EUROPEAN COMMUNITY DIRECTIVE ON DATA PROTECTION
October 24, 1995
RECITALS
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community,
and in particular Article 100a thereof,
Having regard to the proposal from the Commission 1,
Having regard to the opinion of the Economic and Social Committee
2,
Acting in accordance with the procedure referred to in Article
189b of the Treaty 3,
(1) Whereas the objectives of the Community, as laid down in the
Treaty, as amended by the Treaty on European Union, include
creating an ever closer union among the peoples of Europe,
fostering closer relations between the States belonging to the
Community, ensuring economic and social progress by common action
to eliminate the barriers which divide Europe, encouraging the
constant improvement of the living conditions of its peoples,
preserving and strengthening peace and liberty and promoting
democracy on the basis of the fundamental rights recognized in
the constitution and laws of the Member States and in the
European Convention for the Protection of Human Rights and
Fundamental Freedoms;
(2) Whereas data-processing systems are designed to serve man;
whereas they must, whatever the nationality or residence of
natural persons, respect their fundamental rights and freedoms,
notably the right to privacy, and contribute to economic and
social progress, trade expansion and the well-being of
individuals;
(3) Whereas the establishment and functioning of an internal
market in which, in accordance with Article 7a of the Treaty, the
free movement of goods, persons, services and capital is ensured
require not only that personal data should be able to flow freely
from one Member State to another, but also that the fundamental
rights of individuals should be safeguarded;
(4) Whereas increasingly frequent recourse is being had in the
Community to the processing of personal data in the various
spheres of economic and social activity; whereas the progress
made in information technology is making the processing and
exchange of such data considerably easier;
(5) Whereas the economic and social integration resulting from
the establishment and functioning of the internal market within
the meaning of Article 7a of the Treaty will necessarily lead to
a substantial increase in cross-border flows of personal data
between all those involved in a private or public capacity in
economic and social activity in the Member States; whereas the
exchange of personal data between undertakings in different
Member States is set to increase; whereas the national
authorities in the various Member States are being called upon by
virtue of Community law to collaborate and exchange personal data
so as to be able to perform their duties or carry out tasks on
behalf of an authority in another Member State within the context
of the area without internal frontiers as constituted by the
internal market;
(6) Whereas, furthermore, the increase in scientific and
technical cooperation and the coordinated introduction of new
telecommunications networks in the Community necessitate and
facilitate cross-border flows of personal data;
(7) Whereas the difference in levels of protection of the rights
and freedoms of individuals, notably the right to privacy, with
regard to the processing of personal data afforded in the Member
States may prevent the transmission of such data from the
territory of one Member State to that of another Member State;
whereas this difference may therefore constitute an obstacle to
the pursuit of a number of economic activities at Community
level, distort competition and impede authorities in the
discharge of their responsibilities under Community law; whereas
this difference in levels of protection is due to the existence
of a wide variety of national laws, regulations and
administrative provisions;
(8) Whereas, in order to remove the obstacles to flows of
personal data, the level of protection of the rights and freedoms
of individuals with regard to the processing of such data must be
equivalent in all Member States; whereas this objective is vital
to the internal market but cannot be achieved by the Member
States alone, especially in view of the scale of the divergences
which currently exist between the relevant laws in the Member
States and the need to coordinate the laws of the Member States
so as to ensure that the cross-border flow of personal data is
regulated in a consistent manner that is in keeping with the
objective of the internal market as provided for in Article 7a of
the Treaty; whereas Community action to approximate those laws is
therefore needed;
(9) Whereas, given the equivalent protection resulting from the
approximation of national laws, the Member States will no longer
be able to inhibit the free movement between them of personal
data on grounds relating to protection of the rights and freedoms
of individuals, and in particular the right to privacy; whereas
Member States will be left a margin for manoeuvre, which may, in
the context of implementation of the Directive, also be exercised
by the business and social partners; whereas Member States will
therefore be able to specify in their national law the general
conditions governing the lawfulness of data processing; whereas
in doing so the Member States shall strive to improve the
protection currently provided by their legislation; whereas,
within the limits of this margin for manoeuvre and in accordance
with Community law, disparities could arise in the implementation
of the Directive, and this could have an effect on the movement
of data within a Member State as well as within the Community;
(10) Whereas the object of the national laws on the processing of
personal data is to protect fundamental rights and freedoms,
notably the right to privacy, which is recognized both in Article
8 of the European Convention for the Protection of Human Rights
and Fundamental Freedoms and in the general principles of
Community law; whereas, for that reason, the approximation of
those laws must not result in any lessening of the protection
they afford but must, on the contrary, seek to ensure a high
level of protection in the Community;
(11) Whereas the principles of the protection of the rights and
freedoms of individuals, notably the right to privacy, which are
contained in this Directive, give substance to and amplify those
contained in the Council of Europe Convention of 28 January 1981
for the Protection of Individuals with regard to Automatic
Processing of Personal Data;
(12) Whereas the protection principles must apply to all
processing of personal data by any person whose activities are
governed by Community law; whereas there should be excluded the
processing of data carried out by a natural person in the
exercise of activities which are exclusively personal or
domestic, such as correspondence and the holding of records of
addresses;
(13) Whereas the activities referred to in Titles V and VI of the
Treaty on European Union regarding public safety, defence, State
security or the activities of the State in the area of criminal
laws fall outside the scope of Community law, without prejudice
to the obligations incumbent upon Member States under Article 56
(2), Article 57 or Article 100a of the Treaty establishing the
European Community; whereas the processing of personal data that
is necessary to safeguard the economic well-being of the State
does not fall within the scope of this Directive where such
processing relates to State security matters;
(14) Whereas, given the importance of the developments under way,
in the framework of the information society, of the techniques
used to capture, transmit, manipulate, record, store or
communicate sound and image data relating to natural persons,
this Directive should be applicable to processing involving such
data;
(15) Whereas the processing of such data is covered by this
Directive only if it is automated or if the data processed are
contained or are intended to be contained in a filing system
structured according to specific criteria relating to
individuals, so as to permit easy access to the personal data in
question;
(16) Whereas the processing of sound and image data, such as in
cases of video surveillance, does not come within the scope of
this Directive if it is carried out for the purposes of public
security, defence, national security or in the course of State
activities relating to the area of criminal law or of other
activities which do not come within the scope of Community law;
(17) Whereas, as far as the processing of sound and image data
carried out for purposes of journalism or the purposes of
literary or artistic expression is concerned, in particular in
the audiovisual field, the principles of the Directive are to
apply in a restricted manner according to the provisions laid
down in Article 9;
(18) Whereas, in order to ensure that individuals are not
deprived of the protection to which they are entitled under this
Directive, any processing of personal data in the Community must
be carried out in accordance with the law of one of the Member
States; whereas, in this connection, processing carried out under
the responsibility of a controller who is established in a Member
State should be governed by the law of that State;
(19) Whereas establishment on the territory of a Member State
implies the effective and real exercise of activity through
stable arrangements; whereas the legal form of such an
establishment, whether simply branch or a subsidiary with a legal
personality, is not the determining factor in this respect;
whereas, when a single controller is established on the territory
of several Member States, particularly by means of subsidiaries,
he must ensure, in order to avoid any circumvention of national
rules, that each of the establishments fulfils the obligations
imposed by the national law applicable to its activities;
(20) Whereas the fact that the processing of data is carried out
by a person established in a third country must not stand in the
way of the protection of individuals provided for in this
Directive; whereas in these cases, the processing should be
governed by the law of the Member State in which the means used
are located, and there should be guarantees to ensure that the
rights and obligations provided for in this Directive are
respected in practice;
(21) Whereas this Directive is without prejudice to the rules of
territoriality applicable in criminal matters;
(22) Whereas Member States shall more precisely define in the
laws they enact or when bringing into force the measures taken
under this Directive the general circumstances in which
processing is lawful; whereas in particular Article 5, in
conjunction with Articles 7 and 8, allows Member States,
independently of general rules, to provide for special processing
conditions for specific sectors and for the various categories of
data covered by Article 8;
(23) Whereas Member States are empowered to ensure the
implementation of the protection of individuals both by means of
a general law on the protection of individuals as regards the
processing of personal data and by sectorial laws such as those
relating, for example, to statistical institutes;
(24) Whereas the legislation concerning the protection of legal
persons with regard to the processing data which concerns them is
not affected by this Directive;
(25) Whereas the principles of protection must be reflected, on
the one hand, in the obligations imposed on persons, public
authorities, enterprises, agencies or other bodies responsible
for processing, in particular regarding data quality, technical
security, notification to the supervisory authority, and the
circumstances under which processing can be carried out, and, on
the other hand, in the right conferred on individuals, the data
on whom are the subject of processing, to be informed that
processing is taking place, to consult the data, to request
