CYIL vol. 9 (2018)

EMIL RUFFER


III. Main elements of the Protocol

In the following section, we shall focus on the most important changes introduced by the Protocol, without being exhaustive in describing each and every amendment. While the Protocol naturally follows the structure of the Convention, it updates and clarifies certain definitions (such as ‘data controller’, ‘processor’ and ‘recipient’ of data), and confirms that the scope of application includes both automated and non-automated processing of personal data, thus removing the previous possibility for Parties to reduce or extend the scope of application by making a declaration. However, the Convention no longer applies to data processing carried out by a natural person for the exercise of purely personal or household activities. 17 The Protocol also strengthens the duties of the Parties to adopt in their domestic law the measures necessary to give effect to the provisions of the Convention, also by establishing an evaluation procedure by the Convention Committee to assess the efficiency of the measures (‘follow-up mechanism’). 18

The Protocol further strengthens the principle of proportionality, which should apply throughout the entire processing, and in particular in respect of the means and methods used in the processing of data. It also specifies the principle of lawful processing, in particular with respect to the requirements for consent of the data subject, which has to satisfy several criteria in order to be valid; alternatively, there has to be some other legitimate basis laid down by law (such as contract, vital interest of the data subject, legal obligation of the controller, etc.) to comply with the principle of lawful processing. 19 The catalogue of sensitive data (‘special categories of data’) has also been expanded to include genetic and biometric data, as well as data processed for the information they reveal relating to trade-union membership or ethnic origin.
The Protocol also provides for additional safeguards for individuals when their personal data are processed and, in terms of data security, introduces the requirement to notify, without delay, any security breaches to the competent supervisory authority. 20 Furthermore, the Protocol also increases the obligations of the controllers to guarantee transparency of data processing vis-à-vis the data subjects. 21 New rights of data subjects have also been introduced, in order to ensure greater control over their data, especially with regard to the use of information technologies. One of the specific novelties in this context is the right “not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration”. 22 The data subjects shall also have the right to object to the processing of data at any time, and a right to remedy is guaranteed in case of violation of any Convention rights. 23 The Protocol also

17 Art. 3(1) and 3(2) of the amended Convention. From this section onwards, for the sake of clarity and simplicity, all references to the provisions of the Convention will be to the version as amended by the Protocol, if not stated otherwise (even though the Protocol has not entered into force yet).
18 Art. 4(3) of the Convention.
19 Art. 5(1)-(3) of the Convention.
20 Art. 6 and 7 of the Convention, respectively. However, under Art. 7(2) of the Convention, the obligation to report serious breaches is limited to those “which may seriously interfere with the rights and fundamental freedoms of data subjects”.
21 Art. 8 of the Convention.
22 Art. 9(1).a of the Convention.
23 Art. 9(1).d and Art. 9(1).f, respectively.
