CYIL vol. 9 (2018)

CYIL 9 (2018) PROTOCOL MODERNISING THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS…

brings additional obligations for controllers and processors of data in terms of being able to demonstrate compliance with the data protection rules and to “design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms”. 24

The rights enshrined in the Convention are not absolute and are subject to exceptions and restrictions. However, any such limitation must be stipulated by law, constitute a necessary and proportionate measure in a democratic society, respect the essence of the fundamental rights and freedoms and be limited only to grounds expressly specified in the Convention (such as national security 25 and defence, other essential objectives of general public interest or protection of the data subject or the rights and fundamental freedoms of others, notably with regard to freedom of expression). 26

With regard to the provisions on transborder flow of personal data, they have also been significantly revised. As a matter of principle, data flows between Parties to the Convention cannot be prohibited or subject to special authorisation, since there is a presumption of a sufficient level of protection. However, there are two exceptions to this rule: (i) if there is a real and serious risk that the transfer to another Party, or from that other Party to a non-Party, would lead to circumventing the provisions of the Convention; or (ii) if a Party is bound by harmonised rules of protection shared by States belonging to a regional international organisation (incl. the European Union). 27 In a situation of transborder flows of data to a recipient that is not subject to the jurisdiction of a Party, there is a need to have a guarantee of appropriate level of protection in the recipient State or international organisation. The Protocol permits two possibilities in this respect: (i) guarantee established by the law of that State or international organisation, including the applicable international treaties or agreements; or (ii) existence of ad hoc or approved standardised safeguards provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing (such as contractual clauses or binding corporate rules). 28

Finally, the role and competences of the supervisory authorities were also strengthened. In addition to their current powers to intervene, investigate, engage in legal proceedings or bring to the attention of the judicial authorities violations of data protection provisions, the authorities must be also empowered to take decisions and impose administrative sanctions. 29 In the context of the Czech Republic, the Office for Personal Data Protection 30 performs

24 Art. 10(1) and Art. 10(2), respectively.

25 According to the Explanatory Report (para. 94 and footnote No. 13), “The notion of “national security” should be interpreted on the basis of the relevant case law of the European Court of Human Rights. The relevant case law includes in particular the protection of state security and constitutional democracy from, inter alia, espionage, terrorism, support for terrorism and separatism. Where national security is at stake, safeguards against unfettered power must be provided.”

26 Art. 11(1)-(3) of the Convention. Needless to say, the extent of exceptions and restrictions applicable to processing activities for national security and defence purposes constituted a very difficult part of the negotiations, given the sensitivity of this area.

27 Art. 14(1) of the Convention.

28 Art. 14(2)-(3) of the Convention.

29 Art. 15(2) of the Convention. It should be noted that due to the updated framework for both the transborder flows of data and supervisory authorities, Art. 37(4) of the Protocol stipulates that “From the date of entry into force of this Protocol, the Additional Protocol (…) regarding supervisory authorities and transborder data flows (ETS No. 181) shall be repealed.”

30 Established by Act No. 101/2000 Coll., on the Protection of Personal Data, as amended.
