Directive 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 24 October 1995
on the protection of individuals with regard to the processing of personal data
and on the free movement of such data
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in
particular Article 100a thereof,
Having regard to the proposal from the Commission (1),
Having regard to the opinion of the Economic and Social Committee (2),
Acting in accordance with the procedure referred to in Article 189b of the
Treaty (3),
(1) Whereas the
objectives of the Community, as laid down in the Treaty, as amended by the
Treaty on European Union, include creating an ever closer union among the
peoples of Europe, fostering closer relations between the States belonging to
the Community, ensuring economic and social progress by common action to
eliminate the barriers which divide Europe, encouraging the constant
improvement of the living conditions of its peoples, preserving and
strengthening peace and liberty and promoting democracy on the basis of the
fundamental rights recognized in the constitution and laws of the Member
States and in the European Convention for the Protection of Human Rights and
Fundamental Freedoms;
(2) Whereas
data-processing systems are designed to serve man; whereas they must, whatever
the nationality or residence of natural persons, respect their fundamental
rights and freedoms, notably the right to privacy, and contribute to economic
and social progress, trade expansion and the well-being of individuals;
(3) Whereas the
establishment and functioning of an internal market in which, in accordance
with Article 7a of the Treaty, the free movement of goods, persons, services
and capital is ensured require not only that personal data should be able to
flow freely from one Member State to another, but also that the fundamental
rights of individuals should be safeguarded;
(4) Whereas
increasingly frequent recourse is being had in the Community to the processing
of personal data in the various spheres of economic and social activity;
whereas the progress made in information technology is making the processing
and exchange of such data considerably easier;
(5) Whereas the
economic and social integration resulting from the establishment and
functioning of the internal market within the meaning of Article 7a of the
Treaty will necessarily lead to a substantial increase in cross-border flows
of personal data between all those involved in a private or public capacity in
economic and social activity in the Member States; whereas the exchange of
personal data between undertakings in different Member States is set to
increase; whereas the national authorities in the various Member States are
being called upon by virtue of Community law to collaborate and exchange
personal data so as to be able to perform their duties or carry out tasks on
behalf of an authority in another Member State within the context of the area
without internal frontiers as constituted by the internal market;
(6) Whereas,
furthermore, the increase in scientific and technical cooperation and the
coordinated introduction of new telecommunications networks in the Community
necessitate and facilitate cross-border flows of personal data;
(7) Whereas the
difference in levels of protection of the rights and freedoms of individuals,
notably the right to privacy, with regard to the processing of personal data
afforded in the Member States may prevent the transmission of such data from
the territory of one Member State to that of another Member State; whereas
this difference may therefore constitute an obstacle to the pursuit of a
number of economic activities at Community level, distort competition and
impede authorities in the discharge of their responsibilities under Community
law; whereas this difference in levels of protection is due to the existence
of a wide variety of national laws, regulations and administrative provisions;
(8) Whereas, in
order to remove the obstacles to flows of personal data, the level of
protection of the rights and freedoms of individuals with regard to the
processing of such data must be equivalent in all Member States; whereas this
objective is vital to the internal market but cannot be achieved by the Member
States alone, especially in view of the scale of the divergences which
currently exist between the relevant laws in the Member States and the need to
coordinate the laws of the Member States so as to ensure that the cross-border
flow of personal data is regulated in a consistent manner that is in keeping
with the objective of the internal market as provided for in Article 7a of the
Treaty; whereas Community action to approximate those laws is therefore needed;
(9) Whereas,
given the equivalent protection resulting from the approximation of national
laws, the Member States will no longer be able to inhibit the free movement
between them of personal data on grounds relating to protection of the rights
and freedoms of individuals, and in particular the right to privacy; whereas
Member States will be left a margin for manoeuvre, which may, in the context
of implementation of the Directive, also be exercised by the business and
social partners; whereas Member States will therefore be able to specify in
their national law the general conditions governing the lawfulness of data
processing; whereas in doing so the Member States shall strive to improve the
protection currently provided by their legislation; whereas, within the limits
of this margin for manoeuvre and in accordance with Community law, disparities
could arise in the implementation of the Directive, and this could have an
effect on the movement of data within a Member State as well as within the
Community;
(10) Whereas the
object of the national laws on the processing of personal data is to protect
fundamental rights and freedoms, notably the right to privacy, which is
recognized both in Article 8 of the European Convention for the Protection of
Human Rights and Fundamental Freedoms and in the general principles of
Community law; whereas, for that reason, the approximation of those laws must
not result in any lessening of the protection they afford but must, on the
contrary, seek to ensure a high level of protection in the Community;
(11) Whereas the
principles of the protection of the rights and freedoms of individuals,
notably the right to privacy, which are contained in this Directive, give
substance to and amplify those contained in the Council of Europe Convention
of 28 January 1981 for the Protection of Individuals with regard to Automatic
Processing of Personal Data;
(12) Whereas the
protection principles must apply to all processing of personal data by any
person whose activities are governed by Community law; whereas there should be
excluded the processing of data carried out by a natural person in the
exercise of activities which are exclusively personal or domestic, such as
correspondence and the holding of records of addresses;
(13) Whereas the
activities referred to in Titles V and VI of the Treaty on European Union
regarding public safety, defence, State security or the activities of the
State in the area of criminal laws fall outside the scope of Community law,
without prejudice to the obligations incumbent upon Member States under
Article 56 (2), Article 57 or Article 100a of the Treaty establishing the
European Community; whereas the processing of personal data that is necessary
to safeguard the economic well-being of the State does not fall within the
scope of this Directive where such processing relates to State security
matters;
(14) Whereas,
given the importance of the developments under way, in the framework of the
information society, of the techniques used to capture, transmit, manipulate,
record, store or communicate sound and image data relating to natural persons,
this Directive should be applicable to processing involving such data;
(15) Whereas the
processing of such data is covered by this Directive only if it is automated
or if the data processed are contained or are intended to be contained in a
filing system structured according to specific criteria relating to
individuals, so as to permit easy access to the personal data in question;
(16) Whereas the
processing of sound and image data, such as in cases of video surveillance,
does not come within the scope of this Directive if it is carried out for the
purposes of public security, defence, national security or in the course of
State activities relating to the area of criminal law or of other activities
which do not come within the scope of Community law;
(17) Whereas, as
far as the processing of sound and image data carried out for purposes of
journalism or the purposes of literary or artistic expression is concerned, in
particular in the audiovisual field, the principles of the Directive are to
apply in a restricted manner according to the provisions laid down in Article
9;
(18) Whereas, in
order to ensure that individuals are not deprived of the protection to which
they are entitled under this Directive, any processing of personal data in the
Community must be carried out in accordance with the law of one of the Member
States; whereas, in this connection, processing carried out under the
responsibility of a controller who is established in a Member State should be
governed by the law of that State;
(19) Whereas
establishment on the territory of a Member State implies the effective and
real exercise of activity through stable arrangements; whereas the legal form
of such an establishment, whether simply branch or a subsidiary with a legal
personality, is not the determining factor in this respect; whereas, when a
single controller is established on the territory of several Member States,
particularly by means of subsidiaries, he must ensure, in order to avoid any
