II edizione

Protocollo del Consiglio d’Europa che modifica la Convenzione 108 trattamento automatizzato di dati personali

Il Consiglio d’Europa ha adottato un Protocollo che modifica la convenzione per la protezione delle persone rispetto al trattamento automatizzato di dati personali (STE n. 108, nota come Convenzione 108)

CM-Public

MINISTERS’ DEPUTIES CM Documents CM(2018)2-final 18 May 2018
128th Session of the Committee of Ministers
(Elsinore, Denmark, 17-18 May 2018)
Ad hoc Committee on Data Protection (CAHDATA)

Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108)

Preamble

The member States of the Council of Europe and the other Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), opened for signature in Strasbourg on 28 January 1981 (hereinafter referred to as “the Convention”),

Having regard to Resolution No. 3 on data protection and privacy in the third millennium adopted at the 30th Council of Europe Conference of Ministers of Justice (Istanbul, Turkey, 24-26 November 2010);

Having regard to the Parliamentary Assembly of the Council of Europe’s Resolution 1843 (2011) on the protection of privacy and personal data on the Internet and online media and Resolution 1986 (2014) on improving user protection and security in cyberspace;

Having regard to Opinion 296 (2017) on the draft protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its explanatory memorandum, adopted by the Standing Committee on behalf of the Parliamentary Assembly of the Council of Europe on 24 November 2017;

Considering that new challenges to the protection of individuals with regard to the processing of personal data have emerged since the Convention was adopted;

Considering the need to ensure that the Convention continues to play its pre-eminent role in protecting individuals with regard to the processing of personal data, and more generally in protecting human rights and fundamental freedoms,

Have agreed as follows:

Article 1

  1. The first recital of the preamble of the Convention shall be replaced by the following:

“The member States of the Council of Europe, and the other signatories hereto,”

  1. The third recital of the preamble of the Convention shall be replaced by the following:

“Considering that it is necessary to secure the human dignity and protection of the human rights and fundamental freedoms of every individual and, given the diversification, intensification and globalisation of data processing and personal data flows, personal autonomy based on a person’s right to control his or her personal data and the processing of such data;”

  1. The fourth recital of the preamble of the Convention shall be replaced by the following:

“Recalling that the right to protection of personal data is to be considered in respect of its role in society and that it has to be reconciled with other human rights and fundamental freedoms, including freedom of expression;”

  1. The following recital shall be added after the fourth recital of the preamble of the Convention:

“Considering that this Convention permits account to be taken, in the implementation of the rules laid down therein, of the principle of the right of access to official documents;”

  1. The fifth recital of the preamble of the Convention shall be deleted. New fifth and sixth recitals shall be added, which read as follows:

“Recognising that it is necessary to promote at the global level the fundamental values of respect for privacy and protection of personal data, thereby contributing to the free flow of information between people;”

“Recognising the interest of a reinforcement of international co-operation between the Parties to the Convention,”

Article 2

The text of Article 1 of the Convention shall be replaced by the following:

“The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.”

Article 3

  1. Littera b of Article 2 of the Convention shall be replaced by the following:

b.        ‘data processing’ means any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data;”

  1. Littera c of Article 2 of the Convention shall be replaced by the following:

c.        where automated processing is not used, ‘data processing’ means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria;”

  1. Littera d of Article 2 of the Convention shall be replaced by the following:

d.        ‘controller’ means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has decision-making power with respect to data processing;”

  1. The following new litterae shall be added after littera d of Article 2 of the Convention:

e.        ‘recipient’ means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available;

  1. ‘processor’ means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.”

Article 4

  1. Paragraph 1 of Article 3 of the Convention shall be replaced by the following:

“1.        Each Party undertakes to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.”

  1. Paragraph 2 of Article 3 of the Convention shall be replaced by the following:

“2.        This Convention shall not apply to data processing carried out by an individual in the course of purely personal or household activities.”

  1. Paragraphs 3 to 6 of Article 3 of the Convention shall be deleted.

Article 5

The title of Chapter II of the Convention shall be replaced by the following:

“Chapter II – Basic principles for the protection of personal data”.

