Posts Tagged ‘Data Protection Officer’

EU Member States’ national Data Protection Laws

December 16, 2011 1 comment

As announced in the last blog post here, E-Crime Expert presents today the National Data Protection Legal Acts of each Member State as required by the implementation of the Directive 95/46. This could be helpful for anyone interested as there are significant differences among the Member States DP national legal frameworks, acquired during their implementation  process of  the Directive 95/46. In this regards, for a company running commercial activities in Belgium, their compliance when processing personal data in Belgium, should be subject to the Belgian DP national Law. The Directive 95/46 has no direct implication or relation to their processing operations in Belgium or in any other member States. This Directive sets forth the general European legal framework with the minimum protection requirements  for the national DP laws implemented by each member State in their own ways. Therefore, for any interested party, company or data subject, it is useful to know which DP Laws particularly applies when running businesses, doing electronic commerce or any other activities that require processing of personal data.

Transposition of the Directive 95/46 requirements into national laws.

Here you can find the national laws of each member state:


Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999


Act of 8 December 1992

Royal Decree


Personal Data Protection Act


The Processing of Personal Data (Protection of Individuals)
Law 138(I)2001

Czech Republic

Act on Protection of Personal Data (April 2000) No. 101


Act on Processing of Personal Data, Act No. 429, May 2000.


Personal Data Protection Act of 2003


 Personal Data Act (523/1999)

Act on the amendment of the Personal Data Act (986/2000)


Data Protection Act of 1978 (revised in 2004)


Federal Data Protection Act of 2001


Law No.2472 on the Protection of Individuals with Regard to the Processing of Personal Data, April 1997.


Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests


Data Protection Act 1988.

Data Protection (Amendment) Act 2003.


Data Protection Code of 2003

Processing of Personal Data Act, January 1997


Personal Data Protection Law, March 23, 2000.


Law on Legal Protection of Personal Data (June 1996)


Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data.


Data Protection Act (Act XXVI of 2001), Amended March 22, 2002, November 15, 2002 and July 15, 2003

The Netherlands

Dutch Personal Data Protection Act 2000


Act of the Protection of Personal Data (August 1997)


Act on the Protection of Personal Data (Law 67/98 of 26 October)


Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data


Act No. 428 of 3 July 2002 on Personal Data Protection.


Personal Data Protection Act , RS No. 55/99.


ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data


Personal Data Protection Act (1998:204), October 24, 1998

United Kingdom

UK Data Protection Act 1998

Privacy and Electronic Communications (EC Directive) Regulations 2003

E-Crime Expert would like to thank you for reading this Blog and to wish you Merry Christmas and a very Happy New Year! We’ll be back in the first week of January 2012.

Till then, stay safe!

Any questions can be submitted to:

Additional information can be found at:

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.


EU National Data Protection Authorities

December 14, 2011 1 comment

Today, E-Crime Expert presents the contact details of all the (EU) National Data Protection Authorities in order to help citizens/users know where to address and complaint in case their fundamental right to the protection of personal data it is breached. This right is granted by the Charter of Fundamental Rights of European Union. Also, the Directive 95/46 sets forth the National Data Protection Authorities to protect the right to privacy and personal data of the data subjects.

Briefly, the main roles of National DPA are:



-Hear claims and engage in legal proceedings



Here are listed the up-to-date contact details of all EU National EU DPAs:


Österreichische Datenschutzkommission
Hohenstaufengasse 3
1010 Wien
+43 1 531 15 25 25; Fax +43 1 531 15 26 90


Commission de la protection de la vie privée
Rue Haute 139
1000 Bruxelles
Tel. +32 2 213 8540; Fax +32 2 213 8545


Commission for Personal Data Protection
Mrs Veneta Shopova
15 Acad. Ivan Evstratiev Geshov Blvd.
Sofia 1431
Tel. +3592 915 3531; Fax +3592 915 3525


Commissioner for Personal Data Protection
Mrs Panayiota Polychronidou
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456; Fax +357 22 304 565

