subject resides in the territory of another Party, he or she can submit the request through the intermediary of the authority designated by that Party. The request for assistance should contain sufficient information to permit identification of the data processing in question. This right can be limited according to Article 11 or adapted in order to safeguard the interests of a pending judicial procedure.
83. Limited exceptions to Article 9 are permitted under the conditions specified in Article 11, paragraph 1.

Article 10 - Additional obligations
84. In order to ensure that the right to the protection of personal data is effective, additional obligations are imposed on the controller as well as, where applicable, the processor(s).
85. According to paragraph 1, the obligation on the controller to ensure adequate data protection is linked to the responsibility to verify and be in a position to demonstrate that data processing is in compliance with the applicable law. The data protection principles set out in the Convention, which are to be applied at all stages of processing, including the design phase, aim at protecting data subjects and are also a mechanism for enhancing their trust. Appropriate measures that the controller and processor may have to take to ensure compliance include: training employees; setting up appropriate notification procedures (for instance to indicate when data have to be deleted from the system); establishing specific contractual provisions where the processing is delegated in order to give effect to the Convention; as well as setting up internal procedures to enable the verification and demonstration of compliance.
86. If, in accordance with Article 11, paragraph 3, a Party chooses to limit the powers of a supervisory authority within the meaning of Article 15 with reference to processing activities for national security and defence purposes, the controller has no obligation to demonstrate to such a supervisory authority compliance with data protection requirements for activities falling within the scope of the aforementioned exception.
87. A possible measure that could be taken by the controller to facilitate such a verification and demonstration of compliance would be the designation of a “data protection officer” entrusted with the means necessary to fulfil his or her mandate. Such a data protection officer, whose designation should be notified to the supervisory authority, could be internal or external to the controller.
88. Paragraph 2 clarifies that before carrying out a data processing activity, the controller will have to examine its potential impact on the rights and fundamental freedoms of the data subjects. This examination can be done without excessive formalities. It will also have to consider respect for the proportionality principle on the basis of a comprehensive overview of the intended processing. In some circumstances, where a processor is involved in addition to the controller, the processor will also have to examine the risks. IT systems developers, including security professionals, or designers, together with users and legal experts could assist in examining the risks.
89. Paragraph 3 specifies that in order to better guarantee an effective level of protection, controllers, and, where applicable, processors, should ensure that data protection requirements are integrated as early as possible, that is, ideally at the stage of architecture and system design, in data processing operations through technical and organisational measures (data protection by design). This implementation of data protection requirements should be achieved not only as regards the technology used for processing the data, but also the related work and management processes. Easy-to-use functionalities that facilitate compliance with applicable law should be put in place. For example, secure online access to one’s own data should be offered to data subjects where possible and relevant. There should also be easy-to-use tools to enable data subjects to take their data to another provider of their choice or keep the data themselves (data portability tools). When setting up the technical requirements for default settings, controllers and processors should choose privacy-friendly standard configurations so that the usage of applications and software does not infringe the rights of the data subjects (data protection by default), notably to avoid processing more data than necessary to achieve the legitimate purpose. For example, social networks should be configured by default so as to share posts or pictures only with restricted and chosen circles and not with the whole internet.
90. Paragraph 4 allows Parties to adapt the additional obligations listed in paragraphs 1 to 3 taking into consideration the risks at stake for the interests, rights and fundamental freedoms of the data subjects. Such adaptation should be done considering the nature and volume of data processed, the nature, scope and purposes of the data processing and, in certain cases, the size of the processing entity. The obligations could be adapted, for example, so as not to entail excessive costs for small and medium-sized enterprises (SMEs) processing only non-sensitive personal data received from customers in the framework of commercial activities and not re-using it for other purposes. Certain categories of data processing, such as processing which does not entail any risk for data subjects, may even be exempt from some of the additional obligations prescribed in this article.

Convention 108+ ► Page 25