circumvention of national rules, that each of the establishments fulfils the
obligations imposed by the national law applicable to its activities;
(20) Whereas the
fact that the processing of data is carried out by a person established in a
third country must not stand in the way of the protection of individuals
provided for in this Directive; whereas in these cases, the processing should
be governed by the law of the Member State in which the means used are located,
and there should be guarantees to ensure that the rights and obligations
provided for in this Directive are respected in practice;
(21) Whereas
this Directive is without prejudice to the rules of territoriality applicable
in criminal matters;
(22) Whereas
Member States shall more precisely define in the laws they enact or when
bringing into force the measures taken under this Directive the general
circumstances in which processing is lawful; whereas in particular Article 5,
in conjunction with Articles 7 and 8, allows Member States, independently of
general rules, to provide for special processing conditions for specific
sectors and for the various categories of data covered by Article 8;
(23) Whereas
Member States are empowered to ensure the implementation of the protection of
individuals both by means of a general law on the protection of individuals as
regards the processing of personal data and by sectorial laws such as those
relating, for example, to statistical institutes;
(24) Whereas the
legislation concerning the protection of legal persons with regard to the
processing data which concerns them is not affected by this Directive;
(25) Whereas the
principles of protection must be reflected, on the one hand, in the
obligations imposed on persons, public authorities, enterprises, agencies or
other bodies responsible for processing, in particular regarding data quality,
technical security, notification to the supervisory authority, and the
circumstances under which processing can be carried out, and, on the other
hand, in the right conferred on individuals, the data on whom are the subject
of processing, to be informed that processing is taking place, to consult the
data, to request corrections and even to object to processing in certain
circumstances;
(26) Whereas the
principles of protection must apply to any information concerning an
identified or identifiable person; whereas, to determine whether a person is
identifiable, account should be taken of all the means likely reasonably to be
used either by the controller or by any other person to identify the said
person; whereas the principles of protection shall not apply to data rendered
anonymous in such a way that the data subject is no longer identifiable;
whereas codes of conduct within the meaning of Article 27 may be a useful
instrument for providing guidance as to the ways in which data may be rendered
anonymous and retained in a form in which identification of the data subject
is no longer possible;
(27) Whereas the
protection of individuals must apply as much to automatic processing of data
as to manual processing; whereas the scope of this protection must not in
effect depend on the techniques used, otherwise this would create a serious
risk of circumvention; whereas, nonetheless, as regards manual processing,
this Directive covers only filing systems, not unstructured files; whereas, in
particular, the content of a filing system must be structured according to
specific criteria relating to individuals allowing easy access to the personal
data; whereas, in line with the definition in Article 2 (c), the different
criteria for determining the constituents of a structured set of personal data,
and the different criteria governing access to such a set, may be laid down by
each Member State; whereas files or sets of files as well as their cover pages,
which are not structured according to specific criteria, shall under no
circumstances fall within the scope of this Directive;
(28) Whereas any
processing of personal data must be lawful and fair to the individuals
concerned; whereas, in particular, the data must be adequate, relevant and not
excessive in relation to the purposes for which they are processed; whereas
such purposes must be explicit and legitimate and must be determined at the
time of collection of the data; whereas the purposes of processing further to
collection shall not be incompatible with the purposes as they were originally
specified;
(29) Whereas the
further processing of personal data for historical, statistical or scientific
purposes is not generally to be considered incompatible with the purposes for
which the data have previously been collected provided that Member States
furnish suitable safeguards; whereas these safeguards must in particular rule
out the use of the data in support of measures or decisions regarding any
particular individual;
(30) Whereas, in
order to be lawful, the processing of personal data must in addition be
carried out with the consent of the data subject or be necessary for the
conclusion or performance of a contract binding on the data subject, or as a
legal requirement, or for the performance of a task carried out in the public
interest or in the exercise of official authority, or in the legitimate
interests of a natural or legal person, provided that the interests or the
rights and freedoms of the data subject are not overriding; whereas, in
particular, in order to maintain a balance between the interests involved
while guaranteeing effective competition, Member States may determine the
circumstances in which personal data may be used or disclosed to a third party
in the context of the legitimate ordinary business activities of companies and
other bodies; whereas Member States may similarly specify the conditions under
which personal data may be disclosed to a third party for the purposes of
marketing whether carried out commercially or by a charitable organization or
by any other association or foundation, of a political nature for example,
subject to the provisions allowing a data subject to object to the processing
of data regarding him, at no cost and without having to state his reasons;
(31) Whereas the
processing of personal data must equally be regarded as lawful where it is
carried out in order to protect an interest which is essential for the data
subject's life;
(32) Whereas it
is for national legislation to determine whether the controller performing a
task carried out in the public interest or in the exercise of official
authority should be a public administration or another natural or legal person
governed by public law, or by private law such as a professional association;
(33) Whereas
data which are capable by their nature of infringing fundamental freedoms or
privacy should not be processed unless the data subject gives his explicit
consent; whereas, however, derogations from this prohibition must be
explicitly provided for in respect of specific needs, in particular where the
processing of these data is carried out for certain health-related purposes by
persons subject to a legal obligation of professional secrecy or in the course
of legitimate activities by certain associations or foundations the purpose of
which is to permit the exercise of fundamental freedoms;
(34) Whereas
Member States must also be authorized, when justified by grounds of important
public interest, to derogate from the prohibition on processing sensitive
categories of data where important reasons of public interest so justify in
areas such as public health and social protection - especially in order to
ensure the quality and cost-effectiveness of the procedures used for settling
claims for benefits and services in the health insurance system - scientific
research and government statistics; whereas it is incumbent on them, however,
to provide specific and suitable safeguards so as to protect the fundamental
rights and the privacy of individuals;
(35) Whereas,
moreover, the processing of personal data by official authorities for
achieving aims, laid down in constitutional law or international public law,
of officially recognized religious associations is carried out on important
grounds of public interest;
(36) Whereas
where, in the course of electoral activities, the operation of the democratic
system requires in certain Member States that political parties compile data
on people's political opinion, the processing of such data may be permitted
for reasons of important public interest, provided that appropriate safeguards
are established;
(37) Whereas the
processing of personal data for purposes of journalism or for purposes of
literary or artistic expression, in particular in the audiovisual field,
should qualify for exemption from the requirements of certain provisions of
this Directive in so far as this is necessary to reconcile the fundamental
rights of individuals with freedom of information and notably the right to
receive and impart information, as guaranteed in particular in Article 10 of
the European Convention for the Protection of Human Rights and Fundamental
Freedoms; whereas Member States should therefore lay down exemptions and
derogations necessary for the purpose of balance between fundamental rights as
regards general measures on the legitimacy of data processing, measures on the
transfer of data to third countries and the power of the supervisory
authority; whereas this should not, however, lead Member States to lay down
exemptions from the measures to ensure security of processing; whereas at
least the supervisory authority responsible for this sector should also be
provided with certain ex-post powers, e.g. to publish a regular report or to
refer matters to the judicial authorities;
(38) Whereas, if
the processing of data is to be fair, the data subject must be in a position
to learn of the existence of a processing operation and, where data are
