1. Definitions
  2. Data Controller Information
  3. Legal Framework
  4. Personal Data Inventory
  5. Legal Basis for Processing
  6. Data Processing Purposes
  7. Data Subject Categories
  8. Third-Party Data Sharing & Subprocessors
  9. International Data Transfers
  10. Data Subject Rights
  11. Security Measures
  12. Data Retention Policy
  13. Cookies and Tracking Technologies
  14. Data Protection Impact Assessments
  15. Data Breach Notification Procedures
  16. Training and Awareness
  17. Documentation and Records
  18. Contact Information
  19. Document Control

1. Definitions

For the purposes of this document, the following definitions apply:

| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Data Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
| Data Subject | An identified or identifiable natural person whose personal data is being processed. |
| Consent | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Supervisory Authority | An independent public authority established by a Member State or, in the case of Monaco, the Autorité de Protection des Données Personnelles (APDP). |
| Pseudonymisation | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. |
| Anonymisation | The irreversible process of altering personal data in such a way that the data subject cannot be identified directly or indirectly, either by the data controller alone or in collaboration with any other party. Anonymised data is not considered personal data under GDPR. |
| Special Categories of Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
| Recipient | A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. |
| Third Party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. |
| APDP | Autorité de Protection des Données Personnelles - Monaco's data protection supervisory authority, established under Law 1.565 of December 3, 2024, replacing the former CCIN. |
| Platform | The MOPC web application accessible at monaco-opc.com, including all associated services, APIs, and infrastructure. |
| Competition | The Monaco Ocean Protection Challenge, an annual competition for ocean conservation projects. |

2. Data Controller Information

2.1 Primary Data Controller

| Field | Details |
|---|---|
| Organisation Name | The Monaco Ocean Protection Challenge Organization |
| Legal Status | Non-profit organization |
| Country of Establishment | Principality of Monaco |
| Data Protection Contact | gdpr@monaco-opc.com |

2.2 Joint Controllers

The Monaco Ocean Protection Challenge is organized jointly by the following entities, who act as joint controllers for the processing of participant data:

  1. International University of Monaco (IUM)
  2. Oceanographic Institute (Institut océanographique, Fondation Albert Ier, Prince de Monaco)
  3. Prince Albert I of Monaco Foundation
  4. Monaco Impact
  5. Prince Albert II of Monaco Foundation

2.3 Joint Controller Arrangement

In accordance with Article 26 of the GDPR, the joint controllers have determined their respective responsibilities for compliance with data protection obligations:

  • The Monaco Ocean Protection Challenge Organization is the primary point of contact for data subjects and bears responsibility for:

    • Maintaining the Platform and its data security
    • Responding to data subject requests
    • Managing the technical infrastructure
    • Coordinating with subprocessors
  • All joint controllers share responsibility for:

    • Determining the purposes of processing
    • Ensuring lawful basis for processing
    • Providing transparent information to data subjects

2.4 Data Protection Contact

For all data protection inquiries, data subject requests, and privacy-related matters:

Email: gdpr@monaco-opc.com

Data subjects may contact any of the joint controllers regarding their rights, but the above email serves as the central contact point for efficiency.


3. Legal Framework

3.1 Applicable Laws

The Platform's data processing activities are subject to the following legal frameworks:

Monaco Law

  • Law No. 1.565 of December 3, 2024 on the Protection of Personal Data

    • Entered into force in 2025
    • Replaces the former Law No. 1.165 of December 23, 1993
    • Aligns with Convention 108+ and GDPR principles
    • Establishes the APDP as the supervisory authority
  • Law No. 1.566 of December 3, 2024 ratifying the amending protocol to Convention 108

    • Monaco ratified Convention 108+ on March 6, 2025

European Union Law

  • Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)

    • Applicable to processing of EU residents' data
    • Applicable due to server location in Austria (EU)
  • Directive 2002/58/EC (ePrivacy Directive)

    • Applicable to electronic communications

Territorial Scope

The Platform processes data of individuals located in:

  • The Principality of Monaco
  • European Union Member States
  • Other countries (competition is open internationally)

Due to the server infrastructure being located in Austria (EU) and the international nature of participants, GDPR standards are applied as the baseline for all data processing activities.

3.2 Supervisory Authority

Primary Supervisory Authority:

Autorité de Protection des Données Personnelles (APDP), Principality of Monaco

The APDP was established under Law 1.565 of December 3, 2024, replacing the former Commission de Contrôle des Informations Nominatives (CCIN). The APDP has the following powers:

  • Investigation and control powers
  • Access to premises where data processing is carried out
  • Authority to request relevant documents
  • Power to issue warnings, formal notices, and processing restrictions
  • Authority to impose administrative fines up to €10 million

3.3 EU Adequacy Status

As of February 2026, Monaco has formally requested an EU adequacy decision. The European Commission is reviewing Monaco's framework following the ratification of Convention 108+ and the adoption of Law 1.565. An adequacy decision would streamline EU-Monaco data flows.


4. Personal Data Inventory

4.1 Categories of Personal Data Processed

4.1.1 User Account Data

| Data Element | Category | Source | Mandatory |
|---|---|---|---|
| Email address | Contact data | User registration | Yes |
| Full name | Identity data | User registration | Yes |
| Phone number | Contact data | User profile | No |
| Profile photograph | Image data | User upload | No |
| User role | System data | Administrator assignment | Yes |
| Account status | System data | System generated | Yes |
| Password hash | Security data | User registration | Yes (if password auth used) |
| Last login timestamp | Usage data | System generated | Yes |
| Account creation date | System data | System generated | Yes |

4.1.2 Project/Application Data

| Data Element | Category | Source | Mandatory |
|---|---|---|---|
| Project title | Content data | Applicant submission | Yes |
| Project description | Content data | Applicant submission | Yes |
| Team name | Identity data | Applicant submission | Yes |
| Team member names | Identity data | Applicant submission | Yes |
| Team member emails | Contact data | Applicant submission | Yes |
| Team member roles | Professional data | Applicant submission | No |
| Organisation/Institution | Professional data | Applicant submission | No |
| Country | Location data | Applicant submission | Yes |
| Geographic zone | Location data | Applicant submission | No |
| Project founding date | Temporal data | Applicant submission | No |
| Competition category | Classification data | Applicant selection | Yes |
| Ocean issue focus | Classification data | Applicant selection | Yes |
| Project tags | Classification data | Applicant submission | No |
| Uploaded files | Document data | Applicant upload | Varies |
| Video pitch | Media data | Applicant upload | No |
| External links | Reference data | Applicant submission | No |

4.1.3 Evaluation Data

| Data Element | Category | Source | Mandatory |
|---|---|---|---|
| Evaluation scores | Assessment data | Jury member | Yes |
| Written comments | Assessment data | Jury member | Yes |
| Evaluation timestamp | Temporal data | System generated | Yes |
| Evaluator identity | Identity data | System generated | Yes |
| Evaluation version | System data | System generated | Yes |

4.1.4 Technical and Security Data

| Data Element | Category | Source | Retention |
|---|---|---|---|
| IP address | Network data | Automatic collection | 12 months |
| User agent string | Device data | Automatic collection | 12 months |
| Session tokens | Security data | System generated | Session duration |
| Magic link tokens | Security data | System generated | 15 minutes |
| Audit log entries | Security data | System generated | 12 months |
| Error logs | Technical data | System generated | 30 days |

4.1.5 AI Processing Data

| Data Element | Category | Source | Retention |
|---|---|---|---|
| Anonymised project data | Derived data | System processing | Not stored |
| AI usage logs | System data | System generated | 12 months |
| Token consumption | System data | System generated | 12 months |

Note: Personal data is never sent to AI services. All AI processing uses anonymised data only. See AI Data Processing for details.

4.2 Special Categories of Personal Data

The Platform does not intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR. However, applicants may voluntarily include such information in free-text fields (e.g., project descriptions mentioning health-related ocean conservation work).

Mitigation measures:

  • No specific fields request special category data
  • Privacy notice advises against including sensitive personal information
  • AI anonymisation strips personally identifying information before processing

4.3 Children's Data

The Platform is not directed at children under the age of 16. The Competition is intended for adult participants, teams, and organisations. Registration requires confirmation that the user is at least 18 years of age or has parental/guardian consent.


5. Legal Basis for Processing

The Platform relies on the following legal bases for processing personal data under Article 6(1) of the GDPR:

| Legal Basis | GDPR Article | Description |
|---|---|---|
| Contract Performance | Art. 6(1)(b) | Processing necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract. |
| Legitimate Interests | Art. 6(1)(f) | Processing necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. |
| Consent | Art. 6(1)(a) | The data subject has given consent to the processing of his or her personal data for one or more specific purposes. |
| Legal Obligation | Art. 6(1)(c) | Processing necessary for compliance with a legal obligation to which the controller is subject. |

| Processing Activity | Legal Basis | Justification |
|---|---|---|
| User account creation and management | Contract Performance | Necessary to provide access to the Platform and enable participation in the Competition |
| Project submission processing | Contract Performance | Necessary to accept and process Competition entries |
| Jury evaluation and scoring | Contract Performance | Necessary to conduct the Competition judging process |
| Email notifications (competition-related) | Contract Performance | Necessary to communicate essential information about submissions and results |
| AI-powered project filtering | Legitimate Interests | Efficient processing of large numbers of applications; balanced by anonymisation measures |
| AI-powered jury assignment | Legitimate Interests | Optimal matching of jury expertise to projects; balanced by human oversight |
| AI-powered mentor matching | Legitimate Interests | Effective mentor-project pairing; balanced by anonymisation |
| Security logging and monitoring | Legitimate Interests | Protection of Platform, users, and data from unauthorised access |
| Analytics (aggregated, anonymised) | Legitimate Interests | Understanding Platform usage to improve services |
| WhatsApp notifications | Consent | Optional communication channel requiring explicit opt-in |
| Profile photograph | Consent | Optional personalisation feature |
| Marketing communications | Consent | Only with explicit opt-in consent |

5.3 Legitimate Interests Assessment (LIA)

For processing based on legitimate interests, the following assessment has been conducted:

AI-Powered Processing (Filtering, Assignment, Matching)

Purpose: Efficient evaluation of competition entries and optimal assignment of reviewers

Legitimate Interest:

  • Organisational efficiency in processing large numbers of applications
  • Fairness in matching reviewer expertise to project topics
  • Cost-effective use of resources

Necessity:

  • Manual processing of 100+ projects would be impractical
  • AI enables consistent, scalable evaluation support
  • Human decision-making remains final

Balancing Test:

  • Risk to data subjects: Minimal - all data is anonymised before AI processing
  • Expectations: Participants expect efficient, fair evaluation processes
  • Safeguards: Anonymisation, human oversight, algorithmic fallback, audit logging
  • Conclusion: Processing is proportionate; legitimate interests are not overridden

Security Logging

Purpose: Protection of Platform and user data

Legitimate Interest:

  • Preventing unauthorised access
  • Detecting and responding to security incidents
  • Maintaining service integrity

Necessity:

  • Essential for cybersecurity
  • Required for incident response and forensics
  • Supports compliance obligations

Balancing Test:

  • Risk to data subjects: Low - logs contain minimal personal data (IP, user agent)
  • Expectations: Users expect secure platforms
  • Safeguards: Limited retention (12 months), access controls, encryption
  • Conclusion: Processing is proportionate and expected

6. Data Processing Purposes

6.1 Primary Purposes

| Purpose | Description | Data Categories Used |
|---|---|---|
| Competition Management | Managing the full lifecycle of the Monaco Ocean Protection Challenge, including project submissions, evaluations, and results | User accounts, project data, evaluation data |
| User Authentication | Verifying user identity and managing secure access to the Platform | Email, password hash, session tokens, magic links |
| Communication | Sending essential notifications about submissions, deadlines, evaluation status, and results | Email, name, notification preferences |
| Evaluation Processing | Enabling jury members to review and score assigned projects | Project data, evaluation data, jury assignments |

6.2 Secondary Purposes

| Purpose | Description | Data Categories Used | Legal Basis |
|---|---|---|---|
| AI-Assisted Processing | Using AI to filter projects, suggest jury assignments, determine award eligibility, and match mentors | Anonymised project data only | Legitimate Interests |
| Platform Security | Monitoring for security threats, preventing abuse, investigating incidents | IP addresses, user agents, audit logs | Legitimate Interests |
| Service Improvement | Analysing aggregated, anonymised usage patterns to improve the Platform | Aggregated analytics | Legitimate Interests |
| Legal Compliance | Maintaining records as required by law | Varies by requirement | Legal Obligation |

6.3 Purpose Limitation

Personal data collected for the above purposes will not be processed in a manner incompatible with those purposes. Any new processing activity will be assessed for compatibility and, if necessary, additional consent or other legal basis will be obtained.


7. Data Subject Categories

7.1 Categories of Data Subjects

| Category | Description | Typical Data Processed |
|---|---|---|
| Competition Applicants | Individuals or teams submitting projects to the Competition | Full account and project data |
| Team Members | Individuals listed as members of applicant teams | Name, email, role |
| Jury Members | Experts appointed to evaluate Competition entries | Account data, evaluation data, expertise tags |
| Mentors | Professionals providing guidance to selected projects | Account data, expertise tags, assignments |
| Observers | Stakeholders with read-only access to dashboards | Account data, access logs |
| Administrators | Staff managing the Platform and Competition | Account data, audit logs, full system access |

7.2 Estimated Data Subject Numbers

| Category | Estimated Annual Volume |
|---|---|
| Competition Applicants | 100-200 projects |
| Team Members | 300-600 individuals |
| Jury Members | 50-100 individuals |
| Mentors | 20-50 individuals |
| Observers | 10-30 individuals |
| Administrators | 5-15 individuals |

8. Third-Party Data Sharing & Subprocessors

8.1 Categories of Recipients

Personal data may be disclosed to the following categories of recipients:

| Recipient Category | Purpose | Data Shared | Legal Basis |
|---|---|---|---|
| Joint Controllers | Competition organisation | All competition-related data | Contract Performance |
| IT Infrastructure Providers | Platform hosting and operation | All Platform data (encrypted at rest) | Contract Performance |
| AI Service Providers | Automated processing assistance | Anonymised project data only | Legitimate Interests |

8.2 Subprocessor Registry

8.2.1 OpenAI

| Field | Details |
|---|---|
| Subprocessor | OpenAI, Inc. (OpenAI Ireland Limited for EU data) |
| Registered Address | 3180 18th Street, San Francisco, CA 94110, USA |
| EU Entity | OpenAI Ireland Limited |
| Purpose | AI-powered project filtering, jury assignment suggestions, award eligibility determination, mentor matching |
| Data Processed | Anonymised data only - No personal identifiers are transmitted |
| Data Location | European Union (Ireland) - using EU data residency feature |
| Data Retention | Zero Data Retention (ZDR) - data not stored at rest |
| Security Certifications | SOC 2 Type 2, ISO/IEC 27001, 27017, 27018, 27701 |
| DPA Status | OpenAI Data Processing Addendum available; EU Standard Contractual Clauses |
| Training Opt-Out | API data is not used for model training by default |

Important: Only anonymised data is sent to OpenAI. Personal identifiers (names, emails, phone numbers, addresses, URLs) are stripped before transmission. Project IDs are replaced with sequential anonymous identifiers (P1, P2, etc.). See AI Data Processing for complete details.
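The stripping step described above, written out as an added example (this is not the Platform's own code): known team member names are removed using the structured team field, e-mail addresses, URLs and phone numbers are removed by pattern, internal project IDs are replaced by sequential references, and the outgoing payload is re-checked before it is allowed to leave. The record shapes, the placeholder tokens and the sample projects are constructed for the example; the ref-to-id mapping is what stays on the Platform and is never sent.

```typescript
// Added example (not MOPC Platform code): anonymise project records before
// they are sent to an external AI service, as section 8.2.1 describes.
// Field names, placeholder tokens and the sample projects are constructed.

interface TeamMember { name: string; email: string }

interface ProjectRecord {
  id: string;                 // internal database id, never transmitted
  title: string;
  description: string;
  country: string;
  teamMembers: TeamMember[];
}

interface AnonymisedProject {
  ref: string;                // sequential anonymous identifier: P1, P2, ...
  title: string;
  description: string;
  country: string;
}

// Heuristic patterns for direct identifiers that must not leave the platform.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// URLs: stop before trailing punctuation so "see https://x.org." keeps its period.
const URL_RE = /\bhttps?:\/\/[^\s)]*[^\s).,;]|\bwww\.[^\s)]*[^\s).,;]/gi;
// Phone numbers: a digit (optionally preceded by +) then 7+ digits/separators.
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Pattern-based identifiers first, then the names known from the team field
// (full name, then each part of three or more letters, e.g. the surname alone).
function scrubText(text: string, knownNames: string[]): string {
  let out = text.replace(EMAIL_RE, "[EMAIL]").replace(URL_RE, "[URL]").replace(PHONE_RE, "[PHONE]");
  for (const name of knownNames) {
    const parts = [name, ...name.split(/\s+/).filter((p) => p.length >= 3)];
    for (const p of parts) {
      out = out.replace(new RegExp(`\\b${escapeRegExp(p)}\\b`, "gi"), "[TEAM MEMBER]");
    }
  }
  return out;
}

// Final guard on the outgoing text: true if any identifier pattern survived.
function containsIdentifiers(text: string): boolean {
  return [EMAIL_RE, URL_RE, PHONE_RE].some((re) => {
    re.lastIndex = 0;         // global regexes keep state between test() calls
    return re.test(text);
  });
}

function anonymiseProjects(projects: ProjectRecord[]): {
  payload: AnonymisedProject[];
  mapping: Map<string, string>;   // ref -> internal id; stays on the Platform
} {
  const mapping = new Map<string, string>();
  const payload = projects.map((p, i) => {
    const ref = `P${i + 1}`;
    mapping.set(ref, p.id);
    const names = p.teamMembers.map((m) => m.name);
    const anon: AnonymisedProject = {
      ref,
      title: scrubText(p.title, names),
      description: scrubText(p.description, names),
      country: p.country,
    };
    for (const field of [anon.title, anon.description]) {
      if (containsIdentifiers(field)) {
        throw new Error(`refusing to transmit ${ref}: identifier survived scrubbing`);
      }
    }
    return anon;
  });
  return { payload, mapping };
}

// Constructed sample input (documentation-style addresses and numbers).
const SAMPLE_PROJECTS: ProjectRecord[] = [
  {
    id: "proj_8f3a",
    title: "Seagrass restoration led by Marie Dupont",
    description:
      "Contact Marie Dupont at marie@example.org or +377 93 15 00 00. Details: https://example.org/seagrass. Three-year plan.",
    country: "Monaco",
    teamMembers: [{ name: "Marie Dupont", email: "marie@example.org" }],
  },
  {
    id: "proj_12c7",
    title: "Ghost net recovery",
    description: "Volunteer divers remove abandoned nets; see www.example.net/nets.",
    country: "France",
    teamMembers: [{ name: "Luca Rossi", email: "luca@example.net" }],
  },
];
```

The pattern-based pass runs before the name pass so that a first name inside an e-mail address is caught by the e-mail rule rather than leaving a half-scrubbed `@example.org` fragment; the final `containsIdentifiers` check fails closed, refusing the whole record rather than sending it with a leak.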

8.2.2 Self-Hosted Services

The following services are self-hosted on the Platform's infrastructure and do not involve third-party data processors:

| Service | Purpose | Hosting Location |
|---|---|---|
| PostgreSQL Database | Primary data storage | Austria, EU (Private VPS) |
| MinIO Object Storage | File storage (uploads, documents) | Austria, EU (Private VPS) |
| Poste.io Email Server | Transactional email delivery | Austria, EU (Private VPS) |
| Nginx Reverse Proxy | Web traffic management, SSL termination | Austria, EU (Private VPS) |

8.3 Subprocessor Due Diligence

Before engaging any subprocessor, the following assessments are conducted:

  1. Security Assessment - Review of security certifications and practices
  2. Privacy Assessment - Review of privacy policy and data handling practices
  3. Contractual Review - Execution of Data Processing Agreement with GDPR-compliant terms
  4. Technical Assessment - Verification of encryption, access controls, and data protection measures

8.4 Subprocessor Changes

Data subjects will be informed of any changes to subprocessors that materially affect the processing of their personal data. A list of current subprocessors is maintained and available upon request.


9. International Data Transfers

9.1 Data Location

| Data Category | Primary Location | Backup Location |
|---|---|---|
| All Platform data | Austria, EU | Austria, EU |
| Email data | Austria, EU | N/A (self-hosted) |
| File storage | Austria, EU | Austria, EU |
| AI processing | Ireland, EU (OpenAI EU data residency) | N/A (zero retention) |

9.2 Transfer Mechanisms

Transfers within the EU/EEA

Data transfers between Monaco and EU Member States are conducted under the assumption of adequate protection. Monaco's adoption of Law 1.565 and ratification of Convention 108+ provides a framework aligned with GDPR standards.

Transfers to OpenAI

OpenAI processes data through their EU data residency feature:

  • Processing Location: Dublin, Ireland (EU)
  • Data Retention: Zero Data Retention (ZDR) - no data stored at rest
  • Transfer Mechanism: EU Standard Contractual Clauses (incorporated in OpenAI DPA)
  • Additional Safeguards: Data anonymisation before transmission, encryption in transit (TLS 1.2+)

Transfers to Third Countries

The Platform does not transfer personal data to countries outside the EU/EEA except as described above (OpenAI with EU data residency). Any future transfers would require:

  1. Adequacy decision by the European Commission, or
  2. Appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules), or
  3. Derogations for specific situations (explicit consent, contract necessity)

9.3 Data Localisation

All personal data is stored within the European Union:

  • Primary Database: Austria
  • File Storage: Austria
  • Email Server: Austria
  • Backups: Austria

This approach minimises international transfer complexities and ensures GDPR compliance.


10. Data Subject Rights

10.1 Overview of Rights

Under the GDPR and Monaco Law 1.565, data subjects have the following rights:

| Right | GDPR Article | Description |
|---|---|---|
| Right of Access | Art. 15 | The right to obtain confirmation of whether personal data is being processed and access to that data |
| Right to Rectification | Art. 16 | The right to have inaccurate personal data corrected and incomplete data completed |
| Right to Erasure | Art. 17 | The right to have personal data deleted in certain circumstances ("right to be forgotten") |
| Right to Restriction | Art. 18 | The right to restrict processing in certain circumstances |
| Right to Data Portability | Art. 20 | The right to receive personal data in a structured, commonly used, machine-readable format |
| Right to Object | Art. 21 | The right to object to processing based on legitimate interests or for direct marketing |
| Rights Related to Automated Decision-Making | Art. 22 | The right not to be subject to decisions based solely on automated processing with legal or significant effects |

10.2 Exercising Rights

10.2.1 How to Submit a Request

Data subjects may exercise their rights by:

  1. Email: gdpr@monaco-opc.com
  2. Platform: Profile → Settings → Privacy (where applicable)

10.2.2 Identity Verification

To protect personal data from unauthorised access, identity verification is required for all data subject requests:

  • Requests from registered email addresses may be verified through magic link authentication
  • Requests from other channels may require additional verification (e.g., copy of ID document)

10.2.3 Response Timeframes

| Request Type | Initial Response | Maximum Completion |
|---|---|---|
| Simple requests | 72 hours | 30 days |
| Complex requests | 72 hours | 90 days (with notification) |
| Rectification via Platform | Immediate | Immediate |

10.3 Right-Specific Procedures

10.3.1 Right of Access (Article 15)

Scope: Data subjects may request:

  • Confirmation of whether their data is processed
  • A copy of their personal data
  • Information about processing purposes, categories, recipients, retention, and rights

Procedure:

  1. Submit request to gdpr@monaco-opc.com
  2. Identity verification completed
  3. Data compiled within 30 days
  4. Data provided in commonly used electronic format (JSON or PDF)

Self-Service: Users can export their data via Profile → Settings → Export Data

10.3.2 Right to Rectification (Article 16)

Scope: Correction of inaccurate data or completion of incomplete data

Procedure:

  1. Self-service: Most data can be corrected via Profile → Settings → Edit Profile
  2. Supported: For data that cannot be self-corrected, submit request to gdpr@monaco-opc.com
  3. Corrections applied within 72 hours

10.3.3 Right to Erasure (Article 17)

Scope: Deletion of personal data where:

  • Data is no longer necessary for original purpose
  • Consent is withdrawn (where consent was the legal basis)
  • Data subject objects and no overriding legitimate grounds exist
  • Data was unlawfully processed
  • Legal obligation requires erasure

Exceptions: Erasure may be refused where processing is necessary for:

  • Compliance with legal obligations
  • Establishment, exercise, or defence of legal claims
  • Archiving in the public interest (Competition historical records)

Procedure:

  1. Submit request to gdpr@monaco-opc.com
  2. Identity verification completed
  3. Assessment of applicable exceptions
  4. If approved: Data deleted within 30 days
  5. Confirmation provided to data subject

Self-Service: Users can delete their account via Profile → Settings → Delete Account

Anonymisation Alternative: Where complete deletion is not possible due to legitimate retention needs, data will be anonymised so it can no longer be attributed to the data subject.

10.3.4 Right to Restriction (Article 18)

Scope: Restriction of processing where:

  • Accuracy of data is contested (during verification)
  • Processing is unlawful but erasure is not requested
  • Data is no longer needed but required for legal claims
  • Objection is pending verification

Procedure:

  1. Submit request to gdpr@monaco-opc.com
  2. Data marked as restricted
  3. Processing limited to storage only
  4. Data subject notified before restriction is lifted

10.3.5 Right to Data Portability (Article 20)

Scope: Receive personal data in structured, commonly used, machine-readable format where:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

Format: JSON file containing:

  • User profile data
  • Project submissions
  • Team memberships
  • Evaluation data (for jury members)

Procedure:

  1. Access via Profile → Settings → Export Data, or
  2. Submit request to gdpr@monaco-opc.com
  3. Data provided within 30 days

10.3.6 Right to Object (Article 21)

Scope: Object to processing based on legitimate interests

Procedure:

  1. Submit objection to gdpr@monaco-opc.com with specific grounds
  2. Assessment of compelling legitimate grounds
  3. Response within 30 days
  4. If objection upheld: Processing ceased
  5. If objection not upheld: Reasons provided

AI Processing: Data subjects may object to AI-assisted processing. In such cases:

  • Their projects will be excluded from AI filtering
  • Manual review will be conducted instead
  • This will not affect evaluation quality or fairness

10.3.7 Rights Related to Automated Decision-Making (Article 22)

Statement: The Platform does not make decisions based solely on automated processing that produce legal effects or similarly significantly affect data subjects.

All AI-assisted processes (filtering, assignment suggestions, eligibility determination) are:

  • Supportive recommendations only
  • Subject to human review and final decision
  • Not binding without human approval

Data subjects may request human review of any AI-assisted recommendation by contacting gdpr@monaco-opc.com.

10.4 Complaints

Data subjects have the right to lodge a complaint with the supervisory authority:

Autorité de Protection des Données Personnelles (APDP), Principality of Monaco

Data subjects are encouraged to contact gdpr@monaco-opc.com first to resolve any concerns directly.


11. Security Measures

11.1 Technical Measures

11.1.1 Encryption

| Layer | Measure | Standard |
|---|---|---|
| Data in Transit | TLS encryption for all connections | TLS 1.2 minimum, TLS 1.3 preferred |
| Data at Rest | Database encryption | AES-256 |
| File Storage | Encrypted object storage | AES-256 |
| Backups | Encrypted backup files | AES-256 |
| Secrets | Encrypted storage in database | AES-256 with application-level key |

11.1.2 Authentication and Access Control

| Measure | Implementation |
|---|---|
| Authentication | Passwordless magic link (primary), optional password |
| Session Management | Secure HTTP-only cookies, configurable expiry |
| Multi-Factor Authentication | Magic link serves as second factor (email possession) |
| Role-Based Access Control | Granular permissions by role (SUPER_ADMIN, PROGRAM_ADMIN, JURY_MEMBER, MENTOR, OBSERVER) |
| Principle of Least Privilege | Users only access data necessary for their role |
| API Authentication | Secure session tokens, CSRF protection |
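As an added example of the magic link mechanism in the table above and the 15-minute token lifetime stated in sections 4.1.4 and 12.2 (this is not the Platform's own implementation), the service below issues a random token, stores only its SHA-256 hash, enforces expiry and single use on redemption, and provides the purge step that implements "automatic expiration". The in-memory store, the injectable clock and the sample addresses are assumptions for the example.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example (not MOPC Platform code): single-use magic link tokens with
// the 15-minute lifetime this document states. Store, clock and addresses
// are constructed for the example.

const TOKEN_TTL_MS = 15 * 60 * 1000;

interface MagicLinkRecord {
  tokenHash: string;      // SHA-256 of the token; the raw token is never stored
  email: string;
  expiresAt: number;      // epoch milliseconds
  usedAt: number | null;  // set on first redemption; a second use is refused
}

class MagicLinkService {
  private readonly records = new Map<string, MagicLinkRecord>();

  // The clock is injectable so expiry can be exercised without waiting.
  constructor(private readonly now: () => number = Date.now) {}

  private static hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  // Returns the raw token to embed in the e-mailed link; only its hash is kept,
  // so a database read does not yield usable links.
  issue(email: string): string {
    const token = randomBytes(32).toString("base64url");
    const rec: MagicLinkRecord = {
      tokenHash: MagicLinkService.hash(token),
      email,
      expiresAt: this.now() + TOKEN_TTL_MS,
      usedAt: null,
    };
    this.records.set(rec.tokenHash, rec);
    return token;
  }

  // Returns the authenticated e-mail, or null for unknown, expired or reused tokens.
  redeem(token: string): string | null {
    const hash = MagicLinkService.hash(token);
    const rec = this.records.get(hash);
    if (!rec) return null;
    const t = this.now();
    if (rec.usedAt !== null || t > rec.expiresAt) {
      this.records.delete(hash);   // replay or expiry: discard the record
      return null;
    }
    rec.usedAt = t;
    return rec.email;
  }

  // Retention sweep: drop expired and consumed records (section 12.2,
  // "automatic expiration"). Returns how many were removed.
  purgeExpired(): number {
    const t = this.now();
    let removed = 0;
    for (const [key, rec] of this.records) {
      if (t > rec.expiresAt || rec.usedAt !== null) {
        this.records.delete(key);
        removed++;
      }
    }
    return removed;
  }

  get pending(): number {
    return this.records.size;
  }
}

// Walk-through with a fake clock: fresh redemption, replay, expiry, purge.
function magicLinkScenario(): {
  fresh: string | null; replay: string | null; purged: number; expired: string | null; pending: number;
} {
  let clock = 1_700_000_000_000;
  const svc = new MagicLinkService(() => clock);
  const t1 = svc.issue("jury@example.org");
  const fresh = svc.redeem(t1);            // "jury@example.org"
  const replay = svc.redeem(t1);           // null: single use
  const t2 = svc.issue("mentor@example.org");
  clock += TOKEN_TTL_MS + 1;               // 15 minutes have passed
  const purged = svc.purgeExpired();       // 1: t2 is past its lifetime
  const expired = svc.redeem(t2);          // null: record no longer exists
  return { fresh, replay, purged, expired, pending: svc.pending };
}
```

Hashing the token at rest means the table of outstanding links is not itself a set of valid credentials, and the purge is what gives the "15 minutes" in the retention table an enforcement point rather than leaving it as a statement of intent.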

11.1.3 Network Security

| Measure | Implementation |
|---|---|
| Firewall | Host-based firewall (iptables) restricting access |
| Rate Limiting | 100 requests/minute per IP for API; 10 requests/minute for auth endpoints |
| DDoS Protection | Network-level protection via hosting provider |
| HTTPS Only | All traffic encrypted; HTTP redirected to HTTPS |
| Security Headers | HSTS, X-Content-Type-Options, X-Frame-Options, CSP |
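The two rate limits in the table (100 requests/minute per IP for the API, 10 requests/minute for authentication endpoints) as an added example of a per-IP sliding-window limiter; this is not the Platform's own middleware. The `/api/auth/` path prefix used to classify requests, the injectable clock and the sample address are assumptions for the example.

```typescript
// Added example (not MOPC Platform code): per-IP sliding-window rate limiter
// with the limits from section 11.1.3. Route classification by path prefix,
// the clock parameter and the sample IP are constructed for the example.

type RouteClass = "api" | "auth";

const LIMITS: Record<RouteClass, { max: number; windowMs: number }> = {
  api: { max: 100, windowMs: 60_000 },
  auth: { max: 10, windowMs: 60_000 },
};

interface Decision {
  allowed: boolean;
  remaining: number;     // requests left in the window after this one
  retryAfterMs: number;  // 0 when allowed; otherwise when the oldest hit leaves the window
}

class SlidingWindowLimiter {
  // key "<class>:<ip>" -> timestamps of accepted requests within the window
  private readonly hits = new Map<string, number[]>();

  constructor(private readonly now: () => number = Date.now) {}

  // Auth endpoints get their own, smaller budget so login attempts cannot be
  // spread across the larger API allowance.
  static classify(path: string): RouteClass {
    return path.startsWith("/api/auth/") ? "auth" : "api";
  }

  check(ip: string, path: string): Decision {
    const cls = SlidingWindowLimiter.classify(path);
    const { max, windowMs } = LIMITS[cls];
    const t = this.now();
    const key = `${cls}:${ip}`;
    // Keep only hits still inside the window; this also bounds memory per key.
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > t - windowMs);
    if (recent.length >= max) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
  }
}

// Walk-through: twelve magic-link requests in twelve seconds from one address.
function rateLimitScenario(): {
  blockedAtAttempt: number; retryAfterMs: number; apiStillAllowed: boolean; allowedAfterWindow: boolean;
} {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(() => clock);
  const ip = "203.0.113.7";            // documentation-range address (constructed)
  let blockedAtAttempt = -1;
  let retryAfterMs = 0;
  for (let attempt = 1; attempt <= 12; attempt++) {
    clock = attempt * 1000;            // one request per second
    const d = limiter.check(ip, "/api/auth/magic-link");
    if (!d.allowed && blockedAtAttempt < 0) {
      blockedAtAttempt = attempt;      // 11: the auth budget is 10 per minute
      retryAfterMs = d.retryAfterMs;   // 50000: first hit at 1s leaves the window at 61s
    }
  }
  // The API budget for the same address is separate and untouched.
  const apiStillAllowed = limiter.check(ip, "/api/projects").allowed;
  clock = 61_000;                      // oldest auth hit has just left the window
  const allowedAfterWindow = limiter.check(ip, "/api/auth/magic-link").allowed;
  return { blockedAtAttempt, retryAfterMs, apiStillAllowed, allowedAfterWindow };
}
```

The `retryAfterMs` value is what a handler would return in a `Retry-After` header alongside a 429 response; a sliding window is used rather than a fixed window so that a burst straddling a minute boundary cannot double the effective limit.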

11.1.4 Application Security

| Measure | Implementation |
|---|---|
| Input Validation | Zod schema validation on all inputs |
| SQL Injection Prevention | Prisma ORM with parameterised queries |
| XSS Prevention | React's built-in escaping, Content Security Policy |
| CSRF Protection | SameSite cookies, JSON content type requirement |
| Dependency Scanning | Regular npm audit for vulnerable packages |
| Error Handling | Sanitised error messages (no sensitive data exposure) |

11.2 Organisational Measures

11.2.1 Access Management

| Measure | Implementation |
|---|---|
| Access Provisioning | Role-based, approved by administrator |
| Access Review | Quarterly review of user access rights |
| Access Revocation | Immediate upon role change or departure |
| Administrator Access | Limited to essential personnel |

11.2.2 Audit and Monitoring

| Measure | Implementation |
|---|---|
| Audit Logging | All sensitive actions logged with timestamp, user, IP |
| Log Retention | 12 months for security logs |
| Log Protection | Logs stored separately, access restricted |
| Monitoring | Automated alerts for suspicious activity |

11.2.3 Incident Response

| Phase | Activities |
|---|---|
| Preparation | Documented procedures, contact lists, tools ready |
| Detection | Monitoring, alerting, user reports |
| Containment | Isolate affected systems, preserve evidence |
| Eradication | Remove threat, patch vulnerabilities |
| Recovery | Restore services, verify integrity |
| Lessons Learned | Post-incident review, procedure updates |

11.3 Physical Security

The Platform is hosted on a private Virtual Private Server (VPS) located in Austria, EU. Physical security is managed by the hosting provider and includes:

  • Data centre physical access controls
  • Environmental controls (fire suppression, climate control)
  • Power redundancy
  • 24/7 security monitoring

11.4 Backup and Recovery

| Aspect | Implementation |
|---|---|
| Backup Frequency | Daily full backups |
| Backup Retention | 90 days |
| Backup Encryption | AES-256 encrypted |
| Backup Location | Same geographic region (Austria, EU) |
| Recovery Testing | Quarterly restore tests |
| Recovery Time Objective | 4 hours |
| Recovery Point Objective | 24 hours |

12. Data Retention Policy

12.1 Retention Principles

Data is retained only as long as necessary for the purposes for which it was collected, subject to legal retention requirements and legitimate archival needs.

12.2 Retention Periods

| Data Category | Retention Period | Basis | Post-Retention Action |
|---|---|---|---|
| Active User Accounts | Duration of account | Contract | Deletion or anonymisation on request |
| Inactive User Accounts | 2 years after last login | Legitimate Interests | Notification, then anonymisation |
| Project Submissions | 10 years from submission | Legitimate Interests (historical record) | Anonymisation |
| Evaluation Data | 10 years from evaluation | Legitimate Interests (audit trail) | Anonymisation |
| Team Member Data | 10 years from project submission | Legitimate Interests | Anonymisation |
| Audit Logs | 12 months | Legitimate Interests (security) | Automatic deletion |
| AI Usage Logs | 12 months | Legitimate Interests (cost tracking) | Automatic deletion |
| Session Data | Session duration | Contract | Automatic expiration |
| Magic Link Tokens | 15 minutes | Contract | Automatic expiration |
| Error Logs | 30 days | Legitimate Interests (debugging) | Automatic deletion |
| Backup Data | 90 days | Legitimate Interests (recovery) | Automatic rotation |

12.3 Retention Justification

10-Year Retention for Competition Data:

The Monaco Ocean Protection Challenge maintains historical records of competition entries for the following legitimate purposes:

  1. Historical Documentation: Maintaining a record of ocean conservation initiatives
  2. Impact Assessment: Tracking long-term outcomes of supported projects
  3. Alumni Network: Enabling ongoing community engagement
  4. Audit Requirements: Supporting organisational governance and accountability
  5. Legal Protection: Preservation for potential legal claims (Monaco's general prescription period)

After 10 years, data is anonymised and retained only in aggregate statistical form.

12.4 Anonymisation Process

When data reaches the end of its retention period:

  1. Personal Identifiers Removed:
    • Names replaced with "Anonymous"
    • Email addresses deleted
    • Phone numbers deleted
    • Team names generalised
  2. Content Preserved (Anonymised):
    • Project descriptions retained for historical record
    • Evaluation scores retained for statistical analysis
    • Geographic data retained at country level only
  3. Verification:
    • Anonymisation verified to ensure re-identification is not possible
    • Documented in anonymisation log

13. Cookies and Tracking Technologies

The Platform uses only essential cookies required for functionality. No tracking, advertising, or analytics cookies are used.

13.2 Essential Cookies

| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| authjs.session-token | User authentication session | Session / Configurable | Strictly Necessary |
| authjs.csrf-token | CSRF attack prevention | Session | Strictly Necessary |
| authjs.callback-url | Redirect after authentication | Session | Strictly Necessary |

13.3 Cookies Not Used

The Platform does not use:

  • Analytics cookies (Google Analytics, etc.)
  • Advertising cookies
  • Social media tracking cookies
  • Third-party cookies
  • Fingerprinting technologies
  • Tracking pixels

As only strictly necessary cookies are used, explicit cookie consent is not required under Article 5(3) of the ePrivacy Directive. Users are informed of cookie use in the Privacy Policy.


14. Data Protection Impact Assessments

14.1 DPIA Requirement

Data Protection Impact Assessments are conducted for processing activities that are likely to result in high risk to the rights and freedoms of natural persons, including:

  • Systematic and extensive evaluation of personal aspects (profiling)
  • Processing of special categories of data on a large scale
  • Systematic monitoring of publicly accessible areas
  • Use of new technologies

14.2 Completed DPIAs

14.2.1 AI-Assisted Processing DPIA

| Aspect | Assessment |
|---|---|
| Processing Activity | AI-powered filtering, assignment, eligibility, and matching |
| Risk Identified | Personal data exposure to third-party AI provider |
| Likelihood | Very Low (data is anonymised) |
| Severity | Low (even if exposed, data is anonymised) |
| Mitigation Measures | Full anonymisation before processing, EU data residency, zero data retention, no PII transmitted |
| Residual Risk | Very Low |
| Conclusion | Processing may proceed with implemented safeguards |

14.2.2 Large-Scale Evaluation Processing DPIA

| Aspect | Assessment |
|---|---|
| Processing Activity | Collection and processing of evaluation scores and comments |
| Risk Identified | Subjective opinions about projects/individuals |
| Likelihood | Low |
| Severity | Medium (could affect reputation if disclosed) |
| Mitigation Measures | Strict access controls, audit logging, evaluator confidentiality agreements |
| Residual Risk | Low |
| Conclusion | Processing may proceed with implemented safeguards |

14.2.3 File Upload Processing DPIA

| Aspect | Assessment |
|---|---|
| Processing Activity | Upload and storage of project documents, videos, images |
| Risk Identified | Sensitive content in uploaded files |
| Likelihood | Medium (users control uploads) |
| Severity | Medium |
| Mitigation Measures | Access controls, pre-signed URLs, file type restrictions, virus scanning |
| Residual Risk | Low-Medium |
| Conclusion | Processing may proceed with user guidance on appropriate content |

14.3 DPIA Review Schedule

DPIAs are reviewed:

  • Annually as part of compliance review
  • When significant changes to processing occur
  • When new technologies are introduced
  • Following any relevant security incident

15. Data Breach Notification Procedures

15.1 Definition of Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful:

  • Destruction of personal data
  • Loss of personal data
  • Alteration of personal data
  • Unauthorised disclosure of personal data
  • Unauthorised access to personal data

15.2 Breach Detection

Potential breaches may be detected through:

  • Automated security monitoring and alerting
  • User reports
  • Administrator observation
  • Third-party notification
  • Security audit findings

15.3 Breach Response Procedure

Phase 1: Identification and Containment (0-24 hours)

| Step | Action | Responsible |
|---|---|---|
| 1 | Confirm breach has occurred | IT Administrator |
| 2 | Contain the breach (isolate systems, revoke access) | IT Administrator |
| 3 | Preserve evidence | IT Administrator |
| 4 | Initial assessment of scope and severity | IT Administrator |
| 5 | Notify Data Protection Contact | IT Administrator |

Phase 2: Assessment (24-48 hours)

| Step | Action | Responsible |
|---|---|---|
| 6 | Identify affected data categories | Data Protection Contact |
| 7 | Identify number of affected individuals | Data Protection Contact |
| 8 | Assess risk to individuals | Data Protection Contact |
| 9 | Document findings | Data Protection Contact |
| 10 | Determine notification requirements | Data Protection Contact |

Phase 3: Notification (Within 72 hours of awareness)

Supervisory Authority Notification:

Required if the breach is likely to result in a risk to the rights and freedoms of natural persons.

| Element | Details |
|---|---|
| Authority | Autorité de Protection des Données Personnelles (APDP) |
| Timeframe | Within 72 hours of becoming aware |
| Content | Nature of breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed |

Data Subject Notification:

Required if the breach is likely to result in a high risk to rights and freedoms.

| Element | Details |
|---|---|
| Timeframe | Without undue delay |
| Method | Email to affected individuals |
| Content | Plain language description of breach, likely consequences, measures taken, recommendations for individuals, contact point |

Exception: Notification to data subjects is not required if:

  • Appropriate technical measures rendered data unintelligible (encryption)
  • Subsequent measures eliminate high risk
  • Individual notification would involve disproportionate effort (public communication alternative)

Phase 4: Remediation and Review (Post-incident)

| Step | Action | Responsible |
|---|---|---|
| 11 | Implement remediation measures | IT Administrator |
| 12 | Verify effectiveness of remediation | IT Administrator |
| 13 | Conduct post-incident review | Data Protection Contact |
| 14 | Update procedures as needed | Data Protection Contact |
| 15 | Complete breach register entry | Data Protection Contact |

15.4 Breach Register

All breaches, regardless of notification requirement, are documented in a breach register including:

  • Date and time of breach
  • Date and time of discovery
  • Nature of breach
  • Categories of data affected
  • Approximate number of data subjects affected
  • Likely consequences
  • Measures taken
  • Notification decisions and dates
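Added example (illustrative code for this document, not the Platform's own tooling): the notification decision of Phase 3 and the breach register entry of 15.4 as functions. `notificationPlan` turns an assessed breach into the set of required notifications, with the 72-hour deadline computed from the moment of awareness and the three exceptions to data subject notification applied; `registerEntry` records every breach whether or not anything is notified. The risk levels, field names and the sample breach are assumptions; the sample is constructed, not an actual incident.

```typescript
// Added example, not MOPC project code.

type RiskLevel = "none" | "risk" | "high"; // outcome of step 8 (assess risk to individuals)

interface BreachAssessment {
  occurredAt: string;                      // ISO timestamp of the breach
  awareAt: string;                         // ISO timestamp the controller became aware; starts the 72h clock
  riskToIndividuals: RiskLevel;
  dataUnintelligible: boolean;             // exception 1: e.g. encrypted, keys not compromised
  highRiskEliminated: boolean;             // exception 2: subsequent measures removed the high risk
  individualNoticeDisproportionate: boolean; // exception 3: public communication instead
  nature: string;
  dataCategories: string[];
  affectedCount: number;
  likelyConsequences: string;
  measuresTaken: string[];
}

type Recipient = "supervisory_authority" | "data_subjects" | "public_communication";

interface BreachNotification {
  recipient: Recipient;
  deadline: string | null; // ISO timestamp, or null for "without undue delay"
}

const SEVENTY_TWO_HOURS_MS = 72 * 60 * 60 * 1000;

function notificationPlan(b: BreachAssessment): BreachNotification[] {
  const plan: BreachNotification[] = [];
  // No risk to individuals: register entry only, nothing to notify.
  if (b.riskToIndividuals === "none") return plan;
  // Any risk: supervisory authority (APDP) within 72 hours of awareness.
  plan.push({
    recipient: "supervisory_authority",
    deadline: new Date(Date.parse(b.awareAt) + SEVENTY_TWO_HOURS_MS).toISOString(),
  });
  // High risk: data subjects as well, unless an exception applies.
  if (b.riskToIndividuals !== "high") return plan;
  if (b.dataUnintelligible || b.highRiskEliminated) return plan;
  plan.push({
    recipient: b.individualNoticeDisproportionate ? "public_communication" : "data_subjects",
    deadline: null,
  });
  return plan;
}

// Hours left on the 72-hour clock at `now`; negative means the window has passed.
function hoursRemaining(awareAt: string, now: Date): number {
  return (Date.parse(awareAt) + SEVENTY_TWO_HOURS_MS - now.getTime()) / 3_600_000;
}

// Breach register entry (15.4). Every breach gets one, regardless of outcome.
interface BreachRegisterEntry {
  occurredAt: string;
  discoveredAt: string;
  nature: string;
  dataCategories: string[];
  affectedCount: number;
  likelyConsequences: string;
  measuresTaken: string[];
  notifications: BreachNotification[];
  decidedAt: string;
}

function registerEntry(b: BreachAssessment, decidedAt: Date): BreachRegisterEntry {
  return {
    occurredAt: b.occurredAt,
    discoveredAt: b.awareAt,
    nature: b.nature,
    dataCategories: b.dataCategories,
    affectedCount: b.affectedCount,
    likelyConsequences: b.likelyConsequences,
    measuresTaken: b.measuresTaken,
    notifications: notificationPlan(b),
    decidedAt: decidedAt.toISOString(),
  };
}

// Constructed sample breach (not an actual incident).
function sampleBreach(overrides: Partial<BreachAssessment> = {}): BreachAssessment {
  return {
    occurredAt: "2026-02-09T22:15:00Z", awareAt: "2026-02-10T09:00:00Z",
    riskToIndividuals: "high", dataUnintelligible: false, highRiskEliminated: false,
    individualNoticeDisproportionate: false,
    nature: "Unauthorised access to evaluator accounts", dataCategories: ["contact details", "evaluation comments"],
    affectedCount: 120, likelyConsequences: "Disclosure of evaluator opinions",
    measuresTaken: ["Sessions revoked", "Credentials rotated"],
    ...overrides,
  };
}
```

The clock starts at awareness, not at occurrence, which is why `awareAt` and `occurredAt` are recorded separately; the gap between the two is itself a finding for the post-incident review.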

16. Training and Awareness

16.1 Training Programme

All personnel with access to personal data receive training on:

| Topic | Frequency | Audience |
|---|---|---|
| Data protection principles | Onboarding + Annual | All staff |
| Platform-specific data handling | Onboarding | All staff |
| Security awareness | Annual | All staff |
| Breach identification and reporting | Annual | All staff |
| Data subject rights handling | Annual | Administrators |
| DPIA methodology | As needed | Data Protection Contact |

16.2 Awareness Activities

  • Privacy notices displayed at data collection points
  • Regular reminders about data handling practices
  • Updates on regulatory changes
  • Incident lessons learned (anonymised)

17. Documentation and Records

17.1 Records of Processing Activities (Article 30)

A record of processing activities is maintained including:

  • Controller/processor contact details
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Transfers to third countries
  • Retention periods
  • Security measures

17.2 Document Retention

| Document | Retention Period |
|---|---|
| Records of Processing Activities | Duration of processing + 5 years |
| DPIAs | Duration of processing + 5 years |
| Data Subject Request Records | 5 years from resolution |
| Breach Register | 5 years from incident |
| Consent Records | Duration of processing + 5 years |
| Training Records | 5 years from training date |

18. Contact Information

18.1 Data Protection Contact

Email: gdpr@monaco-opc.com

This is the primary contact for:

  • Data subject rights requests
  • Privacy inquiries
  • Breach notifications
  • Complaints

18.2 Supervisory Authority

Autorité de Protection des Données Personnelles (APDP), Principality of Monaco

Website: [To be confirmed - APDP is newly established]

18.3 Joint Controller Contacts

Inquiries may also be directed to any of the joint controllers:

  • International University of Monaco
  • Oceanographic Institute
  • Prince Albert I of Monaco Foundation
  • Monaco Impact
  • Prince Albert II of Monaco Foundation

However, gdpr@monaco-opc.com is the central point of contact and the most efficient route for any inquiry.


19. Document Control

19.1 Version History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | January 2025 | - | Initial version |
| 2.0 | February 2026 | - | Comprehensive revision: Added definitions, updated Monaco legal framework (Law 1.565, APDP), detailed all GDPR articles, expanded security measures, added DPIAs |

19.2 Review Schedule

This document is reviewed:

  • Annually (minimum)
  • Following significant regulatory changes
  • Following significant changes to processing activities
  • Following security incidents

19.3 Approval

| Role | Name | Date |
|---|---|---|
| Document Owner | [TBD] | [TBD] |
| Approved By | [TBD] | [TBD] |

Appendices