Ministers’ Deputies
CM Documents
CM(2002)199 Addendum 20 December 2002
——————————————
825th Meeting, 22 January 2003
10 Legal questions
10.3 Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD)
b. Guide to the preparation of contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of data protection
——————————————
TABLE OF CONTENTS
I. Background
II. Guide to the preparation of contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of data protection
III. Principles to be taken into account when preparing contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of protection
Appendices
Appendix I Convention 108
Appendix II Additional Protocol
Appendix III Model clauses for inclusion in a model contract
Appendix IV Standard contractual clauses (for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to third countries which do not ensure an adequate level of protection)
Appendix V Standard contractual clauses (processors) (for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to third countries which do not ensure an adequate level of protection)
Appendix V List of the data protection supervisory authorities of Parties to Convention 108
1. Introduction
1. The Council of Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal data [ETS No.108] (hereinafter Convention 108) was opened for signature on 28 January 1981 and has the purpose of securing in the territory of each Party respect for the rights and fundamental freedoms of every individual, whatever his/her nationality or place of residence, and in particular his/her right to privacy, with regard to automatic processing of personal data relating to him/her.
2. In principle, it should make no difference to data subjects whether data processing operations take place in one or several countries. The same fundamental rules should apply and data subjects should be given the same safeguards for the protection of their rights and interests. In practice, however, the protection of an individual’s data is weakened when the geographic area is widened. Therefore it became necessary to establish mechanisms which provide an adequate protection to individuals when data concerning them flow across borders.
3. If any changes in the processing of personal data deserve mention since Convention 108 was adopted, they are those that derive from the advances made in information technology, combined with the developments in telecommunications, which have opened up new possibilities for processing data on an international scale. The developments in electronic data processing and in the setting up of extensive data banks have increasingly facilitated the dissemination of information in several countries. They help to overcome the various barriers to communication between different States: distance, time, language and cost. As a result, the free international flow of information may enhance cultural and economic relationships worldwide.
4. Nevertheless, as the personal data protection principles laid down in Convention 108 are not yet enshrined in the legislation, common law and social practices of the great majority of third countries, potential risks to the rights of data subjects of the countries that are Party to Convention 108 may arise when the processing of personal data of those individuals is carried out in such third countries. Therefore, it is important to find specific legal solutions that seek to maintain the balance between the requirements of the effective protection of personal data and the principle of free flow of information, regardless of frontiers, notwithstanding that the former is a fundamental right of the individual and therefore deserves specific legal protection.
5. These solutions may be of the utmost importance where there is a controller or a processor that is committed to applying the data protection principles of Convention 108 in a country that does not yet recognise those principles as part of its legal system; but this does not prevent that controller or processor from voluntarily accepting to be bound by them. This may also enhance social and commercial respect for those principles, which may be the source of customary law. However, the use of contractual clauses should not be seen as a long-term substitute for domestic law protecting personal data.
2. The Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data
6. Article 12 of Convention 108 was drafted with the aim of finding a balance between the protection of personal data and the free flow of information in the context of transborder flows of these data:
“Article 12 – Transborder flows of personal data and domestic law
1 The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
2 A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.
3 Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:
a insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
b when the transfer is made from its territory to the territory of a non Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.”
7. Article 12 specifies the notion set out in the Preamble of Convention 108 which states “[…] Reaffirming at the same time their commitment to freedom of information regardless of frontiers; Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples […]”. In summary, this provision on transborder data flows has as its primary objective the protection of privacy without posing an excessive burden on the free flow of information so as to avoid negative effects on international relations, be they cultural, economic or of another kind.
8. Therefore, Article 12 establishes the principle of the free flow of personal data between Contracting States, but goes on to grant each Party to Convention 108 the right to prohibit or restrict transfrontier flows in respect of certain categories of data covered by specific regulations, except where the regulations of the recipient state provide equivalent protection. At the same time, it provides for the restriction or prohibition of the flow of personal data across national borders into non Contracting States passing through the intermediary of a Contracting State.
9. However, this provision does not provide a full solution to the need to protect the fundamental rights and freedoms of the data subject as regards the processing of his/her personal data in connection with transborder data flows as the spectacular increase in such data flows which has occurred during the last decade will probably increase in the near future. The transfer of personal data across borders is facilitated by the existence of digital communication systems and is rendered inevitable by the internationalisation of the economy.
3. The model contract of 1992 to ensure equivalent data protection in the context of transborder data flows
10. In order to prevent the level of privacy protection from being reduced as a result of automated processing of personal data in third countries, the Council of Europe’s Consultative Committee of Convention 108 started to reflect in 1989 on the possibility of using contractual techniques to ensure the protection of the individual’s privacy in the context of transborder data flows. This contractual technique had already been referred to in several sectorial recommendations on data protection adopted by the Committee of Ministers (e.g. Recommendation No R (86) 1 on the protection of personal data used for social security purposes; Recommendation No R (89) 2 on protection of personal data used for employment purposes).
11. Taking into account the above mentioned considerations, the Council of Europe jointly with the Commission of the European Communities and the International Chamber of Commerce, prepared a study in 1992 which contains a “model contract to ensure equivalent data protection in the context of transborder data flows” (see the data protection web site of the Council of Europe at the following address: http://www.coe.int/dataprotection ). As mentioned in this study, the obligations of the licensor and licensee under the model contract were based on the guarantees established by the Council of Europe's Convention 108, which also appear in the OECD Guidelines on the protection of privacy and transborder flows of personal data. The objectives of the model contract to ensure equivalent data protection in the context of transborder data flows were as follows:
- to provide an example of one way of resolving the complex problems which arise following the transfer of personal data subjected to different protection regimes;
- to facilitate the free circulation of personal data in the respect of privacy;
- to allow the transfer of data in the interest of international commerce;
- to promote a climate of security and certainty of international transactions involving the transfer of personal data.
12. The clauses of the model contract were designed to allow the transfer of personal data between independent economic entities and it was left to the Parties whether to use the clauses or not; the clauses were optional. Parties should adapt the clauses to specific conditions. The clauses could serve as a basis for the establishment and development of appropriate rules e.g. for transfers within the same group of firms or between a file controller and a data processing service. The study also mentioned that Parties were free to choose the law applicable to the contract between licensor and licensee. They should always stipulate explicitly the law which they have chosen. When the applicable domestic law ensures a better protection of the personal data, the licensor was recommended to check whether he/she must complete the clauses accordingly.
