Strasbourg, 15 June / juin 2015                                                                     T-PD-BUR(2015)04

(T-PD-BUR)

Compilation of comments received on the Draft explanatory Report of the draft modernised Convention 108 / Compilation des commentaires reçus sur le Projet de Rapport Explicatif du projet de modernisation de la Convention 108.

Directorate General / Direction Générale

Human Rights and Rule of Law / Droits de l’Homme et Etat de droit


TABLE / INDEX


BELGIUM / BELGIQUE

IRELAND / IRLANDE

ITALY / ITALIE

MOROCCO / MAROC

SLOVAKIA / SLOVAQUIE

EUROPEAN COMMISSION / COMMISSION EUROPEENNE

EUROPEAN DATA PROTECTION SUPERVISOR / LE CONTROLEUR EUROPEEN DE LA PROTECTION DES DONNEES

BELGIUM/ BELGIQUE

Preliminary remarks / Remarques préliminaires :

Concerning the Modernisation of the Convention 108 in the phrase:

“The modernisation of the Convention is highly topical, as with increasing globalisation of processing of personal data (flows of ubiquitous data) and associated legal uncertainty[SV1] as to the applicable law

Asia-Pacific Economic Cooperation (APEC) - 2004

The APEC Privacy Framework and APEC’s Cross Border Privacy Rules system (CBPRs) were considered when reflecting on the need to increase cooperation among regions and systems, in particular as regards international enforcement and transborder data transfers [SV2].

Chapter I – General provisions

Article 2 – Definitions

Litt. a – ‘personal data’

16.        "Identifiable individual" means a person who can be directly or indirectly identified. An individual is not considered ‘identifiable’ if his or her identification would require unreasonable time, effort or means. The determination of what constitutes ‘unreasonable time, effort or means’ should be assessed on a case-by-case basis, in light of the purpose of the processing [SV3] and taking into account objective criteria such as the cost, the benefits of such an identification, the technology used, etc. [SV4]

17.        The notion of ‘identifiable’ does not only refer to the individual’s civil or legal identity as such, but also to what may allow to “individualise” or single out (and thus allow to treat differently) one person among others. This “individualisation” can be done for instance by referring to him or her specifically or to a device or a combination of devices (computer, mobile phone, camera, gaming devices, etc.) on the basis of an identification number, a pseudonym [SV5], biometric or genetic data, etc.

20.        The notion of "data subject" also entails the idea that a person has a subjective right with regard to the data about himself or herself, even where this is gathered by others.

20.        In the comment under this notion of “personal data, I would here add the comments made at point 32 on living /deceased persons as well on legal persons.

22.        “Controller” refers to the person or body having the decision-making power concerning the processing whether this power derives from a legal designation or factual circumstances [SV6]. In some cases, there may be multiple controllers or co-controllers (jointly responsible for a processing and/or possibly responsible for different aspects of that processing). The following factors are relevant to assess whether the person or body is a controller: that person or body should have control over for instance the reasons justifying the processing; the processing methods; the choice of data to be processed; and who is allowed to access it. The controller remains responsible for the data involved in a processing wherever those data are located and independently of who carries out the processing operations. In this respect, persons who are not under the controller’s authority and carry out the processing solely according to the controller’s instructions are to be considered processors.

Litt. d [/e] – ‘recipient’

25.        “Recipient” is an individual or an entity who receives personal data or to whom personal data are made available. Depending on the circumstances [SV7], the controller, the processor, the data subject or a third party may also be a recipient.

Article 3 – Scope

27.        This is for instance the case when the controller is established on the territory of that Party, when activities involving data processing are performed in that territory or when services involving data processing are offered to a data subject located on that territory, since the main criterion of definition of the jurisdiction is still linked to the territory [SV8]. The Convention has to be applied when the data processing is carried out within the jurisdiction of the Party, which includes, in respect of the provisions of Article 12, when transborder data flows occur, whether in the public or private sector.

32.        While the Convention concerns data processing relating to natural persons, the Parties can provide in their domestic laws for an extension of the protection to the data relating to legal persons in order to protect their legitimate interests. The Convention applies to living individuals: it is not meant to apply to personal data relating to deceased persons. However, this does not prevent Parties from extending the protection to deceased persons [SV9] (e.g. to address the increasing needs for protection of the reputation or interests of the deceased person or heirs [SV10]).

Chapter II – Basic principles of data protection

Article 4 – Duties of the Parties

34.        The term “law of the Parties” denotes, according to the legal and constitutional system of the particular country, all substantive rules, whether of statute law or case law, which meet the qualitative requirements of accessibility and previsibility (or ‘foreseeability’ [SV11]).

Article 5 – Legitimacy of data processing and quality of data

43.        The mere silence or inactivity should therefore not constitute consent [SV12]. Consent should cover all processing activities carried out for the same purpose or purposes. The data subject must be fully aware of the implications of his or her decision, and have been, to this end, adequately informed. No influence or pressure (which can be of an economic nature), whether direct or indirect, may be exercised on the data subject.

45.        The data subject has the right to withdraw the consent given at any time (which is to be distinguished from the separate right to object to a processing). This will not affect the lawfulness of the data processing that occurred before his or her withdrawal of consent but will prevent any further processing. [SV13]

Article 6 – Special categories of data

58.        The processing of photographs will not systematically be a sensitive processing [SV14] as they will only be covered by the definition of biometric data when being processed through a specific technical means allowing the unique identification or authentication of an individual. Furthermore, where their processing will aim at revealing racial or health information (see the following point), such a processing will be considered as a sensitive one. [SV15]

59.        Some processing can be sensitive when data are processed for specific information they reveal that has, in the circumstances at stake, the potential of harming data subjects. [SV16] While the processing of family names can in some circumstances be void of any risk for the individuals (e.g. common payroll purposes), such a processing could be sensitive, for example when the purpose is to reveal the ethnic origin or religious beliefs of the individuals based on the linguistic origin of their names. Processing data for the information they reveal concerning health includes information concerning the past, present and future, physical or mental health of an individual, and which may refer to a person who is sick or healthy. [SV17]

Article 7 – Data security

61.        The controller or, where applicable [SV18], the processor should take specific security measures,

Article 8 – Rights of the data subject

75.        Littera b. Data subjects should be entitled to know about their personal data processed. While the right of access should in principle be free of charge, the wording of littera b is intended to cover various formulas followed by the legislation of the Party for appropriate cases: communication free of charge at fixed intervals as well as communication against a maximum lump-sum payment, etc. [SV19]

82.        Furthermore, it should be noted that the specification of the purpose, the conditions for the legitimacy of the processing, the right of rectification or erasure, together with the provision on the length of time for data storage (article 5.4 littera e [SV20]) coupled with an effective right to object and the right to withdraw consent offer an effective level of protection for the data subject. This set of rights pragmatically corresponds to the effect of what is referred to as a ‘right to be forgotten’.

Article 8bis - Additional obligations

83.        In order to ensure that the right to the protection of personal data is effective, additional obligations have to be placed on the controller as well as, where applicable [SV21], the processor(s).

86.        Paragraph 2 clarifies that before carrying out the data processing, the controller will have to examine its potential impact on the rights and fundamental freedoms of the data subjects. This examination will also have to take into account the principle of proportionality on the basis [SV22] of the comprehensive overview of the processing (considering what personal data will be processed and for which purpose, how it will be collected, how it will be used, internal flows, disclosures, security measures, etc.). In some circumstances, where a processor is involved in addition to the controller, the obligation to examine the risks may also be imposed on the processor [SV23] and the determination of the existence of such an obligation will be made taking into account the comprehensive overview of the processing.

87.        Paragraph 3 specifies that in order to better guarantee an effective level of protection, controllers and, where applicable [SV24], processors should see to it that data protection requirements are integrated as early as possible (i.e. ideally at the stage of architecture and system design) in data processing operations through technical and organisational measures.

There should also be easy-to-use tools for data subjects to take their data to another provider of their choice or keep the data themselves (data portability tools). When setting up the technical requirements for default settings, controllers and processors should choose applications and software that have been designed paying due regard to the principle of data minimisation [SV25] and privacy by default.

Chapter III – Transborder flows of personal data

Article 12 – Transborder flows

100.      Most of the time, such a situation (a change of jurisdiction and applicable law) occurs when there is a data transfer from a State Party to the Convention to a foreign country. A data transfer occurs when personal data are disclosed or made available, with the knowledge of the sender, [SV26] to a recipient subject to the jurisdiction of another State or international organisation.

