personal data is processed.5 More recently, data protection has been included as a fundamental right in
Article 8 of the Charter of Fundamental Rights of the
EU as well as in the constitutions of several Parties to
the Convention.
15. The guarantees set out in the Convention are
extended to every individual regardless of nationality or residence. No discrimination between citizens
and third country nationals in the application of these
guarantees is allowed.6 Clauses restricting data protection to a State’s own nationals or legally resident
foreign nationals would be incompatible with the
Convention.
Article 2 – Definitions
16. The definitions used in this Convention are meant
to ensure the uniform application of terms to express
certain fundamental concepts in national legislation.
Litt. a. – “personal data”
17. “Identifiable individual” means a person who
can be directly or indirectly identified. An individual is
not considered “identifiable” if his or her identification
would require unreasonable time, effort or resources.
Such is the case, for example, when identifying a data
subject would require excessively complex, long and
costly operations. The issue of what constitutes “unreasonable time, efforts or resources” should be assessed
on a case-by-case basis. For example, consideration
could be given to the purpose of the processing and
taking into account objective criteria such as the cost,
the benefits of such an identification, the type of
controller, the technology used, etc. Furthermore,
technological and other developments may change
what constitutes “unreasonable time, effort or other
resources”.
18. The notion of “identifiable” refers not only to the
individual’s civil or legal identity as such, but also to
what may allow to “individualise” or single out (and
thus allow to treat differently) one person from others.
This “individualisation” could be done, for instance, by
referring to him or her specifically, or to a device or
a combination of devices (computer, mobile phone,
camera, gaming devices, etc.) on the basis of an identification number, a pseudonym, biometric or genetic
data, location data, an IP address, or other identifier.
The use of a pseudonym or of any digital identifier/
digital identity does not lead to anonymisation of
5.
6.
“the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect
for private and family life as guaranteed by Article 8” - ECtHR
MS v. Sweden, (Application No. 20837/92),1997, paragraph
41.
See Council of Europe Commissioner on Human Rights, The
rule of law on the Internet and in the wider digital world,
Issue Paper, CommDH/IssuePaper(2014)1, 8 December 2014,
p. 48, point 3.3 ’Everyone’ without discrimination.
the data as the data subject can still be identifiable
or individualised. Pseudonymous data is thus to be
considered as personal data and is covered by the
provisions of the Convention. The quality of the pseudonymisation techniques applied should be duly taken
into account when assessing the appropriateness of
safeguards implemented to mitigate the risks to data
subjects.
19. Data is to be considered as anonymous only as
long as it is impossible to re-identify the data subject
or if such re-identification would require unreasonable
time, effort or resources, taking into consideration the
available technology at the time of the processing
and technological developments. Data that appears
to be anonymous because it is not accompanied by
any obvious identifying element may, nevertheless
in particular cases (not requiring unreasonable time,
effort or resources), permit the identification of an
individual. This is the case, for example, where it is
possible for the controller or any person to identify
the individual through the combination of different
types of data, such as physical, physiological, genetic,
economic, or social data (combination of data on the
age, sex, occupation, geolocation, family status, etc.).
Where this is the case, the data may not be considered
anonymous and is covered by the provisions of the
Convention.
20. When data is made anonymous, appropriate
means should be put in place to avoid re-identification
of data subjects, in particular, all technical means
should be implemented in order to guarantee that
the individual is not, or is no longer, identifiable. They
should be regularly re-evaluated in light of the fast
pace of technological development.
Litt. b. and c. – “data processing”
21. “Data processing” starts from the collection of
personal data and covers all operations performed
on personal data, whether partially or totally automated. Where automated processing is not used, data
processing means an operation or set of operations
performed upon personal data within a structured
set of such data which are accessible or retrievable
according to specific criteria, allowing the controller
or any other person to search, combine or correlate
the data related to a specific data subject.
Litt. d. –“controller”
22. “Controller” refers to the person or body having
decision-making power concerning the purposes
and means of the processing, whether this power
derives from a legal designation or factual circumstances that are to be assessed on a case-by-case basis.
In some cases, there may be multiple controllers or
co-controllers (jointly responsible for a processing
and possibly responsible for different aspects of that
processing). When assessing whether the person or
Convention 108+ ► Page 17