Article 6

  1. Paragraph 1 of Article 4 of the Convention shall be replaced by the following:

“1.        Each Party shall take the necessary measures in its law to give effect to the provisions of this Convention and secure their effective application.”

  1. Paragraph 2 of Article 4 of the Convention shall be replaced by the following:

“2.        These measures shall be taken by each Party and shall have come into force by the time of ratification or of accession to this Convention.”

  1. A new paragraph shall be added after paragraph 2 of Article 4 of the Convention:

“3.        Each Party undertakes:

  1. to allow the Convention Committee provided for in Chapter VI to evaluate the effectiveness of the measures it has taken in its law to give effect to the provisions of this Convention; and
  2. to contribute actively to this evaluation process.”

Article 7

  1. The title of Article 5 shall be replaced by the following:

“Article 5 – Legitimacy of data processing and quality of data”.

  1. The text of Article 5 of the Convention shall be replaced by the following:

“1.        Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.

  1. Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.
  2. Personal data undergoing processing shall be processed lawfully.
  3. Personal data undergoing processing shall be:
  4. processed fairly and in a transparent manner;
  5. collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, subject to appropriate safeguards, compatible with those purposes;
  6. adequate, relevant and not excessive in relation to the purposes for which they are processed;
  7. accurate and, where necessary, kept up to date;
  8. preserved in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which those data are processed.”

Article 8

The text of Article 6 of the Convention shall be replaced by the following:

“1.        The processing of:

– genetic data;

– personal data relating to offences, criminal proceedings and convictions, and related security measures;

– biometric data uniquely identifying a person;

– personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life,

shall only be allowed where appropriate safeguards are enshrined in law, complementing those of this Convention.

  1. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.”

Article 9

The text of Article 7 of the Convention shall be replaced by the following:

“1.        Each Party shall provide that the controller, and where applicable the processor, takes appropriate security measures against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data.

  1. Each Party shall provide that the controller notifies, without delay, at least the competent supervisory authority within the meaning of Article 15 of this Convention, of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.”

Article 10

A new Article 8 shall be added after Article 7 of the Convention as follows:

“Article 8 – Transparency of processing

  1. Each Party shall provide that the controller informs the data subjects of:
  2. his or her identity and habitual residence or establishment;
  3. the legal basis and the purposes of the intended processing;
  4. the categories of personal data processed;
  5. the recipients or categories of recipients of the personal data, if any; and
  6. the means of exercising the rights set out in Article 9,

as well as any necessary additional information in order to ensure fair and transparent processing of the personal data.

  1. Paragraph 1 shall not apply where the data subject already has the relevant information.
  2. Where the personal data are not collected from the data subjects, the controller shall not be required to provide such information where the processing is expressly prescribed by law or this proves to be impossible or involves disproportionate efforts.”

Article 11

  1. The former Article 8 of the Convention shall be renumbered Article 9 and the title shall be replaced by the following:

“Article 9 – Rights of the data subject”.

  1. The text of Article 8 of the Convention (new Article 9) shall be replaced by the following:

“1.        Every individual shall have a right:

  1. not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;
  2. to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;
  3. to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;
  4. to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;
  5. to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being, or have been, processed contrary to the provisions of this Convention;
  6. to have a remedy under Article 12 where his or her rights under this Convention have been violated;
  7. to benefit, whatever his or her nationality or residence, from the assistance of a supervisory authority within the meaning of Article 15, in exercising his or her rights under this Convention.
  8. Paragraph 1.a shall not apply if the decision is authorised by a law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests.”

Article 12

A new Article 10 shall be added after the new Article 9 of the Convention as follows:

“Article 10 – Additional obligations

  1. Each Party shall provide that controllers and, where applicable, processors, take all appropriate measures to comply with the obligations of this Convention and be able to demonstrate, subject to the domestic legislation adopted in accordance with Article 11, paragraph 3, in particular to the competent supervisory authority provided for in Article 15, that the data processing under their control is in compliance with the provisions of this Convention.
  2. Each Party shall provide that controllers and, where applicable, processors, examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.
  3. Each Party shall provide that controllers, and, where applicable, processors, implement technical and organisational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing.
  4. Each Party may, having regard to the risks arising for the interests, rights and fundamental freedoms of the data subjects, adapt the application of the provisions of paragraphs 1, 2 and 3 in the law giving effect to the provisions of this Convention, according to the nature and volume of the data, the nature, scope and purpose of the processing and, where appropriate, the size of the controller or processor.”