104.      In some cases, data flows will be made from a Party simultaneously to several foreign States or international organisations, some of which are Parties to the Convention and some of which are not. In those cases, the Party transferring the data, which has export procedures for non-Parties, may not be able to avoid applying those procedures also to the data destined for a Party, but it should proceed in such a way as to ensure that these procedures are not an obstacle to data transfers to the latter Party is agreed. [SV27]

106.      Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content [SV28] of the law must include the relevant elements of data protection as set forth by this Convention. [SV29]

109.      Paragraph 4 enables Parties to derogate, in a particular case, from the principle of requiring an appropriate level of protection and to allow a specific transfer to a recipient which does not ensure such a protection. Such derogations are permitted in limited situations only (with the data subject’s consent or specific interest and/or where there are prevailing legitimate interests provided by law). Such derogations should not be disproportionate [SV30] and should not be used for massive or repetitive data transfers. Where massive or repetitive data transfers are involved, provisions of article 12.3 should apply.

112.      In respect of transborder flows of personal data, a specific restriction is allowed in view of protecting freedom of expression, including freedom of the press. Parties may allow exceptions to the provisions of this Article 12 [SV31] on the condition that these exceptions are provided for by law and are necessary in a democratic society to protect the freedom of expression.

Chapter III bis – Supervisory authorities

Article 12bis – Supervisory authorities

114.      The effective application of the principles of the Convention necessitates the adoption of appropriate sanctions and remedies (Article 10). Most countries which have data protection laws have set up supervisory authorities to deal with evolving and complex personal data processing in light of organisational, social and societal evolutions. This context requires an external impartial overview, with fast reactive powers and specialised expertise. Such authorities may for instance be a commissioner, a commission, an ombudsman or an inspector general. [SV32]

116.      Parties have certain discretion as to how to set up the authorities for enabling them to carry out their task. According to paragraph 2, however, they must have at least the powers of investigation and intervention and the powers to issue decisions and impose administrative [SV33] sanctions.

126.      Paragraph 4 clarifies that supervisory authorities cannot effectively safeguard individual rights and freedoms unless they exercise their functions in complete independence. A number of elements contribute to safeguarding the independence of the supervisory authority in the exercise of its functions. These should include: the composition of the authority; the method for appointing its members; the possibility for them to participate in meetings without any authorisation or instruction; the option to consult technical or other experts or to hold external consultations; the duration of exercise and conditions of cessation of their functions; the allocation of sufficient resources to the authority; or the adoption of decisions without being subject to external orders or injunctions. [SV34]

Chapter IV – Mutual assistance

Article 14 – Assistance to data subjects

133.      Paragraph 1 ensures that data subjects, whether in a Contracting State [SV35] or in a third country, will be enabled to exercise their rights recognised in article 8 of the Convention regardless of their place of residence or their nationality.

IRELAND/ IRLANDE

Preamble

10.        Convention 108, through the principles it lays down and the values it holds enshrines, protects the [SV36] individuals and defines an appropriate environment for the flow of information.

Chapter I – General provisions

Article 1 – Object and purpose

12.        The first article is devoted to a description of describes the Convention's object and purpose.

13.        This article focuses on the subject of protection: the individuals are to be protected when their personal data are processed. The right to such a [SV37] protection has acquired an autonomous meaning…

14.        The guarantees set out in the Convention are extended to every individual regardless of nationality or residence. No discrimination between aliens [SV38] and citizens

Article 2 – Definitions

18.        Data that appears to be anonymous because it is not accompanied by any obvious identifying data may, nevertheless in particular cases, permit to identify the related individual.

19.        When data are made anonymous, all means should be put in place to avoid re-identification of individuals, in particular, all technical means should be secured in order to guarantee that data will remain anonymised. The anonymity of data should be re-evaluated in time as in light of the fast pace of technological development. What could at a point in time be considered ‘unreasonable’ could after some time be considerably facilitated by technology and enable identification with reasonable ease.

Litt. e [/f] – ‘processor’

26.        “Processor” is a separate entity acting on behalf of the controller carrying out the processing in the manner that was requested by the controller and for the needs of the controller. An employee of a controller is not a processor. The instructions given by the controller draw establish the limit of what the processor is allowed to do.

Article 3 – Scope

27. … The Convention has to be applied when the data processing is carried out within the jurisdiction of the Party, which includes, in respect of the provisions of Article 12, when transborder data flows occur, whether in the public or private sector. [SV39]

Chapter II – Basic principles of data protection

Article 5 – Legitimacy of data processing and quality of data

50.        The further processing of personal data, referred to in paragraph 4(b), for statistical, historical or scientific purposes is a priori considered as compatible provided that other safeguards exist (such as, for instance, data anonymisation/pseudonymisation, keeping of identifiable form of data only as long as absolutely necessary, rules of professional secrecy, provisions governing restricted access and communication of data for the above mentioned purposes, notably in relation with public statistics and public archives, other technical and organisational data-security measures). and that the operations, by definition, exclude any use of the information obtained for decisions or measures concerning a particular individual. “Statistical purposes” refers to the elaboration of statistical surveys or the production of statistical results. Statistics aim at analysing and characterising mass or collective phenomena in a considered population.  Statistical purposes can be pursued either by the public or the private sector. Processing of data for “scientific purposes” aims at providing researchers with information contributing to an understanding of phenomena in varied various scientific fields…..

52.        The requirement of paragraph 4(d) that data be not excessive in relation to the purposes for which it is processed reflects the principle of proportionality in two ways: it firstly entails that processing of data should be limited to the minimum necessary in relation to the purpose for which they are processed. “Not excessive” refers both to the quantity and the quality of personal data. Secondly, data which would be relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should not be processed. Such is the case, for instance, in a standard recruitment procedure where it is clearly excessive in relation to the purposes of the processing to collect HIV data of the candidates to the post, while this can be considered as relevant data (in terms of management of future absences for instance).

Article 6 – Special categories of data

60.        Collection of sensitive data without identification data is a safeguard within the meaning of Article 6 of the Convention. Where there is a legitimate need to collect sensitive data for statistical purposes in identifiable form (so that a repeat survey can be carried out, for example), appropriate safeguards should be to put in place should be: measures to dissociate sensitive data and identification data as from the stage of collection except if not feasible, the necessity to obtain the data subject's explicit consent preceding the survey (the mere fact of providing data could not be regarded as amounting to consent) except if justified by an important public interest, and the abstention of publication and dissemination of personal data. [SV40]

Article 7bis – Transparency of processing

66.        Any additional information that is necessary to ensure a fair data processing

68.        The controller is not requested required to provide this information

69.        When such impossibility is of a practical nature, the data controller shall nonetheless use any available, reasonable and affordable means making it possible to inform data subjects in general or individually as the case may be (for instance when the controller is put in contact with the data subject for any reason, or through the website of the controller, etc.). [SV41]

Article 8 – Rights of the data subject

71.        – the right to be informed about the reasoning on which is based the processing is based (littera c)

72.        … the processing is based can be limited to protecting in order to protect the rights of others.

74.        … personal data before it being used … or other arguments factors that will have an impact on the result of the automated decision.

75.        While the right of access should in principle be free of charge, the wording of littera b is intended to cover various formulas followed by the legislation of the Party for appropriate cases: communication free of charge at fixed intervals as well as communication against a maximum lump-sum payment, [SV42]

… It should be reasonable in order not to prevent or dissuade data subjects to exercise from exercising their rights and should in any case either be equal or inferior to less than the actual cost of the operation.

81.        Littera g aims at safeguarding an effective protection of the individuals by providing them with the assistance of a supervisory authority in exercising the rights provided by the Convention. When the person resides in the territory of another Party, he or she shall should be given the option of submitting the request through the intermediary of the authority designated by that Party. The request for assistance shall should contain.

82.        Furthermore, it should be noted that the specification of the purpose, the conditions for the legitimacy of the processing, the right of rectification or erasure, together with the provision on the length of time for data storage (article 5.4. littera e) coupled with an effective right to object and the right to withdraw consent offer an effective level of protection for the data subject. This set of rights pragmatically corresponds to the effect of what is referred to as a ‘right to be forgotten’

Article 8bis - Additional obligations

Attention: erratum in the numbering from point 82 onwards.

