Posts Tagged ‘Directive (European Union)’

Privacy versus Data Protection

November 27, 2012 6 comments

Today, E-Crime Expert presents the main similarities and differences between privacy and data protection concepts mainly from two different legislative perspectives:  Canada and the European Union (EU), and briefly from the United States (US).

Also, this blog post provides the main privacy and data protection legislative acts from Canada and EU as a useful resource for those interested or working in this field.

Last but not least, you could find bellow the full EU Data protection revision 2012 package.

I.      US versus EU versus Canada

-The United States (US) and European Union (EU) have different concepts regarding personal information and private data, such as Privacy in the US versus Data Protection in the EU.

US’s approach to privacy focuses on narrowly applicable legislation.

  • sector-based,
  • with a mix of legislation,
  • regulation and self-regulation,
  • focusing on the protection of personal information by specifically addressing a particular industry sector (i.e. medical information, online transactions, credit check, etc)
  • regulating data collected by the federal government

EU has a more comprehensive approach.

  • set of rights and principles for personal data treatment (processing),
  • without considering that the data is held in the public or private sector,
  • protects just natural persons not legal entities
  • the relation between data protection and the economic value as a proper balance between fundamental rights and free flow of information (which has economic value).
  • by granting data protection as a fundamental right, the aim is to protect the individuals but also to encourage the free flow of information, giving data subjects legal certainty and encouraging them to not negatively affect the exchange of information and data

-Canada – similar level of protection to the EU one.

  • Privacy is regulated by the government at the federal and provincial level:
    • The Privacy Act (federal level for private information held by the gov),
    • PIPEDA (federal level for private sector),
    • PIPA (provincial level for private sector, Alberta for example),
    • FOIP (provincial level for public sector, Alberta for example),
    • HIPA (federal level for health information),
    • HIA (provincial level for health information, Alberta for example)
  • The difference between Canada and EU
    • Canada’s legislation regulates both organizations and individuals privacy rights and access
    • EU’s legislation regulates the individuals’ rights (no organizations)
    • Canada gives to the individual the right to access their data or other individuals’ or organizations data along with their privacy protection right under the same Act (The Privacy Act, FOIP)
    • EU gives to the data subject the right to protection of their personal data under one single act (Directive 95) and to access data for public interest under the Transparency Regulation (1049)-no others personal data could be accessed in the private sector (just for law enforcement)
  • Canada enacted different acts for different data categories (private-PIPA, public-FOIP, health-HIA, children-Child, Youth&family enhancement act, etc)
  • EU has the same Legislative Act (e.g. Directive) but with different degrees of protection and limitations based on the data categories sensitivity (identification, medical, criminal, etc).
  • Canada sets forth a minimum time for information retention when EU sets forth a maximum time for data retention
  • in Canada information sharing is done based on Information Sharing Agreements (local, federal, international)
  • in EU the data transfer has three layers of protection for exchange locally within the same institutions, bodies, organizations, between EU member states, or internationally (with third countries).

 II.      Privacy versus data protection

  • The concept of privacy and data protection is not the same.
  • Data protection has a privacy dimension, but it is narrower in scope than the privacy concept, “as the privacy encloses more than personal data” (i.e. private life, private home, private correspondence, etc.)
  • From a different angle, it encloses a wider area, “since personal data are protected not only to enhance the privacy of the subject, but also to guarantee other fundamental rights, such as the right to freedom of expression, or the right to know what data is gathered about you,  to have access to your data, to ask for modification or deletion of your data, etc”
    • Furthermore, data protection gives individuals the right to know
  • What personal data is collected,
  • on what legal grounds,
  • how it is used, for how long it used and kept,
  • and by whom.
    • specifically grants data subjects with the rights to access, modify,   update or ask for deletion of such data

 III.      EU legislative framework

IV.      EU Data protection revision 2012 (to reflect the new technological developments and to provide a consistent legislative framework across EU):

