Update, 12 October 2016:
The Ad hoc Committee on Data Protection (CAHDATA) continued its deliberations on the revision of the Convention at its 40th meeting from 30 November 2016 to 2 December 2016. Ahead of the meeting, the current state of the draft, dated 12 September 2016, was published (PDF).
Update, 17 May 2016:
The Ad hoc Committee on Data Protection (CAHDATA) presented a consolidated draft of Convention 108, dated 3 May 2016.
Not only EU data protection law is under revision, but also Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. In Switzerland this Convention has been in force since 1998 (implemented by the partial revision of the DSG at the time; in force since 1 January 2008; Dispatch BBl 2003 2101). Among other things, it defines what Switzerland understands by adequate data protection within the meaning of Art. 6 para. 1 DSG (see → disclosure abroad). To date, the Convention has been ratified by around 50 states.
An overview of the revision process is available on the Council of Europe website. On 1 April 2015 the Ad hoc Committee on Data Protection (CAHDATA) approved the current state of the draft (text below). The draft is expected to be adopted in the course of 2016. Switzerland will in all likelihood ratify the revision. Major changes to Swiss data protection law are not expected to result from this, however. The most important changes concern the following points (see David Rosenthal in German and in English, and the highlighting in the text of the Convention below):
- the concept of sensitive personal data becomes somewhat broader (e.g. regarding genetic and biometric data);
- the transparency requirements become stricter;
- the scope of the right of access is extended;
- a right to be heard in the case of automated decisions;
- a notification obligation for breaches (breach notification).
As it currently stands, the revised text of the Convention reads as follows:
Chapter I – General provisions
Article 1 – Object and purpose
The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of the personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular their right to privacy.
Article 2 – Definitions
For the purposes of this Convention:
a. “personal data” means any information relating to an identified or identifiable individual (“data subject”);
b. “data processing” means any operation or set of operations which is performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data; Where automated processing is not used, data processing means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria;
c. “controller” means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has the decision-making power with respect to data processing;
d. “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available;
e. “processor” means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.
Article 3 – Scope
1. Each Party undertakes to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.
1bis. This Convention shall not apply to data processing carried out by an individual in the course of [purely] personal or household activities.
Chapter II – Basic principles for the protection of personal data
Article 4 – Duties of the Parties
1. Each Party shall take the necessary measures in its law to give effect to the provisions of this Convention and secure their effective application.
2. These measures shall be taken by each Party and shall have come into force by the time of ratification or accession to this Convention.
3. Each Party undertakes:
a. to allow the Convention Committee provided for in Chapter V to evaluate the effectiveness of the measures it has taken in its law to give effect to the provisions of this Convention; and
b. to contribute actively to this evaluation process.
Article 5 – Legitimacy of data processing and quality of data
1. Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.
2. Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.
3. Personal data undergoing processing shall be processed lawfully.
4. Personal data undergoing processing shall be:
a. processed fairly and in a transparent manner;
b. collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for historical, statistical and scientific purposes is, subject to appropriate safeguards, compatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.
Article 6 – Special categories of data
1. The processing of:
- personal data relating to offences, criminal proceedings and convictions, and related security measures;
- biometric data uniquely identifying a person;
- personal data for the information they reveal relating to racial origin, political opinions, trade union membership, religious or other beliefs, health or sexual life;
shall only be allowed where specific and additional appropriate safeguards are enshrined in law, complementing those of this Convention.
2. Such safeguards shall guard against the risks that the processing of such sensitive data may present to the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.
Article 7 – Data security
1. Each Party shall provide that the controller, and, where applicable the processor, takes appropriate security measures against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data.
2. Each Party shall provide that the controller shall notify, without delay, at least the competent supervisory authority within the meaning of Article 12bis of this Convention, of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.
Article 7bis – Transparency of processing
1. Each Party shall provide that the controller informs the data subjects of:
a. the controller’s identity and habitual residence or establishment;
b. the legal basis and the purposes of the intended processing;
c. the categories of personal data processed;
d. the recipients or categories of recipients of the personal data, if any; and
e. the means of exercising the rights set out in Article 8; as well as any necessary additional information in order to ensure fair and transparent processing of the personal data.
1bis. Paragraph 1 shall not apply where the data subject already has the relevant information.
2. Where the personal data are not collected from the data subjects, the controller shall nonetheless not be required to provide such information where the processing is expressly prescribed by law or this proves to be impossible or involves disproportionate efforts.
Article 8 – Rights of the data subject
Every individual shall have a right:
a. not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;
b. to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her; the communication in an intelligible form of the data processed; all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 7bis, paragraph 1;
c. to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;
d. to object at any time to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;
e. to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being or have been processed contrary to the provisions of this Convention;
f. to have a remedy under Article 10 where his or her rights under this Convention have been violated;
g. to benefit, whatever his or her nationality or residence, from the assistance of a supervisory authority within the meaning of Article 12bis, in exercising his or her rights under this Convention.
Article 8bis – Additional obligations
1. Each Party shall provide that controllers and, where applicable, processors take all appropriate measures to comply with the obligations of this Convention and be able to demonstrate, in particular to the competent supervisory authority provided for in Article 12bis, that the data processing under their control is in compliance with the provisions of this Convention.
2. Each Party shall provide that controllers and, where applicable, processors, examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.
3. Each Party shall provide that controllers, and, where applicable, processors, implement technical and organisational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing.
4. Each Party may, having regard to the risks arising for the interests, rights and fundamental freedoms of the data subjects, adapt the application of the provisions of paragraphs 1, 2 and 3 in the law giving effect to the provisions of this Convention, according to the nature and volume of the data, the nature, scope and purpose of the processing and, where appropriate, the size of the controller or processor.
Article 9 – Exceptions and restrictions
1. No exception to the provisions set out in this Chapter shall be allowed, except to the provisions of Articles 5.4, 7.2, 7bis, paragraph 1 and Article 8 when such an exception is provided for by law and constitutes a necessary and proportionate measure in a democratic society for:
a. the protection of national security, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences;
b. the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression.
2. Restrictions on the exercise of the provisions specified in Articles 7bis and 8 may be provided for by law with respect to data processing for historical, statistical and scientific purposes when there is no recognisable risk of infringement of the rights and fundamental freedoms of data subjects.
Article 10 – Sanctions and remedies
Each Party undertakes to establish appropriate judicial and non-judicial sanctions and remedies for violations of the provisions of this Convention.
Article 11 – Extended protection
None of the provisions of this chapter shall be interpreted as limiting or otherwise affecting the possibility for a Party to grant data subjects a wider measure of protection than that stipulated in this Convention.
Chapter III – Transborder flows of personal data
Article 12 – Transborder flows of personal data
1. A Party shall not, for the sole purpose of the protection of personal data, prohibit or subject to special authorisation the transfer of such data to a recipient who is subject to the jurisdiction of another Party to the Convention. Such a Party may however do so if bound by harmonised rules of protection shared by States belonging to a regional international organisation.
2. When the recipient is subject to the jurisdiction of a State or international organisation which is not party to this Convention, the transfer of personal data may only take place where an appropriate level of protection based on the provisions of this Convention is secured.
3. An appropriate level of protection can be secured by:
a. the law of that State or international organisation, including the applicable international treaties or agreements; or
b. ad hoc or approved standardised safeguards provided by legally binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.
4. Notwithstanding the provisions of the previous paragraphs, each Party may provide that the transfer of personal data may take place if:
a. the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; or
b. the specific interests of the data subject require it in the particular case; or
c. prevailing legitimate interests, in particular important public interests, are provided for by law and such transfer constitutes a necessary and proportionate measure in a democratic society.
5. Each Party shall provide that the competent supervisory authority within the meaning of Article 12bis of this Convention is provided with all relevant information concerning the transfers of data referred to in paragraph 3.b and, upon request, paragraphs 4.b and 4.c.
6. Each Party shall also provide that the supervisory authority is entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject to condition such transfers.
7. Exceptions to the provisions of this Article are allowed insofar as they constitute a necessary and proportionate measure in a democratic society for the freedom of expression.
Chapter III bis – Supervisory authorities
Article 12bis – Supervisory authorities
1. Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the provisions of this Convention.
2. To this end, such authorities:
a. shall have powers of investigation and intervention;
b. shall perform the functions relating to transfers of data provided for under Article 12, notably the approval of standardised safeguards;
c. shall have powers to issue decisions with respect to violations of the provisions of this Convention and may, in particular, impose administrative sanctions;
d. shall have the power to engage in legal proceedings or to bring to the attention of the competent judicial authorities violations of the provisions of this Convention;
e. shall promote:
i. public awareness of their functions and powers as well as their activities;
ii. public awareness of the rights of data subjects and the exercise of such rights;
iii. awareness of controllers and processors of their responsibilities under this Convention; specific attention shall be given to the data protection rights of children and other vulnerable individuals.
2bis. The competent supervisory authorities shall be consulted on proposals for any legislative or administrative measures which provide for the processing of personal data.
3. Each competent supervisory authority shall deal with requests and complaints lodged by data subjects concerning their data protection rights and shall keep data subjects informed of progress.
4. The supervisory authorities shall act with complete independence and impartiality in performing their duties and exercising their powers and in doing so shall neither seek nor accept
5. Each Party shall ensure that the supervisory authorities are provided with the resources necessary for the effective performance of their functions and exercise of their powers.
5bis. Each supervisory authority shall prepare and publish a periodical report outlining its activities.
5ter. Members and staff of the supervisory authorities shall be bound by obligations of confidentiality with regard to confidential information they have access to or have had access to in the performance of their duties and exercise of their powers.
6. Decisions of the supervisory authorities may be appealed against through the courts.
7. In accordance with the provisions of Chapter IV, the supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties and exercise of their powers, in particular
a. providing mutual assistance by exchanging relevant and useful information and cooperating with each other under the condition that, as regards the protection of personal data, all the rules and safeguards of this Convention are complied with;
b. coordinating their investigations or interventions, or conducting joint actions;
c. providing information and documentation on their law and administrative practice relating to data protection.
7bis. The information referred to in paragraph 7 littera a shall not include personal data undergoing processing unless such data are essential for cooperation, or where the data subject concerned has given explicit, specific, free and informed consent to its provision.
8. In order to organise their cooperation and to perform the duties set out in the preceding paragraphs, the supervisory authorities of the Parties shall form a network.
9. The supervisory authorities shall not be competent with respect to processing carried out by bodies when acting in their judicial capacity.
Chapter IV – Mutual assistance
Article 13 – Cooperation between Parties
1. The Parties agree to render each other mutual assistance in order to implement this Convention.
2. For that purpose:
a. each Party shall designate one or more supervisory authorities within the meaning of Article 12bis of this Convention, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;
b. each Party which has designated more than one supervisory authority shall specify the competence of each authority in its communication referred to in the previous subparagraph.
Article 14 – Assistance to data subjects
1. Each Party shall assist any data subject, whatever his or her nationality or residence, to exercise his or her rights under Article 8 of this Convention.
2. Where a data subject resides in the territory of another Party, he or she shall be given the option of submitting the request through the intermediary of the supervisory authority designated by that Party.
3. The request for assistance shall contain all the necessary particulars, relating inter alia to:
a. the name, address and any other relevant particulars identifying the data subject making the request;
b. the processing to which the request pertains, or its controller;
c. the purpose of the request.
Article 15 – Safeguards concerning assistance rendered by designated supervisory authorities
1. A supervisory authority designated by a Party which has received information from a supervisory authority designated by another Party either accompanying a request for assistance or in reply to its own request for assistance shall not use that information for purposes other than those specified in the request for assistance.
2. In no case may a designated supervisory authority be allowed to make a request for assistance on behalf of a data subject of its own accord and without the explicit consent of the data subject concerned.
Article 16 – Refusal of requests for assistance
A designated supervisory authority to which a request for assistance is addressed under Article 13 of this Convention may not refuse to comply with it unless:
a. the request is not compatible with the powers in the field of data protection of the authorities responsible for replying;
b. the request does not comply with the provisions of this Convention;
c. compliance with the request would be incompatible with the sovereignty, national security or public order of the Party by which it was designated, or with the rights and fundamental freedoms of individuals under the jurisdiction of that Party.
Article 17 – Costs and procedures of assistance
1. Mutual assistance which the Parties render each other under Article 13 and assistance they render to data subjects under Articles 8 and 14 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party which has designated the supervisory authority making the request for assistance.
2. The data subject may not be charged costs or fees in connection with the steps taken on his or her behalf in the territory of another Party other than those lawfully payable by residents of that Party.
3. Other details concerning the assistance, relating in particular to the forms and procedures and the languages to be used, shall be established directly between the Parties concerned.
Chapter V – Convention Committee
Article 18 – Composition of the committee
1. A Convention Committee shall be set up after the entry into force of this Convention.
2. Each Party shall appoint a representative to the committee and a deputy representative. Any member State of the Council of Europe which is not a Party to the Convention shall have the right to be represented on the committee by an observer.
3. The Convention Committee may, by a decision taken by a majority of two-thirds of the representatives of the Parties, invite an observer to be represented at its meetings.
4. Any Party which is not a member of the Council of Europe shall contribute to the funding of the activities of the Convention Committee according to the modalities established by the Committee of Ministers in agreement with that Party.
Article 19 – Functions of the committee
The Convention Committee:
a. may make recommendations with a view to facilitating or improving the application of the Convention;
b. may make proposals for amendment of this Convention in accordance with Article 21;
c. shall formulate its opinion on any proposal for amendment of this Convention which is referred to it in accordance with Article 21, paragraph 3;
d. may express an opinion on any question concerning the interpretation or application of this Convention;
e. shall prepare, before any new accession to the Convention, an opinion for the Committee of Ministers relating to the level of personal data protection of the candidate for accession and where necessary recommend measures to take to reach compliance with the provisions of this Convention;
f. may, at the request of a State or an international organisation, evaluate whether the level of personal data protection the former provides is in compliance with the provisions of this Convention and where necessary recommend measures to take to reach such compliance;
g. may develop or approve models of standardised safeguards referred to in Article 12;
h. shall review the implementation of this Convention by the Parties and recommend measures to take where a Party is not in compliance with this Convention;
i. shall facilitate, where necessary, the friendly settlement of all difficulties related to the application of this Convention.
Article 20 – Procedure
1. The Convention Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this Convention. It shall subsequently meet at least once a year and in any case when one-third of the representatives of the Parties request its convocation.
2. A majority of representatives of the Parties shall constitute a quorum for a meeting of the Convention Committee.
3. Each Party has a right to vote and shall have one vote. On questions within its competence, the European Union exercises its right to vote and casts a number of votes equal to the number of its member States that are Parties to the Convention and have transferred competencies to the European Union in the field concerned. In this case, those member States of the European Union do not vote.
4. After each of its meetings, the Convention Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of this Convention.
5. The Convention Committee shall draw up its own Rules of Procedure and establish, in particular, the procedures for evaluation referred to in Article 4.3 and for examination of the level of protection referred to in Article 19, on the basis of objective criteria.
Chapter VI – Amendments
Article 21 – Amendments
1. Amendments to this Convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Convention Committee.
2. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the Parties to this Convention, to the other member States of the Council of Europe, to the European Union and to every non-member State or international organisation which has been invited to accede to this Convention in accordance with the provisions of Article 23.
3. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Convention Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.
4. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Convention Committee and may approve the amendment.
5. The text of any amendment approved by the Committee of Ministers in accordance with paragraph 4 of this article shall be forwarded to the Parties for acceptance.
6. Any amendment approved in accordance with paragraph 4 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof.
7. Moreover, the Committee of Ministers may, after consulting the Convention Committee, decide that a particular amendment shall enter into force at the expiration of a period of two years from the date on which it has been opened to acceptance, unless a Party notifies the Secretary General of the Council of Europe of an objection to its entry into force. If such an objection is notified, the amendment shall enter into force on the first day of the month following the date on which the Party to this Convention which has notified the objection has deposited its instrument of acceptance with the Secretary General of the Council of Europe.
8. If an amendment has been approved by the Committee of Ministers but has not yet entered into force in accordance with the provisions set out in paragraphs 6 or 7, a State, the European Union, or an international organisation may not express its consent to be bound by this Convention without at the same time accepting the amendment.
Chapter VII – Final clauses
Article 22 – Entry into force
1. This Convention shall be open for signature by the member States of the Council of Europe and by the European Union. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.
2. This Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five member States of the Council of Europe have expressed their consent to be bound by the Convention in accordance with the provisions of the preceding paragraph.
3. In respect of any Party which subsequently expresses its consent to be bound by it, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of ratification, acceptance or approval.
Article 23 – Accession by non-member States and international organisations
1. After the entry into force of this Convention, the Committee of Ministers of the Council of Europe may, after consulting the Parties to this Convention and obtaining their unanimous agreement and in light of the opinion prepared by the Convention Committee in accordance with Article 19.e, invite any State not a member of the Council of Europe or an international organisation to accede to this Convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the Committee of Ministers.
2. In respect of any State or international organisation acceding to this Convention according to paragraph 1 above, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.
Article 24 – Territorial clause
1. Any State, the European Union or other international organisation may at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this Convention shall apply.
2. Any State, the European Union or other international organisation may at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this Convention to any other territory specified in the declaration. In respect of such territory the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.
3. Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General. The withdrawal shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of such notification by the Secretary General.
Article 25 – Reservations
No reservation may be made in respect of the provisions of this Convention.
Article 26 – Denunciation
1. Any Party may at any time denounce this Convention by means of a notification addressed to the Secretary General of the Council of Europe.
2. Such denunciation shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of the notification by the Secretary General.
Article 27 – Notifications
The Secretary General of the Council of Europe shall notify the member States of the Council and any Party to this Convention of:
a. any signature;
b. the deposit of any instrument of ratification, acceptance, approval or accession;
c. any date of entry into force of this Convention in accordance with Articles 22, 23 and 24;
d. any other act, notification or communication relating to this Convention.
Article … of the Protocol: signature and entry into force
1. This Protocol shall be open for signature by the Parties to the Convention. It shall be subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.
2. This Protocol shall enter into force on the first day of the month following the expiration of a period of [three] months after the date on which all Parties to the Convention have expressed their consent to be bound by the Protocol in accordance with the provisions of paragraph 1 of this Article.
3. However, this Protocol shall enter into force following the expiry of a period of [two] years after the date on which it has been opened for signature, unless a Party to the Convention has notified the Secretary General of the Council of Europe of an objection to its entry into force. The right to make an objection shall be reserved for those States which were Parties to the Convention at the date of opening for signature of this protocol.
4. Should such an objection be notified, the Protocol shall enter into force on the first day of the month following the expiration of a period of [three] months after the date on which the Party to the Convention which has notified the objection has deposited its instrument of ratification, acceptance or approval with the Secretary General of the Council of Europe.
5. From the entry into force of this Protocol, with respect to a Party having entered one or more declarations in pursuance of Article 2 of the original Convention, such declaration(s) will lapse.