Article 13

The former Articles 9 to 12 of the Convention shall become Articles 11 to 14 of the Convention.

Article 14

The text of Article 9 of the Convention (new Article 11) shall be replaced by the following:

“1.        No exception to the provisions set out in this chapter shall be allowed except to the provisions of Article 5, paragraph 4, Article 7, paragraph 2, Article 8, paragraph 1 and Article 9, when such an exception is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for:

  1. the protection of national security, defence, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest;
  2. the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression.
  3. Restrictions on the exercise of the provisions specified in Articles 8 and 9 may be provided for by law with respect to data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes when there is no recognisable risk of infringement of the rights and fundamental freedoms of data subjects.
  4. In addition to the exceptions allowed for in paragraph 1 of this article, with reference to processing activities for national security and defence purposes, each Party may provide, by law and only to the extent that it constitutes a necessary and proportionate measure in a democratic society to fulfil such an aim, exceptions to Article 4 paragraph 3, Article 14, paragraphs 5 and 6 and Article 15, paragraph 2, litterae a, b, c and d.

This is without prejudice to the requirement that processing activities for national security and defence purposes are subject to independent and effective review and supervision under the domestic legislation of the respective Party.”

Article 15

The text of Article 10 of the Convention (new Article 12) shall be replaced by the following:

“Each Party undertakes to establish appropriate judicial and non-judicial sanctions and remedies for violations of the provisions of this Convention.”

Article 16

The title of Chapter III shall be replaced by the following:

“Chapter III – Transborder flows of personal data”.

Article 17

  1. The title of Article 12 of the Convention (new Article 14) shall be replaced by the following:

“Article 14 – Transborder flows of personal data”.

  1. The text of Article 12 of the Convention (new Article 14) shall be replaced by the following:

“1.        A Party shall not, for the sole purpose of the protection of personal data, prohibit or subject to special authorisation the transfer of such data to a recipient who is subject to the jurisdiction of another Party to the Convention. Such a Party may, however, do so if there is a real and serious risk that the transfer to another Party, or from that other Party to a non-Party, would lead to circumventing the provisions of the Convention. A Party may also do so if bound by harmonised rules of protection shared by States belonging to a regional international organisation.

  1. When the recipient is subject to the jurisdiction of a State or international organisation which is not Party to this Convention, the transfer of personal data may only take place where an appropriate level of protection based on the provisions of this Convention is secured.
  2. An appropriate level of protection can be secured by:
  3. the law of that State or international organisation, including the applicable international treaties or agreements; or
  4. ad hoc or approved standardised safeguards provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.
  5. Notwithstanding the provisions of the previous paragraphs, each Party may provide that the transfer of personal data may take place if:
  6. the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; or
  7. the specific interests of the data subject require it in the particular case; or
  8. prevailing legitimate interests, in particular important public interests, are provided for by law and such transfer constitutes a necessary and proportionate measure in a democratic society; or
  9. it constitutes a necessary and proportionate measure in a democratic society for freedom of expression.
  10. Each Party shall provide that the competent supervisory authority, within the meaning of Article 15 of this Convention, is provided with all relevant information concerning the transfers of data referred to in paragraph 3, littera b and, upon request, paragraph 4, litterae b and c.
  11. Each Party shall also provide that the supervisory authority is entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit such transfers, suspend them or subject them to conditions.”
  12. The text of Article 12 of the Convention (new Article 14) includes the provisions of Article 2 of the Additional Protocol of 2001 regarding supervisory authorities and transborder data flows (ETS No. 181) on transborder flows of personal data to a recipient which is not subject to the jurisdiction of a Party to the Convention.

Article 18

A new Chapter IV shall be added after Chapter III of the Convention, as follows:

“Chapter IV – Supervisory authorities”.

Article 19

A new Article 15 includes the provisions of Article 1 of the Additional Protocol of 2001 (ETS No.181) and reads as follows:

“Article 15 – Supervisory authorities

  1. Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the provisions of this Convention.
  2. To this end, such authorities:
  3. shall have powers of investigation and intervention;
  4. shall perform the functions relating to transfers of data provided for under Article 14, notably the approval of standardised safeguards;
  5. shall have powers to issue decisions with respect to violations of the provisions of this Convention and may, in particular, impose administrative sanctions;
  6. shall have the power to engage in legal proceedings or to bring to the attention of the competent judicial authorities violations of the provisions of this Convention;
  7. shall promote:
  8. public awareness of their functions and powers, as well as their activities;
  9. public awareness of the rights of data subjects and the exercise of such rights;

iii.         awareness of controllers and processors of their responsibilities under this Convention;

specific attention shall be given to the data protection rights of children and other vulnerable individuals.

  1. The competent supervisory authorities shall be consulted on proposals for any legislative or administrative measures which provide for the processing of personal data.
  2. Each competent supervisory authority shall deal with requests and complaints lodged by data subjects concerning their data protection rights and shall keep data subjects informed of progress.
  3. The supervisory authorities shall act with complete independence and impartiality in performing their duties and exercising their powers and in doing so shall neither seek nor accept instructions.
  4. Each Party shall ensure that the supervisory authorities are provided with the resources necessary for the effective performance of their functions and exercise of their powers.
  5. Each supervisory authority shall prepare and publish a periodical report outlining its activities.
  6. Members and staff of the supervisory authorities shall be bound by obligations of confidentiality with regard to confidential information to which they have access, or have had access to, in the performance of their duties and exercise of their powers.
  7. Decisions of the supervisory authorities may be subject to appeal through the courts.
  8. The supervisory authorities shall not be competent with respect to processing carried out by bodies when acting in their judicial capacity.”

Article 20

  1. Chapters IV to VII of the Convention shall be renumbered to Chapters V to VIII of the Convention.
  2. The title of Chapter V shall be replaced by “Chapter V – Co-operation and mutual assistance”.
  3. A new Article 17 shall be added, and former Articles 13 to 27 of the Convention shall become Articles 16 to 31 of the Convention.

Article 21

  1. The title of Article 13 of the Convention (new Article 16) shall be replaced by the following:

“Article 16 – Designation of supervisory authorities”.

  1. Paragraph 1 of Article 13 of the Convention (new Article 16) shall be replaced by the following:

“1.        The Parties agree to co-operate and render each other mutual assistance in order to implement this Convention.”

  1. Paragraph 2 of Article 13 of the Convention (new Article 16) shall be replaced by the following:

“2.        For that purpose:

  1. each Party shall designate one or more supervisory authorities within the meaning of Article 15 of this Convention, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;
  2. each Party which has designated more than one supervisory authority shall specify the competence of each authority in its communication referred to in the previous littera.”
  1. Paragraph 3 of Article 13 of the Convention (new Article 16) shall be deleted.

Article 22

A new Article 17 shall be added after the new Article 16 of the Convention as follows:

            “Article 17 – Forms of co-operation

  1. The supervisory authorities shall co-operate with one another to the extent necessary for the performance of their duties and exercise of their powers, in particular by:
  2. providing mutual assistance by exchanging relevant and useful information and co-operating with each other under the condition that, as regards the protection of personal data, all the rules and safeguards of this Convention are complied with;
  3. co-ordinating their investigations or interventions, or conducting joint actions;
  4. providing information and documentation on their law and administrative practice relating to data protection.
  5. The information referred to in paragraph 1 shall not include personal data undergoing processing unless such data are essential for co-operation, or where the data subject concerned has given explicit, specific, free and informed consent to its provision.
  6. In order to organise their co-operation and to perform the duties set out in the preceding paragraphs, the supervisory authorities of the Parties shall form a network.”

Article 23

  1. The title of Article 14 of the Convention (new Article 18) shall be replaced by the following:

“Article 18 – Assistance to data subjects”.

