Council of Europe's Convention for the Protection of Individuals with Regard to the Processing of Personal Data
Why is this Convention important for the UK?
- The UK is not leaving the Council of Europe. Great Britain still has to comply with the Convention even in the case of Brexit.
- The Convention prioritises respect for human rights and fundamental freedoms, in particular the right to privacy, regardless of nationality and place of residence
- Special attention is given to the legitimacy and fairness of data processing
- It regulates transborder flows of personal data
Human rights and freedoms related to data processing
- According to this Convention, individuals have the right not to be subject to automated decision-making processes without their views being taken into consideration
- To object to the data processing at any time unless the controller demonstrates legitimate, more important grounds
- To obtain rectification or erasure on request, free of charge and without excessive delay
- To have a remedy where their rights have been violated
Convention
- The Convention requires transparency of data processing: people have the right to know if, when, how and why their data are processed
- Organizations are required to store all information relating to data processing. Users are able to ask for it
- Mandates special protection for genetic and biometric data, data revealing sensitive information relating to racial or ethnic origin, political opinions, trade union membership, religious or other beliefs, health
- Requires organizations to analyse the risk of their systems: adequacy of data processing and data protection methods. This means organizations need to conduct privacy impact assessments (as in GDPR).
- Requires deployment of adequate technical and organisational measures taking into account the implications of the right to the protection of personal data at all stages of the data processing.
- Data can only be sent from the EU to the UK if the UK demonstrates an adequate level of protection
- GDPR defines this as data protection by default and by design.
- Privacy engineers and strategists define this as Privacy by Design
Convention places strict consent requirements
- User data processing can be carried out only if free, specific, informed and unambiguous user consent has been granted
- Transborder data flows require user's informed consent
Sanctions
- Judicial and non-judicial sanctions and remedies apply for violating this Convention
Latest draft of the updated convention.