Czech Republic

The Office for Personal Data Protection
Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111; Fax +420 234 665 444


Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00; Fax +45 33 19 32 18


Estonian Data Protection Inspectorate
(Andmekaitse Inspektsioon)
Director General: Mr Viljar Peep (Ph.D)
Väike-Ameerika 19
10129 Tallinn
+372 6274 135; Fax +372 6274 137


Office of the Data Protection
P.O. Box 315
FIN-00181 Helsinki
+358 10 3666 700; Fax +358 10 3666 735


Commission Nationale de l’Informatique et des Libertés
8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
+33 1 53 73 22 22; Fax +33 1 53 73 22 00


Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
+49 228 997799 0 or +49 228 81995 0
Fax +49 228 997799 550 or +49 228 81995 550


Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600; Fax +30 210 6475 628


Data Protection Commissioner of Hungary
Parliamentary Commissioner for Data Protection and Freedom of Information: Dr András Jóri
Nádor u. 22.
1051 Budapest
Tel. +36 1 475 7186; Fax +36 1 269 3541


Data Protection Commissioner
Canal House
Station Road
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800; Fax +353 57 868 4757


Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
+39 06 69677 1; Fax +39 06 69677 785


Data State Inspectorate
Director: Ms Signe Plumina
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131; Fax +371 6722 3556


State Data Protection
Inspectorate Director: Mr Algirdas Kunčinas
Žygimantų str. 11-6a
011042 Vilnius
Tel. + 370 5 279 14 45; Fax +370 5 261 94 94


Commission nationale pour la protection des données
41 avenue de la Gare
1611 Luxembourg
+352 2610 60 1; Fax +352 2610 60 29


Office of the Data Protection Commissioner
Data Protection Commissioner: Mr Joseph Ebejer
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100; Fax +356 2328 7198

The Netherlands

College bescherming persoonsgegevens
Dutch Data Protection Authority
Juliana van Stolberglaan 4-10
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500; Fax +31 70 888 8501


The Bureau of the Inspector General for the Protection of Personal Data
Inspector General for Personal Data Protection: Mr Wojciech Rafał Wiewiórowski
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 860 70 81; Fax +48 22 860 70 90


Comissão Nacional de Protecção de Dados
R. de São.
Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00; Fax +351 21 397 68 32


The National Supervisory Authority for Personal Data Processing
President: Mrs Georgeta BASARABESCU
Str. Olari nr. 32
Cod poştal 024057
Tel. +40 21 252 5599; Fax +40 21 252 5757


Office for Personal Data Protection of the SR
President: Mr Gyula Veszelei
Odborárske námestie č. 3
817 60, Bratislava
Tel. + 421 2 5023 9418; Fax + 421 2 5023 9441
e-mail: or


Information Commissioner
Ms Natasa Pirc Musar
Vošnjakova 1
1000 Ljubljana
+386 1 230 9730; Fax +386 1 230 9778


Agencia de Protección de Datos
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200; Fax +34 91455 5699


Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100; Fax +46 8 652 8652

United Kingdom

The Office of the Information Commissioner Executive Department
Mr Christopher Graham
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1 625 54 57 00

Stay posted as the next blog  post will bring you the individual EU National Data Protection legal act that transpose the Directive 95/46 into National Law.

Any questions can be submitted to:

Additional information can be found at:

Do you have any complaint? Did you know where to address in case of DP breach?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

“Cookie” Directive

October 28, 2011 6 comments

From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:

Directive 2009/136/EC amends and supplements Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.


Directive 2009/136/EC addresses the issues of unsolicited commercial messages, the use of technologies for telemarketing purpose the use of traffic and location data, public directories and cookies: “a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server”. Through the implementation of this Directive, which complements and amends Directive 2002/58/EC, a better protection of users’ personal data is aimed at. Additionally, a new framework for disclosure of security breaches from the electronic communication provider to their users is set.