  1. The text of Article 14 of the Convention (new Article 18) shall be replaced by the following:

“1.        Each Party shall assist any data subject, whatever his or her nationality or residence, to exercise his or her rights under Article 9 of this Convention.

  1. Where a data subject resides on the territory of another Party, he or she shall be given the option of submitting the request through the intermediary of the supervisory authority designated by that Party.
  2. The request for assistance shall contain all the necessary particulars, relating inter alia to:
  3. the name, address and any other relevant particulars identifying the data subject making the request;
  4. the processing to which the request pertains, or its controller;
  5. the purpose of the request.”

Article 24

  1. The title of Article 15 of the Convention (new Article 19) shall be replaced by the following:

“Article 19 – Safeguards”.

  1.         The text of Article 15 of the Convention (new Article 19) shall be replaced by the following:

“1.        A supervisory authority which has received information from another supervisory authority, either accompanying a request or in reply to its own request, shall not use that information for purposes other than those specified in the request.

  1. In no case may a supervisory authority be allowed to make a request on behalf of a data subject of its own accord and without the express approval of the data subject concerned.”

Article 25

  1. The title of Article 16 of the Convention (new Article 20) shall be replaced by the following:

“Article 20 – Refusal of requests”.

  1. The recital of Article 16 of the Convention (new Article 20) shall be replaced by the following:

“A supervisory authority to which a request is addressed under Article 17 of this Convention may not refuse to comply with it unless:”

  1. Littera a of Article 16 of the Convention (new Article 20) shall be replaced by the following:

a.        the request is not compatible with its powers.”

  1. Littera c of Article 16 of the Convention (new Article 20) shall be replaced by the following:

c.        compliance with the request would be incompatible with the sovereignty, national security or public order of the Party by which it was designated, or with the rights and fundamental freedoms of individuals under the jurisdiction of that Party.”

Article 26

  1. The title of Article 17 of the Convention (new Article 21) shall be replaced by the following:

“Article 21 – Costs and procedures”.

  1. Paragraph 1 of Article 17 of the Convention (new Article 21) shall be replaced by the following:

“1.        Co-operation and mutual assistance which the Parties render each other under Article 17 and assistance they render to data subjects under Articles 9 and 18 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party making the request.”

  1. The terms “his or her” shall replace “his” in paragraph 2 of Article 17 of the Convention (new Article 21).

Article 27

The title of Chapter V of the Convention (new Chapter VI) shall be replaced by the following:

“Chapter VI – Convention Committee”.

Article 28

  1. The terms “Consultative Committee” in paragraph 1 of Article 18 of the Convention (new Article 22) shall be replaced by “Convention Committee”.
  2. Paragraph 3 of Article 18 of the Convention (new Article 22) shall be replaced by the following:

“3.        The Convention Committee may, by a decision taken by a majority of two-thirds of the representatives of the Parties, invite an observer to be represented at its meetings.”

  1. A new paragraph 4 shall be added after paragraph 3 of Article 18 of the Convention (new Article 22):

“4.        Any Party which is not a member of the Council of Europe shall contribute to the funding of the activities of the Convention Committee according to the modalities established by the Committee of Ministers in agreement with that Party.”

Article 29

  1. The terms “Consultative Committee” in the recital of Article 19 of the Convention (new Article 23) shall be replaced by “Convention Committee”.
  1. The term “proposals” in littera a of Article 19 of the Convention (new Article 23) shall be replaced with the term “recommendations”.
  2. References to “Article 21” in littera b and “Article 21 paragraph 3” in littera c of Article 19 of the Convention (new Article 23) shall be replaced respectively by references to “Article 25” and “Article 25, paragraph 3”.
  3. Littera d of Article 19 of the Convention (new Article 23) shall be replaced by the following:

d.        may express an opinion on any question concerning the interpretation or application of this Convention;”.