4. The Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data Regarding Supervisory Authorities and Transborder Data Flows
13. This “model contract” prepared in 1992 was the first step for the preparation of similar model contractual clauses in another international forum. However, the need to improve “the application of the principles set forth in the Convention [which] has become necessary because of the increase in exchanges of personal data across national borders between states which are Parties to the Convention and states or entities which are not” 1 was one of the reasons for the preparation of the Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data [ETS No.108] Regarding Supervisory Authorities and Transborder Data Flows [ETS No. 181] which was opened for signature on 8 November 2001.
14. The Explanatory Report of this Additional Protocol to Convention 108 states that the “increase in the flow of data across national borders is a consequence of the ever-growing volume of international exchanges on a global scale, together with technological progress and its numerous applications. At the same time, therefore, a constant effort is needed to improve the effective protection of the rights guaranteed by the Convention. Effective protection in turn requires international harmonisation not only of the basic principles of data protection but also, to a certain extent, of the means of implementing them in such a rapidly changing, highly technical field and of the conditions in which the transfers of personal data can be made across national borders. […] The flow of information is at the very core of international co-operation. However, the effective protection of privacy and personal data also means that there should in principle be no transborder flows of personal data to recipient countries or organisations where the protection of such data is not guaranteed” 2 .
15. As said above, Article 12 of Convention 108 establishes the principle of the free flow of personal data between the Parties subject to the possibilities for derogation provided for in sub-paragraph 3. Article 2 of the Additional Protocol to Convention 108 establishes the principle that transborder flows of data to a recipient which is not under the jurisdiction of a Party to Convention 108 are subject to the condition of an adequate level of protection in the recipient country or organisation. However, Parties to Convention 108 have the possibility to determine derogations from the principle of an adequate level of protection. One of these derogations concerns the provision of safeguards by the controller responsible for the transfer and can in particular result from contractual clauses (see Article 2, paragraph 2, littera b. of the Additional Protocol of Convention 108).
16. The problematic issue is to define the meaning of an “adequate level of protection”. The Explanatory Report of the Additional Protocol to Convention 108, in particular the paragraphs concerning Paragraph 1 of Article 2, gives some indications of when it could be considered that an adequate level of data protection exists in a third country. This can be established via a general assessment or via an assessment on a case-by-case basis.
17. The adequacy of the level of data protection can be established by a general assessment: Paragraph 28 of the Explanatory Report of the Additional Protocol states that “an assessment of adequacy can similarly be made for a whole state or organisation thereby permitting all data transfers to these destinations. In that case, the adequate level of protection is determined by the competent authorities of each Party”.
18. The adequacy of the level of data protection can be established by an assessment on a case-by-case basis. Paragraph 26 of the Explanatory Report states that “the adequacy of the level of protection must be assessed in the light of all the circumstances relating to the transfer”. Paragraph 27 continues “the level of protection should be assessed on a case-by-case basis for each transfer or category of transfer made. Thus the circumstances of the transfer should be examined and, in particular,
- the type of data,
- the purposes and duration of processing for which the data are transferred,
- the country of origin and the country of final destination,
- the general and sectoral rules of law applicable in the state or organisation in question and the professional and security rules which obtain there.”
19. However, according to Paragraph 2 of Article 2 of the Additional Protocol to Convention 108, the transfer of personal data to countries which do not ensure an adequate level of protection is possible if domestic law provides for it because of specific interests of the data subject; or legitimate prevailing interests, especially important public interests; or if safeguards are provided by the controller responsible for the transfer.
20. In that context it is important to examine what the ‘legitimate prevailing interests, especially important public interests’ provided for by domestic law could be. Paragraph 31 of the Explanatory Report says that “The parties have discretion to determine derogations from the principle of an adequate level of protection. The relevant domestic law provisions must nevertheless respect the principle inherent in European law that clauses making exceptions are interpreted restrictively, so that the exception does not become the rule. Domestic law exceptions can therefore be made for a legitimate prevailing interest. That interest may be to protect an important public interest, such as is specified in the context of Article 8 paragraph 2 of the European Convention on Human Rights and Article 9 paragraph 2 of Convention ETS No. 108; the exercise or defence of a legal claim; or the extraction of data from a public register. Exceptions may also be made for the specific interest of the data subject as for the fulfilment of a contract with the data subject or in his interest, or for protecting his vital interest or when he has given his consent. In this case, before consenting, the data subject would have to be informed in an appropriate way about the intended transfer”.
21. Another option for the situation where the recipient country does not ensure an adequate level of data protection could be safeguards provided by the controller, in particular such as those resulting from contractual clauses. Paragraphs 32 and 33 of the Explanatory Report state “each party may provide for the transfer of personal data to a recipient which is not subject to the jurisdiction of a Party and does not ensure an adequate level of protection, provided that the person in charge of the transfer supplies sufficient safeguards. These safeguards must be found adequate by the competent supervisory authorities according to domestic law. Such safeguards may in particular be the result of contractual clauses binding the controller who makes the transfer and the recipient who is not subject to the jurisdiction of a Party” and “The content of the contracts concerned must include the relevant elements of data protection. Moreover, in procedural terms, contract terms could be such, for example, that the data subject has a contact person on the staff of the person responsible for the transfer, whose responsibility it is to ensure compliance with the substantive standards of protection. The subject would be free to contact this person at any time and at no cost and, where applicable, obtain assistance in exercising his or her rights”.
5. Contractual clauses for protection of personal data in the context of transborder data flows to third countries prepared by other international organisations
22. As mentioned above, the Commission of the European Communities participated, together with the Council of Europe and the International Chamber of Commerce, in the preparation of the model contract of 1992. Afterwards, the Working Party on Protection of Individuals with Regard to the Processing of Personal Data established under Directive 95/46/EC issued guidelines in order to aid with the assessment of the adequate level of protection required in the transfer of personal data to the third countries 3 . Following these guidelines, the European Commission adopted Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries. This Commission Decision sets out “standard contractual clauses ensuring adequate safeguards for personal data transferred from the European Union to countries outside the Union. The Decision obliges member States to recognise that companies or organisations using such standard clauses in contracts concerning personal data transfers to countries outside the European Union are offering “adequate protection” to the data. […] Use of these standard contractual clauses will be voluntary but will offer companies and organisations a straightforward means of complying with their obligation to ensure “adequate protection” for personal data transferred to countries outside the European Union which have not been recognised by the Commission as providing adequate protection for such data” 4 . This Commission Decision covers only the transfer of personal data between data controllers. Commission Decision 2002/16/EC of 27 December 2001 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries is intended to cover the transfer to data processors.
