Request for an opinion | Doc. 14389 | 30 August 2017

Draft Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its explanatory report

Author(s): Committee of Ministers

1. Letter from the Chair of the Ministers’ Deputies to the President of the Parliamentary Assembly (Strasbourg, 6 July 2017)

Mr President,

At their 1291st meeting (5 July 2017), the Ministers’ Deputies agreed to transmit the draft Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its draft Explanatory Report, as they appear in documents CM(2016)123-prov4 (see also GR-J(2016)14-rev4) and CM(2016)123-addrev7, to the Parliamentary Assembly and invited the Assembly to give its opinion on the draft Convention as soon as possible.

Please find enclosed the draft Protocol and, for information, its draft Explanatory Report, along with a consolidated version of Convention No. 108 as amended.

I would point out that, in the draft Protocol, and in the accompanying texts, some paragraphs are highlighted as “under examination”, as the negotiations on these provisions have not yet been finalised by the Committee of Ministers. Nevertheless, considering the importance of this draft treaty and the need to reach a decision as soon as possible, the Committee of Ministers believed that it was important to consult the Parliamentary Assembly at this stage of the discussion.

The paragraphs highlighted “under examination” may be found in Article 14, Article 17, paragraph 2, Article 29, paragraphs 3 and 4, Article 30, paragraph 2, and Article 35, paragraphs 3 and 4. The relevant provisions may be found in Article 9, paragraph 3, Article 12, paragraph 1, Article 20, paragraphs 3, 4 and 8, Article 21, paragraph 7, and the final clauses regarding signature and entry into force, paragraphs 3 and 4, of the consolidated version of the draft Convention.

On behalf of the Ministers’ Deputies, I would like to thank you in advance for your attention to this matter.

I look forward to receiving the Assembly’s opinion.

…

[signed]

Emil Ruffer, Chair of the Ministers’ Deputies

Appendix 1 – Draft Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108)

(open)

Preamble

The member States of the Council of Europe and the other Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature in Strasbourg on 28 January 1981 (hereinafter referred to as “the Convention”),

Having regard to Resolution No. 3 on data protection and privacy in the third millennium adopted at the 30th Council of Europe Conference of Ministers of Justice (Istanbul, Turkey, 24-26 November 2010);

Having regard to Resolution 1843 (2011) of the Parliamentary Assembly of the Council of Europe on “The protection of privacy and personal data on the Internet and online media” and Resolution 1986 (2014) on “Improving user protection and security in cyberspace”;

Having regard to Opinion No. … adopted by the Parliamentary Assembly of the Council of Europe on … …;

Considering that new challenges to the protection of individuals with regard to the processing of personal data have emerged since the Convention was adopted;

Considering the need to ensure that the Convention continues to play its pre-eminent role in protecting individuals with regard to the processing of personal data, and more generally in protecting human rights and fundamental freedoms,

Have agreed as follows:

Article 1

1. The third recital of the Preamble of the Convention shall be replaced by the following:

“Considering that it is necessary to secure the human dignity and protection of the human rights and fundamental freedoms of every individual and, given the diversification, intensification and globalisation of data processing and personal data flows, personal autonomy based on a person’s right to control his or her personal data and the processing of such data;”

2. The fourth recital of the Preamble of the Convention shall be replaced by the following:

“Recalling that the right to protection of personal data is to be considered in respect of its role in society and that it has to be reconciled with other human rights and fundamental freedoms, including freedom of expression;”

3. The following recital shall be added after the fourth recital of the Preamble of the Convention:

“Considering that this Convention permits account to be taken, in the implementation of the rules laid down therein, of the principle of the right of access to official documents;”

4. The fifth recital of the Preamble of the original Convention shall be deleted. New sixth and seventh recitals shall be added, which read as follows:

“Recognising that it is necessary to promote at the global level the fundamental values of respect for privacy and protection of personal data, thereby contributing to the free flow of information between peoples;”

“Recognising the interest of a reinforcement of international co-operation between the Parties to the Convention;”

Article 2

The text of Article 1 of the Convention shall be replaced by the following:

“The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.”

Article 3

1. Littera b of Article 2 of the Convention shall be replaced by the following:

“b. “data processing” means any operation, or set of operations, which is performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data;”

2. Littera c of Article 2 of the Convention shall be replaced by the following:

“c. where automated processing is not used, data processing means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria;”

3. Littera d of Article 2 of the Convention shall be replaced by the following:

“d. “controller” means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has the decision-making power with respect to data processing;”

4. The following new litterae shall be added after littera d of Article 2 of the Convention:

“e. “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available;

f. “processor” means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.”

Article 4

1. Paragraph 1 of Article 3 of the Convention shall be replaced by the following:

“1. Each Party undertakes to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.”

2. Paragraph 2 of Article 3 of the Convention shall be replaced by the following:

“2. This Convention shall not apply to data processing carried out by an individual in the course of purely personal or household activities.”

3. Paragraphs 3 to 6 of Article 3 of the Convention shall be deleted.

Article 5

The title of Chapter II of the Convention shall be changed to the following:

“Chapter II – Basic principles for the protection of personal data”.

Article 6

1. Paragraph 1 of Article 4 of the Convention shall be replaced by the following:

“1. Each Party shall take the necessary measures in its law to give effect to the provisions of this Convention and secure their effective application.”

2. Paragraph 2 of Article 4 of the Convention shall be replaced by the following:

“2. These measures shall be taken by each Party and shall have come into force by the time of ratification or accession to this Convention.”

3. A new paragraph shall be added after paragraph 2 of Article 4 of the Convention:

“3. Each Party undertakes:

a. to allow the Convention Committee provided for in Chapter VI to evaluate the effectiveness of the measures it has taken in its law to give effect to the provisions of this Convention; and

b. to contribute actively to this evaluation process.”

Article 7

1. The title of Article 5 shall be changed to the following:

“Article 5 – Legitimacy of data processing and quality of data”.

2. The text of Article 5 of the Convention shall be replaced by the following:

“1. Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.

2. Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the date subject or of some other legitimate basis laid down by law.

3. Personal data undergoing processing shall be processed lawfully.

4. Personal data undergoing processing shall be:

a. processed fairly and in a transparent manner;

b. collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, subject to appropriate safeguards, compatible with those purposes;

c. adequate, relevant and not excessive in relation to the purposes for which they are processed;

d. accurate and, where necessary, kept up to date;

e. preserved in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which those data are processed.”

Article 8

The text of Article 6 of the Convention shall be replaced by the following:

“1. The processing of:

– genetic data;

– personal data relating to offences, criminal proceedings and convictions, and related security measures;

– biometric data uniquely identifying a person;

– personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade union membership, religious or other beliefs, health or sexual life;

shall only be allowed where appropriate safeguards are enshrined in law, complementing those of this Convention.

2. Such safeguards shall guard against the risks that the processing of such sensitive data may present for the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.”

Article 9

The text of Article 7 of the Convention shall be replaced by the following:

“1. Each Party shall provide that the controller, and where applicable the processor, takes appropriate security measures against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data.

2. Each Party shall provide that the controller shall notify, without delay, at least the competent supervisory authority within the meaning of Article 15 of this Convention, of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.”

Article 10

A new Article 8 shall be added after Article 7 of the Convention as follows:

“Article 8 – Transparency of processing

1. Each Party shall provide that the controller informs the data subjects of:

a. the controller’s identity and habitual residence or establishment;

b. the legal basis and the purposes of the intended processing;

c. the recipients or categories of recipients of the personal data, if any; and

d. the means of exercising the rights set out in Article 9;

as well as any necessary additional information in order to ensure fair and transparent processing of the personal data.

2. Paragraph 1 shall not apply where the data subject already has the relevant information.

3. Where the personal data are not collected from the data subjects, the controller shall nonetheless not be required to provide such information where the processing is expressly prescribed by law or this proves to be impossible or involves disproportionate efforts.”

Article 11

1. Article 8 will be renumbered to Article 9 of the Convention and the title shall be changed to the following:

“Article 9 – Rights of the data subject”.

2. The text of the original Article 8 of the Convention shall be replaced by the following:

“1. Every individual shall have a right:

a. not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;

b. to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her; the communication in an intelligible form of the data processed; all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;

c. to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;

d. to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;

e. to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being or have been processed contrary to the provisions of this Convention;

f. to have a remedy under Article 12 where his or her rights under this Convention have been violated;

g. to benefit, whatever his or her nationality or residence, from the assistance of a supervisory authority within the meaning of Article 15, in exercising his or her rights under this Convention.

2. Paragraph 1.a shall not apply if the decision is authorised by a law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.”

Article 12

A new Article 10 shall be added after the new Article 9 of the Convention as follows:

“Article 10 – Additional obligations

1. Each Party shall provide that controllers and, where applicable, processors take all appropriate measures to comply with the obligations of this Convention and be able to demonstrate, in particular to the competent supervisory authority provided for in Article 15, that the data processing under their control is in compliance with the provisions of this Convention.

2. Each Party shall provide that controllers and, where applicable, processors, examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.

3. Each Party shall provide that controllers, and, where applicable, processors, implement technical and organisational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing.

4. Each Party may, having regard to the risks arising for the interests, rights and fundamental freedoms of the data subjects, adapt the application of the provisions of paragraphs 1, 2 and 3 in the law giving effect to the provisions of this Convention, according to the nature and volume of the data, the nature, scope and purpose of the processing and, where appropriate, the size of the controller or processor.”

Article 13

Articles 9 to 12 of the original Convention shall be renumbered to Articles 11 to 14 of the Convention.

Article 14

The text of the original Article 9 of the Convention (new Article 11) shall be replaced by the following:

“1. No exception to the provisions set out in this chapter shall be allowed except to the provisions of Articles 5, paragraph 4, 7, paragraph 2, 8, paragraph 1 and Article 9 when such an exception is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for:

a. the protection of national security, defence, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest;

b. the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression.

2. Restrictions on the exercise of the provisions specified in Articles 8 and 9 may be provided for by law with respect to data processing archiving purposes in the public interest, scientific or historical research purposes or statistical purposes when there is no recognisable risk of infringement of the rights and fundamental freedoms of data subjects.

3. Under examination.

Article 15

The text of the original Article 10 of the Convention (new Article 12) shall be replaced by the following:

“Each Party undertakes to establish appropriate judicial and non-judicial sanctions and remedies for violations of the provisions of this Convention.”

Article 16

The title of Chapter III shall be changed to the following:

“Chapter III – Transborder flows of personal data”.

Article 17

1. The title of the original Article 12 of the Convention shall be changed to the following:

“Article 14 – Transborder flows of personal data”.

