Convention 108 Plus
Full text of Convention 108 plus – Consolidated version
Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data
128th Session of the Committee of Ministers (Elsinore, Denmark, 17-18 May 2018)
Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data – Consolidated text
The member States of the Council of Europe, and the other signatories hereto,
Considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;
Considering that it is necessary to secure the human dignity and protection of the human rights and fundamental freedoms of every individual and, given the diversification, intensification and globalisation of data processing and personal data flows, personal autonomy based on a person’s right to control of his or her personal data and the processing of such data;
Recalling that the right to protection of personal data is to be considered in respect of its role in society and that it has to be reconciled with other human rights and fundamental freedoms, including freedom of expression;
Considering that this Convention permits account to be taken, in the implementation of the rules laid down therein, of the principle of the right of access to official documents;
Recognising that it is necessary to promote at the global level the fundamental values of respect for privacy and protection of personal data, thereby contributing to the free flow of information between people;
Recognising the interest of a reinforcement of international co-operation between the Parties to the Convention,
Have agreed as follows:
Chapter I – General provisions
Article 1 – Object and purpose
The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.
Article 2 – Definitions
For the purposes of this Convention:
a. “personal data” means any information relating to an identified or identifiable individual (“data subject”);
b. “data processing” means any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data;
c. Where automated processing is not used, “data processing” means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria;
d. “controller” means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has decision-making power with respect to data processing;
e. “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available;
f. “processor” means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.
Article 3 – Scope
1. Each Party undertakes to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.
2. This Convention shall not apply to data processing carried out by an individual in the course of purely personal or household activities.
Chapter II – Basic principles for the protection of personal data
Article 4 – Duties of the Parties
1. Each Party shall take the necessary measures in its law to give effect to the provisions of this Convention and secure their effective application.
2. These measures shall be taken by each Party and shall have come into force by the time of ratification or of accession to this Convention.
3. Each Party undertakes:
a. to allow the Convention Committee provided for in Chapter VI to evaluate the effectiveness of the measures it has taken in its law to give effect to the provisions of this Convention; and
b. to contribute actively to this evaluation process.
Article 5 – Legitimacy of data processing and quality of data
1. Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms a stake.
2. Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.
3. Personal data undergoing processing shall be processed lawfully.
4. Personal data undergoing processing shall be:
a. processed fairly and in a transparent manner;
b. collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, subject to appropriate safeguards, compatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.
Article 6 – Special categories of data
1. The processing of:
– genetic data;
– personal data relating to offences, criminal proceedings and convictions, and related security measures;
– biometric data uniquely identifying a person;
– personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life,
shall only be allowed where appropriate safeguards are enshrined in law, complementing those of this Convention.
2. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.
Article 7 – Data security
1. Each Party shall provide that the controller, and, where applicable the processor, takes appropriate security measures against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data.
2. Each Party shall provide that the controller notifies, without delay, at least the competent supervisory authority within the meaning of Article 15 of this Convention, of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.
Article 8 – Transparency of processing
1. Each Party shall provide that the controller informs the data subjects of:
a. his or her identity and habitual residence or establishment;
b. the legal basis and the purposes of the intended processing;
c. the categories of personal data processed;
d. the recipients or categories of recipients of the personal data, if any; and
e. the means of exercising the rights set out in Article 9,
as well as any necessary additional information in order to ensure fair and transparent processing of the personal data.
2. Paragraph 1 shall not apply where the data subject already has the relevant information.
3. Where the personal data are not collected from the data subjects, the controller shall not be required to provide such information where the processing is expressly prescribed by law or this proves to be impossible or involves disproportionate efforts.
Article 9 – Rights of the data subject
1. Every individual shall have a right:
a. not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;
b. to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;
c. to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;
d. to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;
e. to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being, or have been, processed contrary to the provisions of this Convention;
f. to have a remedy under Article 12 where his or her rights under this Convention have been violated;
g. to benefit, whatever his or her nationality or residence, from the assistance of a supervisory authority within the meaning of Article 15, in exercising his or her rights under this Convention.
2. Paragraph 1.a shall not apply if the decision is authorised by a law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests.
Article 10 – Additional obligations
1. Each Party shall provide that controllers and, where applicable, processors, take all appropriate measures to comply with the obligations of this Convention and be able to demonstrate, subject to the domestic legislation adopted in accordance with Article 11, paragraph 3, in particular to the competent supervisory authority provided for in Article 15, that the data processing under their control is in compliance with the provisions of this Convention.
2. Each Party shall provide that controllers and, where applicable, processors, examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.
3. Each Party shall provide that controllers, and, where applicable, processors, implement technical and organisational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing.
4. Each Party may, having regard to the risks arising for the interests, rights and fundamental freedoms of the data subjects, adapt the application of the provisions of paragraphs 1, 2 and 3 in the law giving effect to the provisions of this Convention, according to the nature and volume of the data, the nature, scope and purpose of the processing and, where appropriate, the size of the controller or processor.
