1. Scope and Definitions
1.1 The principles contained in this Recommendation apply to the automatic processing of personal data which are collected by public bodies and which may be communicated to third parties.
1.2 Member States may extend the scope of this Recommendation so as to include data relating to groups, companies, associations etc. regardless of whether or not they possess legal personality, as well as to personal data in non-automated form.
For the purposes of this Recommendation
1.3 - The expression "personal data" refers to any information relating to an identified or identifiable individual (data subject). An individual shall not be regarded as "identifiable" if the identification requires an unreasonable amount of time, cost and manpower.
- The expression "public bodies" refers to any administration, institution, establishment or other body which exercises public service or public interest functions as a consequence of it being attributed with public powers.
Domestic law may broaden the scope of the expression "public bodies".
- The expression "files accessible to third parties" refers to files held by public bodies containing personal data which may be communicated to the public or to third parties having a particular interest and which are in accordance with general laws on access to public sector information or freedom of information, constitutional provisions as well as specific laws, regulations or case law which authorise third parties to have access to information held by public bodies including by means of official publication.
- The expression "communication" refers to making files or personal data accessible, such as by authorising their consultation, transmitting them, disseminating them or making them available regardless of the means or media used.
- The expression "third party" refers to legal and natural persons to whom personal data are communicated by public bodies to the exclusion of other public bodies.
Domestic law may broaden the scope of the expression "third parties".2. Respect for privacy and data protection principles
2.1 The communication, in particular by electronic means, of personal data or personal data files by public bodies to third parties should be accompanied by safeguards and guarantees designed to ensure that the privacy of the data subject is not unduly prejudiced.
In particular, the communication of personal data or personal data files to third parties should not take place unless:
a) a specific law so provides; or
b) the public has access thereto under legal provisions governing access to public-sector information; or
c) the communication is in conformity with domestic legislation on data protection; or
d) the data subject has given his free and informed consent.
2.2 Unless domestic law provides appropriate safeguards and guarantees for the data subject, personal data or personal data files may not be communicated to third parties for purposes incompatible with those for which the data were collected.
2.3 Domestic legislation on data protection should apply to the processing by a third party of personal data communicated to him by public bodies.3. Sensitive data
3.1 Personal data falling within any of the categories referred to in Article 6 of the Convention for the protection of individuals with regard to automatic processing of personal data should not be stored in a file or in part of a file generally accessible to third parties.
Any exception to this principle should be strictly provided by law and accompanied by the appropriate safeguards and guarantees for the data subject.
3.2 The provisions of Principle 3.1 are without prejudice to the possibility of storing in files accessible to third parties categories of data which in other circumstances would be regarded as sensitive but which concern those data subjects in public life who perform functions which belong to the public domain and as a result their data are accessible to third parties.4. Generally accessible data
4.1 The purposes for which the data will be collected and processed in files accessible to third parties as well as the public interest justifying their being made accessible should be indicated in accordance with domestic law and practice.
4.2 Before or at the time of the collection, data subjects should be informed in accordance with domestic law and practice of the compulsory or optional nature of the collection, of the legal bases and the purposes of the collection and processing of personal data as well as the public interest justifying their being made accessible.
4.3 Public bodies should be able to avoid the communication to third parties of personal data which are stored in a file accessible to the public and which concern data subjects whose security and privacy are particularly threatened.5. Access to and communication of personal data by electronic means
5.1 The automatic processing of personal data contained in files accessible to third parties should be carried out in accordance with domestic law.
Domestic law should lay down the conditions governing communication of and access to the data and, in particular, provide the conditions governing the automatic communication and on-line consultation of such data.
5.2 At the time of automatic communication, technical means designed to limit the scope of electronic interrogations or searches should be introduced with a view to preventing unauthorised consultation or downloading of personal data or files containing such data.6. Processing by third parties of personal data originating in files accessible to third parties
6.1 Where the data subject is legally obliged to provide his data for storage in files accessible to third parties, the processing of personal data by third parties should either be subject to obtaining the express and informed consent of the data subject or be in accordance with statutory requirements.
Where the consent requirement applies, the data subject should be able to withdraw his consent at any time.
6.2 Where the storage of the personal data in a file accessible to third parties is not obligatory, the data subject should be informed before or at the time of the collection of his rights:
a) not to have his data stored in a file accessible to third parties; or
b) to have his data stored in such a file and communicated without however their being processed by third parties; or
c) to object to his data continuing to be processed by third parties; or
d) have his data deleted at any time.
6.3 If a third party creates files containing personal data obtained from files accessible to third parties, such files should be subject to the requirements of domestic legislation on data protection, including the rights of the data subject.
In particular, the data subject should be able to know of the existence of the new file, of its purpose and of his right to have his data erased from the file in question.7. File interconnection/matching
7.1 Unless permitted by domestic law providing appropriate safeguards for the data subject, the interconnection - in particular by means of connecting, merging or downloading - of personal data files consisting of personal data originating from files accessible to third parties with a view to producing new files, as well as the matching or interconnection of files or personal data held by third parties with one or more files held by public bodies so as to enrich the existing files or data, should be prohibited.8. Transborder data flows
8.1 The principles of this Recommendation are applicable to the transborder communication of personal data which are collected by public bodies and which may be communicated to third parties.
8.2 The transborder communication of personal data to third parties residing in a State which has ratified Convention No. 108 and which thus has a data protection law should not be subjected to special conditions concerning the protection of privacy.
8.3 Where the principle of equivalent protection is respected, no restriction should be placed on the transborder communication of personal data to third parties residing in a State which has not ratified Convention No. 108 but which has legal provisions which are in conformity with the principles of that Convention and of this Recommendation.
8.4 Unless otherwise provided for by domestic law, the transborder communication of personal data to third parties residing in a State the legal provisions of which are not in conformity with Convention No. 108 or with this Recommendation should not as a rule occur unless:
a) necessary measures, including of a contractual nature, to respect the principles of the Convention and this Recommendation have been taken and the data subject has the possibility to object to communication, or
b) the data subject has given his free and informed consent in writing and has the possibility to withdraw his consent at any time.
8.5 Measures should be taken to avoid personal data or files containing such data from being subjected to automatic transborder communication to third parties without the knowledge of the data subjects.9. Co-ordination/Co-operation
9.1 Where general legislation governing access to public-sector information provides for the establishment of a supervisory body to implement such legislation and there exists at the same time general data protection legislation with a separate authority responsible for the implementation of that legislation, the respective authorities should come to an arrangement designed to facilitate the exchange of information relating to the conditions governing communication of personal data originating in files accessible to third parties.