2. The text of the original Article 12 of the Convention (new Article 14) shall be replaced by the following:

“1. Under examination.

2. When the recipient is subject to the jurisdiction of a State or international organisation which is not Party to this Convention, the transfer of personal data may only take place where an appropriate level of protection based on the provisions of this Convention is secured.

3. An appropriate level of protection can be secured by:

a. the law of that State or international organisation, including the applicable international treaties or agreements; or

b. ad hoc or approved standardised safeguards provided by legally binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.

4. Notwithstanding the provisions of the previous paragraphs, each Party may provide that the transfer of personal data may take place if:

a. the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; or

b. the specific interests of the data subject require it in the particular case; or

c. prevailing legitimate interests, in particular important public interests, are provided for by law and the transfer constitutes a necessary and proportionate measure in a democratic society; or

d. it constitutes a necessary and proportionate measure in a democratic society for freedom of expression.

5. Each Party shall provide that the competent supervisory authority, within the meaning of Article 15 of this Convention, is provided with all relevant information concerning the transfers of data referred to in paragraph 3 littera b and, upon request, paragraph 4 litterae b and c.

6. Each Party shall also provide that the supervisory authority is entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject to conditions such transfers.”

3. The text of the original Article 12 of the Convention (new article 14) includes the provisions of the Article of the additional Protocol of 2001 (ETS No. 181) on transborder flows of personal data to a recipient which is not subject to the jurisdiction of a Party to the Convention (Article 2 of the additional Protocol).

Article 18

A new Chapter IV shall be added after Chapter III of the Convention, as follows:

“Chapter IV – Supervisory authorities”.

Article 19

A new Article 15 includes the provisions of the Article of the additional Protocol of 2001 (ETS No.181) on supervisory authorities (Article 1 of the additional Protocol) and reads as follows:

“Article 15 – Supervisory authorities

1. Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the provisions of this Convention.

2. To this end, such authorities:

a. shall have powers of investigation and intervention;

b. shall perform the functions relating to transfers of data provided for under Article 14, notably the approval of standardised safeguards;

c. shall have powers to issue decisions with respect to violations of the provisions of this Convention and may, in particular, impose administrative sanctions;

d. shall have the power to engage in legal proceedings or to bring to the attention of the competent judicial authorities violations of the provisions of this Convention;

e. shall promote:

i. public awareness of their functions and powers, as well as their activities;

ii. public awareness of the rights of data subjects and the exercise of such rights;

iii. awareness of controllers and processors of their responsibilities under this Convention;

specific attention shall be given to the data protection rights of children and other vulnerable individuals.

3. The competent supervisory authorities shall be consulted on proposals for any legislative or administrative measures which provide for the processing of personal data.

4. Each competent supervisory authority shall deal with requests and complaints lodged by data subjects concerning their data protection rights and shall keep data subjects informed of progress.

5. The supervisory authorities shall act with complete independence and impartiality in performing their duties and exercising their powers and in doing so shall neither seek nor accept instructions.

6. Each Party shall ensure that the supervisory authorities are provided with the resources necessary for the effective performance of their functions and exercise of their powers.

7. Each supervisory authority shall prepare and publish a periodical report outlining its activities.

8. Members and staff of the supervisory authorities shall be bound by obligations of confidentiality with regard to confidential information they have access to or have had access to in the performance of their duties and exercise of their powers.

9. Decisions of the supervisory authorities may be appealed against through the courts.

10. In accordance with the provisions of Chapter V, the supervisory authorities shall co-operate with one another to the extent necessary for the performance of their duties and exercise of their powers, in particular by:

a. providing mutual assistance by exchanging relevant and useful information and co‑operating with each other under the condition that, as regards the protection of personal data, all the rules and safeguards of this Convention are complied with;

b. co-ordinating their investigations or interventions, or conducting joint actions;

c. providing information and documentation on their law and administrative practice relating to data protection.

11. The information referred to in paragraph 10 littera a shall not include personal data undergoing processing unless such data are essential for co-operation, or where the data subject concerned has given explicit, specific, free and informed consent to its provision.

12. In order to organise their co-operation and to perform the duties set out in the preceding paragraphs, the supervisory authorities of the Parties shall form a network.

13. The supervisory authorities shall not be competent with respect to processing carried out by bodies when acting in their judicial capacity.”

Article 20

1. Chapters IV to VII of the original Convention shall be renumbered to Chapters V to VIII of the Convention.

2. Articles 13 to 27 of the original Convention shall be renumbered to Articles 16 to 30 of the Convention.

Article 21

1. Paragraph 2 of the original Article 13 of the Convention (new Article 16) shall be replaced by the following:

“2. For that purpose:

a. each Party shall designate one or more supervisory authorities within the meaning of Article 15 of this Convention, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;

b. each Party which has designated more than one supervisory authority shall specify the competence of each authority in its communication referred to in the previous sub-paragraph.”

2. Paragraph 3 of the original Article 13 of the Convention shall be deleted.

Article 22

1. The title of the original Article 14 of the Convention shall be changed to:

“Article 17 – Assistance to data subjects”.

2. The text of the original Article 14 of the Convention (new Article 17) shall be replaced by the following:

“1. Each Party shall assist any data subject, whatever his or her nationality or residence, to exercise his or her rights under Article 9 of this Convention.

2. Where a data subject resides in the territory of another Party, he or she shall be given the option of submitting the request through the intermediary of the supervisory authority designated by that Party.

3. The request for assistance shall contain all the necessary particulars, relating inter alia to:

a. the name, address and any other relevant particulars identifying the data subject making the request;

b. the processing to which the request pertains, or its controller;

c. the purpose of the request.”

Article 23

1. The term “authorities” in the title of the original Article 15 (new Article 18) shall be changed to “supervisory authorities”.

2. The text of the original Article 15 of the Convention (new Article 18) shall be replaced by the following:

“1. A supervisory authority designated by a Party which has received information from a supervisory authority designated by another Party either accompanying a request for assistance or in reply to its own request for assistance shall not use that information for purposes other than those specified in the request for assistance.

2. In no case may a designated supervisory authority be allowed to make a request for assistance on behalf of a data subject of its own accord and without the express approval of the data subject concerned.”

Article 24

1. The recital of the original Article 16 (new Article 19) shall be replaced by the following:

“A designated supervisory authority to which a request for assistance is addressed under Article 16 of this Convention may not refuse to comply with it unless:”

2. Littera a of the original Article 16 of the Convention shall be replaced by the following:

“a. the request is not compatible with its powers.”

3. Littera c of the original Article 16 of the Convention shall be replaced by the following:

“c. compliance with the request would be incompatible with the sovereignty, national security or public order of the Party by which it was designated, or with the rights and fundamental freedoms of individuals under the jurisdiction of that Party.”

Article 25

1. Paragraph 1 of the original Article 17 of the Convention (new Article 20) shall be replaced by the following:

“1. Mutual assistance which the Parties render each other under Article 16 and assistance they render to data subjects under Articles 9 and 17 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party which has designated the supervisory authority making the request for assistance.”

2. The terms “his or her” shall replace “his” in paragraph 2 of the original Article 17 of the Convention.

Article 26

The title of the original Chapter V of the Convention shall be changed to the following:

“Chapter VI – Convention Committee”.

Article 27

1. The terms “Consultative Committee” in paragraph 1 of the original Article 18 of the Convention (new Article 21) shall be replaced by “Convention Committee”.

2. Paragraph 3 of the original Article 18 of the Convention (new Article 21) shall be replaced by the following:

“3. The Convention Committee may, by a decision taken by a majority of two thirds of the representatives of the Parties, invite an observer to be represented at its meetings.”

3. A new paragraph 4 shall be added after paragraph 3 of the original Article 18 of the Convention:

“4. Any Party which is not a member of the Council of Europe shall contribute to the funding of the activities of the Convention Committee according to the modalities established by the Committee of Ministers in agreement with that Party.”

Article 28

1. The terms “Consultative Committee” in the recital of the original Article 19 of the Convention (new Article 22) shall be replaced by “Convention Committee”.

2. The term “proposals” in littera a of the original Article 19 of the Convention shall be replaced with the term “recommendations”.

3. References to “Article 21” in littera b and “Article 21 paragraph 3” in littera c of the original Article 19 of the Convention shall be replaced respectively by references to “Article 24” and “Article 24 paragraph 3”.

4. Littera d of the original Article 19 of the Convention shall be replaced by the following:

“d. may express an opinion on any question concerning the interpretation or application of this Convention;”.

5. The following additional litterae shall be added following littera d of the original Article 19 of the Convention:

“e. shall prepare, before any new accession to the Convention, an opinion for the Committee of Ministers relating to the level of personal data protection of the candidate for accession and where necessary recommend measures to take to reach compliance with the provisions of this Convention;

f. may, at the request of a State or an international organisation, evaluate whether the level of personal data protection the former provides is in compliance with the provisions of this Convention and where necessary recommend measures to take to reach such compliance;

g. may develop or approve models of standardised safeguards referred to in Article 14;

h. shall review the implementation of this Convention by the Parties and recommend measures to take where a Party is not in compliance with this Convention;

i. shall facilitate, where necessary, the friendly settlement of all difficulties related to the application of this Convention.”

Article 29

1. Paragraph 1 of the original Article 20 of the Convention (new Article 23) shall be replaced by the following:

“1. The Convention Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this Convention. It shall subsequently meet at least once a year and in any case when one third of the representatives of the Parties request its convocation.”

2. The terms “Consultative Committee” in paragraph 2 of the original Article 20 of the Convention shall be replaced by “Convention Committee”.

3. Paragraph 3 of the original Article 20 shall be replaced by the following:

“3. Under examination.”

4. The following new paragraphs shall be added after paragraph 3 stating the following:

“4. Under examination.

5. Decisions concerning procedural issues shall be taken by a simple majority.

6. After each of its meetings, the Convention Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of this Convention.

7. The Convention Committee shall draw up its own Rules of Procedure and establish, in particular, the procedures for evaluation and review referred to in Article 4, paragraph 3, and Article 22, littera e, f and h on the basis of objective criteria. The adoption of the Rules of Procedure and any amendments thereto shall require a two-thirds majority of the Parties.

8. Under examination.”

Article 30

1. Paragraphs 1 to 4 of the original Article 21 of the Convention (new Article 24) shall be replaced by the following:

“1. Amendments to this Convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Convention Committee.

2. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the Parties to this Convention, to the other member States of the Council of Europe, to the European Union and to every non-member State or international organisation which has been invited to accede to this Convention in accordance with the provisions of Article 26.

3. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Convention Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.

4. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Convention Committee and may approve the amendment.”