Click here to access the new proposed EU Data Protection regulation

  • It was proposed a Regulation versus the existing Directive. A Regulation is better, as it is immediately and more uniformly implemented into the Member States national law.
  • Data subjects
    • increasing responsibility and accountability – companies would have to notify their clients of any theft or accidental release of personal data
    • clarifying that where someone’s consent is required before a company reuses their personal data, they need to give that consent explicitly – people would also have access to their own private data and be able to transfer it to another service provider more easily
    • reinforcing the ‘right to be forgotten’ – people will be able to have their personal data deleted if a business or other organization has no legitimate reasons for keeping it
    • applying EU rules when personal data is processed outside Europe – people would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU
    • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services
  • Good for business
    • A single set of rules would encourage a more consistent application of the law across the EU. Businesses would have clear rules on how to treat personal data
    • Companies would only have to deal with a single national data protection authority in the EU country where they have their main operations (saving businesses an estimated €2.3bn a year)
    • The obligation of appointment of a data protection officer for organizations with 250 employees and over (private sector
    • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data
    • Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)
    • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed
    • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens
    • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company
  • Better enforcement
    • The new rules would give national data protection authorities powers to enforce the EU rules more rigorously
    • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data. For the new Directive click here.
  • Next steps
    • The proposals is aimed to encourage more online commerce by improving consumer trust – contributing to economic growth and job creation. The new Data protection proposed legal framework (Regulation+Directive) must be approved by the European Parliament and Council before becoming law.
  • Commission Proposals on the data protection reform: legislative texts

Source: Directorat General Justice of the European Commission

Any questions can be submitted to:

Additional information can be found at:

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog


“Cookie” Directive

October 28, 2011 6 comments

From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:

Directive 2009/136/EC amends and supplements Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.


Directive 2009/136/EC addresses the issues of unsolicited commercial messages, the use of technologies for telemarketing purpose the use of traffic and location data, public directories and cookies: “a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server”. Through the implementation of this Directive, which complements and amends Directive 2002/58/EC, a better protection of users’ personal data is aimed at. Additionally, a new framework for disclosure of security breaches from the electronic communication provider to their users is set.

Regarding the access of the stored data (Article 4 E-Privacy Directive), in the view of this new Directive, the electronic communication providers should ensure that users’ personal data can be accessed only by “authorized personnel for a legally authorized purpose”. The new requirement essentially is that the communication service providers should implement security policies regarding the processing of users’ personal data. In regards to this stipulation, the national authorities are granted rights to audit the measures taken by the providers of communication services in regard to security and the processing of users’ data, and could provide best practices and techniques in achieving the best security measures for users’ data protection.

In the view of this Directive, regarding the breach of security, the communication service providers are provided with clear definitions and meanings of security breaches and risks, and the notion of personal data breach has been introduced. The scope of this Directive referring to security breaches is that the communication service providers should take appropriate actions to try stop or reduce the effect of security breaches, inform the user about the data that was at risk or breached, and when well-defined and potential security breaches could occur such as: “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.” The scope of identifying and defining those security risks is that from the moment this Directive will be implemented (e.g. June 2011), every communication service provider will refer to security breaches as to something well determined and are also obliged under the new Art 4 (3) to give Notice of security breaches to the competent national authority and to the user whose data is at risk, suffered an adverse effect or when data at risk could potentially disclose the user’s identity. The Notice is not required if the communication service provider proves that all the technical and security measures available were taken to protect users’ privacy and security breaches.

This directive applies to the collection of personal data placed on a EU user’s terminal (i.e. computer hard drive, smartphone, iPad) by using cookies as a mean of equipment. Consequentially, the EU users are protected against any website that uses cookies (without users opt-in consent),

The Directive requires before any cookie is sent to a user terminal, consent should be obtained. The user needs to express the opt-in consent before any cookie is sent. The user’s terminal is regarded as his personal and private space and an illegitimate installation of a program such cookies, is a privacy intrusion. In addition, if the user gives consent for cookies installation, the user should also be informed about any exchange of private information retrieved from his terminal. Precedent views regarding the user’s browser settings, assumed that if the browser setting allows cookies (i.e. the user set up his browser to accept cookies), then the consent is given. Furthermore, this Directive requires, even if the browser settings allow cookies, still the user must be informed regarding any exchange of private information between his computer terminal and the communication service provider.

For example, when a third-party website which uses Facebook “Like” button (even when the button is not clicked on that particular website, when the user visits it), when it is visited by a Facebook user, because of the cookie assigned to its unique Facebook ID number, makes him identifiable to the third-party website as well. The website “knows” then who is the visitor and can get access to that particular user’s Facebook profile (the “Like” button is designed to post on one’s Facebook Wall the website/business he likes). By getting access to private information this is a breach of this directive because the user should “be informed about any exchange of private information retrieved from his terminal”.

This Directive entered into force as of 2010, but the EU Member States should have transposed it into their national legislation by June 2011.