Regarding the access of the stored data (Article 4 E-Privacy Directive), in the view of this new Directive, the electronic communication providers should ensure that users’ personal data can be accessed only by “authorized personnel for a legally authorized purpose”. The new requirement essentially is that the communication service providers should implement security policies regarding the processing of users’ personal data. In regards to this stipulation, the national authorities are granted rights to audit the measures taken by the providers of communication services in regard to security and the processing of users’ data, and could provide best practices and techniques in achieving the best security measures for users’ data protection.

In the view of this Directive, regarding the breach of security, the communication service providers are provided with clear definitions and meanings of security breaches and risks, and the notion of personal data breach has been introduced. The scope of this Directive referring to security breaches is that the communication service providers should take appropriate actions to try stop or reduce the effect of security breaches, inform the user about the data that was at risk or breached, and when well-defined and potential security breaches could occur such as: “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.” The scope of identifying and defining those security risks is that from the moment this Directive will be implemented (e.g. June 2011), every communication service provider will refer to security breaches as to something well determined and are also obliged under the new Art 4 (3) to give Notice of security breaches to the competent national authority and to the user whose data is at risk, suffered an adverse effect or when data at risk could potentially disclose the user’s identity. The Notice is not required if the communication service provider proves that all the technical and security measures available were taken to protect users’ privacy and security breaches.

This directive applies to the collection of personal data placed on a EU user’s terminal (i.e. computer hard drive, smartphone, iPad) by using cookies as a mean of equipment. Consequentially, the EU users are protected against any website that uses cookies (without users opt-in consent),

The Directive requires before any cookie is sent to a user terminal, consent should be obtained. The user needs to express the opt-in consent before any cookie is sent. The user’s terminal is regarded as his personal and private space and an illegitimate installation of a program such cookies, is a privacy intrusion. In addition, if the user gives consent for cookies installation, the user should also be informed about any exchange of private information retrieved from his terminal. Precedent views regarding the user’s browser settings, assumed that if the browser setting allows cookies (i.e. the user set up his browser to accept cookies), then the consent is given. Furthermore, this Directive requires, even if the browser settings allow cookies, still the user must be informed regarding any exchange of private information between his computer terminal and the communication service provider.

For example, when a third-party website which uses Facebook “Like” button (even when the button is not clicked on that particular website, when the user visits it), when it is visited by a Facebook user, because of the cookie assigned to its unique Facebook ID number, makes him identifiable to the third-party website as well. The website “knows” then who is the visitor and can get access to that particular user’s Facebook profile (the “Like” button is designed to post on one’s Facebook Wall the website/business he likes). By getting access to private information this is a breach of this directive because the user should “be informed about any exchange of private information retrieved from his terminal”.

This Directive entered into force as of 2010, but the EU Member States should have transposed it into their national legislation by June 2011.

If you would like to read another E-Crime Expert Article on how the cookie “notification” is actually done in practice, check “Privacy: search for it and claim it“, post.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive? Are you aware of the use of cookies? Are you informed about the use of cookies on your machine?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data Retention Directive

October 26, 2011 Leave a comment

From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:

Directive 2006/24/EC, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services.


Under Article 1 “Scope”, the Directive objective is to establish legal provisions concerning public communications providers in order for the traffic and location data (necessary to identify a user) to be stored for at least 6 month to a maximum period of 24 months. The purpose of users’ stored data is when criminal investigations, detection and prosecution of serious crimes require access to users’ traffic data, the communication service provider has to make it available.

From the definition section point of view, outlined under Article 2 “Definitions”, two new terms are introduced which are not mentioned under the Data Protection Directive.

i)       user ID: refers to a unique identifiable number or sequence of numbers, letters or a combination of two, assigned to users when they subscribe to an Internet Service Provider (ISP) or Internet Communication Service (ICS).

ii)      cell ID: refers to any means which could identify a user in relation with a cellular phone call, by determining the cell phone from where the phone call was made or terminated.