Article 11 – Exceptions and restrictions
1. No exception to the provisions set out in this Chapter shall be allowed except to the provisions of Article 5 paragraph 4, Article 7 paragraph 2, Article 8 paragraph 1 and Article 9, when such an exception is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for:
a. the protection of national security, defense, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest;
b. the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression.
2. Restrictions on the exercise of the provisions specified in Articles 8 and 9 may be provided for by law with respect to data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes when there is no recognisable risk of infringement of the rights and fundamental freedoms of data subjects.
3. In addition to the exceptions allowed for in paragraph 1 of this article, with reference to processing activities for national security and defense purposes, each Party may provide, by law and only to the extent that it constitutes a necessary and proportionate measure in a democratic society to fulfill such aim, exceptions to Article 4 paragraph 3, Article 14 paragraphs 5 and 6 and Article 15, paragraph 2, litterae a, b, c and d.
This is without prejudice to the requirement that processing activities for national security and defense purposes are subject to independent and effective review and supervision under the domestic legislation of the respective Party.
Article 12 – Sanctions and remedies
Each Party undertakes to establish appropriate judicial and non-judicial sanctions and remedies for violations of the provisions of this Convention.
Article 13 – Extended protection
None of the provisions of this chapter shall be interpreted as limiting or otherwise affecting the possibility for a Party to grant data subjects a wider measure of protection than that stipulated in this Convention.
Chapter III – Transborder flows of personal data
Article 14 – Transborder flows of personal data
1. A Party shall not, for the sole purpose of the protection of personal data, prohibit or subject to special authorisation the transfer of such data to a recipient who is subject to the jurisdiction of another Party to the Convention. Such a Party may, however, do so if there is a real and serious risk that the transfer to another Party, or from that other Party to a non-Party, would lead to circumventing the provisions of the Convention. A Party may also do so, if bound by harmonised rules of protection shared by States belonging to a regional international organisation.
2. When the recipient is subject to the jurisdiction of a State or international organisation which is not Party to this Convention, the transfer of personal data may only take place where an appropriate level of protection based on the provisions of this Convention is secured.
3. An appropriate level of protection can be secured by:
a. the law of that State or international organisation, including the applicable international treaties or agreements; or
b. ad hoc or approved standardised safeguards provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.
4. Notwithstanding the provisions of the previous paragraphs, each Party may provide that the transfer of personal data may take place if:
a. the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; or
b. the specific interests of the data subject require it in the particular case; or
c. prevailing legitimate interests, in particular important public interests, are provided for by law and such transfer constitutes a necessary and proportionate measure in a democratic society; or
d. it constitutes a necessary and proportionate measure in a democratic society for freedom of expression.
5. Each Party shall provide that the competent supervisory authority within the meaning of Article 15 of this Convention is provided with all relevant information concerning the transfers of data referred to in paragraph 3.b and, upon request, paragraphs 4.b and 4.c.
6. Each Party shall also provide that the supervisory authority is entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit such transfers, suspend them or subject them to condition.
Chapter IV – Supervisory authorities
Article 15 – Supervisory authorities
1 Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the provisions of this Convention.
2 To this end, such authorities:
a. shall have powers of investigation and intervention;
b. shall perform the functions relating to transfers of data provided for under Article 14, notably the approval of standardised safeguards;
c. shall have powers to issue decisions with respect to violations of the provisions of this Convention and may, in particular, impose administrative sanctions;
d. shall have the power to engage in legal proceedings or to bring to the attention of the competent judicial authorities violations of the provisions of this Convention;
e. shall promote:
i. public awareness of their functions and powers as well as their activities;
ii. public awareness of the rights of data subjects and the exercise of such rights;
iii. awareness of controllers and processors of their responsibilities under this Convention;
specific attention shall be given to the data protection rights of children and other vulnerable individuals.
3. The competent supervisory authorities shall be consulted on proposals for any legislative or administrative measures which provide for the processing of personal data.
4. Each competent supervisory authority shall deal with requests and complaints lodged by data subjects concerning their data protection rights and shall keep data subjects informed of progress.
5. The supervisory authorities shall act with complete independence and impartiality in performing their duties and exercising their powers and in doing so shall neither seek nor accept instructions.
6. Each Party shall ensure that the supervisory authorities are provided with the resources necessary for the effective performance of their functions and exercise of their powers.
7. Each supervisory authority shall prepare and publish a periodical report outlining its activities.
8. Members and staff of the supervisory authorities shall be bound by obligations of confidentiality with regard to confidential information to which they have access, or have had access to, in the performance of their duties and exercise of their powers.
9. Decisions of the supervisory authorities may be subject to appeal through the courts.
10. The supervisory authorities shall not be competent with respect to processing carried out by bodies when acting in their judicial capacity.
Chapter V – Co-operation and mutual assistance
Article 16 – Designation of supervisory authorities
1. The Parties agree to co-operate and render each other mutual assistance in order to implement this Convention.
2. For that purpose:
a. each Party shall designate one or more supervisory authorities within the meaning of Article 15 of this Convention, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;
b. each Party which has designated more than one supervisory authority shall specify the competence of each authority in its communication referred to in the previous littera.
Article 17 – Forms of co-operation
1. The supervisory authorities shall co-operate with one another to the extent necessary for the performance of their duties and exercise of their powers, in particular by:
a. providing mutual assistance by exchanging relevant and useful information and co-operating with each other under the condition that, as regards the protection of personal data, all the rules and safeguards of this Convention are complied with;
b. co-ordinating their investigations or interventions, or conducting joint actions;
c. providing information and documentation on their law and administrative practice relating to data protection.
2. The information referred to in paragraph 1 shall not include personal data undergoing processing unless such data are essential for co-operation, or where the data subject concerned has given explicit, specific, free and informed consent to its provision.
3. In order to organise their co-operation and to perform the duties set out in the preceding paragraphs, the supervisory authorities of the Parties shall form a network.
Article 18 – Assistance to data subjects
1. Each Party shall assist any data subject, whatever his or her nationality or residence, to exercise his or her rights under Article 9 of this Convention.
2. Where a data subject resides on the territory of another Party, he or she shall be given the option of submitting the request through the intermediary of the supervisory authority designated by that Party.
3. The request for assistance shall contain all the necessary particulars, relating inter alia to:
a. the name, address and any other relevant particulars identifying the data subject making the request;
b. the processing to which the request pertains, or its controller;
c. the purpose of the request.
Article 19 – Safeguards
1. A supervisory authority which has received information from another supervisory authority, either accompanying a request or in reply to its own request, shall not use that information for purposes other than those specified in the request.
2. In no case may a supervisory authority be allowed to make a request on behalf of a data subject of its own accord and without the express approval of the data subject concerned.
Article 20 – Refusal of requests
A supervisory authority to which a request is addressed under Article 17 of this Convention may not refuse to comply with it unless:
a. the request is not compatible with its powers;
b. the request does not comply with the provisions of this Convention;
c. compliance with the request would be incompatible with the sovereignty, national security or public order of the Party by which it was designated, or with the rights and fundamental freedoms of individuals under the jurisdiction of that Party.
Article 21 – Costs and procedures
1. Co-operation and mutual assistance which the Parties render each other under Article 17 and assistance they render to data subjects under Articles 9 and 18 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party making the request.
2. The data subject may not be charged costs or fees in connection with the steps taken on his or her behalf in the territory of another Party other than those lawfully payable by residents of that Party.
3. Other details concerning the co-operation and assistance, relating in particular to the forms and procedures and the languages to be used, shall be established directly between the Parties concerned.
Chapter VI – Convention Committee
Article 22 – Composition of the committee
1. A Convention Committee shall be set up after the entry into force of this Convention.
2. Each Party shall appoint a representative to the committee and a deputy representative. Any member State of the Council of Europe which is not a Party to the Convention shall have the right to be represented on the committee by an observer.
3. The Convention Committee may, by a decision taken by a majority of two-thirds of the representatives of the Parties, invite an observer to be represented at its meetings.
4. Any Party which is not a member of the Council of Europe shall contribute to the funding of the activities of the Convention Committee according to the modalities established by the Committee of Ministers in agreement with that Party.
Article 23 – Functions of the committee
The Convention Committee:
a. may make recommendations with a view to facilitating or improving the application of the Convention;
b. may make proposals for amendment of this Convention in accordance with Article 25;
c. shall formulate its opinion on any proposal for amendment of this Convention which is referred to it in accordance with Article 25, paragraph 3;
d. may express an opinion on any question concerning the interpretation or application of this Convention;
e. shall prepare, before any new accession to the Convention, an opinion for the Committee of Ministers relating to the level of personal data protection of the candidate for accession and, where necessary, recommend measures to take to reach compliance with the provisions of this Convention;
f. may, at the request of a State or an international organisation, evaluate whether the level of personal data protection the former provides is in compliance with the provisions of this Convention and, where necessary, recommend measures to be taken to reach such compliance;
g. may develop or approve models of standardised safeguards referred to in Article 14;
h. shall review the implementation of this Convention by the Parties and recommend measures to be taken in the case where a Party is not in compliance with this Convention;
i. shall facilitate, where necessary, the friendly settlement of all difficulties related to the application of this Convention.
Article 24 – Procedure
1. The Convention Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this Convention. It shall subsequently meet at least once a year, and in any case when one-third of the representatives of the Parties request its convocation.
2. After each of its meetings, the Convention Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of this Convention.
3. The voting arrangements in the Convention Committee are laid down in the elements for the Rules of Procedure appended to Protocol CETS No. .
4. The Convention Committee shall draw up the other elements of its Rules of Procedure and establish, in particular, the procedures for evaluation and review referred to in Article 4, paragraph 3, and Article 23, litterae e, f and h on the basis of objective criteria.
Chapter VII – Amendments
Article 25 – Amendments
1. Amendments to this Convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Convention Committee.
2. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the Parties to this Convention, to the other member States of the Council of Europe, to the European Union and to every non-member State or international organisation which has been invited to accede to this Convention in accordance with the provisions of Article 27.
3. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Convention Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.
4. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Convention Committee and may approve the amendment.
5. The text of any amendment approved by the Committee of Ministers in accordance with paragraph 4 of this article shall be forwarded to the Parties for acceptance.
6. Any amendment approved in accordance with paragraph 4 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof.
7. Moreover, the Committee of Ministers may, after consulting the Convention Committee, decide unanimously that a particular amendment shall enter into force at the expiration of a period of three years from the date on which it has been opened to acceptance, unless a Party notifies the Secretary General of the Council of Europe of an objection to its entry into force. If such an objection is notified, the amendment shall enter into force on the first day of the month following the date on which the Party to this Convention which has notified the objection has deposited its instrument of acceptance with the Secretary General of the Council of Europe.
Chapter VIII – Final clauses
Article 26 – Entry into force
1. This Convention shall be open for signature by the member States of the Council of Europe and by the European Union. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.
2. This Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five member States of the Council of Europe have expressed their consent to be bound by the Convention in accordance with the provisions of the preceding paragraph.
3. In respect of any Party which subsequently expresses its consent to be bound by it, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of ratification, acceptance or approval.
Article 27 – Accession by non-member States or international organisations
1. After the entry into force of this Convention, the Committee of Ministers of the Council of Europe may, after consulting the Parties to this Convention and obtaining their unanimous agreement, and in light of the opinion prepared by the Convention Committee in accordance with Article 23.e, invite any State not a member of the Council of Europe or an international organisation to accede to this Convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the Committee of Ministers.
2. In respect of any State or international organisation acceding to this Convention according to paragraph 1 above, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.
Article 28 – Territorial clause
1. Any State, the European Union or other international organisation may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this Convention shall apply.
2. Any State, the European Union or other international organisation may, at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this Convention to any other territory specified in the declaration. In respect of such territory the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.
3. Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General. The withdrawal shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of such notification by the Secretary General.
Article 29 – Reservations
No reservation may be made in respect of the provisions of this Convention.
Article 30 – Denunciation
1. Any Party may at any time denounce this Convention by means of a notification addressed to the Secretary General of the Council of Europe.
2. Such denunciation shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of the notification by the Secretary General.
Article 31 – Notifications
The Secretary General of the Council of Europe shall notify the member States of the Council and any Party to this Convention of:
a. any signature;
b. the deposit of any instrument of ratification, acceptance, approval or accession;
c. any date of entry into force of this Convention in accordance with Articles 26, 27 and 28;
d. any other act, notification or communication relating to this Convention.
Appendix to the Protocol: Elements for the Rules of Procedure of the Convention Committee
1. Each Party has a right to vote and shall have one vote.
2. A two-thirds majority of representatives of the Parties shall constitute a quorum for the meetings of the Convention Committee. In case the amending Protocol to the Convention enters into force in accordance with its Article 37 (2) before its entry into force in respect of all Contracting States to the Convention, the quorum for the meetings of the Convention Committee shall be no less than 34 Parties to the Protocol.
3. The decisions under Article 23 shall be taken by a four-fifths majority. The decisions pursuant to Article 23 littera h shall be taken by a four-fifths majority, including a majority of the votes of States Parties not members of a regional integration organisation that is a Party to the Convention.
4. Where the Convention Committee takes decisions pursuant to Article 23 littera h, the Party concerned by the review shall not vote. Whenever such a decision concerns a matter falling within the competence of a regional integration organisation, neither the organisation nor its member States shall vote.
5. Decisions concerning procedural issues shall be taken by a simple majority.
6. Regional integration organisations, in matters within their competence, may exercise their right to vote in the Convention Committee, with a number of votes equal to the number of their member States that are Parties to the Convention. Such an organisation shall not exercise its right to vote if any of its member States exercises its right.
7. In case of vote, all Parties must be informed of the subject and time for the vote, as well as whether the vote will be exercised by the Parties individually or by a regional integration organisation on behalf of its member States.
8. The Convention Committee may further amend its rules of procedure by a two-thirds majority, except for the voting arrangements which may only be amended by unanimous vote of the Parties and to which Article 25 of the Convention applies.