Home > Awareness, Data Protection, Internet, Privacy, Social Media > Data protection Directive-part I.

Data protection Directive-part I.

E-Crime Expert started a new series presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights.

First post in this series introduced the Current EU regulatory framework concerning private information and personal data and presented what the Charter of fundamental rights of the European Union is and what it protects.

Today, the main instrument for protecting personal data of the EU citizens it is being presented: Directive 95/46 -part I.. This Directive, is currently under revision and it is expected that the new revised version to come into effect sometimes by the end of this year or at the beginning of the next year. My personal opinion is that the new revised version will be released on the Data Protection Day, on January 28.

According to the European Data Protection Supervisor, in the 1990s, protection of personal data was regulated by non-harmonised laws in the Member States. Although based on the same basic principles laid down in the Council of Europe Convention No. 108 on data protection, these laws differed considerably in detail. Because this was considered to influence competition and thus the well functioning of EU’s internal market, pressure increased for a more harmonised environment. Developments in the ICT-field added to the need for a common set of data protection rules, specifying the Council of Europe Convention.
This led to the adoption in 1995 of Directive 95/46/EC. It is the central piece of legislation on the protection of personal data in Europe. The Directive stipulates general rules on the lawfulness of personal data processing and rights of the people whose data are processed (‘data subjects’). The Directive also provides that at least one independent supervisory authority in each Member State shall be responsible for monitoring its implementation.

Directive 95/46/EC



This Directive came into force (October 1998) aiming to regulate and guarantee a secure and free movement of personal data among the MS. The Directive has 8 Chapters and 33 Articles. The objective of this Directive states that:

1. … Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data…

 2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1”.

The scope of this Directive, expressed under Article 3, is that this Directive applies to:

3 (1)“the processing of personal data wholly or party by automatic means of personal data which form part of s filling system or are intended to form part of a filling system and to the processing otherwise than by automatic means.” Does not concern processing of data for public security, defense, state security which falls under Title V of the Treaty on European Union Art. 3 (2), and does not address the processing of personal data performed by “a natural person in the course of a purely household activity.” Art 3 (3).

According to the objective of this Directive, considering that privacy is granted and protected as a fundamental right and freedom, and when personal information is subject to data processing, every person or entity bound by EU Law should consider privacy as a fundamental right when processing personal data.

Article 4 establish which is the applicable National Law:

 “National Law applicable when the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community”. 

The EU Data Protection Directive offers three levels of protection for the processing of personal data. The first level sets the general rules and lawfulness for processing personal data in general, as the data should be:

Article 6:

a)    processed fairly and lawfully”;

b)     “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards”;

c)     “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”;

d)    accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

e)     “data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use”.

Article 7: “Personal data may be processed only if:

a)    unambiguous consent from the data subject is given

b)    processing of data is needed for the performance of a contract to which data subject is party, or to take steps at request of the data subject prior entering into a contract

c)     processing of data is necessary for compliance with a legal obligations to which the controller is subject

d)    processing of personal data is necessary to protect a vital interest concerning the data subject

e)     processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority delegated to the controller or a third party to whom the data are disclosed

f)      processing is necessary for the purpose of the legitimate interest from the controller or the third party to whom data are disclosed, except when where such interest are overridden by the interest for fundamental rights and freedoms of the data subject which require protection under Article 1 (1) (i.e. protection of fundamental rights and freedoms of natural persons…with respect to personal data)”.

In order personal data may be processes, at least one of the requirements under Article 7 (not all of them) should apply.

Article 10-12: the subject shall be provided with the processing information.

Article 13: Exceptions and restrictions for matters of:

a) national security;

b) national defense;

c) public security;

d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

     g) the protection of the data subject or of the rights and freedoms of others.

Article 14: “the right to object to the processing of data relating to the subject…or to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses”.

Article 17: “level of security appropriate to the risks represented by the processing and the nature of the data to be protected”.

Article 18: obligations to notify the national Supervisor authority… before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.

Articles 22, 23, 24: with regards to compensation, injunction or court order, administrative coercion, penalty or negative publicity.

Stay tuned for the next post that will present the Directive 95/46 part II.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Did you know about this Directive 95/46?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: