can be left by individuals and can reveal information
on the health or filiation of the person, as well as of
third parties. Genetic data are all data relating to the
genetic characteristics of an individual which have
been either inherited or acquired during early prenatal development, as they result from an analysis of
a biological sample from the individual concerned:
chromosomal, DNA or RNA analysis or analysis of any
other element enabling equivalent information to
be obtained. Similar risks occur with the processing
of data related to criminal offences (which includes
suspected offences), criminal convictions (based on
criminal law and in the framework of criminal proceedings) and related security measures (involving
deprivation of liberty for instance) which require the
provision of appropriate safeguards for the rights and
freedoms of data subjects.
58. Processing of biometric data, that is data resulting
from a specific technical processing of data concerning
the physical, biological or physiological characteristics
of an individual which allows the unique identification
or authentication of the individual, is also considered
sensitive when it is precisely used to uniquely identify
the data subject.
59. The context of the processing of images is relevant to the determination of the sensitive nature of
the data. The processing of images will not generally
involve processing of sensitive data as the images
will only be covered by the definition of biometric
data when being processed through a specific technical mean which permits the unique identification or
authentication of an individual. Furthermore, where
processing of images is intended to reveal racial, ethnic or health information (see the following point),
such processing will be considered as processing of
sensitive data. On the contrary, images processed by
a video surveillance system solely for security reasons
in a shopping area will not generally be considered
as processing of sensitive data.
60. Processing of sensitive data has the potential
to adversely affect data subjects’ rights when it is
processed for specific information it reveals. While the
processing of family names can in many circumstances
be void of any risk for individuals (e.g. common payroll
purposes), such processing could in some cases involve
sensitive data, for example when the purpose is to
reveal the ethnic origin or religious beliefs of the individuals based on the linguistic origin of their names.
Information concerning health includes information
concerning the past, present and future, physical or
mental health of an individual, and which may refer
to a person who is sick or healthy. Processing images
of persons with thick glasses, a broken leg, burnt skin
or any other visible characteristics related to a person’s
health can only be considered as processing sensitive data when the processing is based on the health
information that can be extracted from the pictures.
Page 22 ► Convention 108+
61. Where sensitive data has to be processed for a
statistical purpose it should be collected in such a way
that the data subject is not identifiable. Collection of
sensitive data without identification data is a safeguard
within the meaning of Article 6. Where there is a
legitimate need to collect sensitive data for statistical purposes in identifiable form (so that a repeat or
longitudinal survey can be carried out, for example),
appropriate safeguards should be put in place.12
Article 7 – Data security
62. The controller and, where applicable the processor, should take specific security measures, both
of technical and organisational nature, for each processing, taking into account: the potential adverse
consequences for the individual, the nature of the
personal data, the volume of personal data processed,
the degree of vulnerability of the technical architecture
used for the processing, the need to restrict access to
the data, requirements concerning long-term storage,
and so forth.
63. Security measures should take into account the
current state of the art of data-security methods and
techniques in the field of data processing. Their cost
should be commensurate with the seriousness and
probability of the potential risks. Security measures
should be kept under review and updated where
necessary.
64. While security measures are aimed at preventing a number of risks, paragraph 2 contains a specific
obligation in cases where a data breach has nevertheless occurred that may seriously interfere with the
fundamental rights and freedoms of the individual.
For instance, the disclosure of data covered by professional confidentiality, or which may result in financial,
reputational, or physical harm or humiliation, could
be deemed to constitute a “serious” interference.
65. Where such a data breach has occurred, the
controller is required to notify the relevant supervisory
authorities of the incident, subject to the exception
permitted under Article 11 paragraph 1. This is the
minimum requirement. The controller should also
notify the supervisory authorities of any measures
taken and/or proposed to address the breach and its
potential consequences.
66. The notification made by the controller to the
supervisory authorities does not preclude other complementary notifications. For instance, the controller
may also recognise the need to notify the data subjects in particular when the data breach is likely to
result in a significant risk for the rights and freedoms
of individuals, such as discrimination, identity theft
or fraud, financial loss, damage to reputation, loss
12. See Recommendation Rec No. (97)18 of the Committee of
Ministers, op cit.