
07 Sutton - Modernised Convention

The document introduces the Council of Europe Data Protection Convention and outlines its objectives to protect individuals' personal data and privacy rights while allowing for data sharing. It describes revisions to modernize the convention to address issues like new technologies and global data flows. The convention establishes principles for lawful, fair and transparent processing of personal data and provides rights for individuals over their personal information.


Introduction to Data Protection

The Council of Europe Data Protection Convention
Graham Sutton

Modernising Data Protection
• Convention 108 dates from 1981
• Additional Protocol dates from 2001
• Revision complements EU work on GDPR and
Directive on data protection and criminal justice
• Recital 17 of 1995 Data Protection Directive
(now repealed) says the Directive “…give(s)
substance to and amplifie(s)…” Convention 108
• Similar relationship between modernised
instruments

Preamble (1)

• “Considering that it is necessary to secure the
human dignity and protection of the human
rights and fundamental freedoms of every
individual and, given the diversification,
intensification and globalisation of data
processing and personal data flows, personal
autonomy based on a person’s right to control of
his or her personal data and the processing of
such data” (My emphasis)

Preamble (2)

• References to the need to
– reconcile data protection with other human
rights, including freedom of expression
– take account of the principle of the right of
access to official documents
– promote data protection at the global level,
thereby contributing to the free flow of
information between peoples

Article 1: Object and purpose

• “… to protect every individual, whatever his or
her nationality or residence, with regard to the
processing of their personal data, thereby
contributing to respect for his or her human
rights and fundamental freedoms, and in
particular the right to privacy”

Article 2: Definitions
• Personal data - any information about an identified or
identifiable individual (data subject)
• Processing - any operation performed on personal data,
including by non-automated means
• Controller - the natural or legal person with decision-
making power with respect to data processing
• Recipient - a natural or legal person to whom personal
data are disclosed
• Processor - natural or legal person which processes
personal data on behalf of the controller

Article 3: Scope

• Applies to all processing – including of text,
sound and images – in public and private
sectors, including field of criminal justice
• Does not apply to processing by individuals in
the course of purely personal or household
activities

Article 5: Proportionality
• Processing must be “…proportionate in
relation to the legitimate purpose pursued
and reflect … a fair balance between all
interests concerned… and the rights and
freedoms at stake”

Article 5: Legal basis
• Processing can be carried out “… on the
basis of the free, specific, informed and
unambiguous consent of the data subject,
or some other legitimate basis laid down
by law”

Article 5: Data quality
The Data Protection Principles
• Personal data must be
– processed lawfully
– processed fairly and in a transparent manner
– collected for an explicit, specified, legitimate
purpose and not processed “incompatibly”
– adequate, relevant and not excessive
– accurate and, where necessary, kept up to
date
– not kept for longer than required for the
original purpose

Article 6: Special categories of data (1)

• Special rules apply to the processing of
– genetic data;
– personal data relating to offences, criminal
proceedings and convictions and related security
measures;
– biometric data uniquely identifying a person;
– personal data for the information they reveal relating
to racial or ethnic origin, political opinions, trade union
membership, religious or other beliefs, health or
sexual life.
• Commonly known as “sensitive data”

Article 6: Special categories of data (2)

• Processing allowed only where appropriate
safeguards, which complement those elsewhere
in the Convention, are enshrined in law.
• Safeguards must guard against risks that
processing may present to the interests, rights
and fundamental freedoms of the data subject,
notably a risk of discrimination.

Article 7: Data security
• Requirement to take “appropriate security
measures against risks such as accidental or
unauthorised access to, destruction, loss, use,
modification or disclosure of personal data”.
Applies to both controller and processor
• Duty on controller to inform “at least” supervisory
authority of breaches “which may seriously
interfere with the rights and freedoms of data
subjects” without delay

Article 8: Transparency of processing
• Controller must provide individuals with information about:
– controller’s identity and location; legal basis and
purposes of processing; categories of data processed;
recipients; means of exercising rights; other information
needed for fair and transparent processing
• Exceptions where
– data subject already has the information; or
– data are not collected from data subject and processing
is prescribed by law, or providing information is
impossible or requires disproportionate effort

Article 9: Rights of the data subject
• Individuals have the right to obtain from the controller on request
among other things
– confirmation that their data are being processed
– communication to them of the data (subject access)
• They also have the right
– not to be subject to fully automated decisions
– to object to processing unless controller can show legitimate
grounds which override data subjects’ interests and rights
– to have data processed in breach of the Convention rectified or
erased
– to have a remedy for breach of rights
– to receive assistance from supervisory authority

Article 10: Additional obligations
• Requirements on controller/processor
– to do everything needed to give effect to Convention,
and to be able to demonstrate compliance;
– to “examine the likely impact of intended data
processing on the rights and fundamental freedoms of
data subjects” before starting the processing, and
design processing to prevent or minimise risk
– to take “technical and organisational measures which
take into account the implications of the right to the
protection of personal data at all stages of the data
processing”

Article 11: Exceptions and restrictions

• Derogations must be provided for by law, respect the
essence of fundamental rights and freedoms, and
constitute a necessary and proportionate measure in a
democratic society for the protection of specified
matters of public importance, as well as protection of
data subject and rights and freedoms of others
• Derogations apply to Articles 5.4 (data protection
principles), 7.2 (duty to notify breaches), 8.1
(transparency), 9 (data subjects’ rights)

Article 12: Sanctions and remedies
• There must be appropriate judicial and
non-judicial sanctions and remedies for
breaches

Article 13: Extended protection
• Parties may grant data subjects stronger
protection than that required by the
Convention

Article 14: Transborder flows of personal data (1)
• The prohibition for data protection reasons of
transfers among Parties to Convention is not
allowed, unless there is a “real and serious risk”
of circumvention of the Convention.
• Exemption for countries in a “regional
international organisation” bound by
“harmonised rules of protection”.

Article 14: Transborder flows of personal data (2)
• Transfers permitted to states or international
organisations which are not Parties but which
provide “appropriate” level of protection
• This can be secured
– by the law of the receiving state or international
organisation, including international treaties
– safeguards provided by “legally binding and
enforceable instruments” adopted by the parties to
the transfer

Article 14: Transborder flows of personal data (3)
• Exception to need for “appropriateness” where
– data subjects consent
– data subjects’ interests require transfers
– “prevailing legitimate interests” are provided for by law
and the transfer constitutes a necessary and
proportionate measure in a democratic society
– freedom of expression, where necessary and
proportionate in a democratic society
• Specified powers for supervisory authority

Article 15: Supervisory authorities (1)

• Each Party must have one or more supervisory authorities
• Supervisory authorities must
– have powers of investigation and intervention
– oversee transborder data flows
– have power to deal with breaches
– have power to engage in legal proceedings or bring violations to the
attention of the judicial authorities
– promote public awareness of their functions, of data subjects’ rights, of
controllers’ duties
– pay particular attention to the rights of children and other vulnerable
individuals
– be consulted on proposals for data processing legislation
– deal with individuals’ complaints

Article 15: Supervisory authorities (2)

• Supervisory authorities must
– act with complete independence
– be provided with the necessary resources
– publish a periodical report
• Members and staff must be bound by an obligation of
confidentiality
• Their decisions may be appealed against through the
courts
• They must not oversee processing by bodies acting in a
judicial capacity

Other provisions
• Convention also deals with
– mutual assistance among supervisory
authorities
– Committee set up to oversee Convention’s
operation (T-PD)
– arrangements for accession to Convention
– other procedural matters
• Not dealt with in this presentation

Status
• Modernised Convention adopted in May
2018 and is now open for signature
• Enters into force when 5 CoE member
States have “agreed to be bound” by it
• Original Convention remains in force
• Open for ratification world-wide

Thank you