corrections and even to object to processing in certain
circumstances;
(26) Whereas the principles of protection must apply to any
information concerning an identified or identifiable person;
whereas, to determine whether a person is identifiable, account
should be taken of all the means likely reasonably to be used
either by the controller or by any other person to identify the
said person; whereas the principles of protection shall not apply
to data rendered anonymous in such a way that the data subject is
no longer identifiable; whereas codes of conduct within the
meaning of Article 27 may be a useful instrument for providing
guidance as to the ways in which data may be rendered anonymous
and retained in a form in which identification of the data
subject is no longer possible;
(27) Whereas the protection of individuals must apply as much to
automatic processing of data as to manual processing; whereas the
scope of this protection must not in effect depend on the
techniques used, otherwise this would create a serious risk of
circumvention; whereas, nonetheless, as regards manual
processing, this Directive covers only filing systems, not
unstructured files; whereas, in particular, the content of a
filing system must be structured according to specific criteria
relating to individuals allowing easy access to the personal
data; whereas, in line with the definition in Article 2 (c), the
different criteria for determining the constituents of a
structured set of personal data, and the different criteria
governing access to such a set, may be laid down by each Member
State; whereas files or sets of files as well as their cover
pages, which are not structured according to specific criteria,
shall under no circumstances fall within the scope of this
Directive;
(28) Whereas any processing of personal data must be lawful and
fair to the individuals concerned; whereas, in particular, the
data must be adequate, relevant and not excessive in relation to
the purposes for which they are processed; whereas such purposes
must be explicit and legitimate and must be determined at the
time of collection of the data; whereas the purposes of
processing further to collection shall not be incompatible with
the purposes as they were originally specified;
(29) Whereas the further processing of personal data for
historical, statistical or scientific purposes is not generally
to be considered incompatible with the purposes for which the
data have previously been collected provided that Member States
furnish suitable safeguards; whereas these safeguards must in
particular rule out the use of the data in support of measures or
decisions regarding any particular individual;
(30) Whereas, in order to be lawful, the processing of personal
data must in addition be carried out with the consent of the data
subject or be necessary for the conclusion or performance of a
contract binding on the data subject, or as a legal requirement,
or for the performance of a task carried out in the public
interest or in the exercise of official authority, or in the
legitimate interests of a natural or legal person, provided that
the interests or the rights and freedoms of the data subject are
not overriding; whereas, in particular, in order to maintain a
balance between the interests involved while guaranteeing
effective competition, Member States may determine the
circumstances in which personal data may be used or disclosed to
a third party in the context of the legitimate ordinary business
activities of companies and other bodies; whereas Member States
may similarly specify the conditions under which personal data
may be disclosed to a third party for the purposes of marketing
whether carried out commercially or by a charitable organization
or by any other association or foundation, of a political nature
for example, subject to the provisions allowing a data subject to
object to the processing of data regarding him, at no cost and
without having to state his reasons;
(31) Whereas the processing of personal data must equally be
regarded as lawful where it is carried out in order to protect an
interest which is essential for the data subject's life;
(32) Whereas it is for national legislation to determine whether
the controller performing a task carried out in the public
interest or in the exercise of official authority should be a
public administration or another natural or legal person governed
by public law, or by private law such as a professional
association;
(33) Whereas data which are capable by their nature of infringing
fundamental freedoms or privacy should not be processed unless
the data subject gives his explicit consent; whereas, however,
derogations from this prohibition must be explicitly provided for
in respect of specific needs, in particular where the processing
of these data is carried out for certain health-related purposes
by persons subject to a legal obligation of professional secrecy
or in the course of legitimate activities by certain associations
or foundations the purpose of which is to permit the exercise of
fundamental freedoms;
(34) Whereas Member States must also be authorized, when
justified by grounds of important public interest, to derogate
from the prohibition on processing sensitive categories of data
where important reasons of public interest so justify in areas
such as public health and social protection - especially in order
to ensure the quality and cost-effectiveness of the procedures
used for settling claims for benefits and services in the health
insurance system - scientific research and government statistics;
whereas it is incumbent on them, however, to provide specific and
suitable safeguards so as to protect the fundamental rights and
the privacy of individuals;
(35) Whereas, moreover, the processing of personal data by
official authorities for achieving aims, laid down in
constitutional law or international public law, of officially