2. Additional paragraph 7 shall be added after paragraph 6 of the original Article 21 of the Convention as follows:

“7. Under examination.”

Article 31

1. Paragraph 1 of the original Article 22 of the Convention (new Article 25) shall be replaced by the following:

“1. This Convention shall be open for signature by the member States of the Council of Europe and by the European Union. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.”

2. The terms “member State” in paragraph 3 of the original Article 22 shall be replaced by “Party”.

Article 32

1. The title and the text of the original Article 23 of the Convention shall be replaced as follows:

“Article 26 – Accession by non-member States and international organisations

1. After the entry into force of this Convention, the Committee of Ministers of the Council of Europe may, after consulting the Parties to this Convention and obtaining their unanimous agreement and in light of the opinion prepared by the Convention Committee in accordance with Article 22.e, invite any State not a member of the Council of Europe or an international organisation to accede to this Convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the Committee of Ministers.

2. In respect of any State or international organisation acceding to this Convention according to paragraph 1 above, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.”

Article 33

Paragraphs 1 and 2 of the original Article 24 of the Convention (new Article 27) shall be replaced by the following:

“1. Any State, the European Union or other international organisation may at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this Convention shall apply.

2. Any State, the European Union or other international organisation may at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this Convention to any other territory specified in the declaration. In respect of such territory the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.”

Article 34

1. The term “State” in the recital of the original Article 27 shall be replaced by “Party”.

2. References to “Articles 22, 23 and 24” in littera c shall be replaced by references to “Articles 25, 26 and 27”.

Article 35 – Signature and entry into force

1. This Protocol shall be open for signature by the Parties to the Convention. It shall be subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.

2. This Protocol shall enter into force on the first day of the month following the expiration of a period of [three] months after the date on which all Parties to the Convention have expressed their consent to be bound by the Protocol in accordance with the provisions of paragraph 1 of this article.

3. Under examination.

4. Under examination.

5. From the entry into force of this Protocol, with respect to a Party having entered one or more declarations in pursuance of Article 3 of the original Convention, such declaration(s) will lapse.

6. From the date of the entry into force of this Protocol, the additional Protocol to the Convention shall be considered an integral part of the Convention as amended by the Protocol.

7. From the date of the entry into force of this Protocol, the Amendments to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, approved by the Committee of Ministers, in Strasbourg, on 15 June 1999, have lost their purpose.

Article 36 – Notifications

The Secretary General of the Council of Europe shall notify the member States of the Council of Europe and any other Party to the Convention of:

a. any signature;

b. the deposit of any instrument of ratification, acceptance or approval;

c. any date of entry into force of this Protocol in accordance with Article 35;

d. the other act, notification or communication relating to this Protocol.

In witness whereof the undersigned, being duly authorised thereto, have signed this Protocol.

Done at […..], this [………], in English and in French, both texts being equally authentic, in a single copy which shall be deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe, to other Parties to the Convention and any State invited to accede to the Convention.

Appendix 2 – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) – Draft Explanatory Report

(open)

This document was prepared on the basis of the consolidated text of the draft modernised Convention 108 (see document GR-J(2016)14-rev4) and the numbering of the articles does not correspond to the draft Amending Protocol of the Convention.

Introduction

1. In the thirty five years that have elapsed since the Convention for the Protection of individuals with Regard to Automated Processing of Personal Data, also known as Convention 108 (hereafter also referred to as “the Convention”) was opened for signature, the Convention has served as the foundation for international data protection law in over 40 European countries. It has also influenced policy and legislation far beyond Europe’s shores. With new challenges to human rights and fundamental freedoms, notably to the right to private life, arising every day, it appeared clear that the Convention should be modernised in order to better address emerging privacy challenges resulting from the increasing use of new information and communication technologies, the globalisation of processing operations and the ever greater flows of personal data, and, at the same time, to strengthen the Convention’s evaluation and follow-up mechanism.

2. Broad consensus on the following aspects of the modernisation process emerged: the general and technologically neutral nature of the Convention’s provisions must be maintained; the Convention’s coherence and compatibility with other legal frameworks must be preserved; and the Convention’s open character, which gives it a unique potential as a universal standard, must be reaffirmed. The text of the Convention is of a general nature and can be supplemented with more detailed soft-law sectoral texts in the form notably of Committee of Ministers’ Recommendations elaborated with the participation of interested stakeholders.

3. The modernisation work was carried out in the broader context of various parallel reforms of international data protection instruments and taking due account of the 1980 (revised in 2013) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of the Organisation for Economic Co‑operation and Development (OECD), the 1990 United Nations Guidelines for the Regulation of Computerized Personal Data Files, the European Union’s (EU) framework (1995 onwards

), the Asia-Pacific Economic Cooperation Privacy framework (2004) and the 2009 ”International Standards on the Protection of Privacy with regard to the processing of Personal Data”.

With regard to the EU data protection reform package in particular, the works ran in parallel and utmost care was taken to ensure consistency between both legal frameworks. The EU data protection framework gives substance and amplifies the principles of Convention 108 and takes into account accession to Convention 108, notably with regard to international transfers.

4. The Consultative Committee set up by Article 18 of the Convention prepared draft modernisation proposals which were adopted at its 29th Plenary meeting (27-30 November 2012) and submitted to the Committee of Ministers. The Committee of Ministers subsequently entrusted the ad hoc Committee on data protection (CAHDATA) with the task of finalising the modernisation proposals. This was completed on the occasion of the 3rd meeting of the CAHDATA (1-3 December 2014). Further to the finalisation of the EU data protection framework, another CAHDATA was established with a view to examine outstanding issues. The last CAHDATA meeting (15-16 June 2016) finalised its proposals and transmitted them to the Committee of Ministers for consideration and adoption.

5. The text of this explanatory report does not constitute an instrument providing an authoritative interpretation of the Convention but rather contains information intended to guide and assist application of its provisions. The legal obligations of the Parties derive from the text of the Convention and no provision of the present report is to be understood as restricting, lowering or extending the rights and obligations laid down in the Convention.

This Protocol has been open for signature in..., on...

II. Commentaries

1. The purpose of this Protocol is to modernise the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No.108) and its additional protocol on supervisory authorities and transborder flows (ETS No. 181), and to strengthen their application.

2. The explanatory reports to Convention 108 and to its additional protocol remain relevant in so far as they provide historical context and describe the evolution of both instruments, and they can be read in conjunction with the present one for those purposes.

Preamble

1. The Preamble reaffirms the commitment of the signatory States to human rights and fundamental freedoms.

2. A major objective of the Convention is to put individuals in a position to know, to understand and to control the processing of their personal data by others. Accordingly, the Preamble expressly refers to the right to personal autonomy and the right to control one’s personal data, which stems in particular from the right to privacy, as well as to the dignity of individuals. Human dignity requires that safeguards be put in place when processing personal data, in order for individuals not to be treated as mere objects.

3. Taking into account the role of the right to protection of personal data in society, the Preamble underlines the principle that the interests, rights and fundamental freedoms of individuals have, where necessary, to be reconciled with each other. It is in order to maintain a careful balance between the different interests, rights and fundamental freedoms that the Convention lays down certain conditions and restrictions with regard to the processing of information and the protection of personal data. The right to data protection is for instance to be considered alongside the right to ‘freedom of expression’ as laid down in Article 10 of the European Convention on Human Rights, which includes the freedom to hold opinions and to receive and impart information. Furthermore, the Convention confirms that the exercise of the right to data protection, which is not absolute, should not be used as a general means to prevent public access to official documents.

4. Convention 108, through the principles it lays down and the values it enshrines, protects the individual while providing a framework for international data flows. This is important as global information flows play an increasingly significant role in modern society, enabling the exercise of fundamental rights and freedoms while triggering innovation and fostering social and economic progress, while also playing a vital role in ensuring public safety. The flow of personal data in an information and communication society must respect the fundamental rights and freedoms of individuals. Furthermore, the development and use of innovative technologies should also respect those rights. This will help to build trust in innovation and new technologies and further enable their development.

5. As international cooperation between supervisory authorities is a key element for effective protection of individuals, the Convention aims to reinforce such cooperation, notably by requiring Parties to render mutual assistance, and providing the appropriate legal basis for a framework of cooperation and exchange of information for investigations and enforcement.

Chapter I – General provisions

Article 1 – Object and purpose

1. The first article describes the Convention's object and purpose. This article focuses on the subject of protection: individuals are to be protected when their personal data is processed.

More recently, data protection has been included as a fundamental right in Article 8 of the Charter of Fundamental Rights of the European Union as well as in the constitutions of several Parties to the Convention.

2. The guarantees set out in the Convention are extended to every individual regardless of nationality or residence. No discrimination between citizens and third country nationals in the application of these guarantees is allowed.

Clauses restricting data protection to a State’s own nationals or legally resident foreign nationals would be incompatible with the Convention.

Article 2 – Definitions

1. The definitions used in this Convention are meant to ensure the uniform application of terms to express certain fundamental concepts in national legislation.

Litt. a – ‘personal data’

2. "Identifiable individual" means a person who can be directly or indirectly identified. An individual is not considered ’identifiable’ if his or her identification would require unreasonable time, effort or resources. Such is the case for example when identifying a data subject would require excessively complex, long and costly operations. The issue of what constitutes “unreasonable time, efforts or resources” should be assessed on a case-by-case basis. For example, consideration could be given to the purpose of the processing and taking into account objective criteria such as the cost, the benefits of such an identification, the type of controller, the technology used, etc. Furthermore, technological and other developments may change what constitutes ‘unreasonable time, effort or other resources’.

3. The notion of ‘identifiable’ does not only refer to the individual’s civil or legal identity as such, but also to what may allow to “individualise” or single out (and thus allow to treat differently) one person from others. This “individualisation” could be done, for instance, by referring to him or her specifically, or to a device or a combination of devices (computer, mobile phone, camera, gaming devices, etc.) on the basis of an identification number, a pseudonym, biometric or genetic data, location data, an IP address, or other identifier. The use of a pseudonym or of any digital identifier/digital identity does not lead to anonymisation of the data as the data subject can still be identifiable or individualised. Pseudonymous data is thus to be considered as personal data and is covered by the provisions of the Convention. The quality of the pseudonymisation techniques applied should be duly taken into account when assessing the appropriateness of safeguards implemented to mitigate the risks to data subjects.