collected from him, must be given accurate and full information, bearing in
mind the circumstances of the collection;
(39) Whereas
certain processing operations involve data which the controller has not
collected directly from the data subject; whereas, furthermore, data can be
legitimately disclosed to a third party, even if the disclosure was not
anticipated at the time the data were collected from the data subject;
whereas, in all these cases, the data subject should be informed when the data
are recorded or at the latest when the data are first disclosed to a third
party;
(40) Whereas,
however, it is not necessary to impose this obligation if the data subject
already has the information; whereas, moreover, there will be no such
obligation if the recording or disclosure are expressly provided for by law or
if the provision of information to the data subject proves impossible or would
involve disproportionate efforts, which could be the case where processing is
for historical, statistical or scientific purposes; whereas, in this regard,
the number of data subjects, the age of the data, and any compensatory
measures adopted may be taken into consideration;
(41) Whereas any
person must be able to exercise the right of access to data relating to him
which are being processed, in order to verify in particular the accuracy of
the data and the lawfulness of the processing; whereas, for the same reasons,
every data subject must also have the right to know the logic involved in the
automatic processing of data concerning him, at least in the case of the
automated decisions referred to in Article 15 (1); whereas this right must
not adversely affect trade secrets or intellectual property and in particular
the copyright protecting the software; whereas these considerations must not,
however, result in the data subject being refused all information;
(42) Whereas
Member States may, in the interest of the data subject or so as to protect the
rights and freedoms of others, restrict rights of access and information;
whereas they may, for example, specify that access to medical data may be
obtained only through a health professional;
(43) Whereas
restrictions on the rights of access and information and on certain
obligations of the controller may similarly be imposed by Member States in so
far as they are necessary to safeguard, for example, national security,
defence, public safety, or important economic or financial interests of a
Member State or the Union, as well as criminal investigations and prosecutions
and action in respect of breaches of ethics in the regulated professions;
whereas the list of exceptions and limitations should include the tasks of
monitoring, inspection or regulation necessary in the three last-mentioned
areas concerning public security, economic or financial interests and crime
prevention; whereas the listing of tasks in these three areas does not affect
the legitimacy of exceptions or restrictions for reasons of State security or
defence;
(44) Whereas
Member States may also be led, by virtue of the provisions of Community law,
to derogate from the provisions of this Directive concerning the right of
access, the obligation to inform individuals, and the quality of data, in
order to secure certain of the purposes referred to above;
(45) Whereas, in
cases where data might lawfully be processed on grounds of public interest,
official authority or the legitimate interests of a natural or legal person,
any data subject should nevertheless be entitled, on legitimate and compelling
grounds relating to his particular situation, to object to the processing of
any data relating to himself; whereas Member States may nevertheless lay down
national provisions to the contrary;
(46) Whereas the
protection of the rights and freedoms of data subjects with regard to the
processing of personal data requires that appropriate technical and
organizational measures be taken, both at the time of the design of the
processing system and at the time of the processing itself, particularly in
order to maintain security and thereby to prevent any unauthorized processing;
whereas it is incumbent on the Member States to ensure that controllers comply
with these measures; whereas these measures must ensure an appropriate level
of security, taking into account the state of the art and the costs of their
implementation in relation to the risks inherent in the processing and the
nature of the data to be protected;
(47) Whereas
where a message containing personal data is transmitted by means of a
telecommunications or electronic mail service, the sole purpose of which is
the transmission of such messages, the controller in respect of the personal
data contained in the message will normally be considered to be the person
from whom the message originates, rather than the person offering the
transmission services; whereas, nevertheless, those offering such services
will normally be considered controllers in respect of the processing of the
additional personal data necessary for the operation of the service;
(48) Whereas the
procedures for notifying the supervisory authority are designed to ensure
disclosure of the purposes and main features of any processing operation for
the purpose of verification that the operation is in accordance with the
national measures taken under this Directive;
(49) Whereas, in
order to avoid unsuitable administrative formalities, exemptions from the
obligation to notify and simplification of the notification required may be
provided for by Member States in cases where processing is unlikely adversely
to affect the rights and freedoms of data subjects, provided that it is in
accordance with a measure taken by a Member State specifying its limits;
whereas exemption or simplification may similarly be provided for by Member
States where a person appointed by the controller ensures that the processing
carried out is not likely adversely to affect the rights and freedoms of data
subjects; whereas such a data protection official, whether or not an employee
of the controller, must be in a position to exercise his functions in complete
independence;
(50) Whereas
exemption or simplification could be provided for in cases of processing
operations whose sole purpose is the keeping of a register intended, according
to national law, to provide information to the public and open to consultation
by the public or by any person demonstrating a legitimate interest;
(51) Whereas,
nevertheless, simplification or exemption from the obligation to notify shall
not release the controller from any of the other obligations resulting from
this Directive;
(52) Whereas, in
this context, ex post facto verification by the competent authorities must in
general be considered a sufficient measure;
(53) Whereas,
however, certain processing operations are likely to pose specific risks to the
rights and freedoms of data subjects by virtue of their nature, their scope or
their purposes, such as that of excluding individuals from a right, benefit or
a contract, or by virtue of the specific use of new technologies; whereas it
is for Member States, if they so wish, to specify such risks in their
legislation;
(54) Whereas
with regard to all the processing undertaken in society, the amount posing
such specific risks should be very limited; whereas Member States must provide
that the supervisory authority, or the data protection official in cooperation
with the authority, check such processing prior to it being carried out;
whereas following this prior check, the supervisory authority may, according
to its national law, give an opinion or an authorization regarding the
processing; whereas such checking may equally take place in the course of the
preparation either of a measure of the national parliament or of a measure
based on such a legislative measure, which defines the nature of the
processing and lays down appropriate safeguards;
(55) Whereas, if
the controller fails to respect the rights of data subjects, national
legislation must provide for a judicial remedy; whereas any damage which a
person may suffer as a result of unlawful processing must be compensated for
by the controller, who may be exempted from liability if he proves that he is
not responsible for the damage, in particular in cases where he establishes
fault on the part of the data subject or in case of force majeure; whereas
sanctions must be imposed on any person, whether governed by private or public
law, who fails to comply with the national measures taken under this
Directive;
(56) Whereas
cross-border flows of personal data are necessary to the expansion of
international trade; whereas the protection of individuals guaranteed in the
Community by this Directive does not stand in the way of transfers of personal
data to third countries which ensure an adequate level of protection; whereas
the adequacy of the level of protection afforded by a third country must be
assessed in the light of all the circumstances surrounding the transfer
operation or set of transfer operations;
(57) Whereas, on
the other hand, the transfer of personal data to a third country which does
not ensure an adequate level of protection must be prohibited;
(58) Whereas
provisions should be made for exemptions from this prohibition in certain
circumstances where the data subject has given his consent, where the transfer
is necessary in relation to a contract or a legal claim, where protection of
an important public interest so requires, for example in cases of
international transfers of data between tax or customs administrations or
between services competent for social security matters, or where the transfer
is made from a register established by law and intended for consultation by
the public or persons having a legitimate interest; whereas in this case such
