Act Ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

PUBLISHED IN: Uradni list RS (Official Gazette of the Republic of Slovenia, International Treaties) 3-18/1994, page 103 DATE OF PUBLICATION: 28.2.1994

IN FORCE: from 1.3.1994 / APPLICABLE: from 1.3.1994

Version 3 / 3

The consolidated text applies from 15.6.2023 until further notice. Status of the consolidated text as of today, 19.2.2026: CURRENT.

18. Act Ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
Pursuant to the second indent of the first paragraph of Article 107 and the first paragraph of Article 91 of the Constitution of the Republic of Slovenia, I hereby issue
DECREE
promulgating the Act Ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Data
I hereby promulgate the Act Ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Data, adopted by the National Assembly of the Republic of Slovenia at its session on 25 January 1994.
No. 0100-11/94
Ljubljana, 3 February 1994.
President of the Republic of Slovenia Milan Kučan (signed)
ACT
RATIFYING THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

Article 1

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981, is hereby ratified.

Article 2

The text of the Convention in the English original and in Slovenian translation reads:

CONVENTION
FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

PREAMBLE

The member States of the Council of Europe, signatory hereto,

Considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;

Considering that it is desirable to extend the safeguards for everyone's rights and fundamental freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing;

Reaffirming at the same time their commitment to freedom of information regardless of frontiers;

Recognizing that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples,

Have agreed as follows:

CHAPTER I – GENERAL PROVISIONS

Article 1

Object and purpose

The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").

Article 2

Definitions

For the purposes of this convention:

a. "personal data" means any information relating to an identified or identifiable individual ("data subject");

b. "automated data file" means any set of data undergoing automatic processing;

c. "automatic processing" includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination;

d. "controller of the file" means the natural or legal person, public authority, agency or any other body who is competent according to the national law to decide what should be the purpose of the automated data file, which categories of personal data should be stored and which operations should be applied to them.

Article 3

Scope

1. The Parties undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.

2. Any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, or at any later time, give notice by a declaration addressed to the Secretary General of the Council of Europe:

a. that it will not apply this convention to certain categories of automated personal data files, a list of which will be deposited. In this list it shall not include, however, categories of automated data files subject under its domestic law to data protection provisions. Consequently, it shall amend this list by a new declaration whenever additional categories of automated personal data files are subjected to data protection provisions under its domestic law;

b. that it will also apply this convention to information relating to groups of persons, associations, foundations, companies, corporations and any other bodies consisting directly or indirectly of individuals, whether or not such bodies possess legal personality;

c. that it will also apply this convention to personal data files which are not processed automatically.

3. Any State which has extended the scope of this convention by any of the declarations provided for in sub-paragraph 2.b or c above may give notice in the said declaration that such extensions shall apply only to certain categories of personal data files, a list of which will be deposited.

4. Any Party which has excluded certain categories of automated personal data files by a declaration provided for in subparagraph 2.a above may not claim the application of this convention to such categories by a Party which has not excluded them.

5. Likewise, a Party which has not made one or other of the extensions provided for in sub-paragraphs 2. b and c above may not claim the application of this convention on these points with respect to a Party which has made such extensions.

6. The declarations provided for in paragraph 2 above shall take effect from the moment of the entry into force of the convention with regard to the State which has made them if they have been made at the time of signature or deposit of its instrument of ratification, acceptance, approval or accession, or three months after their receipt by the Secretary General of the Council of Europe if they have been made at any later time. These declarations may be withdrawn, in whole or in part, by a notification addressed to the Secretary General of the Council of Europe. Such withdrawals shall take effect three months after the date of receipt of such notification.

CHAPTER II – BASIC PRINCIPLES FOR DATA PROTECTION

Article 4

Duties of the Parties

1. Each Party shall take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in this chapter.

2. These measures shall be taken at the latest at the time of entry into force of this convention in respect of that Party.

Article 5

Quality of data

Personal data undergoing automatic processing shall be:

a. obtained and processed fairly and lawfully;

b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;

c. adequate, relevant and not excessive in relation to the purposes for which they are stored;

d. accurate and, where necessary, kept up to date;

e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

Article 6

Special categories of data

Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.

Article 7

Data security

Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorized destruction or accidental loss as well as against unauthorized access, alteration or dissemination.

Article 8

Additional safeguards for the data subject

Any person shall be enabled:

a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;

b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;

c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this convention;

d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.

Article 9

Exceptions and restrictions

1. No exception to the provisions of Articles 5, 6 and 8 of this convention shall be allowed except within the limits defined in this article.

2. Derogation from the provisions of Articles 5, 6 and 8 of this convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:

a. protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;

b. protecting the data subject or the rights and freedoms of others.

3. Restrictions on the exercise of the rights specified in Article 8, paragraphs b, c and d, may be provided by law with respect to automated personal data files used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the data subjects.

