International Conference of Data Protection and Privacy Commissioners5th November 2009.

The Madrid Resolution

InternationalStandards

on the Protection of Personal Data

and Privacy

presentation

�

�

�

�

�

�

�

�

�

�

�

�

It is a pleasure for me to introduce to you the Joint Propo-sal for a Draft of International Standards on the Protectionof Privacy with regard to the processing of Personal Data,which was welcomed by the International Conference ofData Protection and Privacy Commissioners, held in Madridon 5 November 2009.

The joint efforts of the privacy guarantors from fifty coun-tries, coordinated by the Spanish Data Protection Agency,has resulted in a text that seeks to reflect the many appro-aches that the protection of this right allows for, by inte-grating legislations on five continents. This consensusdocument adds new values by stressing the universal na-ture of the principles and guarantees underlying this right,and by contributing to a better protection of rights and fre-edoms of individuals in a globalized world, characterised bycross-border flows of information.

As of now, we the supervisory and monitoring authoritiestake on the challenge of its dissemination and promotion,from our strong commitment to provide our citizens with abetter protection of their privacy and personal data.

ARTEMI RALLO LOMBARTE DIRECTOR OF THE SPANISHDATA PROTECTION AGENCY

Joint Proposal for a Draft of

International Standardson the Protection of Privacy

with regard to the processingof Personal Data

�

�

�

�

�

�

�

�

�

�

�

�

For further information about the drafting process of this document, pleasevisit the Spanish Data Protection Agency website, at www.agpd.es, where anExplanatory memorandum and other useful documentation are available.

Part I: General

Provisions

21PurposeThe purpose of this Document is:

a. To define a set of principles and rights guaran-teeing the effective and internationally uniformprotection of privacy with regard to the proces-sing of personal data; and

b. The facilitation of the international flows ofpersonal data needed in a globalized world.

DefinitionsIn the context of this Document:

a. “Personal data” means any information rela-ting to an identified natural person or a personwho may be identified by means reasonably likelyto be used.

b. “Processing” means any operation or set ofoperations, automated or not, which is perfor-med on personal data, such as collection, sto-rage, use, disclosure or deletion.

c. “Data subject” means the natural personwhose personal data are subject to processing.

d. “Responsible person” means any natural personor organization, public or private which, alone orjointly with others, decides on the processing.

e. “Processing service provider” means any naturalperson or organization, other than the responsibleperson that carries out processing of personal dataon behalf of such responsible person.

�

�

�

�

�

�

�

�

�

�

�

�

3 4

5

Additional measures1. States may supplement the level of protectionprovided for in this Document with additionalmeasures guaranteeing a better protection of pri-vacy with regard to the processing of personaldata.datos de carácter personal.

2. In any case, the provisions of this Documentshall be an appropriate basis for permitting inter-national transfers of personal data, where suchtransfers are carried out pursuant to section 15of this Document

Scope of application1. This Document is aimed in its application atany processing of personal data, wholly or partlyby automatic means, or otherwise in a structuredmanner, and carried out in the public or the pri-vate sector.

2. Applicable national legislation may lay downthat the provisions of this Document do not applyto the processing of personal data by a naturalperson in the course of activities related exclusi-vely to his/her private and family life.

Restrictions� States may restrict the scope of the provisionslaid down in sections 7 to 10 and 16 to 18 of thisDocument, when necessary in a democratic so-ciety in the interests of national security, publicsafety, for the protection of public health, or forthe protection of the rights and freedoms ofothers. Such restrictions should be expressly pro-vided by national legislation, establishing appro-priate guarantees and limits meant to preservethe rights of the data subjects.

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

Part II: Basic Principles

6Principle of lawfulnessand fairness1. Personal data must be fairly processed, res-pecting the applicable national legislation as wellas the rights and freedoms of individuals as setout in this Document and in conformity with thepurposes and principles of the Universal Declara-tion of Human Rights and the International Co-venant on Civil and Political Rights.

2. In particular, any processing of personal datathat gives rise to unlawful or arbitrary discrimi-nation against the data subject shall be deemedunfair.

7Purpose specificationprinciple1. The processing of personal data should be li-mited to the fulfilment of the specific, explicit andlegitimate purposes of the responsible person.

2. The responsible person should not carry outany processing that is non-compatible with thepurposes for which personal data were collected,unless he has the unambiguous consent of thedata subject.

�

�

�

�

�

�

�

�

�

�

�

�

8Proportionality principle1. The processing of personal data should be li-mited to such processing as is adequate, relevantand not excessive in relation to the purposes setout in the previous section.

2. In particular, the responsible person shouldmake reasonable efforts to limit the processedpersonal data to the minimum necessary.

9Data quality principle1. The responsible person should at all times en-sure that personal data are accurate, as well assufficient and kept up to date in such a way as tofulfil the purposes for which they are processed.

2. The responsible person shall limit the period ofretention of the processed personal data to theminimum necessary. Thus, when personal dataare no longer necessary to fulfil the purposeswhich legitimized their processing they must bedeleted or rendered anonymous.

�

�

�

�

�

�

�

�

�

�

�

�

10Openness principle1. Every responsible person shall have transpa-rent policies with regard to the processing of per-sonal data.

2. The responsible person shall provide to thedata subjects, as a minimum, information aboutthe responsible person’s identity, the intendedpurpose of processing, the recipients to whomtheir personal data will be disclosed and howdata subjects may exercise the rights provided inthis Document, as well as any further informationnecessary to guarantee fair processing of suchpersonal data.

3. When personal data have been collected di-rectly from the data subject, the information mustbe provided at the time of collection, unless it hasalready been provided.

4. When personal data have not been collecteddirectly from the data subject, the responsibleperson must also inform him/her about thesource of personal data. This information must begiven within a reasonable period of time, but maybe replaced by alternative measures if complianceis impossible or would involve a disproportionateeffort by the responsible person.

5. Any information to be furnished to the datasubject must be provided in an intelligible form,using a clear and plain language, in particular forany processing addressed specifically to minors.

6. Where personal data are collected on line bymeans of electronic communications networks,the obligations set out in the first and second pa-ragraphs of this section may be satisfied by pos-ting privacy policies that are easy to access andidentify and include all the information mentio-ned above.

�

�

�

�

�

�

11Accountability principleThe responsible person shall:

a. Take all the necessary measures to observe theprinciples and obligations set out in this Do-cument and in the applicable national legisla-tion, and

b. have the necessary internal mechanisms inplace for demonstrating such observance bothto data subjects and to the supervisory autho-rities in the exercise of their powers, as esta-blished in section 23.

�

�

�

�

�

�

Part III: Legitimacy of

processing

12General principle oflegitimacy1. As a general rule, personal data may only beprocessed in one of the following situations:

a. After obtaining the free, unambiguous and in-formed consent of the data subject;

b. Where a legitimate interest of the responsibleperson justifies the processing, and the legiti-mate interests, rights and freedoms of datasubjects do not prevail;

c. Where the processing is necessary for themaintenance or the performance of a legal re-lationship between the responsible person andthe data subject; or

d. Where the processing is necessary for compl-ying with an obligation imposed on the res-ponsible person by the applicable nationallegislation, or is carried out by a public autho-rity where necessary for the legitimate exerciseof its powers.

e. Where there are exceptional situations thatthreaten the life, health or security of the datasubject or of another person.

2. The responsible person shall provide simple,fast and efficient procedures that allow data sub-jects to withdraw their consent at any time andthat shall not entail undue delay or cost, nor anygain whatsoever for the responsible person.

�

�

�

�

�

�

13Sensitive data1. The following personal data shall be deemedto be sensitive:

a. Data which affect the data subject’s most in-timate sphere; or

b.Data likely to give rise, in case of misuse, to:i. Unlawful or arbitrary discrimination; orii A serious risk to the data subject..

2. In particular, those personal data which can re-veal aspects such as racial or ethnic origin, politi-cal opinions, or religious or philosophical beliefsas well as those data relating to health or sex life,will be considered sensitive data. The applicablenational legislation may lay down other catego-ries of sensitive data where the conditions referredto in the previous paragraph are met.

3. Due guarantees shall be established to preservethe rights of the data subjects by applicable na-tional legislation, which shall lay down additionalconditions for processing sensitive personal data.

�

�

�

�

�

�

14Provision of processing servicesThe responsible person may carry out processingof personal data through one or more processingservice providers, without considering it a disclo-sure of data to a third party, provided that:

a. The responsible person ensures that the pro-cessing service provider guarantees, at least,the level of protection contained in this Docu-ment and in the applicable national legislation;and

b. The legal relationship is established through acontract or legal instrument that allows pro-ving its existence, scope and content, and thatsets out the processing service provider’s obli-gation to comply with these guarantees andto ensure the personal data are processed incompliance with the instructions of the res-ponsible person.

�

�

�

�

�

�

15International transfers1. As a general rule, international transfers ofpersonal data may be carried out when the Stateto which such data are transmitted affords, as aminimum, the level of protection provided for inthis Document.

2. It will be possible to carry out internationaltransfers of personal data to States that do notafford the level of protection provided for in thisdocument where those who expect to transmitsuch data guarantee that the recipient will affordsuch level of protection; such guarantee may forexample result from appropriate contractual clau-ses. In particular, where the transfer is carried outwithin corporations or multinational groups, suchguarantees may be contained in internal privacyrules, compliance with which is mandatory.

3. Moreover, national legislation applicable tothose who expect to transmit data may permit aninternational transfer of personal data to States

■

■

■

■

■

■ that do not afford the level of protection provi-ded for in this Document, where necessary andin the interest of the data subject in the frame-work of a contractual relationship, to protect thevital interests of the data subject or of anotherperson, or when legally required on importantpublic interest grounds

4. Applicable national legislation may confer po-wers on the supervisory authorities referred to insection 23 to authorize some or all of the interna-tional transfers falling within their jurisdiction, be-fore they are carried out. In any case, those whoexpect to carry out an international transfer ofpersonal data should be capable of demonstra-ting that the transfer complies with the guaran-tees provided for in this Document and inparticular where required by the supervisory au-thorities pursuant to the powers laid down in pa-ragraph 23.2.

Part IV: Rights of the Data Subject

16Right of access1. The data subject has the right to obtain fromthe responsible person, upon request, informa-tion on the specific personal data subject to pro-cessing, as well as the source of such data, thepurposes of processing and the recipients or ca-tegories of recipients to whom such data are orwill be disclosed.

2. Any information to be furnished to the datasubject must be provided in an intelligible form,using a clear and simple language.

3. Applicable national legislation may limit therepetitive exercise of this right that would requirethe responsible person to respond to multiple re-quests within short periods of time, unless thedata subject states a legitimate reason when exer-cising this right.

�

�

�

�

�

� 17Rights to rectify andto delete1. The data subject has the right to request fromthe responsible person the deletion or rectifica-tion of personal data that might be incomplete,inaccurate, unnecessary or excessive.

2. Where justified, the responsible person shouldcarry out the rectification or deletion requested.The responsible person should also notify this factto third parties to whom personal data had beendisclosed, where they are known.

3. Deletion of personal data is not justified wherepersonal data must be retained for the perfor-mance of an obligation imposed on the respon-sible person by the applicable national legislation,or possibly by the contractual relations betweenthe responsible person and the data subject.

�

�

�

�

�

�

18Right to object1. The data subject may object to the processingof personal data where there is a legitimate rea-son related to his/her specific personal situation.

2. The exercise of this right to object is not justi-fied where the processing is necessary for the per-formance of a duty imposed on the responsibleperson by the applicable national legislation.

3. Any data subject may also object to those de-cisions which produce legal effects based solelyon automated processing of personal data, ex-cept when the decision had been specifically re-quested by the data subject or when it isnecessary for the establishment, the maintenanceor the performance of a legal relation betweenthe responsible person and the data subject. Inthe latter case, the data subject must be able toput his/her point of view in order to defendhis/her right or interest.

�

�

�

�

�

�

19Exercise of theserights 1. The rights provided for in sections 16 to 18 ofthis Document may be exercised:

a. Directly by the data subject, who shall satis-factorily establish his/her identity to the res-ponsible person.

b. Through a representative, who shall satisfac-torily establish his/her status to the responsi-ble person.

2. The responsible person must implement pro-cedures to enable data subjects to exercise therights provided for in sections 16 to 18 of this Do-cument in a simple, fast and efficient way, whichdo not entail undue delay or cost nor any gainwhatsoever for the responsible person.

3. When a responsible person concludes that,pursuant to the applicable national legislation,the exercise of rights under this Part is not justi-fied, the data subject should be informed of thereasons that led to this conclusion.

