body is a controller, special account should be taken of
whether that person or body determines the reasons
justifying the processing, in other terms its purposes
and the means used for it. Further relevant factors for
this assessment include whether the person or body
has control over the processing methods, the choice
of data to be processed and who is allowed to access
it. Those who are not directly subject to the controller
and carry out the processing on the controller’s behalf,
and solely according to the controller’s instructions, are
to be considered processors. The controller remains
responsible for the processing also where a processor
is processing the data on his or her behalf.
Litt. e. – “recipient”
23. “Recipient” is an individual or an entity who
receives personal data or to whom personal data is
made available. Depending on the circumstances, the
recipient may be a controller or a processor. For example, an enterprise can send certain data of employees
to a government department that will process it as a
controller for tax purposes. It may send it to a company
offering storage services and acting as a processor. The
recipient can be a public authority or an entity that has
been granted the right to exercise a public function
but where the data received by the authority or entity
is processed in the framework of a particular inquiry
in accordance with the applicable law, that public
authority or entity shall not be regarded as a recipient. Requests for disclosure from public authorities
should always be in writing, reasoned and occasional
and should not concern the entirety of a filing system
or lead to the interconnection of filing systems. The
processing of personal data by those public authorities
should comply with the applicable data protection
rules according to the purposes of the processing.
Litt. f. – “processor”
24. “Processor” is any natural or legal person (other
than an employee of the data controller) who processes data on behalf of the controller and according to
the controller’s instructions. The instructions given by
the controller establish the limit of what the processor
is allowed to do with the personal data.
Article 3 – Scope
25. According to paragraph 1, each Party should
apply the Convention to all processing, whether within
the public or private sector, subject to its jurisdiction.
26. Making the scope of the protection dependent
on the notion of “jurisdiction” of the Parties, is justified by the objective of better standing the test of
time and accommodating continual technological
developments.
27. Paragraph 2 excludes processing carried out for
purely personal or household activities from the scope
of the Convention. This exclusion aims at avoiding
Page 18 ► Convention 108+
the imposition of unreasonable obligations on data
processing carried out by individuals in their private
sphere for activities relating to the exercise of their
private life. Personal or household activities are activities which are closely and objectively linked to the
private life of an individual and which do not significantly impinge upon the personal sphere of others.
These activities have no professional or commercial
aspects and relate exclusively to personal or household
activities such as storing family or private pictures on
a computer, creating a list of the contact details of
friends and family members, correspondence, etc. The
sharing of data within the private sphere encompasses
notably the sharing between a family, a restricted
circle of friends or a circle which is limited in its size
and based on a personal relationship or a particular
relation of trust.
28. Whether activities are “purely personal or household activities” will depend on the circumstances. For
example, when personal data is made available to a
large number of persons or to persons obviously external to the private sphere, such as a public website on
the internet, the exemption will not apply. Likewise,
the operation of a camera system, as a result of which
a video recording of people is stored on a continuous
recording device such as a hard disk drive, installed
by an individual in his or her family home for the
purposes of protecting the property, health and life
of the home owners, but which covers, even partially,
a public space and is accordingly directed outwards
from the private setting of the person processing the
data in that manner, cannot be regarded as an activity
which is a purely “personal or household” activity.7
29. The Convention nonetheless applies to data
processing carried out by providers of the means for
processing personal data for such personal or household activities.
30. While the Convention concerns data processing
relating to individuals, the Parties may extend the protection in their domestic law to data relating to legal
persons in order to protect their legitimate interests.
The Convention applies to living individuals: it is not
meant to apply to personal data relating to deceased
persons. However, this does not prevent Parties from
extending the protection to deceased persons.
Chapter II – Basic principles of data
protection
Article 4 – Duties of the Parties
31. As this article indicates, the Convention obliges
Parties to incorporate its provisions into their law and
secure their effective application in practice; how this
7.
See Court of Justice of the EU, František Ryneš v. Úřad, 11
December 2014, C212/13k.