a transfer should not involve the entirety of the data or entire categories of
the data contained in the register and, when the register is intended for
consultation by persons having a legitimate interest, the transfer should be
made only at the request of those persons or if they are to be the recipients;
(59) Whereas
particular measures may be taken to compensate for the lack of protection in a
third country in cases where the controller offers appropriate safeguards;
whereas, moreover, provision must be made for procedures for negotiations
between the Community and such third countries;
(60) Whereas, in
any event, transfers to third countries may be effected only in full
compliance with the provisions adopted by the Member States pursuant to this
Directive, and in particular Article 8 thereof;
(61) Whereas
Member States and the Commission, in their respective spheres of competence,
must encourage the trade associations and other representative organizations
concerned to draw up codes of conduct so as to facilitate the application of
this Directive, taking account of the specific characteristics of the
processing carried out in certain sectors, and respecting the national
provisions adopted for its implementation;
(62) Whereas the
establishment in Member States of supervisory authorities, exercising their
functions with complete independence, is an essential component of the
protection of individuals with regard to the processing of personal data;
(63) Whereas
such authorities must have the necessary means to perform their duties,
including powers of investigation and intervention, particularly in cases of
complaints from individuals, and powers to engage in legal proceedings;
whereas such authorities must help to ensure transparency of processing in the
Member States within whose jurisdiction they fall;
(64) Whereas the
authorities in the different Member States will need to assist one another in
performing their duties so as to ensure that the rules of protection are
properly respected throughout the European Union;
(65) Whereas, at
Community level, a Working Party on the Protection of Individuals with regard
to the Processing of Personal Data must be set up and be completely
independent in the performance of its functions; whereas, having regard to its
specific nature, it must advise the Commission and, in particular, contribute
to the uniform application of the national rules adopted pursuant to this
Directive;
(66) Whereas,
with regard to the transfer of data to third countries, the application of
this Directive calls for the conferment of powers of implementation on the
Commission and the establishment of a procedure as laid down in Council
Decision 87/373/EEC (1);
(67) Whereas an
agreement on a modus vivendi between the European Parliament, the Council and
the Commission concerning the implementing measures for acts adopted in
accordance with the procedure laid down in Article 189b of the EC Treaty was
reached on 20 December 1994;
(68) Whereas the
principles set out in this Directive regarding the protection of the rights
and freedoms of individuals, notably their right to privacy, with regard to
the processing of personal data may be supplemented or clarified, in
particular as far as certain sectors are concerned, by specific rules based on
those principles;
(69) Whereas
Member States should be allowed a period of not more than three years from the
entry into force of the national measures transposing this Directive in which
to apply such new national rules progressively to all processing operations
already under way; whereas, in order to facilitate their cost-effective
implementation, a further period expiring 12 years after the date on which
this Directive is adopted will be allowed to Member States to ensure the
conformity of existing manual filing systems with certain of the Directive's
provisions; whereas, where data contained in such filing systems are manually
processed during this extended transition period, those systems must be
brought into conformity with these provisions at the time of such processing;
(70) Whereas it
is not necessary for the data subject to give his consent again so as to allow
the controller to continue to process, after the national provisions taken
pursuant to this Directive enter into force, any sensitive data necessary for
the performance of a contract concluded on the basis of free and informed
consent before the entry into force of these provisions;
(71) Whereas
this Directive does not stand in the way of a Member State's regulating
marketing activities aimed at consumers residing in territory in so far as
such regulation does not concern the protection of individuals with regard to
the processing of personal data;
(72) Whereas
this Directive allows the principle of public access to official documents to
be taken into account when implementing the principles set out in this
Directive,
HAVE ADOPTED THIS
DIRECTIVE:
CHAPTER I GENERAL
PROVISIONS
Article 1
Object of the
Directive
1. In accordance
with this Directive, Member States shall protect the fundamental rights and
freedoms of natural persons, and in particular their right to privacy with
respect to the processing of personal data.
2. Member States
shall neither restrict nor prohibit the free flow of personal data between
Member States for reasons connected with the protection afforded under
paragraph 1.
Article 2
Definitions
For the purposes
of this Directive:
(a) 'personal
data' shall mean any information relating to an identified or identifiable
natural person ('data subject'); an identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an
identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;
(b) 'processing
of personal data' ('processing') shall mean any operation or set of
operations which is performed upon personal data, whether or not by automatic
means, such as collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction;
(c) 'personal
data filing system' ('filing system') shall mean any structured set of
personal data which are accessible according to specific criteria, whether
centralized, decentralized or dispersed on a functional or geographical basis;
(d) 'controller'
shall mean the natural or legal person, public authority, agency
or any other body which alone or jointly with others determines the purposes
and means of the processing of personal data; where the purposes and means of
processing are determined by national or Community laws or regulations, the
controller or the specific criteria for his nomination may be designated by
national or Community law;
(e) 'processor'
shall mean a natural or legal person, public authority, agency or any other
body which processes personal data on behalf of the controller;
(f) 'third
party' shall mean any natural or legal person, public authority, agency or any
other body other than the data subject, the controller, the processor and the
persons who, under the direct authority of the controller or the processor,
are authorized to process the data;
(g) 'recipient'
shall mean a natural or legal person, public authority, agency or any other
body to whom data are disclosed, whether a third party or not; however,
authorities which may receive data in the framework of a particular inquiry
shall not be regarded as recipients;
(h) 'the data
subject's consent' shall mean any freely given specific and informed
indication of his wishes by which the data subject signifies his agreement to
personal data relating to him being processed.
Article 3
Scope
1. This Directive
shall apply to the processing of personal data wholly or partly by automatic
means, and to the processing otherwise than by automatic means of personal
data which form part of a filing system or are intended to form part of a
filing system.
2. This
Directive shall not apply to the processing of personal data:
- in the course
of an activity which falls outside the scope of Community law, such as those
provided for by Titles V and VI of the Treaty on European Union and in any
case to processing operations concerning public security, defence, State
security (including the economic well-being of the State when the processing
operation relates to State security matters) and the activities of the State
in areas of criminal law,
- by a natural
person in the course of a purely personal or household activity.
Article 4
National law
applicable
1. Each Member
State shall apply the national provisions it adopts pursuant to this Directive
to the processing of personal data where:
(a) the
processing is carried out in the context of the activities of an establishment
of the controller on the territory of the Member State; when the same
controller is established on the territory of several Member States, he must
take the necessary measures to ensure that each of these establishments
complies with the obligations laid down by the national law applicable;
(b) the
controller is not established on the Member State's territory, but in a place
where its national law applies by virtue of international public law;
(c) the
controller is not established on Community territory and, for purposes of
processing personal data makes use of equipment, automated or otherwise,
situated on the territory of the said Member State, unless such equipment is
used only for purposes of transit through the territory of the Community.
2. In the
circumstances referred to in paragraph 1 (c), the controller must designate a
representative established in the territory of that Member State, without
prejudice to legal actions which could be initiated against the controller
himself.
CHAPTER II
GENERAL RULES ON THE LAWFULNESS OF THE PROCESSING OF PERSONAL DATA
Article 5
Member States
shall, within the limits of the provisions of this Chapter, determine more
precisely the conditions under which the processing of personal data is
lawful.
