
2019 | OriginalPaper | Book chapter

3. Ethnic Data Collection: Key Elements, Rules and Principles


Abstract

This chapter focuses on the key elements, rules and principles that govern ethnic data collection. It explains that, despite strong encouragement by international and European actors to use this human rights tool for equality and anti-discrimination purposes, States often hide behind an all-too restricted or faulty interpretation of the applicable data protection rules to collect such data. Due consideration is given to the context-dependency of the notions race and ethnicity and the challenges this poses to the definition of racial and ethnic origin for data collection purposes. It is highlighted that the determination of ethnic origin involves both objective and subjective criteria. Furthermore, this chapter expands on the general and special data protection rules contained in the data protection frameworks established, at the levels of the Council of Europe and the European Union, in order to demonstrate that they allow for the collection and processing of sensitive data on racial or ethnic origin, provided that certain conditions are respected and that appropriate safeguards are put in place to prevent misuse of the data and to respect the rights and fundamental freedom of data subjects. It also considers the inclusion of the protection of personal data in the right to private life in the International Covenant on Civil and Political Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. The chapter concludes with the identification of five operational and organisational principles that help to reduce the risk that sensitive data, which has been collected or processed, are misused.


Footnotes
1
Ringelheim (2011), p. 1684.
 
2
Equality data collection and ethnic data collection were introduced and defined in Chap. 1 (Sect. 1.3.1).
 
3
See Chap. 2 (Sect. 2.2) for an introduction to the notions race and ethnicity.
 
4
Inter-American Convention against Racism, Racial Discrimination and Related Forms of Intolerance (5 June 2013), art. 12.
 
5
Disaggregated data collection on racial and ethnic groups is, however, implied in several UN instruments, including: Convention on the Rights of the Child (20 November 1989). Convention on the Elimination of All Forms of Discrimination against Women (18 December 1979). International Covenant on Civil and Political Rights (16 December 1966) (ICCPR). International Covenant on Economic, Social and Cultural Rights (16 December 1966). International Convention on the Elimination of All Forms of Racial Discrimination (21 December 1965) (ICERD). Declaration on the Rights of Indigenous Peoples (2 October 2007), arts. 3 and 4. Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014), para. 32.
 
6
Convention on the Rights of Persons with Disabilities (31 December 2006) (CRPD), art. 31.
 
7
Id.
 
8
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 18. Report of the Special Rapporteur on racism, racial discrimination, xenophobia and related forms of intolerance: Follow-up to and implementation of the Durban Declaration and Programme of Action (19 May 2009), paras. 24(a) and (b). Muigai (2000), p. 2. Chapter 2 (Sect. 2.1) focused on the notion discrimination.
 
9
Refusing to collect such data could in some cases result in the obstruction of the right to information, because of the underlying resistance to document the socio-economic situation of vulnerable groups. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 18 and 41.
 
10
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 18. Chapter 2 (Sect. 2.1) discussed the notion equality. See also Chap. 4 (Sect. 4.1), which will zoom in on the five main benefits of ethnic data collection.
 
11
Council Directive 2000/43/EC implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (29 June 2000) (RED), arts. 1 and 2.1.
 
12
European Network Against Racism (ENAR) (2012) p. 8. Ringelheim (2006/2007), p. 53.
 
13
RED, recital 15 and arts. 2.1 and 2.2. This was briefly addressed in Chap. 2 (Sect. 2.1.2) on direct and indirect discrimination and the link with statistics. See also Chap. 4 (Sect. 4.1.2), where the uncovering of discrimination is presented as one of the five main benefits of ethnic data collection.
 
14
RED, recital 23 and art. 11.
 
15
Ethnic monitoring is identified as one of four complementary data sources of ethnic data collection in Chap. 4 (Sect. 4.3.3).
 
16
Simon (2005), pp. 13–16. A similar argument is used to refute fears and risks surrounding ethnic data collection in Chap. 4 (Sect. 4.2.1).
 
17
RED, art. 13. Alidadi (2017), p. 19. Chopin et al. (2014), p. 33. Makkonen (2010), p. 218.
 
18
The powers and competences of equality bodies thus vary greatly in practice. Chopin et al. (2014), p. 33. Makkonen (2010), p. 218.
 
19
RED, recital 6. Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All—A Framework Strategy (14 June 2006), para. 14. Report of the Special Rapporteur on Contemporary forms of racism, racial discrimination, xenophobia and related intolerance (19 August 2013), para. 45. Report of the Permanent Forum on Indigenous Issues on the twelfth session (12 June 2013), para. 5. Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014), para. 31. Alidadi (2017), p. 16. European Union Agency for Fundamental Rights (FRA) (2011), p. 26. Wrench (2011), p. 1716. Ringelheim (2008/2009), pp. 45 and 46. Rallu et al. (2006), p. 535. Dahal et al. (2007), p. 5. The five main risks of ethnic data collection will be considered in Chap. 4 (Sect. 4.2).
 
20
Durban Declaration (8 September 2001), paras. 92 and 93. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 1–3 and 8–92. Report of the Permanent Forum on Indigenous Issues on the thirteenth session (6 June 2014), para. 43. Guidance Note of the United Nations Secretary-General on Racial Discrimination and Protection of Minorities (March 2013), para. 23. Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003), para. 122. Report of the Permanent Forum on Indigenous Issues on the first Session (2002), paras. 3(b)(c), 6(a)(b) and 31(b). United Nations Statistics Division (UNSD) (2008), para. 2.160. UNSD (2003), p. 2.
 
21
In general policy recommendations, opinions and periodic country reports, various CoE bodies recommend ethnic data collection in different sectors such as education, employment and policing. Resolution 1740 of the Parliamentary Assembly on the situation of Roma in Europe and relevant activities of the Council of Europe (22 June 2010), arts. 12 and 15.7. Outline for State reports to be submitted under the fourth monitoring cycle of the Framework Convention for the Protection of National Minorities (30 April 2013), para. 5. Advisory Committee on the Framework Convention for the Protection of National Minorities (ACFC), Commentary on Effective Participation of Persons Belonging to National Minorities in Cultural, Social and Economic Life and in Public Affairs (27 February 2008), paras. 29–31 and 127. ACFC, Commentary on Education under the Framework Convention for the Protection of National Minorities (2 March 2006), paras. 10, 15, 18 and 19. European Commission against Racism and Intolerance (ECRI), General Policy Recommendation No. 14: Combating racism and racial discrimination in employment (22 June 2012), paras. 1(e) and 10(a). ECRI, General Policy Recommendation No. 13: Combating Anti-Gypsyism and Discrimination against Roma (24 June 2011), para. 14. ECRI, General Policy Recommendation No. 11: Combating racism and racial discrimination in policing (29 June 2007), paras. 2, 36 and 41–43. ECRI, General Policy Recommendation No. 10: Combating racism and racial discrimination in and through school education (15 December 2006), para. 1(b). ECRI, General Policy Recommendation No. 7: National legislation to combat racism and racial discrimination (13 December 2002), para. 1(a). ECRI, General Policy Recommendation No. 4: National surveys on the experience and perception of discrimination and racism from the point of view of potential victims (6 March 1998), paras. 1, 6 and 9. ECRI, General Policy Recommendation No. 1: Combating racism, xenophobia, anti-Semitism and intolerance (4 October 1996).
 
22
Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All—A Framework Strategy (14 June 2006), paras. 13–21 and recitals O to Q. Commission Communication, Joint Report on the application of Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (‘Racial Equality Directive’) and of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (‘Employment Equality Directive’) (17 January 2014), pp. 5 and 6. Commission Communication, Non-discrimination and equal opportunities: A renewed commitment (2 July 2008), p. 7. European Commission (2004), pp. 22 and 23. Chopin et al. (2014), p. 21. FRA (2012b), para. 63. FRA (2011), p. 17.
 
23
In 2013, OSF launched the Equality Data Initiative in collaboration with ENAR and Migration Policy Group to increase awareness of and enhance data collection practices in Europe for equality and anti-discrimination purposes by means of research and awareness-raising activities. The project focuses on public education (Bulgaria, Germany, Hungary, Ireland, Romania and Sweden) and public employment (France). Farkas (2017, p. 32) explains that only few non-governmental organisations advocate for ethnic data collection due to the controversies surrounding this equality tool and repeated instances of data misuse. Atanasova (2014), p. 1. ENAR (2014a), pp. 5 and 6. Abdikeeva (2014), pp. 5–33. Lamberts et al. (2014), pp. 5, 10, 11, 14 and 32. ENAR (2014b), pp. 1–20. Chopin et al. (2014), pp. 7, 16 and 30–63. Hermanin and Atanasova (2013). Hermanin and de Kroon (2013), pp. 3, 5, 6, 9, 13, 18, 26 and 28. ENAR (2012), pp. 13–18.
 
24
Intersectional discrimination was briefly touched upon in Chap. 1 (Sect. 1.2.3).
 
25
CERD Committee, General Recommendation No. 25: Gender related dimensions of racial discrimination (20 March 2000), paras. 1–3 and 6. See also: Durban Plan of Action (8 September 2001), para. 94.
 
26
CESCR Committee, General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12) (11 August 2000), para. 20.
 
27
ACFC, Third Opinion on Bulgaria (11 February 2014), paras. 53 and 55. ACFC, Third Opinion on Ireland (10 October 2012), paras. 39 and 60. ACFC, Second Opinion on Bulgaria (18 March 2010), paras. 50, 54, 211 and 222. ACFC, Second Opinion on Hungary (9 December 2004), para. 34.
 
28
ECRI, Third Report on Austria (25 June 2004), para. 77. ECRI, Third Report on France (25 June 2004), para. 114. ECRI, Third Report on Belgium (27 June 2003), para. 55. ECRI, Third Report on Germany (5 December 2003), para. 91. ECRI, Third Report on Norway (27 June 2003), para. 68.
 
29
Report of the European Parliament on Gender Aspects of the European Framework of National Roma Inclusion Strategies (10 December 2013), para. 15.
 
30
Commission Communication, Joint Report on the application of Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (‘Racial Equality Directive’) and of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (‘Employment Equality Directive’) (17 January 2014), p. 5. Opinion of the Advisory Committee on Equal Opportunities for Women and Men on the Gender Dimension of the Inclusion of Ethnic Minorities (November 2007), p. 9. European Commission (2004), pp. 22 and 23.
 
31
Report of the Open Working Group of the General Assembly on Sustainable Development Goals (12 August 2014), proposed targets 10.3 and 17.18. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 30 and 82. Report of the Special Rapporteur on the right of everyone to the enjoyment of the highest attainable standard of health, Paul Hunt, on his Mission to Sweden (28 February 2007), para. 119. Commission Communication, Non-discrimination and equal opportunities: A renewed commitment (2 July 2008), p. 7. Milcher and Ivanov (2004), p. 7.
 
32
Alidadi (2017), p. 26. Equality data collection was defined in Chap. 1 (Sect. 1.3.1). The identification of good practices will be cited as one of the benefits of ethnic data collection for equality and anti-discrimination purposes in Chap. 4 (Sect. 4.1.2).
 
33
Inter-American Convention against Racism, Racial Discrimination and Related Forms of Intolerance, art. 15(v).
 
34
Report of the UN Secretary-General on Compilation of guidelines on the form and content of reports to be submitted by States parties to the international human rights treaties (3 June 2009), para. 34. Guidelines on treaty-specific documents to be submitted by states parties under articles 16 and 17 of the International Covenant on Economic, Social and Cultural Rights (24 March 2009), paras. 3(g) and 10. Guidelines for the CERD-specific document to be submitted by States parties under article 9, paragraph 1, of the Convention (13 June 2008), paras. 3, 11, 12 and 19. Report of the Independent Expert on Minority Issues on the Implementation of General Assembly Resolution 60/251 of 15 March 2006 entitled “Human Rights Council” (2 February 2007), para. 78. Guidelines for the treaty-specific document to be submitted by States parties under article 40 of the International Covenant on Civil and Political Rights (4 October 2010), paras. 25 and 34. Durban Plan of Action (8 September 2001), para. 94. CESCR Committee, General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12) (11 August 2000), para. 63. Country examples: CRC Committee, Concluding observations on the United States of America (26 June 2013), paras. 18, 19 and 25(d). CERD Committee, Concluding Observation on Albania (10 December 2001), paras. 12 and 26. Committee on the Elimination of Discrimination against Women (CEDAW Committee), Concluding observations on the Netherlands (5 February 2010), para. 45. Alidadi (2017, p. 17) identifies States’ obligation to report on their country’s human rights situation to international human rights monitoring bodies as one of the wide range of purposes equality data collection can serve. The benefits of ethnic data collection will be considered in Chap. 4 (Sects. 4.1 and 4.2). The significance of international and European monitoring and their role in ethnic data collection will be discussed further in Chap. 4 (Sect. 4.1.4) on the benefits of ethnic data collection and in Chap. 5 (Sect. 5.2.4) on the data sources on Roma in Europe.
 
35
An overview of some of the most commonly used arguments against ethnic data collection can be found in Chap. 4 (Sect. 4.2).
 
36
Ramsay (2006), p. 5.
 
37
Outcome document of the high-level plenary meeting of the General Assembly known as the World Conference of Indigenous Peoples (22 September 2014), para. 10. Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003), para. 1.
 
38
Report of the Permanent Forum on Indigenous Issues on the second Session (5 June 2003), paras. 27, 67, 68, 70 and 122.
 
39
Examples include: Alidadi (2017). Farkas (2017). European Commission (2008). Makkonen (2007). Makkonen (2006). Olli and Kofod Olsen (2006). Olli and Kofod Olsen (2005). Simon (2004), p. 27. Reuter et al. (2004).
 
40
Regulation 168/2007 of the Council establishing a European Union Agency for Fundamental Rights (15 February 2007), recital 15 and arts. 4 and 6–10. Chopin et al. (2014), p. 26. Wrench (2011), p. 1719.
 
41
This is also true for its predecessor, the European Monitoring Center on Racism and Xenophobia. Regulation 168/2007 of the Council establishing a European Union Agency for Fundamental Rights (15 February 2007), recitals 5–7, 10, 15 and 27 and arts. 1, 4, 6–10 and 29. FRA (2009), p. 19.
 
42
European Commission (2018). In March 2019, it was announced that the EU High Level Group on Non-Discrimination, Equality and Diversity would publish equality data guidelines, a compendium of practices and a diagnostic mapping tool. FRA (2019).
 
43
The United Kingdom (UK) and most Central and Eastern European countries collect data on ethnicity in their censuses, while other Member States rely on proxy indicators for ethnicity—such as nationality, mother tongue and birthplace—to collect personal information. Dahal et al. (2007), p. 5. Makkonen (2006), pp. 6, 7, 25 and 78. Makkonen (2010), p. 227. Simon (2007), p. 45. Ringelheim (2006/2007), p. 74. Proxies for ethnicity are further discussed in Chap. 4 (Sect. 4.5) on ethnical identification.
 
44
This includes census data, vital statistics and migration data. Examples include Estonia, Latvia, Romania, Slovakia and Slovenia. Alidadi (2017), pp. 24 and 25. Haug (2001), p. 304.
 