�

�

�

�

�

�

Part V: Security

20Security measures1. Both the responsible person and any proces-sing service provider must protect the personaldata subject to processing with the appropriatetechnical and organizational measures to ensure,at each time, their integrity, confidentiality andavailability. These measures depend on the exis-ting risk, the possible consequences to data sub-jects, the sensitive nature of the personal data,the state of the art, the context in which the pro-cessing is carried out, and where appropriate theobligations contained in the applicable nationallegislation.

2. Data subjects should be informed by those in-volved in any stage of the processing of any se-curity breach that could significantly affect theirpecuniary or non-pecuniary rights, as well as themeasures taken for its resolution. This informa-tion should be provided in good time, in order toenable data subjects to seek the protection oftheir rights.

�

�

�

�

�

�

21Duty of confidentialityThe responsible person and those involved atany stage of the processing shall maintain theconfidentiality of personal data. This obligationshall remain even after the ending of the rela-tionship with the data subject or, when appro-priate, with the responsible person.

�

�

�

�

�

�

Part VI: Compliance

and Monitoring

22Proactive measures States should encourage, through their domesticlaw, the implementation by those involved in anystage of the processing of measures to promotebetter compliance with applicable laws on theprotection of privacy with regard to the proces-sing of personal data. Such measures could in-clude, among others:

a. The implementation of procedures to preventand detect breaches, which may be based onstandardized models of information securitygovernance and/or management.

b. The appointment of one or more data protec-tion or privacy officers, with adequate qualifi-cations, resources and powers for exercisingtheir supervisory functions adequately.

c. The periodic implementation of training, edu-cation and awareness programs among themembers of the organization aimed at betterunderstanding of the applicable laws on theprotection of privacy with regard to the pro-cessing of personal data, as well as the proce-dures established by the organization for thatpurpose.

d. The periodic conduct of transparent audits byqualified and preferably independent partiesto verify compliance with the applicable lawson the protection of privacy with regard to theprocessing of personal data, as well as withthe procedures established by the organizationfor that purpose.

e. The adaptation of information systems and/ortechnologies for the processing of personaldata to the applicable laws on the protectionof privacy with regard to the processing ofpersonal data, particularly at the time of deci-ding on their technical specifications and onthe development and implementation thereof.

f. The implementation of privacy impact as-sessments prior to implementing new infor-mation systems and/or technologies for theprocessing of personal data, as well as priorto carrying out any new method of proces-sing personal data or substantial modifica-tions in existing processing.

�

�

�

�

�

�

g. The adoption of codes of practice the obser-vance of which are binding and that includeelements that allow the measurement of effi-ciency as far as compliance and level of pro-tection of personal data are concerned, andthat set out effective measures in case of noncompliance.

h. The implementation of a response plan thatestablishes guidelines for action in case of ve-rifying a breach of applicable laws on the pro-tection of privacy with regard to theprocessing of personal data, including at leastthe obligation to determine the cause and ex-tent of the breach, to describe its harmful ef-fects and to take the appropriate measures toavoid future breaches.

23Monitoring 1. In every State there shall be one or more su-pervisory authorities, in accordance with its do-mestic law, that will be responsible for supervisingthe observance of the principles set out in this Document.

2. These supervisory authorities shall be impar-tial and independent, and will have technicalcompetence, sufficient powers and adequate re-sources to deal with the claims filed by the datasubjects, and to conduct investigations and in-terventions where necessary to ensure com-pliance with the applicable national legislation onthe protection of privacy with regard to the pro-cessing of personal data.

3. In any case, without prejudice to any admi-nistrative remedy before the supervisory authori-ties referred to in the preceding paragraphs,including judicial oversight of their decisions, datasubjects may have a direct recourse to the courtsto enforce their rights under the provisions laiddown in the applicable national legislation.

�

�

�

�

�

�

24Cooperation and coordination 1. The Authorities mentioned in the previous sec-tion shall try to cooperate with each other toachieve a more uniform protection of privacy withregard to the processing of personal data, at bothnational and international level. For the purposeof facilitating this cooperation, each State shouldbe able to identify the competent supervisory au-thorities on its territory as needed.

2. These authorities will in particular realise makeevery effort to

a. Share reports, investigation techniques, com-munication and regulatory strategies and anyother useful information for exercising theirfunctions more effectively, in particular follo-wing a request for cooperation by anothersupervisory authority in conducting an inves-tigation or intervention;

b. Conduct co-ordinated investigations or inter-ventions, at both national and internationallevel, in matters where the interests of two ormore authorities are shared;

c. Take part in associations, working groups andjoint fora, as well as in seminars, workshops orcourses that contribute to adopting joint posi-tions or to improving the technical ability of thestaff serving such supervisory authorities;

d. Maintain the appropriate level of confidentia-lity in respect of the information exchanged inthe course of cooperation.

2 States should encourage the negotiation of co-operation agreements among supervisory autho-rities, regional, national and international, thatcontribute to a more effective observance of thissection.

�

�

�

�

�

�

3. The aforementioned liability should exist wi-thout prejudice to the penal, civil or administra-tive penalties provided for, where appropriate, incase of violation of the provisions of domesticlaws on the protection of privacy with regard tothe processing of personal data.

4. The implementation of proactive measuressuch as those described in section 22 of this Do-cument should be considered when determiningthe liability and penalties provided for in this section.

25Liability1. The responsible person will be liable for the pe-cuniary and/or non-pecuniary damages caused tothe data subjects as a result of processing of per-sonal data that had infringed the applicable lawson the protection of privacy with regard to theprocessing of personal data, except if the res-ponsible person can demonstrate that the da-mage can not be attributed to him. This liability iswithout prejudice to any action by the responsi-ble person against the processing service providerinvolved at any stage of the processing.

2. States will promote suitable measures to faci-litate the access of data subjects to the relevantjudicial or administrative processes that allowthem to obtain compensation for the damage re-ferred to in the preceding paragraph.

�

�

�

�

�

�

Proposed resolutionon International

Standards ofprivacy

�

�

�

�

�

�

�

�

�

�

�

�

PROPOSED RESOLUT ION ON INTERNATIONAL STANDARDS OF PR IVACY

PROPOSERS:

Agencia Española de Protección de DatosPréposé fédéral à la protection des données et à la transparence (Switzerland)European Data Protection SupervisorCommission Nationale de l’Informatique et des Libertés (France)Irish Data Protection CommissionerOffice of the Privacy Commissioner of CanadaOffice for Personal Data Protection (Czech Republic)Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany)Garante per la Protezione dei Dati Personali (Italy)College Bescherming Persoonsgegevens (Netherlands)New Zealand Privacy CommissionerInformation Commissioner’s Office (United Kingdom)

CO-PROPOSERS:

Agència Andorrana de Protecció de Dades (Andorra)Agència Catalana de Protecció de Dades (Spain)Agencia de Protección de Datos de la Comunidad de Madrid (Spain)Agencia Vasca de Protección de Datos (Spain)Office of the Data Protection Supervisor (Isle of Man)Estonian Data Protection InspectorateState Data Protection Inspectorate of the Republic of LithuaniaData Protection and Freedom of Information Commissioner of Berlin (Germany)Data Protection Commissioner of Schleswig-Holstein (Germany)National Direction for Personal Data Protection (Argentina)Commissioner for Data Protection (Malta)Commission on Computers and Liberties (Burkina-Faso)Personal Data Protection Commissioner (Cyprus)Data Protection Ombudsman (Finland)Information Commissioner (Slovenia)Hellenic Data Protection Authority

Nothing that:

The 30th International Conference of Data Protection and Privacy Commissioners inStrasbourg unanimously adopted the Resolution on the urgent need for protectingprivacy in a borderless world, and for reaching a Joint Proposal for setting Internatio-nal Standards on Privacy and Personal Data Protection.

The resolution established a mandate to establish a Working Group, co-ordinated bythe Spanish Data Protection Agency as the host of the 31st Conference and compo-sed of interested Data Protection Authorities, to draft and submit to the 31st Con-ference a Joint proposal for setting international standards on privacy and personaldata protection.

In keeping with this mandate, the Spanish Data Protection Agency established a Wor-king Group and promoted and coordinated the work for elaborating a Joint Proposalfor a Draft of International Standards.

The Working Group has drafted a Joint Proposal for a Draft of International Standardson the Protection of Privacy with regard to the processing of Personal Data, based onprinciples that are present in different instruments, guidelines or recommendations ofinternational scope and that have received a broad consensus in their respective geo-graphical, economic or legal areas.