SECTION I
PRINCIPLES
RELATING TO DATA QUALITY
Article 6
1. Member States
shall provide that personal data must be:
(a) processed
fairly and lawfully;
(b) collected
for specified, explicit and legitimate purposes and not further processed in a
way incompatible with those purposes. Further processing of data for
historical, statistical or scientific purposes shall not be considered as
incompatible provided that Member States provide appropriate safeguards;
(c) adequate,
relevant and not excessive in relation to the purposes for which they are
collected and/or further processed;
(d) accurate
and, where necessary, kept up to date; every reasonable step must be taken to
ensure that data which are inaccurate or incomplete, having regard to the
purposes for which they were collected or for which they are further
processed, are erased or rectified;
(e) kept in a
form which permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected or for which they
are further processed. Member States shall lay down appropriate safeguards for
personal data stored for longer periods for historical, statistical or
scientific use.
2. It shall be
for the controller to ensure that paragraph 1 is complied with.
SECTION II
CRITERIA FOR
MAKING DATA PROCESSING LEGITIMATE
Article 7
Member States
shall provide that personal data may be processed only if:
(a) the data
subject has unambiguously given his consent; or
(b) processing
is necessary for the performance of a contract to which the data subject is
party or in order to take steps at the request of the data subject prior to
entering into a contract; or
(c) processing
is necessary for compliance with a legal obligation to which the controller is
subject; or
(d) processing
is necessary in order to protect the vital interests of the data subject; or
(e) processing
is necessary for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the controller or in a
third party to whom the data are disclosed; or
(f) processing
is necessary for the purposes of the legitimate interests pursued by the
controller or by the third party or parties to whom the data are disclosed,
except where such interests are overridden by the interests for fundamental
rights and freedoms of the data subject which require protection under Article
1 (1).
SECTION III
SPECIAL
CATEGORIES OF PROCESSING
Article 8
The processing of
special categories of data
1. Member States
shall prohibit the processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade-union
membership, and the processing of data concerning health or sex life.
2. Paragraph 1
shall not apply where:
(a) the data
subject has given his explicit consent to the processing of those data, except
where the laws of the Member State provide that the prohibition referred to in
paragraph 1 may not be lifted by the data subject's giving his consent; or
(b) processing
is necessary for the purposes of carrying out the obligations and specific
rights of the controller in the field of employment law in so far as it is
authorized by national law providing for adequate safeguards; or
(c) processing
is necessary to protect the vital interests of the data subject or of another
person where the data subject is physically or legally incapable of giving his
consent; or
(d) processing
is carried out in the course of its legitimate activities with appropriate
guarantees by a foundation, association or any other non-profit-seeking body
with a political, philosophical, religious or trade-union aim and on condition
that the processing relates solely to the members of the body or to persons
who have regular contact with it in connection with its purposes and that the
data are not disclosed to a third party without the consent of the data
subjects; or
(e) the
processing relates to data which are manifestly made public by the data
subject or is necessary for the establishment, exercise or defence of legal
claims.
3. Paragraph 1
shall not apply where processing of the data is required for the purposes of
preventive medicine, medical diagnosis, the provision of care or treatment or
the management of health-care services, and where those data are processed by
a health professional subject under national law or rules established by
national competent bodies to the obligation of professional secrecy or by
another person also subject to an equivalent obligation of secrecy.
4. Subject to
the provision of suitable safeguards, Member States may, for reasons of
substantial public interest, lay down exemptions in addition to those laid
down in paragraph 2 either by national law or by decision of the supervisory
authority.
5. Processing of
data relating to offences, criminal convictions or security measures may be
carried out only under the control of official authority, or if suitable
specific safeguards are provided under national law, subject to derogations
which may be granted by the Member State under national provisions providing
suitable specific safeguards. However, a complete register of criminal
convictions may be kept only under the control of official authority. Member
States may provide that data relating to administrative sanctions or
judgements in civil cases shall also be processed under the control of
official authority.
6. Derogations
from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the
Commission.
7. Member States
shall determine the conditions under which a national identification number or
any other identifier of general application may be processed.
Article 9
Processing of
personal data and freedom of expression
Member States
shall provide for exemptions or derogations from the provisions of this
Chapter, Chapter IV and Chapter VI for the processing of personal data carried
out solely for journalistic purposes or the purpose of artistic or literary
expression only if they are necessary to reconcile the right to privacy with
the rules governing freedom of expression.
SECTION IV
INFORMATION TO BE
GIVEN TO THE DATA SUBJECT
Article 10
Information in
cases of collection of data from the data subject
Member States
shall provide that the controller or his representative must provide a data
subject from whom data relating to himself are collected with at least the
following information, except where he already has it:
(a) the identity
of the controller and of his representative, if any;
(b) the purposes
of the processing for which the data are intended;
(c) any further
information such as
- the recipients
or categories of recipients of the data,
- whether
replies to the questions are obligatory or voluntary, as well as the possible
consequences of failure to reply,
- the existence
of the right of access to and the right to rectify the data concerning him in
so far as such further information is necessary, having regard to the specific
circumstances in which the data are collected, to guarantee fair processing in
respect of the data subject.
Article 11
Information where
the data have not been obtained from the data subject
1. Where the
data have not been obtained from the data subject, Member States shall provide
that the controller or his representative must at the time of undertaking the
recording of personal data or if a disclosure to a third party is envisaged,
no later than the time when the data are first disclosed provide the data
subject with at least the following information, except where he already has
it:
(a) the identity
of the controller and of his representative, if any;
(b) the purposes
of the processing;
(c) any further
information such as
- the categories
of data concerned,
- the recipients
or categories of recipients,
- the existence
of the right of access to and the right to rectify the data concerning him in
so far as such further information is necessary, having regard to the specific
circumstances in which the data are processed, to guarantee fair processing in
respect of the data subject.
2. Paragraph 1
shall not apply where, in particular for processing for statistical purposes
or for the purposes of historical or scientific research, the provision of
such information proves impossible or would involve a disproportionate effort
or if recording or disclosure is expressly laid down by law. In these cases
Member States shall provide appropriate safeguards.
SECTION V
THE DATA SUBJECT'S
RIGHT OF ACCESS TO DATA
Article 12
Right of access
Member States
shall guarantee every data subject the right to obtain from the controller:
(a) without
constraint at reasonable intervals and without excessive delay or expense:
- confirmation
as to whether or not data relating to him are being processed and information
at least as to the purposes of the processing, the categories of data
concerned, and the recipients or categories of recipients to whom the data are
disclosed,
- communication
to him in an intelligible form of the data undergoing processing and of any
available information as to their source,
- knowledge of
the logic involved in any automatic processing of data concerning him at least
in the case of the automated decisions referred to in Article 15 (1);
(b) as
appropriate the rectification, erasure or blocking of data the processing of
which does not comply with the provisions of this Directive, in particular
because of the incomplete or inaccurate nature of the data;
(c) notification
to third parties to whom the data have been disclosed of any rectification,
erasure or blocking carried out in compliance with (b), unless this proves
impossible or involves a disproportionate effort.