45
In Finland, Ireland and the UK, public bodies have a duty to collect equality data, including racial and ethnic data, as part of their equality planning. Alidadi (2017), p. 27. Farkas (2017), p. 15. Makkonen (2010), p. 211. Dahal et al. (2007), p. 5. Ringelheim (2006/2007), pp. 54 and 55.
 
46
This is the case in Germany and France (allowed for statistical purposes but not for measuring anti-discrimination and diversity because considered in violation of the Constitutional equality principles). In Sweden, exceptions to the prohibition of ethnic data collection for equality and anti-discrimination purposes are allowed, but none have been introduced to date. Abdikeeva (2014), p. 16. Chopin et al. (2014), pp. 40–43 and 45. Wrench (2011), p. 1716. Oppenheimer (2008), pp. 737, 746 and 747. Ringelheim (2008/2009), pp. 48, 87 and 117–126. Cardinale (2007), p. 38. Simon (2007), pp. 9, 56, 57 and 59.
 
47
The United Nations Principles and Recommendations for Population and Housing Censuses: Results of the Survey on Proposed Changes for the 2020 Census Round prepared by the United Nations Statistics Division (October 2013), paras. 75–77. Alidadi (2017), p. 25. Simon et al. (2015), p. 4. Morning (2005), pp. 1 and 14–22. These issues will be addressed further in Chap. 4 on the benefits, risks, data sources and methods of ethnic data collection.
 
48
See Chap. 1 (Sect. 1.1.3) on the notion minority and the lack of a uniform status for Roma minorities across Europe. See also Chap. 2 (Sect. 2.2) for an introduction to the notions race and ethnicity.
 
49
Makkonen (2010), p. 236. Simon (2007), pp. 9, 25, 27, 30, 41 and 46. Makkonen (2006), p. 78. Simon (2004), pp. 34, 50, 54, 57 and 59.
 
50
For instance, France, Germany and southern Member States collect information on nationality in order to distinguish between the national population and foreigners for statistical purposes. Germany and several Central and Eastern European Member States, including Romania and Slovenia, collect ethnic data for minority purposes. The UK and Ireland collect ethnic data for equality and anti-discrimination purposes. Abdikeeva (2014), pp. 15 and 16. Gray (2009), p. 62. European Commission (2008), pp. 70–74. Simon (2007), pp. 42, 46, 47, 62 and 69. Ringelheim (2006/2007), pp. 54–56.
 
51
Alidadi (2017), p. 27. FRA (2012a), p. 31. Wrench (2011), p. 1718. Simon (2007), pp. 26, 46 and 69.
 
52
RED, art. 2. See also art. 21 Charter of Fundamental Rights of the European Union (7 December 2000) (CFEU).
 
53
Farkas (2017), pp. 4 and 37.
 
54
See Chap. 1 (Sect. 1.3.1) where ethnic data collection was identified as one of the missing pieces of Roma inclusion in Europe.
 
55
Ringelheim (2013), pp. 50 and 51. Ringelheim (2011), p. 1683. Makkonen (2006), pp. 73 and 74. Bulmer and Solomos (1998), pp. 822 and 823. The notions race and ethnicity were introduced in Chap. 2 (Sect. 2.2).
 
56
The notions race and ethnicity were analysed in Chap. 2 (Sect. 2.2).
 
57
The choice of ethnic categories for ethnical classification purposes will be considered in Chap. 4 (Sect. 4.4) and the challenges to the construction of ethnic categories for Roma in Chap. 5 (Sect. 5.3). The different approaches to ethnical identification with one or multiple ethnic categories will be analysed in Chap. 4 (Sect. 4.5) and the appropriateness of these approaches for Roma in Chap. 5 (Sect. 5.4).
 
58
Individuals and groups may understand and define race differently. Hermanin et al. (2013), p. 5. Möschel (2013), pp. 15 and 16. Ringelheim (2011), p. 1686. Makkonen (2006), p. 74.
 
59
Sabbagh (2013), p. 33. Ringelheim (2008/2009), p. 90. Makkonen (2006), p. 74. This was briefly mentioned in Chap. 2 (Sect. 2.2) on the notions race and ethnicity.
 
60
Farkas (2017), p. 37.
 
61
Ringelheim (2011), p. 1686. Makkonen (2006), p. 74.
 
62
Makkonen (2006), p. 74.
 
63
See the definition of racial discrimination in art. 1.1 ICERD.
 
64
For instance, how many generations does one go back to determine descent, national or ethnic origin? What is colour? Ethnicity is also a context-dependent notion. For more on the context-dependency and variability of ethnicity, see Sect. 3.2.2. Ethnicity was introduced as a social construct in Chap. 2 (Sect. 2.2).
 
65
Farkas (2017), pp. 10 and 11. The wide variety in terminology, categories and answer formats used by States when collecting ethnic data will be considered in Chap. 4 (Sect. 4.4.3).
 
66
Id. at pp. 10–13.
 
67
See Chap. 4 (Sect. 4.5.4) on objective criteria as inadequate proxies for ethnicity and Chap. 5 (Sect. 5.4.2) on proxies for Roma ethnicity and how they produce insufficient data for equality and anti-discrimination purposes.
 
68
See Chap. 2 (Sect. 2.2.2.3) on ethnicity as a social construct involving group creation and differentiation.
 
69
World Health Organization (WHO) (2010), p. 5. Makkonen (2010), p. 21. Makkonen (2006), p. 76.
 
70
WHO (2010), p. 6. Makkonen (2006), p. 75. Bulmer and Solomos (1998), pp. 822 and 823.
 
71
Ringelheim and De Schutter (2010), p. 84.
 
72
Makkonen (2006), p. 76.
 
73
Ringelheim and De Schutter (2010), p. 85. Ringelheim (2008/2009), pp. 91 and 92. This will be discussed in Chap. 5 (Sect. 5.3) on challenges to ethnical categorisation in the context of data collection on Roma for anti-discrimination purposes.
 
74
People can identify with multiple ethnic groups. Makkonen (2010), p. 21. Makkonen (2006), pp. 21 and 76. Simon (2007), p. 27.
 
75
Not universally accepted, this principle was originally outlined by the Permanent Court of International Justice in Advisory Opinion regarding Minority Schools in Albania (6 April 1935). France is officially colour-blind and denies the existence of ethnic, religious or linguistic minorities within its territory. ECRI, Fourth report on France (29 April 2010) CRI(2010)16, paras. 11 and 12. Dimitras (2004), pp. 2 and 4. Makkonen (2006), p. 76.
 
76
These criteria must be applied uniformly to ensure equal treatment among different groups. See: Human Rights Committee (HR Committee), General Comment No. 23: The rights of minorities (Art. 27) (8 April 1994), para. 5.2. CERD Committee, General Recommendation No. 24: Article 12 of the Convention Women and Health (27 August 1999), paras. 2 and 3. Makkonen (2010), p. 21. Makkonen (2006), p. 76.
 
77
Ahmed (2011, p. 21) states that common culture and tradition appear to be defining features of ethnicity, whereas common physical or biological features and a proper language are not. UNSD (2014), p. 170. UNSD (2008), para. 2.162. Simon (2007), p. 9. UN Economic Commission for Europe (UNECE) (2006), paras. 419–423. UNSD (2003), p. 4.
 
78
ECtHR, Timishev v. Russia, Judgment (13 December 2005), para. 55. Gerards (2007), p. 47.
 
79
Farkas (2017, p. 4) reports that ethnic origin has been interpreted broadly by various international and national courts. Hermanin et al. (2013), p. 5. Dahal et al. (2007), pp. 4 and 13. Simon (2007), pp. 18, 26 and 27. Morning (2005), pp. 1, 5, 21 and 22. UNSD (2003), pp. 4, 5 and 10. UNSD (2008), para. 2.162. Haug (2001), p. 307. See Sect. 2.2.1 on racial origin. See also Chap. 2 (Sect. 2.2) where the notions race and ethnicity were first introduced.
 
80
This will be discussed further in Chap. 4 (Sect. 4.4.1) on the involvement of objective and/or subjective criteria in the construction of ethnic categories for data collection purposes.
 
81
Hermanin et al. (2013), p. 5. UNSD (2008), para. 2.162. Dahal et al. (2007), pp. 4 and 13. Simon (2007), pp. 18, 26 and 27. Morning (2005), pp. 1, 5, 21 and 22. UNSD (2003), pp. 4, 5 and 10. Haug (2001), p. 307. Methodological difficulties in the collection of ethnic data, including ethnical categorisation, will be considered in Chap. 4 (Sect. 4.4).
 
82
UNSD (2003), p. 10.
 
83
UNSD (2008), para. 2.161. Dahal et al. (2007), pp. 5 and 6.
 
84
The construction of ethnic categories for Roma will be discussed in Chap. 5 (Sect. 5.3).
 
85
ICERD, art. 1.1.
 
86
Makkonen (2010), p. 21.
 
87
The ECtHR ruled that Russia violated the prohibition of discrimination in art. 14 European Convention for the Protection of Human Rights and Fundamental Freedoms (4 November 1950) (ECHR) in conjunction with a violation of the liberty of movement in art. 2 Protocol 4 to the ECHR, securing certain rights and freedoms other than those already included in the Convention and in the first Protocol thereto (16 September 1963). ECtHR, Timishev v. Russia, Judgment (13 December 2005), para. 55. See Chap. 2 (Sect. 2.2.2.3) on race and ethnicity as overlapping social constructs.
 
88
ICERD, art. 1. This was previously addressed more extensively in Chap. 2 (Sect. 2.2.2) on the notions race and ethnicity and on the interconnection between both constructs.
 
89
Rallu et al. (2006), p. 531. See, for instance, Bulmer (1996, p. 35), who defines an ethnic group as “a collectivity within a larger population having real or putative common ancestry, memories of a shared past, and a cultural focus upon one or more symbolic elements which define the group’s identity, such as kinship, religion, language, shared territory, nationality, or physical appearance”.
 
90
Ringelheim (2008/2009), pp. 91 and 92.
 
91
Ringelheim and De Schutter (2010), p. 90.
 
92
This rule was introduced in Sect. 3.2.2.
 
93
See also the working definition of minorities under international law in Chap. 1 (Sect. 1.1.3), which includes objective and subjective elements. This will be considered further in Chap. 4 (Sect. 4.4.1) on choosing ethnic categories based on objective and subjective criteria.
 
94
Office of the High Commissioner for Human Rights (2012), pp. 68 and 69. The objective criteria based on which the presence of ethnic minorities can be established, as well as the variability of ethnicity over time, were discussed in Sect. 3.2.2.
 
95
See Chap. 4 (Sect. 4.4) on how to choose ethnic categories for ethnical classification purposes, and Chap. 5 (Sect. 5.3) on challenges to the construction of ethnic categories for Roma.
 
96
Approaches to ethnical classification are considered generally in Chap. 4 (Sect. 4.4) and specifically in relation to Roma in Chap. 5 (Sect. 5.3).
 
97
See Chap. 2 (Sect. 2.6) on personal data protection.
 
98
CFEU, art. 8. It was explained in Chap. 2 (Sect. 2.6.6) that the Treaty of Lisbon introduced a separate right to data protection in EU law.
 
99
The interrelatedness and complementarity of privacy and personal data protection was addressed in Chap. 2 (Sect. 2.5.1).
 
100
Art. 4.2 GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Art. 2(b) Convention 108+ defines it as “any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data”.
 
101
Alidadi (2017), p. 20. This will be discussed further in Sect. 3.5 on special data protection rules that apply to sensitive data categories. The violation of privacy and data protection rules will be identified as one of the five main risks of ethnic data collection in Chap. 4 (Sect. 4.2.5). See also Chap. 5 on restricted interpretation of data protection rules in the framework of data collection on Roma (Sect. 5.7) and on the need for genuine political will (Sect. 5.8.3).
 
102
The wording might differ slightly though. For instance, some States first impose a general prohibition of sensitive data processing (France; Denmark), whereas others prefer introducing conditions without imposing a general prohibition (Austria; Czech Republic; Estonia; Norway; Slovenia). Most national laws require written consent for personal data collection and processing. Cardinale (2007), p. 38. Simon (2007), pp. 10, 23 and 46.
 
103
Commission Communication, Non-discrimination and equal opportunities: A renewed commitment (2 July 2008), p. 7. Alidadi (2017), pp. 24–27. Chopin et al. (2014), pp. 30–58. ENAR (2012), p. 6. Wrench (2011), p. 1716. Simon (2007), pp. 24, 46 and 69.
 
104
The applicable rules are misread or misunderstood. Alidadi (2017), pp. 16 and 27. FRA (2009), pp. 27 and 272. Cardinale (2007), p. 38. Simon (2007), pp. 24 and 25.
 
105
Personal data protection was introduced in Chap. 2 (Sect. 2.6).
 
106
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981) (Convention 108).
 
107
The Protocol amending Convention 108 (10 October 2018) was opened for signatures by the Contracting States to Convention 108 on 10 October 2018. As of 9 May 2019, 27 States had signed but not yet ratified the Protocol amending Convention 108. The special conditions regarding the entry into force of the Protocol, as included in art. 37, have not yet been fulfilled. For an up-to-date overview of ratifications and signatures, see: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/223/signatures (Accessed 9 May 2019). See Chap. 2 (Sect. 2.6.2.2) for a brief overview of the review process of the European data protection framework.
 
108
Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016) (GDPR) entered into force on 24 May 2016 and has applied directly in national legislation of the Member States since 25 May 2018. See Chap. 2 (Sect. 2.6.3.2) for a brief overview of the review process of the EU data protection framework.
 
109
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (24 October 1995) (Former Directive 95).
 
110
ECSR, European Roma Rights Centre v. Italy, Decision (7 December 2005), para. 23. ACFC, Commentary on Effective Participation of Persons Belonging to National Minorities in Cultural, Social and Economic Life and in Public Affairs (27 February 2008), paras. 31 and 127. ECRI, General Policy Recommendation No. 1: Combating racism, xenophobia, anti-Semitism and intolerance (4 October 1996). ACFC, Third Opinion on the Russian Federation (24 November 2011), paras. 35 and 48. ACFC, Third Opinion on Hungary (18 March 2010), paras. 19, 38 and 62. ACFC, Second Opinion on the Czech Republic (24 February 2005), para. 37. ECRI, Fourth report on Hungary (20 June 2008), para. 191. ECRI, Third report on Denmark (16 December 2005), para. 102. ECRI, Third report on Bulgaria (27 June 2003), para. 73.
 
111
Resolution of the European Parliament on Non-Discrimination and Equal Opportunities for All—A Framework Strategy (14 June 2006), art. 13.
 
112
This is reflected in the ENAR Shadow Reports of France, Hungary, Spain, Luxembourg, Slovakia, Croatia, Turkey, Italy, Belgium, Poland, Greece, Ireland, the Czech Republic, Latvia, Austria, Bulgaria, the Netherlands, Finland, Lithuania, Germany and Portugal. An overly protective reading of the applicable data protection requirements hinders equality data practices, especially so when such efforts involve sensitive data, including data on racial and ethnic origin. Alidadi (2017), p. 20. Lamberts et al. (2014), p. 11.
 