Further, the authorities’ access to the retained data is regulated under Article 5 as following:

i)       any necessary data which traces and identifies the communication type and the person or entity that made it. Here no distinction is made between data in general, private information, natural person or legal person. The access is granted for traffic or subscriber of data.

ii)      any traffic data which is made available through a digital, analog fixed telephony network or mobile network should be retained by the service provider in the scope of this Directive, whether is the calling number or/and the name and address of the user.

iii)    the  Internet ID (e.g. Internet Protocol address) or the VOIP number (e.g. Skype offers phone numbers to its subscribers), should be retained and made available for the scope of this Directive. Furthermore if a user is subscribed to a certain SNS (e.g. Facebook or YouTube) under an ID number or nickname, the identity of that user (if it could be determined) should be provided by that SNS provider in the cases outlined under Article 1 “Scope” of this Directive.

The same categories of information regarding the identification of the communication should be retained as well, as stipulated under Article 5 (b) “data necessary to identify the destination of a communication”. No content data of the communication can be retained.

The duration of retention of users’ data is regulated under Article 6 “Periods of retention” where this period of time should be between 6 months minimum and 24 months maximum.

Article 7 addresses the “Data protection and data security” issue by requiring the communication providers in relation with the stored data, to:

i)       ensure that they have all the organizational and technical means to preserve and protect the data at the same quality as they protect the users’ data in their networks.

ii)      provide all the technical and organizational means to protect users’ data from destruction, alteration, deletion (partial or total), processing, access or unlawful storage.

iii)    make available all the stored data for access only by specially authorized personal.

iv)    destroy all the data after the period of retention expires, except that data which is subject to necessary, appropriate and proportionate measures to safeguard national security, defence, public security, or prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as indicated under Article 15 (1) Directive 2002/58/EC.

Article 8 details that the requirements and standards for retained data are to be transmitted from the communication provider to the authorities, with no delay, and more specifically the users’ data is to be accessible and available in real time.

Article 9 refers to the obligation of providing supervision by the MS on how users’ data is stored, if it is secure, and thus not vulnerable or altered, etc. The supervisory authorities could be the same as described in Article 28 of Directive 95/46/EC.

The scope of this Directive is to require the operators of publicly available electronic communication networks to store and provide location and traffic data (not content data) processed through their networks, to the State authorities (e.g. police, intelligence service, government, etc) for the purpose of serving the detection, investigation and prosecution of serious crimes.

The corespondent national law that implemented this Directive in MS, was found unconstitutional in several countries already: Romania, Germany, Bulgaria, to name few. For the moment this Directive is suspended until will be decided its necessity in the existing form, in a new amended form or at all.

Stay tuned for the next post that will present the Directive 2009/136/EC  known as “Cookie Directive Directive”.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive? Do you think that the retention of data help you stay protected?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

E-privacy Directive

October 24, 2011 3 comments

From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:

Directive 2002/58 on Privacy and Electronic Communications, otherwise known as E-Privacy Directive



The scope of his Directive is to complement the Data Protection Directive 95/46/EC. The objective is pursued by the harmonization of the provisions of the Member States (MS) in order to secure a uniform and equivalent level of protection of fundamental rights and freedoms among all the MS. It addresses the right to privacy when processing personal data in the electronic communication field (i.e. communication environment which allow content to be delivered digitally through networks, such as the Internet, as opposed to the analog telecom features); and it also secures the free movement of personal data and electronic communications. The Directive does not address issues regarding security and defense, covered by the title V of the Treaty on European Union. Criminal law is addressed by the Council Framework Decision 2008/977/JHA, formerly under title VI of the Treaty on European Union. While the Data Protection Directive refers just to natural persons, the 2002/58/EC Directive refers to legal persons as well.

Under Article 2 “Definitions” new terms are provided for the electronic services providers, in order to supply better protection for the users of such services with regards to:

i)           the user: identified as a any private person that is using a publicly available electronic communication service for personal or business purposes, which does not have necessary to be subscribed to a determined service (e.g. visiting a website does not require subscription, but personal data could be retrieved).

ii)          traffic data: refers to any data necessary for carrying a communication on an electronic communication network (such as IP address, user name, email address) but not limited to billing purpose (i.e. to establish the cost of the services provided). The electronic communication providers argued that they needed to keep traffic data for billing purposes.

iii)        location data: refers to any data processed in an electronic communication network which determines a geographic position or location with regards to a user or the user’s equipment while using publicly available electronic communication services. This definition is important for users which use for example a cellular as a terminal for their communication instead of a computer. Using a cellular (mobile phone, which is different then a fixed computer station), user’s particular location may be determined by the communication service provider based on the signals sent and received to the closest communication “cell” in the proximity of that user, as any cellular has an unique identity number (IMEI). The Internet Protocol (IP) address used by computers for Internet connections can identify a user located in a certain geographical area. For example, when one logs into their computer while in The Netherlands, his web browser provides information in Dutch, while another person in the UK is provided the same information in English, and there is a clear differentiation made between their geographical location.

iv)        communication: is identified as an information exchange between users when using publicly available communication services (e.g. email). It does not refer to TV or radio broadcasting. The communication could take the form of text, audio, video or photo, or code.

v)          call: refers to any connection performed through a publicly available telephone service, by allowing a two-way communication in real time.

vi)        consent: refers to user or subscriber approval given to any entity for processing, retrieving, using, etc. data in accordance with the Directive 95/46/EC stipulations.

vii)       value added service: refers to any service that requires the processing of traffic or location data other than the traffic data required for the communication itself or billing purpose.

viii)     electronic mail: refers to any sound, voice, text, image, or message sent through a public communication network  that can be stored  in the network or on the user’s terminal. By establishing the “electronic mail” term to more than a “written message” clarifies that under electronic mail (as Web 2.0 is in use), can fall any kind of communication between users such as family pictures, music, or videos.

Establishing these definitions is an important step taken in eliminating confusion between users and providers, ensuring that now both parties have the same understanding and terms of reference when dealing with “communication”, “location data”, “electronic mail”, “user”, and “consent”, etc.

Under Article 4 (1) “Security”, the Directive established as a general obligation for the provider of electronic services to supply security of services by ensuring that technical and organizational measures are in place in order for personal data concerning the users is appropriately protected. Under Article 4 (2) “Security” the Directive established new obligations for the electronic service providers by requiring them to inform the subscribers when risks (e.g. viruses, malwares) are detected in the network or are imminent to occur.

Article 5 sets forward another obligation for the providers of electronic communication, as they have to provide confidentiality of the information regarding their users. The Directive clearly prohibits any type of listening, tapping, storage, interception, and surveillance of communication and traffic data if the users did not expressly give their consent or if no exemptions apply such as: necessary, appropriate and proportionate measures to safeguard national security, defence, public security, or prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as indicated under Article 15 (1).

Article 6 concerns traffic data and expressly requires the providers of public communication networks to erase or make it anonymous when it is no longer required for the transmission of a communication. Furthermore no electronic communication provider can keep this data for marketing, advertising or value added services without the consent of the users. This consent could be withdrawn at any time. The provider should inform the user which type of data is processed, for how long, and the scope of the processing. The processing of the data should be done just by the legitimate and authorized personnel from the provider’s side or on its behalf with regards to billing, marketing, fraud detection, and customer services and it must be restricted to what is necessary for providing the communication service.

Under Article 9, location data is dealt with such that data, which provides a geographical position or location obtained through a public communication network, but which is not traffic data, and can be processed only when the users are made anonymous or they gave their consent. The purpose of data processing, duration, and transition to third parties can be done only when the users expressed their consent. Once the user has given their consent, they can also withdraw it. The users could discretionarily give consent regarding each time when location data is processed, transmitted or manipulated by the service providers. The transmission to third parties of location data is restricted to the scope of offering value added services.

Article 12 requires providers of electronic communication to inform the users before they are included in any kind of directory of the purpose of the directory and the usage availability of that directory whether is offline or online. The users have the right to identify that data, modify or withdraw from the directory.

Under Article 13, the Directive establishes rules and defines unsolicited email (e.g. Spam) and restricts the use of email addresses for marketing purpose. This Article establishes an opt-in regime when the users give prior agreement. Under the scope of this Article falls also the text messages, push mail (i.e. the message is received from the server where it is stored; always-on e-mail receiving capabilities) or similar forms, which target users’ portable devices such as, smartphones, PDA’s (e.g. iPhone, HTC).

Directive 2002/58 is a continuation of the Data Protection Directive and addresses a number of new important issues, which come along with the new advanced digital technologies in the field of the communication networks. This Directive also implements specific requirements regarding the protection of personal data, which at the time when Directive 95/46/EC came into place, have not been foreseen due to the technological developments available at that time (i.e. 1995). The development of the information society comes with new electronic communication services such as digital networks, which facilitate a faster, and more global transfer of personal data between users. Besides the economical and technological benefits, the users’ privacy should be properly protected with up-to-date regulatory measures

Stay tuned for the next post that will present the Directive 2006/24/EC  known as “Data retention Directive”.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive? Do you think that it effectively protects your rights in relation to the electronic communication field?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data protection Directive-part II.

October 21, 2011 Leave a comment

E-Crime Expert started a new series where is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights.

This post is presenting the second part of the Directive 95/46-data protection Directive, which it is the central piece of legislation on the protection of personal data in Europe. The Directive stipulates general rules on the lawfulness of personal data processing and rights of the people whose data are processed (‘data subjects’). The Directive also provides that at least one independent supervisory authority in each Member State shall be responsible for monitoring its implementation.

Under the first level of protection concerning data subjects, they have the right to know who the data controller is, who the recipient of the data is and the purpose of data processing. If data concerning a private person is not accurate or incomplete, that person has the right to claim the rectification, update or completion of that data referring to his person. The data controller should carefully act when processing data in order to protect that personal data from destruction, alteration, deletion or unlawful processing. The controller is the entity that gives approval and instruction for data processing, which should provide security measures against deletion, alteration and unlawful processing. The data subject is fully entitled to express his consent regarding: if, when and how his personal data is processed with regards to receiving for example, direct marketing material.

The second level addresses the processing of sensitive data by setting out criteria for a special category of data as such:

Article 8 (1) DPD: prohibition to process special categories of data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”.

The specific exemptions are as follows: Article 8 (2): when the subject gave his explicit consent, or it is a matter of employment law; vital interest; legitimate activities (non-profit organization); data is made available by the subject himself; medical data; public interest; criminal data; national identification number; or Article 9: journalistic, artistic purpose.

The information regarding sensitive personal data and its use includes, but is not limited to, philosophical and religious beliefs, sex life, health, and race which are given special status and they cannot be subject of data processing unless the data subject expressed her consent or in any other inapplicable situations expressly established through this Directive. The supervisory authority can achieve the enforcement of data processing. This authority is empowered to investigate, block, erase, destroy or stop processing when the data was obtained unlawfully. Furthermore, if a private person suffered damage or losses from an unlawful data processing, he could claim compensation for the damage or lose from the controller in charge. Exemptions of these stipulations apply as identified under Article 8 (2) above. However, when a data controller processes sensitive personal data he should both comply with level one and two of the protection of sensitive data.

The third level of protection is in regards to the transfer criterion of personal data to third countries:

Article 25 (1): Adequate level of protection: “transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection” :

Article 26 (1) Derogations regarding data that could be transferred to third countries when:

a)     the subject gives unambiguous consent

b)    it is a contractual obligation (matter)

c)     contract between controller and third party in the interest of the subject;

d)    matter of important public interest;

e)     vital interest of the data subject;

f)     transfer is made from a public register.

Article 26 (2): authorization is given by the MS “…transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses”.

The transfer of personal data outside of the EU territory should comply with an adequate level of protection provided by the third country where the data is transferred. When a third country does not offer an adequate level of protection regarding data from EU space, then the data controller should employ any measure in order to prevent any transfer to that third country. When the data processor transfers personal information to third countries, it should also comply with the first level of protection (processing of personal data), and the second level of protection (processing of sensitive personal data). Additional protection is provided as at a fourth and fifth level regarding the right to privacy when processing personal data in the electronic communication field (Directive 2002/58) and respectively the data retention protection (Directive 2006/24/EC).