SECTION VI
EXEMPTIONS AND
RESTRICTIONS
Article 13
Exemptions and
restrictions
1. Member States
may adopt legislative measures to restrict the scope of the obligations and
rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a
restriction constitutes a necessary measure to safeguard:
(a) national
security;
(b) defence;
(c) public
security;
(d) the
prevention, investigation, detection and prosecution of criminal offences, or
of breaches of ethics for regulated professions;
(e) an important
economic or financial interest of a Member State or of the European Union,
including monetary, budgetary and taxation matters;
(f) a
monitoring, inspection or regulatory function connected, even occasionally,
with the exercise of official authority in cases referred to in (c), (d) and
(e);
(g) the
protection of the data subject or of the rights and freedoms of others.
2. Subject to
adequate legal safeguards, in particular that the data are not used for taking
measures or decisions regarding any particular individual, Member States may,
where there is clearly no risk of breaching the privacy of the data subject,
restrict by a legislative measure the rights provided for in Article 12 when
data are processed solely for purposes of scientific research or are kept in
personal form for a period which does not exceed the period necessary for the
sole purpose of creating statistics.
SECTION VII
THE DATA SUBJECT'S
RIGHT TO OBJECT
Article 14
The data subject's
right to object
Member States
shall grant the data subject the right:
(a) at least in
the cases referred to in Article 7 (e) and (f), to object at any time on
compelling legitimate grounds relating to his particular situation to the
processing of data relating to him, save where otherwise provided by national
legislation. Where there is a justified objection, the processing instigated
by the controller may no longer involve those data;
(b) to object,
on request and free of charge, to the processing of personal data relating to
him which the controller anticipates being processed for the purposes of
direct marketing, or to be informed before personal data are disclosed for the
first time to third parties or used on their behalf for the purposes of direct
marketing, and to be expressly offered the right to object free of charge to
such disclosures or uses.
Member States shall take the necessary measures to
ensure that data subjects are aware of the existence of the right referred to
in the first subparagraph of (b).
Article 15
Automated
individual decisions
1. Member States
shall grant the right to every person not to be subject to a decision which
produces legal effects concerning him or significantly affects him and which
is based solely on automated processing of data intended to evaluate certain
personal aspects relating to him, such as his performance at work,
creditworthiness, reliability, conduct, etc.
2. Subject to
the other Articles of this Directive, Member States shall provide that a
person may be subjected to a decision of the kind referred to in paragraph 1
if that decision:
(a) is taken in
the course of the entering into or performance of a contract, provided the
request for the entering into or the performance of the contract, lodged by
the data subject, has been satisfied or that there are suitable measures to
safeguard his legitimate interests, such as arrangements allowing him to put
his point of view; or
(b) is authorized by a law which also lays down measures
to safeguard the data subject's legitimate interests.
SECTION VIII
CONFIDENTIALITY
AND SECURITY OF PROCESSING
Article 16
Confidentiality
of processing
Any person
acting under the authority of the controller or of the processor, including
the processor himself, who has access to personal data must not process them
except on instructions from the controller, unless he is required to do so by
law.
Article 17
Security of
processing
1. Member States
shall provide that the controller must implement appropriate technical and
organizational measures to protect personal data against accidental or
unlawful destruction or accidental loss, alteration, unauthorized disclosure
or access, in particular where the processing involves the transmission of
data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation,
such measures shall ensure a level of security appropriate to the risks
represented by the processing and the nature of the data to be protected.
2. The Member
States shall provide that the controller must, where processing is carried out
on his behalf, choose a processor providing sufficient guarantees in respect
of the technical security measures and organizational measures governing the
processing to be carried out, and must ensure compliance with those measures.
3. The carrying
out of processing by way of a processor must be governed by a contract or
legal act binding the processor to the controller and stipulating in
particular that:
- the processor
shall act only on instructions from the controller,
- the
obligations set out in paragraph 1, as defined by the law of the Member State
in which the processor is established, shall also be incumbent on the
processor.
4. For the
purposes of keeping proof, the parts of the contract or the legal act relating
to data protection and the requirements relating to the measures referred to
in paragraph 1 shall be in writing or in another equivalent form.
SECTION IX
NOTIFICATION
Article 18
Obligation to
notify the supervisory authority
1. Member States
shall provide that the controller or his representative, if any, must notify
the supervisory authority referred to in Article 28 before carrying out any
wholly or partly automatic processing operation or set of such operations
intended to serve a single purpose or several related purposes.
2. Member States
may provide for the simplification of or exemption from notification only in
the following cases and under the following conditions:
- where, for
categories of processing operations which are unlikely, taking account of the
data to be processed, to affect adversely the rights and freedoms of data
subjects, they specify the purposes of the processing, the data or categories
of data undergoing processing, the category or categories of data subject, the
recipients or categories of recipient to whom the data are to be disclosed and
the length of time the data are to be stored, and/or
- where the
controller, in compliance with the national law which governs him, appoints a
personal data protection official, responsible in particular:
- for ensuring
in an independent manner the internal application of the national provisions
taken pursuant to this Directive
- for keeping
the register of processing operations carried out by the controller,
containing the items of information referred to in Article 21 (2), thereby
ensuring that the rights and freedoms of the data subjects are unlikely to be
adversely affected by the processing operations.
3. Member States
may provide that paragraph 1 does not apply to processing whose sole purpose
is the keeping of a register which according to laws or regulations is
intended to provide information to the public and which is open to
consultation either by the public in general or by any person demonstrating a
legitimate interest.
4. Member States
may provide for an exemption from the obligation to notify or a simplification
of the notification in the case of processing operations referred to in
Article 8 (2) (d).
5. Member States
may stipulate that certain or all non-automatic processing operations
involving personal data shall be notified, or provide for these processing
operations to be subject to simplified notification.
Article 19
Contents of
notification
1. Member States
shall specify the information to be given in the notification. It shall
include at least:
(a) the name and
address of the controller and of his representative, if any;
(b) the purpose
or purposes of the processing;
(c) a
description of the category or categories of data subject and of the data or
categories of data relating to them;
(d) the
recipients or categories of recipient to whom the data might be disclosed;
(e) proposed
transfers of data to third countries;
(f) a general
description allowing a preliminary assessment to be made of the
appropriateness of the measures taken pursuant to Article 17 to ensure
security of processing.
2. Member States
shall specify the procedures under which any change affecting the information
referred to in paragraph 1 must be notified to the supervisory authority.
Article 20
Prior checking
1. Member States
shall determine the processing operations likely to present specific risks to
the rights and freedoms of data subjects and shall check that these processing
operations are examined prior to the start thereof.
2. Such prior
checks shall be carried out by the supervisory authority following receipt of
a notification from the controller or by the data protection official, who, in
cases of doubt, must consult the supervisory authority.
3. Member States
may also carry out such checks in the context of preparation either of a
measure of the national parliament or of a measure based on such a legislative
measure, which define the nature of the processing and lay down appropriate
safeguards.
Article 21
Publicizing of
processing operations
1. Member States
shall take measures to ensure that processing operations are publicized.
2. Member States
shall provide that a register of processing operations notified in accordance
with Article 18 shall be kept by the supervisory authority. The register shall
contain at least the information listed in Article 19 (1) (a) to (e). The
register may be inspected by any person.