The Joint Proposal has been drafted assuming that all these principles and common ap-proaches bring elements of value in the defence and improvement of privacy and per-sonal information, with the aim of expanding them by adding solutions and specificprovisions which could apply irrespective of any differences that may exist betweenthe different existing models of data protection and privacy.

Accordingly, the Conference resolves:

1. To welcome the Joint Proposal for a Draft of International Standards on the Pro-tection of Privacy with regard to the processing of Personal Data attached as Annex1 to this resolution. The Joint Proposal demonstrates the feasibility of such stan-dards, as a new step towards the development of a binding international instru-ment in due course.

2. To state that the Joint Proposal provides a set of principles, rights, obligations andprocedures that any legal system of data protection and privacy should strive tomeet. In this perspective, the processing of personal data in the public and privatesector would be performed, in a more internationally uniform approach:

a. fairly, lawfully and in a proportionate manner in relation to specific, explicitand legitimate purposes;

b. on the basis of transparent policies, informing adequately the data subjectsand without any arbitrary discrimination against them;

c. ensuring the accuracy, the confidentiality and the security of the data as wellas the legitimacy of the processing, and the rights of data subjects to access,rectification, erasure of data and to object against their processing;

d. implementing the principles of accountability and liability, even if the proces-sing operations are carried out by service providers on behalf of the controller;

e. offering more appropriate guarantees where the data are sensitive;

f. ensuring that personal data transferred internationally benefits from the levelof protection provided by the above-mentioned set of standards,

g. subject to the monitoring of independent and impartial supervisory authori-ties provided with adequate powers and resources also in connection with theirduty to cooperate among themselves;

h. in a new and modern framework of proactive measures, such as those orien-ted in particular to prevent and detect breaches and based on the appointmentof privacy officers as well as on efficient audits and privacy impact assessments.

3. To invite the Data Protection and Privacy Authorities accredited to the Internatio-nal Conference, to disseminate the Joint Proposal for a Draft of International Stan-dards on the Protection of Privacy with regard to the processing of Personal Data,as widely as possible.

4. To entrust the organizing authorities of the 31st and 32nd International Confe-rence to co-ordinate a Promotion Group, composed of the interested Data Pro-tection Authorities, which will be responsible for:

a. disseminating and promoting the Joint Proposal among relevant private enti-ties, experts and national and international authorities as a basis for further worktowards the development of a binding international convention, and in particularto the bodies and organizations mentioned in the Montreux Declaration; and

b. exploring and reporting back on other ways in which the Joint Proposal mightbe used as a basis for developing international understanding and cooperationon data protection and privacy, particularly in the context of enabling interna-tional transfers of personal data to take place in a way that safeguards the rightsand freedoms of individuals.

5. To request the Promotion Group:

a. to coordinate its work with the Conference’s Steering Group on Representa-tion before International Organisations, and

b. to report on any relevant progress at the 32nd International Conference to en-sure continued attention for the subject of this resolution.

Explanatory Note

The 30th International Conference of Data Protection and Privacy Commissioners adop-ted the Resolution on the urgent need for protecting privacy in a borderless world,and for reaching a Joint Proposal for setting International Standards on Privacyand Personal Data Protection, jointly submitted by the data protection authoritiesfrom Switzerland and Spain and supported by twenty other authorities.

In that resolution, the Conference recalled several declarations and resolutions adop-ted during the last ten years that aimed to strengthen the universal nature of the rightto the protection of personal data and privacy, and which called for the developmentof a universal convention for the protection of individuals with regard to the proces-sing of personal data.

Furthermore, the resolution stated that the Conference considered the rights to dataprotection and privacy as fundamental rights of individuals, irrespective of their na-tionality or residence, while noting that the persisting data protection and privacy dis-parities in the world, in particular due to the fact that many states have not yet passedadequate laws, harm the exchange of personal information and the implementationof effective global data protection.

Therefore, the resolution expressed the conviction of the Conference that recognitionof these rights requires the adoption of a universal legally binding instrument esta-blishing, drawing on and complementing the common data protection and privacyprinciples laid down in several existing instruments, and strengthening the internatio-nal cooperation between data protection authorities.

In this regard, the resolution expressed the Conference’s support for the Council ofEurope’s efforts to improve the fundamental rights to data protection and privacy andinvites States, whether or not members of the organization, to ratify the Conventionfor the protection of individuals with regard to automatic processing of personal dataand its additional protocol, while confirmed its support for actions carried out by APEC,OECD and other regional and international fora to develop effective means to pro-mote better international standards of privacy and data protection.

The resolution mandated the Spanish Data Protection Agency, as host of the 31st In-ternational Conference, to establish and coordinate a Working Group composed ofinterested data protection authorities, to draft and submit to its closed session a Jointproposal for setting international standards on privacy and personal data protection.

The resolution included a list of criteria to govern the drafting process of this Joint Pro-posal, and in particular indicated that it should be developed by encouraging broadparticipation of public and private organizations and entities, with the purpose of ob-taining the broadest institutional and social consensus.

In keeping with this mandate, the Spanish Data Protection Agency established theWorking Group referred to in the resolution and promoted and coordinated the workfor elaborating a Joint Proposal for a Draft of International Standards.

The Spanish Data Protection Agency sent invitations to participate in the preparatoryWorking Group to all the data protection and privacy authorities accredited to the In-ternational Conference. The authorities listed in Annex 2* expressed their desire totake part in this Working Group and consequently joined it.

The Working Group met in January and June 2009. The first meeting agreed on thedrafting methodology of the Joint Proposal and its material scope, while the seconddiscussed an advanced version of the draft proposal for its subsequent submission tothe 31st Conference.

According to the criteria and methodology set forth by the Strasbourg Resolution andagreed by the Working Group, the Spanish Data Protection Agency has carried out anintensive activity and elaborated various documents, which incorporated contributionsfrom data protection and privacy authorities and other public entities related to dataprotection, as well as from experts from the industry, the legal profession, academiaand international organizations and NGOs.

In particular, the Working Group has drafted a Joint Proposal for a Draft of InternationalStandards on the Protection of Privacy with regard to the processing of Personal Data,based on principles that are present in different instruments, guidelines or recom-mendations of international scope and that have received a broad consensus in theirrespective geographical, economic or legal areas.

The Joint Proposal has been drafted assuming that all these principles and commonapproaches bring elements of value in the defence and improvement of privacy andpersonal information, with the aim of expanding them by adding solutions and spe-cific provisions which could apply irrespective of any differences that may exist bet-ween the different existing models of data protection and privacy.

* AUTHORITIES BELONGING TO THE WORKING GROUP: CDATA PROTECTION COMMISSION (Austria),PRI-VACY PROTECTION COMMISSION (Belgium),, COMMISSION ON COMPUTERS AND LIBERTIES (Burkina-Fasso),,OF-FICE OF THE PRIVACY COMMISSIONER OF CANADA, INFORMATION ACCESS COMMISSION OF QUEBEC (Canada),OFFICE FOR PERSONAL DATA PROTECTION (Czech Republic), EUROPEAN DATA PROTECTION SUPERVISOR, NA-TIONAL COMMISSION ON COMPUTERS AND LIBERTIES (France),FEDERAL DATA PROTECTION COMMISSIONER(Germany), DATA PRO TECTION AND FREEDOM OF INFORMATION COMMISSIONER OF BERLIN (Germany), DATAPROTECTION COMMISSIONER OF SCHLESWIG-HOLSTEIN (Germany), PRIVACY COMMISSIONER FOR PERSONALDATA (Hong Kong), IRISH DATA PROTECTION COMMISSIONER, ITALIAN DATA PROTECTION AUTHORITY, DATAPROTECTION COMMISSION (Netherlands), NEW ZEALAND PRIVACY COMMISSIONER, NATIONAL DATA PROTEC-TION COMMISSION (Portugal), INFORMATION COMMISSIONER OF THE REPUBLIC OF SLOVENIA, SPANISH DATAPROTECTION AGENCY (Spain), CATALAN DATA PROTECTION AUTHORITY (Spain), DATA PROTECTION AGENCY OFMADRID (Spain), BASQUE DATA PROTECTION AGENCY (Spain), FEDERAL DATA PROTECTION COMMISSIONER(Switzerland), INFORMATION COMMISSIONER’S OFFICE (United Kingdom)

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