4. Data is to be considered as anonymous only as long as it is impossible to re-identify the data subject or if such re-identification would require unreasonable time, effort or resources, taking into consideration the available technology at the time of the processing and technological developments. Data that appears to be anonymous because it is not accompanied by any obvious identifying element may, nevertheless in particular cases (not requiring unreasonable time, effort or resources), permit the identification of an individual. This is the case, for example, where it is possible for the controller or any person to identify the individual through the combination of different types of data, such as physical, physiological, genetic, economic, or social data (combination of data on the age, sex, occupation, geolocation, family status, etc.). Where this is the case, the data may not be considered anonymous and is covered by the provisions of the Convention.

5. When data is made anonymous, appropriate means should be put in place to avoid re-identification of data subjects, in particular, all technical means should be implemented in order to guarantee that the individual is not or no longer identifiable. They should be regularly re-evaluated in light of the fast pace of technological development.

Litt. b and c – ‘data processing’

6. "Data processing” starts from the collection of personal data and covers all operations performed on personal data, whether partially or totally automated. Where automated processing is not used, data processing means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria, allowing the controller or any other person to search, combine or correlate the data related to a specific data subject.

Litt. d – ‘controller’

7. "Controller” refers to the person or body having the decision-making power concerning the purposes and means of the processing, whether this power derives from a legal designation or factual circumstances that are to be assessed on a case by case basis. In some cases, there may be multiple controllers or co-controllers (jointly responsible for a processing and possibly responsible for different aspects of that processing). When assessing whether the person or body is a controller, special account should be taken of whether that person or body determines the reasons justifying the processing, in other terms its purposes and the means used for it. Further relevant factors for this assessment include whether the person or body has control over the processing methods, the choice of data to be processed and who is allowed to access it. Those who are not directly subject to the controller and carry out the processing on the controller's behalf, and solely according to the controller’s instructions, are to be considered processors. The controller remains responsible for the processing also where a processor is processing the data on his or her behalf.

Litt. e – ‘recipient’

8. ”Recipient” is an individual or an entity who receives personal data or to whom personal data is made available. Depending on the circumstances, the recipient may be a controller or a processor. For example, an enterprise can send certain data of employees to a government department that will process it as a controller for tax purposes. It may send it to a company offering storing service and acting as a processor. The recipient can be a public authority or an entity that has been granted the right to exercise a public function but where the data received by the authority or entity is processed in the framework of a particular inquiry in accordance with the applicable law, that public authority or entity shall not be regarded as a recipient. Requests for disclosure from public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data protection rules according to the purposes of the processing.

Litt. f – ‘processor’

9. ”Processor” is any natural or legal person (other than an employee of the data controller) who processes data on behalf of the controller and according to the controller’s instructions. The instructions given by the controller establish the limit of what the processor is allowed to do with the personal data.

Article 3 – Scope

1. According to paragraph 1, each Party should apply the Convention to all processing – within the public or private sector alike – subject to its jurisdiction.

2. Making the scope of the protection dependent on the notion of ‘jurisdiction’ of the Parties, is justified by the objective of better standing the test of time and accommodating continual technological developments.

3. Paragraph 1bis excludes processing carried out for purely personal or household activities from the scope of the Convention. This exclusion aims at avoiding the imposition of unreasonable obligations on data processing carried out by individuals in their private sphere for activities relating to the exercise of their private life. Personal or household activities are activities which are closely and objectively linked to the private life of an individual and which do not significantly impinge upon the personal sphere of others. These activities have no professional or commercial aspects and relate exclusively to personal or household activities such as storing family or private pictures on a computer, creating a list of the contact details of friends and family members, corresponding, etc. The sharing of data within the private sphere encompasses notably the sharing between a family, a restricted circle of friends or a circle which is limited in its size and based on a personal relationship or a particular relation of trust.

4. Whether activities are ‘purely personal or household activities’ will depend on the circumstances. For example, when personal data is made available to a large number of persons or to persons obviously external to the private sphere, such as a public website on the Internet, the exemption will not apply. Likewise, the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his or her family home for the purposes of protecting the property, health and life of the home owners, but which covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, cannot be regarded as an activity which is a purely ‘personal or household’ activity.

5. The Convention nonetheless applies to data processing carried out by providers of the means for processing personal data for such personal or household activities.

6. While the Convention concerns data processing relating to individuals, the Parties may extend the protection in their domestic law to data relating to legal persons in order to protect their legitimate interests. The Convention applies to living individuals: it is not meant to apply to personal data relating to deceased persons. However, this does not prevent Parties from extending the protection to deceased persons.

Chapter II – Basic principles of data protection

Article 4 – Duties of the Parties

1. As this article indicates, the Convention obliges Parties to incorporate its provisions into their law and secure their effective application in practice; how this is done depends on the applicable legal system and the approach of incorporation of international treaties.

2. The term “law of the Parties” denotes, according to the legal and constitutional system of the particular country, all enforceable rules, whether of statute law or case law. It must meet the qualitative requirements of accessibility and previsibility (or ‘foreseeability’). This implies that the law should be sufficiently clear to allow individuals and other entities to regulate their own behaviour in light of the expected legal consequences of their actions, and that the persons who are likely to be affected by this law should have access to it. It encompasses rules that place obligations or confer rights on persons (whether natural or legal) or which govern the organisation, powers and responsibilities of public authorities or lay down procedure. In particular, it includes States' constitutions and all written acts of legislative authorities (laws in the formal sense) as well as all regulatory measures (decrees, regulations, orders and administrative directives) based on such laws. It also covers international conventions applicable in domestic law, including European Union law. Further, it includes all other statutes of general nature, whether of public or private law (including law of contract), together with court decisions in common law countries, or in all countries, established case law interpreting a written law.

In addition, it includes any act of a professional body under powers delegated by the legislator and in accordance with its independent rule-making powers.

3. Such “law of the Parties” may be usefully reinforced by voluntary regulation measures in the field of data protection, such as codes of good practice or codes for professional conduct. However, such voluntary measures are not by themselves sufficient to ensure full compliance with the Convention.

4. Where international organisations are concerned

, in some situations, the law of such international organisations may be applied directly at the national level of the member States of such organisations depending on each national legal system.

5. The effectiveness of the application of the measures giving effect to the provisions of the Convention is of crucial importance. The role of the supervisory authority (or authorities), together with any remedies that are available to data subjects, should be considered in the overall assessment of the effectiveness of a Party’s implementation of the Convention’s provisions.

6. It is further stipulated in paragraph 2 that the measures giving effect to the Convention shall be taken by the Parties concerned and shall have come into force by the time of ratification or accession, i.e. when a Party becomes legally bound by the Convention. This provision aims to enable the Convention Committee to verify whether all “necessary measures” have been taken, to ensure that the Parties to the Convention observe their commitments and provide the expected level of data protection in their national law. The process and criteria used for this verification are to be clearly defined in the Convention Committee’s rules of procedure.

7. Parties commit in paragraph 3 to contribute actively to the evaluation of their compliance with their commitments, with a view to ensuring regular assessment of the implementation of the principles of the Convention (including its effectiveness). Submission of reports by the Parties on the application of their data protection law could be one possible element of this active contribution.

8. 37. In exercising its powers under paragraph 3, the Convention Committee shall not evaluate whether a Party has taken effective measures, to the extent it has made use of exceptions and restrictions in accordance with the provisions of this Convention. It follows that under Article 9 paragraph 3 a Party shall not be required to provide classified information to the Convention Committee.

9. The evaluation of a Party’s compliance will be carried out by the Convention Committee on the basis of an objective, fair and transparent procedure established by the Convention Committee and fully described in its rules of procedure.

Article 5 – Legitimacy of data processing and quality of data

1. Paragraph 1 provides that data processing must be proportionate, that is, appropriate in relation to the legitimate purpose pursued and having regard to the interests, rights and freedoms of the data subject or the public interest. Such data processing should not lead to a disproportionate interference with these interests, rights and freedoms. The principle of proportionality is to be respected at all stages of processing, including at the initial stage, i.e. when deciding whether or not to carry out the processing.

2. Paragraph 2 prescribes two alternate essential pre-requisites for a lawful processing: the individual’s consent or a legitimate basis prescribed by law. Paragraphs 1, 2, 3 and 4 of Article 5 are cumulative and must be respected in order to ensure the legitimacy of the data processing.

3. The data subject’s consent must be freely given, specific, informed and unambiguous. Such consent must represent the free expression of an intentional choice, given either by a statement (which can be written, including by electronic means, or oral) or by a clear affirmative action and which clearly indicates in this specific context the acceptance of the proposed processing of personal data. Mere silence, inactivity or pre-validated forms or boxes should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes (in the case of multiple purposes, consent should be given for each different purpose). There can be cases with different consent decisions (e.g. where the nature of the data is different even if the purpose is the same – such as health data versus location data: in such cases the data subject may consent to the processing of his or her location data but not to the processing of the health data).The data subject must be informed of the implications of his or her decision (what the fact of consenting entails and the extent to which consent is given).

No undue influence or pressure (which can be of an economic or other nature) whether direct or indirect, may be exercised on the data subject and consent should not be regarded as freely given where the data subject has no genuine or free choice or is unable to refuse or withdraw consent without prejudice.

4. In the context of scientific research it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

5. An expression of consent does not waive the need to respect the basic principles for the protection of personal data set in Chapter II of the Convention and the proportionality of the processing, for instance, still has to be considered.

6. The data subject has the right to withdraw the consent he or she gave at any time (which is to be distinguished from the separate right to object to processing). This will not affect the lawfulness of the data processing that occurred before the data controller has received his or her withdrawal of consent but does not allow continued processing of data, unless justified by some other legitimate basis laid down by law.

7. The notion of “legitimate basis laid down by law”, referred to in paragraph 2, encompasses inter alia data processing necessary for the fulfilment of a contract (or pre-contractual measures at the request of the data subject) to which the data subject is party, data processing necessary for the protection of the vital interests of the data subject or of another person, data processing necessary for compliance with a legal obligation to which the controller is subject, and data processing carried out on the basis of grounds of public interest or for overriding legitimate interests of the controller or of a third party.

8. Data processing carried out on grounds of public interest should be provided for by law; inter alia, for monetary, budgetary and taxation matters, public health and social security, the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, the protection of national security, defence, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the enforcement of civil law claims and the protection of judicial independence and judicial proceedings. Data processing may serve both a ground of public interest and the vital interests of the data subject as, for instance, in the case of data processed for humanitarian purposes including monitoring a life-threatening epidemic and its spread or in humanitarian emergencies. The latter may occur in situations of natural disasters where processing of personal data of missing persons may be necessary for a limited time for purposes related to the emergency context – which is to be evaluated on a case-by-case basis. It can also occur in situations of armed conflicts or other violence.

The processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations can also be considered as carried out on grounds of public interest.