The purpose of having a layered system is that the appropriate protection should be granted in regards to private information and personal data. As there are different categories of data (general data and sensitive data), the protection is also granted on different levels in order to not over regulate, but what is most important is to provide a sufficient level of protection.

In addition, the Directive 95/46/EC sets forward clear definitions regarding: personal data, data subject, identifiable information, processing of personal data, personal data filling system, controller, processor of personal data, third party, recipient and data subject consent.

i)       “data subject” means any natural person who could be identified or identifiable by any information (personal data) regarding his person”.

ii)      “personal data” means any information that could identify or make identifiable a natural person, such as: name, address, telephone number, pictures, videos, identification number, place of birth, educational, employment, financial, physical, mental or social information, sex, religion, race”.

iii)    “Identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

iv)    Processing of personal data as any type of action, operation or set of operations applied to personal data regardless if the action is done automatically or not, by a computer or manually. The actions considered as processing of personal data under Article 2 (b) are: “collection, recording, organizing, storage, adaption, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” of personal data. In other words, in the view of this Directive, any person or entity who collects, organizes, use, retrieves or makes personal data available to another party, without right, consent, or without following the specific requirements and exemptions of this Directive, is in non-compliance with this normative act. Collection of personal data means when for example someone submits an application for a university program and the registry office collects the applicant’s personal information such as: name, contact details, address, etc. Also, collection of personal information is when someone subscribes to a website, an email client, or a SNS when setting up a user account. The receiver (e.g. university) could organize this personal information based on different purposes such as: entrance to a particular program, scholarship applications, etc. In the online case, this information could also be categorized for the purpose of granting access to different services as basic user, premium user, etc.

v)         Personal data filling system means when a system is in place to identify and retrieve information regarding a person, based on a determined request and criterion such as: listing the entire number of the subjects stored in that particular system based on age groups, sex, certain location, etc, whether the system is in one place, or dispersed in multiple locations and geographical areas (e.g. part in Europe, another part in US).

vi)        Controller means a private or juridical person, which nomination and appointment are subject to the EU or Community Law, that is invested with the power to determine who, when, how, for how long, in what way, and why the personal data could be processed.

vii)      Processor of personal data is the person or entity that is granted authority by the Controller to process personal data.

viii)     By third party, the Article 2 of the Directive, refers to any private person or entity which is different than the subject the data refers to, the controller or the processor as identified above, which is authorized to process personal data under the direct control of the controller or processor.

ix)        The recipient is any private natural or legal person, public authority, agency or any other body, which receives, disclosed data. If during a police investigation, a certain entity was empowered to receive particular personal data, this falls under the scope of this article. For example, anyone who receives personal information (e.g. contact details and address) of someone, from another person or entity could be considered the recipient.

x)          Data subject consent means the expressed, explicit and free consent of a subject, regarding the processing of personal data referring to his person. In practice, consent means when a person provides another person with his address or personal contact details for a university application, regardless that the data are part of a filing or processing system, and/or signs a legal Disclaimer for processing of personal data, for that University application process.

This Directive identifies and defines the minimum data protection elements, which the MS should transpose into their national legislation through their own ways and means, but at the level of protection this Directive aims for.

This Directive establishes also what data controller means and its obligation to verify the applicability of the principles and rules regarding data quality and data processing. Also, the data controller has obligations regarding the subject and the personal data refers to whether the data is obtained from the person himself or through other means. In both cases, the personal data should be processed, filed, manipulated, stored, disclosed, accessed only in the spirit of this Directive. In other words, even if the data is obtained with consent from the subject, the data controller should ensure that all the actions regarding data processing, filing, manipulation, use, storage, etc. are in compliance with this Directive. Furthermore, a comprehensive set of definitions and specific terms are provided in this Directive in order to help understand, implement and protect individuals with regard to the processing of personal data and on the free movement of such data.

