DATA PROTECTION LAW

Privacy and privacy protection

Data protection is a type of privacy protection manifesting in special legal regulation.
Data protection right ensures a person the right of disposal over all data in connection with his personality.
This way it serves to sustain the protection of privacy in a world where the possibility of collecting, storing and
conciliation of large pools of data is widely available. In this situation the significance of facts and data that were
previously regarded irrelevant by legislation increases: earlier, due to the lack of highly developed data-processing
technologies no threat was imposed by a situation in which these data became public and known to others, while
today processing, conciliation and association of data or creating new data relying on the old ones might result in the
infringement to the right of privacy. The underlying notion behind the codification of data protection law is the
insufficiency of secrecy protection: within the new context protection should apply to all data: data protection should
be differentiated from the interpretation of privacy as intimacy.
The aim of data protection law is the protection of privacy. The protection of personal data within the new
circumstances can offer the protection of privacy.
However, the main concern is: why privacy needs protection?
All societies have norms of privacy, either legal or extra-legal and protection of honor appears already in classical
Roman Law with the extension of the crime of injury by the law of the XII tables and after its history bridging the
Middle Ages, it remains a guaranty for ensuring the right of name and the protection of portrait right in Swiss law, while
in the United States it is assimilated by privacy-protection
With the establishment of general personality right protection the protection of "secrecy sphere" has been included in
EU laws while in the United Stated is a framework for personal right protection, corresponding to the European idea of
"general personality right.
General personality right, after a temporary decline during the 2nd World War, came back to a legal reconsideration:
although still indirect, it appears a legal protection of individual facts and data outside the sphere of secrecy protection.
The right to data protection - Key points
Under Article 8 of the ECHR, a right to protection against the collection and use of personal data forms part of the right
to respect for private and family life, home and correspondence.
CoE Convention 108: the first international legally binding instrument dealing explicitly with data protection.
EU law: data protection has been regulated by the Data Protection Directive, for the first time.
EU law: data protection has been acknowledged as a fundamental right.
- Article 12 of the United Nation Universal Declaration of Human Rights (UDHR) of 1948 on respect for private and
family life laid down, for the first time, a right to protection of an individuals private sphere against intrusion from
others, especially from the State, and, being an international legal instrument, influenced the development of other
human rights legal instruments in Europe.
_____________________________________________________
With regards to the 47 Members stated of the Council of Europe, it is of application the European Convention on
Human Rights (ECHR) (formally the Convention for the Protection of Human Rights and Fundamental Freedoms): an
international treaty to protect human rights and fundamental freedoms in Europe, drafted in 1950 by the then newly
formed Council of Europe and entered into force on 3 September 1953. All Council of Europe member states are party
to the Convention and new members are expected to ratify the convention at the earliest opportunity.
Protocol 11 and 14 are procedural and institutional protocols of concrete application to judicial environments:
- Protocol 11 (that supersede Protocols 2, 3, 5, 8, 9 and 10) entered into force on 1 November 1998 and establish a
fundamental change in the machinery of the convention, thanks to the abolition of the Commission, allowing
individuals to apply directly to the Court, which has compulsory jurisdiction (altering the latter's structure).
(NB: Previously states could ratify the Convention without accepting the jurisdiction of the Court of Human Rights).
The protocol 11 also abolished the judicial functions of the Committee of Ministers.
- Protocol 14 follows on from Protocol 11 in proposing to further improve the efficiency of the Court. It seeks to "filter"
out cases that have less chance of succeeding along with those that are broadly similar to cases brought previously
against the same Member State. Normally, a case will not be considered admissible where an applicant has not
suffered a "significant disadvantage" and this latter ground can only be used when an examination of the application
on the merits is not considered necessary and where the subject-matter of the application had already been
considered by a national court.