23. Other international organisations also examined this issue; for instance, the Working Party on Information Security and Privacy of the OECD prepared a Report on Transborder Data Flow Contracts in the Wider Framework of Mechanisms for Privacy Protection in Global Networks in 2000.
24. In 1999, the International Chamber of Commerce prepared Model Clauses for Use in Contracts Involving Transborder Data Flows. The International Chamber of Commerce and other business organisations are currently preparing a set of proposed standard clauses for the transfer of personal data from the European Union to third countries. These proposed standard clauses are currently being discussed with the Commission of the European Communities.
II. Guide to the preparation of contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of data protection
25. In view of the legislative and technological developments which have occurred in the field of data protection since the preparation of the “Model Contract” in 1992, the Council of Europe’s Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD) decided to re-examine the issue of the contractual clauses to be used when transferring personal data to third countries which do not ensure an adequate level of protection. The T-PD instructed an independent expert to prepare a report on this issue. Professor Jerôme Huet prepared a study on “Contracts involving the transfer of personal data between parties to Convention ETS No.108 and third countries not providing an adequate level of protection” as well as some recommendations made in the light of this study. This Study is available on the data protection website of the Council of Europe (http://www.coe.int/dataprotection).
26. On the basis of this Study as well as the new international instruments recently adopted, in particular the Additional Protocol to Convention 108 and the two Commission decisions mentioned above, the T-PD decided to prepare the present Guide. The T-PD agreed that it would not be appropriate at present to revise the “Model Contract to ensure equivalent data protection in the context of transborder data flows” which the T-PD had drafted in co-operation with the Commission of the European Communities and the International Chamber of Commerce in 1992, since to do so might duplicate the European Commission’s work on drafting model clauses for the transfer of personal data to third countries under Directive 95/46/EC (cf. Commission Decision of 15 June 2001 and Commission Decision of 27 December 2001).
27. The purpose of this Guide is to assist parties in the drawing up of contractual clauses conforming to the protection requirements deriving from Convention 108 and inform data controllers and data subjects concerned by transborder flows of what they need to look out for as well as to provide assistance for data subjects seeking to assert their rights in the data protection field.
28. The main objective of the principles contained in this Guide is to contribute to ensuring an adequate level of protection when processing personal data in cases of transfer to countries which do not ensure this level.
29. These principles could also supply a useful tool and a supplementary guarantee for specific transfers between countries which ensure an adequate level of protection (e.g. the transfer of a specific category of data or in other cases for specifying the purposes of the processing).
30. Therefore the present Guide does not replace the contractual clauses included in the model contract of 1992 but instead completes or specifies the 1992 contractual clauses and therefore both documents should be read together.
31. The principles contained in this Guide, which are based on the principles of Convention 108, should be primarily taken into account in cases where in the State where the importer is established there is a lack of legislation or other regulations deemed satisfactory to provide an adequate level of personal data protection. This means that they are intended to be applied where the recipient of data (the importer) :
- is established in a State which has not ratified Convention 108 and lacks the legislation providing the adequate level of protection that is envisaged in Article 2 paragraph 1 in fine of the Additional Protocol to Convention 108 regarding supervisory authorities and transborder data flows; or
- operates in a sector of activity that is not subject to other regulations deemed satisfactory as regards personal data protection in a State which has not ratified Convention 108 5 ; or
- is established in a State that has ratified Convention 108 in cases where the State where the exporter of data is established may have applied the derogations referred to in Article 12.3.a) of Convention 108 to certain kinds of transfers.
32. The parties to these transfers are encouraged to apply these principles to any transfers of personal data other than those mentioned above in order to supplement the legal provisions on data protection which govern them. For example, these principles could be useful for specifying the purposes of the processing in cases of data transfers between countries which have ratified Convention 108 or which have an adequate level of protection.
33. This Guide applies to transfers of personal data between controllers. It will be periodically evaluated by the T-PD.
III. Principles to be taken into account when preparing contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of protection
For the purposes of these principles the terms below will be understood as follows:
“Personal data” means any information relating to an identified or identifiable individual (“data subject”) 6 . An individual shall not be regarded as “identifiable” if the identification requires an unreasonable amount of time and manpower.
“Sensitive data” means personal data revealing racial origin, political opinions, religious or other beliefs, as well as personal data concerning health, sexual life or criminal convictions, and other data defined as sensitive by domestic law in the exporter’s country.
“Processing” means any operation or set of operations applied to personal data, such as storage, conservation, adaptation or alteration, extraction, consultation, utilisation, communication, matching or interconnection and erasure or destruction.
“Data exporter” means the controller who transfers the personal data.
“Data importer” means the controller who receives personal data from the data exporter.
“Controller” means the natural or legal person, public authority, agency, or any other body which, alone, or in collaboration with others, determines the purposes of and means used in the collection and processing of personal data.
The reference to “contract” in this guide refers exclusively to the relevant contractual clauses for the protection of personal data.
Principle 1 – General Provision
Data transfers are a form of processing personal data within the meaning of Convention 108. They may go ahead only if processing is carried out as specified in the data protection legislation to which the exporter is subject and, in particular, if the planned transfer is lawful under the terms of that legislation.
The contract should be drawn up taking account of the legal situation (concerning the general legislation and, where applicable, any specific legislation on data protection) of the country in which the data importer is located. To enable the exporter to make sure that the importer continues to be able to honour the contract, the contract should include an obligation for the importer to inform the exporter of any relevant legal change in his or her country subsequent to the conclusion of the contract which may significantly adversely affect the safeguards afforded by the contractual clauses.
Explanatory note:
The importer should inform the exporter of the changes about which he/she could reasonably be expected to know.
Principle 2 – Information to the data subject
The exporter of data should take appropriate measures to inform data subjects, before the data transfer takes place, of the identity of the importer, the purposes for which the data are to be processed and any other information insofar as it is necessary to ensure fair processing, unless this information has already been provided by the exporter of the data. In addition, the data subject should, at his/her request, be informed about the existence of a contract. If data subjects so request, the exporter of data should give data subjects a copy of the contractual clauses relating to data protection.
Explanatory note:
Article 5.a (fair collection and processing of data) of Convention 108 sets out the general principle of transparency in data processing. Article 8 sets out the individual’s right to know about the existence of processing of personal data, its principal purposes, as well as the identity and habitual residence or principal place of business of the controller of the file. The principle of transparency is particularly important in connection with personal data transfers to countries that do not offer an adequate level of protection. The domestic law of some Parties to the Convention and certain Council of Europe recommendations require information to data subjects on the possibility of transfer of their data to a third country. Furthermore, some Parties provide for an obligation to notify the transfer and/or the contractual clauses to the national data protection authority. When carrying out this obligation to inform data subjects, account should be taken of the specific circumstances.
Principle 3 – Details of the transfer
The contract should specify all relevant details of the transfer and, in particular:
- the identity of the exporter and importer of data;
- the categories of personal data to be transferred (sensitive data should be specified);
- the purposes for which the personal data are transferred;
- the categories of data subjects whose personal data are transferred;
- the recipients of the data (where necessary, this should be specified for each category of data);
- the storage limit applicable to the data transferred.
Principle 4 – Obligations of the data importer
The contract should specify that the importer undertakes in particular :
- to process the data transferred fairly and lawfully ;
- to process the data only for the purposes for which they have been transferred ;
Explanatory note:
The contract should list all the purposes for which the exporter authorises the importer to process the data transferred. “Process” comprises subsequent use and further transfer.
- to make sure that the data transferred remain accurate, adequate, relevant and not excessive in relation to the purposes for which they have been transferred and that they are updated where necessary;
Explanatory note:
The data importer will be able to guarantee that the data are accurate only in relation to the form in which he/she receives them.
- to keep the data for no longer than is necessary for the purposes for which the data have been transferred;
- to give data subjects a copy of the contractual clauses relating to data protection if they so request.
Principle 5 – Sensitive data
The contract should provide all the appropriate additional safeguards when sensitive data are to be transferred.
Explanatory note:
Sensitive data should be transferred only where this is necessary to meet the purposes of the processing. Such transfer, moreover, should be accompanied by additional protective measures, including appropriate security measures such as encoding the data for transfer or listing the conditions governing access to sensitive data.
Principle 6 – Security of the data
The contract should require the importer to take all appropriate technical and organisational security measures for protection of the personal data transferred to him or her, in order to prevent their accidental or unauthorised destruction, as well as to prevent unauthorised access, modification or diffusion of the data. These measures should ensure a level of security appropriate to the potential risks and should take account of the state of technology and the costs involved.
Principle 7 – Rights of access, rectification, erasure and blocking of data
The contract should define the obligations of the exporter and the importer towards the data subject. In particular, the importer of the data should respond to reasonable inquiries regarding the data processing made by the data subjects and should ensure that data subjects have the right of access to data concerning them, including the right of rectification and erasure or the right to block personal data processed in breach of the contract. In relation to these rights, the exporter and the importer should inform each other of requests by data subjects and of the manner in which they have been dealt with.
Principle 8 – Third party beneficiary clause
The contract should include a third-party beneficiary clause enabling data subjects to assert their rights vis-à-vis the exporter and/or the importer.
Principle 9 – Liability
The contract should provide for compensation for data subjects who suffer damage when their data are processed in breach of the contract.
Explanatory note:
An effective compensation system is one which provides for joint and several liability of the importer and the exporter; other systems, such as a system of insurance, may also be effective. Claims for compensation must arise from a breach of the contractual data protection clauses. Compensation may be sought not only for pecuniary damage but also for non-pecuniary damage.
Principle 10 – Applicable law
The contract should stipulate that the law governing relations under the contract is the law in the exporter’s country, provided that the law provides for a third party beneficiary clause. Where such a clause is not permitted by the law of the exporter’s country, the contract should stipulate that the law applicable to relations under the contract is the law of a country which is a party to Convention 108 for the protection of individuals with regard to automatic processing of personal data, whose law provides for the inclusion of a third party beneficiary clause.
Principle 11 – Jurisdiction and mediation
The contract should afford data subjects the right to bring any dispute regarding performance of the contract with the exporter and/or the importer of the data before the competent courts of the country where the exporter is established, without prejudice to the data subject’s procedural or substantive right to obtain compensation according to other provisions of national or international law. The contract should also make provision for data subjects, in the event of a dispute not resolved by friendly settlement, to seek an extra-judicial mechanism for settlement of disputes (such as arbitration or mediation).
Explanatory note:
Mediation could also be provided by the competent data protection authority. Data subjects should be able to retain the possibility of recourse to the courts, irrespective of agreements between the parties on the settlement of disputes.
Principle 12 – Disclosure of data
The contract should limit disclosures to third parties of the data transferred to those which are necessary to meet the purposes of the transfer. Such disclosures should be subject to conditions guaranteeing an equivalent level of data protection to that offered by the clauses of the original contract. The transfer could also be made if the data subject gave his or her consent. If such disclosure concerns sensitive data, the explicit consent of the data subject should be required.
Explanatory note:
The disclosure should be made only for the purposes for which the data were transferred. The new importer could accede to the original contract with the original exporter.
Principle 13 – Control and co-operation with supervisory authorities
The contract should authorise the exporter to check compliance with the contractual clauses on data protection or to have it checked. The contract could also provide for the possibility for the importer to supply information concerning the processing of the transferred data to the data protection authority of the exporter’s country upon request, as well as the obligation to abide by the opinion of this same authority as regards the processing of the data transferred.
Explanatory note:
The exporter may carry out a check himself or herself. He or she may also entrust this task to an independent and qualified third party. In order to ensure that the data protection authority does not order the contract to be suspended, it is preferable that the importer agree to follow the instructions of this authority with a view to improving compliance with the contractual clauses. “Data protection authority” means the supervisory authority responsible for ensuring compliance with the measures in its domestic law giving effect to the principles stated in Convention 108 and its Additional Protocol.
Principle 14 – Termination of the contract
Termination of the contract should be possible, in particular where:
- changes in the importer’s national law or any serious event occurring in his or her country make it impossible to abide by the contractual clauses;
- the data protection authority of the exporter’s country orders cessation of the data transfer to the importer;
- the importer is insolvent or declared bankrupt.
The contract should provide that when it expires or is terminated, the exporter and the importer remain bound by the obligations and the conditions provided for in the contract with regard to the processing of the data which have been transferred.
Convention for the protection of individuals with regard to automatic processing of personal data
Preamble
The member States of the Council of Europe, signatory hereto,
Considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;
Considering that it is desirable to extend the safeguards for everyone's rights and fundamental freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing;
Reaffirming at the same time their commitment to freedom of information regardless of frontiers;
Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples,
Have agreed as follows:
Chapter I – General provisions
Article 1 – Object and purpose
The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (“data protection”).
Article 2 – Definitions
For the purposes of this convention:
a “personal data” means any information relating to an identified or identifiable individual (“data subject”);
b “automated data file” means any set of data undergoing automatic processing;
c “automatic processing” includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination;
d “controller of the file” means the natural or legal person, public authority, agency or any other body who is competent according to the national law to decide what should be the purpose of the automated data file, which categories of personal data should be stored and which operations should be applied to them.
Article 3 – Scope
1. The Parties undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.
2. Any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, or at any later time, give notice by a declaration addressed to the Secretary General of the Council of Europe:
a. that it will not apply this convention to certain categories of automated personal data files, a list of which will be deposited. In this list it shall not include, however, categories of automated data files subject under its domestic law to data protection provisions. Consequently, it shall amend this list by a new declaration whenever additional categories of automated personal data files are subjected to data protection provisions under its domestic law;
b. that it will also apply this convention to information relating to groups of persons, associations, foundations, companies, corporations and any other bodies consisting directly or indirectly of individuals, whether or not such bodies possess legal personality;
c. that it will also apply this convention to personal data files which are not processed automatically.
3. Any State which has extended the scope of this convention by any of the declarations provided for in sub-paragraph 2.b or c above may give notice in the said declaration that such extensions shall apply only to certain categories of personal data files, a list of which will be deposited.
4. Any Party which has excluded certain categories of automated personal data files by a declaration provided for in sub-paragraph 2.a above may not claim the application of this convention to such categories by a Party which has not excluded them.
5. Likewise, a Party which has not made one or other of the extensions provided for in sub-paragraphs 2.b and c above may not claim the application of this convention on these points with respect to a Party which has made such extensions.
6. The declarations provided for in paragraph 2 above shall take effect from the moment of the entry into force of the convention with regard to the State which has made them if they have been made at the time of signature or deposit of its instrument of ratification, acceptance, approval or accession, or three months after their receipt by the Secretary General of the Council of Europe if they have been made at any later time. These declarations may be withdrawn, in whole or in part, by a notification addressed to the Secretary General of the Council of Europe. Such withdrawals shall take effect three months after the date of receipt of such notification.
Chapter II – Basic principles for data protection
Article 4 – Duties of the Parties
1. Each Party shall take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in this chapter.
2. These measures shall be taken at the latest at the time of entry into force of this convention in respect of that Party.
Article 5 – Quality of data
Personal data undergoing automatic processing shall be:
a. obtained and processed fairly and lawfully;
b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are stored;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Article 6 – Special categories of data
Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.
Article 7 – Data security
Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.
Article 8 – Additional safeguards for the data subject
Any person shall be enabled:
a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;
c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this convention;
d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.
Article 9 – Exceptions and restrictions
1. No exception to the provisions of Articles 5, 6 and 8 of this convention shall be allowed except within the limits defined in this article.
2. Derogation from the provisions of Articles 5, 6 and 8 of this convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:
a. protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others.
3. Restrictions on the exercise of the rights specified in Article 8, paragraphs b, c and d, may be provided by law with respect to automated personal data files used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the data subjects.
Article 10 – Sanctions and remedies
Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter.
Article 11 – Extended protection
None of the provisions of this chapter shall be interpreted as limiting or otherwise affecting the possibility for a Party to grant data subjects a wider measure of protection than that stipulated in this convention.
Chapter III – Transborder data flows
Article 12 – Transborder flows of personal data and domestic law
1. The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
2. A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.
3. Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:
a. insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
b. when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.
Chapter IV – Mutual assistance
Article 13 – Co-operation between Parties
1. The Parties agree to render each other mutual assistance in order to implement this convention.
2. For that purpose:
a. each Party shall designate one or more authorities, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;
b. each Party which has designated more than one authority shall specify in its communication referred to in the previous sub-paragraph the competence of each authority.
3. An authority designated by a Party shall at the request of an authority designated by another Party:
a. furnish information on its law and administrative practice in the field of data protection;
b. take, in conformity with its domestic law and for the sole purpose of protection of privacy, all appropriate measures for furnishing factual information relating to specific automatic processing carried out in its territory, with the exception however of the personal data being processed.
Article 14 – Assistance to data subjects resident abroad
1. Each Party shall assist any person resident abroad to exercise the rights conferred by its domestic law giving effect to the principles set out in Article 8 of this convention.
2. When such a person resides in the territory of another Party he shall be given the option of submitting his request through the intermediary of the authority designated by that Party.
3. The request for assistance shall contain all the necessary particulars, relating inter alia to:
a. the name, address and any other relevant particulars identifying the person making the request;
b. the automated personal data file to which the request pertains, or its controller;
c. the purpose of the request.
Article 15 – Safeguards concerning assistance rendered by designated authorities
1. An authority designated by a Party which has received information from an authority designated by another Party either accompanying a request for assistance or in reply to its own request for assistance shall not use that information for purposes other than those specified in the request for assistance.
2. Each Party shall see to it that the persons belonging to or acting on behalf of the designated authority shall be bound by appropriate obligations of secrecy or confidentiality with regard to that information.
3. In no case may a designated authority be allowed to make under Article 14, paragraph 2, a request for assistance on behalf of a data subject resident abroad, of its own accord and without the express consent of the person concerned.
Article 16 – Refusal of requests for assistance
A designated authority to which a request for assistance is addressed under Articles 13 or 14 of this convention may not refuse to comply with it unless:
a. the request is not compatible with the powers in the field of data protection of the authorities responsible for replying;
b. the request does not comply with the provisions of this convention;
c. compliance with the request would be incompatible with the sovereignty, security or public policy (ordre public) of the Party by which it was designated, or with the rights and fundamental freedoms of persons under the jurisdiction of that Party.
Article 17 – Costs and procedures of assistance
1. Mutual assistance which the Parties render each other under Article 13 and assistance they render to data subjects abroad under Article 14 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party which has designated the authority making the request for assistance.
2. The data subject may not be charged costs or fees in connection with the steps taken on his behalf in the territory of another Party other than those lawfully payable by residents of that Party.
3. Other details concerning the assistance relating in particular to the forms and procedures and the languages to be used, shall be established directly between the Parties concerned.
Chapter V – Consultative Committee
Article 18 – Composition of the committee
1. A Consultative Committee shall be set up after the entry into force of this convention.
2. Each Party shall appoint a representative to the committee and a deputy representative. Any member State of the Council of Europe which is not a Party to the convention shall have the right to be represented on the committee by an observer.
3. The Consultative Committee may, by unanimous decision, invite any non-member State of the Council of Europe which is not a Party to the convention to be represented by an observer at a given meeting.
Article 19 – Functions of the committee
The Consultative Committee:
a. may make proposals with a view to facilitating or improving the application of the convention;
b. may make proposals for amendment of this convention in accordance with Article 21;
c. shall formulate its opinion on any proposal for amendment of this convention which is referred to it in accordance with Article 21, paragraph 3;
d. may, at the request of a Party, express an opinion on any question concerning the application of this convention.
Article 20 – Procedure
1. The Consultative Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this convention. It shall subsequently meet at least once every two years and in any case when one-third of the representatives of the Parties request its convocation.
2. A majority of representatives of the Parties shall constitute a quorum for a meeting of the Consultative Committee.
3. After each of its meetings, the Consultative Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of the convention.
4. Subject to the provisions of this convention, the Consultative Committee shall draw up its own Rules of Procedure.
Chapter VI – Amendments
Article 21 – Amendments
1. Amendments to this convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Consultative Committee.
2. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the member States of the Council of Europe and to every non-member State which has acceded to or has been invited to accede to this convention in accordance with the provisions of Article 23.
3. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Consultative Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.
4. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Consultative Committee and may approve the amendment.
5. The text of any amendment approved by the Committee of Ministers in accordance with paragraph 4 of this article shall be forwarded to the Parties for acceptance.
6. Any amendment approved in accordance with paragraph 4 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof.
Chapter VII – Final clauses
Article 22 – Entry into force
1. This convention shall be open for signature by the member States of the Council of Europe. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.
2. This convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five member States of the Council of Europe have expressed their consent to be bound by the convention in accordance with the provisions of the preceding paragraph.
3. In respect of any member State which subsequently expresses its consent to be bound by it, the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of ratification, acceptance or approval.
Article 23 – Accession by non-member States
1. After the entry into force of this convention, the Committee of Ministers of the Council of Europe may invite any State not a member of the Council of Europe to accede to this convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the committee.
2. In respect of any acceding State, the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.
Article 24 – Territorial clause
1. Any State may at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this convention shall apply.
2. Any State may at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this convention to any other territory specified in the declaration. In respect of such territory the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.
3. Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General. The withdrawal shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of such notification by the Secretary General.
Article 25 – Reservations
No reservation may be made in respect of the provisions of this convention.
Article 26 – Denunciation
1. Any Party may at any time denounce this convention by means of a notification addressed to the Secretary General of the Council of Europe.
2. Such denunciation shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of the notification by the Secretary General.
Article 27 – Notifications
The Secretary General of the Council of Europe shall notify the member States of the Council and any State which has acceded to this convention of:
a. any signature;
b. the deposit of any instrument of ratification, acceptance, approval or accession;
c. any date of entry into force of this convention in accordance with Articles 22, 23 and 24;
d. any other act, notification or communication relating to this Convention.
In witness whereof the undersigned, being duly authorised thereto, have signed this Convention.
Done at Strasbourg, the 28th day of January 1981, in English and in French, both texts being equally authoritative, in a single copy which shall remain deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe and to any State invited to accede to this Convention.
Additional Protocol to the Convention for the protection of individuals with regard to automatic processing of personal data, regarding supervisory authorities and transborder data flows
Preamble
The Parties to this additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature in Strasbourg on 28 January 1981 (hereafter referred to as "the Convention");
Convinced that supervisory authorities, exercising their functions in complete independence, are an element of the effective protection of individuals with regard to the processing of personal data;
Considering the importance of the flow of information between peoples;
Considering that, with the increase in exchanges of personal data across national borders, it is necessary to ensure the effective protection of human rights and fundamental freedoms, and in particular the right to privacy, in relation to such exchanges of personal data,
Have agreed as follows:
Article 1 – Supervisory authorities
1. Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles stated in Chapters II and III of the Convention and in this Protocol.
2. a. To this end, the said authorities shall have, in particular, powers of investigation and intervention, as well as the power to engage in legal proceedings or bring to the attention of the competent judicial authorities violations of provisions of domestic law giving effect to the principles mentioned in paragraph 1 of Article 1 of this Protocol.
b. Each supervisory authority shall hear claims lodged by any person concerning the protection of his/her rights and fundamental freedoms with regard to the processing of personal data within its competence.
3. The supervisory authorities shall exercise their functions in complete independence.
4. Decisions of the supervisory authorities, which give rise to complaints, may be appealed against through the courts.
5. In accordance with the provisions of Chapter IV, and without prejudice to the provisions of Article 13 of the Convention, the supervisory authorities shall co-operate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.
Article 2 – Transborder flows of personal data to a recipient which is not subject to the jurisdiction of a Party to the Convention
1. Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer.
2. By way of derogation from paragraph 1 of Article 2 of this Protocol, each Party may allow for the transfer of personal data:
a. if domestic law provides for it because of:
– specific interests of the data subject, or
– legitimate prevailing interests, especially important public interests, or
b. if safeguards, which can in particular result from contractual clauses, are provided by the controller responsible for the transfer and are found adequate by the competent authorities according to domestic law.
Article 3 – Final provisions
1. The provisions of Articles 1 and 2 of this Protocol shall be regarded by the Parties as additional articles to the Convention and all the provisions of the Convention shall apply accordingly.
2. This Protocol shall be open for signature by States Signatories to the Convention. After acceding to the Convention under the conditions provided by it, the European Communities may sign this Protocol. This Protocol is subject to ratification, acceptance or approval. A Signatory to this Protocol may not ratify, accept or approve it unless it has previously or simultaneously ratified, accepted or approved the Convention or has acceded to it. Instruments of ratification, acceptance or approval of this Protocol shall be deposited with the Secretary General of the Council of Europe.
3. a. This Protocol shall enter into force on the first day of the month following the expiry of a period of three months after the date on which five of its Signatories have expressed their consent to be bound by the Protocol in accordance with the provisions of paragraph 2 of Article 3.
b. In respect of any Signatory to this Protocol which subsequently expresses its consent to be bound by it, the Protocol shall enter into force on the first day of the month following the expiry of a period of three months after the date of deposit of the instrument of ratification, acceptance or approval.
