40. The list of definitions has been brief. The term “data controller” is crucial. An attempt is being made to define a person who, under national law, should have ultimate responsibility for activities related to the processing of personal data. For the purposes of the definition, the controller is a party that has the legal authority to decide on the content and use of the data, whether such data is collected, stored, processed or disseminated by that party or by a representative on its behalf. The controller may be a natural or legal person, a public authority, a service or any other body. The definition excludes at least four categories that may be involved in data processing, namely: 74. The expert group addressed conflict-of-laws issues, focusing mainly on which courts should have jurisdiction over certain issues (choice of jurisdiction) and which legal system should regulate certain issues (choice of law). The discussion of the various proposed strategies and principles confirmed the view that, given the rapid pace of technological change and the non-binding nature of the guidelines, no attempt should be made at this stage to propose concrete and detailed solutions. Difficulties inevitably arise both in choosing a theoretically sound regulatory model and in the need to gain additional experience of the impact of solutions that are possible in themselves.

61. The provisions referred to in Article 13(a) of the Treaty. (c) and (d) is broad and includes actions at first instance against controllers and subsequent appeals before courts, administrative bodies, professional associations or other bodies under national procedural rules (see paragraph 19 RAG). The right to object does not mean that the data subject can decide on the remedies available (rectification, comment on the dispute of the data, etc.): these issues are decided by national law and judicial procedure. In general, the outcome criteria for a challenge determine the criteria set out elsewhere in the Guidelines. 35. On the other hand, the expert group concludes that limiting the Guidelines to automatic processing of personal data would have significant disadvantages. First of all, it is difficult to make a clear distinction in the definition between automatic and non-automatic data processing. For example, there are “mixed” data processing systems and there are steps in data processing that may or may not lead to automatic processing.

These difficulties are usually further complicated by ongoing technological developments, such as the introduction of advanced semi-automatic processes based on the use of microfilm or microcomputers, which can increasingly be used for private purposes, both harmless and impossible to control. In addition, by focusing exclusively on computers, the Guidelines could lead to inconsistencies and gaps and allow archivists to circumvent the rules transposing the Guidelines by using non-automatic means for offensive purposes. 66. As far as the guidelines are concerned, the promotion of international flows of personal data is not in itself an undisputed objective. However, where such data flows take place, they should be uninterrupted and secure in accordance with Article 16, i.e. protected against unauthorised access, loss of data and similar events. Such protection should also be provided for data in transit, i.e. data which transit through a Member State without being used or stored for use or storage in that country. The general obligation arising from article 16, with regard to computer networks, must be seen in the context of the Málaga-Torremolinos International Telecommunication Convention (25 October 1973). Under this agreement, the members of the International Telecommunication Union, including the member States of the OECD, agreed, inter alia, to establish, under the best technical conditions, the channels and facilities necessary for the rapid and uninterrupted exchange of international telecommunications.

In addition, ITU members agreed to take all possible measures compatible with the telecommunications system to ensure the secrecy of international correspondence. With regard to exceptions, the right to suspend international telecommunication services has been reserved, as has the right to transmit international correspondence to the competent authorities in order to ensure the application of national legislation or the application of international conventions to which ITU is a party. These provisions apply as long as the data is carried over telecommunications lines. In context, the Guidelines provide an additional guarantee that international flows of personal data should be uninterrupted and secure. 70. Paragraph 19(a) calls on the Länder to adopt appropriate national legislation, the term `adequate` anticipating the assessment of the appropriateness or inadequacy of legislative solutions by the individual Länder.