Furthermore, a new mechanism has been introduced by Protocol 14 to assist enforcement of judgments by the
Committee of Ministers. The Committee can ask the Court for an interpretation of a judgment and can even bring a
member state before the Court for non-compliance of a previous judgment against that State. Protocol 14 allows
for European Union accession to the Convention and has been ratified by every Council of Europes Member State,
(including Russia, in February 2010), entering into force on 1 June 2010.
NB: A provisional Protocol 14bis had been opened for signature in 2009. A protocol for allowing the Court to
implement revised procedures in respect of the Member States which have ratified it. It allowed single judges to reject
manifestly inadmissible applications made against the states that have ratified the protocol. It also extended the
competence of three-judge chambers to declare applications made against those States admissible and to decide on
their merits where there already is a well-established case law of the Court. Now that all the Member States of the
CoE have ratified Protocol 14, Protocol 14bis has lost its initial aim (raison d'tre) and according to its own terms
ceased to have any effect when Protocol 14 entered into force on 1 June 2010.
________________________________________
EU legislation
1

Convention 108 CoE; Directive 2006/24/EC , Directive 2002/58/EC , Directive 95/46/EC ; Regulation (EC) No
45/20014; 2002/58/EC5; Article 29 WP; and CAHDATA 20146.
With regards to Convention 108 CoE, it is important to highlight its modernization (see the last proposal on:
http://www.coe.int/t/dghl/standardsetting/dataprotection/modernisation_en.asp and
http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD_2012_04_rev2_En.pdf)
We can find that for Data Security Every Party shall provide that the controller, and, where applicable the processor,
takes the appropriate security measures against accidental or unauthorized modification, loss or destruction
accidental of personal data, as well as against unauthorized access, dissemination or disclosure of such data and a
new article Article 7bis on Transparency of processing, further to more specifications related to the content of Article 8
on Rights of the data subject, Article 9 on Exceptions and restrictions and the Article 10 on Sanctions and remedies,
as well as a Chapter III bis concerning the Supervisory authorities and a Chapter V that foreseen the change of
Consultative Committee with Convention Committee.
Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly
available electronic communications services or of public communications networks and amending Directive
2002/58/EC (Data Retention Directive, invalidated on 8 April 2014) aims to harmonize Member States provisions
concerning the obligations of the providers of publicly available electronic communications services or of public
communications networks with respect to the retention of certain data which are generated or processed by them, in
order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious
crime, as defined by each Member State in its national law. It applies to traffic and location data on both legal entities
and natural persons and to the related data necessary to identify the subscriber or registered user, not applying to
content of electronic communications, including information consulted using an electronic communications network.
In this Directive we can find rules on data protection and data security, storage requirements for retained data,
supervisory authority remedies, and liability and penalties.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of
personal data and the protection of privacy in the electronic communications sector (Directive on privacy and
electronic communications) harmonises the provisions of the Member States required to ensure an equivalent level of
protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of
personal data in the electronic communication sector and to ensure the free movement of such data and of electronic
communication equipment and services in the Community and where we can find an specific article on traffic data
relating to subscribers and users.
Article 1 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data states that:
In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural
persons, and in particular their right to privacy with respect to the processing of personal data. 2. Member States shall
neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the
protection afforded under paragraph 1.
1

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML
3
http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
4
https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/pid/86#regulation
5
http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm
http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058
6
http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/CAHDATA-RAP03Abr_En.pdf
2

It is important to keep in mind, from a substantial point of view, the articles 12 to 17 of the Directive, as follows:
SECTION V
Data subjects right of access to data
Article 12 - Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the
purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom
the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to
their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the
automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the
provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried
out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
SECTION VI
Exemptions and restrictions
Article 13 - Exemptions and restrictions
1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in
Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated
professions;
(e) an important economic or financial interest of a Member State or of the European Union, including monetary,
budgetary and taxation matters;
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in
cases referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and freedoms of others.
2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions
regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the
data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for
purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary
for the sole purpose of creating statistics.
SECTION VII
The data subject's right to object
Article 14 - The data subject's right to object
Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds
relating to his particular situation to the processing of data relating to him, save where otherwise provided by national
legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those
data;
(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller
anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed
for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly
offered the right to object free of charge to such disclosures or uses.
Member States shall take the necessary measures to ensure that data subjects are aware of the existence of the right
referred to in the first subparagraph of (b).