4. a. After the entry into force of this Protocol, any State which has acceded to the Convention may also accede to the Protocol.
b. Accession shall be effected by the deposit with the Secretary General of the Council of Europe of an instrument of accession, which shall take effect on the first day of the month following the expiry of a period of three months after the date of its deposit.
5. a. Any Party may at any time denounce this Protocol by means of a notification addressed to the Secretary General of the Council of Europe.
b. Such denunciation shall become effective on the first day of the month following the expiry of a period of three months after the date of receipt of such notification by the Secretary General.
6. The Secretary General of the Council of Europe shall notify the member States of the Council of Europe, the European Communities and any other State which has acceded to this Protocol of:
a. any signature;
b. the deposit of any instrument of ratification, acceptance or approval;
c. any date of entry into force of this Protocol in accordance with Article 3;
d. any other act, notification or communication relating to this Protocol.
In witness whereof the undersigned, being duly authorised thereto, have signed this Protocol.
Done at Strasbourg, this 8th day of November 2001, in English and in French, both texts being equally authentic, in a single copy which shall be deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe, the European Communities and any State invited to accede to the Convention.
Model Contract to ensure Equivalent Data Protection in the context of Transborder Data Flows: Study made jointly by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce (2 November 1992) 7
MODEL CLAUSES FOR INCLUSION IN A MODEL CONTRACT
The licensor and the licensee agree on a licence giving the right to use personal data against payment of a sum of ...
The agreement between the parties shall be governed by the following conditions.
1. Obligations of the licensor
The licensor represents and warrants to the licensee that the data are lawfully transferred to the licensee and that in accordance with domestic law, they
a. have been obtained and processed fairly and lawfully;
b. have been stored for specific and legitimate purposes and are not used in a way incompatible with these purposes;
c. are adequate, relevant and not excessive in regard to the purposes for which they will be licensed;
d. are accurate and up to date;
e. are authorised to be stored for a period of ...
2. Obligations of the licensee
The licensee represents and warrants for his part that in using the data he will respect in all regards the principles set out in the representations and warranties of the licensor and that he will prohibit any processing or use of the data which would not be in accordance with the contract. For this purpose, the licensee undertakes in particular to respect the following non-exhaustive list of obligations:
a. the licensee will use the data for the following purposes, to the exclusion of any other purposes, namely [the purposes in question would be listed];
b. the licensee shall refrain from processing personal data revealing racial origin, political opinions, or religious or other beliefs, as well as personal data concerning health or sexual life or criminal convictions unless the processing is governed by such guarantees as would have been applied under the domestic law of the licensor;
c. the licensee shall use the data exclusively for his own use and shall not communicate, either free of charge or in return for payment, the data to any other legal or natural person, except when there is an obligation under his domestic law, which shall be mentioned;
d. the licensee shall immediately rectify, delete and update the data on receiving instructions to this effect from the licensor. The licensee undertakes in particular to rectify, complete or delete all or part of the data if it appears that such measures are required by the law of the State of the licensor or are based on new circumstances occurring in the State of the licensor. The licensor shall notify and justify the circumstances to the licensee as soon as legal notice is published in the State of the licensor.
The licensee undertakes to ensure that data subjects have rights of access to and rectification and erasure of their data in the same way as they would have had under the domestic law of the licensor.
Should the licensee refuse to allow data subjects to exercise the right of access, or refuse rectification or erasure requested by the data subject, the licensor shall
- either terminate purely and simply the contract, on the conditions and with the consequences which result from this as foreseen in clause 5,
- or set in motion the procedure for designation of an arbitrator foreseen in clause 4.
3. Liability and indemnity
The licensee shall be liable for the use made of the data which have been transferred by the licensor.
The licensee undertakes to indemnify the licensor for any breach resulting from his obligations under the contract or for any fault or manifest negligence linked to the execution of the contract.
4. Settlement of disputes
See paragraphs 37-39 "Settlement of disputes" in the explanatory memorandum.
5. Termination of the contract
Should the licensee show bad faith in the implementation of the contract or refuse to respect, in particular, the decision of the arbitrators, the licensor reserves the right to terminate the contract by registered letter with recorded delivery, or by any other equivalent means, and without prejudice to any claim for damages and interest.
On termination of the contract, the licensee shall destroy the data and inform the licensor accordingly.
In case of failure to respect the preceding clause, the licensee undertakes to pay to the licensor the sum of ...
Please see the Standard Contractual Clauses (for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to third countries which do not ensure an adequate level of protection) in the Appendices to Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC.
Please see the Standard Contractual Clauses (processors) (for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to third countries which do not ensure an adequate level of protection) in the Appendices to Commission Decision of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC.
List of data protection supervisory authorities of parties to Convention 108
AUSTRIA
Büro der Datenschutzkommission und des Datenschutzrates
Bundeskanzleramt
Ballhausplatz 1
A - 1014 VIENNA
Tel: 43 1 - 531 15 25 28
Fax: 43 1 - 531 15 26 90
E-mail : [email protected]
Internet: http://www.bka.gv.at/datenschutz/
BELGIUM
Commission de la Protection de la vie privée
Boulevard de Waterloo 115 / Avenue de la Porte de Hal 5 - 8
B - BRUXELLES 1000 / B - Bruxelles 1060
Tel: 32 2 542 72 00
Fax: 32 2 542 72 12 / 7201
E-mail : [email protected]
Internet: www.privacy.fgov.be
BULGARIA
Personal Data Protection Commission
1, "Dondukov" Blvd
1000 SOFIA
Tel: +359 2 940 2046
Fax: +359 2 940 2191
[email protected]
CZECH REPUBLIC
The Office for the Personal Data Protection
Havelkova 22
CZ - 130 00 PRAGUE 3
Tel : 420 2 - 21 00 82 88
Fax : 420 2 - 24 23 14 85
E-mail : [email protected]
Internet : http://www.uoou.cz
CYPRUS
The Office of the Personal Data Protection Commissioner
40 Th. Dervis Street
1066 NICOSIA
Tel : 357 22 818 456
Fax : 357 22 304 565
E-mail :
DENMARK
Datatilsynet
Borgergade 28
1300 København K
Tel.: +45 33 19 32 00
Fax +45 33 19 32 18
E-mail : [email protected]
Internet : www.datatilsynet.dk
ESTONIA
Inspection of Data Protection
Väike-Ameerika 19
EE 10129 - TALLINN
Tel : 372 62 74 135
Fax : 372 62 74 137
E-mail : [email protected]
Internet : www.dp.gov.ee
FINLAND
Office of the Data Protection Ombudsman
Albertinkatu 25, 3rd Floor, P.O. Box 315
FIN - 00181 HELSINKI
Tel: 358 9 182 51
Fax: 358 9 182 57 835
E-mail: [email protected]
Internet: www.tietosuoja.fi
FRANCE
Commission Nationale de l'Informatique et des Libertés
21, rue Saint-Guillaume
F - 75340 PARIS CEDEX 7
Tel: 33 1 53 73 22 22
Fax: 33 1 53 73 22 00
Minitel: 36-15 code CNIL
Internet: www.cnil.fr
GERMANY
Der Bundesbeauftragte für den Datenschutz
Friedrich-Ebert-Str. 1
D - 53173 BONN (Bad Godesberg)
Tel: 49 1888 - 7799 - 0
Fax: 49 1888 - 7799 - 550
E-mail: [email protected]
Internet: www.datenschutz.de
GREECE
Data Protection Commission
Omirou 8
GR - 105 64 Athens
Tel: 30 1 33 52 604
Fax: 30 1 33 52 617
E-mail: [email protected]
Internet: www.dpa.gr
HUNGARY
The Hungarian Data Protection Commissioner
Nádor u. 22.