Article 9 – Exceptions and restrictions

88.89.   No exceptions to the principles for protection of personal data are to be allowed [SV43].

Nevertheless, it is permitted in a strictly restrictive manner, for a limited number of provisions, to allow the benefit of derogations when such derogations are provided for by law and are necessary in a democratic society for the specific grounds exhaustively listed in litterae a and b of the first paragraph of Article 9. A measure which is "necessary in a democratic society" must pursue a legitimate aim and thus meet a pressing social need which cannot be achieved by less intrusive means. Such a measure should be proportionate to the legitimate aim being pursued and the reasons adduced by the national authorities to justify it should be relevant and sufficient. Such a measure must be prescribed by an accessible and foreseeable law, which must be sufficiently detailed.

89.90.   The necessity of such measures needs to be examined in light of limited legitimate aims only, as is detailed in littera a and b of the first paragraph. Littera a lists the major interests of the State which may require exceptions. These exceptions are very specific to avoid giving Parties unduly wide leeway with regard to the general application of the Convention. [SV44]

92.93.   Littera b concerns major interests of private parties, such as those of the data subject himself or herself (for example when a data subject’s vital interests are threatened as because the data subject he/she is missing).

Chapter III – Transborder flows of personal data

Article 12 – Transborder flows

98.99.   The purpose of the transborder flow regime is to ensure that information originally processed within the jurisdiction of a Party to the Convention (data collected or stored there for instance), when the processing then subsequently appears to be submitted to the jurisdiction of a State which is not Party to the Convention, continues to be processed in line with data protection principles that are appropriate with regard to the present Convention. What is important is that data subjects originally concerned by the data processed within the jurisdiction of a Party to the Convention always remain protected by appropriate data protection principles no matter the particular law applicable to the processing at stake. While there may be a wide variety of systems that different protection nevertheless has to be of a quality sufficient to ensure that human rights are not affected by globalisation and the transborder nature of data flows. [SV45]

100.101. Article 12 only applies only to the export outflow of data, not to its the import inflow, as for the latter, data are covered by the data protection regime of the recipient Party.

101.102. … This is the case of member States member of the European Union …

103.104. In some cases, data flows will be made from a Party simultaneously to several foreign States or international organisations, some of which are Parties to the Convention and some of which are not. In those cases, the Party transferring the data, which has export procedures for non-Parties, may not be able to avoid applying those procedures also to the data destined for a Party, but it should proceed in such a way as to ensure that these procedures are not an obstacle to data transfers to the latter Party is agreed. [SV46]

105.106. Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content [SV47] of the law must include the relevant elements of data protection

111.112. In respect of transborder flows of personal data, a specific restriction exemption is allowed in view of protecting freedom of expression …

Chapter III bis – Supervisory authorities

Article 12bis – Supervisory authorities

121.122. … While raising awareness on data protection issues, the authorities have to be attentive to specifically address children and vulnerable public [SV48] through adapted ways and languages.

122.123. As provided for under paragraph 2bis, supervisory authorities must be entitled to give opinions on administrative measures which provide for the processing of personal data. Only general measures are meant by this consultative power, not individual measures [SV49].

Chapter V – Convention Committee

151.152. Where friendly settlements of disputes are concerned, the Convention Committee will seek a settlement through negotiation or any other peaceful amicable means.

Chapter VII – Final clauses

Article 26 – Denunciation

160.161. In accordance with the United Nations Vienna Convention on the Law of Treaties, Article 80 [SV50] allows any Party to denounce the Convention.

ITALY/ITALIE

Chapter I – General provisions

Article 2 – Definitions

22.        "Controller” refers to the person or body having the decision-making power concerning the processing whether this power derives from a legal designation or factual circumstances. In some cases, there may be multiple controllers or co-controllers (jointly responsible for a processing and possibly responsible for different aspects of that processing). The following factors are relevant to assess whether the person or body is a controller: that person or body should have control over for instance the reasons justifying the processing; the processing methods; the choice of data to be processed; and who is allowed to access it. The controller remains responsible for the data involved in a processing wherever those data are located and independently of who carries out the processing operations. In this respect, persons who are not under the controller’s authority [SV51] and carry out the processing solely according to the controller’s instructions are to be considered processors.

26.        “Processor” is a separate entity acting on behalf of the controller carrying out the processing in the manner that was requested by the controller and for the needs of the controller. An employee of a controller is not a processor. The instructions given by the controller draw the limit of what the processor is allowed to do. The processor who does not respect these instructions is illegally processing the data. Processors who legitimately process data for their own purposes are to be considered as controllers for the processing operations linked to those purposes. [SV52]

Chapter II – Basic principles of data protection

Article 5 – Legitimacy of data processing and quality of data

42.        Paragraph 2 prescribes two alternate essential pre-requisites to a lawful processing: the individual’s consent or a legitimate basis prescribed by law. Paragraphs 1 and [SV53] of Article 5 are cumulative and must be respected in order to ensure the legitimacy of the data processing.

43.        The data subject’s consent must be freely given, specific, informed and unambiguous. The consent represents a declaration of the individual’s intention: it is the free expression of an intentional choice, given either by a statement or by a clear affirmative action and which clearly indicates in this specific context the acceptance of the proposed processing of personal data. The mere silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. The data subject must be fully aware of the implications of his or her decision, and must have have must have been, to this end, adequately informed by the controller. No influence or pressure (which can be of an economic nature) whether direct or indirect, may be exercised on the data subject.

44.        An expression of consent does not waive the need to respect the basic principles for the protection of personal data set in Chapter II of the Convention and the proportionality of the processing for instance still has to be tested. [SV54]

45.        The data subject has at any time the right to withdraw the consent given at any time (which is to be distinguished from the separate right to object to a processing).

52.        The requirement of paragraph 4(dc) that data be not excessive …

Article 8 – Rights of the data subject

79.        The right to object may be limited by virtue of a law, for example, for the purpose of the investigation or prosecution of criminal offences. When the data processing is based on a valid consent given by the data subject, the right to object gives way to the right to withdraw consent. [SV55] Everyone may withdraw one’s consent provided that he/she assumes the consequences possibly deriving from other legal texts such as the obligation to compensate the controller.

Article 9 – Exceptions and restrictions

92.        The term "important economic and financial interests of the State" should be read restrictively and covers, in particular, tax collection requirements and exchange control. The term "prevention and suppression of criminal offences" in this littera includes the investigation as well as the prosecution of criminal offences[SV56].  

Chapter III – Transborder flows of personal data

Article 12 – Transborder flows

106.      Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content[SV57] of the law / These instruments must include the relevant elements of data protection.

Chapter III bis – Supervisory authorities

Article 12bis – Supervisory authorities

122.      Paragraph 2(e) deals with the awareness raising role of the supervisory authorities. Whilst contributing to the protection of individual rights, the supervisory authority also acts as an intermediary[SV58] between the data subject and the controller. In this context, it seems particularly important that the supervisory authority proactively ensures the visibility of its activities, functions and powers. To this end, the supervisory authority should have the power to inform the public through regular reports (see paragraph 131), the publication of opinions or any other means of communication, and to publicly issue recommendations to the head of State, government and Parliament in order to improve the data protection system[SV59]. Moreover, it must provide information to individuals and to data controllers and processors about their rights and obligations concerning data protection. While raising awareness on data protection issues, the authorities have to be attentive to specifically address children and the vulnerable public[SV60] through adapted ways and languages.

131.      Paragraph 7 deals with the co-operation functions of supervisory authorities. Strengthening co-operation between the supervisory authorities would contribute to the development of the level of protection afforded by the Parties under the Convention. This co-operation is in addition to the mutual assistance provided for in Chapter IV of the Convention and the work of the Convention Committee. Its purpose is to provide improved protection to the persons concerned. With increasing frequency, persons are directly affected by data processing operations which are not confined to one country and therefore involve the laws and authorities of more than one country. Some examples are the development of international electronic networks and increasing cross-border flows in the service industries and the work environment. In such a context, international co-operation between supervisory authorities ensures that persons are able to exercise their rights on an international as well as a national level. The promotion of co-operation could take the form of networks, taking advantage of already existing opportunities for authorities to meet and discuss matters of common interest. The importance, for those authorities, of keeping abreast of technological developments shall be stressed.

