<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Convention 108

GDPR's parent law

Book a Demo

What is Convention 108?

Convention 108 is the first ever legally binding international legislation for the states that ratified it, that aimed to protect the personal data of individuals in the context of collection and processing as well as ensure proper cross-border data transfers. 

It was initially enforced in January 1981 and updated in May of 2018 being now called Convention 108+, and so far has been signed and ratified by several countries with the up to date list available here.

Because it contains many foundational ideas, it stands as the basis for many of the data protection laws that have emerged, being considered the so called parent of the GDPR, to which it bears many similarities with only a few notable exceptions, such as the independent regulating body and the penalties imposed by the latter.

In addition to addressing the way personal data is collected and processed, it also ensures the protection of sensitive personal data (race, political affiliation, religion, sexual life, etc.) where no proper legal safeguard exists, and grants individuals the rights of access, information and correction, among others. 

The importance of Convention 108 lies in the fact that it may facilitate adequacy decisions between GDPR countries and third countries, if Recital 105 of the GDPR is relied upon for assessing a country’s level of protection. According to this recital, a country’s accession to Convention 108 should be taken into account in order to reach an adequacy decision.

Transfers to third countries are only compliant with the GDPR if they meet a series of requirements, as delineated in Chapter 5 of the GDPR. These requirements, when looked at closely, are partly covered by Convention 108, meaning that signatory countries are already on the road to adequacy by default.


What is Personal Information and what are other key definitions?

Under Convention 108 ‘personal data’ is “any information relating to an identified or identifiable individual (‘data subject’),” a ‘data controller’ is “the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has decision-mak- ing power with respect to data processing” and a ‘data processor’ is defined as “a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.”

There are no differences between the way it and the GDPR define these, as can be seen. Also, it defines ‘special categories of data,’ or sensitive personal data, as genetic data; personal data relating to offenses, criminal proceedings and convictions, and related security measures; biometric data uniquely identifying a person; personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life.”


Who has to comply with Convention 108?

According to the text of the law, this is applicable to data processing in the public and private sectors of each signatory country, referred to as party,’ who is expected to undertake “to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.”

Who is excluded from Convention 108 compliance? 

Convention 108 does not apply “to data processing carried out by an individual in the course of purely personal or household activities.”


How can I keep my organization Convention 108 compliant? 

Convention 108 regulates compliance in a similar manner to other data protection laws. Firstly it lists several principles in Articles 5, 7, and 8, according to which personal data processing and collection

  • has to be proportionate to the legitimate purpose; 
  • has to be carried out on the basis of “free, specific, informed, and unambiguous consent of the data subject;”
  • has to be processed lawfully, fairly and in a transparent manner;
  • has to be collected for “explicit, specified, and legitimate purposes and not processed in a way incompatible with those purposes;”
  • has to be adequate, relevant and not excessive in relation to the purposes for which they are processed;
  • has to be “accurate and, where necessary, kept up to date”; and
  • has  to be “preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.”

Appropriate security measures have to be implemented “against risks such as accidental or unauthorized access to, destruction, loss, use, modification or disclosure of personal data,” and, for the purpose of transparency of processing, controllers have to be inform data subjects of

  • their (the controller’s) identity and address;
  • the legal basis and the purposes of processing;
  • the categories of personal data processed;
  • any recipients of the personal data, if that is the case, and
  • the means for exercising the data subject rights.

In the case of sensitive personal data, its processing can only be done if appropriate security measures are in place in each country in accordance with Convention 108, guarding sensitive personal data “against the risks that the processing of sensitive data may present for the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.”

Article 10 lists additional obligations for controllers and, where applicable, for processors, both of whom are required to

  • take all appropriate measures to comply with the Convention and be able to demonstrate this; 
  • examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and design the data processing in such a manner as to prevent or minimize the risk of interference with those rights and fundamental freedoms;
  • implement technical and organizational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing; and
  • adapt the above three obligations “according to the nature and volume of the data, the nature, scope and purpose of the processing and, where appropriate, the size of the controller or processor,” in such a way as to have in mind “the interests, rights and fundamental freedoms of the data subjects.”

What data access rights does Convention 108 grant? 

According to Convention 108, data subjects have the following rights: 

  • The right to not be subject to automated decision making
  • The right to access their personal data
  • The right to be informed of the reasoning behind the processing of their personal data
  • The right to object to the processing of their personal data
  • The right to correct
  • The right to delete

Additionally, data subjects have a private right of action in the event of a violation of the provisions of Convention 108 and to benefit from the assistance of the supervisory authorities of the country where the violation occurred. 

Convention 108 compliant website with Clym

Book a Demo

How to address data subject access requests under Convention 108?

Convention 108 does not offer specific guidelines or timeframes for addressing data subject requests, but does mention that data subjects should be able to receive a reply to a request for information “at reasonable intervals and without excessive delay or expense.”

In the case of a request for rectification or erasure, data subjects have the right to receive this “free of charge and without excessive delay.”

Enforcement and penalties

There are no specific penalties for violation of Convention 108, nor is there one single regulating authority, instead what the text of the legislation mandates is that “each Party undertakes to establish appropriate judicial and non-judicial sanctions and remedies for violations of the provisions of this Convention.”


Data Subject Rights - GDPR vs. Convention 108


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

illustration of means of contact


If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
+1 980 446 8535 +1 866 275 2596