recognized religious associations is carried out on important
grounds of public interest;
(36) Whereas where, in the course of electoral activities, the
operation of the democratic system requires in certain Member
States that political parties compile data on people's political
opinion, the processing of such data may be permitted for reasons
of important public interest, provided that appropriate
safeguards are established;
(37) Whereas the processing of personal data for purposes of
journalism or for purposes of literary or artistic expression, in
particular in the audiovisual field, should qualify for exemption
from the requirements of certain provisions of this Directive in
so far as this is necessary to reconcile the fundamental rights
of individuals with freedom of information and notably the right
to receive and impart information, as guaranteed in particular in
Article 10 of the European Convention for the Protection of Human
Rights and Fundamental Freedoms; whereas Member States should
therefore lay down exemptions and derogations necessary for the
purpose of balance between fundamental rights as regards general
measures on the legitimacy of data processing, measures on the
transfer of data to third countries and the power of the
supervisory authority; whereas this should not, however, lead
Member States to lay down exemptions from the measures to ensure
security of processing; whereas at least the supervisory
authority responsible for this sector should also be provided
with certain ex-post powers, e.g. to publish a regular report or
to refer matters to the judicial authorities;
(38) Whereas, if the processing of data is to be fair, the data
subject must be in a position to learn of the existence of a
processing operation and, where data are collected from him, must
be given accurate and full information, bearing in mind the
circumstances of the collection;
(39) Whereas certain processing operations involve data which the
controller has not collected directly from the data subject;
whereas, furthermore, data can be legitimately disclosed to a
third party, even if the disclosure was not anticipated at the
time the data were collected from the data subject; whereas, in
all these cases, the data subject should be informed when the
data are recorded or at the latest when the data are first
disclosed to a third party;
(40) Whereas, however, it is not necessary to impose this
obligation if the data subject already has the information;
whereas, moreover, there will be no such obligation if the
recording or disclosure are expressly provided for by law or if
the provision of information to the data subject proves
impossible or would involve disproportionate efforts, which could
be the case where processing is for historical, statistical or
scientific purposes; whereas, in this regard, the number of data
subjects, the age of the data, and any compensatory measures
adopted may be taken into consideration;
(41) Whereas any person must be able to exercise the right of
access to data relating to him which are being processed, in
order to verify in particular the accuracy of the data and the
lawfulness of the processing; whereas, for the same reasons,
every data subject must also have the right to know the logic
involved in the automatic processing of data concerning him, at
least in the case of the automated decisions referred to in
Article 15 (1); whereas this right must not adversely affect
trade secrets or intellectual property and in particular the
copyright protecting the software; whereas these considerations
must not, however, result in the data subject being refused all
information;
(42) Whereas Member States may, in the interest of the data
subject or so as to protect the rights and freedoms of others,
restrict rights of access and information; whereas they may, for
example, specify that access to medical data may be obtained only
through a health professional;
(43) Whereas restrictions on the rights of access and information
and on certain obligations of the controller may similarly be
imposed by Member States in so far as they are necessary to
safeguard, for example, national security, defence, public
safety, or important economic or financial interests of a Member
State or the Union, as well as criminal investigations and
prosecutions and action in respect of breaches of ethics in the
regulated professions; whereas the list of exceptions and
limitations should include the tasks of monitoring, inspection or
regulation necessary in the three last-mentioned areas concerning
public security, economic or financial interests and crime
prevention; whereas the listing of tasks in these three areas
does not affect the legitimacy of exceptions or restrictions for
reasons of State security or defence;
(44) Whereas Member States may also be led, by virtue of the
provisions of Community law, to derogate from the provisions of
this Directive concerning the right of access, the obligation to
inform individuals, and the quality of data, in order to secure
certain of the purposes referred to above;
(45) Whereas, in cases where data might lawfully be processed on
grounds of public interest, official authority or the legitimate
interests of a natural or legal person, any data subject should
nevertheless be entitled, on legitimate and compelling grounds
relating to his particular situation, to object to the processing
of any data relating to himself; whereas Member States may
nevertheless lay down national provisions to the contrary;
(46) Whereas the protection of the rights and freedoms of data
subjects with regard to the processing of personal data requires
that appropriate technical and organizational measures be taken,
both at the time of the design of the processing system and at
the time of the processing itself, particularly in order to
maintain security and thereby to prevent any unauthorized
processing; whereas it is incumbent on the Member States to