3. Member States
shall provide, in relation to processing operations not subject to
notification, that controllers or another body appointed by the Member States
make available at least the information referred to in Article 19 (1) (a) to
(e) in an appropriate form to any person on request. Member States may provide
that this provision does not apply to processing whose sole purpose is the
keeping of a register which according to laws or regulations is intended to
provide information to the public and which is open to consultation either by
the public in general or by any person who can provide proof of a legitimate
interest.
CHAPTER III
JUDICIAL
REMEDIES, LIABILITY AND SANCTIONS
Article 22
Remedies
Without
prejudice to any administrative remedy for which provision may be made, inter
alia before the supervisory authority referred to in Article 28, prior to
referral to the judicial authority, Member States shall provide for the right
of every person to a judicial remedy for any breach of the rights guaranteed
him by the national law applicable to the processing in question.
Article 23
Liability
1. Member States
shall provide that any person who has suffered damage as a result of an
unlawful processing operation or of any act incompatible with the national
provisions adopted pursuant to this Directive is entitled to receive
compensation from the controller for the damage suffered.
2. The
controller may be exempted from this liability, in whole or in part, if he
proves that he is not responsible for the event giving rise to the damage.
Article 24
Sanctions
The Member
States shall adopt suitable measures to ensure the full implementation of the
provisions of this Directive and shall in particular lay down the sanctions to
be imposed in case of infringement of the provisions adopted pursuant to this
Directive.
CHAPTER IV
TRANSFER OF
PERSONAL DATA TO THIRD COUNTRIES
Article 25
Principles
1. The Member
States shall provide that the transfer to a third country of personal data
which are undergoing processing or are intended for processing after transfer
may take place only if, without prejudice to compliance with the national
provisions adopted pursuant to the other provisions of this Directive, the
third country in question ensures an adequate level of protection.
2. The adequacy
of the level of protection afforded by a third country shall be assessed in
the light of all the circumstances surrounding a data transfer operation or
set of data transfer operations; particular consideration shall be given to
the nature of the data, the purpose and duration of the proposed processing
operation or operations, the country of origin and country of final
destination, the rules of law, both general and sectoral, in force in the
third country in question and the professional rules and security measures
which are complied with in that country.
3. The Member
States and the Commission shall inform each other of cases where they consider
that a third country does not ensure an adequate level of protection within
the meaning of paragraph 2.
4. Where the
Commission finds, under the procedure provided for in Article 31 (2), that a
third country does not ensure an adequate level of protection within the
meaning of paragraph 2 of this Article, Member States shall take the measures
necessary to prevent any transfer of data of the same type to the third
country in question.
5. At the
appropriate time, the Commission shall enter into negotiations with a view to
remedying the situation resulting from the finding made pursuant to paragraph
4.
6. The
Commission may find, in accordance with the procedure referred to in Article
31 (2), that a third country ensures an adequate level of protection within
the meaning of paragraph 2 of this Article, by reason of its domestic law or
of the international commitments it has entered into, particularly upon
conclusion of the negotiations referred to in paragraph 5, for the protection
of the private lives and basic freedoms and rights of individuals. Member
States shall take the measures necessary to comply with the Commission's
decision.
Article 26
Derogations
1. By way of
derogation from Article 25 and save where otherwise provided by domestic law
governing particular cases, Member States shall provide that a transfer or a
set of transfers of personal data to a third country which does not ensure an
adequate level of protection within the meaning of Article 25 (2) may take
place on condition that:
(a) the data
subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer
is necessary for the performance of a contract between the data subject and
the controller or the implementation of precontractual measures taken in
response to the data subject's request; or
(c) the transfer
is necessary for the conclusion or performance of a contract concluded in the
interest of the data subject between the controller and a third party; or
(d) the transfer
is necessary or legally required on important public interest
grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer
is necessary in order to protect the vital interests of the data subject; or
(f) the transfer
is made from a register which according to laws or regulations is intended to
provide information to the public and which is open to consultation either by
the public in general or by any person who can demonstrate legitimate
interest, to the extent that the conditions laid down in law for consultation
are fulfilled in the particular case.
2. Without
prejudice to paragraph 1, a Member State may authorize a transfer or a set of
transfers of personal data to a third country which does not ensure an
adequate level of protection within the meaning of Article 25 (2), where the
controller adduces adequate safeguards with respect to the protection of the
privacy and fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights; such safeguards may in particular result
from appropriate contractual clauses.
3. The Member
State shall inform the Commission and the other Member States of the
authorizations it grants pursuant to paragraph 2. If a Member State or the
Commission objects on justified grounds involving the protection of the
privacy and fundamental rights and freedoms of individuals, the Commission
shall take appropriate measures in accordance with the procedure laid down in
Article 3(2). Member States shall take the necessary measures to comply with
the Commission's decision.
4. Where the
Commission decides, in accordance with the procedure referred to in Article 31
(2), that certain standard contractual clauses offer sufficient safeguards as
required by paragraph 2, Member States shall take the necessary measures to
comply with the Commission's decision.
CHAPTER V
CODES OF CONDUCT
Article 27
1. The Member
States and the Commission shall encourage the drawing up of codes of conduct
intended to contribute to the proper implementation of the national provisions
adopted by the Member States pursuant to this Directive, taking account of the
specific features of the various sectors.
2. Member States
shall make provision for trade associations and other bodies representing
other categories of controllers which have drawn up draft national codes or
which have the intention of amending or extending existing national codes to
be able to submit them to the opinion of the national authority. Member States
shall make provision for this authority to ascertain, among other things,
whether the drafts submitted to it are in accordance with the national
provisions adopted pursuant to this Directive. If it sees fit, the authority
shall seek the views of data subjects or their representatives.
3. Draft
Community codes, and amendments or extensions to existing Community codes, may
be submitted to the Working Party referred to in Article 29. This Working
Party shall determine, among other things, whether the drafts submitted to it
are in accordance with the national provisions adopted pursuant to this
Directive. If it sees fit, the authority shall seek the views of data subjects
or their representatives. The Commission may ensure appropriate publicity for
the codes which have been approved by the Working Party.
CHAPTER VI
SUPERVISORY
AUTHORITY AND WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO
THE PROCESSING OF PERSONAL DATA
Article 28
Supervisory
authority
1. Each Member
State shall provide that one or more public authorities are responsible for
monitoring the application within its territory of the provisions adopted by
the Member States pursuant to this Directive. These authorities shall act with
complete independence in exercising the functions entrusted to them.
2. Each Member
State shall provide that the supervisory authorities are consulted when
drawing up administrative measures or regulations relating to the protection
of individuals' rights and freedoms with regard to the processing of personal
data.
3. Each
authority shall in particular be endowed with:
- investigative
powers, such as powers of access to data forming the subject-matter of
processing operations and powers to collect all the information necessary for
the performance of its supervisory duties,
- effective
powers of intervention, such as, for example, that of delivering opinions
before processing operations are carried out, in accordance with Article 20,
and ensuring appropriate publication of such opinions, of ordering the
blocking, erasure or destruction of data, of imposing a temporary or
definitive ban on processing, of warning or admonishing the controller, or
that of referring the matter to national parliaments or other political
institutions,
- the power to
engage in legal proceedings where the national provisions adopted pursuant to
this Directive have been violated or to bring these violations to the
attention of the judicial authorities. Decisions by the supervisory authority
which give rise to complaints may be appealed against through the courts.