113
This has consequences for the protection of minorities, because the implementation of special measures for specific minority groups, including Roma, becomes very difficult without disaggregated data on ethnicity in various areas of socio-economic life. End-of-mission statement on Romania, by Professor Philip Alston, United Nations Human Rights Council Special Rapporteur on extreme poverty and human rights (11 November 2015). The data protection rules that apply to sensitive categories of data will be analysed in Sect. 3.5.
 
114
In 2010, the HR Committee expressed such concern regarding the Hungarian act LXIII on the Protection of Personal Data and Public Access to Data of Public Interest, because it “prohibits the collection of disaggregated personal data of any kind”. HR Committee, Concluding Observations on Hungary (16 November 2010), para. 6.
 
115
End-of-mission statement on Romania, by Professor Philip Alston, United Nations Human Rights Council Special Rapporteur on extreme poverty and human rights (11 November 2015).
 
116
The difference between anonymous, personal and sensitive data was explained in Chap. 2 (Sect. 2.6.4).
 
117
The general data protection rules that apply to all sorts of personal data will be analysed in Sect. 3.4.
 
118
Special data protection rules applying to sensitive categories will be analysed in Sect. 3.5. Chapter 2 (Sect. 2.2) took a closer look at the notions race and ethnicity. Section 3.2 considered how to define racial and ethnic origin for data collection purposes, and this will be developed further in Chap. 4 (Sect. 4.4) on ethnical categorisation as the first method of ethnic data collection practices.
 
119
Convention 108+, art. 6.2. GDPR, art. 5.2. CFEU, art. 8.3. Chapter 2 (Sect. 2.6.5.2) expanded on the role of data protection authorities.
 
120
Exceptions to the general data protection principles are possible, provided that they are included in national law and that they constitute necessary and proportionate measures in a democratic society for a range of purposes included in art. 11.1 Convention 108+ and art. 23.1 GDPR, including an open-ended provision on the protection of other essential or important objectives of general public interest.
 
121
Convention 108+, art. 5.3. Convention 108, art. 5(a). GDPR, art. 5.1(a).
 
122
The burden of proof regarding the legitimacy of data processing falls on data controllers. Convention 108+, art. 10.1. GDPR, art. 5.2. See Sect. 3.4.9 on accountability. Within the CoE framework, the controller is “the natural or legal person, public authority, service, agency or any other body which alone or jointly with others has decision-making power with respect to data processing” (art. 2(d) Convention 108+). Within the EU framework, the notion refers to “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (art. 4.7 GDPR).
 
123
GDPR, art. 6. Convention 108+, art. 5.2.
 
124
Former Directive 95, arts. 6 and 7. Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Commission Proposal GDPR) (25 January 2012), arts. 5 and 6. De Hert and Papakonstantinou (2012), p. 135.
 
125
Art. 5.1(a) GDPR states that the requirement of lawful processing equals the lawfulness requirement, which is considered in article 6 entitled ‘Lawfulness of processing’. See also the Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 48), which clarifies that the conditions for legitimate processing are set out in arts. 5.3 (“Personal data undergoing processing shall be processed lawfully”) and 5.4.
 
126
Convention 108+, art. 5.2. GDPR, article 4.11. Consent is also explicitly mentioned in art. 8.2 CFEU, though this has been criticised. See, for instance: Rouvroy and Poullet (2009), pp. 71–74.
 
127
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), pp. 2, 7 and 34. Chapter 2 (Sect. 2.5.2) underlined the focus on self-determination in the right to privacy. Article 29 Working Party and its replacement by the European Data Protection Board (EDPB) were discussed in Chap. 2 (Sect. 2.6.5.1) on the notion personal data protection. As explained there, the EDPB endorsed the GDPR-related guidelines of Article 29 Working Party in May 2018.
 
128
Le Métayer and Monteleone (2009), p. 136. See also: Brownsword (2009), p. 109.
 
129
An overview of the data protection reform at CoE and EU level can be found in Chap. 2 (Sects. 2.6.2 and 2.6.3 respectively).
 
130
It is unclear why consent is not mentioned in Convention 108 (except in art. 15 on mutual assistance). Consent takes up an important place, however, in various Recommendations of the Committee of Ministers. Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), p. 4.
 
131
Free, informed and unambiguous consent is cited as one possibility to render personal data processing lawful if there is also a legal basis for such processing. Consent can be withdrawn or suspended at any time and without retroactive effect. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 4.3 and 6.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), paras. 67, 71, 83, 84(a) and 84(c). The role of recommendations within the CoE data protection framework was considered in Chap. 2 (Sect. 2.6.2.1).
 
132
The data subject’s consent was defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. Former Directive 95, arts. 2(h) and 7(a).
 
133
Zanfir (2014), p. 240. Le Métayer and Monteleone (2009), p. 139. Simon (2007), p. 23.
 
134
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011). The role of supervisory bodies, including former Article 29 Working Party and its successor the EDPB, was briefly discussed in Chap. 2 (Sect. 2.6.5.1).
 
135
FRA and CoE (2014), p. 57.
 
136
The written consent required by some national laws could be problematic regarding the anonymity requirement. Simon (2007), p. 23.
 
137
Whether sufficient information is provided, must be determined on a case-by-case basis. FRA and CoE (2014), p. 60.
 
138
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), p. 12.
 
139
Former Directive 95, art. 2(h). FRA and CoE (2014), p. 60.
 
140
FRA and CoE (2014), p. 61.
 
141
Reding (2012), pp. 124 and 125.
 
142
Id.
 
143
See, among others: Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011). Feretti (2012), pp. 473–506. Curren and Kaye (2010), pp. 273–283. Brownsword (2009), pp. 83–110. Le Métayer and Monteleone (2009), pp. 136–144.
 
144
Commission Communication, A comprehensive approach on personal data protection in the European Union (4 November 2010), pp. 8 and 9. Zanfir (2014), pp. 237 and 240. De Hert and Papakonstantinou (2012), pp. 135 and 136. The data protection reform at EU level was discussed in Chap. 2 (Sect. 2.6.3).
 
145
See Chap. 2 (Sect. 2.6.2) for an overview of the data protection reform at CoE level.
 
146
Convention 108+, art. 5.2. GDPR, article 4.11. Whereas the GDPR includes a definition of consent in art. 4.11, Convention 108+ does not.
 
147
Written consent can be given electronically. GDPR, recital 32 and article 4.11. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42.
 
148
Commission Proposal GDPR (25 January 2012). Traung (2012), p. 38.
 
149
Mere silence, pre-ticked boxes, pre-validated forms or inactivity do not constitute consent. GDPR, recital 32. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42.
 
150
GDPR, recital 32 and art. 6.1(a). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42. The purpose specification requirement is considered in Sect. 3.4.4.
 
151
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 42. Different types of data were discussed in Chap. 2 (Sect. 2.6.4).
 
152
This also includes respect for the proportionality of data processing, which will be discussed in Sect. 3.4.5 on data minimisation. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 44.
 
153
GDPR, art. 7.1.
 
154
FRA and CoE (2018), p. 143. This will be discussed in Sect. 3.4.9.1 on the documentation of personal data processing as part of the accountability rule.
 
155
De Hert and Papakonstantinou (2012), p. 135.
 
156
Convention 108+, art. 5.2. GDPR, art. 4.11. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 42) clarifies that there may be no (in)direct undue influence or pressure. Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011, p. 12) states that consent must be given without deception, intimidation or coercion.
 
157
GDPR, art. 7.3.
 
158
GDPR, art. 7.3. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 42) explains that consent cannot be considered to have been given freely if the data subject cannot withdraw consent without prejudice.
 
159
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 45. The right to object will be reviewed in Sect. 3.4.3.2 on the transparency of personal data processing.
 
160
Several Member States have lowered the minimum age of consent. For instance, it is 15 years in France and 13 years in the UK and Belgium (for information society services). GDPR, art. 8.
 
161
De Hert and Papakonstantinou (2012), p. 136. In the European data protection framework, the notion processor refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. See: Convention 108+, art. 2(f) (also includes a service). GDPR, art. 4.8.
 
162
GDPR, art. 83.5(a).
 
163
Zanfir (2014), pp. 241 and 242.
 
164
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011), pp. 2, 7 and 34.
 
165
Convention 108+, art. 5.2. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 41. Contrary to Convention 108+, the lawfulness of processing is not further developed in art. 5(a) Convention 108, which merely states that “(p)ersonal data undergoing automatic processing shall be obtained and processed fairly and lawfully”. Art. 8.2. CFEU also requires consent of the data subject “or some other legitimate basis laid down by law”.
 
166
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 46.
 
167
Different articles apply to the processing of sensitive data, as will be discussed in Sect. 3.5.
 
168
GDPR, art. 6.
 
169
Arts. 6.1(b)–(f) GDPR did not substantially change these non-consent based options for lawful processing previously included in former arts. 7(b)–(f) Directive 95. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 46. For suggested further reading on these lawful grounds for data processing, see: FRA and CoE (2018), pp. 151–159.
 
170
See Sect. 3.5.
 
171
GDPR, art. 85.2. Recital 153 GDPR refers to the right to freedom of expression and information in art. 11 CFEU, the content of which is similar to art. 10 ECHR following art. 52.3 CFEU. Former Directive 95 already included a similar provision in art. 9 for journalistic, artistic or literary expression purposes; recital 37 referred to the right to freedom of information and the right to receive and impart information in art. 10 ECHR.
 
172
Art. 11.1(b) Convention 108+ stipulates that exceptions are allowed if they have a legal basis, respect the fundamental rights and freedoms’ essence and are a necessary and proportionate measure in a democratic society for “the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression”. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 96) expands further on the issues and provides some examples, including “freedom of expression of journalistic, academic, artistic or literary expression, and the right to receive and impart information, confidentiality of correspondence and communications, or business or commercial secrecy and other legally protected secrets”, which “should apply in particular to processing of personal data in the audio-visual field and in news archives and press libraries”. Notions related to the right to freedom of expression, including journalism, should be interpreted broadly.
 
173
Convention 108+, art. 11.1(b). GDPR, recital 153.
 
174
An example could be binding those collecting and working with the data by a professional secrecy obligation. Safeguards will be considered in Sect. 3.7.1. GDPR, art. 89.
 
175
See, among others, derogations in EU or national law to data subjects’ right of access to their personal data and their right to rectification, their right to restriction of processing and their right to object. This will be considered in Sect. 3.4.3 on the transparency of personal data processing. FRA and CoE (2018), p. 340.
 
176
Convention 108+, art. 5.4(a). Convention 108, art. 5(a). GDPR, art. 5.1(a). Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 9.1. See also CFEU, art. 8.2.
 
177
For more on the information requirement, see Sect. 3.4.3 on the transparency of data processing. Documentation and notification requirements are further discussed in Sect. 3.4.9 on accountability.
 
178
See Sect. 3.4.3 on transparency as the third general data protection rule.
 
179
The close connection between both data protection rules is also emphasised in Convention 108+, with art. 5.4(a) demanding personal data to be “processed fairly and in a transparent manner” and art. 8.1 stipulating that controllers must provide data subjects with “any necessary additional information in order to ensure fair and transparent processing of the personal data”. Clifford and Ausloos (2018), pp. 138 and 139. Transparency of processing, including the types of information that controllers must give to data subjects, will be considered in Sect. 4.3.4.
 
180
Clifford and Ausloos (2018), p. 140.
 
181
Id.
 
182
See Sect. 3.4.3 on transparency as the third general data protection rule.
 
183
FRA and CoE (2018), p. 118.
 
184
Clifford and Ausloos (2018), pp. 138–140.
 
185
FRA and CoE (2018), p. 118. This will be discussed further in Sect. 3.4.3.1 on the information aspect of transparency.
 
186
Convention 108+, art. 10.1. GDPR, art. 5.2. See Sect. 3.4.9.1 on accountability.
 
187
FRA and CoE (2018), p. 118. Lawful processing based on consent was considered in Sect. 3.4.1.1.
 
188
Clifford and Ausloos (2018), p. 140.
 
189
Id.
 
190
Clifford and Ausloos (2018), pp. 140 and 141.
 
191
FRA and CoE (2018), p. 119.
 
192
Clifford and Ausloos (2018), p. 186.
 
193
Id.
 
194
Convention 108+, arts. 5.4(a) and 8. GDPR, arts. 5.1(a) and 12. The lawfulness of data processing was analysed in Sect. 3.4.1 and the fairness of processing in Sect. 3.4.2.
 
195
De Hert and Papakonstantinou (2012), p. 134.
 
196
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 67. The close connection between both requirements was previously highlighted in Sect. 3.4.2 on the fairness of personal data processing. The rights of data subjects will be reviewed in Sect. 3.4.3.2.
 
197
Gellert et al. (2013), p. 70.
 
198
Convention 108+, art. 8. GDPR, arts. 12 and 13.
 
199
Opinion 2/2017 of Article 29 Data Protection Working Party on data processing at work (8 June 2017), p. 23.
 
200
Convention 108+, art. 9.1(b). GDPR, art. 15. FRA and CoE (2018), p. 120.
 
201
Convention 108+, art. 9.1(b). GDPR, art. 15.1.
 
202
Convention 108+, art. 9.1(b). GDPR, art. 1.5.1. Art. 8.2 CFEU also includes the right of access to one’s personal data.
 
203
It will be considered in Sect. 3.4.3.2 how data subjects can exercise control over the processing of their personal data.
 
204
Convention 108+, art. 9.1(b). See, similarly, arts. 12.3–12.5 GDPR.
 
205
This period can be extended by 2 months if this is considered necessary, taking into consideration the complexity and numbers of requests. GDPR, art. 12.3.
 
206
This could range from the need to safeguard national security to protecting judicial investigations and prosecutions and the protection of public (economic and/or financial) or private interests. GDPR, arts. 15.3 and 15.4. See, similarly, Convention 108+, art. 11.
 
207
GDPR, recital 63. The lawfulness of personal data processing was considered in Sect. 3.4.1.
 
208
Convention 108+, art. 9.1(b). In certain specific conditions, including in case of excessive requests, controllers may exceptionally charge a reasonable fee, which may not prevent data subjects from exercising their rights. Manifestly unfounded or excessive requests, particularly so when they are repetitive, may be refused provided that the controller or processor justifies such a refusal. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 76.
 
209
GDPR, art. 15.1. Several of these rights will be discussed in Sect. 3.4.3.2 on data subjects’ exercise of control over their personal data.
 
210
Convention 108+, art. 9.1(c). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 77. GDPR, art. 15.1(h). Following arts. 13.2(f) and 14.2(g) GDPR, data subjects must also be informed meaningfully about the significance and the envisaged consequences for data subjects of such processing. For more on this, see Sect. 3.4.3.2 on data subjects’ right not to be subject to decisions based on automated processing, which also includes a definition of profiling.
 
211
FRA and CoE (2018), p. 207.
 
212
Convention 108+, art. 8.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 68. GDPR, art. 12.
 
213
GDPR, recital 39.
 
214
Arts. 13.1(b) and 14.1(b) GDPR add that, where applicable, data subjects must also receive the data protection officer’s contact details.
 
215
Controllers that intend to carry out further processing for purposes other than the ones for which the data were obtained must inform data subjects about that other purpose and other relevant information prior to performing such further processing. See GDPR, arts. 14.3 and 14.4. As explained in Sect. 3.4.1.1, new consent will be required for processing for different purposes.
 