  1. The following additional litterae shall be added following littera d of Article 19 of the Convention (new Article 23):

“e.        shall prepare, before any new accession to the Convention, an opinion for the Committee of Ministers relating to the level of personal data protection of the candidate for accession and, where necessary, recommend measures to take to reach compliance with the provisions of this Convention;

  1. may, at the request of a State or an international organisation, evaluate whether the level of personal data protection the former provides is in compliance with the provisions of this Convention and, where necessary, recommend measures to be taken in order to reach such compliance;
  2. may develop or approve models of standardised safeguards referred to in Article 14;
  3. shall review the implementation of this Convention by the Parties and recommend measures to be taken in the case where a Party is not in compliance with this Convention;
  4. shall facilitate, where necessary, the friendly settlement of all difficulties related to the application of this Convention.”

Article 30

The text of Article 20 of the Convention (new Article 24) shall be replaced by the following:

“1.        The Convention Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this Convention. It shall subsequently meet at least once a year, and in any case when one-third of the representatives of the Parties request its convocation.

  1. After each of its meetings, the Convention Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of this Convention.
  2. The voting arrangements in the Convention Committee are laid down in the elements for the rules of procedure appended to Protocol CETS No. [223].
  3. The Convention Committee shall draw up the other elements of its rules of procedure and establish, in particular, the procedures for evaluation and review referred to in Article 4, paragraph 3, and Article 23, litterae e, f and h on the basis of objective criteria.”

Article 31

  1. Paragraphs 1 to 4 of Article 21 of the Convention (new Article 25) shall be replaced by the following:

“1.        Amendments to this Convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Convention Committee.

  1. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the Parties to this Convention, to the other member States of the Council of Europe, to the European Union and to every non-member State or international organisation which has been invited to accede to this Convention in accordance with the provisions of Article 28.
  2. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Convention Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.
  3. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Convention Committee, and may approve the amendment.”
  4. An additional paragraph 7 shall be added after paragraph 6 of Article 21 of the Convention (new Article 25) as follows:

“7.        Moreover, the Committee of Ministers may, after consulting the Convention Committee, unanimously decide that a particular amendment shall enter into force at the expiration of a period of three years from the date on which it has been opened to acceptance, unless a Party notifies the Secretary General of the Council of Europe of an objection to its entry into force. If such an objection is notified, the amendment shall enter into force on the first day of the month following the date on which the Party to this Convention which has notified the objection has deposited its instrument of acceptance with the Secretary General of the Council of Europe.”

Article 32

  1. Paragraph 1 of Article 22 of the Convention (new Article 26) shall be replaced by the following:

“1.        This Convention shall be open for signature by the member States of the Council of Europe and by the European Union. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.”

  1. The terms “member State” in paragraph 3 of Article 22 of the Convention (new Article 26) shall be replaced by “Party”.

Article 33

  1. The title and the text of Article 23 of the Convention (new Article 27) shall be replaced as follows:

“Article 27 – Accession by non-member States or international organisations

  1. After the entry into force of this Convention, the Committee of Ministers of the Council of Europe may, after consulting the Parties to this Convention and obtaining their unanimous agreement, and in light of the opinion prepared by the Convention Committee in accordance with Article 23.e, invite any State not a member of the Council of Europe or an international organisation to accede to this Convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the Committee of Ministers.
  2. In respect of any State or international organisation acceding to this Convention according to paragraph 1 above, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.”

Article 34

Paragraphs 1 and 2 of Article 24 of the Convention (new Article 28) shall be replaced by the following:

“1.        Any State, the European Union or other international organisation may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this Convention shall apply.

  1. Any State, the European Union or other international organisation may, at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this Convention to any other territory specified in the declaration. In respect of such territory the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.”

Article 35

  1. The term “State” in the recital of Article 27 of the Convention (new Article 31) shall be replaced by “Party”.
  2. References to “Articles 22, 23 and 24” in littera c shall be replaced by references to “Articles 26, 27 and 28”.

Article 36 – Signature, ratification and accession

  1. This Protocol shall be open for signature by Contracting States to the Convention. It shall be subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.
  2. After the opening for signature of this Protocol and before its entry into force, any other State shall express its consent to be bound by this Protocol by accession. It may not become a Party to the Convention without acceding simultaneously to this Protocol.

