Convention 108+
A modernisation protocol - colloquially Convention 108+ - was signed by 21 states on 10 October 2018 after more than seven years of work begun in January 2011. It raises data protection standards and, given mutual influence, mirrors many GDPR concepts (the definition of processor, a legal basis for processing, expanded special categories, breach notification, transparency and accountability). It dovetails with GDPR Recital 105, under which the Commission must take account of a third country's accession to Convention 108 when assessing adequacy.
In January 2011, about thirty years after the original, the Convention 108 Advisory Committee began a modernisation protocol to address new information and communications technologies. The final protocol was approved on 18 May 2018 and signed by 21 states on 10 October 2018. As amended it is colloquially Convention 108+.
- Central definitions such as that of a processor
- A specific legal basis for processing (consent or other legitimate basis laid down by law)
- Genetic data, biometric data, ethnic origin and trade union membership added as special categories
- Enhanced security and an obligation to declare data breaches
- Transparency requirements for data subjects
- Duties to demonstrate compliance, assess likely impact before processing, and design processing to minimise risk
Convention 108+ dovetails with Recital 105 GDPR: when deciding whether a third country offers an adequate level of protection, the Commission must take particular account of that country's accession to Convention 108. The modernised Convention also lets the Convention Committee monitor implementation and even allows accession by international organisations.