Data Protection Directive - Part II
E-Crime Expert has started a new series presenting the European legal framework regarding privacy and personal data, aiming to help readers be aware of their legal rights in order to better protect those rights.
This post presents the second part of Directive 95/46, the Data Protection Directive, which is the central piece of legislation on the protection of personal data in Europe. The Directive stipulates general rules on the lawfulness of personal data processing and the rights of the people whose data are processed (‘data subjects’). The Directive also provides that at least one independent supervisory authority in each Member State shall be responsible for monitoring its implementation.
Under the first level of protection, data subjects have the right to know who the data controller is, who the recipient of the data is, and the purpose of the data processing. If data concerning a private person is inaccurate or incomplete, that person has the right to claim the rectification, update or completion of the data referring to him. The data controller should act carefully when processing data in order to protect that personal data from destruction, alteration, deletion or unlawful processing. The controller is the entity that gives approval and instruction for data processing, and it should provide security measures against deletion, alteration and unlawful processing. The data subject is fully entitled to express his consent regarding if, when and how his personal data is processed, for example with regard to receiving direct marketing material.
The second level addresses the processing of sensitive data by setting out criteria for a special category of data, as follows:
Article 8 (1) DPD: prohibition to process special categories of data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”.
The specific exemptions are as follows: Article 8 (2): when the subject gave his explicit consent, or it is a matter of employment law; vital interest; legitimate activities (non-profit organization); data is made available by the subject himself; medical data; public interest; criminal data; national identification number; or Article 9: journalistic, artistic purpose.
The information regarding sensitive personal data and its use includes, but is not limited to, philosophical and religious beliefs, sex life, health, and race, which are given special status and cannot be subject to data processing unless the data subject has expressed her consent or in one of the other situations expressly established through this Directive. Enforcement of the data processing rules can be achieved through the supervisory authority. This authority is empowered to investigate, block, erase, destroy or stop processing when the data was obtained unlawfully. Furthermore, if a private person has suffered damage or loss from unlawful data processing, he can claim compensation for that damage or loss from the controller in charge. Exemptions from these stipulations apply as identified under Article 8 (2) above. However, when a data controller processes sensitive personal data, he should comply with both level one and level two of the protection.
The third level of protection concerns the criterion for transferring personal data to third countries:
Article 25 (1): Adequate level of protection: “transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection”.
Article 26 (1) Derogations regarding data that could be transferred to third countries when:
a) the subject gives unambiguous consent;
b) it is a contractual obligation (matter);
c) contract between controller and third party in the interest of the subject;
d) matter of important public interest;
e) vital interest of the data subject;
f) transfer is made from a public register.
Article 26 (2): authorization is given by the MS “…transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses”.
The transfer of personal data outside EU territory requires an adequate level of protection in the third country to which the data is transferred. When a third country does not offer an adequate level of protection for data from the EU space, the data controller should employ any measure in order to prevent any transfer to that third country. When the data processor transfers personal information to third countries, it should also comply with the first level of protection (processing of personal data) and the second level of protection (processing of sensitive personal data). Additional protection is provided at a fourth and a fifth level, regarding the right to privacy when processing personal data in the electronic communication field (Directive 2002/58) and data retention protection (Directive 2006/24/EC) respectively.
The purpose of having a layered system is that appropriate protection should be granted to private information and personal data. As there are different categories of data (general data and sensitive data), protection is also granted on different levels in order not to over-regulate; what is most important, however, is to provide a sufficient level of protection.
In addition, Directive 95/46/EC sets out clear definitions regarding: personal data, data subject, identifiable information, processing of personal data, personal data filing system, controller, processor of personal data, third party, recipient and data subject consent.
i) “Data subject” means any natural person who could be identified or identifiable by any information (personal data) regarding his person.
ii) “Personal data” means any information that could identify or make identifiable a natural person, such as: name, address, telephone number, pictures, videos, identification number, place of birth, educational, employment, financial, physical, mental or social information, sex, religion, race.
iii) “Identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
iv) Processing of personal data is defined as any type of action, operation or set of operations applied to personal data, regardless of whether the action is done automatically or not, by a computer or manually. The actions considered as processing of personal data under Article 2 (b) are: “collection, recording, organizing, storage, adaption, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” of personal data. In other words, in the view of this Directive, any person or entity who collects, organizes, uses, retrieves or makes personal data available to another party without right, without consent, or without following the specific requirements and exemptions of this Directive is in non-compliance with this normative act. Collection of personal data occurs, for example, when someone submits an application for a university program and the registry office collects the applicant’s personal information such as name, contact details, address, etc. Collection of personal information also occurs when someone sets up a user account while subscribing to a website, an email client, or a social networking site (SNS). The receiver (e.g. the university) could organize this personal information for different purposes such as entrance to a particular program, scholarship applications, etc. In the online case, this information could also be categorized for the purpose of granting access to different services as basic user, premium user, etc.
v) Personal data filing system means a system that is in place to identify and retrieve information regarding a person, based on a determined request and criterion, such as listing the entire number of the subjects stored in that particular system by age group, sex, certain location, etc., whether the system is in one place or dispersed across multiple locations and geographical areas (e.g. part in Europe, another part in the US).
vi) Controller means a private or juridical person, whose nomination and appointment are subject to EU or Community law, that is invested with the power to determine who, when, how, for how long, in what way, and why the personal data could be processed.
vii) Processor of personal data is the person or entity that is granted authority by the Controller to process personal data.
viii) By third party, Article 2 of the Directive refers to any private person or entity other than the subject the data refers to, the controller or the processor as identified above, which is authorized to process personal data under the direct control of the controller or processor.
ix) The recipient is any private natural or legal person, public authority, agency or any other body which receives disclosed data. If, during a police investigation, a certain entity was empowered to receive particular personal data, this falls under the scope of this article. For example, anyone who receives someone’s personal information (e.g. contact details and address) from another person or entity could be considered the recipient.
x) Data subject consent means the expressed, explicit and free consent of a subject regarding the processing of personal data referring to his person. In practice, consent is given when a person provides another person with his address or personal contact details for a university application, regardless of whether the data are part of a filing or processing system, and/or signs a legal disclaimer for the processing of personal data for that university application process.
This Directive identifies and defines the minimum data protection elements, which the Member States (MS) should transpose into their national legislation through their own ways and means, but at the level of protection this Directive aims for.
This Directive also establishes what data controller means and its obligation to verify the applicability of the principles and rules regarding data quality and data processing. The data controller also has obligations regarding the subject the personal data refers to, whether the data is obtained from the person himself or through other means. In both cases, the personal data should be processed, filed, manipulated, stored, disclosed and accessed only in the spirit of this Directive. In other words, even if the data is obtained with consent from the subject, the data controller should ensure that all the actions regarding data processing, filing, manipulation, use, storage, etc. are in compliance with this Directive. Furthermore, a comprehensive set of definitions and specific terms is provided in this Directive in order to help understand and implement the protection of individuals with regard to the processing of personal data and the free movement of such data.
Stay tuned for the next post that will present the Directive 2002/58/EC.
Any questions can be submitted to: email@example.com
Additional information can be found at: www.e-crimeexppert.com
Did you know about this Directive 95/46? Do you think that it effectively protects your rights?