216
Convention 108+, arts. 8.1, 9.1(f) and 12. GDPR, arts. 13.1(a)–(f) and 14.1(a)–(f). In addition to the right of access discussed previously in this section, the data subjects’ rights, including their right to data rectification, data erasure, data portability as well as their right to restrict processing and to object to the processing of their personal data, will be discussed further in Sect. 3.4.3.2.
 
217
GDPR, arts. 13.2(f) and 14.2(e). See also: Convention 108+, arts. 9.1(f) and 12.
 
218
According to art. 8.1 Convention 108+, this could include “the preservation period, the knowledge of the reasoning underlying the data processing, or information on data transfers to a recipient in another Party or non-Party (including whether that particular non-Party provides an appropriate level of data protection, or the measures taken by the controller to guarantee such an appropriate level of data protection)”.
 
219
Arts. 13.2 and 14.2 cite information on data storage, the existence of their right to request access, rectification or erasure of personal data, restriction of processing, to object to processing and the right to data portability, as well as the right to withdraw consent at any time if consent formed the lawful basis for the data collection. The rights of the data subject will be analysed in Sect. 3.4.3.2.
 
220
The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 70) states that the provision of information may be done at a later stage if it is impossible at the start of the processing operation. Within the EU framework, art. 14.3 GDPR determines that, in case the personal data were collected from third parties, data controllers must give the information to the data subjects within a reasonable period of obtaining their data and at the latest within 1 month. In case of the use of personal data for communication with the data subject/for disclosure to another recipient/for further processing for another purpose than the initial one, the information must be given at the latest at the time of the first communication/first disclosure/prior to that further processing.
 
221
Art. 9.1(b) Convention 108+ requires communication in an intelligible form, which “applies to the content as well as to the form of a standardised digital communication”. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 76. GDPR, recital 39.
 
222
GDPR, recital 39. FRA and CoE (2018), p. 218.
 
223
Convention 108+, art. 9.1(b). GDPR, arts. 12.1 and 13. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 68) clarifies that any appropriate format suffices to provide information to data subjects, “as long as the information is fairly and effectively presented to the data subject” in an “easily accessible, legible, understandable” way. Furthermore, the language used must be adapted based on the relevant data subjects. For instance, the language used to inform adults about data processing operations will differ from the language used to inform children.
 
224
GDPR, arts. 13 and 14. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 68. The informing of data subjects via any available, reasonable and affordable means may be done individually or collectively. Collective means could include a public notice or a website. See: Convention 108+, art. 8.2. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 70. GDPR, art. 13.4.
 
225
Convention 108+, art. 8.2. GDPR, art. 13.4.
 
226
Indirect data collection concerns data collection through third parties. Convention 108+, art. 8.3. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 69. GDPR, arts. 13.4 and 14.5.
 
227
The reason for this could be legal (e.g. criminal investigation) or practical (e.g. processing of pictures without names or contact details). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 69. GDPR, art. 12.2.
 
228
The GDPR includes a broad interpretation of the processing of personal data for scientific research purposes, “including for example technological development and demonstration, fundamental research, applied research and privately funded research” as well as “studies conducted in the public interest in the area of public health”. GDPR, recital 159. Within the framework of Convention 108+, the processing of data for scientific research purposes is interpreted as aiming “at providing researchers with information contributing to an understanding of phenomena in varied scientific fields (epidemiology, psychology, economics, sociology, linguistics, political science, criminology, etc.) with a view to establishing permanent principles, laws of behaviour or patterns of causality which transcend all the individuals to whom they apply”. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50.
 
229
Historical research also includes genealogical research. GDPR, recital 160. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50.
 
230
Another situation that justifies an exception to controllers’ obligation to provide information to data subjects concerns professional secrecy obligations regulated by law that require personal data to be kept confidential. See arts. 14.5(b) to 14.5(e) and 89.2 and 89.3 GDPR. See also art. 11 Convention 108+, which puts down the strict conditions that must be adhered to in order to restrict data subjects’ rights. Public interest will be discussed more in-depth in Sect. 3.5 when reviewing sensitive data processing.
 
231
GDPR, recital 157.
 
232
See, among others, Sect. 3.4.3.2 on the rights of data subjects and Sect. 3.5.2 on special data processing rules in the GDPR. See also Chap. 5 (Sect. 5.7.1) on the application of strict consent rules for data collection on Roma.
 
233
The lawfulness of processing was analysed in Sect. 3.4.1.
 
234
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 71.
 
235
The repetitive character of requests may play a role in this. It falls on the controller to demonstrate requests’ manifestly unfounded or excessive character. Another option is that controllers charge a reasonable fee in such situations. GDPR, art. 12.5. For exceptions and restrictions to the rights of the data subject within the CoE framework, see: Convention 108+, art. 11.
 
236
The modernisation of the personal data protection frameworks at the CoE and the EU level was discussed in Chap. 2 (Sects. 2.6.2 and 2.6.3 respectively).
 
237
It mainly remains a national competence. Former Directive 95 also included a discretionary framework with regard to the adoption of research exemptions.
 
238
The application of such rights might make it very hard or impossible to achieve the research’s legitimate purpose. FRA and CoE (2018), pp. 339–340.
 
239
It concerns data subjects’ right of access, right to rectification, right to restriction and right to object. This was done based on art. 89 GDPR. Which of the 12 safeguards a controller adopts will depend on the nature, scope, context, purposes and degree of risk of processing. Safeguards could include, among others, the implementation of anonymisation or pseudonymisation measures, the performance of a data protection impact assessment, the adoption of a code of conduct, and/or the carrying out of regular audits. The controller must document and justify the choices made for each research project. Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008), art. 65.
 
240
The inaccuracy can concern the wrong spelling of a name or a change of address. For more significant legal inaccuracies, including the legal identity or the place of residence of a data subject, controllers may demand proof, provided that this does not place an unreasonable burden on data subjects as this would prevent data subjects from exercising their right to rectification. Convention 108+, art. 9.1(e). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 72. GDPR, arts. 12.5 and 16. This right is also included in art. 8.2 CFEU. FRA and CoE (2018), p. 220. De Hert and Papakonstantinou (2012), p. 137.
 
241
For instance, this could be relevant in the context of proceedings before a public authority, where data subjects could ask to include a supplementary statement indicating the contestation of data accuracy while awaiting an official decision. GDPR, art. 16. FRA and CoE (2018), p. 221.
 
242
As will be explained in Sect. 3.4.6, data accuracy constitutes one of the general data protection rules that apply to all sorts of personal data.
 
243
Realisation of this right should happen upon request, free of charge and without excessive delay. Convention 108+, art. 9.1(e). GDPR, arts. 12.5 and 17.
 
244
See Sect. 3.4.5 on data minimisation and the demand for adequate, relevant and limited data.
 
245
Convention 108+, art. 9.1(e). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 72. The lawfulness of personal data processing was discussed in Sect. 3.4.1. See also Sect. 3.4.9 on the accountability rule, where it is explained that controllers must be able to demonstrate compliance with the lawfulness rule at all times.
 
246
This obligation ceases to exist in case it is impossible to inform the recipients of the original information or if doing so would require disproportionate efforts. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 81.
 
247
GDPR, art. 17.1.
 
248
The available technology and cost of implementation must be taken into account when implementing this obligation. Erasure includes any links to as well as any copies or replications of those personal data. GDPR, art. 17.2.
 
249
Art. 17.3(c) GDPR limits this to the area of public health, whereas art. 11.1(a) Convention 108+ contains the open category “other essential objectives of general public interest” in addition to the ones explicitly included in the provision. Public interest will be considered more in-depth in Sect. 3.5 on sensitive data processing.
 
250
Convention 108+, art. 11. GDPR, art. 17.3. The GDPR also cites personal data processing to comply with a legal obligation that requires processing and to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller, as exceptions to the right to be forgotten.
 
251
See Guidelines of Article 29 Data Protection Working Party on the implementation of the CJEU judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (24 November 2014), pp. 5 and 12. Suggested further reading: FRA and CoE (2018), pp. 224–226.
 
252
The right to object will be discussed further on in this section.
 
253
In automated filing systems, processing restrictions should be ensured by technical means that prevent further processing of, or changes to, the personal data. Restrictions to the processing should be clearly indicated in the system. GDPR, recital 67.
 
254
GDPR, art. 18.2.
 
255
GDPR, art. 18.2. For more on public interest, see Sect. 3.5.
 
256
GDPR, art. 19. See, similarly, regarding data rectification and erasure: Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 81.
 
257
GDPR, art. 18.3.
 
258
GDPR, art. 20.1. Former Article 29 Working Party developed guidelines on this right. See: Guidelines of Article 29 Data Protection Working Party on the right to data portability (13 December 2016; revised 5 April 2017). Convention 108+ does not include a corresponding right.
 
259
GDPR, art. 20.1.
 
260
GDPR, art. 20.2.
 
261
GDPR, recital 68.
 
262
Id.
 
263
GDPR, art. 201.1.
 
264
Data processing may be necessary for the controller to comply with a legal obligation or to perform a task carried out in the public interest or in the exercise of an official authority vested in him or her. GDPR, recital 68 and art. 20.3.
 
265
GDPR, art. 20.4.
 
266
Convention 108+, art. 9.1(d). GDPR, arts. 6.1(e)–(f) and 21.1. Profiling will be defined when discussing the next right of data subjects, namely their right not to be subject to decisions based solely on automated processing. Public interest will be considered in Sect. 3.5.
 
267
GDPR, arts. 21.2 and 21.6.
 
268
GDPR, art. 21.5.
 
269
FRA and CoE (2018), p. 232.
 
270
Prior processing operations remain legitimate. GDPR, arts. 21.1 and 21.3.
 
271
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 79.
 
272
Data processing for the establishment, exercise or defence of legal claims or for reasons of public safety could constitute such an overriding legitimate ground. Convention 108+, art. 9.1(d). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 78. GDPR, art. 21.1.
 
273
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 78.
 
274
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 80. Lawfulness of personal data processing was analysed in Sect. 3.4.1.
 
275
GDPR, arts. 21.2 and 21.6. Convention 108+, art. 11.1(a). Public interest will be discussed in Sect. 3.5.
 
276
Convention 108+, art. 11.2 (also mentions archiving purposes in the public interest). GDPR, art. 89.
 
277
GDPR, art. 89.
 
278
Convention 108+, art. 11.2.
 
279
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 97.
 
280
FRA and CoE (2018), p. 233.
 
281
GDPR, art. 4(4).
 
282
GDPR, arts. 12, 13.2(f) and 14.2(g). See Sect. 3.4.3.1 on the information aspect of the transparency rule.
 
283
GDPR, art. 22.1.
 
284
Convention 108+, art. 9.1(a). GDPR, art. 22.1.
 
285
GDPR, recital 71.
 
286
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 75.
 
287
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 75.
 
288
Examples of laws include fraud and tax-evasion monitoring. This is the only exception explicitly mentioned in Convention 108+. Convention 108+, art. 9.2. GDPR, recital 71 and art. 22.2.
 
289
GDPR, recital 71 and art. 22.2. Art. 22.4 GDPR includes additional rules for decisions based on special categories of data. Special data protection rules will be analysed in Sect. 3.5.
 
290
GDPR, arts. 22.2 and 22.3.
 
291
GDPR, art. 22.3.
 
292
GDPR, recital 71.
 
293
Id.
 
294
GDPR, recital 71 and art. 22.4. The two core sets of data protection rules were introduced in Sect. 3.3. See Sect. 3.5 for an analysis of the special data protection rules included in the European data protection framework. See also Sect. 3.5.3 for a brief introduction to sensitive data processing for profiling purposes in the police sector.
 
295
Convention 108, art. 5(b). Convention 108+, art. 5.4(b). GDPR, art. 5.1(b). Art. 8.2 CFEU also requires specified purposes for processing.
 
296
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.1 and 12.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 68. Makkonen (2010), pp. 228 and 229.
 
297
In such situations, the initial legal basis suffices. GDPR, recital 50 and art. 6. The lawfulness of processing was discussed in Sect. 3.4.1.
 
298
GDPR, art. 9. Sensitive data protection rules applying to sensitive categories will be analysed in Sect. 3.5. The distinction between personal and sensitive data was introduced in Chap. 2 (Sect. 2.​6.​4) on the notion personal data protection.
 
299
GDPR, art. 10.
 
300
GDPR, art. 6.4. Very similar wording is included in the Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 49).
 
301
FRA and CoE (2018), pp. 122 and 123.
 
302
Article 29 Data Protection Working Party emphasises the close connection between purpose limitation and transparency, predictability and user control. Opinion 3/2013 of Article 29 Data Protection Working Party on purpose limitation (2 April 2013), pp. 13 and 14. The transparency rule was considered in Sect. 3.4.3.
 
303
Gutwirth (2002), p. 96. Similarly, the FRA and CoE (2018, p. 122) refer to it as one of the fundamental principles of European data protection law.
 
304
De Hert and Papakonstantinou (2012), pp. 134 and 135.
 
305
No explicit prior consent is needed for such further processing. Such further processing is a priori considered to be compatible, provided that other safeguards exist. Convention 108+, art. 5.4(b). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50. GDPR, art. 5.1(b). See: Simon (2007), p. 12. Korff (2002), pp. 66–69.
 
306
For instance, recital 157 GDPR recognises the value of research within social science when stating that “research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions”. Such solid, high-quality knowledge could be used to feed into the implementation of knowledge-based policies and improve people’s lives and the efficiency of social services. Art. 13 CFEU explicitly protects freedom of the arts and sciences, whereas art. 10 ECHR on freedom of expression does so implicitly. FRA and CoE (2014), p. 32.
 
307
Convention 108+, art. 5.4(b). GDPR, art. 6.4(e). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50.
 
308
GDPR, arts. 6.4(e) and 30. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 50. Simon (2007), p. 12. Korff (2002), pp. 66–69. Anonymisation will be discussed in Sect. 3.4.7 on storage limitation. Encryption, pseudonymisation and professional secrecy will be considered in Sect. 3.7.1 on operational and organisational principles of sensitive data processing.
 
309
GDPR, recital 50. An example of such a situation can be found in FRA and CoE (2018), p. 125. Public interest will be discussed in Sect. 3.5.
 
310
GDPR, recital 50. The right to object was considered in Sect. 3.4.3.2.
 
311
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.7. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 75c.
 
312
Convention 108, art. 5(c). Former Directive 95, art. 6.1(c).
 
313
Convention 108+, art. 5.4(c). Convention 108 referred to data storage instead of processing.
 
314
FRA and CoE (2018), p. 125.
 
315
Convention 108+, art. 5.1.
 
316
Id.
 
317
Special privacy-enhancing technology might make it possible to avoid personal data processing in certain situations. For an example, see: FRA and CoE (2018), pp. 126 and 127.
 
318
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 52.
 
319
GDPR, art. 5.1(c).
 
320
Commission Proposal GDPR (25 January 2012), art. 5(c).
 
321
Art. 89.1 GDPR stipulates that the safeguards put in place for such derogations “shall ensure that technical and organisational measures are in place in particular to ensure respect for the principle of data minimisation”. Explicit reference to data minimisation is also found in art. 25 (data protection by design and by default) and art. 47 (binding corporate rules). Secondary use was discussed in Sect. 3.4.4 on purpose limitation.
 
322
Convention 108, art. 5(d). Convention 108, art. 5.4(d). GDPR, art. 5.1(d).
 
323
GDPR, art. 5.1(d).
 
324
FRA and CoE (2018), p. 127.
 
325
For examples of both situations, see: FRA and CoE (2018), pp. 127 and 128.
 
326
Convention 108, art. 5(e). Convention 108+, art. 5.4(e). GDPR, art. 5.1(e).
 
327
GDPR, art. 5.1(e). Convention 108+, art. 5.4(e). The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 53) clarifies that, in addition to deleting personal data once the purpose of the data processing operation has been achieved, keeping them solely in a form that prevents any (in)direct identification of the data subject is a valuable means to respect the storage limitation rule.
 
328
The unreasonableness of time, effort or resources must be assessed in light of the available technology at the time of the processing and of technological developments. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 19. In 2014, former Article 29 Working Party issued an opinion on the effectiveness of different anonymisation techniques, in which it stressed that the appropriateness of the different techniques must be considered on a case-by-case basis. See: Opinion 5/2014 of Article 29 Data Protection Working Party on anonymisation techniques (10 April 2014). For more on data anonymisation, see: FRA and CoE (2018), pp. 93 and 94.
 
329
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 20.
 
330
GDPR, recital 39.
 
331
GDPR, recital 26. The distinction between personal and anonymous data was explained in Chap. 2 (Sect. 2.​6.​4) when introducing the notion personal data protection.
 
332
Whereas Convention 108+ uses the notion ‘appropriate safeguards’, the GDPR cites ‘appropriate technical and organisation measures’. GDPR, art. 5.1(e). Convention 108+, art. 5.4(b).
 
333
Art. 11.1 Convention 108+ reads that an exception is allowed “[…] when such an exception is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for: (a) the protection of national security, defense, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest; (b) the protection of the data subject or the rights and fundamental freedoms of others, notably freedom of expression.” These principles were previously considered when discussing interferences with the right to private life in Chap. 2 (Sect. 2.​5.​4). Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 54.
 
334
Convention 108, art. 7. Convention 108+, art. 7.1. GDPR, arts. 5.1(f) and 5.2.
 
335
GDPR, art. 28.1. See also: Convention 108+, art. 7.1. The Committee of Ministers determines that everyone to whom personal data are communicated for statistical purposes is responsible for keeping such data secure and that the controller must make sure that whoever collects or processes the personal data is aware of such security responsibilities. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), paras. 110(A) and 110(D). Chapter 2 (Sect. 2.6.2.1) considered the role of recommendations within the CoE data protection framework.
 
336
Art. 28.1 GDPR states that “(w)here processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
 
337
GDPR, recital 81 and arts. 25 and 32.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 56. See also: Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 15.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), paras. 110(A) and 110(D). Chapter 2 (Sect. 2.​6.​2.​1) considered the role of recommendations within the CoE data protection framework.
 
338
See Sect. 3.7 on the operational and organisational principles for sensitive data processing. See, in particular, Sect. 3.7.1 for professional secrecy obligations and Sect. 3.7.3 for codes of conduct.
 
339
GDPR, art. 32.1.
 
340
GDPR, art. 32.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 63.
 
341
GDPR, arts. 32.1 and 32.2. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 62 and 63 (“Their costs should be commensurate with the seriousness and probability of the potential risks”). Examples of security measures controllers and processors can adopt will be given in Sect. 3.7.1 when discussing the confidentiality of personal data processing.
 
342
For an introduction to the review processes that took place at the CoE and the EU level, see Chap. 2 (Sects. 2.​6.​2 and 2.​6.​3 respectively).
 
343
Whereas security makes up the focus of this section, confidentiality of personal data processing will be considered in Sect. 3.7.1 on the operational and organisational principles for sensitive data processing.
 
344
Former Directive 95, art. 17.1. See Sects. 3.4.1–3.4.7 for an overview of the first seven general data protection rules. The ninth one will be covered in Sect. 3.4.9.
 
345
GDPR, arts. 32–34. Some of these provisions were already discussed previously in this section on data security. As explained, article 32 deals with the security of processing and gives suggestions regarding the appropriate technical and organisational measures controllers and processors could implement and how the appropriate level of security can be assessed.
 
346
Waltzer (2011), p. 84. Kierkegaard et al. (2011, p. 226) do not consider it absolutely necessary to include such a new obligation in the security principle. It could also stand alone as a separate principle.
 
347
Waltzer (2011), p. 84.
 
348
At EU level, these new articles build on the personal data breach notification in art. 4.2 Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (12 July 2002). Commission Proposal GDPR (25 January 2012), p. 10.
 
349
Art. 7.2 Convention 108+ states that notification is required without delay when it concerns “data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects”. Art. 33.1 GDPR requires notification without undue delay when the personal data breach is likely “to result in a risk to the rights and freedoms of natural persons”. The controller must notify the supervisory authority within 72 h of becoming aware of the data breach. If done at a later time, the controller must provide reasons for the delay.
 
350
GDPR, art. 34.1. Whereas not explicitly included in Convention 108+, art. 7.2 stipulates that “at least the competent supervisory authority” must be notified of data breaches, leaving the door open for other complementary notifications and the Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 66) clarifies in which situations this may be advised or required. In addition to competent supervisory authorities and data subjects, it may also be desirable to notify other relevant authorities (e.g. those in charge of computer systems).
 
351
GDPR, arts. 34.1 and 34.3.
 
352
This will be discussed further in Sect. 3.7.1 on the confidentiality of data processing.
 
353
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 66.
 
354
GDPR, recital 75.
 
355
GDPR, art. 34.2.
 
356
Id.
 
357
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 66.
 
358
GDPR, art. 34.3(c). Convention 108+ does not include a similar provision.
 
359
This obligation also applies to processors. Demonstrating compliance may be required to supervisory authorities, data subjects and/or the general public. Convention 108+, art. 10.1. GDPR, arts. 5.2, 30 and 37. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85. FRA and CoE (2018), pp. 134 and 135. The general data protection rules were analysed in Sects. 3.4.1–3.4.8.
 
360
GDPR, arts. 24, 30, 37–39, 40 and 44.
 
361
Commission Proposal GDPR (25 January 2012), p. 10.
 
362
De Hert and Papakonstantinou (2012), p. 134. See also: Van Alsenoy (2012), pp. 41 and 43. Bigo et al. (2011), pp. 22–24. De Hert (2011), pp. 88–121.
 
363
Opinion 15/2011 of Article 29 Data Protection Working Party on the definition of consent (13 July 2011). Joint contribution on The Future of Privacy by Article 29 Data Protection Working Party and Working Party on Police and Justice to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data (1 December 2009), paras. 8, 17, 39, 77 and 79–83. In an opinion from 2010, former Article 29 Working Party stated that the controller must be proactive by putting the appropriate measures in place to demonstrate compliance, such as by keeping documentation to demonstrate compliance. See: Opinion 3/2010 of Article 29 Data Protection Working Party on the principle of accountability (13 July 2010). Former Article 29 Data Protection Working Party was discussed in Chap. 2 (Sect. 2.6.5) on the role of supervisory bodies in the European data protection framework.
 
364
Convention 108+, art. 10.1. GDPR, arts. 5.2 and 24.
 
365
This list is not exhaustive. Other provisions, including those relating to contracts, data protection by design and default, data protection officers, codes of conduct, certification schemes and data protection fees, also contribute to accountability and governance.
 
366
Former Directive 95, arts. 18 and 19. Member States could provide for simplifications of and exceptions to the notification requirement in certain situations.
 
367
De Hert and Papakonstantinou (2012), p. 139.
 
368
The documentation must include information on the controller, the processing purposes, a description of the data (subject) categories, the categories of recipients, data transfers (if any) and time limits for erasure and a general description of the technical and organisational security measures. Enterprises and organisations employing less than 250 people are exempted from the documentation requirement, unless the processing is likely to pose a risk for the rights and freedoms of data subjects, when the processing is not occasional, when the processing includes special categories of data, or when it concerns personal data relating to criminal convictions or offences. GDPR, arts. 30.1, 30.4 and 30.5.
 
369
GDPR, arts. 33 and 34. Data security was considered in Sect. 3.4.8.
 
370
GDPR, art. 35. Data protection impact assessments (DPIAs) will be considered in Sect. 3.4.9.2.
 
371
De Hert and Papakonstantinou (2012), p. 139.
 
372
DPIAs must also be considered in light of the abolishment of the notification requirement. See Sect. 3.4.9.1 for more information on the replacement of the notification requirement with a documentation requirement in the GDPR. De Hert and Papakonstantinou (2012), pp. 134 and 141.
 
373
In April 2017, Article 29 Working Party adopted Guidelines on DPIA and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (4 April 2017). The Guidelines were revised on 4 October 2017. In May 2018, the EDPB endorsed the GDPR-related guidelines of Article 29 Working Party. Examples of risks for data subjects were cited in Sect. 3.4.8 on data security.
 
374
GDPR, art. 35.3(b). The distinction between personal and sensitive data was explained in Chap. 2 (Sect. 2.6.4). Arts. 35.4 and 35.5 GDPR determine that supervisory authorities must draw up and publicize a list of the different kinds of processing operations that require a DPIA, and they may do the same for operations that do not require a DPIA. The role of data protection authorities was briefly discussed in Chap. 2 (Sect. 2.6.5.2).
 
375
Wright (2011b), p. 73. Suggested further reading: Wright (2011a), pp. 121–131.
 
376
GDPR, art. 35.7.
 
377
GDPR, art. 35.9.
 
378
Wright (2011b), p. 73. For more on this, see: Wright (2011a).
 
379
De Hert and Papakonstantinou (2012), p. 141. Wright and De Hert (2012a), p. 24.
 
380
De Hert and Papakonstantinou (2012), p. 141.
 
381
GDPR, art. 35.11.
 
382
De Hert and Papakonstantinou (2012), p. 140. Wright and De Hert (2012a), p. 18.
 
383
The handbook was revised several times (e.g. UK Information Commissioner’s Office (2014)). Ireland followed in December 2010: Irish Health Information and Quality Authority (2010), p. 14. Both organisations recently published new guidelines on their websites following the adoption of the GDPR.
 
384
Recommendation of the European Commission on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (RFID) (12 May 2009), recommendation 4. In 2011, former Article 29 Working Party endorsed a DPIA for RFID applications (Opinion 9/2011 of Article 29 Data Protection Working Party on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (11 February 2011)). The European Parliament also requires prior PIAs and a proportionality test for new legislative instruments in its Resolution on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada (5 May 2010), art. 5.
 
385
European Commission (2010), paras. 108, 131 and 132.
 
386
De Hert (2012, pp. 33 and 34) supports his argument by referring to the inclusion of a separate right to privacy and to data protection rights in the CFEU. The introduction of a separate right to data protection in the CFEU was explained in Chap. 2 (Sect. 2.​6.​6).
 
387
These rules were discussed in Sects. 3.3–3.5. See also Chap. 2 (Sect. 2.6) on the notion personal data protection. De Hert (2012), pp. 34 and 35. De Hert and Papakonstantinou (2012), p. 140. Wright (2011a). Suggested further reading on PIAs: Wright and De Hert (2012b).
 
388
The exact definition and methodology of PIAs varies considerably across countries and companies. Wright and De Hert (2012a), pp. 6 and 7. Privacy legislation will be analysed in Sect. 3.6. The right to privacy was previously introduced in Chap. 2 (Sect. 2.​5).
 
389
Wright and De Hert (2012a), pp. 7 and 8. Section 3.6 of this chapter will build on the analysis in Chap. 2 (Sect. 2.​5.​3), which expanded on the inclusion of personal data protection in the right to privacy.
 
390
Recommendation of the European Commission on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12 May 2009), recital 11 and recommendations 4 and 10. Wright (2011b), p. 72.
 
391
Chapter 2 (Sect. 2.​5.​2) presented the different dimensions of the right to privacy. Wright and De Hert (2012a), p. 5. Wright (2011b), p. 72.
 
392
Convention 108+, art. 10.2.
 
393
Convention 108+, art. 10.3.
 
394
Convention 108+, art. 10.4.
 
395
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85.
 
396
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85. Section 3.7.4 will discuss the involvement of trained staff in data collection and processing as an important organisational and operational principle.
 
397
Former Directive 95, art. 20.
 
398
Former Directive 95, arts. 20.1 and 20.2. According to recital 53 of former Directive 95, specific risks could arise “by virtue of their nature, their scope or their purposes, such as that of excluding individuals from a right, benefit or a contract, or by virtue of the specific use of new technologies”. It was up to Member States to specify such specific risks in their national legislation. The notification requirement as applicable under former Directive 95 was briefly mentioned in Sect. 3.4.9.1.
 
399
Former Directive 95, recital 54. The role of data protection authorities was discussed in Chap. 2 (Sect. 2.​6.​5.​2).
 
400
Countries with standardised routines for such data do not need prior authorisation by the appropriate national body or authority. Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (8 November 2001), art. 1. Explanatory Report to Convention 108 (28 January 1981), para. 16. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 18. Simon (2007), p. 18. As mentioned in Sect. 3.1.2, the collection of ethnic data for equality and anti-discrimination purposes is encouraged by international and European actors. The five main risks of ethnic data collection will be addressed in Chap. 4 (Sect. 4.​2).
 
401
GDPR, art. 36.1. Privacy impact assessments were considered in Sect. 3.4.9.2. Data protection authorities were introduced in Chap. 2 (Sect. 2.​6.​5.​2).
 
402
Former Directive 95, art. 20.3.
 
403
GDPR, art. 36.4.
 
404
Section 3.3 explained the key difference between general and sensitive data protection rules. The distinction between personal and sensitive data was introduced in Chap. 2 (Sect. 2.​6.​4).
 
405
Convention 108+, art. 6.1. Convention 108, art. 6. GDPR, art. 9.1. De Schutter (2007), p. 861. Section 3.2 explored how to define racial and ethnic origin for data collection purposes.
 
406
Simon (2007), p. 19. Ringelheim (2006/2007), p. 63.
 
407
The notions race and ethnicity were previously discussed in Chap. 2 (Sect. 2.​2) and in this chapter (Sect. 3.2). The role of objective criteria in ethnic data collection purposes will be addressed further on in Chap. 4 (Sects. 4.​4 and 4.​5) when considering the different methods involved in ethnic data collection and in Chap. 5 (Sects. 5.​3 and 5.​4) when reviewing the challenges to these methods upon the collection of data on Roma in Europe.
 
408
As will be explained, appropriate safeguards play an important role in both instruments.
 
409
Within the framework of Convention 108+, special categories of data are: genetic data; personal data relating to offenses, criminal proceedings and convictions, and related security measures; biometric data uniquely identifying a person; personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life. Notwithstanding the appropriate safeguards requirement, exceptions and restrictions to data subjects’ rights in art. 9 Convention 108+ are still possible under art. 11 Convention 108+. Convention 108+, art. 6.1. Convention 108, art. 6.
 