Stay tuned for the next post that will present the Directive 2002/58/EC.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive 95/46? Do you think that it effectively protects your rights?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Cloud computing and the Internet part II

October 13, 2011 1 comment

As announced on yesterday’s post “Cloud computing and the Internet part I, E-Crime Expert is posting the second part on cloud computing.

In addition to the methods in which Cloud computing is delivered, there are different types of the cloud computing which include: public cloud, hybrid cloud and private cloud.

Public cloud which is when a service provider offer services such as application usage, development or storage of data, to anyone on the Internet.

Hybrid cloud is when a business uses some applications in house and some provided by an external provider such as storage of data, etc.

Private cloud is when a provider offers cloud computing solutions, but on a private infrastructure network. A business does not want its employees files to be accessible for example on a public cloud and so it rents/buys a private cloud that no one else except that business has access to.

Besides the usefulness of cloud computing solutions, there are questions regarding how the Data Protection Directive applies to this situation? How the personal data of users is dealt with, stored, accessed, manipulated, and processed by the cloud-computing providers. A unique characteristic of cloud computing is that data is floating around from server to server located within the EU or also outside the EU for example to India, the US, etc. Part of someone’s data could be at the same time in the EU and India, on different servers.

There are some questions regarding cloud computing in Facebook’s. Facebook provides services to its clients such as: storage of information (e.g. pictures, videos, profiles, personal data, etc.), application access (e.g. Facebook Places or other applications where the user should agree with the access of that particular application to her personal data), or infrastructure for sending messages, invitations, updates, and posting comments which all deal with private information and data. Everything is done on the Facebook’s platform, which could host the users’ personal information on different servers inside or outside the EU.

The question is who has access to users’ personal data when uploaded and processed on Facebook? According to EU Data Protection Directive (DPD) the users have the right to know which personal data is stored and processed in regards at least to the online marketing advertisers that could be granted access to that data for advertising purposes, profiling, and delivery of targeted advertising. In addition, when a user delete her Facebook account, this operation is not done in real time, it has a delay and the account basically is not deleted but becomes inactive. For example, I ran a search under my name, and some entries showed pictures from my Facebook account that I deleted in the past. This shows that even if the users want to delete some information concerning his person, it would be still available on the Internet.  Furthermore, some entries generate pictures or names of my friends on Facebook by associating them with my Facebook account friends’ list.

In other words, even if a user asks for all of his personal data provided on Facebook to be removed, this most likely would not happen. Facebook claims that some users’ personal data would not be available to any other user on Facebook, but some personal information and data will be kept for technical reasons (such as to provide service to other users which are inter-connected with the account that was deleted).

Regarding the compliance with the EU DPD, it is not clear which rules and regulations could apply to cloud computing, as the cloud concept itself is “volatile” (continually changing). Cloud computing is subject to multiple jurisdictions as the information is moved from one server to another or is stored on different servers located in different geographical areas. Kumaraswany and Latif scholars asked: how does moving the private information to the cloud impact the current privacy compliance requirements?  Is information kept on the server, in the cloud or in a data center? These are questions that momentarily have no answer, at least in regards to how Facebook deals with, makes accessible, stores, and “floats” the users’ private data.

Who has the technical capabilities, jurisdiction and access to verify whether Facebook complies with these requirements?

For how long is the users’ personal data stored on its servers, cloud or in data centers?

According to the EU DPD, the user owns her personal data, but when this data is transferred and stored outside the EU, does the user still own her data?

How could a user enforce her right in this case?

If Facebook had provided the answers to these questions, there would be more transparency and less tensions regarding how users’ personal data is dealt with. The burden of proof regarding that the personal data is dealt with, stored, processed, and made available according to the EU DPD, falls on the provider’s shoulders, at least on an informal level when users are questioning more and more how their privacy is protected.

Any questions can be submitted to:

Additional information can be found at:

Do you think that cloud computing is a threat to privacy? Do you think that cloud computing is “out” of jurisdiction?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

%d bloggers like this: