# 11 The Council of Europe updated the only international legally binding instrument for data protection – Convention No. 108

On the 18th of May 2018, in Helsingør, the Council of Europe adopted an Amendment Protocol of Convention № 108 from 28.01.1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“The Convention”).

About the Convention

As of now, the Convention is the only globally relevant international agreement in the field of data protection. It was created in response to the ongoing challenges to privacy rights stemming from the use of new information and communication technologies. With the complete revision of the Convention, the Council of Europe seeks to update it, expand its scope and strengthen the mechanisms it provides, in order to guarantee its effective application.

What are the novelties introduced in the Convention?

The changes to the Convention generally aim to facilitate the trans-border exchange of data while further developing the foundational mechanisms for protection of personal data laid down in the Convention, in accordance with the legislative changes at European level. The Convention encompasses data processing in both the public and private sectors; hence, the changes seek to improve the level of personal data protection and its current scope. The discussions and the work on the amendment started back in 2012 and ran in parallel with the rest of the legislative changes to the personal data protection framework within the EU, including the famous General Data Protection Regulation (GDPR).

The Secretary General of the Council of Europe, Thorbjørn Jagland, points out that the modernization of the Convention reflects the frequent violations of data protection law, and that the main focus in its implementation will be preventing such violations in the future.

Numerous novelties in the Convention are in accordance with the solutions provided by the GDPR. Some of the main novelties include:

  • The categories of sensitive data are expanded – in addition to the existing categories of personal data relating to race, political views, religious or other beliefs, health conditions, ethnicity, crimes, criminal proceedings and sentences, the category now also includes genetic and biometric data, as well as trade union membership and data related to ethnicity;
  • Some of the data subject rights have been expanded, including:
    – The right not to be subject to automated decision-making without the subject's viewpoint being considered, when the decision has a significant impact on the subject;
    – The right to be informed about the data processing;
    – The right of the subject to be informed about the reasoning for data processing, particularly in cases when algorithms are used for automated decision-making and profiling;
    – The right to object to the processing of personal data relating to the subject, except in cases where the legitimate interest of the controller prevails;
  • Additional obligations to the personal data controllers and processors have been introduced:
    – The measures undertaken for data protection have to be connected with their obligation to be able to prove the lawfulness of the data processing (the so-called “accountability” principle);
    – The principles of data protection shall be applied at all stages of processing, including the design stage (“privacy by design” and “privacy by default”);
    – The suitable measures that have to be undertaken include: training of personnel; establishing suitable notification procedures (establishing data retention periods and specific deadlines for their deletion from the systems); establishing specific contract clauses for delegated processing; establishing internal procedures that make it possible to review and justify compliance, etc.;
    – The powers of the Authority elected by the parties of the Convention have been strengthened in order to guarantee the application of the provisions of the Convention. According to the Explanatory Protocol to the Convention, the Authority can be either a sole body (a commissioner) or a collegiate body. Most importantly, the Authority has to possess effective regulatory powers and functions and to be independent;
    – The parties of the Convention may introduce other specific authorities whose activity covers only a very restricted sector (according to the Explanatory Protocol, the electronic communications sector, the healthcare sector, the public sector and others);
    – The Authority has to be empowered to initiate or participate in court proceedings related to all data protection violations. This is linked to the powers to conduct investigations and detect infringements;
    – Obligatory notification of data protection breaches has also been introduced;
  • The measures for proportional data processing and application of the principle of data minimization have been strengthened;
  • Amendment of the current terminology – the term “automated data file” has been repealed and a new participant in the data processing has been introduced, referred to by the term “receiver” (1), etc.;
  • One of the most important additions to the Convention is the enhanced role of the Convention Committee, which has an advisory, but also an evaluation and supervisory capacity. It will determine whether and to what extent a Member State or an international organization has fulfilled the requirements set by the Convention. The Committee has the right to evaluate the compliance of the internal law of a Convention party and to determine the effectiveness of the undertaken measures.

It is important to note that all countries as well as international organizations, including the European Union, can accede to the Convention. This turns the Convention into a key tool for harmonizing various data protection legal regimes by ensuring a high degree of protection at international level.

The modernization of the Convention is a crucial step towards the promotion of global data protection standards. The renewed Convention seeks to stimulate the inclusion of as many countries as possible, aiming to encourage international business and its development, now on the basis of more secure and universally applicable rules regarding personal data and its efficient protection.

You can find more information on the official website of the Council of Europe here.

 

(1) Art. 3, “e” – “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available; Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), URL.

# 10 The Act for Amendment and Supplement to the Personal Data Protection Act, synchronized with GDPR, is officially submitted before the National Assembly

On the 18th of July, the Bill for Amendment and Supplement of the Personal Data Protection Act was submitted before the National Assembly (the New Bill). The New Bill aims to introduce measures to implement the EU’s General Data Protection Regulation (the Regulation/GDPR) and transpose Directive 2016/680 on the protection of personal data in the police sector (the changes proposed in this section – Chapter 8a of the New Bill – will be the subject of a follow-up analysis on our blog).

As expected, some rules from the initial bill (the Old Bill) – subject to public consultation since 30.04.2018 – have been revised as a result of the consultation (1).

At first glance and without claiming to be exhaustive, we underline here some of the amendments made in the New Bill:

1. The minimum thresholds for fines and pecuniary sanctions have been removed since they were not provided for in the Regulation. Fines/sanctions will be imposed according to the criteria set out in the Regulation;
2. The envisaged fine for other violations remains up to BGN 5 000, while the minimum threshold of BGN 1 000 is abolished;
3. The New Bill provides safeguards in order to balance protected secrecy (e.g. the lawyer’s secret) with the investigating powers of the Commission for the Protection of Personal Data (CPDP), insofar as such secrecy may serve the controllers/processors as grounds for refusing CPDP access to it in case of an inspection;
4. The CPDP will maintain a non-public internal register of data breaches and the measures undertaken in accordance with the exercise of its remedial powers. However, new public registers are being introduced:
– Register of controllers and personal data processors who have appointed Data protection officers (DPO);
– The proposal to maintain a DPO register is removed due to concerns of an attempt to introduce a disguised registration regime for this position, which is not provided in the Regulation;
– Register of the accredited certification bodies;
– Codes of conduct register;
5. The provisions empowering the CPDP to conduct trainings of DPOs were also removed;
6. The retention period for the personal data of all job candidates/applicants cannot be more than 6 months (in the Old Bill the term was 3 years) after the end of the recruitment procedure. This restriction also applies to documents that certify the physical and mental health of the applicant, the necessary qualifications and experience for the position held. Other provisions on the protection of personal data in the context of the employment relationship are also specified (e.g. the disputed permission to request explicit consent from employees to process their personal data, which is not required by the employer or a legal act, is also removed);
7. The requirement for controllers/processors to appoint a DPO if they process the personal data of more than 10,000 individuals has also been removed, since this requirement, as set out in the Old Bill, raised serious objections in the public consultation procedure (mainly due to the uncertainties of how it would be applied in practice);
8. Structures whose main activity is related to the spending of public funds will be considered a public body/structure. This will affect their duty to appoint a DPO;
9. The New Bill also provides new provisions regarding the processing of personal data for the purposes of archiving in the public interest, scientific and historical research, statistical purposes and journalistic purposes.

The full text of the New Bill can be found in Bulgarian here.

As your trusted partner we will continue to keep you updated about the New Bill legislation process as well as all the new developments in the personal data protection legislation on a national and European level.

(1) See in this sense also the latest newsletter of CPDP from July 2018, URL