9. The conditions for legitimate processing are set out in paragraphs 3 and 4. Personal data should be processed lawfully, fairly and in a transparent manner. Personal data must also have been collected for explicit, specified and legitimate purposes, and the processing of that particular data must serve those purposes, or at least not be incompatible with them. The reference to specified "purposes" indicates that it is not permitted to process data for undefined, imprecise or vague purposes. What is considered a legitimate purpose depends on the circumstances as the objective is to ensure that a balancing of all rights, freedoms and interests at stake is made in each instance; the right to the protection of personal data on the one hand, and the protection of other rights on the other hand, as, for example, between the interests of the data subject and the interests of the controller or of society.

10. The concept of compatible use should not hamper the transparency, legal certainty, predictability or fairness of the processing. Personal data should not be further processed in a way that the data subject might consider unexpected, inappropriate or otherwise objectionable. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data is initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data has been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to its further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

11. The further processing of personal data, referred to in paragraph 4(b), for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is a priori considered as compatible provided that other safeguards exist (such as, for instance, anonymisation of data or data pseudonymisation, except if retention of the identifiable form is necessary, rules of professional secrecy, provisions governing restricted access and communication of data for the above-mentioned purposes, notably in relation with statistics and public archives, other technical and organisational data-security measures) and that the operations, in principle, exclude any use of the information obtained for decisions or measures concerning a particular individual. “Statistical purposes” refers to the elaboration of statistical surveys or the production of statistical, aggregated results. Statistics aim at analysing and characterising mass or collective phenomena in a considered population.

Statistical purposes can be pursued either by the public or the private sector. Processing of data for “scientific research purposes” aims at providing researchers with information contributing to an understanding of phenomena in varied scientific fields (epidemiology, psychology, economics, sociology, linguistics, political science, criminology, etc.) with a view to establishing permanent principles, laws of behaviour or patterns of causality which transcend all the individuals to whom they apply.

“Historical research purposes” includes genealogical research. ‘Archiving purposes in the public interest’ can also include archives originating from private entities, where a public interest is involved.

12. Personal data undergoing processing should be adequate, relevant and not excessive. Furthermore, the data should be accurate and, where necessary, regularly kept up to date.

13. The requirement of paragraph 4(c) that data be “not excessive” first requires that data processing should be limited to what is necessary for the purpose for which it is processed. It should only be processed if, and as long as, the purposes cannot reasonably be fulfilled by processing information that does not involve personal data. Furthermore, this requirement not only refers to the quantity, but also to the quality of personal data. Personal data which is adequate and relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should be considered as excessive and not be processed.

14. The requirement of paragraph 4(e) concerning the time-limits for the storage of personal data means that data should be deleted once the purpose for which it was processed has been achieved or it should only be kept in a form that prevents any direct or indirect identification of the data subject.

15. Limited exceptions to Article 5 paragraph 4 are permitted under the conditions specified in Article 9 paragraph 1.

Article 6 – Special categories of data

1. Processing of certain types of data, or processing of certain data for the sensitive information it reveals, may lead to encroachments on interests, rights and freedoms. This can for instance be the case where there is a potential risk of discrimination or injury to an individual’s dignity or physical integrity, where the data subject’s most intimate sphere, such as his or her sex life or sexual orientation, is being affected, or where processing of data could affect the presumption of innocence. It should only be permitted where appropriate safeguards, which complement the other protective provisions of the Convention, are provided for by law. The requirements of appropriate safeguards, complementing the provisions of the Convention, does not exclude the possibility provided under Article 9 to allow exceptions and restrictions to the rights of data subjects granted under Article 8.

2. In order to prevent adverse effects for the data subject, processing of sensitive data for legitimate purposes need to be accompanied with appropriate safeguards (which are adapted to the risks at stake and the interests, rights and freedoms to protect), such as for instance, alone or cumulatively, the data subject’s explicit consent, a law covering the intended purpose and means of the processing or indicating the exceptional cases where processing such data would be permitted, a professional secrecy obligation, measures following a risk analysis, a particular and qualified organisational or technical security measure (data encryption for example).

3. Specific types of data processing may entail a particular risk for data subjects independently of the context of the processing. It is, for instance, the case with the processing of genetic data, which can be left by individuals and can reveal information on the health or filiation of the person, as well as of third parties. Genetic data are all data relating to the genetic characteristics of an individual which have been either inherited or acquired during early prenatal development, as they result from an analysis of a biological sample from the individual concerned: chromosomal, DNA or RNA analysis or analysis of any other element enabling equivalent information to be obtained. Similar risks occur with the processing of data related to criminal offences (which includes suspected offences), criminal convictions (based on criminal law and in the framework of criminal proceedings) and related security measures (involving deprivation of liberty for instance) which require the provision of appropriate safeguards for the rights and freedoms of data subjects.

4. Processing of biometric data, that is data resulting from a specific technical processing of data concerning the physical, biological or physiological characteristics of an individual which allows the unique identification or authentication of the individual, is also considered sensitive when it is precisely used to uniquely identify the data subject.

5. The context of the processing of images is relevant to the determination of the sensitive nature of the data. The processing of images will not generally involve processing of sensitive data as the images will only be covered by the definition of biometric data when being processed through a specific technical mean which permits the unique identification or authentication of an individual. Furthermore, where processing of images is intended to reveal racial, ethnic or health information (see the following point), such a processing will be considered as a processing of sensitive data. On the contrary, images processed by a video surveillance system solely for security reasons in a shopping area will not generally be considered as processing of sensitive data.

6. Processing of sensitive data has the potential to adversely affect data subjects’ rights when it is processed for specific information it reveals. While the processing of family names can in many circumstances be void of any risk for individuals (e.g. common payroll purposes), such a processing could in some cases involve sensitive data, for example when the purpose is to reveal the ethnic origin or religious beliefs of the individuals based on the linguistic origin of their names. Information concerning health includes information concerning the past, present and future, physical or mental health of an individual, and which may refer to a person who is sick or healthy. Processing images of persons with thick glasses, a broken leg, burnt skin or other visible health element can only be considered as processing sensitive data when the processing is based on the health information that can be extracted from the pictures.

7. Where sensitive data has to be processed for a statistical purpose it should be collected in such a way that the data subject is not identifiable. Collection of sensitive data without identification data is a safeguard within the meaning of Article 6. Where there is a legitimate need to collect sensitive data for statistical purposes in identifiable form (so that a repeat or longitudinal survey can be carried out, for example), appropriate safeguards should be put in place.

Article 7 – Data security

1. The controller or where applicable the processor should take specific security measures, both of technical and organisational nature, for each processing, taking into account: the potential adverse consequences for the individual, the nature of the personal data, the volume of personal data processed, the degree of vulnerability of the technical architecture performing the processing, the need to restrict access to the data, requirements concerning long-term storage, and so forth.

2. Security measures should take into account the current state of the art of data security methods and techniques in the field of data processing. Their cost should be commensurate to the seriousness and probability of the potential risks. Security measures should be kept under review and updated where necessary.

3. While security measures are aimed at preventing a number of risks, paragraph 2 contains a specific obligation where a data breach has nevertheless occurred that may seriously interfere with the fundamental rights and freedoms of the individual. For instance, the disclosure of data covered by professional confidentiality, or which may result in financial, reputational, or physical harm or humiliation, could be deemed to constitute a “serious” interference.

4. Where such a data breach has occurred, the controller is required to notify the relevant supervisory authorities of the incident, subject to the exception permitted under Article 9 paragraph 1. This is the minimum requirement. The controller should also notify the supervisory authorities of any measures taken and/or proposed to address the breach and its potential consequences.

5. The notification made by the controller to the supervisory authorities does not preclude other complementary notifications. For instance, the controller may also recognise the need to notify the data subjects in particular when the data breach is likely to result in a significant risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, and to provide them with adequate and meaningful information on, notably, the contact points and possible measures that they could take to mitigate the adverse effects of the breach. In cases where the controller does not spontaneously inform the data subject of the data breach, the supervisory authority, having considered the likely adverse effects of the breach, should be allowed to require the controller to do so. Notification to other relevant authorities such as those in charge of computer systems security may also be desirable.

Article 7bis – Transparency of processing

1. The controller is required to act transparently when processing data in order to ensure fair processing and to enable data subjects to understand and thus fully exercise their rights in the context of such data processing.

2. Certain essential information has to be compulsorily provided in a proactive manner by the controller to the data subjects when directly or indirectly (not through the data subject but through a third-party) collecting their data, subject to the possibility to provide for exceptions in line with Article 9 paragraph 1. Information on the name and address of the controller (or co-controllers), the legal basis and the purposes of the data processing, the categories of data processed and recipients, as well as the means of exercising the rights can be provided in any appropriate format (either through a website, technological tools on personal devices, etc.) as long as the information is fairly and effectively presented to the data subject. The information presented should be easily accessible, legible, understandable and adapted to the relevant data subjects (in a child friendly language where necessary for instance). Any additional information that is necessary to ensure fair data processing or that is useful for such purpose, such as the preservation period, the knowledge of the reasoning underlying the data processing, or information on data transfers to a recipient in another Party or non-Party (including whether that particular non-Party provides an appropriate level of protection or the measures taken by the controller to guarantee such an appropriate level of data protection) is also to be provided.

3. The controller is not required to provide this information where the data subject has already received it, or in the case of an indirect collection of data through third parties where the processing is expressly prescribed by law, or where this proves to be impossible or it involves disproportionate efforts because the data subject is not directly identifiable or the controller has no way to contact the data subject. Such impossibility can be both of a legal nature (in the context of a criminal investigation for instance) or of a practical nature (for instance when a controller is only processing pictures and does not know the names and contact details of the data subjects).

4. The data controller may use any available, reasonable and affordable means to inform data subjects collectively (through a website or public notice) or individually. If it is impossible to do so when commencing the processing, it can be done at a later stage, for instance when the controller is put in contact with the data subject for any new reason.

Article 8 – Rights of the data subject

1. This Article lists the rights that every individual should be able to exercise concerning the processing of personal data relating to him or her. Each Party shall ensure, within its legal order, that all those rights are available for every data subject together with the necessary, adequate and effective legal and practical means to exercise them.

2. These rights include the following:

the right not to be subject to a purely automated decision without having one’s views taken into consideration (littera a);

the right to request confirmation of a processing of data relating to him or her and to access the data at reasonable intervals and without excessive delay or expense (littera b);

the right to be provided, on request, with knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her (littera c);

the right to object on grounds relating to his or her situation, to a processing of personal data relating to him or her, unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms (littera d);

the right to rectification or erasure of inaccurate, false, or unlawfully processed data (littera e);

the right to a remedy if any of the previous rights is not respected (littera f);

the right to obtain assistance from a supervisory authority (littera g).