If you would like to read another E-Crime Expert Article on how the cookie “notification” is actually done in practice, check “Privacy: search for it and claim it“, post.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive? Are you aware of the use of cookies? Are you informed about the use of cookies on your machine?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data Retention Directive

October 26, 2011 Leave a comment

From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:

Directive 2006/24/EC, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services.


Under Article 1 “Scope”, the Directive objective is to establish legal provisions concerning public communications providers in order for the traffic and location data (necessary to identify a user) to be stored for at least 6 month to a maximum period of 24 months. The purpose of users’ stored data is when criminal investigations, detection and prosecution of serious crimes require access to users’ traffic data, the communication service provider has to make it available.

From the definition section point of view, outlined under Article 2 “Definitions”, two new terms are introduced which are not mentioned under the Data Protection Directive.

i)       user ID: refers to a unique identifiable number or sequence of numbers, letters or a combination of two, assigned to users when they subscribe to an Internet Service Provider (ISP) or Internet Communication Service (ICS).

ii)      cell ID: refers to any means which could identify a user in relation with a cellular phone call, by determining the cell phone from where the phone call was made or terminated.

Further, the authorities’ access to the retained data is regulated under Article 5 as following:

i)       any necessary data which traces and identifies the communication type and the person or entity that made it. Here no distinction is made between data in general, private information, natural person or legal person. The access is granted for traffic or subscriber of data.

ii)      any traffic data which is made available through a digital, analog fixed telephony network or mobile network should be retained by the service provider in the scope of this Directive, whether is the calling number or/and the name and address of the user.

iii)    the  Internet ID (e.g. Internet Protocol address) or the VOIP number (e.g. Skype offers phone numbers to its subscribers), should be retained and made available for the scope of this Directive. Furthermore if a user is subscribed to a certain SNS (e.g. Facebook or YouTube) under an ID number or nickname, the identity of that user (if it could be determined) should be provided by that SNS provider in the cases outlined under Article 1 “Scope” of this Directive.

The same categories of information regarding the identification of the communication should be retained as well, as stipulated under Article 5 (b) “data necessary to identify the destination of a communication”. No content data of the communication can be retained.

The duration of retention of users’ data is regulated under Article 6 “Periods of retention” where this period of time should be between 6 months minimum and 24 months maximum.

Article 7 addresses the “Data protection and data security” issue by requiring the communication providers in relation with the stored data, to:

i)       ensure that they have all the organizational and technical means to preserve and protect the data at the same quality as they protect the users’ data in their networks.

ii)      provide all the technical and organizational means to protect users’ data from destruction, alteration, deletion (partial or total), processing, access or unlawful storage.

iii)    make available all the stored data for access only by specially authorized personal.

iv)    destroy all the data after the period of retention expires, except that data which is subject to necessary, appropriate and proportionate measures to safeguard national security, defence, public security, or prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as indicated under Article 15 (1) Directive 2002/58/EC.

Article 8 details that the requirements and standards for retained data are to be transmitted from the communication provider to the authorities, with no delay, and more specifically the users’ data is to be accessible and available in real time.

Article 9 refers to the obligation of providing supervision by the MS on how users’ data is stored, if it is secure, and thus not vulnerable or altered, etc. The supervisory authorities could be the same as described in Article 28 of Directive 95/46/EC.

The scope of this Directive is to require the operators of publicly available electronic communication networks to store and provide location and traffic data (not content data) processed through their networks, to the State authorities (e.g. police, intelligence service, government, etc) for the purpose of serving the detection, investigation and prosecution of serious crimes.

The corespondent national law that implemented this Directive in MS, was found unconstitutional in several countries already: Romania, Germany, Bulgaria, to name few. For the moment this Directive is suspended until will be decided its necessity in the existing form, in a new amended form or at all.

Stay tuned for the next post that will present the Directive 2009/136/EC  known as “Cookie Directive Directive”.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive? Do you think that the retention of data help you stay protected?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

E-privacy Directive

October 24, 2011 3 comments

From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:

Directive 2002/58 on Privacy and Electronic Communications, otherwise known as E-Privacy Directive



The scope of his Directive is to complement the Data Protection Directive 95/46/EC. The objective is pursued by the harmonization of the provisions of the Member States (MS) in order to secure a uniform and equivalent level of protection of fundamental rights and freedoms among all the MS. It addresses the right to privacy when processing personal data in the electronic communication field (i.e. communication environment which allow content to be delivered digitally through networks, such as the Internet, as opposed to the analog telecom features); and it also secures the free movement of personal data and electronic communications. The Directive does not address issues regarding security and defense, covered by the title V of the Treaty on European Union. Criminal law is addressed by the Council Framework Decision 2008/977/JHA, formerly under title VI of the Treaty on European Union. While the Data Protection Directive refers just to natural persons, the 2002/58/EC Directive refers to legal persons as well.

