This privacy notice explains how the European Committee for the Prevention of Torture and Inhuman or Degrading Treatment (CPT) processes personal data in relation to its visits to places where persons are deprived of their liberty by a public authority.

Who is responsible for data processing?

The CPT (also “the Committee”) is the “data controller” with respect to the processing of personal data, which means it has the decision-making power concerning the data processing. Processing of the personal data is governed by the Council of Europe Regulations on the Protection of Personal Data adopted by the Committee of Ministers on 15 June 2022 as well as by the European Convention for the Prevention of Torture and Inhuman or Degrading Treatment or Punishment and the Explanatory Report.

What data do we process and for what purpose?

The CPT was established by the European Convention for the Prevention of Torture and Inhuman or Degrading Treatment or Punishment (also “the Convention”) in 1989. State parties to the Convention currently comprise the 46 members states of the Council of Europe and one non-member state, the Russian Federation.

Under the Convention, the CPT is tasked with examining the treatment of persons deprived of their liberty by a public authority by means of visits to any place of detention within the state’s jurisdiction. The findings of the Committee are brought to the attention of the state party concerned in the form of a comprehensive confidential report. The state party is under the statutory obligation to use the CPT findings to strengthen the protection of people deprived of their liberty from torture and ill-treatment.

During the Committee’s visits to places of detention, its members, its experts, and its Secretariat carry out confidential interviews with persons deprived of their liberty (such as persons in police and immigration detention, prisoners, patients and residents) and other persons of interest (such as managers, custodial officers, doctors and healthcare staff, judges and public prosecutors). 

The Convention also grants the Committee the right to access “other information […] necessary for the Committee to carry out its task”; usually this concerns the consultation of personal files, registers and other written documentation (whether electronic or paper based).

In carrying out its Convention-based mandate, the Committee may obtain personal data, including sensitive personal data of a medical and judicial nature, such as the result of a medical examination upon admission to the establishment, a complaint filed against staff working in an institution or an imposed disciplinary punishment.

Access to personal data is restricted to information essential to carry out the CPT’s work. Most of the data needed is retrieved from registers, databases and documents present in the establishment visited. In certain cases, including for confirming information obtained elsewhere, the persons concerned may be approached themselves.

For more information on the CPT’s work, you can refer to the CPT frequently asked questions page.

What is the legal basis for our processing of your data?

The CPT processes personal data on the basis laid down by the Council of Europe legal instruments where it is necessary for the performance of the Organisation’s tasks and activities, in particular, on the basis of the European Convention for the Prevention of Torture and Inhuman or Degrading Treatment or Punishment and the Explanatory Report.

If the CPT is to publish any personal data, the persons concerned will be asked for express consent. The Convention is explicit in its prohibition for personal data to be published without express consent (Article 11 § 3).

Who has access to personal data?

Only the CPT members and experts as well as staff members of the CPT Secretariat have access to personal data.

The CPT uses personal data to underpin the facts found during a visit. For the report, personal data is transformed into findings, conclusions, and recommendations at aggregate level. As a general rule, only anonymised data is included in a report. If, in exceptional cases, the CPT considers that it needs to publish personal data, the persons concerned must have expressly given their consent to the publication (see Section 3 above).

How do we store personal data?

Where personal data is stored in hard copy documents, including notebooks, they are stored in either locked cupboards or the locked documentation centre, which is only accessible to the CPT Secretariat and the Council of Europe security staff.

Where personal data is stored electronically, it is first stored on electronic devices used by the CPT visiting delegation during the visit, such as mobile phones, tablets or computers, and is then transferred to the Council of Europe’s servers which are located within the European Union. We have put in place measures to protect the security of your personal information, including appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include encrypted servers, limited access to any databases only for those people who need it and secure backup of all data.

How long is personal data stored?

Personal data is destroyed when no longer needed. Usually, this is the case when a report has been sent to a member state and a response on the report has been received and assessed (usually between six months to one year after the visit). Until that moment the personal data shall be kept in a secured place, independent in what format the personal data has been provided: orally, in writing or electronically.

What are your data protection rights?

You have the right to:

• request access to your personal information held by us;
• request that we correct incomplete or inaccurate personal information that we hold about you;
• request that we delete or remove your personal information when there is no valid reason for us to keep it;
• object to the processing of your personal information on specific grounds relating to your situation;
• where the processing of your personal data is based on consent, withdraw your consent at any time. However, quotes and testimonials which have already been used or provided to third parties cannot be withdrawn from circulation.

Contacts

If you wish to exercise the above rights, or for any queries, concerns, or requests you may have in connection with the way your data is collected and used, please contact us:

• via a contact form available on the CPT website ;
• by sending an email to the Council of Europe’s Data Protection Officer at [email protected].

If you feel that we have not adequately responded to your request and consider that your data protection rights have been violated as a result of our processing of your personal data, you have the right to lodge a complaint with the Council of Europe Data Protection Commissioner by sending an e-mail to [email protected].