Article 10

Sanctions and remedies

Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter.

Article 11

Extended protection

None of the provisions of this chapter shall be interpreted as limiting or otherwise affecting the possibility for a Party to grant data subjects a wider measure of protection than that stipulated in this convention.

CHAPTER III – TRANSBORDER DATA FLOWS

Article 12

Transborder flows of personal data and domestic law

1. The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.

2. A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another Party.

3. Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:

a. insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;

b. when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.

CHAPTER IV – MUTUAL ASSISTANCE

Article 13

Co-operation between Parties

1. The Parties agree to render each other mutual assistance in order to implement this convention.

2. For that purpose:

a. each Party shall designate one or more authorities, the name and address of each of which it shall communicate to the Secretary General of the Council of Europe;

b. each Party which has designated more than one authority shall specify in its communication referred to in the previous sub-paragraph the competence of each authority.

3. An authority designated by a Party shall at the request of an authority designated by another Party:

a. furnish information on its law and administrative practice in the field of data protection;

b. take, in conformity with its domestic law and for the sole purpose of protection of privacy, all appropriate measures for furnishing factual information relating to specific automatic processing carried out in its territory, with the exception however of the personal data being processed.

Article 14

Assistance to data subjects resident abroad

1. Each Party shall assist any person resident abroad to exercise the rights conferred by its domestic law giving effect to the principles set out in Article 8 of this convention.

2. When such a person resides in the territory of another Party he shall be given the option of submitting his request through the intermediary of the authority designated by that Party.

3. The request for assistance shall contain all the necessary particulars, relating inter alia to:

a. the name, address and any other relevant particulars identifying the person making the request;

b. the automated personal data file to which the request pertains, or its controller;

c. the purpose of the request.

Article 15

Safeguards concerning assistance rendered by designated authorities

1. An authority designated by a Party which has received information from an authority designated by another Party either accompanying a request for assistance or in reply to its own request for assistance shall not use that information for purposes other than those specified in the request for assistance.

2. Each Party shall see to it that the persons belonging to or acting on behalf of the designated authority shall be bound by appropriate obligations of secrecy or confidentiality with regard to that information.

3. In no case may a designated authority be allowed to make under Article 14, paragraph 2, a request for assistance on behalf of a data subject resident abroad, of its own accord and without the express consent of the person concerned.

Article 16

Refusal of requests for assistance

A designated authority to which a request for assistance is addressed under Articles 13 or 14 of this convention may not refuse to comply with it unless:

a. the request is not compatible with the powers in the field of data protection of the authorities responsible for replying;

b. the request does not comply with the provisions of this convention;

c. compliance with the request would be incompatible with the sovereignty, security or public policy (ordre public) of the Party by which it was designated, or with the rights and fundamental freedoms of persons under the jurisdiction of that Party.

Article 17

Costs and procedures of assistance

1. Mutual assistance which the Parties render each other under Article 13 and assistance they render to data subjects abroad under Article 14 shall not give rise to the payment of any costs or fees other than those incurred for experts and interpreters. The latter costs or fees shall be borne by the Party which has designated the authority making the request for assistance.

2. The data subject may not be charged costs or fees in connection with the steps taken on his behalf in the territory of another Party other than those lawfully payable by residents of that Party.

3. Other details concerning the assistance relating in particular to the forms and procedures and the languages to be used, shall be established directly between the Parties concerned.

CHAPTER V – CONSULTATIVE COMMITTEE

Article 18

Composition of the committee

1. A Consultative Committee shall be set up after the entry into force of this convention.

2. Each Party shall appoint a representative to the committee and a deputy representative. Any member State of the Council of Europe which is not a Party to the convention shall have the right to be represented on the committee by an observer.

3. The Consultative Committee may, by unanimous decision, invite any non-member State of the Council of Europe which is not a Party to the convention to be represented by an observer at a given meeting.

Article 19

Functions of the committee

The Consultative Committee:

a. may make proposals with a view to facilitating or improving the application of the convention;

b. may make proposals for amendment of this convention in accordance with Article 21;

c. shall formulate its opinion on any proposal for amendment of this convention which is referred to it in accordance with Article 21, paragraph 3;

d. may, at the request of a Party, express an opinion on any question concerning the application of this convention.

Article 20

Procedure

1. The Consultative Committee shall be convened by the Secretary General of the Council of Europe. Its first meeting shall be held within twelve months of the entry into force of this convention. It shall subsequently meet at least once every two years and in any case when one-third of the representatives of the Parties request its convocation.

2. A majority of representatives of the Parties shall constitute a quorum for a meeting of the Consultative Committee.

3. After each of its meetings, the Consultative Committee shall submit to the Committee of Ministers of the Council of Europe a report on its work and on the functioning of the convention.

4. Subject to the provisions of this convention, the Consultative Committee shall draw up its own Rules of Procedure.

CHAPTER VI – AMENDMENTS

Article 21

Amendments

1. Amendments to this convention may be proposed by a Party, the Committee of Ministers of the Council of Europe or the Consultative Committee.

2. Any proposal for amendment shall be communicated by the Secretary General of the Council of Europe to the member States of the Council of Europe and to every non-member State which has acceded to or has been invited to accede to this convention in accordance with the provisions of Article 23.

3. Moreover, any amendment proposed by a Party or the Committee of Ministers shall be communicated to the Consultative Committee, which shall submit to the Committee of Ministers its opinion on that proposed amendment.

4. The Committee of Ministers shall consider the proposed amendment and any opinion submitted by the Consultative Committee and may approve the amendment.

5. The text of any amendment approved by the Committee of Ministers in accordance with paragraph 4 of this article shall be forwarded to the Parties for acceptance.

6. Any amendment approved in accordance with paragraph 4 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof.

CHAPTER VII – FINAL CLAUSES

Article 22

Entry into force

1. This convention shall be open for signature by the member States of the Council of Europe. It is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.

2. This convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five member States of the Council of Europe have expressed their consent to be bound by the convention in accordance with the provisions of the preceding paragraph.

3. In respect of any member State which subsequently expresses its consent to be bound by it, the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of the deposit of the instrument of ratification, acceptance or approval.

Article 23

Accession by non-member States

1. After the entry into force of this convention, the Committee of Ministers of the Council of Europe may invite any State not a member of the Council of Europe to accede to this convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the committee.

2. In respect of any acceding State, the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.

Article 24

Territorial clause

1. Any State may at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this convention shall apply.

2. Any State may at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this convention to any other territory specified in the declaration. In respect of such territory the convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of such declaration by the Secretary General.

3. Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General. The withdrawal shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of such notification by the Secretary General.

Article 25

Reservations

No reservation may be made in respect of the provisions of this convention.

Article 26

Denunciation

1. Any Party may at any time denounce this convention by means of a notification addressed to the Secretary General of the Council of Europe.

2. Such denunciation shall become effective on the first day of the month following the expiration of a period of six months after the date of receipt of the notification by the Secretary General.

Article 27

Notifications

The Secretary General of the Council of Europe shall notify the member States of the Council and any State which has acceded to this convention of:

a. any signature;

b. the deposit of any instrument of ratification, acceptance, approval or accession;

c. any date of entry into force of this convention in accordance with Articles 22, 23 and 24;

d. any other act, notification or communication relating to this convention.

In witness whereof the undersigned, being duly authorized thereto, have signed this Convention.

Done at Strasbourg, the 28th day of January 1981, in English and French, both texts being equally authoritative; in a single copy which shall remain deposited in the archives of the Council of Europe. The Secretary General of the Council of Europe shall transmit certified copies to each member State of the Council of Europe and to any State invited to accede to this Convention.

CONVENTION
FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA
PREAMBLE
The member States of the Council of Europe and the other signatories to the Convention,

considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;

considering that it is necessary to secure the human dignity and the protection of the human rights and fundamental freedoms of every individual and, given the diversification, intensification and globalisation of data processing and personal data flows, also personal autonomy based on the right to control one's own personal data and the processing of such data,

considering that the right to protection of personal data is to be considered in respect of its role in society and that it has to be reconciled with other human rights and fundamental freedoms, including freedom of expression,

considering that the implementation of the rules laid down in the Convention permits respect for the principle of the right of access to official documents,

recognising that it is necessary to promote at the global level the fundamental values of respect for privacy and protection of personal data, thereby contributing to the free flow of information between people,

recognising the interest of reinforcing international co-operation between the Parties to the Convention,

recognising that it is necessary to respect the fundamental principles of privacy and to secure the free flow of information between peoples,
agree as follows:

CHAPTER I – GENERAL PROVISIONS

Article 1

Object and purpose

The purpose of the Convention is to protect every individual with regard to the processing of his personal data, whatever his nationality or residence, thereby contributing to respect for his human rights and fundamental freedoms, and in particular the right to privacy.

Article 2

Definitions

For the purposes of this Convention:

a) "personal data" means any information relating to an identified or identifiable individual (data subject);

b) "data processing" means any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure or destruction of, or the carrying out of logical and/or arithmetical operations on, such data,

c) where automated processing is not used, "data processing" means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria,

d) "controller" means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has decision-making power with respect to data processing,

e) "recipient" means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available,

f) "processor" means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.