.. [SV61]

MOROCCO/MAROC

Proposals of the Commission pour le Contrôle de la Protection des Données à caractère personnel (CNDP) concerning the Draft explanatory report of the modernised version of Convention 108.

1.     Article 7 bis, paragraphs 1 and 2 on the “transparency of personal data processing”

·         The CNDP suggests, in order to provide more guarantees for the exercise of the data subject’s right to information, specifying in paragraph 68 of the explanatory report that the burden of proof lies with the controller. It also proposes that the cases of “impossibility” of informing the data subject be inserted in the same paragraph.

·         As regards the extension of the scope of the exception to certain personal data protection principles to the fields of the internal and external security of the State and to the fight against “terrorism, separatism and espionage”, the CNDP finds that this provision of the explanatory report is in perfect harmony with the new constraints of the international environment relating to the reconciliation of State security and the protection of privacy.

2.     Article 18.4 on the financing of the activities of the Convention Committee by any Party that is not a member of the CoE.

The CNDP proposes to incorporate in paragraph 46 of the explanatory report the idea that the amount of the contribution should be proportional to the GDP per capita of the country concerned, in order to take into account the situation of developing countries that are candidates for accession to Convention 108.

3.     The CNDP welcomes finding in the preamble, alongside the right to the protection of personal data, the right to privacy. This reference is in complete harmony with the provisions of the Moroccan Constitution, which in Article 24 recognises the right of every person to the protection of his or her private life, and with the case law of the European Court of Human Rights.

4.     The CNDP considers that the procedure for accession to the modernised Convention 108 is somewhat constraining in comparison with the procedures for accession of States to other human rights Conventions. In its view, the assessment of the level of protection takes place once accession has been completed and not at the time of, or before, that accession.

5.     Given that the text of the modernised Convention does not admit reservations, the CNDP suggests that the term “reservations” be replaced, in the footnote to the text of the Convention, by “declaration” or “interpretative declaration”.

6.     It should be noted that, concerning Article 12 on transborder flows of personal data, the CNDP considers that the last sentence of paragraph 1 risks emptying of its substance the principle set out in the first part of that paragraph concerning the freedom of flows between the States Parties to the Convention. Indeed, excluding from this principle “Parties bound by harmonised rules that are binding and common to States belonging to a regional international organisation” risks hindering the freedom of flows. Such a provision also raises the problem of respect for the principle of reciprocity.

7.     As regards Article 12.5, it is suggested that notification not be limited to the cases set out in that paragraph. This wording could limit the possibility for a supervisory authority to require notification of every transfer in order to ensure that the required conditions are indeed met. Such a measure is necessary in order to establish a culture of personal data protection in countries that have recent legislation in this field.

SLOVAKIA/SLOVAQUIE

Slovakia is of the opinion that this explanatory report will have to be adjusted in accordance with the latest version of the Modernisation proposals of Convention 108, taking into account the comments and reservations received at the last meeting of CAHDATA, e.g. those made by the EU Commission on the notion „explicit/unambiguous“ in Article 5, or by other delegations.

In relation to the Draft explanatory report we have the following comments.

Paragraph 24

We propose to add to the third sentence enumerating the factors for the assessment of the controller the following: „that person or body should have itself or jointly with other persons control over...“. The controller is not only a subject who meets the factors mentioned in this paragraph but also determines the means and conditions of data processing.

Therefore we would like to pose the question whether the wording „the processing methods“ includes these two factors or not. If not, we are of the opinion that the means and conditions of data processing are equally important as the other factors listed in paragraph 24 and should be added among them.

Paragraph 88

We question the relation between additional obligations and the size of the processing entity. The Slovak Republic has one general act on personal data protection which is generally applicable to all controllers regardless of their size or their status as a public or private entity, especially so in relation to data security measures. Therefore the wording „and the size of the processing entity“ should be deleted.

Paragraph 110

We are of the opinion that the appropriate level of protection should apply to the transfer of personal data as such and not only to massive or repetitive data transfers. If we want to emphasise that massive or repetitive data transfers represent a higher risk to data safeguards and therefore need higher protection, the last sentence of this paragraph should be redrafted accordingly.

EUROPEAN COMMISSION/COMMISSION EUROPEENNE

This document was prepared on the basis of the consolidated text of the modernised Convention 108 and the numbering of the articles does not correspond to the draft Amending Protocol of the Convention.

Preamble

8.          Putting individuals in a position to know, to understand and thus to control the processing of their personal data by others is a major objective of the Convention. Accordingly, the preamble expressly refers to the right to control one’s data, which stems in particular from the right to privacy, as well as to the dignity of individuals.  Individuals should be able to safeguard their privacy by means of their right to the protection of personal…

Human dignity implies that safeguards be put in place when processing personal data, in order for individuals not to be treated as mere objects. Consequently, measures and decisions which significantly affect an individual and are based solely on the grounds of automated processing of data (including profiling) should be allowed only under strict conditions and should be subject to suitable safeguards, and in particular cannot be made final without individuals having the right to have their views taken into consideration…..

10.        Convention 108, through the principles it lays down and the values it holds, protects the individuals and defines an appropriate environment for the flow of information. This is important as global information flows are an important societal feature, enabling the exercise of fundamental rights and freedoms while triggering innovation and fostering social and economic progress. The flow of personal data in an information and communication society must respect the rights of the individuals with regard to their privacy and personal data. Furthermore, innovative technologies should respect those rights as well. This will help to build trust in innovations and new technologies and further enable their development.

Chapter I  – General provisions

Article 2 – Definitions

17.        The notion of ‘identifiable’ does not only refer to the individual’s civil or legal identity as such, but also to what may allow one to “individualise” or single out (and thus allow one to treat differently) one person among others. This “individualisation” can be done for instance by referring to him or her specifically or to a device or a combination of devices (computer, mobile phone, camera, gaming devices, etc.) on the basis of an identification number, a pseudonym[SV62], biometric or genetic data, location data, an IP address, etc.

19.        When data are made anonymous, all means should be put in place to avoid re-identification of individuals; in particular, all technical means should be secured in order to guarantee that the individual is not or no longer identifiable and that the data will remain anonymised. The anonymity of data should be re-evaluated in time in light of the fast pace of technological development. What could at a point in time be considered ‘unreasonable’ could after some time be considerably facilitated by technology and enable identification of the individual with reasonable ease.[SV63]

20.        The notion of "data subject" also entails the idea that a person has a subjective right[SV64] with regard to the data about himself or herself, even where this is gathered by others.

Litt. c [/d] – ‘controller’

22.        "Controller” refers to the person or body having the decision-making power concerning the processing, whether this power derives from a legal designation or factual circumstances. In some cases, there may be multiple controllers or co-controllers (jointly responsible for a processing and possibly responsible for different aspects of that processing). The following factors are relevant to assess whether the person or body is a controller: that person or body should have control over, for instance, the reasons justifying the processing; the processing methods; the choice of data to be processed; and who is allowed to access it. The controller remains responsible for the data involved in a processing wherever those data are located and independently of who carries out the processing operations. In this respect, persons who are not under the controller’s authority and carry out the processing on the controller's behalf and solely according to the controller’s instructions are to be considered processors.

Litt. d [/e] – ‘recipient’

25.        ”Recipient” is an individual or an entity who receives personal data or to whom personal data are made available. Depending on the circumstances[SV65], the controller, the processor, the data subject or a third party may also be a recipient.

26.        ”Processor” is any person (other than an employee of the data controller) who processes data; a separate entity acting on behalf and for the needs of the controller and according to his instructions, carrying out the processing in the manner that was requested by the controller and for the needs of the controller. An employee of a controller is not a processor. The instructions given by the controller draw the limit of what the processor is allowed to do. The processor who does not respect those instructions is illegally processing the data. Processors who legitimately process data for their own purposes are to be considered as controllers for the processing operations linked to those purposes.

Article 3 – Scope

27.        According to paragraph 1, the Convention is to be applied by the Parties to all processing - within the public or private sector alike - subject to the jurisdiction of the concerned Party. The concept of ‘jurisdiction’ is meant to refer to the traditional competences of the State, i.e. prescriptive, adjudicative and enforcement jurisdiction on, in principle, its territory.[1] Any data processing carried out by a public sector entity falls directly within the jurisdiction of the Party, as it is the result of the Party’s exercise of jurisdiction. Processing carried out by controllers of the private sector falls within the jurisdiction of a Party when they have a sufficient connexion with the territory of that Party. This is for instance the case when the controller is established on the territory of that Party, when activities involving data processing are performed in that territory or are related to the monitoring of a data subject’s behaviour that takes place within that territory, or when the processing activities are related to the offer of services involving data processing or goods to a data subject located on that territory, since the main criterion of definition of the jurisdiction is still linked to the territory of the Party. The Convention has to be applied when the data processing is carried out within the jurisdiction of the Party, which includes, in respect of the provisions of Article 12, when transborder data flows occur, whether in the public or private sector.

