EU Privacy Directive

The EU Privacy Directive, formally Directive 95/46/EC (the Data Protection Directive), was created in order to protect the privacy and security of individuals' personal data. It also provides common rules on privacy and data processing throughout the member states of the EU, making the transfer of personal data between member states easier and more efficient. The Directive is closely related to Article 8 of the European Convention on Human Rights, which states that every individual has the right to respect for his or her private and family life, home, and correspondence. (Directive 95/46/EC has since been repealed and replaced by the General Data Protection Regulation, Regulation (EU) 2016/679, which has applied since 25 May 2018; the description below reflects the Directive as it stood at the time of writing.)

This directive applies to all member states of the EU, which at the time of writing consisted of the following 25 countries: Austria, Belgium, Estonia, Finland, Hungary, Ireland, Luxembourg, Malta, Slovenia, Spain, Cyprus, The Czech Republic, France, Germany, Italy, Latvia, Poland, Portugal, Sweden, The Netherlands, Denmark, Greece, Lithuania, Slovakia, and The United Kingdom. It also applies to a controller established outside the EU that makes use of equipment situated in a member state to process personal data, unless that equipment is used only for transit through the EU.

The directive sets forth the rules that govern the processing of personal data in the EU. The term processing refers to virtually any operation performed upon the data, whether or not by automatic means, including collecting, recording, storing, altering, retrieving, disclosing, transferring, erasing and destroying it. Although the Directive sets forth the rules and requirements for the EU as a whole, each member state is responsible for transposing them into its own national law and assigning penalties for noncompliance in accordance with its own legal system, so the details of enforcement vary from state to state.

According to the Directive, data may only be processed if one of the following conditions is met:

  • The individual to whom the data pertains (the "data subject") has unambiguously given consent
  • It is necessary in order to perform a contract to which the data subject is party, or to take steps at the data subject's request prior to entering into a contract
  • It is necessary for compliance with a legal obligation to which the controller is subject
  • It is necessary in order to protect the vital interests of the data subject
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1)

If and when data is processed, the controller must ensure that it is processed in a way that adheres to the following standards:

  • The data is processed fairly and lawfully
  • It is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for historical, statistical or scientific purposes is permitted where appropriate safeguards have been implemented
  • The data used is adequate and relevant, and not excessive in relation to the purpose for which it is being processed
  • The data is accurate and, where necessary, kept up to date. Any incomplete or inaccurate data should be erased or corrected
  • Data is kept in a form which allows the data subject to be identified for no longer than is necessary for the purposes for which it was collected. Data that is kept for longer periods for historical, statistical or scientific purposes must be protected with appropriate safeguards

In addition, appropriate technical and organisational measures must be taken so that the data is secure at all times, in particular against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, whether this protection entails electronic safeguards or confidentiality agreements with the people who handle the data. Responsibility for compliance rests with the controller, the person or body that determines the purposes and means of the processing and takes the decisions pertaining to it.

Data may not be processed if it reveals the data subject’s race or ethnicity, political views, religion, philosophical beliefs, or trade-union membership, or if the data pertains to his or her health or sex life, except in the following circumstances:

  • He or she has given his or her explicit consent
  • Processing is necessary to carry out the controller's obligations and rights in the field of employment law, as permitted by national law
  • It is being done to protect the vital interests of the data subject or of another individual, and the data subject is physically or legally incapable of giving consent
  • The processing is carried out by a non-profit body with a political, philosophical, religious or trade-union aim in the course of its legitimate activities, relates only to its members or persons in regular contact with it, and proper safeguards are implemented
  • The data processed has been manifestly made public by the data subject
  • The data must be processed in order for the establishment, exercise or defense of legal claims to occur
  • Processing is necessary for the provision or management of health care or treatment and is carried out by a health professional bound by professional secrecy

Member states may adopt legislation restricting some of the obligations and rights set out in the directive where such a restriction is necessary to safeguard any of the following:

  1. National defense
  2. National or public security
  3. The prevention, investigation, detection and prosecution of criminal offences
  4. Important economic or financial interests of a member state or of the EU, including monetary, budgetary and taxation matters
  5. The protection of the data subject or of the rights and freedoms of others

Any individual who has personal data processed must receive at least the following information from the controller:

  • The identity of the controller (and of its representative, if any)
  • The purposes for which the data is being processed
  • The recipients or categories of recipients of the data
  • The fact that he or she has the right to access and (if necessary) rectify the data

Any individual who has personal data processed has the Right of Access, which entails the data subject's right to obtain from the controller, without excessive delay or expense, confirmation of whether data relating to him or her is being processed, for what purposes, which data is involved, and who, if anyone, is receiving it. The data subject also has the right to have data whose processing does not comply with the directive, in particular because it is incomplete or inaccurate, rectified, erased or blocked.

The Directive also gives data subjects the Right to Object, which allows him or her, on compelling legitimate grounds relating to his or her particular situation, to object to the processing of his or her data (at least where the processing relies on the public-interest or legitimate-interests grounds above), and to object, free of charge, to the processing of his or her data for the purposes of direct marketing.

Member states must enact legislation to provide a judicial remedy for any breach of the rights guaranteed by the directive, as well as sanctions to be imposed for infringement. The directive specifies that the data subject is entitled to compensation from the controller for any damage suffered as a result of unlawful processing, unless the controller proves that it is not responsible for the event giving rise to the damage.

For more information about this topic, please contact us at info@globalseci.com