|
MINISTERS’ DEPUTIES |
Resolutions |
CM/Res(2022)14 |
15 June 2022 |
|
Resolution CM/Res(2022)14 (Adopted by the Committee of Ministers on 15 June 2022 |
The Committee of Ministers, under the terms of Article 16 of the Statute of the Council of Europe,
Bearing in mind the provisions of the Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (“Convention 108+”) as adopted by the Deputies at the 128th Session of the Committee of Ministers (Elsinore, Denmark, 17-18 May 2018);
Determined to respect the principles of data protection contained in the Convention 108+ within the Council of Europe itself;
Concerned to promote within the Council of Europe the right to respect for private life and correspondence enshrined in Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms as interpreted by the European Court of Human Rights;
Having regard to Article 2.1.3 of the Staff Regulations adopted by Resolution CM/Res(2021)6 of the Committee of Ministers on 22 September 2021;
Considering that the Secretary General’s Regulation of 17 April 1989 instituting a system of data protection for personal data files at the Council of Europe is outdated and shall be replaced by new Data Protection Regulations of the Council of Europe;
On the proposal of the Secretary General, the Staff Committee having been consulted in accordance with Article 6, paragraph 1, of the Regulations on Staff Participation (Appendix I to the Staff Regulations);
Decides:
Article 1
The Regulations on the Protection of Personal Data as set out below are hereby adopted with the effective date of 1 January 2023.
Article 2
The Secretary General shall ensure that processing of personal data already under way on the date these Regulations enter into force are brought into conformity with these Regulations within a two-year period.
Article 3
The Data Protection Commissioner in office on the date of the entry into force of these Regulations shall continue exercising his duties until the expiry of his mandate, without prejudice to the possibility of him or her being re-elected pursuant to the provisions of the present Regulations.
Article 4
Pending the entry into force of the Convention 108+, the Data Protection Commissioner will be elected by the representatives of the member States in the Convention Committee established under Article 18 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). The annual report of the Data Protection Commissioner’s activities shall also be presented to the said Convention Committee.
Article 5
The Regulation of 17 April 1989 instituting a system of data protection for personal data files at the Council of Europe shall be repealed with the effective date of 1 January 2023.
Appendix to Resolution CM/Res(2022)14
REGULATIONS ON THE PROTECTION OF PERSONAL DATA
Section I – General Provisions
Article 1
Object and purpose
In accordance with these Regulations, the Council of Europe, hereinafter referred to as “the Organisation”, shall ensure protection of all individuals, whatever their nationality or residence, with regard to the processing of their personal data by the Organisation, thereby contributing to respect for their human rights and fundamental freedoms, and in particular their right to privacy.
Article 2
Definitions
For the purposes of this Regulation:
2.1 “personal data” means any information relating to an identified or identifiable individual (“data subject”); an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to her or his physical, physiological, mental, economic, cultural or social identity; an individual is not considered identifiable if her or his identification would require unreasonable time, effort or means;
2.2 “data processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, destruction or the carrying out of logical and/or arithmetical operations on such data;
2.3 where automated processing is not used, “data processing” means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria;
2.4 “controller” means any administrative entity, organ, institution or authority within the Organisation which alone or jointly with others has the decision-making power with respect to data processing, whether this power derives from a legal designation, delegation or factual circumstances;
2.5 “recipient” means a natural or legal person, public authority or any other body to whom data are disclosed or made available;
2.6 “processor“ means a legal or natural person (other than a member of the Organisation’s Secretariat), public authority or any other body which processes personal data on behalf of the controller;
2.7 “internal legal framework” means a system of legally binding instruments such as regulations, rules, policies and procedures defining, in particular, the Organisation’s governance structure; operational aspects of the Organisation’s activities; budget and financial management; and conditions of employment by the Organisation;
2.8 “the data subject’s consent” means any freely given, unambigious, specific and informed indication, either by a statement or by a clear affirmative action, signifying agreement to the processing of personal data related to them or to individuals for whom they exercise legal authority.
Article 3
Scope
3.1 The present Regulations shall apply to the processing of personal data by the Organisation, including the Headquarters and all external offices established by the Organisation.
3.2 The processing of personal data by the European Court of Human Rights in the framework of its judicial activities shall be regulated by the Court’s own rules.
3.3 The processing of personal data by the Administrative Tribunal of the Council of Europe in the framework of its judicial activities shall be regulated by the Statute of the Tribunal and its own rules.
Section II – Principles for the protection of personal data
Article 4
Legitimacy of data processing and quality of data
4.1 Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.
4.2 Data processing can be carried out:
4.2.1 on the basis laid down by the Council of Europe legal instruments or internal legal framework where it is necessary for the performance of the Organisation’s tasks and activities in furtherance of its aim as set out in Article 1 of the Statute, including the discharge of its statutory functions or of the functions of entities established by resolution or decision of the statutory organs or otherwise established by the member States; performance of other activities of international co-operation including with other international organisations, and ancillary operations including internal administrative functions;
4.2.2 where it is necessary for compliance with a legal obligation to which the Organisation is subject;
4.2.3 on the basis of the data subject’s consent or that of her or his legal representative;
4.2.4 where it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
4.2.5 where it is necessary in order to protect the vital interests of the data subject or another individual;
4.2.6 where it is necessary for the purposes of the legitimate interests pursued by the Organisation, except where such interests are overridden by the interests or human rights and fundamental freedoms of the data subject.
4.3. Personal data undergoing processing shall be:
4.3.1 processed lawfully, fairly and in a transparent manner;
4.3.2 collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving, historical, statistical and scientific purposes is compatible with those purposes, subject to appropriate additional safeguards to be taken by the controller;
4.3.3 adequate, relevant and not excessive in relation to the purposes for which they are processed;
4.3.4 accurate and, where necessary, kept up to date;
4.3.5 preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
Article 5
Processing of special categories of data
5.1 The processing of sensitive data shall only be carried out where additional appropriate safeguards, provided by the Organisation’s internal legal framework, protect against the risks that the processing of sensitive data may present for the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.
5.2 Sensitive data include:
5.2.1 genetic data;
5.2.2 personal data relating to offences, criminal proceedings and convictions, disciplinary proceedings and any related measures;
5.2.3 biometric data uniquely identifying a person;
5.2.4 personal data for the purpose of revealing information relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life.
Article 6
Data security
6.1 The controller and, where applicable, the processor shall take appropriate security measures against risks such as accidental or unauthorised access, destruction, loss, use, modification or disclosure of personal data. Such appropriate measures may be of technical or organisational character and include, as appropriate:
6.1.1 the pseudonymisation and encryption of personal data;
6.1.2 measures aimed at ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.1.3 measures aimed at restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident;
6.1.4 a process for regularly testing, assessing and evaluating the effectiveness of the measures.
6.2 In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
6.3 Any data breach shall be immediately notified by the controller to the Data Protection Officer. The notification shall, as a minimum:
6.3.1 describe the nature of the personal data breach including, where possible, the categories and estimated number of data subjects concerned and the categories and approximate number of personal data records concerned;
6.3.2 describe the likely consequences of the personal data breach;
6.3.3 describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.4 The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
6.5. The Data Protection Officer shall notify, without delay, the Data Protection Commissioner and the affected data subject(s) of those data breaches which may seriously interfere with their rights and fundamental freedoms.
Article 7
Transparency of data processing
7.1 The controller shall inform the data subject, where the latter does not already have the information, of:
7.1.1 its identity and contact details;
7.1.2 the legal basis and the purposes of the intended processing;
7.1.3 the categories of personal data processed;
7.1.4 the recipients or categories of recipients of the personal data, if any;
7.1.5 the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
7.1.6 the existence of the right to withdraw consent at any time, where the processing is based on the data subject’s consent, without affecting the lawfulness of processing based on consent before its withdrawal;
7.1.7 the existence of any automated decision making, as well as the significance and the envisaged consequences of such processing for the data subject; and
7.1.8 the means of exercising their rights set out in Article 8, as well as any necessary additional information in order to ensure fair and transparent processing of the personal data.
7.2 Where the personal data are not collected from the data subjects themselves, the controller shall not be required to provide the information referred to in provision 7.1 of the present Article where this proves to be impossible or involves disproportionate efforts or is likely to render impossible or seriously impair the achievement of the objectives of the processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests.
Article 8
Rights of the data subject
Every data subject whose personal data is processed by the Organisation shall have a right:
8.1 to obtain, on request, at reasonable intervals and without excessive delay, confirmation of the processing of personal data relating to her or him, the communication in an intelligible form of the data processed, all available information on their source, on the preservation period as well as any other information that the Organisation is required to provide in order to ensure fair and transparent processing of the personal data in accordance with Article 7.1;
8.2 to receive an explanation, on request, of the reasoning underlying data processing where the results of such processing are applied to her or him;
8.3 to object at any time, on grounds relating to her or his situation, to the processing of personal data concerning her or him; objections shall be deemed unjustified if the Organisation demonstrates legitimate grounds for the processing which override her or his interests or rights and fundamental freedoms;
8.4 to obtain, on request and without excessive delay, rectification or erasure, of such data if these are being or have been processed contrary to the provisions of these Regulations;
8.5 not to be subject to a decision significantly affecting her or him based solely on an automated processing of data without having her or his views taken into consideration, unless such decision is expressly authorised by the internal legal framework of the Council of Europe provided that it lays down suitable measures to safeguard the individuals’ rights and freedoms and legitimate interests;
8.6 to have a remedy under Section IV of these Regulations where her or his rights under these Regulations have been infringed.
Article 9
Additional obligations
9.1 The controller shall take all appropriate measures to ensure, and be able to demonstrate, that the data processing carried out by the controller, or on its behalf by a processor, complies with these Regulations.
9.2 The controller and, where applicable, the processorshall examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.
9.3 The controller and, where applicable, the processorshall implement technical and organisational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing.
9.4 Where a type of processing of personal data is likely to result in a risk to the rights and fundamental freedoms of the data subjects due notably to the nature and volume of the data or the nature, scope and purpose of the processing, the controller shall seek the advice of the Data Protection Officer. The Data Protection Officer shall consult with the Data Protection Commissioner if, in the view of the Data Protection Officer, the risk to the rights and fundamental freedoms of the data subject(s) is particularly high.
9.5 Where a decision taken by the controller significantly affects a data subject and is based solely on an automated processing of data without the data subject’s view being taken into consideration, suitable measures shall be put in place to safeguard the data subject's rights, freedoms and legitimate interests.
9.6 The controller shall only assign the task of processing of personal data to a processor if the latter provides adequate warranties of compliance with the level of protection of the personal data set forth by these Regulations as well as in the applicable procedures.
9.7 The carrying out of data processing by a processor on behalf of the Organisation shall be governed by a contract or other legal act binding the processor to the Organisation and setting out the nature and purpose of the processing; its duration; the type of personal data; the categories of data subjects; and the obligations and rights of the Organisation and the processor.
9.8 Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
9.8.1 the name and contact details of the controller and, where applicable, the processor and the joint controller;
9.8.2 the purposes of the processing;
9.8.3 a description of the categories of data subjects and of the categories of personal data;
9.8.4 the categories of recipients to whom the personal data have been or will be disclosed including recipients in member States, third countries or international organisations;
9.8.5 where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards specified in Article 12;
9.8.6 where possible, the envisaged time limits for erasure of the different categories of data;
9.8.7 where possible, a general description of the technical and organisational security measures referred to in Article 6 .1.
9.9 The records referred to in provision 9.8 of the present Article shall be in writing, including in electronic form, and shall be made available to the Data Protection Officer and/or the Data Protection Commissioner on request.
Article 10
Restrictions
10.1 The Organisation’s internal legal framework may restrict the application of the provisions of Articles 7 and 8 only when such a restriction, respects the essence of the rights and fundamental freedoms of the data subject and constitutes a necessary and proportionate measure to safeguard:
10.1.1 the management of safety and security risks to the Council of Europe staff or other individuals involved in the Organisation’s activities, or protection of the important financial interests of the Organisation;
10.1.2 the prevention of, or inquiry or investigation into, breaches of the internal legal framework and/or applicable laws and the conduct of disciplinary proceedings;
10.1.3 dispute resolution proceedings;
10.1.4 the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression and access to information.
10.2 The Organisation may restrict the exercise of the provisions specified in Articles 7 and 8 with respect to data processing which is carried out for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes and when there is no recognisable risk of infringement of the rights or fundamental freedoms of data subjects. Whenever possible, appropriate additional safeguards shall be applied such as data minimisation, anonymisation and/or pseudonymisation.
Obligations of staff members and other members of the Secretariat
Staff members and other members of the Secretariat shall:
11.1 treat any personal data with utmost care;
11.2 refrain from any processing of personal data that is not necessary, legitimate and appropriate in the light of their professional duties, these Regulations and the implementing instruments thereof;
11.3 seek the Data Protection Officer’s advice, in a timely manner, where required by these Regulations or the related procedures and guidelines; and act in accordance with the Data Protection Officer’s recommendations;
11.4 co-operate at all times with the Data Protection Officer and the Data Protection Commissioner;
11.5 identify, at her or his level, and promptly inform her or his hierarchical superior and the Data Protection Officer of any circumstances which may result in risks for the protection of personal data.
Article 12
Transfer of personal data outside the Organisation
12.1 The transfer of personal data outside the Organisation to a recipient within a State’s jurisdiction or to another international organisation may only take place where the Secretary General, after consultation with the Data Protection Commissioner, finds that a level of protection equivalent to that of these Regulations, which are based on the provisions of the Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (“Convention 108+”), is secured.
12.2 Such a level of protection can be secured by:
12.2.1 The law of the State or international organisation, including the applicable international treaties or agreements, in particular the fact of being Party to the Convention 108+ and effectively implementing its provisions;
12.2.2 standardised or ad hoc safeguards, approved by the Data Protection Commissioner, provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing of the data, including standard contractual clauses and provisions to be inserted into administrative arrangements between public authorities or bodies.
12.3 Notwithstanding the provisions of the previous paragraphs, the transfer of personal data may take place if:
12.3.1 the data subject has given her or his explicit consent to the proposed transfer, after being informed of risks arising in the absence of appropriate safeguards, or
12.3.2 the specific interests of the data subject require it in the particular case, for instance in order to protect her or his vital interests, or where she or he is physically or legally incapable of giving consent, or
12.3.3 prevailing legitimate interests, in particular important public interests, require such transfer and it constitutes a necessary and proportionate measure in a democratic society,
12.3.4 the transfer is necessary for the establishment, exercise or defence of legal claims.
12.4 The Data Protection Commissioner shall be provided with all relevant information concerning any transfer of data which are subject to ad hoc safeguards provided under 12.2.2., and, upon request, concerning transfers under provisions 12.3.2 and 12.3.3 of the present Article.
Section III – Advisory and supervisory authorities
Article 13
Data Protection Officer(s)
13.1 The Secretary General shall designate one or several Data Protection Officers on the basis of professional qualities, ability to fulfil the tasks referred to in Article 14 and, in particular, expert knowledge of data protection standards and practices.
13.2 The Data Protection Officer(s) may be (a) staff member(s) or fulfil the tasks on the basis of a service contract. The other professional tasks of the Data Protection Officer(s) shall be compatible with their tasks as Data Protection Officer(s) and shall not result in a conflict of interests.
13.3 The Organisation shall publish the contact details of the Data Protection Officer(s) and communicate them to the Data Protection Commissioner.
13.4 The Secretary General shall ensure that the Data Protection Officer(s):
13.4.1 enjoy wide-spread visibility within the Secretariat;
13.4.2 perform the tasks independently, do not receive any instructions as regards the exercise of their functions and are not dismissed or penalised for performing their tasks;
13.4.3 in performing their tasks have direct access to the highest management level of the Organisation;
13.4.4 are provided with the resources necessary to carry out their tasks and to access personal data and processing operations.
Article 14
Tasks of the Data Protection Officer
14.1 The Data Protection Officer shall be involved, properly and in a timely manner, in all issues involving the Organisation which relate to the protection of personal data.
14.2 The Data Protection Officer shall be entrusted with the following tasks:
14.2.1 to inform and advise the controllers, processors and data subjects of their rights and obligations pursuant to these Regulations and to keep records of such communications;
14.2.2 to ensure that data subjects are informed of their rights and obligations pursuant to these Regulations;
14.2.3 to advise on the implementation, interpretation and application of these Regulations, in particular as to the requirements related to transparency, effective exercise of data subject rights and security of personal data processing;
14.2.4 to advise on the adoption and implementation of the Organisation’s legal framework in relation to the protection of personal data;
14.2.5 to identify and evaluate the Organisation’s data processing operations and maintain records thereof;
14.2.6 to monitor the documentation, notification and communication of personal data breaches pursuant to Article 6.3;
14.2.7 to provide advice and assistance in order to allow the controllers to comply with the obligations under Article 9.2;
14.2.8 to act as the contact point for and to co-operate with the Data Protection Commissioner on issues related to processing of personal data and to monitor and co-ordinate the response to requests from the latter;
14.2.9 to advise on the processing of personal data referred to in Article 9.4;
14.2.10 to promote awareness in the Organisation of data protection principles, such as rights of data subjects and obligations in the processing of personal data.
Article 15
Data Protection Commissioner
15.1 The Data Protection Commissioner shall be an independent supervisory authority overseeing the compliance of personal data processing carried out by the Organisation within the provisions of these Regulations. The Data Protection Commissioner shall be elected by representatives of the member States in the Convention Committee established under Article 22 of the Convention 108+, on the basis of experience and expert knowledge of data protection standards and practices, and skills required to perform the duties specified in Article 16.
15.2 The Convention Committee shall elect the Data Protection Commissioner from a list of names drawn up by the Secretary General of the Council of Europe following a public call for candidates.
15.3 The term of office of the Data Protection Commissioner shall be four years, and may be renewed once.
15.4 The Data Protection Commissioner shall act with complete independence and impartiality in performing her or his functions and exercising her or his powers pursuant to the present Regulations and, in doing so, shall neither seek nor accept instructions.
15.5 The Data Protection Commissioner shall refrain from any action incompatible with her or his functions and powers and shall not, during her or his term of office, engage in any incompatible occupation, whether gainful or not.
15.6 The operational costs of the Data Protection Commissioner shall be borne by the Organisation in accordance with the modalities established by the Committee of Ministers.
15.7 The Data Protection Commissioner shall be provided with adequate secretariat support necessary for the effective performance of her or his functions and exercise of her or his powers.
15.8 The Organisation shall assist the Data Protection Commissioner in the performance of her or his functions and in the exercise of her or his powers.
Article 16
Functions and powers of the Data Protection Commissioner
16.1 The Data Protection Commissioner shall have the following functions:
16.1.1 to monitor and ensure the application of the provisions of these Regulations;
16.1.2 to examine complaints from data subjects concerning alleged infringement of their rights under the present Regulations and to order remedial action as necessary;
16.1.3 to conduct inquiries into the application of these Regulations, either on her or his own initiative, or in order to examine a complaint from a data subject;
16.1.4 to formulate opinions at the request of the Data Protection Officer or a controller on any matter relating to the implementation of these Regulations;
16.1.5 to make recommendations to a controller who shall subsequently report to the Commissioner on their implementation;
16.1.6 to co-operate with national or international data protection authorities or with data protection authorities of international organisations to the extent necessary for the performance of her or his functions and the exercise of her or his powers;
16.1.7 upon request, participate in the work of the Convention Committee established under Article 22 of the Convention 108+ as well as in the work of other convention committees or intergovernmental committees.
16.2 The Data Protection Commissioner shall have the power to:
16.2.1 request from the Organisation and access all personal data and all information necessary for the performance of her or his functions and the exercise of her or his powers;
16.2.2 access the Organisation’s premises, including any data processing equipment and means, where there are reasonable grounds for presuming that an activity covered by these Regulations is being carried out there;
16.2.3 impose a temporary or definitive limitation on data processing;
16.2.4 order that processing operations are brought into compliance with the provisions of these Regulations, in particular by rectifying, erasing or destroying all data when they have been processed in contravention of the provisions of these Regulations;
16.2.5 order the Organisation to comply with the data subject’s requests in the exercise of her or his rights pursuant to this Regulation;
16.2.6 order the Organisation to communicate a personal data breach to the data subject;
16.2.7 order that recipients of disclosed personal data be notified of rectification or erasure of such data by the Organisation pursuant to Article 8.4.
Article 17
Activity report
17.1 The Data Protection Commissioner shall prepare and publish an annual report outlining her or his activities.
17.2 The report shall be presented for information to the Convention Committee established under Article 22 of the Convention 108+; transmitted to the Secretary General; and made public.
Section IV – Remedies and sanctions
Article 18
Complaints and appeals
18.1 Any data subject may lodge a complaint with the Data Protection Commissioner if she or he considers that her or his rights under the present Regulations have been contravened.
18.2 The complaint shall have no suspensive effect on the data processing operation(s) complained of. Nor shall it have a suspensive effect on investigative or any other activities carried out within the framework of the Staff Regulations or other instruments of the internal legal framework.
18.3 Upon receipt of a complaint, the Data Protection Commissioner shall examine it and shall, within a reasonable period of time and not later than two months from the date of receipt of the complaint, communicate her or his reasoned findings to the Secretary General. The findings may include ordering any remedial action set out in Article 16.2. The two-month time-limit may be extended in situations where additional information is required from the data subject with respect to the complaint received.
18.4 The Data Protection Commissioner’s findings shall be final and binding. The Secretary General shall take a decision in accordance with the findings of the Data Protection Commissioner and notify the decision, together with the findings of the Data Protection Commissioner, to the data subject who lodged the complaint. The Secretary General may decide to award compensation for damages in justified cases.
18.6 Should any dispute arise from a decision of the Secretary General taken in accordance with Article 18.4 with regard to a data subject other than a staff member, former staff member, claimant of their rights or job candidate, an amicable settlement should be sought. If no amicable settlement can be reached within three months, the dispute shall be settled by final and binding arbitration in accordance with the Permanent Court of Arbitration Optional Rules for Arbitration between International Organisations and Private Parties, as in effect on the date of the receipt of the claim. The appointing authority shall be the Secretary-General of the Permanent Court of Arbitration. One arbitrator shall be appointed. The language to be used in the arbitral proceedings shall be either English or French. The place of arbitration shall be The Hague (the Netherlands). The applicable law to this arbitration shall be the provisions of these Regulations and any other relevant implementing provisions adopted by the Organisation. The arbitration award shall be final and binding on both the Organisation and the claimant.
Article 19
Disciplinary action
Any failure to comply with the obligations arising from these Regulations, whether intentionally or through negligence on her or his part, shall render a staff member liable to disciplinary action, in accordance with the rules and procedures laid down in the Staff Regulations.