Article 3

Scope

1. Each Party undertakes to apply the Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual's right to protection of personal data.
2. The Convention shall not apply to data processed by an individual in the course of purely personal or household activities.

a) that it will not apply the provisions of this Convention to certain categories of automated data files containing personal data, a list of which will be deposited. In this list it shall not include categories of automated data files which are subject to its national data protection legislation. It may subsequently amend this list by a new declaration whenever additional categories of automated data files containing personal data are made subject to the provisions of national data protection legislation;

b) that they will also ensure the application of the provisions of this Convention to information relating to groups of persons, associations, foundations, companies, corporations and any other bodies consisting directly or indirectly of individuals, whether or not such bodies possess legal personality;

c) that they will also ensure the application of this Convention to those data files containing personal data which are not kept automatically.
3. Any State which extends the scope of this Convention under sub-paragraph 2.b or c may state in the declaration that such extension applies only to certain categories of data files containing personal data, a list of which it will deposit.
4. A Party which has excluded certain categories of automated data files containing personal data by a declaration under sub-paragraph 2.a may not in those cases claim the application of the provisions of this Convention from another Party which has not excluded them.
5. Likewise, a Party which has not made any of the extensions provided for in sub-paragraphs 2.b and c may not claim the application of this Convention on these points with respect to a Party which has made such extensions.
6. The declarations provided for in paragraph 2 shall take effect from the moment of the entry into force of the Convention with regard to the State which has made them if they were made at the time of signature or deposit of the instruments of ratification, acceptance, approval or accession, or three months after their receipt by the Secretary General of the Council of Europe if they were made later. These declarations may subsequently be withdrawn, in whole or in part, by a notification addressed to the Secretary General of the Council of Europe. Such withdrawals shall take effect three months after the date of their receipt.

CHAPTER II – BASIC PRINCIPLES FOR THE PROTECTION OF PERSONAL DATA

Article 4

Duties of the Parties

1. Each Party shall take the necessary measures in its law to give effect to the provisions of the Convention and secure their effective application.
2. Each Party shall take these measures, and they shall enter into force, before ratification of or accession to the Convention.
3. Each Party undertakes:

a) to allow the Convention Committee provided for in Chapter VI to evaluate the effectiveness of the measures it has taken in its law to give effect to the provisions of the Convention, and

b) to contribute actively to the evaluation process.

Article 5

Legitimacy of data processing and quality of data

1. Data processing shall be proportionate in relation to the legitimate purpose and reflect at all stages a fair balance between all interests, whether public or private, and the rights and freedoms concerned.
2. Each Party shall provide that data may be processed on the basis of the free, specific, informed and unambiguous consent of the data subject or on some other legitimate basis laid down by law.
3. Personal data undergoing processing shall be processed lawfully.
4. Personal data undergoing processing shall be:

a) processed fairly and in a transparent manner;

b) collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is, subject to appropriate safeguards, compatible with those purposes;

c) adequate, relevant and not excessive in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date;

e) preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.

Article 6

Special categories of data

1. The processing of:

- genetic data;

- personal data relating to offences, criminal proceedings and convictions, and related security measures;

- biometric data uniquely identifying an individual;

- personal data revealing racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life,
shall only be allowed where appropriate safeguards are laid down in law, complementing those of the Convention.

2. Such safeguards shall guard against the risks that the processing of special categories of personal data may present for the interests, rights and fundamental freedoms of the data subject, notably the risk of discrimination.
Personal data revealing racial origin, political, religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless national legislation provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.

Article 7

Data security

1. Each Party shall provide that the controller and, where applicable, the processor take appropriate measures to guard against risks such as accidental or unauthorised access to, or destruction, loss, use, modification or disclosure of, personal data.
2. Each Party shall provide that the controller notifies, without delay, at least the competent supervisory authority within the meaning of Article 15 of the Convention of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.

Article 8

Transparency of processing

1. Each Party shall provide that the controller informs the data subjects of:

a) his identity and habitual residence or establishment;

b) the legal basis and the purposes of the intended data processing;

c) the categories of personal data processed;

d) the recipients or categories of recipients of the personal data, if any; and

e) the means of exercising the rights set out in Article 9,
as well as any additional information needed to ensure fair and transparent processing of the personal data.

2. Paragraph 1 shall not apply where the data subject already has the relevant information.

3. Where the personal data are not obtained from the data subjects, the controller shall not be required to provide such information where the processing is expressly prescribed by law, or where this is impossible or involves disproportionate efforts.

Article 9

Rights of the data subject
1. Every individual shall have a right:

a) not to be subject to a decision significantly affecting him based solely on automated processing of data without having his views taken into consideration;

b) to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him, the communication in an intelligible form of the data processed, all available information on their origin and on the preservation period, as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;

c) to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him;

d) to object at any time, on grounds relating to his situation, to the processing of personal data concerning him, unless the controller demonstrates legitimate grounds for the processing which override the individual's interests or rights and fundamental freedoms;

e) to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being, or have been, processed contrary to the provisions of this Convention;

f) to have a remedy under Article 12 where his rights under this Convention have been violated;