100. It is left to each Party to determine the nature
(civil, administrative, criminal) of these judicial as well
as non-judicial sanctions. These sanctions have to be
effective, proportionate and dissuasive. The same goes
for remedies: data subjects must have the possibility
to judicially challenge a decision or practice, the definition of the modalities to do so being left with the
Parties. Non-judicial remedies also have to be made
available to data subjects. Financial compensation for
material and non-material damages where applicable,
caused by the processing and collective actions could
also be considered.
104. Article 14 applies only to the outflow of data, not
to its inflow, since the latter are covered by the data
protection regime of the recipient Party.
Article 13 – Extended protection
106. The rationale of the provision in paragraph
1 is that all Parties, having subscribed to the common core of data protection provisions set out in the
Convention, are expected to offer a level of protection that is considered appropriate and therefore in
principle allows data to circulate freely. There might,
however, be exceptional cases where there is a real and
serious risk that this free circulation of personal data
will lead to the circumvention of the provisions of the
Convention. As an exception, this provision has to be
interpreted restrictively and Parties cannot rely on it
in cases where the risk is either hypothetical or minor.
Therefore, a Party may only invoke the exception in a
specific case when it has clear and reliable evidence
that transferring the data to another Party could significantly undermine the protections afforded to that
data under the Convention, and that the likelihood
of this happening is high. This might be the case, for
instance, when certain protections afforded under the
Convention are no longer guaranteed by the other
Party (for instance because its supervisory authority
is no longer able to effectively exercise its functions)
or when data transferred to another Party is likely to
be further transferred (onward transfer) without an
appropriate level of protection being ensured. A further
exception recognised in international law exists where
Parties are bound by harmonised rules of protection
shared by States belonging to regional (economic)
organisations that seek a deeper level of integration.
101. This article is based on a similar provision, Article
53 of the European Convention on Human Rights. The
Convention confirms the principles of data protection law which all Parties are ready to adopt. The text
emphasises that these principles constitute only a
basis on which Parties may build a more advanced
system of protection. The expression “wider measure of
protection” therefore refers to a standard of protection
which is higher, not lower, than that already required
by the Convention.
Chapter III – Transborder flows of
personal data15
Article 14 – Transborder flows of
personal data
102. The aim of this article is to facilitate the free
flow of information regardless of frontiers (recalled
in the preamble), while ensuring an appropriate protection of individuals with regard to the processing
of personal data. A transborder data transfer occurs
when personal data is disclosed or made available to
a recipient subject to the jurisdiction of another State
or international organisation.
103. The purpose of the transborder flow regime
is to ensure that personal data originally processed
within the jurisdiction of a Party (data collected or
stored there, for instance), which is subsequently
under the jurisdiction of a State which is not Party
to the Convention, continues to be processed with
appropriate safeguards. What is important is that data
processed within the jurisdiction of a Party always
remains protected by the relevant data protection
principles of the Convention. While there may be
a wide variety of systems of protection, protection
afforded has to be of such quality as to ensure that
human rights are not affected by globalisation and
transborder data flows.
15. From the entry into force of the Amending Protocol, the
Additional Protocol regarding supervisory authorities and
transborder flows (ETS No. 181) shall be considered an integral
part of the Convention as amended.
105. Paragraph 1 applies to data flows between Parties
to the Convention. Data flows cannot be prohibited
or subjected to special authorisation “for the sole purpose of the protection of personal data”. However, the
Convention does not restrict the freedom of a Party
to limit the transfer of personal data to another Party
for other purposes, including for instance national
security, defence, public safety, or other important
public interests (including protection of state secrecy).
107. Among others, this applies to the member States
of the EU. However, as explicitly stated in the General
Data Protection Regulation (EU) 2016/679, a third
country’s accession to Convention 108 and its implementation will be an important factor when applying
the EU’s international transfer regime, in particular
when assessing whether the third country offers an
adequate level of protection (which in turn allows the
free flow of personal data).
108. Paragraph 2 provides for an obligation to ensure,
in principle, that “an appropriate level of protection
based on the provisions of the Convention is secured”.
At the same time, according to paragraph 4, Parties
may transfer data even in the absence of an appropriate level of protection where this is justified, among
Convention 108+ ► Page 27