Under Article 2 “Definitions” new terms are provided for the electronic services providers, in order to supply better protection for the users of such services with regards to:

i)           the user: identified as a any private person that is using a publicly available electronic communication service for personal or business purposes, which does not have necessary to be subscribed to a determined service (e.g. visiting a website does not require subscription, but personal data could be retrieved).

ii)          traffic data: refers to any data necessary for carrying a communication on an electronic communication network (such as IP address, user name, email address) but not limited to billing purpose (i.e. to establish the cost of the services provided). The electronic communication providers argued that they needed to keep traffic data for billing purposes.

iii)        location data: refers to any data processed in an electronic communication network which determines a geographic position or location with regards to a user or the user’s equipment while using publicly available electronic communication services. This definition is important for users which use for example a cellular as a terminal for their communication instead of a computer. Using a cellular (mobile phone, which is different then a fixed computer station), user’s particular location may be determined by the communication service provider based on the signals sent and received to the closest communication “cell” in the proximity of that user, as any cellular has an unique identity number (IMEI). The Internet Protocol (IP) address used by computers for Internet connections can identify a user located in a certain geographical area. For example, when one logs into their computer while in The Netherlands, his web browser provides information in Dutch, while another person in the UK is provided the same information in English, and there is a clear differentiation made between their geographical location.

iv)        communication: is identified as an information exchange between users when using publicly available communication services (e.g. email). It does not refer to TV or radio broadcasting. The communication could take the form of text, audio, video or photo, or code.

v)          call: refers to any connection performed through a publicly available telephone service, by allowing a two-way communication in real time.

vi)        consent: refers to user or subscriber approval given to any entity for processing, retrieving, using, etc. data in accordance with the Directive 95/46/EC stipulations.

vii)       value added service: refers to any service that requires the processing of traffic or location data other than the traffic data required for the communication itself or billing purpose.

viii)     electronic mail: refers to any sound, voice, text, image, or message sent through a public communication network  that can be stored  in the network or on the user’s terminal. By establishing the “electronic mail” term to more than a “written message” clarifies that under electronic mail (as Web 2.0 is in use), can fall any kind of communication between users such as family pictures, music, or videos.

Establishing these definitions is an important step taken in eliminating confusion between users and providers, ensuring that now both parties have the same understanding and terms of reference when dealing with “communication”, “location data”, “electronic mail”, “user”, and “consent”, etc.

Under Article 4 (1) “Security”, the Directive established as a general obligation for the provider of electronic services to supply security of services by ensuring that technical and organizational measures are in place in order for personal data concerning the users is appropriately protected. Under Article 4 (2) “Security” the Directive established new obligations for the electronic service providers by requiring them to inform the subscribers when risks (e.g. viruses, malwares) are detected in the network or are imminent to occur.

Article 5 sets forward another obligation for the providers of electronic communication, as they have to provide confidentiality of the information regarding their users. The Directive clearly prohibits any type of listening, tapping, storage, interception, and surveillance of communication and traffic data if the users did not expressly give their consent or if no exemptions apply such as: necessary, appropriate and proportionate measures to safeguard national security, defence, public security, or prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as indicated under Article 15 (1).

Article 6 concerns traffic data and expressly requires the providers of public communication networks to erase or make it anonymous when it is no longer required for the transmission of a communication. Furthermore no electronic communication provider can keep this data for marketing, advertising or value added services without the consent of the users. This consent could be withdrawn at any time. The provider should inform the user which type of data is processed, for how long, and the scope of the processing. The processing of the data should be done just by the legitimate and authorized personnel from the provider’s side or on its behalf with regards to billing, marketing, fraud detection, and customer services and it must be restricted to what is necessary for providing the communication service.

Under Article 9, location data is dealt with such that data, which provides a geographical position or location obtained through a public communication network, but which is not traffic data, and can be processed only when the users are made anonymous or they gave their consent. The purpose of data processing, duration, and transition to third parties can be done only when the users expressed their consent. Once the user has given their consent, they can also withdraw it. The users could discretionarily give consent regarding each time when location data is processed, transmitted or manipulated by the service providers. The transmission to third parties of location data is restricted to the scope of offering value added services.

