Loi 1.565 vs GDPR for Marketing Operators in Monaco: A Practical Compliance Guide

Monaco is not in the European Union. It is not in the European Economic Area. The General Data Protection Regulation (GDPR) does not apply directly to data processing carried out on Monégasque soil. What does apply is Loi n° 1.565 du 3 décembre 2024 relative à la protection des données personnelles — the law that replaced the older Loi 1.165 in late 2024 and brought Monaco's data protection regime closer to, but not identical with, the GDPR.

For marketing operators — agencies, in-house teams, freelancers running campaigns into Monaco — this distinction matters. A standard "GDPR cookie banner" will not, on its own, satisfy Loi 1.565. A consent management platform tuned for EU jurisdictions will not, on its own, satisfy the APDP (Autorité de protection des données personnelles) inspection criteria. And the cross-border data transfer rules that govern your CRM, your ad platforms, your analytics, and your email service provider operate under different legal premises in Monaco than in France.

This guide is the practical version. It is not a legal opinion, and it is not a substitute for advice from a Monaco-licensed attorney. What it does is name the gaps a marketing operator will encounter when moving from a pure-GDPR mental model to a Loi 1.565 operational reality, and the controls that close them.

What Loi 1.565 actually is

Loi 1.565 was promulgated on 3 December 2024 and replaces the earlier Loi 1.165 of 1993 (which had been amended several times, most significantly in 2008 and 2021). The new law restructures Monaco's data protection regime around principles that are recognisably aligned with the GDPR: lawful basis for processing, data subject rights, data minimisation, accountability, security obligations, breach notification, and a competent supervisory authority.

The supervisory authority is the APDP. Its powers under Loi 1.565 include investigation, on-site inspection, the issuance of binding decisions, and the imposition of administrative sanctions. The APDP also operates a public registry of data processing declarations, and certain categories of processing — including a number that touch marketing operations directly — require prior authorisation rather than the simple notification model that EU operators may be familiar with from pre-GDPR days.

What this means in practice: in Monaco, the question is not just "do we have a lawful basis?" The question is also "do we have the right APDP filing on the books for this processing activity?" The two questions can have different answers.

Where Loi 1.565 and GDPR converge

The convergence is meaningful. Marketing operators familiar with GDPR will find the foundational concepts intact:

• Lawful basis requirement. Processing personal data still requires a defined legal ground — consent, contract, legal obligation, vital interests, public task, or legitimate interests. The list overlaps almost entirely with GDPR Article 6.
• Data subject rights. Access, rectification, erasure, restriction, portability, and objection are all preserved. The procedures and time limits are broadly comparable.
• Special categories of data. Health, ethnic origin, political opinions, religious beliefs, sexual orientation, and biometric data carry heightened restrictions, paralleling GDPR Article 9.
• Breach notification. Personal data breaches likely to result in a risk to data subjects must be notified to the APDP without undue delay.
• Accountability and documentation. Data controllers must be able to demonstrate compliance — meaning records of processing, impact assessments where relevant, and contractual safeguards with processors.

If you have a working GDPR programme, roughly 70–80% of the operational machinery — privacy notices, data inventory, processor contracts, data subject request handling, breach response — transfers directly. The remaining 20–30% is where Monaco-specific work begins.

Where Loi 1.565 and GDPR diverge — and why it matters for marketing

Cross-border data transfers

This is the largest practical gap. Under GDPR, transfers from an EU controller to a country outside the EU/EEA require an "adequate" jurisdiction or an appropriate transfer mechanism (Standard Contractual Clauses, Binding Corporate Rules, etc.). Monaco was found adequate by the European Commission in 2010, meaning EU-to-Monaco transfers can flow under that adequacy decision.

Monaco-to-elsewhere transfers, however, run on Loi 1.565's own framework. The law distinguishes between transfers to states that Monaco recognises as offering an "adequate level of protection" (a list maintained and updated by the APDP) and transfers to other states. For other states, the controller must rely on contractual safeguards approved or recognised by the APDP, on explicit consent of the data subject, or on a narrow set of derogations.

For marketing operators, this typically affects:

• US-hosted marketing platforms — HubSpot, Salesforce, Mailchimp, Klaviyo, Active Campaign. Transfers from a Monaco controller to a US processor require a recognised mechanism, even when the platform is GDPR-certified, because GDPR certification is not, in itself, sufficient under Loi 1.565.
• Ad platforms with global routing — Meta Ads, Google Ads, LinkedIn Ads. Custom Audiences and Lookalike Audiences raise transfer questions because the target identifiers move into the platform's global processing infrastructure.
• Analytics and tag management — Google Analytics 4, Google Tag Manager, Hotjar, FullStory. The IP-truncation and IP-anonymisation features that defused some GDPR concerns do not, on their own, resolve the Loi 1.565 transfer analysis.

The remediation pattern is operational: maintain an explicit transfer register, ensure each marketing platform contract carries the appropriate Loi 1.565 transfer language (typically alongside the EU SCCs the vendor will already offer), and, for processing activities subject to prior authorisation, file the corresponding declaration with the APDP before the activity goes live.

Consent — what "valid" looks like

The substance of consent under Loi 1.565 mirrors GDPR closely: freely given, specific, informed, and demonstrated by an affirmative act. The granularity expectations also align. Where the divergence shows up is in the documentation burden for marketing-driven consent flows.

The APDP's enforcement posture, drawing on its inspection powers under Articles 51–58 of the law, is to expect marketing controllers to be able to produce, on request:

• The exact wording presented to the data subject at the moment of consent
• The version history of that wording, with timestamps
• The technical logs showing the affirmative act (the click, the form submission)
• The scope of consent obtained — for which purposes, which channels, which third parties
• The withdrawal mechanism, with logs demonstrating that withdrawals are processed in the same window as the original consent capture

For most marketing operators running EU-style consent management platforms, items 1–4 are typically already in place. Item 5 — withdrawal logging at the same fidelity as consent capture — is where audits routinely surface gaps. A consent banner that records "user accepted" without a corresponding withdrawal-event log fails the Loi 1.565 demonstration test even when it would pass a casual GDPR audit.

Direct marketing, prospecting, and the email-vs-postal distinction

Loi 1.565 preserves the longstanding Monégasque distinction between commercial prospecting by electronic means (which generally requires opt-in consent unless a soft-opt-in carve-out applies for existing customers and similar products) and postal commercial prospecting (which can typically rely on legitimate interests with a clear opt-out). The distinction maps closely to the EU ePrivacy regime, but with two practical differences:

1. The soft-opt-in carve-out is narrower in Monaco than in some EU member states. Operators relying on the carve-out should document the chain explicitly: how the existing customer relationship was established, what "similar products" the prospecting covers, and how the unsubscribe mechanism was presented at every previous communication.
2. SMS and WhatsApp prospecting are treated as electronic prospecting by the APDP, including for B2B audiences in many configurations. Operators running B2B SMS or WhatsApp campaigns into Monaco should not assume the looser B2B email regime extends to those channels.

Sector-specific overlays — finance, healthcare, real estate

For marketing operators serving regulated sectors in Monaco, Loi 1.565 sits inside a stack of sector rules. The most operationally relevant for marketing are:

• Finance and private banking. Loi 1.338 of 2008, the AML/CFT framework, and the prudential regime supervised by the CCAF restrict what can be communicated about specific products to whom. MiFID II equivalence applies for investment-firm communications: marketing materials for investment products and services must satisfy the suitability, fair-clear-not-misleading, and target-market disclosures that MiFID II imposes.
• Healthcare and aesthetic medicine. Advertising of medical procedures is restricted by the Code de la santé publique provisions applicable in Monaco. Before-and-after imagery, comparative claims, and price advertising for medical acts carry tight constraints.
• Real estate. The Loi 1.328 of 2007 regime governs estate-agent communications. Listing presentation, fee disclosure, and the wording of off-plan sale advertising are all directly affected.

Marketing operators planning campaigns into these sectors should treat the sector overlay as the dominant layer and Loi 1.565 as the foundation. Compliance with one without the other does not produce a compliant campaign.

The APDP filing question

Loi 1.565 distinguishes between processing activities subject to simple notification, processing subject to prior authorisation, and processing exempt from declaration. The classification depends on the nature of the data, the purposes, and certain operational characteristics (volume of data subjects, cross-border transfers, automated decision-making, profiling).

Common marketing scenarios that typically trigger prior authorisation requirements:

• Processing of personal data for behavioural profiling that affects access to a service or the conditions of an offer
• Processing involving systematic large-scale evaluation of personal aspects (lookalike modelling at scale, predictive lead scoring on sensitive populations)
• Combining datasets in ways that may reveal special categories of data by inference (e.g., merging health-adjacent product preferences with location-of-residence data)
• Cross-border transfers to a state not on the APDP's adequate-protection list, where consent or a contractual mechanism is being relied on

The current APDP approach favours engagement before activation: filing an authorisation request is rarely instant, and operators who launch campaigns before completing the filing expose themselves to enforcement risk. The recommended posture for marketing teams is to map every campaign's processing footprint at scoping, identify activities likely to require authorisation, and time the filings into the campaign launch plan.

A practical compliance checklist

The framework below covers the marketing operations most likely to encounter Loi 1.565 questions in the first 90 days of an engagement. It is not exhaustive, and each line should be validated against the specific facts of your programme.

1. Map your data flows. For every marketing system in your stack, document the data fields collected, the lawful basis, the storage location, the cross-border transfer chain, and the retention period. The output is a data flow inventory — the foundational accountability document under Loi 1.565.
2. Audit your consent UX. Capture the exact wording, version-control it, log affirmative acts and withdrawals at the same fidelity, and ensure the withdrawal path is presented in every subsequent communication.
3. Verify your transfer mechanisms. For each non-Monaco, non-adequate-list processor, identify the contractual mechanism in force. Verify it covers Loi 1.565 obligations, not just GDPR or HIPAA equivalents.
4. Cross-reference your APDP filings. List every processing activity. For each, identify whether it requires simple notification, prior authorisation, or no filing. Reconcile against existing filings; close gaps before activating new campaigns.
5. Layer the sector regime. If you operate in finance, healthcare, real estate, gambling, or any regulated sector, identify the sector-specific marketing rules and document how each campaign satisfies them. The marketing-ops audit should produce, for each campaign, a matrix mapping campaign elements to sector requirements.
6. Establish data subject request handling. A documented workflow with owners, time limits aligned with Loi 1.565, and audit logs. The same machinery you would use for GDPR works here, but the calendar and the regulator are different.
7. Define your breach response. Who detects, who decides, who notifies the APDP, in what time frame, with what content. Tabletop the workflow before you need it.
8. Document everything. Loi 1.565 is, like GDPR, an accountability regime. Without contemporaneous documentation, the absence of a violation can be hard to demonstrate.

Where this stops — and where legal counsel begins

This guide is a marketing-operations framework, not a legal opinion. The specific application of Loi 1.565 to your business depends on facts that vary case by case: the structure of your group, the locations of your data subjects, the chain of processors, the categories of data, the marketing channels in use, and the regulated sectors involved.

For any binding determination — whether a specific filing is required, whether a specific transfer mechanism is sufficient, how to scope a particular campaign within sector constraints — engagement with a Monaco-licensed attorney is the right next step. The marketing-operations work this guide describes complements legal counsel; it does not replace it.

How Monaco Creative approaches this

Monaco Creative is, to our knowledge, the only marketing operator in Monaco that publishes a fixed-price audit specifically scoped to Loi 1.565 / APDP / MiFID II / sector marketing rules. The Monaco Marketing Compliance Audit is a 30-day engagement at €5–15k (depending on scope) that produces a written audit covering the seven marketing-operations domains most likely to surface Loi 1.565 questions, plus an explicit recommendation that any binding compliance certification proceed via legal counsel.

The audit is not a legal opinion. It is a marketing-operations review that gives you the operational map and the documented filings to walk into a legal review with substantive material rather than a blank slate. For most marketing teams operating into Monaco, this is the cheapest and fastest way to surface the gaps before they become enforcement events.

The methodology behind the audit is the same crawler-driven, public-data approach that powers our Monaco Digital Benchmark — published quarterly under a CC BY 4.0 licence so the work is reproducible and citable.

If you operate marketing programmes into Monaco and want a scoping conversation, the 30-minute scoping call is free. The audit pricing is fixed before you commit. The deliverable lands within 30 days of kickoff.

Last reviewed: 2026-05-08. Loi 1.565 was promulgated on 3 December 2024 and entered into force progressively through 2025. APDP guidance continues to evolve; consult current APDP publications and Monaco-licensed counsel before relying on this guide for any specific compliance determination.