28.        Making the scope of the protection dependent on the notion of ‘jurisdiction’ of the Parties is justified by the objective of better standing the test of time and continual technological developments, as well as the evolution of the legal concept of State jurisdiction according to international law, and of reinforcing the commitment to individuals’ protection. The concept of ‘jurisdiction’ is meant to refer to the traditional competences of the State, i.e. prescriptive, adjudicative and enforcement jurisdiction.

29. Paragraph 1bis excludes from the scope of the Convention processing carried out for [purely[SV66]] personal or household activities.[2] This exclusion aims at avoiding the imposition of unreasonable obligations on data processing carried out by individuals in their private sphere for activities relating to the exercise of their private life. Personal or household activities are activities which are closely and objectively linked to the private life of an individual and which do not significantly impinge upon the personal sphere of others. These activities have no professional or commercial grounds and exclusively correspond to personal or household activities such as storing family or private pictures on a computer, creating a list of the contact details of friends and family members, corresponding, etc. The private sphere notably relates to a family, a restricted circle of friends or a circle which is limited in its size and based on a personal relationship or a particular relation of trust.

30.        Whether activities are [‘purely[SV67]] personal or household activities’ will depend on the circumstances.

32.        While the Convention concerns data processing relating to natural persons the Parties can provide in their domestic laws for an extension of the protection to the data relating to legal persons in order to protect their legitimate interests. The Convention applies to living individuals: it is not meant to apply to personal data relating to deceased persons. However, this does not prevent Parties from extending the protection to deceased persons (e.g. to address the increasing needs for protection of the reputation or interests of the deceased person or heirs).  [SV68]

Chapter II – Basic principles of data protection

Article 4 – Duties of the Parties

34.        The term “law of the Parties” denotes, according to the legal and constitutional system of the particular country, all substantive rules, whether of statute law or case law, which meet the qualitative requirements of accessibility and previsibility (or ‘foreseeability[SV69]’). This implies that the law should be sufficiently clear to allow individuals and other entities to regulate their own behaviour in light of the expected legal consequences of their actions, and that the persons who are likely to be affected by this law should have access to it …

Article 5 – Legitimacy of data processing and quality of data

47.        Data processing carried out on important grounds of public interest should be provided for by law, notably for important economic or financial interests of the State, including monetary, budgetary and taxation matters, public health and social security, the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, the protection of national security, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the enforcement of civil law claims and the protection of judicial independence and judicial proceedings. Data processing may serve both important grounds of public interest and the vital interests of the data subject as, for instance, in the case of data processed for humanitarian purposes, including monitoring an epidemic and its spread, or in humanitarian emergencies, notably in situations of natural disasters, where the processing of personal data of missing persons (for a limited time) may be necessary for the purposes related to the emergency context (which is to be evaluated on a case-by-case basis[3]), or in situations of armed conflicts or other situations of violence.

50.        The further processing of personal data, referred to in  paragraph 4(b), for statistical, historical or scientific purposes is a priori considered as compatible provided that other safeguards exist (such as, for instance, data anonymisation/pseudonymisation, keeping of identifiable form of data only as long as absolutely necessary, rules of professional secrecy, provisions governing restricted access and communication of data for the above mentioned purposes, notably in relation with public statistics and public archives[SV70], other technical and organisational data-security measures) and that the operations, by definition, exclude any use of ……….

51.        Data undergoing processing should be adequate, relevant and not excessive. Furthermore, the data should be accurate and, where necessary, regularly kept up to date. 

52.        The requirement of paragraph 4(cd) that data be not excessive in relation to the purposes for which they are processed reflects the principle of proportionality in two ways: it firstly entails that processing of data should be limited to the minimum necessary in relation to the purpose for which they are processed; they shall only be processed if, and as long as, the purposes cannot be fulfilled by processing information that does not involve personal data. ”Not excessive” refers both to the quantity and the quality of personal data. Secondly, data which would be relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should not be processed. Such is the case, for instance, in a standard recruitment procedure where it is clearly excessive in relation to the purposes of the processing to collect HIV data of the candidates to the post, while this can be considered as relevant data (in terms of management of future absences for instance).[SV71]

From point 52 onwards there is an error of numbering.

Article 6 – Special categories of data

55.54.   In order to prevent adverse effects for the data subject, processing of sensitive data for legitimate purposes needs to be accompanied with appropriate safeguards (which are adapted to the risks at stake and the interests, rights and freedoms to protect), such as, alone or cumulatively, the data subject’s explicit consent, a specific law covering the intended purpose and means of the processing, a professional secrecy obligation[SV72], measures following a risk analysis, a particular and qualified organisational or technical security measure (data encryption for example).

58.57.   The processing of photographs will not systematically be a sensitive processing, as they will only be covered by the definition of biometric data when being processed through a specific technical means[SV73] allowing the unique identification or authentication of an individual. Furthermore, where their processing will aim at revealing racial[SV74] or health information (see the following point), such a processing will be considered as a sensitive one.

59.58.   Some processing can be sensitive[SV75] when data are processed for specific information they reveal that has, in the circumstances at stake, the potential to adversely affect data subjects’ rights[SV76]. While the processing of family names can in some circumstances be void of any risk for the individuals (e.g. common payroll purposes), such a processing could in some cases be sensitive, for example when the purpose is to reveal the ethnic origin or religious beliefs of the individuals based on the linguistic origin of their names. Processing data for the information they reveal concerning health includes information concerning the past, present and future, physical or mental health of an individual, and which may refer to a person who is sick or healthy.[SV77]

60.59.   Where sensitive data have to be processed for a statistical interest (for instance in order to have equality statistics or to obtain information about the population's health), they should be collected in such a way that the data subject is not identifiable. Collection of sensitive data without identification data[SV78] is a safeguard within the meaning of Article 6 of the Convention. Where there is a legitimate need to collect sensitive data for statistical purposes in identifiable form (so that a repeat survey can be carried out, for example), appropriate safeguards to put in place should be: measures to dissociate sensitive data and identification data as from the stage of collection except if not feasible, the necessity to obtain the data subject's explicit consent preceding the survey (the mere fact of providing data could not be regarded as amounting to consent) except if justified by an important public interest, and the abstention from publication and dissemination of personal data.

Article 7 – Data security

64.63 The notification made by the controller to the supervisory authorities should not preclude other complementary notifications. For instance, the controller should be encouraged to notify, where necessary, the data subjects in particular when the data breach is likely to result in a high risk for the rights and freedoms of individuals…

Article 8 – Rights of the data subject

75.74.   Littera b. Data subjects should be entitled to know about their personal data processed. While the right of access should in principle be free of charge, the wording of littera b is intended to cover various formulas followed by the legislation of the Party for appropriate cases: communication free of charge at fixed intervals as well as communication against a maximum lump-sum payment, etc. To ensure a fair exercise of the right of access, the communication “in an intelligible form” applies to the content as well as to the form of a standardised digital communication. The term "expense" means the fee charged to the data subject. It should be exceptional and in any case reasonable, in order not to prevent or dissuade data subjects from exercising their rights, and should in any case be equal or inferior to the actual cost of the operation.

76.75.   Littera c. Data subjects should be entitled to know about the reasoning which led to any resulting conclusions. For instance in the case of credit scoring,[SV79] they should be entitled to know the logic underpinning the processing of their data and resulting in a ‘yes’ or ‘no’ decision, and not simply information on the decision itself. Without an understanding of these elements there could indeed be no effective exercise of other essential safeguards - the right to object and the right to complain to a competent authority.

