Protection of personal data
Directive 95/46/EC is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the European Union (EU). To do so, the Directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data.
European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281 of 23.11.1995] [See amending acts].
This Directive applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non automated filing systems (traditional paper files).
It does not apply to the processing of data:
- by a natural person in the course of purely personal or household activities;
- in the course of an activity which falls outside the scope of Community law, such as operations concerning public security, defence or State security.
The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful. The guidelines relate to:
- the quality of the data: personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. They must also be accurate and, where necessary, kept up to date;
- the legitimacy of data processing: personal data may be processed only if the data subject has unambiguously given his/her consent or processing is necessary:
- for the performance of a contract to which the data subject is party or;
- for compliance with a legal obligation to which the controller is subject or;
- in order to protect the vital interests of the data subject or;
- for the performance of a task carried out in the public interest or;
- for the purposes of the legitimate interests pursued by the controller;
- special categories of processing: it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. This provision comes with certain qualifications concerning, for example, cases where processing is necessary to protect the vital interests of the data subject or for the purposes of preventive medicine and medical diagnosis;
- information to be given to the data subject: the controller must provide the data subject from whom data are collected with certain information relating to himself/herself (the identity of the controller, the purposes of the processing, recipients of the data etc.);
- the data subject's right of access to data: every data subject should have the right to obtain from the controller:
- confirmation as to whether or not data relating to him/her are being processed and communication of the data undergoing processing;
- the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive in particular, either because of the incomplete or inaccurate nature of the data, and the notification of these changes to third parties to whom the data have been disclosed.
- exemptions and restrictions: the scope of the principles relating to the quality of the data, information to be given to the data subject, right of access and the publicising of processing may be restricted in order to safeguard aspects such as national security, defence, public security, the prosecution of criminal offences, an important economic or financial interest of a Member State or of the European Union or the protection of the data subject;
- the right to object to the processing of data: the data subject should have the right to object, on legitimate grounds, to the processing of data relating to him/her. He/she should also have the right to object, on request and free of charge, to the processing of personal data that the controller anticipates being processed for the purposes of direct marketing. He/she should finally be informed before personal data are disclosed to third parties for the purposes of direct marketing, and be expressly offered the right to object to such disclosures;
- the confidentiality and security of processing: any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller. In addition, the controller must implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access;
- the notification of processing to a supervisory authority: the controller must notify the national supervisory authority before carrying out any processing operation. Prior checks to determine specific risks to the rights and freedoms of data subjects are to be carried out by the supervisory authority following receipt of the notification. Measures are to be taken to ensure that processing operations are publicised and the supervisory authorities must keep a register of the processing operations notified.
Every person shall have the right to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question. In addition, any person who has suffered damage as a result of the unlawful processing of their personal data is entitled to receive compensation for the damage suffered.
Transfers of personal data from a Member State to a third country with an adequate level of protection are authorised. However, they may not be made to a third country which does not ensure this level of protection, except in the cases of the derogations listed.
The Directive aims to encourage the drawing up of national and Community codes of conduct intended to contribute to the proper implementation of the national and Community provisions.
Each Member State is to provide one or more independent public authorities responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to the Directive.
A Working Party on the Protection of Individuals with regard to the Processing of Personal Data is set up, composed of representatives of the national supervisory authorities, representatives of the supervisory authorities of the Community institutions and bodies, and a representative of the Commission.
|Act||Entry into force||Deadline for transposition in the Member States||Official Journal|
OJ L 281 of 23.11.1995
|Amending act(s)||Entry into force||Deadline for transposition in the Member States||Official Journal|
|Regulation (EC) No 1882/2003||
OJ L 284 of 31.10.2003
Successive amendments and corrections to Directive 95/46/EC have been incorporated in the basic text. This consolidated version is for reference purpose only.