Article 15 - Automated individual decisions

1. Member States shall grant the right to every person not to be subject to a decision which produces legal effects
concerning him or significantly affects him and which is based solely on automated processing of data intended to
evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability,
conduct, etc.
2. Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a
decision of the kind referred to in paragraph 1 if that decision:
(a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or
the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to
safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or
(b) is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests.
SECTION VII
Confidentiality of processing and Security of processing
Article 16 - Confidentiality of processing
Any person acting under the authority of the controller or of the processor, including the processor himself, who has
access to personal data must not process them except on instructions from the controller, unless he is required to do
so by law.
Article 17 - Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures
to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized
disclosure or access, in particular where the processing involves the transmission of data over a network, and against
all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of
security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a
processor providing sufficient guarantees in respect of the technical security measures and organizational measures
governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the
processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is
established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the
requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
For the Directive on privacy and electronic communications, is important to highlight that This Directive harmonises
the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and
freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic
communication sector and to ensure the free movement of such data and of electronic communication equipment and
services in the Community.
The provisions of this Dir, provide for protection of the legitimate interests of subscribers who are legal persons.
The Directive shall not apply to activities which fall outside Titles V and VI of the Treaty on European Union, and in
any case to activities concerning public security, defense, State security (including economic well-being of the State
when the activities relate to State security matters) and the activities of the State in areas of criminal law.
Furthermore, it is really important to be aware also of the content of articles 8 and 9 of the Directive:
Article 8 - Presentation and restriction of calling and connected line identification
1. Where presentation of calling line identification is offered, the service provider must offer the calling user the
possibility, using a simple means and free of charge, of preventing the presentation of the calling line identification on
a per-call basis. The calling subscriber must have this possibility on a per-line basis.

2. Where presentation of calling line identification is offered, the service provider must offer the called subscriber the
possibility, using a simple means and free of charge for reasonable use of this function, of preventing the presentation
of the calling line identification of incoming calls.
3. Where presentation of calling line identification is offered and where the calling line identification is presented prior
to the call being established, the service provider must offer the called subscriber the possibility, using a simple
means, of rejecting incoming calls where the presentation of the calling line identification has been prevented by the
calling user or subscriber.
4. Where presentation of connected line identification is offered, the service provider must offer the called subscriber
the possibility, using a simple means and free of charge, of preventing the presentation of the connected line
identification to the calling user.
5. Paragraph 1 shall also apply with regard to calls to third countries originating in the Community. Paragraphs 2, 3
and 4 shall also apply to incoming calls originating in third countries.
6. Member States shall ensure that where presentation of calling and/or connected line identification is offered, the
providers of publicly available electronic communications services inform the public thereof and of the possibilities set
out in paragraphs 1, 2, 3 and 4.
Article 9 - Location data other than traffic data
1. Where location data other than traffic data, relating to users or subscribers of public communications networks or
publicly available electronic communications services, can be processed, such data may only be processed when
they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration
necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior
to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes
and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the
value added service. Users or subscribers shall be given the possibility to withdraw their consent for the processing of
location data other than traffic data at any time.
2. Where consent of the users or subscribers has been obtained for the processing of location data other than traffic
data, the user or subscriber must continue to have the possibility, using a simple means and free of charge, of
temporarily refusing the processing of such data for each connection to the network or for each transmission of a
communication.
3. Processing of location data other than traffic data in accordance with paragraphs 1 and 2 must be restricted to
persons acting under the authority of the provider of the public communications network or publicly available
communications service or of the third party providing the value added service, and must be restricted to what is
necessary for the purposes of providing the value added service.
As the aim of adopting the Data Protection Directive was harmonization of data protection law at the national level, the
directive affords a degree of specificity comparable to that of the (then) existing national data protection laws.
For the CJEU, Directive 95/46 is intended [] to ensure that the level of protection of the rights and freedoms of
individuals with regard to the processing of personal data is equivalent in all Member States. []. The approximation
of the national laws applicable in this area must not result in any lessening of the protection they afford but must, on
the contrary, seek to ensure a high level of protection in the EU. Accordingly, [] the harmonization of those national
laws is not limited to minimal harmonization but amounts to harmonization which is generally complete.
Consequently, the EU Member States have only limited freedom to manoeuvre when implementing the directive. The
Data Protection Directive is designed to give substance to the principles of the right to privacy already contained in
Convention 108, and to expand them. The fact that all 15 EU Member States in 1995 were also Contracting Parties to
Convention 108 rules out the adoption of contradictory rules in these two legal instruments.
The Data Protection Directive, however, draws on the possibility, provided for in Article 11 of Convention 108, of
adding on instruments of protection. In particular, the introduction of independent supervision as an instrument for
improving compliance with data protection rules proved to be an important contribution to the effective functioning of
European data protection law. (Consequently, this feature was taken over into CoE law in 2001 by the Additional
Protocol to Convention 108.).
The territorial application of the Data Protection Directive extends beyond the 28 EU Member States, including also
the non-EU Member States that are part of the European Economic Area (Iceland, Liechtenstein and Norway).
Regulation (EC) No 45/2001 or Data Protection Regulation regulates the protection of individuals with regard to the
processing of personal data by Community institutions and bodies, implementing the Article 286 of the TFUE which
requires the application of data protection rules to Community institutions and bodies, as well as the establishment of
an independent supervisory authority.