H - 1051 BUDAPEST
Tel: 36 1 475 71 86
Fax: 36 1 269 35 41
E-mail: [email protected]
Internet: www.obh.hu
ICELAND
Persónuvernd (The Data Processing Authority)
Rauðarárstíg 10
IS-105, Reykjavik
Tel: 354 510 96 00
Fax: 354 510 9606
E-mail: [email protected]
Internet: www.personuvernd.is
IRELAND
Data Protection Commissioner
Block 4 Irish Life Centre
Talbot Street
IRL - DUBLIN 1
Tel: 353 1 874 85 44
Fax: 353 1 874 54 05
E-mail: [email protected]
Internet: www.dataprivacy.ie
ITALY
Garante per la protezione dei dati personali
Piazza Monte Citorio, n. 121
I - 00186 ROMA
Tel: 39 06 69 67 71
Fax: 39 06 69 67 77 15
E-mail: [email protected]
Internet: http://www.garanteprivacy.it
LATVIA
Data State Inspection
Kr. Barona Street 5/4
LV-1050 RIGA
Tel: +371 7223131
Fax: +371 7223556
E-mail: [email protected]
Internet: http://www.dvi.gov.lv
LITHUANIA
State Data Protection Inspectorate
under the Ministry of Public Administration Reforms and Local Authorities
Gedimino Ave. 27/2
2600 VILNIUS
Tel.: 370 2 22 75 32
Fax.: 370 2 61 94 94
E-mail: [email protected]
Internet: http://www.ada.lt/en/
LUXEMBOURG
Commission à la Protection des Données Nominatives
Ministère de la Justice
Boulevard Royal, 15
Tel.: 352 478 45 46
Fax: 352 22 76 61
E-mail: - / -
Internet: - / -
NETHERLANDS
College Bescherming Persoonsgegevens -CBP-
P.O. Box 93 374
NL - 2509 AJ DEN HAAG
Tel: 31 70 381 13 00
Fax: 31 70 381 13 01
E-mail: [email protected]
Internet: www.cbpweb.nl
NORWAY
Datatilsynet / The Data Inspectorate
P.O. Box 8177 Dep
N - 0034 OSLO
Tel: 47 22 42 19 10
Fax: 47 22 42 23 50
E-mail: [email protected]
Internet: www.datatilsynet.no
POLAND
The Bureau of the Inspector General for the Protection of Personal Data
PL. Powstancow Warszawy 1
00 030 WARSZAWA
POLAND
Tel : 48 22 827 88 10
Fax : 48 22 827 88 11
E-mail : [email protected]
Internet: www.giodo.gov.pl
PORTUGAL
Comissão Nacional de Protecção de Dados
Rua de São Bento 148, 3º
P - 1200 LISBOA
Tel: 351 21 392 84 00
Fax: 351 21 397 68 32
E-mail: [email protected]
Internet: www.cnpd.pt
ROMANIA
People's Advocate
B-dul Iancu de Hunedoara, nr 3-5
Sector 1
71204 BUCHAREST
Tel: 40 1 231 5001
Fax: 40 1 231 50 00
E-mail: [email protected]
Internet: http://www.avp.ro
SLOVAK REPUBLIC
Commissioner For Personal Data Protection,
Úrad vlády Slovenskej republiky
Námestie slobody 1
813 70 BRATISLAVA
tel: +421 7 59379 378
fax: +421 7 59379 266
e-mail: [email protected]
Internet : www.dataprotection.gov.sk
SLOVENIA
Ministry of Justice
Zupanciceva 3
SLO - 1000 LJUBLJANA
Tel : 386 61 17 85 549
Fax : 386 61 12 61 050
E-mail : [email protected]
SPAIN
Agencia de Protección de Datos
C/ Sagasta, 22
ESP - MADRID 28004
Tel: + 34 91 399 62 00
Fax: + 34 91 308 46 92
E-mail: [email protected]
Internet: http://www.agenciaprotecciondatos.org
SWEDEN
Datainspektionen/The Data Inspection Board
Box 8114
S - 104 20 STOCKHOLM
Tel: 46 8 - 657 61 00
Fax: 46 8 652 86 52
E-mail: [email protected]
Internet: http://www.datainspektionen.se/
SWITZERLAND
Eidgenössischer Datenschutzbeauftragter /Swiss Federal Data Protection Commissioner
Feldeggweg 1
CH - 3003 BERNE
Tel: 41 31 322 43 95
Fax: 41 31 325 99 96
E-mail: [email protected]/ [email protected]
Internet: www.edsb.ch
UNITED KINGDOM
Information Commissioner
Wycliffe House, Water Lane
UK - WILMSLOW - CHESHIRE SK9 5AF
Tel: 44 (0) 1625 545 745
Fax: 44 (0) 1625 524 510
E-mail: [email protected]
Internet: http://www.dataprotection.gov.uk
3 WP 4 (5020/97) ‘First orientations on transfers of personal data to third countries working document — possible ways forward in assessing adequacy’, a discussion document adopted by the Working Party on 26 June 1997.
WP 7 (5057/97) ‘Judging industry self regulation: when does it make a meaningful contribution to the level of data protection in a third country?’, working document: adopted by the Working Party on 14 January 1998.
WP 9 (3005/98) ‘Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries’, working document: adopted by the Working Party on 22 April 1998.