81.80.   Littera g aims at safeguarding an effective protection of the individuals by providing them with the right to the assistance of a supervisory authority in exercising the rights provided by the Convention. …

Article 8bis - Additional obligations

86.85.   Paragraph 2 clarifies that before carrying out the data processing, the controller will have to examine its potential impact on the rights and fundamental freedoms of the data subjects. This examination, which does not necessarily involve a full data protection impact assessment,[SV80] will also have to take into account the principle of proportionality on the basis of the comprehensive overview of the processing, taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risks for the rights and freedoms of individuals (considering what personal data will be processed and for which purpose, how it will be collected, how it will be used, internal flows, disclosures, security measures, etc.). In some circumstances, where a processor is involved in addition to the controller, the obligation to examine the risks may also be imposed on the processor[SV81], and the determination of the existence of such an obligation will be made taking into account the comprehensive overview of the processing. The assistance of IT systems developers, including security professionals, or designers, together with users and legal experts, in examining the risks would be an advantage and could reduce the burdens linked to this exercise.

87.86.   Paragraph 3 specifies that in order to better guarantee an effective level of protection, controllers, and, where applicable, processors, should see to it that data protection requirements are integrated as early as possible – i.e. ideally at the stage of architecture and system design – in data processing operations through technical and organisational measures (data protection by design). This implementation of data protection requirements should indeed be achieved not only as regards the technology used for processing the data, but also the related work and management processes. Easy-to-use functionalities that facilitate compliance with applicable law should be put in place. For example, online access to one’s data should be offered to data subjects where possible and relevant. There should also be easy-to-use tools for data subjects to take their data to another provider of their choice or keep the data themselves (data portability tools). When setting up the technical requirements for default settings, controllers and processors should choose privacy-friendly standard configurations (that have been designed paying due regard to the principle of data minimisation) so that the usage of applications and software does not infringe individuals' right to personal data protection (data protection by default).[SV82]

Article 9 – Exceptions and restrictions

94.93.   The third paragraph leaves open the possibility of restricting the rights with regard to certain data processing carried out for historical, statistical or scientific purposes which pose no identifiable risk to the protection of personal data and where restrictions to the data subject’s rights are justified. For instance, the use of data for statistical work, in the public and private fields alike, in so far as these data are presented in aggregate form and stripped of their identifiers[SV83] enters into that hypothesis provided that appropriate data protection safeguards are in place (see paragraph 51).

Chapter III – Transborder flows of personal data

Article 12 – Transborder flows

100.99.  Most of the time, such a situation – a change of jurisdiction and applicable law – occurs when there is a data transfer from a State Party to the Convention to a foreign country. A data transfer occurs when personal data are disclosed or made available with the knowledge of the sender, to a recipient subject to the jurisdiction of another State or international organisation. [SV84]

104.103.            In some cases, data flows will be made from a Party simultaneously to several foreign States or international organisations, some of which are Parties to the Convention and some of which are not. In those cases, the Party transferring the data, which has export procedures for non-Parties, may not be able to avoid applying those procedures also to the data destined for a Party, but it should proceed in such a way as to ensure that these procedures are not an obstacle to data transfers to the latter Party is agreed.[SV85]

106.105.            Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content[SV86] of the law must include the relevant elements of data protection as set forth by this Convention.

109.108.            Paragraph 4 enables Parties to derogate, in a particular case, from the principle of requiring an appropriate level of protection and to allow a specific transfer to a recipient which does not ensure such a protection. Such derogations are permitted in limited situations only (with the data subject’s consent or specific interest and/or where there are prevailing legitimate interests provided by law[SV87]). Such derogations should not be disproportionate and should not be used for massive or repetitive data transfers. Where massive or repetitive data transfers are involved, provisions of article 12.3 should apply.

112.111. In respect of transborder flows of personal data, a specific restriction is allowed in view of protecting freedom of expression, including freedom of the press. Parties may allow exceptions to the provisions of this Article 12 on the condition that these exceptions are provided for by law and are necessary in a democratic society to protect the freedom of expression.[SV88] A measure which is "necessary in a democratic society" must pursue a legitimate aim and thus meet a pressing social need which cannot be achieved by less intrusive means. Such a measure should be proportionate to the legitimate aim being pursued and the reasons adduced by the national authorities to justify it should be relevant and sufficient. Such a measure must be prescribed by an accessible and foreseeable law, which must be sufficiently detailed.

Chapter III bis – Supervisory authorities

Article 12bis – Supervisory authorities

114.113. The effective application of the principles of the Convention necessitates the adoption of appropriate sanctions and remedies (Article 10). Most countries which have data protection laws have set up supervisory authorities to deal with evolving and complex personal data processing in light of organisational, social and societal evolutions. This context requires an external, independent and impartial entity overview, with fast reactive powers and specialised expertise.

116.115. Parties have certain discretion as to how to set up the authorities for enabling them to carry out their task. According to paragraph 2, however, they must have at least the powers of investigation and intervention and the powers to issue decisions and impose administrative sanctions. [SV89]

122.121. Paragraph 2(e) deals with the awareness raising role of the supervisory authorities.

Chapter IV – Mutual assistance

Article 14 – Assistance to data subjects 

133.132. Paragraph 1 ensures that data subjects, whether in a Contracting State[SV90] or in a third country will be enabled to exercise their rights recognised in article 8 of the Convention regardless of their place of residence or their nationality.

EUROPEAN DATA PROTECTION SUPERVISOR/ LE CONTROLLEUR EUROPEEN DE LA PROTECTION DES DONNEES

This document was prepared on the basis of the consolidated text of the modernised Convention 108 and the numbering of the articles does not correspond to the draft Amending Protocol of the Convention.

Chapter I – General provisions

Article 2 – Definitions

19.        When data are made anonymous, all means should be put in place to avoid re-identification of individuals, in particular, all technical means should be secured in order to guarantee that data will remain anonymised. The anonymity of data should be re-evaluated over time in light of the fast pace of technological development. What could at a point in time be considered ‘unreasonable’ could after some time be considerably facilitated by technology and enable identification with reasonable ease. [SV91]

Chapter II – Basic principles of data protection

Article 4 – Duties of the Parties

35.        Such binding measures may usefully be reinforced by measures of voluntary regulation in the field of data protection, such as codes of good practice or codes for professional conduct.  However, such voluntary measures are not by themselves sufficient to ensure[SV92] full compliance with the Convention.

Article 5 – Legitimacy of data processing and quality of data

52.        The requirement of paragraph 4(d) that data be not excessive in relation to the purposes for which it is processed reflects the principle of proportionality in two ways: it firstly entails that processing of data should be limited to the minimum necessary [SV93] in relation to the purpose for which they are processed. ”Not excessive” refers both to the quantity and the quality of personal data. Secondly, data which would be relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should not be processed. Such is the case, for instance, in a standard recruitment procedure where it is clearly excessive in relation to the purposes of the processing to collect HIV data of the candidates to the post, while this can be considered as relevant data (in terms of management of future absences for instance).

Article 6 – Special categories of data

57.        The processing of biometric data, that is, data resulting from a specific technical processing of data concerning the physical, biological or physiological characteristics of an individual which allows the unique identification or authentication of the latter, is also considered sensitive.

58.        The processing of photographs will not systematically be a sensitive processing as they will only be covered by the definition of biometric data when being processed through a specific technical means allowing the unique identification or authentication of an individual. Furthermore, where their processing will aim at revealing racial or health information (see the following point), such a processing will be considered as a sensitive one. [SV94]

Article 7bis – Transparency of processing

67.        Certain minimum information has to be compulsorily provided by the controller to the data subjects when directly or indirectly (not through the data subject) collecting their data. While the transparency requirements are compulsory, the information on the name and address of the controller, the legal basis and the purposes of the data processing, the categories of data processed and recipients (be they obvious or not), as well as the means of exercising the rights [SV95] can be rendered in any appropriate format (either through a website, technological tools on personal devices, etc.) provided that it is fairly and effectively presented to the data subject. The information presented should be easily accessible, legible, understandable and adapted to the relevant data subjects (in a child friendly language where necessary for instance[SV96]). Any additional information that is necessary to ensure a fair data processing, such as for instance the preservation period, information on data transfers to a foreign country[SV97] (including whether that particular country provides an appropriate level of protection and the measures taken by the controller to guarantee such an appropriate level of data protection) shall also be provided.

Article 8 – Rights of the data subject

75.        Littera b. Data subjects should be entitled to know about their personal data processed. While the right of access should in principle be free of charge, the wording of littera b is intended to cover various formulas followed by the legislation of the Party for appropriate cases: communication free of charge at fixed intervals as well as communication against a maximum lump-sum payment, etc. To ensure a fair exercise of the right of access, the communication “in an intelligible form” applies to the content as well as to the form of a standardised digital communication. The term "expense" means the fee charged to the data subject.[SV98] It should be reasonable in order not to prevent or dissuade data subjects from exercising their rights and should in any case be equal or inferior to the actual cost of the operation.