The data protection rules in the Regulation are based on the existing Community rules on data protection (Data
Protection Directive 95/46/EC and E-privacy Directive 2002/58/EC). The Regulation regroups the rights of the data
subjects and the obligations of those responsible for the processing into a comprehensive legal instrument, and re-call
the application of Article 13 of Regulation (EC) No 45/2001 on the right of access.
It also establishes the European Data Protection Supervisor as an independent supervisory authority with the
responsibility of monitoring the processing of personal data by the Community institutions and bodies.
It is important to highlight how the right to protection of data can face the right of having disclosed the data and the
fact that the Regulation in question foresee also a right to object (free of charge) that can be exercised by a natural
person at the moment of the collection of the data, or at a later stage, by contacting the controller.
Article 29 Data Protection Working Party contains analysis of the Data protection risks of cloud computing:
- Lack of control [Lack of availability due to lack of interoperability (vendor lock-in) Lack of integrity caused by the
sharing of resources Lack of confidentiality in terms of law enforcement requests made directly to a cloud Lack of
intervenability due to the complexity and dynamics of the outsourcing chain Lack of intervenability (data subjects
rights) Lack of isolation] and Lack of information on processing (transparency);
- The Data Protection Legal framework: Data Protection Directive 95/46/EC that applies in every case where personal
data are being processed as a result of the use of cloud computing services and the e-privacy Directive 2002/58/EC
(as revised by 2009/136/EC) that applies to the processing of personal data in connection with the provision of
publicly available electronic communications services in public communications networks (telecom operators) and
thus is relevant if such services are provided by means of a cloud solution. Furthermore, we can find, of relevance, an
approach to the Data protection requirements in the client-provider relationship.
For the CADATHA: The Committee on data protection of the Council of Europe approved on 3 December 2014, after
discussions and amendments, the modernization proposals of the Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data (Convention 108) during its 3rd and last meeting held in Strasbourg
on 1-3 December 2014. A draft amending Protocol will be prepared on this basis and transmitted to the Committee of
Ministers for examination and adoption.
The purpose of this Convention is to protect every individual, whatever their nationality or residence, with regard to the
processing of their personal data, thereby contributing to respect for their human rights and fundamental freedoms,
and in particular their right to privacy.
Specific rules on the legitimacy of data processing and quality of data and Special categories of data security and
transparency of processing, rights of the data subject, remedies and sanctions can be found on the text of the
document (http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/CAHDATA-RAP03Abr_En.pdf).
Furthermore, in the CADATHA we can find rules on Transborder flows of personal data (when the recipient is subject
to the jurisdiction of a State or international organization which is not Party to this Convention, the transfer of personal
data may only take place where an appropriate level of protection based on the provisions of this Convention is
secured), Supervisory authorities (co-operatation among supervisory authorities the supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties and exercise of their powers by:
providing mutual assistance and cooperating with each other under the condition that all the rules and safeguards of
this Convention are complied with, coordinating their investigations or interventions,; and providing information and
documentation on their law and administrative practice relating to data protection) and Convention Committee
(recommendations proposals for amendments, opinions development and approving of models of standardized
safeguards, reviewing and facilitation of settlement of difficulties concerning the implementation of the Convention)
For a history integration see: http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.Privacy
[2. There are various definitions that have been proposed for privacy. According to Schoeman it has been regarded
5. The protection of an individual's "secrecy sphere" appears within the scope of general personality right, and is
recognized partly within its frameworks. As Elemr Bals P. puts it, "the point in secrecy sphere is that the importance
of personality is so predominant concerning certain facts that, from a legal point of view, these facts and their
embodiments do not count as objects of the external world, but have to be understood as functions of personality ].
For the commission proposal to a comprehensive reform of the data protection rules see:
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
- Brussels, 25 January 2012 Proposal of the European Commission for a comprehensive reform of the EU's 1995
data protection rules to strengthen online privacy rights and boost Europe's digital economy. A single law will for
avoiding current fragmentation and costly administrative burdens and for helping the reinforcement of consumer
confidence in online services, for growth, jobs and innovation.
For common standards and policies of the Rule of Law of the CoE see:
http://www.coe.int/t/dghl/standardsetting/DataProtection/default_en.asp (under the link for data protection rules)
http://www.coe.int/t/dghl/standardsetting/dataprotection/Default_en.asp