4. Each
supervisory authority shall hear claims lodged by any person, or by an
association representing that person, concerning the protection of his rights
and freedoms in regard to the processing of personal data. The person
concerned shall be informed of the outcome of the claim. Each supervisory
authority shall, in particular, hear claims for checks on the lawfulness of
data processing lodged by any person when the national provisions adopted
pursuant to Article 13 of this Directive apply. The person shall at any rate
be informed that a check has taken place.
5. Each
supervisory authority shall draw up a report on its activities at regular
intervals. The report shall be made public.
6. Each
supervisory authority is competent, whatever the national law applicable to
the processing in question, to exercise, on the territory of its own Member
State, the powers conferred on it in accordance with paragraph 3. Each
authority may be requested to exercise its powers by an authority of another
Member State. The supervisory authorities shall cooperate with one another to
the extent necessary for the performance of their duties, in particular by
exchanging all useful information.
7. Member States
shall provide that the members and staff of the supervisory authority, even
after their employment has ended, are to be subject to a duty of professional
secrecy with regard to confidential information to which they have access.
Article 29
Working Party on
the Protection of Individuals with regard to the Processing of Personal Data
1. A Working
Party on the Protection of Individuals with regard to the Processing of
Personal Data, hereinafter referred to as 'the Working Party', is hereby set
up. It shall have advisory status and act independently.
2. The Working
Party shall be composed of a representative of the supervisory authority or
authorities designated by each Member State and of a representative of the
authority or authorities established for the Community institutions and
bodies, and of a representative of the Commission. Each member of the Working
Party shall be designated by the institution, authority or authorities which
he represents. Where a Member State has designated more than one supervisory
authority, they shall nominate a joint representative. The same shall apply to
the authorities established for Community institutions and bodies.
3. The Working
Party shall take decisions by a simple majority of the representatives of the
supervisory authorities.
4. The Working
Party shall elect its chairman. The chairman's term of office shall be two
years. His appointment shall be renewable.
5. The Working
Party's secretariat shall be provided by the Commission.
6. The Working
Party shall adopt its own rules of procedure.
7. The Working
Party shall consider items placed on its agenda by its chairman, either on his
own initiative or at the request of a representative of the supervisory
authorities or at the Commission's request.
Article 30
1. The Working
Party shall:
(a) examine any
question covering the application of the national measures adopted under this
Directive in order to contribute to the uniform application of such measures;
(b) give the
Commission an opinion on the level of protection in the Community and in third
countries;
(c) advise the
Commission on any proposed amendment of this Directive, on any additional or
specific measures to safeguard the rights and freedoms of natural persons with
regard to the processing of personal data and on any other proposed Community
measures affecting such rights and freedoms;
(d) give an
opinion on codes of conduct drawn up at Community level.
2. If the
Working Party finds that divergences likely to affect the equivalence of
protection for persons with regard to the processing of personal data in the
Community are arising between the laws or practices of Member States, it shall
inform the Commission accordingly.
3. The Working
Party may, on its own initiative, make recommendations on all matters relating
to the protection of persons with regard to the processing of personal data in
the Community.
4. The Working
Party's opinions and recommendations shall be forwarded to the Commission and
to the committee referred to in Article 31.
5. The
Commission shall inform the Working Party of the action it has taken in
response to its opinions and recommendations. It shall do so in a report which
shall also be forwarded to the European Parliament and the Council. The report
shall be made public.
6. The Working
Party shall draw up an annual report on the situation regarding the protection
of natural persons with regard to the processing of personal data in the
Community and in third countries, which it shall transmit to the Commission,
the European Parliament and the Council. The report shall be made public.
CHAPTER VII
COMMUNITY
IMPLEMENTING MEASURES
Article 31
The Committee
1. The
Commission shall be assisted by a committee composed of the representatives of
the Member States and chaired by the representative of the Commission.
2. The
representative of the Commission shall submit to the committee a draft of the
measures to be taken. The committee shall deliver its opinion on the draft
within a time limit which the chairman may lay down according to the urgency
of the matter. The opinion shall be delivered by the majority laid down in
Article 148 (2) of the Treaty. The votes of the representatives of the Member
States within the committee shall be weighted in the manner set out in that
Article. The chairman shall not vote. The Commission shall adopt measures
which shall apply immediately. However, if these measures are not in
accordance with the opinion of the committee, they shall be communicated by
the Commission to the Council forthwith. In that event:
- the Commission
shall defer application of the measures which it has decided for a period of
three months from the date of communication,
- the Council,
acting by a qualified majority, may take a different decision within the time
limit referred to in the first indent.
FINAL PROVISIONS
Article 32
1. Member States
shall bring into force the laws, regulations and administrative provisions
necessary to comply with this Directive at the latest at the end of a period
of three years from the date of its adoption. When Member States adopt these
measures, they shall contain a reference to this Directive or be accompanied
by such reference on the occasion of their official publication. The methods
of making such reference shall be laid down by the Member States.
2. Member States
shall ensure that processing already under way on the date the national
provisions adopted pursuant to this Directive enter into force, is brought
into conformity with these provisions within three years of this date. By way
of derogation from the preceding subparagraph, Member States may provide that
the processing of data already held in manual filing systems on the date of
entry into force of the national provisions adopted in implementation of this
Directive shall be brought into conformity with Articles 6, 7 and 8 of this
Directive within 12 years of the date on which it is adopted. Member States
shall, however, grant the data subject the right to obtain, at his request and
in particular at the time of exercising his right of access, the
rectification, erasure or blocking of data which are incomplete, inaccurate or
stored in a way incompatible with the legitimate purposes pursued by the
controller.
3. By way of
derogation from paragraph 2, Member States may provide, subject to suitable
safeguards, that data kept for the sole purpose of historical research need
not be brought into conformity with Articles 6, 7 and 8 of this Directive.
4. Member States
shall communicate to the Commission the text of the provisions of domestic law
which they adopt in the field covered by this Directive.
Article 33
The Commission
shall report to the Council and the European Parliament at regular intervals,
starting not later than three years after the date referred to in Article 32
(1), on the implementation of this Directive, attaching to its report, if
necessary, suitable proposals for amendments. The report shall be made public.
The Commission shall examine, in particular, the application of this Directive
to the data processing of sound and image data relating to natural persons and
shall submit any appropriate proposals which prove to be necessary, taking
account of developments in information technology and in the light of the
state of progress in the information society.
Article 34
This Directive
is addressed to the Member States.
Done at Luxembourg, 24 October 1995.
For the European Parliament
The President
K. HAENSCH
For the Council
The President
L. ATIENZA SERNA
(1) OJ No C 277, 5. 11. 1990, p. 3 and OJ No C 311, 27. 11. 1992, p. 30.
(2) OJ No C 159, 17. 6. 1991, p. 38.
(3) Opinion of the European Parliament of 11 March 1992 (OJ No C 94, 13. 4.
1992, p. 198), confirmed on 2 December 1993 (OJ No C 342, 20. 12. 1993, p.
30); Council common position of 20 February 1995 (OJ No C 93, 13. 4. 1995, p.
1) and Decision of the European Parliament of 15 June 1995 (OJ No C 166, 3. 7.
1995).