Article 9 – Exceptions and restrictions[SV99]

Chapter III – Transborder flows of personal data

Article 12 – Transborder flows

106.      Both paragraphs 2 and 3 apply to all forms of appropriate protection, whether provided by law or by standardised safeguards. The content [SV100] of the law must include the relevant elements of data protection…

109.      Paragraph 4 enables Parties to derogate, in a particular case, from the principle of requiring an appropriate level of protection and to allow a specific transfer to a recipient which does not ensure such a protection. Such derogations are permitted in limited situations only (with the data subject’s consent or specific interest and/or where there are prevailing legitimate interests provided by law). Such derogations should not be disproportionate and should not be used for massive or repetitive data transfers. Where massive or repetitive data transfers are involved, provisions of article 12.3 should apply.[SV101]



19 See Council of Europe Commissioner on Human Rights, “The rule of law on the Internet and in the wider digital world”, Issue Paper, CommDH/IssuePaper(2014)1, 8 December 2014, p. 50-54, pt 3.4 “Within [a contracting state’s] [territory and] jurisdiction”, especially: « A state that uses its legislative and enforcement powers to capture or otherwise exercise control over personal data that are not held on its physical territory but on the territory of another state, for example, by using the physical infrastructure of the Internet and global e-communications systems to extract those data from servers, personal computers or mobile devices in the other state, or by requiring private entities that have access to such data abroad to extract those data from the servers or devices in another country and hand them over to the state, is bringing those data – and in respect of those data, the data subjects – within its “jurisdiction” in the sense in which that term is used in the ECHR […]. »

21. See Council of Europe Commissioner on Human Rights, “The rule of law on the Internet and in the wider digital world”, Issue Paper, CommDH/IssuePaper(2014)1, 8 December 2014, p. 50-54, pt 3.4 “Within [a contracting state’s] [territory and] jurisdiction”, especially: « A state that uses its legislative and enforcement powers to capture or otherwise exercise control over personal data that are not held on its physical territory but on the territory of another state, for example, by using the physical infrastructure of the Internet and global e-communications systems to extract those data from servers, personal computers or mobile devices in the other state, or by requiring private entities that have access to such data abroad to extract those data from the servers or devices in another country and hand them over to the state, is bringing those data – and in respect of those data, the data subjects – within its “jurisdiction” in the sense in which that term is used in the ECHR […]. »

22 Court of Justice of the EU, 11 December 2014, (Frantisek) C 212/13: “30. […] the directive does not cover the processing of data where the activity in the course of which that processing is carried out is a ‘purely’ personal or household activity, that is to say, not simply a personal or household activity. 31. In the light of the foregoing considerations, it must be held that […] the processing of personal data comes within the exception provided for in the second indent of Article 3(2) of Directive 95/46 only where it is carried out in the purely personal or household setting of the person processing the data.”

25 Where the four Geneva Conventions of 1949, the Additional Protocols thereto of 1977, and the Statutes of the International Red Cross and Red Crescent Movement apply.


[SV1]Is it uncertain or difficult to determine the applicable law ?

[SV2]This to refer to the increased cooperation between the institutions concerned, e.a. European DPA’s for example and APEC on BCR’s and CBPR for example. As BCR are also “appropriate safeguards” recognized by article 12, we would suggest adding these words at the end of the sentence.

[SV3]We suggest adding, in addition to the purpose of the processing, the type of processing (which could be of importance) and the type of data controller as well.

[SV5]In our view, it is important to make clear that the use of a pseudonym ( or any digital identifier – digital identity) does not lead to anonymisation as the data subject can still be identifiable/ “individualized”.

[SV6]We suggest adding that the assessment is to be made on a case by case basis.

[SV7]We are not sure we understand. Can they also be recipient in the context of the same processing? To add an example might be useful.

[SV8]There seems to  be a need to clarify the link with the idea that “The main criteria of definition of jurisdiction is linked to the territory and the paragraph below on the concept of jurisdiction.

[SV9]In our view, data protection legislation does not need to be extended to deceased persons. In the case of deceased persons, their protection has to be/is guaranteed by other legal concepts or legislations (reputation, dignity, honor etc. for example). In the case of genetic data, if the data relating to a deceased person also relate to their heirs, then those data are personal data relating to these heirs as living persons.

[SV10]We would rather place this comment under the comment of “personal data” (see above).

[SV11]In our view, 2 different ideas are mixed here. First, there is a reference to what is covered by the term “law”. And then the law is qualified as what it needs to be (qualitative requirements): accessible and foreseeable. But, a country could pass a law that would not meet these requirements, still it would be qualified as a law internally. The rest of the text is then clearer and says that the law should be ….

[SV12]Given this comment of the Explanatory report, we do not share the reservation made by the Commission on this aspect (unambiguous / explicit). In addition to the argument based on article 11 of the Convention, this explanation clearly refers to a clear and active indication of willingness. What would be the difference with the explicit consent?

[SV13]The idea is to be a bit more explicit on the consequences of  a withdrawal of consent.

[SV14]In this comment we have 2 formulations: sensitive data for data that are always to be considered as sensitive and “sensitive processing” when the data are processed for the sensitive information they reveal. In the latter, sensitive data are at stake. We would recommend to be cautious with the terminology of “sensitive processing”. Maybe processing of sensitive data would be clearer as “sensitive processing” may be interpreted, understood as something else in a more general context.

[SV15]Why, for the sake of clarity, not add an example of when it will not be sensitive. For example, processing of images by a videosurveillance system for security reasons in a shopping area.

[SV16]Why is this idea of harm added? In our view, some data can be processed for the sensitive information they reveal in the benefit of data subjects. Of course, being sensitive, these data may always lead to harm (cf their definition) but it’s a consequence and not part of the definition. Or is it a condition of the “sensitive processing”? In our view it would unduly reduce the scope of the protection.

[SV17]Why not add an example of when data will not be considered to be sensitive? For billing purposes, for example?

[SV18]Is it “where applicable” or “if any”? In our view security is one of the key obligations of the processor.

[SV19]We would avoid “etc.” as having to pay a fee is the exception in our view. This idea which is mentioned in the first sentence could usefully be repeated.

[SV20]In general, the principle of proportionality plays a role here.

[SV21]If any? Or both if any and where applicable ?

[SV22]We do not perfectly understand this sentence. Could it maybe be reformulated?

[SV23]By the law or by the data controller himself ?

[SV24]Here again, is it “if any” or “where applicable” or possibly both?

[SV25]May be the idea of opt-in versus opt-out could be explicitly added here ?

[SV26]What if it occurs without the knowledge of the sender (for example by the processor without being allowed)? Automatically a data breach?

[SV27]An example could be helpful here.

[SV28]Scope, reach of the law?

[SV29]Or any other better wording that would reflect that the reference is Convention 108.

[SV30]In our view, it is not the derogation that needs to be not disproportionate but the use of it.

[SV31]§§ 1 to 5 ?

[SV32]We would formulate this idea in a different way, referring to the functioning (a single commissioner, or a collegiate body) and not to whom (an ombudsman for example can be misunderstood, as generally speaking an ombudsman does not have competences comparable to the ones of a DPA).

[SV33]The text of the Convention says that DPA’s may impose such sanctions. Accordingly, the report should reflect that and not use the terms “must have” as far as sanctions are concerned.

[SV34]To hire its own staff according to internal rules is also of importance.

[SV35]In other parts of the Convention, the term “a Party to the Convention” is used.

[SV36]Should state ‘the individual’ (singular) or ‘individuals’ (plural). This comment applies every place the phrase ‘the individuals’ is used.

[SV37]Should state ‘protection’ rather than ‘a protection’. This applies to every instance where ‘a protection ‘ is used.

[SV38]The word ‘aliens’ is no longer used; ‘third country nationals’ or ‘non-citizens’ would be more appropriate

[SV39]We do not understand this sentence.

[SV40]We do not understand this text.

[SV41]This sentence needs to be clarified; specifically the first phrase is not consistent with the  rest of the sentence.

[SV42]We do not understand this text.