For a tangential application see Article 8 of the European Convention on Human Rights that provides a right to
respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in
accordance with law" and "necessary in a democratic society" and contains sometimes comprises positive obligations
[such as obligations for the State to become active, and to take initiative whereas classical human rights are
formulated as prohibiting a State from interfering with rights, and thus not to take initiatives (facere or non facere)]
(e.g.: to enforce access for a divorced parent to his/her child; or not to separate a family under family life protection).
_____________________________________________
Legal summary
Under CoE law, reference can be made to the principles enshrined in the Recommendation on access to official
documents, which inspired the drafters of the Convention on Access to Official Documents (Convention 205).
Under EU law, the right of access to documents is guaranteed by Regulation 1049/2001 regarding public access to
European Parliament, Council and Commission documents (Access to Documents Regulation).
Article 42 of the Charter and Article 15 (3) of the TFEU have extended this right of access to documents of the
institutions, bodies, offices and agencies of the Union, regardless of their form.
In accordance with Article (52) 2 of the Charter, the right of access to documents is also exercised under the
conditions and within the limits for which provision is made in Article 15 (3) of TFEU. This right may come into conflict
with the right to data protection if access to a document would reveal others personal data.
Requests for access to documents or information held by public authorities may therefore need balancing with the
right to data protection of persons whose data are contained in the requested documents.
Moreover,
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose, and
persons or organizations collecting and managing personal information must guarantee protection from misuse and,
therefore, common EU rules have been established to ensure that personal data enjoys a high standard of protection
everywhere in the EU.
As remedy foreseen by the Law for obtain redress if personal data are misused anywhere within the EU, it is possible
to complain (right of complain).
The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to
ensure the best possible protection of your data when it is exported abroad.
The right of access to documents cannot automatically overrule the right to data protection.
The importance of transparency is firmly established.
Special categories of personal data are established:
- Sensitive data: Convention 108 (Article 6) and Data Protection Directive (Article 8):
1. personal data revealing racial or ethnic origin;
2. personal data revealing political opinions, religious or other beliefs; and
3. personal data concerning health or sexual life.
NB: Data Protection Directive additionally lists trade union membership as sensitive data, as this information can be
a strong indicator of political belief or affiliation, Convention 108 also considers personal data relating to criminal
convictions as sensitive, and Article 8(7) of Data Protection Directive mandates EU Member States to determine the
conditions under which a national identification number or any other identifier of general application may be
processed.
For other in-depth insides see the hand book on European data protection law jointly prepared by the European
Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European
Court of Human Rights of Luxembourg: Publications Office of the European Union, 2014.
Available on the website of the FRA (fra.europa.eu), the Council of Europe website (coe.int/dataprotection), and on
the European Court of Human Rights website under the Case-Law menu at (echr.coe.int).