3. Those rights may have to be reconciled with other rights and legitimate interests. They can, in accordance with Article 9, be limited only where this is provided for by law and constitutes a necessary and proportionate measure in a democratic society. For instance, the right to erasure of personal data may be restricted to the extent that processing is necessary for compliance with a legal obligation which requires processing by law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. Whilst the Convention does not specify from whom a data subject may obtain confirmation, communication, rectification, etc., or to whom to object or express his or her views, in most cases, this will be the controller, or the processor on his or her behalf. In exceptional cases, the means to exercise the rights to access, rectification and erasure may involve the intermediary of the supervisory authority. Concerning health data, rights may also be exercised in a different manner than through direct access. They may be exercised for instance with the assistance of a health professional when it is in the interest of the data subject, notably to help him/her understand the data or ensure that the data subject’s psychological state is appropriately considered when imparting information – in line, of course, with deontological principles.

5. Littera a. It is essential that an individual who may be subject to a purely automated decision has the right to challenge such a decision by putting forward, in a meaningful manner, his or her point of view and arguments. In particular, the data subject should have the opportunity to substantiate the possible inaccuracy of the personal data before it is used, the irrelevance of the profile to be applied to his or her particular situation, or other factors that will have an impact on the result of the automated decision. This is notably the case where individuals are stigmatised by application of algorithmic reasoning resulting in limitation of a right or refusal of a social benefit or where they see their credit capacity evaluated by a software only. However, an individual cannot exercise this right if the automated decision is authorised by a law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.

6. Littera b. Data subjects should be entitled to know about the processing of their personal data. The right of access should, in principle, be free of charge. However, the wording of littera b. is intended to allow the controller in certain specific conditions to charge a reasonable fee where the requests are excessive and to cover various approaches that could be adopted by a Party for appropriate cases. Such a fee should be exceptional and in any case reasonable, and not prevent or dissuade data subjects from exercising their rights. The controller or processor could also refuse to respond to manifestly unfounded or excessive requests, in particular because of their repetitive character. The controller should in all cases justify such a refusal. To ensure a fair exercise of the right of access, the communication “in an intelligible form” applies to the content as well as to the form of a standardised digital communication.

7. Littera c. Data subjects should be entitled to know the reasoning underlying the processing of their data, including the consequences of such a reasoning, which led to any resulting conclusions, in particular in cases involving the use of algorithms for automated-decision making including profiling. For instance in the case of credit scoring, they should be entitled to know the logic underpinning the processing of their data and resulting in a ‘yes’ or ‘no’ decision, and not simply information on the decision itself. Having an understanding of these elements contributes to the effective exercise of other essential safeguards such as the right to object and the right to complain to a competent authority.

8. Littera d. As regards the right to object, the controller may have a legitimate ground for data processing, which overrides the interests or rights and freedoms of the data subject. For example, the establishment, exercise or defence of legal claims or reasons of public safety could be considered as overriding legitimate grounds justifying the continuation of the processing. This will have to be demonstrated on a case-by-case basis and failure to demonstrate such compelling legitimate grounds while pursuing the processing could be considered as unlawful. The right to object operates in a distinct and separate manner from the right to obtain rectification or erasure (littera e.).

9. Objection to data processing for marketing purposes should lead to unconditional erasing or removing of the personal data covered by the objection.

10. The right to object may be limited by virtue of a law, for example, for the purpose of the investigation or prosecution of criminal offences. In this case, the data subject can, as the case may be, challenge the lawfulness of the processing on which it is based. When data processing is based on a valid consent given by the data subject, the right to withdraw consent can be exercised instead of the right to object. A data subject may withdraw his or her consent and will then have to assume the consequences possibly deriving from other legal texts such as the obligation to compensate the controller. Likewise where data processing is based on a contract, the data subject can take the necessary steps to revoke the contract.

11. Littera e. The rectification or erasure, if justified, must be free of charge. In the case of rectifications and erasures obtained in conformity with the principle set out in littera e, those rectifications and erasures should, where possible, be brought to the attention of the recipients of the original information, unless this proves to be impossible or involves disproportionate efforts.

12. Littera g aims at ensuring effective protection of data subjects by providing them the right to an assistance of a supervisory authority in exercising the rights provided by the Convention. When the data subject resides in the territory of another Party, he or she can submit the request through the intermediary of the authority designated by that Party. The request for assistance should contain sufficient information to permit identification of the data processing in question. This right can be limited according to Article 9 or adapted in order to safeguard the interests of a pending judicial procedure.

13. Limited exceptions to Article 8 are permitted under the conditions specified in Article 9 paragraph 1.

Article 8bis – Additional obligations

1. In order to ensure that the right to the protection of personal data is effective, additional obligations are imposed on the controller as well as, where applicable, the processor(s).

2. According to paragraph 1, the obligation on the controller to ensure adequate data protection is linked to the responsibility to verify and be in a position to demonstrate that data processing is in compliance with the applicable law. The data protection principles set out in the Convention, which are to be applied at all stages of processing, including the design phase, aim at protecting data subjects and are also a mechanism for enhancing their trust. Appropriate measures that the controller and processor may have to take to ensure compliance include: training employees; setting-up appropriate notification procedures (for instance to indicate when data have to be deleted from the system); establishing specific contractual provisions where the processing is delegated in order to give effect to the Convention; as well as setting up internal procedures to enable the verification and demonstration of compliance.

3. If, in accordance with Article 9, paragraph 3, a Party choses to limit the powers of a supervisory authority within the meaning of Article 12bis with reference to processing activities for national security and defence purposes, the controller has no obligation to demonstrate to such a supervisory authority compliance with data protection requirements for activities falling within the scope of the aforementioned exception.

4. A possible measure that could be taken by the controller to facilitate such a verification and demonstration of compliance would be the designation of a ‘data protection officer’ entrusted with the means necessary to fulfil his or her mandate. Such a data protection officer, whose designation should be notified to the supervisory authority, could be internal or external to the controller.

5. Paragraph 2 clarifies that before carrying out a data processing activity, the controller will have to examine its potential impact on the rights and fundamental freedoms of the data subjects. This examination can be done without excessive formalities. It will also have to consider respect of the proportionality principle on the basis of a comprehensive overview of the intended processing. In some circumstances, where a processor is involved in addition to the controller, the processor will also have to examine the risks. IT systems developers, including security professionals, or designers, together with users and legal experts could assist in examining the risks.

6. Paragraph 3 specifies that in order to better guarantee an effective level of protection, controllers, and, where applicable, processors, should ensure that data protection requirements are integrated as early as possible – i.e. ideally at the stage of architecture and system design – in data processing operations through technical and organisational measures (data protection by design). This implementation of data protection requirements should be achieved not only as regards the technology used for processing the data, but also the related work and management processes. Easy-to-use functionalities that facilitate compliance with applicable law should be put in place. For example, secure online access to one’s own data should be offered to data subjects where possible and relevant. There should also be easy-to-use tools for data subjects to take their data to another provider of their choice or keep the data themselves (data portability tools). When setting up the technical requirements for default settings, controllers and processors should choose privacy-friendly standard configurations so that the usage of applications and software does not infringe the rights of the data subjects (data protection by default), notably to avoid processing more data than necessary to achieve the legitimate purpose. For example, social networks should be configured by default so as to share posts or pictures only with restricted and chosen circles and not with the whole Internet.

7. Paragraph 4 allows Parties to adapt the additional obligations listed in paragraphs 1 to 3 taking into consideration the risks at stake for the interests, rights and fundamental freedoms of the data subjects. Such adaptation should be done considering the nature and volume of data processed, the nature, scope and purposes of the data processing and, in certain cases, the size of the processing entity. The obligations could be adapted, for example, so as not to entail excessive costs for SMEs processing only non-sensitive personal data received from customers in the framework of commercial activities and not re-using it for other purposes. Certain categories of data processing, such as processing which does not entail any risk for data subjects, may even be exempt from some of the additional obligations prescribed in this Article.

Article 9 – Exceptions and restrictions

1. No exceptions to the provisions of Chapter II are allowed except for a limited number of provisions (Articles 5.4, 7 (2), 7 bis paragraph 1 and Article 8) when such exceptions are provided for by law, respect the essence of the fundamental rights and freedoms, and are necessary in a democratic society for the grounds listed in litterae a. and b. of the first paragraph of Article 9. A measure which is "necessary in a democratic society" must pursue a legitimate aim and thus meet a pressing social need which cannot be achieved by less intrusive means. Such a measure should furthermore be proportionate to the legitimate aim being pursued and the reasons adduced by the national authorities to justify it should be relevant and adequate. Such a measure must be prescribed by an accessible and foreseeable law, which must be sufficiently detailed.

2. All processing of personal data must be lawful, fair and transparent in relation to the data subjects, and only processed for specific purposes. This does not in itself prevent the law-enforcement authorities from carrying out activities such as covert investigations or video surveillance. Such activities can be done for the purposes of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties, including the safeguarding against and the prevention of threats to national security and public safety, as long as they are laid down by law and constitute a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the data subjects.

3. The necessity of such exceptions needs to be examined on a case-by-case basis and in light of the essential objectives of general public interest, as is detailed in litterae a and b of the first paragraph. Littera a lists some objectives of general public interest of the State or of the international organisation which may require exceptions.

4. The notion of "national security" should be interpreted on the basis of the relevant case-law of the European Court of Human Rights

5. The term "important economic and financial interests" covers, in particular, tax collection requirements and exchange control. The term "prevention, investigation and prosecution of criminal offences and the execution of criminal penalties" in this littera includes the prosecution of criminal offences and the application of sanctions related thereto. The term "other essential objectives of general public interest" covers inter alia, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions and the enforcement of civil law claims.

6. Littera b. concerns the rights and fundamental freedoms of private parties, such as those of the data subject himself or herself (for example when a data subject’s vital interests are threatened because he or she is missing) or of third parties, such as freedom of expression, including freedom of journalistic, academic, artistic or literary expression, and the right to receive and impart information, confidentiality of correspondence and communications, or business or commercial secrecy and other legally protected secrets. This should apply in particular to processing of personal data in the audio-visual field and in news archives and press libraries. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

7. The second paragraph leaves open the possibility of restricting the provisions set out in Articles 7bis and 8 with regard to certain data processing carried out for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes which pose no recognisable risk of infringement to the rights and fundamental freedoms of data subjects. For instance, this could be the case with the use of data for statistical work, in the public and private fields alike, in so far as this data is published in aggregate form and provided that appropriate data protection safeguards are in place (see paragraph 48).

