The provisions of the Convention sought to safeguard the rights and fundamental freedoms of individuals and the right to respect their privacy when their data is processed automatically within the territories of all signatory states. The Convention was adopted in response to the growing need for data processing due to the development of technological solutions.
Prior to the adoption of Convention 108, in order to establish a uniform system for the protection of personal data relevant to as many different states as possible, the provisions of the various states were taken into consideration. The objectives of the Convention, adopted in 1981, remain relevant even today.
With the continued improvements in technological data processing methods and in order to provide appropriate solutions for the privacy issues involved, as well as to strengthen the Convention’s own mechanism of operation with regard to the requirements of the General Data Protection Regulation (GDPR), which came into force in the EU in May 2018, it was necessary to amend previously defined provisions of Convention 108.
The most significant amendments to Convention 108
- In order to ensure compliance with the provisions of the Convention, the obligation to designate a supervisory authority for each state that has acceded to the Convention was introduced. In Lithuania, the supervisory authority is the State Data Protection Inspectorate.
- The requirement to immediately notify the supervisory authority about any breach of data protection was included. In Lithuania information can be submitted in person to the Inspectorate, by post or by email with a secure electronic signature. Complaints may also be submitted through the Inspectorate's electronic services portal.
- Third countries were encouraged to agree to comply with the general data protection standards and the section of the Convention relating to cross border flows of personal data was also extended.
- A provision was included stating that the processing of data should be proportionate to the legitimate purposes (this provision was taken over from the GDPR).
- The list of sensitive personal data was also expanded. According to the amendments of the Convention, such personal data are
- a person’s genetic and biometric data;
- data related to a person’s criminal activities;
- data revealing racial or ethnic origin, political beliefs, trade union membership, religious beliefs, a person’s health or sex life.
The amendments to Convention 108 will encourage third countries that have acceded to the Convention and are not covered by the GDPR to apply the fundamental principles of personal data processing, explain the Ecovis experts. In this way, the requirements for the transfer and protection of personal data will be unified internationally.
Accession to the Convention may also have a significant effect on determining whether the third country can be considered as applying adequate personal data security measures and whether the transfer of personal data to such a country would be considered secure. If the Commission takes such a decision, the transfer of data to these countries could take place without specific authorisation or other applicable security measures.
The Significance of Convention 108 for the UK and Brexit
On 31 January 2020, the United Kingdom left the European Union and entered a Brexit transition period which will run until the end of 2020. Until then, the GDPR still applies and data protection is therefore ensured.
However, from 2021 the United Kingdom will be considered a third country in terms of the processing and transfer of personal data. This means that among other things, the transfer of personal data to the United Kingdom will only be possible if the terms of the GDPR are met. The United Kingdom is among the signatories to the Protocol, thus assessing the accession to the Convention as an appropriate safeguard for the transfer of data to third countries will probably simplify the exchange of personal data between the UK and the EU.
For further information please contact:
Loreta Andziulyte, Certified Data Protection Specialist, Attorney at Law, Partner, ECOVIS ProventusLaw, Vilnius, Lithuania