Amendments to the Convention 108+: European standards for personal data protection will be applied in third countries


In November 7, 2019, the Parliament of the Republic of Lithuania ratified the Protocol (CETS No. 223) amending the Convention (hereinafter – the Convention) for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and endorsed its Explanatory Report. The provisions of the Convention sought to safeguard the subjects‘ rights, fundamental freedoms and the right to respect their privacy within the territories of all signatory States, when their data is being processed automatically. The Convention was adopted in response to the growing need  of data processing due to the development of technological data processing solutions.

Prior to the adoption of the Convention, in order to establish a uniform system for the protection of personal data, relevant to as many different States as possible, the provisions of the various States were taken into consideration. The objectives of the adopted Convention in 1981 remain relevant even nowadays.

The Convention for the protection of individuals has been ratified by 55 countries – 28 EU Member States, including Armenia, Georgia, Turkey, Russia and other countries.

With the improvements of technological data processing methods and in order in order to have appropriate solutions to the privacy issues involved, to strengthen the mechanism of operation of the Convention itself and having regard to the requirements of the General Data Protection Regulation (hereinafter – the GDPR), which became applicable in May, 2018, the need to amendments to previously mentioned provisions of the Convention arose.This was made with the Protocol of 10 October, 2018.

There are currently 36 States that have ratified for the amendments of the Convention, including 26 EU Member States among which Croatia was the first State to ratify the Protocol amending the Convention.

The most significant amendments of the Convention:

– In order to ensure the compliance with the provisions of the Convention, there was introduced an obligation to designate a supervisory authority for each State that has ratified the Convention.

– There was included the requirement to immediately notify the supervisory authority about data protection breach.

– Third countries were encouraged to access to the general data protection standards and the section of the Convention on trans-border flows of personal data Was expanded too.

– There was included a provision that the processing of data should be proportionate to the legitimate purposes (the provision taken over from GDPR).

– The list of sensitive personal data was expanded too. According to the amendments of the Convention, such personal data are a person’s genetic and biometric data; data related to a person’s criminal activities; data revealing racial or ethnic origin, political beliefs, trade union membership, religious beliefs, person’s health or sex life.

European standards for the protection of personal data also apply in third countries

The amendments of the Convention will encourage third countries, that have acceded to the Convention and are not covered by the GDPR, to apply the fundamental principles of personal data processing. In this way, the requirements for the transfer and protection of personal data will be unified internationally.

Accession to the Convention may also have significant effect on determining whether the third country can be considered as applying adequate personal data security measures and whether the transfer of personal data to such country would be considered secure. If the commission takes such decision, the transfer of data to such countries could take place without the specific authorization or other applicable security measures.

Significance of the Convention to the United Kingdom and Brexit

The renewed Convention seeks to ensure that third the highest possible standards of protection of personal data would apply by the third countries, thus, this makes it particularly relevant for the United Kingdom, which is seeking to leave the European Union. United Kingdom is among the signatories to the Protocol, therefore, an assessment of the accession to the Convention as an appropriate safeguard for the transfer of data to third countries could simplify the exchange of personal data between the UK and EU.

It is interesting that the UK government is providing its proposals on the protection of personal data to local businesses making them to gain greater insight about the amendments to the Convention. Hence, the renewed Convention presumably will be the set of rules on the protection of personal data which the United Kingdom will use to comply with international standards on the protection of personal data after the leaving of European Union.

Newsletter SubscriptionGet in touch