410
Convention 108+, art. 6.2. The Explanatory Report to the Protocol amending Convention 108 (10 October 2018, para. 55) cites some other examples, including “injury to an individual’s dignity or physical integrity, where the data subject’s most intimate sphere, such as his or her sex life or sexual orientation, is being affected, or where processing of data could affect the presumption of innocence”.
 
411
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60.
 
412
This will be discussed further in Chap. 5 (Sect. 5.​4) when reviewing the appropriateness of different ethnical identification approaches for Roma.
 
413
The Explanatory Report underlines that a particular risk may arise for data subjects when specific types of data (e.g. genetic data, data related to criminal offences and convictions) are processed, independently of the context of such processing operations. For the processing of other types of data (e.g. images), the context is relevant to determine whether the data are sensitive. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 56, 57 and 59.
 
414
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 56. Risk analysis was considered in Sect. 3.4.9.2 on accountability through DPIAs. See also Sect. 3.7 on organisational and technical measures for sensitive data processing.
 
415
Simon (2007), p. 68.
 
416
The Committee of Ministers specifies additionally that the communication of sensitive data is only possible if provided for by law or with the explicit consent of the data subject, provided domestic law does not prohibit the giving of consent. Where required, such consent must be explicit, free and informed. An important public interest may justify an exception to the obligation of requiring consent. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 6.2 and 12.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 85(b).
 
417
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 85(b).
 
418
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 39.
 
419
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 85(b).
 
420
This constitutes a safeguard within the meaning of art. 6 Convention 108+. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60.
 
421
For instance, the collection of sensitive data in identifiable form for statistical purposes could be needed to carry out a repeat or longitudinal survey. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.8. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 76.
 
422
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 60. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 4.8. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 76.
 
423
See Sect. 3.5.1 for the rules on sensitive data processing included in Convention 108+.
 
424
GDPR, art. 9.1. Within the framework of the GDPR, special categories of data are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
 
425
Arts. 9.2–9.4 GDPR include the lawful grounds for sensitive data processing.
 
426
National law could exclude consent as a ground of lawful processing of sensitive data when such operations pose unusual risks for data subjects. GDPR, art. 8.2(a). The conditions of consent as included in art. 7 GDPR and as discussed in Sect. 3.4.1.1 must be fulfilled. FRA and CoE (2018), p. 11. Alidadi (2017), p. 21. As explained in Sect. 3.4.1.1, consent also forms a possible ground for lawful processing for non-sensitive data.
 
427
See Chap. 5 (Sect. 5.7.1) on the impact a restrictive interpretation of privacy and data protection rules may have on data collection practices on Roma in Europe.
 
428
GDPR, art. 9.2(e). FRA and CoE (2014, p. 91) state that the public availability of the data “must be interpreted as implying consent of the data subject to the use of such data”. FRA and CoE (2018, pp. 162 and 163) further specify that this exception “must be construed strictly and as requiring the data subject to deliberately make his or her personal data public” and that “(t)he fact that the data subject has made public the processed personal data does not exempt controllers from their obligations under data protection law” (e.g. purpose limitation).
 
429
The processing may only relate to these bodies’ (former) members or to persons who have regular contact with them in connection with their purposes. Furthermore, the data may not be disclosed outside that body, unless data subjects have given their consent. GDPR, art. 9.2(d).
 
430
GDPR, art. 9.2(c). Recital 46 clarifies that processing of personal data that is essential for the life of another natural person “should in principle take place only where the processing cannot be manifestly based on another legal basis”.
 
431
This exception applies more broadly to any situation where courts act in their judicial capacity. Legal claims can play a role in court proceedings, administrative procedures or out-of-court procedures. GDPR, recital 52 and art. 9.2(f).
 
432
In the framework of processing for preventative or occupational medicine purposes, a contract with a health care professional can also constitute a lawful ground.
 
433
This exception must be authorised by national law providing appropriate safeguards to protect the data subjects’ fundamental rights and interests. GDPR, art. 9.2(b).
 
434
This includes preventive or occupational medicine, working capacity assessments of employees, medical diagnosis, the provision of health or social care or treatment, and the management of health-care services. The processor must be bound by professional secrecy. It is the only processing of sensitive data for which a contractual relationship can constitute a legal basis for legitimate processing. GDPR, arts. 9.2(h) and 9.3. On a separate note, when it comes to the processing of genetic data, biometric data and data concerning health, art. 9.4 GDPR allows Member States to maintain or introduce additional conditions, including limitations, to such operations.
 
435
Examples include protection against serious cross-border health threats or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. Professional secrecy is underlined as a particularly important safeguard. GDPR, art. 9.2(i).
 
436
The law must be proportionate to the aim pursued and respect the essence of the right to data protection. GDPR, art. 9.2(j). Art. 89(1) GDPR specifies that “(t)hose safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation” and that “(t)hose measures may include pseudonymisation provided that those purposes can be fulfilled in that manner”. The article continues that “(w)here those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”.
 
437
The law must be proportionate to the aim pursued and respect the essence of the right to data protection. GDPR, art. 9.2(g).
 
438
UK, Data Protection Act (England and Wales) (23 May 2018), Section 10.
 
439
Germany, Federal Data Protection Law (27 April 2017), art. 27.1. The Law entered into force on 25 May 2018. For suggested further reading on changes in German data protection law within the framework of the GDPR, see: Molnár-Gábor (2018), pp. 620–621.
 
440
Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008), art. 64.
 
441
Member States can specify the situations in which, and the conditions according to which, sensitive data can be processed, thereby leaving the door open for different approaches across the EU towards this practice. Alidadi (2017), p. 21.
 
442
Simon (2007), p. 22.
 
443
Art. 21.1 CFEU refers to discrimination grounds “such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation”. FRA (2012b), paras. 70, 72, 74, 76 and 77.
 
444
Such data collection must “(c)omply with legally established safeguards, including legislation on data protection, to ensure confidentiality and respect for the privacy of persons with disabilities” and “with internationally accepted norms to protect human rights and fundamental freedoms and ethical principles in the collection and use of statistics”. The CRPD has been ratified by all EU Member States as well as by the EU. CRPD, art. 31. This article was previously mentioned in Sect. 3.1.2 on the lack of an explicit legal obligation at UN, Council of Europe and EU level to collect ethnic data.
 
445
Recital 34 former Directive 95 cited public health, social protection, scientific research and government statistics as possible substantial public interests. As explained previously in this section, contrary to former Directive 95, art. 9.2(j) GDPR explicitly includes the exception of sensitive data processing when this is necessary for archiving purposes in the public interest, scientific research purposes or statistical purposes.
 
446
GDPR, art. 9.2(g). Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 39. Makkonen (2006), p. 61. Ringelheim (2006/2007), pp. 64–65 and 77.
 
447
UK, Data Protection Act (England and Wales) (23 May 2018), Schedule 3 para. 9.
 
448
The Information Commissioner also monitors the application of the Data Protection Act. University of Essex Human Rights Centre Clinic (2013), pp. 33 and 34. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 53.
 
449
Such prior monitoring does not take place in countries such as the UK where the processing of sensitive data is undertaken as a standardised routine. Art. 36.5 GDPR stipulates that “Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health”. Former Directive 95, recital 22 and arts. 8(2)–(5) and 20. Simon (2007), pp. 10, 11 and 17–19. Ringelheim (2006/2007), pp. 56, 57 and 63. As will be explained in Sect. 3.4.9.1 on accountability, the prior notification that was included in former Directive 95 has been replaced by a documentation requirement in the GDPR.
 
450
CJEU, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, Judgment (16 December 2008, GC), paras. 1–3. Makkonen (2010), p. 229.
 
451
CJEU, Galina Meister v. Speech Design Carrier Systems, Judgment (19 April 2012), paras. 43–47. Chopin et al. (2014), pp. 17 and 18. Farkas (2012), pp. 29, 30, 32 and 33.
 
452
Ethnic data collection takes place only when specifically encouraged in legislation, as is the case in the UK. Alidadi (2017), p. 20. Farkas (2017), pp. 4 and 5. McDonald and Negrin (2010), p. 16.
 
453
Farkas (2017), pp. 5 and 6.
 
454
See Chap. 5 (Sect. 5.8.3), where genuine political will is cited as a key element of data collection on Roma for anti-discrimination purposes.
 
455
See Sect. 3.4.1.2 on lawful processing and Sect. 3.4.3 on transparency of processing. The discussion in those sections focused on the research exemption in art. 89(2) GDPR that gives Member States the discretion to enact derogations from various rights of the data subject.
 
456
GDPR, art. 9.2.
 
457
The possibility for differences in Member States is atypical for the GDPR.
 
458
Pormeister (2017), p. 138.
 
459
Belgium, Law on the protection of natural persons with regard to the processing of their personal data (30 July 2018), art. 9.
 
460
Luxembourg, Act on the organisation of the National Data Protection Commission and the general data protection framework (1 August 2008), art. 66.
 
461
Additional (technical and organisational) measures can be adopted by the French Data Protection Authority regarding the processing of genetic, biometric or health-related data. France, Law n° 2018-493 on the protection of personal data (21 June 2018).
 
462
Pormeister (2017), p. 146.
 
463
This would be the case if the conditions apply to the cross-border processing of such sensitive data. GDPR, recital 53. Pormeister (2017), p. 146.
 
464
GDPR, art. 10.
 
465
Id.
 
466
This will be discussed further in Chap. 4 on the support of indirect discrimination claims in legal proceedings as the fifth benefit of ethnic data collection for equality and anti-discrimination purposes (Sect. 4.1.5), and discriminatory ethnic profiling by public bodies as the fourth risk or fear of ethnic data collection (Sect. 4.2.4).
 
467
The role of recommendations within the Council of Europe data protection framework and their non-legally binding nature was addressed in Chap. 2 (Sect. 2.6.2.1). Recommendation CM/Rec(87)15 of the Committee of Ministers to Member States Regulating the Use of Personal Data in the Police Sector (17 September 1987), Principle 2.4.
 
468
Recommendation CM/Rec(2010)13 of the Committee of Ministers to Member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling (23 November 2010). The general data protection rules were analysed in Sect. 3.4.
 
469
GDPR, art. 22.1. Former Directive 95 did not contain a provision specifically dealing with profiling. Exceptions to this right are possible under specific conditions, including when the decision is necessary for substantial public interests, provided that suitable safeguards are in place to safeguard the data subjects’ rights and freedoms and legitimate interests. Other exceptions include necessity for entry into force or performance of a contract, authorisation by law, or when the decision is based on the data subject’s explicit consent. In all these situations, safeguards must be put in place. See: GDPR, recital 71 and arts. 22.2 and 22.4. This was discussed in Sect. 3.4.3.2 on the transparency of data processing.
 
470
The Police and Criminal Justice Authorities Directive entered into force on 6 May 2016 and the Member States had until 6 May 2018 to transpose it into national legislation. Directive 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Police and Criminal Justice Authorities Directive) (27 April 2016). This instrument replaced Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (27 November 2008).
 
471
Safeguards must include, at a minimum, the right to obtain human intervention on the part of the controller. Police and Criminal Justice Authorities Directive, art. 11.1.
 
472
Police and Criminal Justice Authorities Directive, art. 11.2.
 
473
Police and Criminal Justice Authorities Directive, art. 11.3.
 
474
FRA (2012b), para. 80.
 
475
The inclusion of personal data protection in the right to privacy was addressed in Chap. 2 (Sect. 2.5.3). European Convention for the Protection of Human Rights and Fundamental Freedoms (4 November 1950).
 
476
EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), para. 43.
 
477
See, for example, S. and Marper v. the United Kingdom, in which the EctHR refers repeatedly to the data protection principles contained in Convention 108. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 103. See Sects. 3.3–3.5 on the general and special rules covering data collection and processing. Convention 108 was introduced in Chap. 2 (Sects. 2.5.1 and 2.6).
 
478
EU Network of Independent Experts in Fundamental Rights (2006), p. 91.
 
479
González Fuster (2014, pp. 94 and 95) argues that the degree of incorporation of the substance of Convention 108 in art. 8 ECHR remains debatable. For instance, it is unclear whether or not art. 8 ECHR is limited to automated personal data processing operations like Convention 108. According to Gutwirth (2002, p. 86), art. 8 ECHR covers both manual and automatic processing of personal information. For further reading on the partial recognition of data protection under art. 8 of the ECHR, see also: De Hert and Gutwirth (2009), pp. 24–26.
 
480
This follows from the inclusion of negative and positive obligations in both articles. The right to privacy was introduced in Chap. 2 (Sect. 2.5).
 
481
Gutwirth (2002), pp. 85 and 86.
 
482
ECHR, art. 8.2. See, similarly: CFEU, arts. 7 and 57. See also: Note from the Praesidium on the Draft Charter of Fundamental Rights of the European Union—Text of the explanations relating to the complete text of the Charter as set out in CHARTE 4487/00 CONVENT 50 (11 October 2000). These principles were considered in Chap. 2 (Sect. 2.5.4) on the conditions that interferences with the right to private life must fulfil.
 
483
EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), para. 47.
 
484
The mere storage of personal information constitutes an interference within the scope of art. 8 ECHR, irrespective of the subsequent use of such information. EctHR, Leander v. Sweden, Judgment (26 March 1987), paras. 48, 54, 55 and 66–68. In the case Joanna Szulc v. Poland, the EctHR states that it is now “well-established in its case-law that the storing of information relating to an individual’s private life in a secret register and the release of such information comes within the scope of Article 8.2”. EctHR, Joanna Szulc v. Poland, Judgment (13 November 2012), para. 81.
 
485
EctHR, Leander v. Sweden, Judgment (26 March 1987), paras. 49–68. The lawfulness of processing and purpose specification were considered in Sects. 3.4.1 and 3.4.4 respectively. See also Chap. 2 (Sect. 2.5.4), where the legality, necessity and legitimacy principles were introduced.
 
486
Sweden did not overstep its wide margin of appreciation in choosing the means to achieve the protection of national security. EctHR, Leander v. Sweden, Judgment (26 March 1987), paras. 59 and 67.
 
487
Therefore, the EctHR did not consider it necessary to review the legitimacy of the aim pursued or its necessity in a democratic society. EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), para. 62.
 
488
EctHR, Rotaru v. Romania, Judgment (4 May 2000, GC), paras. 52, 62, 63, 72 and 73. The accessibility and foreseeability of legal provisions including interferences with the right to private life was highlighted in Chap. 2 (Sect. 2.5.4.1) on the legality principle that privacy interferences must adhere to.
 
489
HR Committee, General Comment No. 16: Article 17 (The Right to Privacy) (8 April 1988), para. 10. For a general consideration of privacy interferences within the framework of art. 17 ICCPR, see Chap. 2 (Sect. 2.5.4).
 
490
S. was acquitted of all charges and the case against Marper was formally discontinued. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC). The need to limit the storage of personal data was stressed in Sect. 3.4.7.
 
491
EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 99. The notions foreseeability and accessibility were introduced in Chap. 2 (Sect. 2.5.4) on the conditions for privacy interferences.
 
492
The EctHR focused on the necessity requirement and not on the quality of law requirement. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 99.
 
493
The UK system also did not include independent review of data retention. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), paras. 102, 118–112 and 122–125. States’ margin of appreciation was considered in Chap. 2 (Sect. 2.5.4.2) on necessity as one of the conditions for privacy interferences.
 
494
Data retention must be proportionate in relation to the purposes of the processing operation and it must be limited in time. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 119. The storage limitation rule was considered as the seventh general data protection rule in Sect. 3.4.7.
 
495
Therefore, the EctHR did not consider it necessary to look into the claims of the applicant regarding the inadequacy of safeguards and insufficient protection against misuse and abuse of the personal data. EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), paras. 125 and 126.
 
496
See, similarly, concerning the right of convicted prisoners to vote irrespective of the length of sentence, the gravity of their offence and their personal circumstances: EctHR, Hirst v. United Kingdom (No. 2), Judgment (6 October 2005, GC), paras. 76, 79, 81 and 82. Nardell (2010), p. 46. The importance of a case-by-case approach to interferences with the right to private life was highlighted in Chap. 2 (Sect. 2.5.4).
 
497
See Chap. 8 (Sect. 8.2.2) on the rejection of automatic gender preferences in recruitment and promotion in the case law of the CJEU.
 
498
EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), para. 103. Automated processing of personal data was discussed in Sect. 3.4.3.2 on data subjects’ right not to be subject to decisions based solely on automated processing and in Sect. 3.5.3 on sensitive data processing for profiling purposes in the police sector.
 
499
HR Committee, General Comment No. 16: Article 17 (The Right to Privacy) (8 April 1988), para. 10.
 
500
The inclusion of positive and negative obligations in the right to respect for private life was previously addressed in Chap. 2 (Sects. 2.5.4 and 2.5.5).
 
501
In addition to art. 8 ECHR, Laferty (2014, p. 562) also points out the importance of art. 10 ECHR on the right of access to information. Data subjects’ right to access their personal data was considered in Sect. 3.4.3 on the transparency of personal data processing.
 
502
EctHR, K.H. and others v. Slovakia, Judgment (28 April 2009), para. 44.
 
503
The determination of how to copy the files is up to States. Refusal to provide data subjects with copies of their data files is possible, provided compelling reasons can be demonstrated, which Romania failed to do in this case. EctHR, K.H. and others v. Slovakia, Judgment (28 April 2009), paras. 45 and 47.
 
504
Id. at para. 48.
 
505
Id. at para. 58.
 
506
The EctHR did agree with the authorities that the quantity of files and shortcomings in the archive system justified a 6-year delay in granting the applicant access to his file. EctHR, Haralambie v. Romania, Judgment (27 October 2009), paras. 77–79, 86 and 96. See also: EctHR, Joanna Szulc v. Poland, Judgment (13 November 2012), paras. 81, 84 and 86–87. EctHR, Jarnea v. Romania, Judgment (19 July 2011), paras. 50 and 51.
 
507
It concerned personal information collected by the secret services during Communism that alleged her collaboration with them. EctHR, Joanna Szulc v. Poland, Judgment (13 November 2012), para. 87. Data subjects’ right to data rectification was considered in Sect. 3.4.3.2 on the transparency of personal data processing.
 
508
Laferty (2014), pp. 563 and 564.
 
509
HR Committee, General Comment No. 16: Article 17 (The Right to Privacy) (8 April 1988), para. 10. This corresponds to the transparency rule as discussed in Sect. 3.4.3.
 
510
Id.
 
511
Data security was analysed as the eighth general data protection rule in Sect. 3.4.8.
 
512
Id.
 
513
EctHR, S. and Marper v. the United Kingdom, Judgment (4 December 2008, GC), paras. 99 and 103.
 
514
The general and special data protection rules were analysed in Sects. 3.3–3.5.
 
515
Seltzer and Anderson (2001), pp. 497 and 498.
 
516
Gray (2009), p. 63. Seltzer and Anderson (2001), pp. 497 and 498.
 
517
Makkonen (2010), p. 227. Seltzer and Anderson (2001), p. 498.
 
518
Makkonen (2010), p. 227. See Chap. 5 (Sect. 5.1.3) for a discussion on the varying attitudes among Roma in Europe towards ethnic data collection. As will be emphasised there (Sect. 5.8.1), Roma’s preferences must be respected.
 
519
Data security was identified as the eighth general data protection rule in Sect. 3.4.8.
 
520
Makkonen (2010), p. 227. Makkonen (2006), p. 85. Haug (2001), p. 309. Seltzer and Anderson (2001), p. 498.
 
521
UNSD (2008), para. 1. EU and national laws on official statistics often include a professional secrecy obligation that applies to those working in statistics bureaus. FRA and CoE (2018), p. 340.
 
522
Resolution 68/261 of the General Assembly on Fundamental Principles of Official Statistics (3 March 2014), principle 6. See also Sect. 3.4.4, where it was explained that the purpose specification rule limits personal data use.
 
523
The same goes for statistical research professionals, including those who collect the data. FRA and CoE (2018), p. 340.
 
524
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 48.
 
525
GDPR, art. 5.1(f). Data security was considered in Sect. 3.4.8.
 
526
As explained in Sect. 3.4.8 on data security, the appropriateness of a measure will depend on “the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. GDPR, art. 32.1.
 
527
GDPR, art. 32.2.
 
528
GDPR, art. 32.4.
 
529
Convention 108+, art. 7.1. See Sect. 3.4.8 on data security as the eighth general data protection rule.
 
530
It was explained in Sect. 3.4.8 on data security that such a breach gives rise to a notification obligation of the controller. Convention 108+, art. 7. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 64 and 66.
 
531
FRA and CoE (2018), p. 171.
 
532
Such processing operations must be governed by a contract or another legal act. GDPR, art. 28.3(b).
 
533
Within the EU framework, such an obligation applies in accordance with EU or national law. GDPR, art. 38.5. Convention 108+, art. 15.8. Within the CoE framework, supervisory authorities are “bound by the same obligation to observe discretion and confidentiality towards data protection authorities of other Parties and data subjects residing abroad”. See Convention 108+, art. 19. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 148. In relation to obligations of secrecy, see also art. 90 GDPR.
 
534
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 3.2.
 
535
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 50 and 56.
 
536
GDPR, art. 9.2(i). The non-consent based grounds for sensitive data processing within the framework of the GDPR were cited in Sect. 3.5.2.
 
537
GDPR, arts. 9.2(h) and 9.3. See Sect. 3.5.2.
 
538
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 11, 15.1 and 15.4. Anonymisation was discussed in Sect. 3.4.7 on storage limitation. The key distinction between anonymous and personal data was explained in Chap. 2 (Sect. 2.6.4). As explained there, the rules of the GDPR and Convention 108(+) do not apply to anonymous data.
 
539
Pavee Point Traveller and Roma Centre (2013).
 
540
This was explained in Sect. 3.4.7 on storage limitation and in Chap. 2 (Sect. 2.6.4) when introducing the distinction between personal and anonymous data.
 
541
GDPR, art. 25.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), paras. 18–20.
 
542
The pseudonymised data and the list containing the identifying information must be stored separately. Contrary to anonymisation, pseudonymisation does not break all links to identifying the individual. GDPR, art. 4.5. FRA and CoE (2018), pp. 94, 95, 131 and 342.
 
543
A decryption key makes it possible to identify pseudonymised data. Good practices exist with regard to medical and epidemiological data. FRA and CoE (2018), pp. 94, 95 and 131. See also: UNECE (2007), pp. 44 and 85. Simon (2007), p. 14.
 
544
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principles 11 and 15.1–15.3.
 
545
This is the case in the Netherlands. Seltzer and Anderson (2001), pp. 497 and 498.
 
546
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 18. FRA and CoE (2018), pp. 94 and 95. The general and sensitive data protection rules at CoE and EU level were analysed in Sects. 3.4 and 3.5.
 
547
Art. 32.1 GDPR cites “the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” as relevant factors. This was previously highlighted in Sect. 3.4.8 on data security.
 
548
Haug (2001), p. 309.
 
549
This is the case in the USA. Seltzer and Anderson (2001), pp. 497 and 498.
 
550
Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), para. 43.
 
551
Id.
 
552
See Chap. 5 (Sect. 5.7.3).
 
553
This was explained in Sect. 3.4.9 on accountability.
 
554
These norms exist at international and national level. Resolution 68/261 of the General Assembly on Fundamental Principles of Official Statistics (3 March 2014). UNSD (2015). National examples: Academy of Social Sciences (2013). National Committees for Research Ethics in Norway (2006). Hesse-Biber and Leavy (2011), pp. 59–89.
 
555
Seltzer and Anderson (2001), pp. 498 and 499.
 
556
Statements such as “this is typical for the majority population, compared to that for ethnic minorities” are inappropriate. Makkonen (2010), p. 236.
 
557
See Chap. 5 (Sect. 5.6.4). See also Chap. 5 (Sect. 5.6.4) on the limited representativeness of data on Roma due to large heterogeneity among Roma. Anti-Gypsyism was defined in Chap. 1 (Sect. 1.2.1) when discussing the present-day situation of Roma in Europe.
 
558
GDPR, art. 32.3. For more on this, see Sect. 3.4.8 on data security.
 
559
GDPR, art. 40.1. The role of the European Data Protection Board and supervisory authorities was considered in Chap. 2 (Sect. 2.6.5.1) when introducing personal data protection.
 
560
FRA and CoE (2018), pp. 181–183.
 
561
GDPR, art. 40. Art. 40.2 GDPR stipulates that codes of conduct should give special attention to ensuring proper application of, among others, the rules concerning fair and transparent processing, the legitimate interests pursued, the collection of personal data, pseudonymisation of such data, information requirements, the rights of data subjects, data security, notification of personal data breaches and dispute resolution procedures. The general data protection rules were analysed in Sect. 3.4. See also: Commission Proposal GDPR (25 January 2012), p. 11.
 
562
GDPR, art. 40.1.
 
563
GDPR, arts. 40.9 and 40.10.
 
564
Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 33. This relates to Convention 108(+), art. 4.1.
 
565
These codes must include information on who has access to the data, which measures must be taken to protect the data and keep them secure and confidential, and information on the controllers. The Explanatory Memorandum adds that each organisation collecting and processing personal data needs to have a code of professional ethics that is in line with the basic data protection principles, based on the realities of the day-to-day work of the organisation and “known and subscribed to by all involved in collecting and processing data for statistical purposes”. Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 16.1. Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 114(a). As explained in Chap. 2 (Sect. 2.6.2.1), the Recommendations issued by the Committee of Ministers are not legally binding, but contain important standards of reference for states.
 
566
Gelling (1999), pp. 564–569.
 
567
See, for instance, the research ethics policy and procedure of the University of the West of England, Bristol, which is available at https://www2.uwe.ac.uk/services/Marketing/research/pdf/Research-Ethics-Policy-and-Procedures.pdf (Accessed 13 March 2019).
 
568
Gelling (1999), pp. 564–569.
 
569
General data protection rules were analysed in Sect. 3.4 and special data protection rules in Sect. 3.5.
 
570
See, in relation to the anonymisation of personal health data in scientific research: Quinn (2017), pp. 347–367. Suggested further reading on how research participants can be affected by ethics committees’ protective efforts: Juritzen et al. (2011), pp. 640–650. The impact of a too restrictive interpretation of privacy and data protection rules will be considered in relation to data collection on Roma in Chap. 5 (Sect. 5.7).
 
571
Pavee Point Traveller and Roma Centre (2013).
 
572
For instance, Harvard University requires researchers working on projects involving data collection on vulnerable groups to have completed the CITI Program training for Social and Behavioral Research Investigators. The latter includes modules on a variety of topics, including informed consent, privacy and confidentiality, and conflicts of interest.
 
573
Recommendation CM/Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (30 September 1997), principle 9.5. See Sect. 3.4.4 on purpose specification, Sect. 3.4.8 on integrity and confidentiality, Sect. 3.6 on personal data protection through the right to private life, and Sect. 3.7.1 on professional secrecy and confidentiality of data processing.
 
574
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 95.
 
575
Explanatory Memorandum of Recommendation CM/Rec(97)18 (30 September 1997), para. 95.
 
576
GDPR, art. 39, para. 1(b).
 
577
Other examples of appropriate measures include “setting up of appropriate notification procedures, establishing specific contractual provisions where the processing is delegated in order to give effect to the Convention; as well as setting up internal procedures to enable the verification and demonstration of compliance”. Convention 108+, art. 10.1. Explanatory Report to the Protocol amending Convention 108 (10 October 2018), para. 85.
 
578
The United Nations Development Programme (UNDP) adds that co-operation with national statistical offices is also important to identify the data already available, to encourage dialogue on concerns and to enhance capacity building. UNDP (2010), pp. 3, 4, 95, 109 and 110.
 
579
CRC Committee, General Comment No. 11: Indigenous children and their rights under the Convention (12 February 2009), paras. 71 and 80. CERD Committee, General Recommendation No. 32: The meaning and scope of special measures in the International Convention on the Elimination of All Forms of Racial Discrimination (24 September 2009), para. 18. Report of the Special Rapporteur on combating racism, racial discrimination, xenophobia and related intolerance on the comprehensive implementation of and follow-up to the Durban Declaration and Programme of Action (20 August 2015), paras. 59 and 60. Report of the Special Rapporteur on Contemporary forms of racism, racial discrimination, xenophobia and related intolerance (19 August 2013), paras. 24 and 82. Report of the Independent Expert on Minority Issues on the Implementation of General Assembly Resolution 60/251 of 15 March 2006 entitled “Human Rights Council” (2 February 2007), paras. 76, 91 and 104(b). Report of the High Commissioner for Human Rights containing a draft basic document on the development of a racial equality index (31 January 2006), paras. 60, 74 and 75. Report of the Permanent Forum for Indigenous Peoples on the Workshop on Data Collection and Disaggregation for Indigenous Peoples (10 February 2014), para. 33. UNSD (2014), p. 170. UNDP (2010), pp. 59 and 95. UNSD (2008), para. 246. Gray (2009), pp. 59 and 63. Haug (2001), p. 309. The importance of active participation of Roma and non-Roma communities and local authorities in ethnic data collection will be highlighted in Chap. 5 (Sect. 5.8.2).
 
580
This will be discussed further throughout the remaining two chapters of Part I. See, among others, Chap. 4 (Sect. 4.4) and Chap. 5 (Sects. 5.3, 5.5.4, 5.7.3 and 5.8.2).
 
581
GDPR, art. 35.9. Security accountability through DPIAs was mentioned in Sect. 3.4.9.2.
 
582
See, for example: ACFC, Third Opinion on Bulgaria (11 February 2014), para. 31. ACFC, Third Opinion on Hungary (18 March 2010), para. 45. ACFC, Second Opinion on Slovakia (26 May 2005), para. 27. For more on the importance of awareness-raising among Roma and non-Roma communities when collecting data on Roma, see Chap. 5 (Sect. 5.8.1).
 
583
Gray (2009), p. 63. Haug (2001), p. 309. As will be discussed in Chap. 4 (Sect. 4.5.2), self-identification is—in theory—the preferred approach to ethnical identification, but the effectiveness of this approach depends on the level of co-operation from the target group. See also Chap. 5 on combining self-identification with other identification methods as an interesting alternative in the case of the Roma minority (Sect. 5.4.5) and on awareness-raising and active participation as key principles of ethnic data collection on Roma (Sect. 5.8).
 
584
This includes questions, definitions and explanatory notes in the languages of various racial or ethnic groups. Gray (2009), p. 63.
 
585
This happened in Ireland. Gray (2009, p. 59) underlines, however, that the main responsibility for collecting information on minorities and indigenous peoples lies with States.
 
586
See, among others: Chap. 5 (Sects. 5.8.1 and 5.8.2) on the key principles of ethnic data collection practices on Roma, Chap. 6 (Sects. 6.2 and 6.3.2) on positive action, Chap. 9 (Sects. 9.2.1 and 9.2.4) on challenges limiting positive action for Roma, Chap. 11 (Sects. 11.3.1, 11.3.4 and 11.5) on inter-cultural mediation to enhance Roma inclusion, and Chap. 12 (Sects. 12.2.1 and 12.2.2) on the key elements identified throughout the book.
 
587
This will be discussed in Chap. 4 (Sect. 4.4) on ethnical classification.
 
588
Data subjects have the right to have their personal data rectified or erased, to restrict processing or to object to it and to transfer their data to another controller.
 
589
See Chap. 4.
 
References
Abdikeeva A (2014) Measure, plan, act – how data collection can support racial equality. Eur Netw Against Racism, Brussels
Ahmed T (2011) The impact of EU law on minority rights. Hart, Oxford
Alidadi K (2017) Gauging process towards equality? Challenges and best practices of equality data collection in the EU. Eur Equality Law Rev 2017(2):15–27
Bigo D, Carrera S, González Fuster G, Guild E, De Hert P, Jeandesboz J, Papakonstantinous V (2011) Towards a new EU Legal Framework for data protection and privacy: challenges, principles and the role of the European Parliament. European Parliament, Brussels
Brownsword R (2009) Consent in data protection law: privacy, fair processing and confidentiality. In: Gutwirth S, Poullet Y, de Hert P, de Terwangne C, Nouwt S (eds) Reinventing data protection? pp 83–110
Bulmer M (1996) The ethnic group question in the 1991 census of population. In: Coleman D, Salt J (eds) Ethnicity in the 1991 census, vol 1. HMSO, London, pp 33–62
Bulmer M, Solomos J (1998) Introduction: re-thinking ethnic and racial studies. Ethn Racial Stud 21(5):819–837
Cardinale G (2007) The challenges ahead for European anti-discrimination legislation: an ECRI perspective. Eur Anti-Discrimination Law Rev 5:31–40
Chopin I, Farkas L, Germaine C (2014) Ethnic origin and disability data collection in Europe: measuring inequality – combating discrimination. Open Society Foundations, Brussels
Clifford D, Ausloos J (2018) Data protection and the role of fairness. Yearb Eur Law 37(1):130–187
Curren L, Kaye J (2010) Revoking consent: a blind spot in data protection law? Comput Law Secur Rev 26:273–283
De Hert P (2011) From the principle of accountability to system responsibility. Key concepts in data protection law and human rights law discussions. In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 88–120
De Hert P (2012) A human rights perspective on privacy and data protection impact assessments. In: Wright D, De Hert P (eds) Privacy impact assessment. Springer, Dordrecht, pp 33–76
De Hert P, Gutwirth S (2009) Data protection in the case law of Strasbourg and Luxembourg: constitutionalisation in action. In: Gutwirth S, Poullet Y, De Hert P, De Terwagne C, Nouwt S (eds) Reinventing data protection? Springer, Amsterdam, pp 3–44
De Hert P, Papakonstantinou V (2012) The proposed data protection regulation replacing Directive 95/46/EC: a sound system for the protection of individuals. Comput Law Secur Rev 28:130–142
De Schutter O (2007) Positive action. In: Schiek D, Waddington L, Bell M (eds) Cases, materials and text on national, supranational and international non-discrimination law. Hart, Oxford, pp 757–869
European Commission (2004) Equality and non-discrimination in an enlarged European Union – green paper. Office for Official Publications of the European Communities, Luxembourg
European Commission (2008) The fight against discrimination and the promotion of equality – how to measure progress done. Office for Official Publications of the European Communities, Luxembourg
European Commission (2010) Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments. Office for Official Publications of the European Communities, Luxembourg
European Union Agency for Fundamental Rights (2009) EU-MIDIS European Union Minorities and Discrimination Survey – main results report. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights (2011) Fundamental rights: key legal and policy developments in 2010. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights (2012a) Fundamental rights: challenges and achievements in 2011. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights and Council of Europe (2014) Handbook on European data protection law. Publications Office of the European Union, Luxembourg
European Union Agency for Fundamental Rights and Council of Europe (2018) Handbook on European data protection law. Publications Office of the European Union, Luxembourg
Farkas L (2012) Getting it right the wrong way? The consequences of a summary judgment: the Meister case. Eur Anti-Discrimination Law Rev 15:23–33
Farkas L (2017) Data collection in the field of ethnicity. Publications Office of the European Union, Luxembourg
Feretti F (2012) A European perspective on data processing consent through the re-conceptualization of European data protection’s looking glass after the Lisbon treaty: taking rights seriously. Eur Rev Private Law 2:473–506
Gellert R, de Vries K, De Hert P, Gutwirth S (2013) A comparative analysis of anti-discrimination and data protection legislations. In: Custers B, Calders T, Schermer B, Zarsky T (eds) Discrimination and privacy in the information society. Springer, Heidelberg, pp 61–89
Gelling L (1999) Role of the research ethics committee. Nurse Educ Today 19(7):564–569
Gerards J (2007) Discrimination grounds. In: Schiek D, Waddington L, Bell B (eds) Cases, materials and text on national, supranational and international non-discrimination law. Hart, Oxford, pp 33–184
González Fuster G (2014) The emergence of personal data protection as a fundamental right in the EU. Springer, Vienna
Gray Z (2009) The importance of ethnic data for promoting the right to education. In: Minority Rights Group International (ed) State of the world’s minorities and indigenous peoples. Minority Rights Group International, London, pp 54–63
Gutwirth S (2002) Privacy and the information age. Rowman & Littlefield, Lanham
Haug W (2001) Ethnic, religious and language groups: towards a set of rules for data collection and statistical analysis. Int Stat Rev 69(2):303–311
Hermanin C, Möschel M, Grigolo M (2013) Introduction: how does race ‘count’ in fighting racial and ethnic discrimination in Europe? In: Möschel M, Hermanin C, Grigolo M (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 1–12
Hesse-Biber SN, Leavy P (2011) The practice of qualitative research. Sage, Los Angeles
Irish Health Information and Quality Authority (2010) Guidance on privacy impact assessment in health and social care. Health Information and Quality Authority, Dublin
Juritzen T, Grimen H, Heggen K (2011) Protecting vulnerable research participants: a Foucault-inspired analysis of ethic committees. Nurs Ethics 18(5):640–650
Kierkegaard S, Waters N, Greenleaf G, Bygrave LA, Lloyd I, Saxby S (2011) 30 years on – the review of the Council of Europe Data Protection Convention 108. Comput Law Secur Rev 27:223–231
Laferty M (2014) Article 8: the right to respect for private and family life, home, and correspondence. In: Harris D, O’Boyle, Edward Bates M, Buckley C (eds) Harris, O’Boyle, and Warbrick Law of the European Convention on Human Rights, 3rd edn. Oxford University Press, Oxford, pp 522–591
Lamberts M, Ode A, Witkamp B (2014) Racism and discrimination in employment in Europe – shadow report 2012–2013. European Network Against Racism, Brussels
Le Métayer D, Monteleone S (2009) Automated consent through privacy agents: legal requirements and technical architecture. Comput Law Secur Rev 25(2):136–144
Makkonen T (2006) Measuring discrimination – data collection and EU equality law. Office for Official Publications of the European Communities, Luxembourg
Makkonen T (2007) European handbook on equality data. Office for Official Publications of the European Communities, Luxembourg
Makkonen T (2010) Equal in law, unequal in fact – racial and ethnic discrimination and the legal response thereto in Europe. Dissertation, University of Helsinki
McDonald C, Negrin K (2010) No data – no progress: summary and analysis. Open Society Institute, New York
Milcher S, Ivanov A (2004) The United Nations Development Programme’s vulnerability projects, Roma and ethnic data. Roma Rights 2:7–13
Molnár-Gábor F (2018) Germany: a fair balance between scientific freedom and data subjects’ rights? Hum Genet 137:619–626
Möschel M (2013) Race in mainland European legal analysis: towards a European critical race theory. In: Möschel M, Hermanin C, Grigolo M (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 13–29
Nardell GC (2010) Levelling up: data privacy and the European Court of Human Rights. In: Gutwirth S, Poullet Y, De Hert P (eds) Data protection in a profiled world. Springer, Dordrecht, pp 43–52
National Committees for Research Ethics in Norway (2006) Guidelines for research ethics in the social sciences, law and the humanities. National Committee for Research Ethics in the Social Sciences and the Humanities, Oslo
Olli E, Kofod Olsen B (2005) Towards common measures for discrimination: exploring possibilities for combining existing data for measuring ethnic discrimination. Centre for Combating Ethnic Discrimination and Danish Institute for Human Rights, Oslo and Copenhagen
Olli E, Kofod Olsen B (2006) Towards common measures for discrimination II – recommendations for improving measurement of discrimination. Norwegian Equality and Anti-Discrimination Ombud and Danish Institute of Human Rights, Oslo and Copenhagen
Oppenheimer DB (2008) Why France needs to collect data on racial identity… in a French way. Hastings Int Comp Law Rev 31:735–751
Pormeister K (2017) Genetic data and the research exemption: is the GDPR going too far? Int Data Privacy Law 7(2):137–146
Quinn P (2017) The anonymisation of research data – a pyric victory for privacy that should not be pushed too hard by the EU Data Protection Framework? Eur J Health Law 24:347–367
Rallu J-L, Piché V, Simon P (2006) Demography and ethnicity – an ambiguous relationship. In: Caselli G, Vallin J, Wunsch G (eds) Demography: analysis and synthesis. Academic, Burlington, pp 531–549
Reding V (2012) The European data protection framework for the twenty-first century. Int Data Privacy Law 2(3):119–129
Ringelheim J (2006/2007) Minority protection, data collection and the right to privacy. Eur Yearb Minor Issues 6:51–77
Ringelheim J (2008/2009) Collecting racial or ethnic data for anti-discrimination policies: a U.S.-Europe comparison. Rutgers Race Law Rev 10:39–141
Ringelheim J (2011) Ethnic categories and European human rights law. Ethn Racial Stud 34(10):1682–1696
Ringelheim J (2013) Ethnic categories and European human rights law. In: Möschel M, Hermanin C, Grigolo G (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 47–60
Ringelheim J, De Schutter O (2010) Ethnic monitoring – the processing of racial and ethnic data in anti-discrimination policies: reconciling the promotion of equality with privacy rights. Bruylant, Brussels
Rouvroy A, Poullet Y (2009) The right to informational self-determination and the value of self-development: reassessing the importance of privacy for democracy. In: Gutwirth S, Poullet Y, De Hert P, De Terwangne C, Nouwt S (eds) Reinventing data protection? Springer, Amsterdam, pp 45–76
Sabbagh D (2013) The paradox of decategorization: deinstitutionalizing race through race-based affirmative action in the United States. In: Möschel M, Hermanin C, Grigolo M (eds) Fighting discrimination in Europe – the case for a race-conscious approach. Routledge, London, pp 30–46
Seltzer W, Anderson M (2001) The dark side of numbers: the role of population data systems in human rights abuses. Soc Res 68(2):481–513
Simon P (2004) Comparative study on the collection of data to measure the extent and impact of discrimination within the United States, Canada, Austria, Great-Britain and the Netherlands – Medis Project. Office for Official Publications of the European Communities, Luxembourg
Simon P (2005) The measurement of racial discrimination: the policy use of statistics. Int Soc Sci J 57:9–25
Simon P, Piché V, Gagnon AA (2015) The making of racial and ethnic categories: official statistics reconsidered. In: Simon P, Piché V, Gagnon AA (eds) Social statistics and ethnic diversity: cross-national perspectives in classifications and identity politics. Springer, Cham, pp 1–14
Traung P (2012) The proposed new EU general data protection regulation. Comput Law Rev Int 13(2):33–49
United Nations Development Programme (2010) Marginalised minorities in development programming. UNDP, New York
United Nations Statistics Division (2008) Principles and recommendations for a population and housing censuses, Rev. 2. United Nations, New York
Van Alsenoy B (2012) Allocating responsibility among controllers, processors and “everything in between”: the definition of actors and roles in Directive 95/46/EC. Comput Law Secur Rev 28:25–43
Waltzer J-P (2011) The modernization of the Convention of the Council of Europe for the protection of individuals with regard to automatic processing of personal data (ETS No. 108): moving from a European standard towards a universal standard for data protection? In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 81–86
World Health Organization (2010) How health systems can address health inequities linked to migration and ethnicity. WHO Regional Office for Europe, Copenhagen
Zurück zum Zitat Wrench J (2011) Data on discrimination in EU countries: statistics, research and the drive for comparability. Ethn Racial Stud 34(10):1715–1730CrossRef Wrench J (2011) Data on discrimination in EU countries: statistics, research and the drive for comparability. Ethn Racial Stud 34(10):1715–1730CrossRef
Zurück zum Zitat Wright D (2011a) Should privacy impact assessments be mandatory? Commun ACM 54(8):121–131CrossRef Wright D (2011a) Should privacy impact assessments be mandatory? Commun ACM 54(8):121–131CrossRef
Zurück zum Zitat Wright D (2011b) The state of the art in privacy impact assessment. In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 69–76 Wright D (2011b) The state of the art in privacy impact assessment. In: Zombor F (ed) International data protection conference 2011. Hungarian Official Journal Publisher, Hungary, pp 69–76
Zurück zum Zitat Wright D, De Hert P (2012a) Introduction to privacy impact assessment. In: Wright D, De Hert P (eds) Privacy impact assessment. Springer, Dordrecht, pp 3–32CrossRef Wright D, De Hert P (2012a) Introduction to privacy impact assessment. In: Wright D, De Hert P (eds) Privacy impact assessment. Springer, Dordrecht, pp 3–32CrossRef
Zurück zum Zitat Wright D, De Hert P (2012b) Privacy impact assessment. Springer, DordrechtCrossRef Wright D, De Hert P (2012b) Privacy impact assessment. Springer, DordrechtCrossRef
Zurück zum Zitat Zanfir G (2014) Forgetting about consent. Why the focus should be on “Suitable Safeguards” in data protection law. In: Gutwirth S, Leenes R, De Hert P (eds) Reloading data protection – multidisciplinary insights and contemporary challenges. Springer, Dordrecht, pp 237–257CrossRef Zanfir G (2014) Forgetting about consent. Why the focus should be on “Suitable Safeguards” in data protection law. In: Gutwirth S, Leenes R, De Hert P (eds) Reloading data protection – multidisciplinary insights and contemporary challenges. Springer, Dordrecht, pp 237–257CrossRef
Metadata
Title: Ethnic Data Collection: Key Elements, Rules and Principles
Written by: Jozefien Van Caeneghem
Copyright year: 2019
DOI: https://doi.org/10.1007/978-3-030-23668-7_3