8. The additional exceptions allowed to Articles 12 and 12bis in respect of processing activities for national security and defence purposes are without prejudice to applicable requirements in relation to the independence and effectiveness of review and supervision mechanisms.

Article 10 – Sanctions and remedies

1. In order for the Convention to guarantee an effective level of data protection, the duties of the controller and processor and the rights of data subjects should be reflected in the Parties’ legislation with corresponding sanctions and remedies.

2. It is left to each Party to determine the nature (civil, administrative, criminal) of these judicial as well as non-judicial sanctions. These sanctions have to be effective, proportionate and dissuasive. The same goes for remedies: data subjects must have the possibility to judicially challenge a decision or practice, the definition of the modalities to do so being left with the Parties. Non-judicial remedies also have to be made available to data subjects. Financial compensation for material and non-material damages where applicable, caused by the processing and collective actions could be considered too.

Article 11 – Extended protection

1. This article is based on a similar provision, Article 60, of the European Convention on Human Rights. The Convention confirms the principles of data protection law which all Parties are ready to adopt. The text emphasises that these principles constitute only a basis on which Parties may build a more advanced system of protection. The expression “wider measure of protection” therefore refers to a standard of protection which is higher, not lower, than that already required by the Convention.

Chapter III – Transborder flows of personal data

Article 12 – Transborder flows

1. The aim of this article is to facilitate the free flow of information regardless of frontiers (recalled in the Preamble), while ensuring an appropriate protection of individuals with regard to the processing of personal data. A transborder data transfer occurs when personal data is disclosed or made available to a recipient subject to the jurisdiction of another State or international organisation.

2. The purpose of the transborder flow regime is to ensure that personal data originally processed within the jurisdiction of a Party (data collected or stored there for instance), which is subsequently under the jurisdiction of a State which is not Party to the Convention, continues to be processed with appropriate safeguards. What is important is that data processed within the jurisdiction of a Party always remains protected by the relevant data protection principles of the Convention. While there may be a wide variety of systems of protection, protection afforded has to be of such quality as to ensure that human rights are not affected by globalisation and transborder data flows.

3. Article 12 applies only to the outflow of data, not to its inflow, since the latter are covered by the data protection regime of the recipient Party.

4. Under examination.

5. Paragraph 2 refers to transborder flows of personal data to a recipient that is not subject to the jurisdiction of a Party. As for any personal data flowing outside national frontiers, an appropriate level of protection is to be guaranteed. In cases where the recipient is not a Party to the Convention, the Convention establishes two mechanisms to ensure that the level of data protection is indeed appropriate; either by law, or by ad hoc or approved standardised safeguards that are legally binding and enforceable, as well as duly implemented.

6. Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The law must include the relevant elements of data protection as set out in this Convention. The level of protection should be assessed for each transfer or category of transfers. Various elements of the transfer should be examined such as: the type of data; the purposes and duration of processing for which the data are transferred; the respect of the rule of law by the country of final destination; the general and sectoral legal rules applicable in the State or organisation in question; and the professional and security rules which apply there.

7. The content of the ad hoc or standardised safeguards must include the relevant elements of data protection. Moreover, the contractual terms could be such, for example, that the data subject is provided with a contact person on the staff of the person responsible for the data transfers, whose responsibility it is to ensure compliance with the substantive standards of protection. The data subject would be free to contact this person at any time and at no cost in relation to the data processing or transfers and, where applicable, obtain assistance in exercising his or her rights.

8. The assessment as to whether the level of protection is appropriate must take into account the principles of the Convention, the extent to which they are met in the recipient State or organisation – in so far as they are relevant for the specific case of transfer – and how the data subject is able to defend his or her interests where there is non-compliance. The enforceability of data subjects’ rights and the provision of effective administrative and judicial redress for the data subjects whose personal data are being transferred should be taken into consideration in the assessment. Similarly, the assessment can be made for a whole State or organisation thereby permitting all data transfers to these destinations.

9. Paragraph 4 enables Parties to derogate from the principle of requiring an appropriate level of protection and to allow a transfer to a recipient which does not ensure such protection. Such derogations are permitted in limited situations only: with the data subject’s consent or specific interest and/or where there are prevailing legitimate interests provided by law and/or the transfer constitutes a necessary and proportionate measure in a democratic society for freedom of expression. Such derogations should respect the principles of necessity and proportionality.

10. Paragraph 5 makes provision for a complementary safeguard: namely that the competent supervisory authority be provided with all relevant information concerning the transfers of data referred to in paragraphs 3.b, and, upon request 4.b and 4.c. The authority should be entitled to request relevant information about the circumstances and justification of those transfers. Under the conditions laid down in Article 9 paragraph 3, exceptions to Article 12 paragraph 5 are permissible.

11. According to paragraph6, the supervisory authority should be entitled to request that the effectiveness of the measures taken or the existence of prevailing legitimate interests be demonstrated, and to prohibit, suspend or impose conditions on the transfer if this proves necessary to protect the rights and fundamental freedoms of the data subjects. Under the conditions laid down in Article 9 paragraph 3 exceptions to Article 12 paragraph 6 are permissible.

12. Ever increasing data flows and the related need to increase the protection of personal data also require an increase in international enforcement cooperation among competent supervisory authorities.

Chapter III bis – Supervisory authorities

Article 12bis – Supervisory authorities

1. This Article aims at ensuring the effective protection of individuals by requiring the Parties to provide for one or more independent and impartial public supervisory authorities that contribute to the protection of the individuals’ rights and freedoms with regard to the processing of their personal data. Such authorities may be a single commissioner or a collegiate body. In order for data protection supervisory authorities to be able to provide for an appropriate remedy, they need to have effective powers and functions and enjoy genuine independence in the fulfilment of their duties. They are an essential component of the data protection supervisory system in a democratic society. Other appropriate mechanisms for independent and effective review and supervision of processing activities, in so far as Article 9 paragraph 3 applies, may be provided for by the Parties.

2. Paragraph 1 clarifies that more than one authority might be needed to meet the particular circumstances of different legal systems (e.g. federal States). Specific supervisory authorities whose activity is limited to a specific sector (electronic communications sector, health sector, public sector, etc.) may also be put in place. This also applies to the processing of personal data for journalistic purposes if this is necessary to reconcile the right to the protection of personal data with the right to freedom of expression. The supervisory authorities should have the necessary infrastructure and financial, technical and human resources (lawyers, information and communication technologies’ specialists) to take prompt and effective action. The adequacy of resources should be kept under review. Article 9 paragraph 3 allows for exceptions to the powers of supervisory authorities with reference to processing activities for national security and defence purposes (where such exceptions apply, other paragraphs of this Article may as a consequence not be applicable or relevant). This is however without prejudice to applicable requirements in relation to the independence and effectiveness of review and supervision mechanisms

3. Parties have certain discretion as to how to set up the authorities for enabling them to carry out their task. According to paragraph 2, however, they must have, subject to the possibility to provide for exceptions in line with Article 9 paragraph 3, at least the powers of investigation and intervention and the powers to issue decisions with respect to violations of the provisions of the Convention. The latter may involve the imposition of administrative sanctions, including fines. Where the legal system of the Party does not provide for administrative sanctions, paragraph 2 may be applied in such a manner that the sanction is proposed by the competent supervisory authority and imposed by the competent national courts. In any event, any sanctions imposed need to be effective, proportionate and dissuasive.

4. The authority shall be endowed with powers of investigation, subject to the possibility to provide for exceptions in line with Article 9 paragraph 3, such as the possibility to ask the controller and processor for information concerning the processing of personal data and to obtain it. By virtue of Article 8, such information should be made available, in particular, when the supervisory authority is approached by a data subject wishing to exercise the rights provided for in Article 8. The latter is subject to exceptions of Article 9 paragraph 1.

5. The supervisory authority's power of intervention provided for in paragraph 1, may take various forms in the Parties’ law. For example, the authority could be empowered to oblige the controller to rectify, delete or destroy inaccurate or illegally processed data on its own account or if the data subject is not able to exercise these rights personally. The power to take action against controllers who are unwilling to communicate the required information within a reasonable time would also be a particularly effective demonstration of the power of intervention. This power could also include the possibility to issue opinions prior to the implementation of data processing operations (where processing presents particular risks to the rights and fundamental freedoms, the supervisory authority should be consulted by controllers from the earliest stage of design of the processes), or to refer cases, where appropriate, to relevant competent authorities.

6. Moreover, according to paragraph 3 every data subject should have the possibility to request the supervisory authority to investigate a claim concerning his or her rights and liberties in respect of personal data processing. This helps to guarantee the right to an appropriate remedy, in keeping with Articles 8 and 10. The necessary resources to fulfil this duty should be provided. According to their available resources, the supervisory authorities should be given the possibility to define priorities to deal with the requests and complaints lodged by data subjects.

7. The Parties should give to the supervisory authority the power either to engage in legal proceedings or to bring any violations of data protection rules to the attention of the judicial authorities, subject to the possibility to provide for exceptions in line with Article 9 paragraph 3. This power derives from the power to carry out investigations, which may lead the authority to discover an infringement of an individual’s right to protection. The Parties may fulfil the obligation to grant this power to the authority by enabling it to make decisions.

8. Where an administrative decision produces legal effects, every affected person has a right to have an effective judicial remedy in accordance with the applicable national law.

9. Paragraph 2(e) deals with the awareness raising role of the supervisory authorities. In this context, it seems particularly important that the supervisory authority proactively ensures the visibility of its activities, functions and powers. To this end, the supervisory authority must inform the public through periodical reports (see paragraph 125). It may also publish opinions, issue general recommendations concerning the correct implementation of data protection rules or use any other means of communication. Moreover, it must provide information to individuals and to data controllers and processors about their rights and obligations concerning data protection. While raising awareness on data protection issues, the authorities have to be attentive to specifically address children and vulnerable categories of persons through adapted ways and languages.

10. As provided for under paragraph 2bis, supervisory authorities are, in accordance with the applicable national law, entitled to give opinions on any legislative or administrative measures which provide for the processing of personal data. Only general measures are meant to be covered by this consultative power, not individual measures.

11. In addition to this consultation foreseen under paragraph 2bis, the authority could also be asked to give its opinion when other measures concerning personal data processing are in preparation, such as for instance codes of conduct or technical norms.

12. Article 12bis does not prevent the allocation of other powers to the supervisory authorities.

13. Paragraph 4 clarifies that supervisory authorities cannot effectively safeguard individual rights and freedoms unless they exercise their functions in complete independence. A number of elements contribute to safeguarding the independence of the supervisory authority in the exercise of its functions, including the composition of the authority; the method for appointing its members; the possibility for them to participate in relevant meetings without undue restrictions; the option to consult technical or other experts or to hold external consultations; the duration of exercise and conditions of cessation of their functions; the availability of sufficient resources to the authority; the possibility to hire its own staff; or the adoption of decisions without being subject to external interference, whether direct or indirect.

