This post is also available in: Español

If it were necessary to choose a word to describe 2018, it would be “data”; a good example is Convention 108+.

Since the General Data Protection Regulation (“GDPR”) came into force on May 25, the legislative bodies of the Member States have continued to work and finalize the adaptation of their respective national laws. In Spain’s case, the new Spanish Act on the Protection of Personal Data and the Guarantee of Digital Rights (Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales) is in its final processing stage and is expected to be introduced very soon.

Internationally, the Council of Europe developed Convention 108 over three decades ago (1981) to protect individuals with regard to the automated processing of their personal data. However, it urgently needed updating to adapt it to the realities of this new digital era.

The new version, Convention 108+, was opened for signature on October 10th in Strasbourg and was well received by the Member States, with Spain among the signatories, and by third countries such as Uruguay, which were also included.

In line with the GDPR, the key elements of this convention are the principles of transparency and proportionality in the processing of data, increasing the guarantees that must be adopted along with adequate safeguarding measures. The most notable inclusions are the following:

  • The legal bases under which personal data can be processed are clarified (article 5).
  • The list of sensitive data is extended to include genetic information, biometric data, or data concerning membership of an ethnic group (article 6).
  • Notifying at least the supervisory authorities of security breaches that affect individuals is mandatory (article 7).
  • The rights of access and deletion are guaranteed and extended, and all information relating to the processing that will be carried out and the purposes must be transmitted (article 9).
  • Those responsible for, and in charge of, processing must take all necessary measures to ensure that the data protection regulations are complied with; the principle of proactive responsibility is likewise established (article 10).
  • Data transfer is facilitated, whether between Member States or third countries, provided that minimum guarantees are met (article 14).
  • Emphasis is placed on the importance of supervisory authorities, in addition to acting as disciplinary instruments, investing in education and awareness-raising in this sector (article 16).

The final text of the updated protocol can be consulted here, a summary with the complete new developments here, and a document comparing the former convention with the modernized version can be viewed here.


Authors: Adaya Esteban and Raúl Pérez Terol