[SV43]This sentence is not consistent with the rest of this paragraph. We suggest that you use text along the lines of the text in the explanatory report on the existing Convention 108.

[SV44]We note that there is no reference to judicial independence.

[SV45]We do not understand this sentence.

[SV46]We are not sure what this means – is it intended to say ‘as agreed’?

[SV47]Scope, reach of the law?

[SV48]The word ‘persons’ or ‘individuals’ would be more appropriate.

[SV49]This sentence needs to be clarified.

[SV50]Is this a reference to Article 80 of the Vienna Convention? If it is it should be placed before ‘the United ..’ to ensure greater clarity.

[SV51]The reference to the “controller’s authority” does not seem to be appropriate. Should we refer to persons acting outside the controller’s organization?

[SV52]This sentence seems to contradict the previous one. In the previous one we speak about “illegal processing” in case the processor does not respect the instructions given by the controller. Whereas the second sentence seems to “legitimize” the processing by the data processor for his own purposes (“legitimately”). Can we delete the second sentence?

[SV53]Shouldn’t we include also para 3 among the paragraphs to be read cumulatively? The idea should be that once the processing is founded on a legitimate basis (either law or consent) it should also respect not only the principle of proportionality as set forth by paragraph 1 but also the other data protection principles provided for by paragraph 3.

[SV54]44. An expression of consent does not waive the need to respect the basic principles for the protection of personal data set in Chapter II of the Convention and the proportionality of the processing for instance still has to be tested.

[SV55]Is this consistent with paragraph 45 which states that withdrawal of consent is to be distinguished from the separate right to object to a processing?

[SV56]We should include a reference to the safeguards for individuals also in respect of this paragraph as correctly done, in the previous one, for national security, not to give the impression that the exception for economic and financial interests of the State is subject to arbitrariness.

[SV57]Scope, reach of the law?

[SV58]Does it really act as an intermediary?!

[SV59]This sentence should be redrafted:

1) The use of the word “regular reports” may be confusing in respect of the periodical reports that supervisory authorities are obliged to publish according to para 5bis.

2) The reference to paragraph 131 is not clear.

3) We are not sure that the wording “supervisory authorities should have the power to inform the public” is appropriate, since it is more an obligation as provided for by Article 12, para 2 e.

[SV60]“vulnerable categories of people”

[SV61]Paragraph 9 of Article 12 bis states that “The supervisory authorities shall not be competent with respect to processing carried out by bodies when acting in their judicial capacity”.

It would be advisable to include in the EM that although this principle aims at safeguarding the independence of judges in the performance of their judicial tasks, such exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities in which judges might be involved, in accordance with national law.

[SV62]It is important to make clear that the use of a pseudonym (or any digital identifier – digital identity) does not lead to anonymisation as the data subject can still be identifiable/ “individualized”.

[SV63]It would be useful to distinguish between anonymous data which is not covered by the Convention and pseudonymous data which should be.

[SV64]To be checked against the case law of the ECHR

[SV65]This is not clear: can those entities be also a recipient in the context of the same processing. It would be useful to add an example.

[SV66]Use of this term depends on outcome of EU reservation with regard to Article 3.1bis (which remains between square brackets in the text of the revised Convention).

[SV67]Same comment as before

[SV68]Extension of data protection legislation to deceased persons does not seem to be justified. In the case of deceased persons, their protection has to be/is guaranteed by other legal concepts or legislations (reputation, dignity, honor etc. for example). In the case of genetic data, if the data relating to a deceased person also relate to their heirs, then those data are personal data relating to these heirs as living persons.

[SV69]Two different ideas seem to be mixed here. First, there is a reference to what is covered by the term “law”. And then the law is qualified as what it needs to be (qualitative requirements): accessible and foreseeable. But, a State could pass a law that would not (or not fully) meet these requirements and still it would qualify as a law according to its legal and constitutional system.

[SV70]Article 5.4.b does not limit further processing only to public statistics or public archives.

[SV71]Acceptance of this paragraph  in the Explanatory Memorandum was a condition for the EU to lift its reservation on Article 5.4.c

[SV72]A risk analysis does not represent a security measure, but such analysis only leads to the realization that other security measures are necessary.

[SV73]Needs to be specified

[SV74]This is applicable to almost all pictures, as generally one can see from a picture to which race a person belongs.

[SV75]Article 6 applies to processing of sensitive data and not to "sensitive processing".

[SV76]Notion of "harm" is not a condition of an interference with data subjects' right to personal data protection.

[SV77]It might be useful to add an example of non-sensitive data.

[SV78]This is not clear: do we want to refer to pseudonymous data or to anonymous data? In the latter case it is not even covered by the Convention.

[SV79]The example seems to refer only to automated processing. This should be made clear.

[SV80]This explanation is a condition for the lifting of EU reservation on Article 8bis.2

[SV81]By law or by the data controller himself?

[SV82]It would be useful to provide an example of data protection by default based on the idea of opt-in versus opt-out.

[SV83]It does not seem to qualify as personal data anymore.

[SV84]What if it occurs without the knowledge of the sender (for example by the processor without being allowed)? Automatically a data breach?

[SV85]An example could be helpful here.

[SV86]Scope, reach of the law?

[SV87]It should be clarified that the specific interests and the prevailing legitimate interest are not those of the recipient State.

[SV88]Scope of paragraph 7 is unclear and generates serious legal uncertainty. Which exceptions are allowed? To which provisions? To the principle that a Party bound by harmonized rules of protection shared by States belonging to an international organization may prohibit or subject to special authorization the transfer of data to another Party in para 1? To the principle established in para 2 that the transfer of data may only take place where an appropriate level of protection is secured or rather to the derogation set out in para 4 that a transfer may take place if the data subject has given explicit consent? Are exceptions allowed to the principle that supervisory authorities have the right to request for information on transfers under para 5? This paragraph of the Explanatory Memorandum does not address any of the above questions.

[SV89]Is the intention to apply administrative sanctions also to public authorities?

[SV90]In other parts of the Convention, the term “a Party to the Convention” is used.

[SV91]In order to avoid confusion between anonymous data and pseudonymised data, it should be clearly stated that it is impossible to re-identify the data subject on the basis of anonymous data. In cases where it is not clear whether the data have been fully/irreversibly anonymised or not, the data should be covered by the provisions of the Convention.

See EDPS' additional comments of 15 March 2013 on the data protection reform package for the definition of anonymous data and pseudonymised data: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2013/13-03-15_Comments_dp_package_EN.pdf

[SV92]We welcome the use of the word "ensure" in place of "secure".

ENSURE: Make certain that something will occur or be the case; make certain of obtaining or providing something; legislation to ensure equal opportunities for all.

SECURE: Certain to remain safe and unthreatened; protect against threats; make safe.

[SV93]We welcome the reference to the clear limitation of the data processed to the minimum necessary (minimization principle).

[SV94]Note that the consideration of biometric data as sensitive data may imply practical implementation difficulties. While in some cases, it should be subject to additional safeguards, in other cases it could be comparable to other ‘non sensitive’ personal data, such as a name and/or a physical description of a person.

In the EU proposed Regulation, for example, biometric data is not ‘sensitive’ but certain types of processing of biometric data are subject to a privacy impact assessment. (Note also that the European Parliament has added biometric data to the list of sensitive data, while the Council has not).

[SV95]The logic underpinning the processing should also be added.

[SV96]adapted to the relevant data subjects (in a child friendly language where necessary for instance)

[SV97]We welcome the references to the retention periods and to transfers to third countries (consistent with EU proposed Regulation).

[SV98]The rectification or erasure, if justified, must be free of charge

[SV99]It should be made clearer that paras 91 to 94 are an illustration of what constitutes legitimate grounds.

The explanatory report should specify that even though a derogating measure genuinely satisfies a legitimate aim listed in litterae a and b, it does not automatically mean that the measure in question is actually necessary and proportionate. The proportionality and necessity of an interference should systematically be assessed on a case-by case basis.

See Digital Rights Ireland Judgment and Working Party 29's Working Document on surveillance of electronic communications for intelligence and national security purposes, esp. point 4.3.3 on the scope of restrictions to the fundamental rights to respect for private life and data protection (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp228_en.pdf).

[SV100]Scope, reach of the law?

[SV101]The final explanatory report should specify that derogations only apply on a case by case basis. In case of structural, repetitive or massive transfers, adequate safeguards should be put in place.