14. The prohibition on seeking or accepting instructions covers the performance of the duties as a supervisory authority. This does not prevent supervisory authorities from seeking specialised advice where it is deemed necessary as long as the supervisory authorities exercise their own independent judgment.

15. Transparency on the work and activities of the supervisory authorities is required through, for instance, the publication of annual activity reports comprising inter alia information related to their enforcement actions as set out under paragraph 5bis.

16. Notwithstanding this independence, it must be possible to appeal against the decisions of the supervisory authorities through the courts in accordance with the principle of the rule of law, as provided for under paragraph 6.

17. Moreover, while supervisory authorities should have the legal capacity to act in court and seek enforcement, the intervention (or lack of) of a supervisory authority should not prevent an affected individual from seeking a judicial remedy (see paragraph 118).

18. Under paragraph 7 supervisory authorities are required to cooperate with one another. Co-operation may take various forms, some ‘hard’ forms, such as enforcement of data protection laws, in which the legality of action of each supervisory authority is indispensable, to some ‘soft’ forms, such as awareness-raising, training, staff exchange (see the “joint actions” in Article 12bis 7.b).). In cases where a Party makes use of an exception in accordance with Article 9 paragraph 3, this co-operation requirement shall not apply to the functions and powers covered by such an exception.

19. The catalogue of possible co-operation activities is not exhaustive. In the first place, supervisory authorities shall provide each other mutual assistance, especially by providing any relevant and useful information. This information could be of a twofold nature: “information and documentation on their law and administrative practice relating to data protection”, which normally does not raise any issues, such information could be exchanged freely and made publicly available, but also confidential information, including personal data.

20. As far as personal data is concerned, it can be exchanged only if its provision is essential for the co‑operation, i.e. if without its provision the co-operation would be rendered ineffective, or if the “data subject concerned has given explicit, specific, free and informed consent”. In any case, the transfer of personal data must comply with the provisions of the Convention, and in particular Chapter II (see also Article 16(b) providing for the grounds for refusal).

21. Further to the provision of relevant and useful information, the goals of co-operation can be achieved by coordinated investigations or interventions as well as joint actions. For the applicable procedures, supervisory authorities shall refer to the applicable domestic legislation such as codes of administrative, civil or criminal procedure, or supra or international commitments their jurisdictions are bound by, e.g. mutual legal assistance treaties, having assessed their legal capacity to enter into a co-operation of that type.

22. The provisions on mutual assistance among supervisory authorities shall be read in conjunction with the provisions of Articles 13 to 17, as these provisions would apply mutatis mutandis.

23. Paragraph 8 refers to a network of supervisory authorities, as a means to contribute to the rationalisation of the co-operation process and thus to the efficiency of the protection of personal data. It is important to note that the Convention refers to “a network” in singular form. This does not prohibit supervisory authorities originating from the Parties to take part in other relevant networks.

24. Paragraph 9 of Article 12bis states that supervisory authorities shall not be competent with respect to processing carried out by independent bodies when acting in their judicial capacity. Such exemption from supervisory powers should be strictly limited to genuine judicial activities, in accordance with national law.

Chapter IV – Mutual assistance

Article 13 – Co-operation between Parties

1. Chapter IV (Articles 13 to 17) forms a second set of provisions on co-operation between Parties, through their various authorities, in giving effect to the data protection laws implemented pursuant to the Convention. Mutual assistance is obligatory except in cases referred to in Article 16. Under Article 13, the Parties shall designate one or more authorities and communicate their contact details, as well as their substantive and territorial competences, if applicable, to the Secretary General of the Council of Europe. Subsequent articles provide for a detailed framework for mutual assistance.

2. While the co-operation between Parties will generally be carried out by the supervisory authorities established under Article 12bis, it cannot be excluded that a Party designates another authority to give effect to the provisions of Article 13.

3. The co-operation and general assistance is relevant for controls a priori as well as for controls a posteriori (for example to verify the activities of a specific data controller). The information exchanged may be of a legal or factual character.

Article 14 – Assistance to data subjects

1. Paragraph 1 ensures that data subjects, whether in a Party to the Convention or in a third country will be enabled to exercise their rights recognised in Article 8 regardless of their place of residence or their nationality.

2. According to paragraph 2, where the data subject resides in another Party he or she is given the option to pursue his or her rights either directly in the country where information relating to the data subject concerned is processed, or indirectly, through the intermediary of the designated authority.

3. Moreover, data subjects residing abroad may also have the opportunity to pursue their rights with the assistance of the diplomatic or consular agents of their own country.

4. Paragraph 3 specifies that requests be as specific as possible in order to expedite the procedure.

Article 15 – Safeguards concerning assistance

1. This article ensures that supervisory authorities shall be bound by the same obligation to observe discretion and confidentiality toward data protection authorities of other Parties and data subjects residing abroad.

2. Assistance from a supervisory authority on behalf of a data subject may only be given in response to a request from this data subject. The authority must have received a mandate from the data subject and may not act autonomously in his or her name. This provision is of fundamental importance for mutual trust, on which mutual assistance is based.

Article 16 – Refusal of requests for assistance

1. This article states that Parties are bound to comply with requests for assistance. The grounds for refusal to comply are enumerated exhaustively. They correspond generally with those provided for by other international treaties in the field of mutual assistance.

2. The term "compliance" which is used in littera c should be understood in the broader sense as covering not only the reply to the request, but also the action preceding it. For example, a requested authority might refuse action not only if transmission to the requesting authority of the information asked for might be harmful for the rights and fundamental freedoms of an individual, but also if the very fact of seeking the information might prejudice his or her rights and fundamental freedoms. Furthermore, a requested authority may be required by applicable national law to ensure that other public order interests are protected (e.g. ensuring the confidentiality of a police investigation). To this end a supervisory authority may be obliged to omit certain information or documents in its response to a request for assistance.

Article 17 – Costs and procedures of assistance

1. The provisions of this Article are analogous to those found in other international conventions on mutual assistance.

2. With a view to not burdening the Convention with a mass of implementing details, paragraph 3 of this Article provides that procedure, forms and language to be used can be agreed between the Parties concerned. The text of this paragraph does not require any formal procedures, but allows for administrative arrangements, which may even be confined to specific cases. Moreover, it is advisable that Parties leave to the designated authorities the power to conclude such arrangements. The forms of assistance may also vary from case to case. It is obvious that the transmission of a request for access to sensitive medical information will have requirements which differ from routine inquiries about entries in a population record.

Chapter V – Convention Committee

1. The purpose of Articles 18, 19 and 20 is to facilitate the effective application of the Convention and, where necessary, to perfect it. The Convention Committee constitutes the third means of co-operation of the Parties in giving effect to the data protection laws implemented pursuant to the Convention.

2. A Convention Committee is composed of representatives of all Parties, from the national supervisory authorities or from the government.

3. The nature of the Convention Committee and the likely procedure followed could be similar to those set up under the terms of other conventions concluded in the framework of the Council of Europe.

4. Since the Convention addresses a constantly evolving subject, it can be expected that questions will arise both with regard to the practical application of the Convention (Article 19, littera a) and with regard to its meaning (same article, littera d).

5. Under examination.

6. Under examination.

7. Under examination.

8. Under examination.

9. Under examination.

10. According to Article 21, the Convention Committee is entitled to propose amendments to the Convention and examine other proposals for amendment formulated by a Party or the Committee of Ministers (Article 19 litterae b and c).

11. In order to guarantee the implementation of the data protection principles set by the Convention, the Convention Committee will have a key role in assessing compliance with the Convention, either when preparing an assessment of the level of data protection provided by a candidate for accession (Article 19 littera e) or when periodically reviewing the implementation of the Convention by the Parties (Article 19 littera h). The Convention Committee will also have the power to assess the compliance of the data protection system of a State or international organisation with the Convention if the State or organisation requires the Committee to do so (Article 19 littera f).

12. In providing such opinions on the level of compliance with the Convention, the Convention Committee will work on the basis of a fair, transparent and public procedure detailed in its Rules of Procedure.

13. Furthermore, the Convention Committee may approve models of standardised safeguards for data transfers (Article 19 littera g).

14. Finally, the Convention Committee may help to solve difficulties arising between Parties (Article 19 littera i). Where disputes are concerned, the Convention Committee will seek a settlement through negotiation or any other amicable means.

15. Article 20 paragraph 3 has been drafted solely for the purposes of the present Convention and does not have any implications beyond its scope.

Chapter VI – Amendments

Article 21 – Amendments

1. The Committee of Ministers, which adopted the original text of this Convention, is also competent to approve any amendments.

2. In accordance with paragraph 1, the initiative for amendments may be taken by the Committee of Ministers itself, by the Convention Committee or by a Party (whether a member State of the Council of Europe or not).

3. Any proposal for amendment that has not originated with the Convention Committee should be submitted to it, in accordance with paragraph 3, for an opinion.

Chapter VII – Final clauses

Article 22 – Entry into force

1. Since for the effectiveness of the Convention a wide geographic scope is considered essential, paragraph 2 sets at five the number of ratifications by member States of the Council of Europe necessary for the entry into force.

Article 23 – Accession by non-member States and international organisations

1. The Convention, which was originally developed in close co-operation with OECD and several non-European member states, is open to any State around the globe complying with its provisions. The Convention Committee is entrusted with the task of assessing such compliance and preparing an opinion for the Committee of Ministers relating to the level of data protection of the candidate for accession.

2. Considering the frontier-less nature of data flows, accession by countries and international organisations from all over the world is sought. International organisations that can accede to the Convention are solely international organisations which are defined as organisations governed by public international law.

Article 24 – Territorial clause

1. The application of the Convention to remote territories under the jurisdiction of Parties or on whose behalf a Party can make undertakings is of practical importance in view of the use that is made of distant countries for data processing operations either for reasons of cost and manpower or in view of the utilisation of alternating night and daytime data processing capability.

Article 25 – Reservations

1. The rules contained in this Convention constitute the most basic and essential elements for effective data protection. For this reason, the Convention allows no reservations to its provisions, which are, moreover, reasonably flexible, having regard to the exceptions and restrictions permitted under certain articles.

Article 26 – Denunciation

1. Any Party is allowed to denounce the Convention at any time.

Article 27 – Notifications

1. These provisions are in conformity with the customary final clauses contained in other conventions of the Council of Europe.