Article 37 – Entry into force

  1. This Protocol shall enter into force on the first day of the month following the expiration of a period of three months after the date on which all Parties to the Convention have expressed their consent to be bound by the Protocol, in accordance with the provisions of paragraph 1 of Article 36.
  2. In the event this Protocol has not entered into force in accordance with paragraph 1, following the expiry of a period of five years after the date on which it has been opened for signature, the Protocol shall enter into force in respect of those States which have expressed their consent to be bound by it in accordance with paragraph 1, provided that the Protocol has at least thirty-eight Parties. As between the Parties to the Protocol, all provisions of the amended Convention shall have effect immediately upon entry into force.
  3. Pending the entry into force of this Protocol and without prejudice to the provisions regarding the entry into force and the accession by non-member States or international organisations, a Party to the Convention may, at the time of signature of this Protocol or at any later moment, declare that it will apply the provisions of this Protocol on a provisional basis. In such cases, the provisions of this Protocol shall apply only with respect to the other Parties to the Convention which have made a declaration to the same effect. Such a declaration shall take effect on the first day of the third month following the date of its receipt by the Secretary General of the Council of Europe.
  4. From the date of entry into force of this Protocol, the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS No. 181) shall be repealed.
  5. From the date of the entry into force of this Protocol, the amendments to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, approved by the Committee of Ministers, in Strasbourg, on 15 June 1999, have lost their purpose.

Article 38 – Declarations related to the Convention

From the date of entry into force of this Protocol, with respect to a Party having entered one or more declarations in pursuance of Article 3 of the Convention, such declaration(s) will lapse.

Article 39 – Reservations

No reservation may be made to the provisions of this Protocol.

Article 40 – Notifications

The Secretary General of the Council of Europe shall notify the member States of the Council of Europe and any other Party to the Convention of:

  1. any signature;
  2. the deposit of any instrument of ratification, acceptance, approval or accession;
  3. the date of entry into force of this Protocol in accordance with Article 37;
  4. any other act, notification or communication relating to this Protocol.

In witness whereof the undersigned, being duly authorised thereto, have signed this Protocol.

Done at […..], on [………], in English and in French, both texts being equally authentic, in a single copy which shall be deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe, to other Parties to the Convention and any State invited to accede to the Convention.

Appendix to the Protocol: Elements for the rules of procedure of the Convention Committee

  1. Each Party has a right to vote and shall have one vote.
  2. A two-thirds majority of representatives of the Parties shall constitute a quorum for the meetings of the Convention Committee. In case the amending Protocol to the Convention enters into force in accordance with its Article 37 (2) before its entry into force in respect of all Contracting States to the Convention, the quorum for the meetings of the Convention Committee shall be no less than 34 Parties to the Protocol.
  3. The decisions under Article 23 shall be taken by a four-fifths majority. The decisions pursuant to Article 23 littera h shall be taken by a four-fifths majority, including a majority of the votes of States Parties not members of a regional integration organisation that is a Party to the Convention.
  4. Where the Convention Committee takes decisions pursuant to Article 23 littera h, the Party concerned by the review shall not vote. Whenever such a decision concerns a matter falling within the competence of a regional integration organisation, neither the organisation nor its member States shall vote.
  5. Decisions concerning procedural issues shall be taken by a simple majority.
  6. Regional integration organisations, in matters within their competence, may exercise their right to vote in the Convention Committee, with a number of votes equal to the number of their member States that are Parties to the Convention. Such an organisation shall not exercise its right to vote if any of its member States exercises its right.
  7. In case of vote, all Parties must be informed of the subject and time for the vote, as well as whether the vote will be exercised by the Parties individually or by a regional integration organisation on behalf of its member States.
  8. The Convention Committee may further amend its rules of procedure by a two-thirds majority, except for the voting arrangements which may only be amended by unanimous vote of the Parties and to which Article 25 of the Convention applies.

Related documents

Meetings

128th Session of the Committee of Ministers (18 May 2018) – Meetings 2018 / 17 May 2018 / English

Committee of Ministers;Council of Europe

CM(2018)2-addfinal / 18 May 2018 / English / CM-Public

128th Session of the Committee of Ministers (Elsinore, Denmark, 17-18 May 2018) – Ad hoc Committee on Data Protection (CAHDATA) ‒ Protocol amending the Convention for the Protection of Individuals…