is done depends on the applicable legal system and
the approach taken regarding the incorporation of
international treaties.
32. The term “law of the Parties” denotes, according
to the legal and constitutional system of the particular
country, all enforceable rules, whether of statute law
or case law. It must meet the qualitative requirements
of accessibility and previsibility (or “foreseeability”).
This implies that the law should be sufficiently clear
to allow individuals and other entities to regulate
their own behaviour in light of the expected legal
consequences of their actions, and that the persons
who are likely to be affected by this law should have
access to it. It encompasses rules that place obligations or confer rights on persons (whether natural or
legal) or which govern the organisation, powers and
responsibilities of public authorities or lay down procedure. In particular, it includes States’ constitutions
and all written acts of legislative authorities (laws in
the formal sense) as well as all regulatory measures
(decrees, regulations, orders and administrative directives) based on such laws. It also covers international
conventions applicable in domestic law, including
EU law. Furthermore, it includes all other statutes of
a general nature, whether of public or private law
(including the law of contracts), together with court
decisions in common law countries, or in all countries,
established case law interpreting a written law. In addition, it includes any act of a professional body under
powers delegated by the legislator and in accordance
with its independent rule-making powers.
33. Such a “law of the Parties” may be usefully reinforced by voluntary regulation measures in the field
of data protection, such as codes of good practice
or codes for professional conduct. However, such
voluntary measures are not by themselves sufficient
to ensure full compliance with the Convention.
34. Where international organisations are concerned,8
in some situations, the law of such international organisations may be applied directly at the national level of
the member States of such organisations depending
on each national legal system.
35. The effectiveness of the application of the measures giving effect to the provisions of the Convention
is of crucial importance. The role of the supervisory
authority (or authorities), together with any remedies
that are available to data subjects, should be considered in the overall assessment of the effectiveness of a
Party’s implementation of the Convention’s provisions.
36. It is further stipulated in paragraph 2 that the
measures giving effect to the Convention shall be taken
by the Parties concerned and shall have come into force
by the time of ratification or accession, that is when a
8.
International organisations are defined as organisations
governed by public international law.
Party becomes legally bound by the Convention. This
provision aims to enable the Convention Committee
to verify whether all “necessary measures” have been
taken, to ensure that the Parties to the Convention
observe their commitments and provide the expected
level of data protection in their national law. The process and criteria used for this verification are to be
clearly defined in the Convention Committee’s rules
of procedure.
37. Parties commit in paragraph 3 to contribute
actively to the evaluation of their compliance with their
commitments, with a view to ensuring regular assessment of the implementation of the principles of the
Convention (including its effectiveness). Submission
of reports by the Parties on the application of their
data protection law could be one possible element
of this active contribution.
38. In exercising its powers under paragraph 3, the
Convention Committee shall not evaluate whether a
Party has taken effective measures, to the extent it
has made use of exceptions and restrictions in accordance with the provisions of this Convention. It follows
that under Article 11 paragraph 3 a Party shall not
be required to provide classified information to the
Convention Committee.
39. The evaluation of a Party’s compliance will be
carried out by the Convention Committee on the
basis of an objective, fair and transparent procedure
established by the Convention Committee and fully
described in its rules of procedure.
Article 5 – Legitimacy of data processing
and quality of data
40. Paragraph 1 provides that data processing must
be proportionate, that is, appropriate in relation to the
legitimate purpose pursued and having regard to the
interests, rights and freedoms of the data subject or the
public interest. Such data processing should not lead
to a disproportionate interference with these interests,
rights and freedoms. The principle of proportionality is
to be respected at all stages of processing, including
at the initial stage, i.e. when deciding whether or not
to carry out the processing.
41. Paragraph 2 prescribes two alternate essential
pre-requisites for a lawful processing: the individual’s consent or a legitimate basis prescribed by law.
Paragraphs 1, 2, 3 and 4 of Article 5 are cumulative and
must be respected in order to ensure the legitimacy
of the data processing.
42. The data subject’s consent must be freely given,
specific, informed and unambiguous. Such consent
must represent the free expression of an intentional
choice, given either by a statement (which can be
written, including by electronic means, or oral) or by a
clear affirmative action and which clearly indicates in
this specific context the acceptance of the proposed
Convention 108+ ► Page 19