of confidentiality of data protected by professional
secrecy or any other significant economic or social
disadvantage, and to provide them with adequate
and meaningful information on, notably, the contact
points and possible measures that they could take to
mitigate the adverse effects of the breach. In cases
where the controller does not spontaneously inform
the data subject of the data breach, the supervisory
authority, having considered the likely adverse effects
of the breach, should be allowed to require the controller to do so. Notification to other relevant authorities
such as those in charge of computer systems security
may also be desirable.
Article 8 – Transparency of processing
67. The controller is required to act transparently
when processing data in order to ensure fair processing
and to enable data subjects to understand and thus
fully exercise their rights in the context of such data
processing.
68. Certain essential information has to be compulsorily provided in a proactive manner by the controller
to the data subjects when directly or indirectly (not
through the data subject but through a third-party)
collecting their data, subject to the possibility to provide for exceptions in line with Article 11 paragraph 1.
Information on the name and address of the controller
(or co-controllers), the legal basis and the purposes of
the data processing, the categories of data processed
and recipients, as well as the means of exercising the
rights can be provided in any appropriate format
(either through a website, technological tools on personal devices, etc.) as long as the information is fairly
and effectively presented to the data subject. The
information presented should be easily accessible,
legible, understandable and adapted to the relevant
data subjects (for example, in a child-friendly language
where necessary). Any additional information that
is necessary to ensure fair data processing or that is
useful for such purposes, such as the preservation
period, the knowledge of the reasoning underlying
the data processing, or information on data transfers
to a recipient in another Party or non-Party (including
whether that particular non-Party provides an appropriate level of data protection, or the measures taken
by the controller to guarantee such an appropriate
level of data protection) is also to be provided.
69. The controller is not required to provide this
information where the data subject has already
received it, or in the case of an indirect collection of
data through third parties where the processing is
expressly prescribed by law, or where this proves to
be impossible or it involves disproportionate efforts
because the data subject is not directly identifiable or
the controller has no way to contact the data subject.
Such impossibility can be either of a legal nature (in the
context of a criminal investigation for instance) or of a
practical nature (for instance when a controller is only
processing pictures and does not know the names
and contact details of the data subjects).
70. The data controller may use any available, reasonable and affordable means to inform data subjects
collectively (through a website or public notice) or
individually. If it is impossible to do so when commencing the processing, it can be done at a later stage, for
instance when the controller is put in contact with
the data subject for any new reason.
Article 9 – Rights of the data subject
71. This article lists the rights that every individual
should be able to exercise concerning the processing
of personal data relating to him or her. Each Party shall
ensure, within its legal order, that all those rights are
available for every data subject together with the
necessary legal and practical, adequate and effective
means to exercise them.
72. These rights include the following:
–– the right of everyone not to be subject to a
purely automated decision significantly affecting them without having their views taken
into consideration (littera a.);
–– the right of everyone to request confirmation
of a processing of data relating to them and
to access the data at reasonable intervals and
without excessive delay or expense (littera b.);
–– the right of everyone to be provided, on
request, with knowledge of the reasoning
underlying data processing where the results
of such processing are applied to them (littera c.);
–– the right of everyone to object on grounds
relating to their situation, to a processing of
personal data relating to them, unless the controller demonstrates legitimate grounds for
the processing which override their interests
or rights and fundamental freedoms (littera d.);
–– the right of everyone to rectification or erasure
of inaccurate, false, or unlawfully processed
data (littera e.);
–– the right of everyone to a remedy if any of
the previous rights is not respected (littera f.);
–– the right of everyone to obtain assistance from
a supervisory authority (littera g.).
73. These rights may have to be reconciled with
other rights and legitimate interests. They can, in
accordance with Article 11, be limited only where this
is provided for by law and constitutes a necessary and
proportionate measure in a democratic society. For
instance, the right to erasure of personal data may be
restricted to the extent that processing is necessary
for compliance with a legal obligation which requires
processing by law to which the controller is subject or