For derogations see Article 15 of the European Convention on Human Rights that allows contracting States
to derogate from certain rights guaranteed by the Convention in time of "war or other public emergency threatening
the life of the nation".
Permissible derogations under article 15 must meet three substantive conditions:
1. there must be a public emergency threatening the life of the nation;
2. any measures taken in response must be "strictly required by the exigencies of the situation", and
3. the measures taken in response to it, must be in compliance with a state's other obligations under international law.
In addition to these substantive requirements the derogation must be procedurally sound.
There must be some formal announcement of the derogation and notice of the derogation, any measures adopted
under it, and the ending of the derogation must be communicated to the Secretary-General of the Council of Europe.
The Court is quite permissive in accepting a state's derogations from the Convention but applies a higher degree of
scrutiny in deciding whether measures taken by states under derogation are, in the words of Article 15, "strictly
required by the exigencies of the situation". Thus in A v United Kingdom, the Court dismissed a claim that a
derogation lodged by the British government in response to the September 11 attacks was invalid, but went on to find
that measures taken by the United Kingdom under that derogation were disproportionate.
In order for a derogation itself to be valid, the emergency giving rise to it must be:
- actual or imminent, although states do not have to wait for disasters to strike before taking preventive measures
involve the whole nation, although a threat confined to a particular region may be treated as "threatening the life of the
nation" in that particular region,
- threaten the continuance of the organised life of the community,
- exceptional such that measures and restriction permitted by the Convention would be "plainly inadequate" to deal
with the emergency.
Examples of such derogations include:
Operation Demetrius: Internees arrested without trial pursuant to "Operation Demetrius" could not complain to
the European Commission of Human Rights about breaches of Article 5 because on 27 June 1957, the UK lodged a
notice with the Council of Europe declaring that there was a "public emergency within the meaning of Article 15(1) of
the Convention."
Main online sources:
- http://www.hri.org/docs/ECHR50.html
- http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
- http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
- http://www.conventions.coe.int/Treaty/en/Treaties/Html/005.htm
- http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf
- http://www.coe.int/t/dghl/standardsetting/DataProtection/default_en.asp
- http://human-rights-convention.org/
- https://www.dataprotection.ie/viewdoc.asp?DocID=4
- http://fra.europa.eu/en/theme/information-society-privacy-and-data-protection
- http://infoportal.fra.europa.eu/InfoPortal/infobaseShowContent.do

