Last checked: 07/02/2018

Data protection and privacy

Collection and processing of personal data

EU data protection rules mean that your personal data can only be processed in certain situations and under certain conditions, such as:

  • if you've given your consent (you must be informed that your data is being collected)
  • if data processing is needed for a contract, for a job application or a loan request
  • if there is a legal obligation for your data to be processed
  • if processing is in your 'vital interest', for example if a doctor needs access to your private medical data when you've had an accident
  • if processing is needed to carry out tasks in the public interest or tasks carried out by government, tax authorities, the police or other public bodies

Personal data about your racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade-union membership or health may not be processed except in specific cases (e.g. when you've given explicit consent or when processing is needed for reasons of substantial public interest, on the basis of EU or national law).

These rules apply to both public and private bodies.

Processing personal data

The person or body handling your data is called the 'data controller'. They have to respect EU rules about how they handle and store your personal data:

  • your data can only be collected for clearly defined legitimate purposes
  • the data requested from you must not be excessive
  • data which identifies you as an individual (i.e. your name or contact details) must not be kept any longer than needed
  • you must be able to correct, remove or block incorrect data about yourself
  • your data should be protected against accidental or unlawful destruction, loss, alteration and disclosure

If sensitive personal information is stolen, lost or illegally accessed – known as a 'personal data breach' – the provider must report it to the national data protection authority. The data controller must also inform you directly if there are any risks related to your personal data or privacy due to the breach.

Your privacy in electronic communications (internet and mobile phone networks)

EU rules on personal data protection and privacy in electronic communications cover internet communication, such as access to the internet, and communication via mobile and fixed phone networks.

Your service provider must comply with the following rules:

  • confidential communications – banning the listening into, tapping or storage of communications without your consent
  • secure networks and services – ensuring that electronic communications providers put measures in place to ensure their services are secure
  • data breach notifications – if a provider experiences a security breach that leads to the loss or theft of personal data, it has to inform the national authority and, in some cases, the subscriber or individual
  • traffic and location data – this data must be erased or made anonymous when no longer required for communication or billing purposes, except if you've given your consent for it to be used in another way (or if required for law enforcement purposes)
  • spam – you must give your consent before unsolicited commercial communications (known as 'spam') are sent to you. This also covers SMS text messages and other electronic messages
  • public directories – you have to give prior consent before your telephone number, email address and postal address are listed in a public directory
  • caller identification – you must have the option for your telephone number not to be shown when you make a call

Sample story

Maria, from Spain, spends a lot of time chatting with friends on the internet. After seeing some stories in the news she began to get a bit worried that her service provider could be tracking her messages.

Maria then checked the website of the Spanish data protection authority and was reassured about her right to confidentiality while online, and what her service provider could or could not do with her personal data.

What about cookies?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. Cookies are widely used to make websites work more efficiently by saving your preferences. Tracking cookies are also used to follow your internet use as you browse, make user profiles and then display targeted online advertising based on your preferences.

EU rules mean that any website using cookies has to inform you that they use cookies, and you have to give your consent. You should always have the option to deactivate or to not accept cookies on your device. You also have the right to know how the cookie information will be used.

The right to be forgotten

You have the right, in certain cases, to ask data controllers to correct, remove or block incorrect data about yourself. This is known as 'the right to be forgotten'. These rules also apply to search engines, such as Google, as they're also considered to be data controllers.

You can ask for links to personal information about yourself to be removed from a search engine where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of data processing.

What if your data is collected illegally or misused?

If you think that your data is not being handled according to the rules or has been processed illegally, you can send a complaint to the data controller (the person or body processing your data).

You have the right to:

  • ask for the data to be corrected, erased or blocked
  • demand that the data controller notify those who have already seen the incorrect data, unless this requires a disproportionate effort

If you don't get a reasonable answer from the data controller, you can send a complaint to your national data protection authority.

National data protection authorities

Each EU country has to have at least 1 data protection supervisory authority. They make sure that data protection law is correctly applied and handle any complaints about breaches of the rules.

You should send your complaint in writing to your national data protection authority. In some countries there is a standard form for complaints or complaints can be sent by email.

If the supervisory authority finds that data protection law has not been respected, it can order data to be erased or destroyed, and can ban further data processing by the data controller in question.

Search in the list of national data protection authorities.

Infringements of the ePrivacy Directive are sometimes enforced by a different national authority rather than the data protection authority. Search in the list of competent authorities for ePrivacy.

You can also present your case directly to the competent national court.
