Council of Europe's Convention for the Protection of Individuals with Regard to the Processing of Personal Data

Why is this Convention important for the UK?
  • The UK is not leaving the Council of Europe. Great Britain still has to comply with the Convention even in the case of Brexit.
  • The Convention sets its priority on respecting human rights and fundamental freedoms, in particular the right to privacy, regardless of nationality and place of residence
  • Special attention is given to the legitimacy and fairness of the data processing
  • It regulates transborder flows of personal data
Human rights and freedoms related to data processing
  • According to this Convention, individuals have the right not to be subject to automated decision-making processes without their views being taken into consideration
  • To object to the data processing at any time unless the controller demonstrates legitimate, more important grounds
  • To obtain rectification or erasure on request, free of charge and without excessive delay
  • To have a remedy where their rights have been violated
Convention
  • The Convention requires transparency of data processing: people have the right to know if, when, how and why their data are processed
  • Organizations are required to store all information relating to data processing. Users are able to ask for it
  • Mandates special protection for genetic and biometric data, and for data revealing sensitive information relating to racial or ethnic origin, political opinions, trade union membership, religious or other beliefs, and health
  • Requires organizations to analyse the risk of their systems: the adequacy of data processing and data protection methods. This means organizations need to conduct privacy impact assessments (as in GDPR).
  • Requires deployment of adequate technical and organisational measures taking into account the implications of the right to the protection of personal data at all stages of the data processing.
  • Data can only be sent from the EU to the UK if the UK demonstrates an adequate level of protection
    • GDPR defines this as data protection by default and by design.
    • Privacy engineers and strategists define this as Privacy by Design
Convention places strict consent requirements
  • User data processing can be carried out only if free, specific, informed and unambiguous user consent has been granted
  • Transborder data flows require the user's informed consent
Sanctions
  • Judicial and non-judicial sanctions and remedies for violating this Convention apply
Latest draft of the updated convention.