http://conventions.coe.int/treaty/en/Treaties/Html/005.htm

Other sources:
Data Retention after the Judgement of the Court of Justice of the European Union, Mnster/Luxembourg, 30
June 2014 Dr. Franziska Boehm Assistant Professor, University of Mnster, Institute for Information,
Telecommunication and Media Law (ITM), Germany; and Prof. Dr. Mark D. Cole Associate Professor, Faculty of Law,
Economics and Finance and Interdisciplinary Centre for Security, Reliability and Trust (SnT), at the University of
Luxembourg, Luxembourg.
The proposed data Regulation for the protection of individuals 95/46/EC: A sound systheim for the protection
of individuals, Computer Law and Security Review 28 (2012) 130 -1 (SciVerse Sciencedrect) on basic data
protection principles for identifying merits and shortcoming following the Commissions amendment of the EU data
protection regulatory framework and law-making process for amending the whole EU Data Protection Regulation
(replacing the Directive 95/49/EC) and a Police and Criminal Justice Data Protection Directive intended to replace the
Framework Directive by the draft General Data Protection Regulation)
Fundamental rights: challenges and achievements in 2011: Chapter 3 Information Society and Data Protection,
FRA European Union Agency for Fundamental Rights
Press release: Progress on EU data protection reform now irreversible following European Parliament vote,
European Commission - MEMO/14/186 - Strasbourg, 12 March 2014
For a transversal approach in case of considering Data Protection and Privacy rules to Clouds Computing see also
The future of Cloud Computing - Opportunities for European Cloud Computing Beyond 2010 - Expert Group
Report, Public Version 1.0, Rapporteur Lutz Schubert, Editors: Keith Jeffery, Burkhard Neidecker-Lutz of European
Commission, DG INFSO 2010 (which includes analysis of Cloud Infrastructure as a Service (IaaS); Cloud Platform as
a Service (PaaS), and Clouds Software as a Service (SaaS); and Privacy in Cloud Computing, ITU-T Technology
Watch Report of March 2012, of the Institute of International Tecnology (report written by Stphane Guilloteau of the
France Tlcom Orange, France, and Venkatesen Mauree of the ITU Telecommunication Standardization Bureau.
The European Convention on Human Rights is the first Council of Europes convention and the cornerstone of all the
Councils activities. It was adopted in 1950 and entered into force in 1953. Its ratification is a prerequisite for joining
the Organization.
The European Court of Human Rights oversees the implementation of the Convention in the 47 Council of Europe
Member States. Individuals can bring complaints of human rights violations to the Strasbourg Court once all
possibilities of appeal have been exhausted in the member state concerned. The European Union is preparing to sign
the European Convention on Human Rights, creating a common European legal space for over 820 million citizens.
For selected case law of the CJ of the EU jurisprudence related to the Data Protection Directive
C-73/07, Tietosuojavaltuutettu v. Satakunnan Markkinaprssi Oy and Satamedia Oy, 16 December 2008
[Concept of journalistic activities within the meaning of Article 9 Data Protection Directive];
Joined cases C-92/09 and C-93/09, Volker and Markus Schecke GbR and Hartmut Eifert v. Land Hessen,
9 November 2010
[Proportionality of the legal obligation to publish personal data about the beneficiaries of certain EU agricultural funds]
C-101/01, Bodil Lindqvist, 6 November 2003
[Legitimacy of publishing data by a private person on the private life of others on the internet]
C-131/12, Google Spain, S.L., Google Inc. v. Agencia Espaola de Proteccin de Datos, Mario Costeja Gonzlez,
Reference for a preliminary ruling from Audiencia Nacional (Spain) lodged on 9 March 2012, 25 May 2012
[Obligations of search engine providers to refrain, on request of the data subject, from showing personal data in the
search results]
C-270/11, European Commission v. Kingdom of Sweden, 30 May 2013 [Fine for not implementing a directive] C275/06, Productores de Msica de Espaa (Promusicae) v. Telefnica de Espaa SAU, 29 January 2008
[Obligation of internet access providers to disclose identity of users of KaZaA file exchange programmes to intellectual
property protection association];
C-288/12, European Commission v. Hungary, 8 April 2014 [Legitimacy of removal of office of the national data
protection supervisor]
Handbook on European data protection law 192 C-291/12, Michael Schwarz v. Stadt Bochum, Opinion of the
Advocate General, 13 June 2013
[Violation of EU primary law by Regulation (EC) 2252/2004 providing that fingerprints have to be stored in passports];

Joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitling and Others v. Ireland, 8 April 2014
[Violation of EU primary law by the Data Retention Directive];
C-360/10, SABAM v. Netlog N.V., 16 February 2012
[Obligation of social network providers to prevent unlawful use of musical and audiovisual works by network users]
Joined cases C-465/00, C-138/01 and C-139/01, Rechnungshof v. sterreichischer Rundfunk and Others and
Neukomm and Lauermann v. sterreichischer Rundfunk, 20 May 2003 [Proportionality of legal obligation to publish
personal data about salaries of employees of certain categories of public sector related institutions];
Joined cases C-468/10 and C-469/10, Asociacin Nacional de Establecimientos Financieros de Crdito (ASNEF) and
Federacin de Comercio Electrnico y Marketing Directo (FECEMD) v. Administracin del Estado, 24 November 2011
[Correct implementation of Article 7(f) of Data Protection Directive legitimate interests of others in national law];
C-518/07, European Commission v. Federal Republic of Germany, 9 March 2010
[Independence of a national supervisory authority]
C-524/06, Huber v. Bundesrepublik Deutschland, 16 December 2008
[Legitimacy of holding data on foreigners in a statistical register]
C-543/09, Deutsche Telekom AG v. Bundesrepublik Deutschland, 5 May 2011 [Necessity of renewed consent]
C-553/07, College van burgemeester en wethouders van Rotterdam v. M.E.E. Rijkeboer, 7 May 2009
[Right of access of the data subject]
Case law 193 C-614/10, European Commission v. Republic of Austria, 16 October 2012
[Independence of a national supervisory authority]
Jurisprudence related to the EU Institutions Data Protection Regulation C-28/08 P, European Commission v. The
Bavarian Lager Co. Ltd., 29 June 2010
[Access to documents]
C-41/00 P, Interporc Im- und Export GmbH v. Commission of the European Communities, 6 March 2003
[Access to documents]
F-35/08, Dimitrios Pachtitis v. European Commission, 15 June 2010
[Use of personal data in the context of employment in EU institutions]
F-46/09, V v. European Parliament, 5 July 2011
[Use of personal data in the context of employment in EU institutions]

Case-law of the Court of Justice of the European Union

Asociacin Nacional de Establecimientos Financieros de Crdito (ASNEF) and Federacin de Comercio Electrnico y
Marketing Directo (FECEMD) v. Administracin del Estado, Joined cases, C-468/10 - C-469/10, 24 November 2011
Digital Rights Ireland and Seitlinger and Others, Joined cases C-293/12 and C-594/12, 8 April 2014
European Commission v. Hungary, C-288/12, 8 April 2014
European Commission v. Kingdom of Sweden, C-270/11, 30 May 2013
European Commission v. Republic of Austria, C-614/10, 16 October 2012
Google Spain, S.L., Google Inc. v. Agencia Espaola de Proteccin de Datos, Mario Costeja Gonzlez, C-131/12,
Reference for a preliminary ruling from the Audiencia Nacional lodged on 9 March 2012, 25 May 2012;
Michael Schwarz v. Stadt Bochum, C-291/12, Opinion of the Advocate General, 13 June 2013;
SABAM v. Netlog N.V., C-360/10, 16 February 2012;
Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen;
Joined cases C-92/09 and C-93/09, 9 November 2010;
Association 21 Dcembre 1989 and Others v. Romania, Nos. 33810/07 and 18817/08, 24 May 2011;
Axel Springer AG v. Germany [GC], No. 39954/08, 7 February 2012;
Bernh Larsen Holding AS and Others v. Norway, No. 24117/08, 14 March 2013;
Godelli v. Italy, No. 33783/09, 25 September 2012;
Khelili v. Switzerland, No. 16188/07, 18 October 2011;
Kpke v. Germany, No. 420/07, 5 October 2010;
M.K. v. France, No. 19522/09, 18 April 2013;
M.M. v. the United Kingdom, No. 24029/07, 13 November 2012;
Michaud v. France, No. 12323/11, 6 December 2012;
Mosley v. the United Kingdom, No. 48009/08, 10 May 2011;
Shimovolos v. Russia, No. 30194/09, 21 June 2011;
Uzun v. Germany, No. 35623/05, 2 September 2010; 60641/08, 7 February 2012;
Relevant case-law of national courts:
- Germany, Federal Constitutional Court (Bundesverfassungsgericht),1 BvR 256/08, 2 March 2010;
- The Czech Republic, Constitutional Court (stavn soud esk republiky), 94/2011 Coll., 22 March 2011.