Article 12 requires providers of electronic communication to inform the users before they are included in any kind of directory of the purpose of the directory and the usage availability of that directory whether is offline or online. The users have the right to identify that data, modify or withdraw from the directory.

Under Article 13, the Directive establishes rules and defines unsolicited email (e.g. Spam) and restricts the use of email addresses for marketing purpose. This Article establishes an opt-in regime when the users give prior agreement. Under the scope of this Article falls also the text messages, push mail (i.e. the message is received from the server where it is stored; always-on e-mail receiving capabilities) or similar forms, which target users’ portable devices such as, smartphones, PDA’s (e.g. iPhone, HTC).

Directive 2002/58 is a continuation of the Data Protection Directive and addresses a number of new important issues, which come along with the new advanced digital technologies in the field of the communication networks. This Directive also implements specific requirements regarding the protection of personal data, which at the time when Directive 95/46/EC came into place, have not been foreseen due to the technological developments available at that time (i.e. 1995). The development of the information society comes with new electronic communication services such as digital networks, which facilitate a faster, and more global transfer of personal data between users. Besides the economical and technological benefits, the users’ privacy should be properly protected with up-to-date regulatory measures

Stay tuned for the next post that will present the Directive 2006/24/EC  known as “Data retention Directive”.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive? Do you think that it effectively protects your rights in relation to the electronic communication field?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Data protection Directive-part II.

October 21, 2011 Leave a comment

E-Crime Expert started a new series where is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights.

This post is presenting the second part of the Directive 95/46-data protection Directive, which it is the central piece of legislation on the protection of personal data in Europe. The Directive stipulates general rules on the lawfulness of personal data processing and rights of the people whose data are processed (‘data subjects’). The Directive also provides that at least one independent supervisory authority in each Member State shall be responsible for monitoring its implementation.

Under the first level of protection concerning data subjects, they have the right to know who the data controller is, who the recipient of the data is and the purpose of data processing. If data concerning a private person is not accurate or incomplete, that person has the right to claim the rectification, update or completion of that data referring to his person. The data controller should carefully act when processing data in order to protect that personal data from destruction, alteration, deletion or unlawful processing. The controller is the entity that gives approval and instruction for data processing, which should provide security measures against deletion, alteration and unlawful processing. The data subject is fully entitled to express his consent regarding: if, when and how his personal data is processed with regards to receiving for example, direct marketing material.

The second level addresses the processing of sensitive data by setting out criteria for a special category of data as such:

Article 8 (1) DPD: prohibition to process special categories of data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”.

The specific exemptions are as follows: Article 8 (2): when the subject gave his explicit consent, or it is a matter of employment law; vital interest; legitimate activities (non-profit organization); data is made available by the subject himself; medical data; public interest; criminal data; national identification number; or Article 9: journalistic, artistic purpose.

The information regarding sensitive personal data and its use includes, but is not limited to, philosophical and religious beliefs, sex life, health, and race which are given special status and they cannot be subject of data processing unless the data subject expressed her consent or in any other inapplicable situations expressly established through this Directive. The supervisory authority can achieve the enforcement of data processing. This authority is empowered to investigate, block, erase, destroy or stop processing when the data was obtained unlawfully. Furthermore, if a private person suffered damage or losses from an unlawful data processing, he could claim compensation for the damage or lose from the controller in charge. Exemptions of these stipulations apply as identified under Article 8 (2) above. However, when a data controller processes sensitive personal data he should both comply with level one and two of the protection of sensitive data.

The third level of protection is in regards to the transfer criterion of personal data to third countries:

Article 25 (1): Adequate level of protection: “transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection” :

Article 26 (1) Derogations regarding data that could be transferred to third countries when:

a)     the subject gives unambiguous consent

b)    it is a contractual obligation (matter)

c)     contract between controller and third party in the interest of the subject;

d)    matter of important public interest;

e)     vital interest of the data subject;

f)     transfer is made from a public register.

Article 26 (2): authorization is given by the MS “…transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses”.

The transfer of personal data outside of the EU territory should comply with an adequate level of protection provided by the third country where the data is transferred. When a third country does not offer an adequate level of protection regarding data from EU space, then the data controller should employ any measure in order to prevent any transfer to that third country. When the data processor transfers personal information to third countries, it should also comply with the first level of protection (processing of personal data), and the second level of protection (processing of sensitive personal data). Additional protection is provided as at a fourth and fifth level regarding the right to privacy when processing personal data in the electronic communication field (Directive 2002/58) and respectively the data retention protection (Directive 2006/24/EC).

The purpose of having a layered system is that the appropriate protection should be granted in regards to private information and personal data. As there are different categories of data (general data and sensitive data), the protection is also granted on different levels in order to not over regulate, but what is most important is to provide a sufficient level of protection.

In addition, the Directive 95/46/EC sets forward clear definitions regarding: personal data, data subject, identifiable information, processing of personal data, personal data filling system, controller, processor of personal data, third party, recipient and data subject consent.

i)       “data subject” means any natural person who could be identified or identifiable by any information (personal data) regarding his person”.

ii)      “personal data” means any information that could identify or make identifiable a natural person, such as: name, address, telephone number, pictures, videos, identification number, place of birth, educational, employment, financial, physical, mental or social information, sex, religion, race”.

iii)    “Identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

iv)    Processing of personal data as any type of action, operation or set of operations applied to personal data regardless if the action is done automatically or not, by a computer or manually. The actions considered as processing of personal data under Article 2 (b) are: “collection, recording, organizing, storage, adaption, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” of personal data. In other words, in the view of this Directive, any person or entity who collects, organizes, use, retrieves or makes personal data available to another party, without right, consent, or without following the specific requirements and exemptions of this Directive, is in non-compliance with this normative act. Collection of personal data means when for example someone submits an application for a university program and the registry office collects the applicant’s personal information such as: name, contact details, address, etc. Also, collection of personal information is when someone subscribes to a website, an email client, or a SNS when setting up a user account. The receiver (e.g. university) could organize this personal information based on different purposes such as: entrance to a particular program, scholarship applications, etc. In the online case, this information could also be categorized for the purpose of granting access to different services as basic user, premium user, etc.

v)         Personal data filling system means when a system is in place to identify and retrieve information regarding a person, based on a determined request and criterion such as: listing the entire number of the subjects stored in that particular system based on age groups, sex, certain location, etc, whether the system is in one place, or dispersed in multiple locations and geographical areas (e.g. part in Europe, another part in US).

vi)        Controller means a private or juridical person, which nomination and appointment are subject to the EU or Community Law, that is invested with the power to determine who, when, how, for how long, in what way, and why the personal data could be processed.

vii)      Processor of personal data is the person or entity that is granted authority by the Controller to process personal data.

viii)     By third party, the Article 2 of the Directive, refers to any private person or entity which is different than the subject the data refers to, the controller or the processor as identified above, which is authorized to process personal data under the direct control of the controller or processor.

ix)        The recipient is any private natural or legal person, public authority, agency or any other body, which receives, disclosed data. If during a police investigation, a certain entity was empowered to receive particular personal data, this falls under the scope of this article. For example, anyone who receives personal information (e.g. contact details and address) of someone, from another person or entity could be considered the recipient.

x)          Data subject consent means the expressed, explicit and free consent of a subject, regarding the processing of personal data referring to his person. In practice, consent means when a person provides another person with his address or personal contact details for a university application, regardless that the data are part of a filing or processing system, and/or signs a legal Disclaimer for processing of personal data, for that University application process.

This Directive identifies and defines the minimum data protection elements, which the MS should transpose into their national legislation through their own ways and means, but at the level of protection this Directive aims for.

This Directive establishes also what data controller means and its obligation to verify the applicability of the principles and rules regarding data quality and data processing. Also, the data controller has obligations regarding the subject and the personal data refers to whether the data is obtained from the person himself or through other means. In both cases, the personal data should be processed, filed, manipulated, stored, disclosed, accessed only in the spirit of this Directive. In other words, even if the data is obtained with consent from the subject, the data controller should ensure that all the actions regarding data processing, filing, manipulation, use, storage, etc. are in compliance with this Directive. Furthermore, a comprehensive set of definitions and specific terms are provided in this Directive in order to help understand, implement and protect individuals with regard to the processing of personal data and on the free movement of such data.

Stay tuned for the next post that will present the Directive 2002/58/EC.

Any questions can be submitted to:

Additional information can be found at:

Did you know about this Directive 95/46? Do you think that it effectively protects your rights?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

%d bloggers like this: