
Privacy data protection. New rules from May 25th. Possible sudden inspections

Data protection: Protocol updating Convention 108 approved


After a long process that began in 2011, the Committee of Ministers of the Council of Europe has completed the modernisation of Convention 108 of 1981 on the protection of individuals with regard to automatic processing of personal data.

The formal adoption took place on the occasion of the Elsinore Ministerial meeting on 18 May. The amending Protocol, which updates Convention 108, will be opened for signature on 25 June, on the occasion of the session of the Parliamentary Assembly of the Council of Europe.

The modernization of Convention 108, which is still the only internationally binding instrument on data protection, responds to the many challenges that have arisen over the years due to the advent of new technologies, ensuring that the principles of the Convention are maintained and strengthening the mechanisms for its actual implementation.

The Protocol guarantees high standards within a flexible regulatory framework that facilitates its adoption by a large number of countries, including those that are not members of the Council of Europe. It also forms a bridge between different regional approaches, including Regulation (EU) 2016/679 (fully applicable from 25 May), which lists accession to Convention 108 by third countries among the criteria to be considered when assessing the adequacy of those countries in the context of data transfers.

The Protocol contains several innovations compared to the original text. In particular: stronger transparency obligations for data controllers; wider rights for data subjects, which now also include the right not to be subject to purely automated decisions and the right to know the logic underlying the processing; greater guarantees for data security, including the obligation to notify data breaches and to follow a privacy by design approach. The Protocol also strengthens the tasks of the Data Protection Authorities and of the Convention Committee, which is called on to assess whether the countries that become party to the Convention actually comply with its principles.

Rome, 21 May 2018 – Privacy Guarantor


Gdpr [General Data Protection Regulation], inspections at the door: here's what to do

Checks by the Guardia di Finanza or by the Guarantor for the Protection of Personal Data will be constant and not always announced in time. Here is a handbook for avoiding mistakes that could cost companies dearly. From issue 158 of AboutPharma.

AboutPharma – 21 May 2018 by Alessio Chiodi

“If the owner of the house had known at what hour the thief was coming, he would not have let his house be broken into. You too must be ready…” reads a well-known Gospel parable, which can also serve for the most secular of inspections by the authorities on privacy protection. Now that the rules of the game are changing, the controls may also increase, and nobody knows when the inspectors will come knocking on the door to ask a company to account for its activities.

First point: be ready

If one were to imagine a vademecum of behaviour, the first rule in this case would be: be ready to manage an inspection by the Guarantor for the protection of personal data. Inspections are usually preceded by reports or complaints, or they are initiatives of the Guarantor within a well-defined road map. If a company is contacted by the competent authority to obtain specific information on its business, it is likely that an inspection visit will soon follow, possibly in person. In less serious cases, the Guardia di Finanza carries out routine visits. In the most serious cases, the inspectors of the Guarantor come themselves, and without the support of the Guardia di Finanza unit. As the lawyer Gianluigi Marino, partner at Osborne Clarke, wrote (AboutPharma no. 154, pages 90-91), if the inspection is carried out in person by the inspectors, the situation can be expected to become contentious, and the inspection may uncover further possible violations. Who carries out the checks therefore indicates how much the authority already knows about the problems of the inspected company.

Second point: find the right answers

The checks can be announced (the day before) or take place by surprise. A document called a “request for information” precedes the inspection. With this document, served at the moment the inspectors enter the premises, the company is asked to account for all its legal and regulatory obligations regarding personal data. How is consent collected? How is the information notice given to data subjects? How are external data processors contracted? All questions that need an answer.

Third point: have someone who follows the inspections

Internal procedures must be streamlined and fast, and someone must receive the inspectors immediately. Generally this task falls to the internal privacy manager, the head of the legal department, the head of the compliance function or the DPO.

Fourth point: record what happens and what is said

Everything must be transcribed, recorded and checked. It is better to reserve the right to verify the correctness of what has been declared, and better still if everything is reviewed by an in-house lawyer or an external consultant.

Fifth point: have well-established privacy compliance

With well-established privacy compliance, the required documentation will be easier to retrieve. In any case, fourteen days are allowed for sending the material, so there is nothing to worry about if the inspectors' requests cannot be met immediately. It happens frequently.

Sixth point: consider the duration of the operations

The investigations last about two or three days. The person in the company responsible for following them must therefore draw up an exhaustive report on what happened.

Seventh point: never release original documents

Hand over copies only. It is also necessary to take note of the databases inspected, obtain a copy of the report from the inspector, and always give truthful information. In case of doubt, it is better not to answer and to defer to subsequent investigations: as with university exams, it is better to remain silent than to give an incorrect answer. In the case of confidential documentation, it is a good idea to redact or anonymise sensitive data that you do not want to disclose to the inspector, for example the economic terms of agreements. Marino wonders: "will organisations be sufficiently responsible to withstand the impact of the GDPR and the new waves of inspections in the coming semesters?".

Eighth point: there will be no exceptions

In recent weeks, news circulated, which later turned out to be false, of a possible transitional period to be granted to non-compliant companies after 25 May 2018. The Guarantor had to intervene publicly to deny any such "bridge period" and to confirm that the rules take full effect on 25 May. In truth, there has already been a sort of transitional period: the GDPR entered into force in 2016, but the European institutions decided to grant an additional two years to allow companies to adapt.


Note (European Privacy Guarantor). Definitions:

- «archive»: any structured set of personal data accessible according to specific criteria, regardless of whether this set is centralised, decentralised or distributed in a functional or geographical way;
- «consent of the data subject»: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject has the right to withdraw consent at any time.

Personal data must be:

- collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, for scientific or historical research or for statistical purposes is not, in accordance with Article 89(1), considered to be incompatible with the initial purposes ("purpose limitation");
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are promptly erased or rectified ("accuracy").

Processing is lawful if it is necessary for the pursuit of the legitimate interests of the controller or of a third party, provided that those interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a minor.

Fedaiisf editorial staff

Fedaiisf Federazione delle Associazioni Italiane degli Informatori Scientifici del Farmaco e del Parafarmaco