ensure that controllers comply with these measures; whereas these
measures must ensure an appropriate level of security, taking
into account the state of the art and the costs of their
implementation in relation to the risks inherent in the
processing and the nature of the data to be protected;
(47) Whereas where a message containing personal data is
transmitted by means of a telecommunications or electronic mail
service, the sole purpose of which is the transmission of such
messages, the controller in respect of the personal data
contained in the message will normally be considered to be the
person from whom the message originates, rather than the person
offering the transmission services; whereas, nevertheless, those
offering such services will normally be considered controllers in
respect of the processing of the additional personal data
necessary for the operation of the service;
(48) Whereas the procedures for notifying the supervisory
authority are designed to ensure disclosure of the purposes and
main features of any processing operation for the purpose of
verification that the operation is in accordance with the
national measures taken under this Directive;
(49) Whereas, in order to avoid unsuitable administrative
formalities, exemptions from the obligation to notify and
simplification of the notification required may be provided for
by Member States in cases where processing is unlikely adversely
to affect the rights and freedoms of data subjects, provided that
it is in accordance with a measure taken by a Member State
specifying its limits; whereas exemption or simplification may
similarly be provided for by Member States where a person
appointed by the controller ensures that the processing carried
out is not likely adversely to affect the rights and freedoms of
data subjects; whereas such a data protection official, whether
or not an employee of the controller, must be in a position to
exercise his functions in complete independence;
(50) Whereas exemption or simplification could be provided for in
cases of processing operations whose sole purpose is the keeping
of a register intended, according to national law, to provide
information to the public and open to consultation by the public
or by any person demonstrating a legitimate interest;
(51) Whereas, nevertheless, simplification or exemption from the
obligation to notify shall not release the controller from any of
the other obligations resulting from this Directive;
(52) Whereas, in this context, ex post facto verification by the
competent authorities must in general be considered a sufficient
measure;
(53) Whereas, however, certain processing operations are likely to
pose specific risks to the rights and freedoms of data subjects
by virtue of their nature, their scope or their purposes, such as
that of excluding individuals from a right, benefit or a
contract, or by virtue of the specific use of new technologies;
whereas it is for Member States, if they so wish, to specify such
risks in their legislation;
(54) Whereas with regard to all the processing undertaken in
society, the amount posing such specific risks should be very
limited; whereas Member States must provide that the supervisory
authority, or the data protection official in cooperation with
the authority, check such processing prior to it being carried
out; whereas following this prior check, the supervisory
authority may, according to its national law, give an opinion or
an authorization regarding the processing; whereas such checking
may equally take place in the course of the preparation either of
a measure of the national parliament or of a measure based on
such a legislative measure, which defines the nature of the
processing and lays down appropriate safeguards;
(55) Whereas, if the controller fails to respect the rights of
data subjects, national legislation must provide for a judicial
remedy; whereas any damage which a person may suffer as a result
of unlawful processing must be compensated for by the controller,
who may be exempted from liability if he proves that he is not
responsible for the damage, in particular in cases where he
establishes fault on the part of the data subject or in case of
force majeure; whereas sanctions must be imposed on any person,
whether governed by private or public law, who fails to comply
with the national measures taken under this Directive;
(56) Whereas cross-border flows of personal data are necessary to
the expansion of international trade; whereas the protection of
individuals, guaranteed in the Community by this Directive does
not stand in the way of transfers of personal data to third
countries which ensure an adequate level of protection; whereas
the adequacy of the level of protection afforded by a third
country must be assessed in the light of all the circumstances
surrounding the transfer operation or set of transfer operations;
(57) Whereas, on the other hand, the transfer of personal data to
a third country which does not ensure an adequate level of
protection must be prohibited;
(58) Whereas provisions should be made for exemptions from this
prohibition in certain circumstances where the data subject has
given his consent, where the transfer is necessary in relation to
a contract or a legal claim, where protection of an important
public interest so requires, for example in cases of
international transfers of data between tax or customs
administrations or between services competent for social security
matters, or where the transfer is made from a register
established by law and intended for consultation by the public or
persons having a legitimate interest; whereas in this case such a
transfer should not involve the entirety of the data or entire
categories of the data contained in the register and, when the
register is intended for consultation by persons having a
legitimate interest, the transfer should be made only at the
request of those persons or if they are to be the recipients;
(59) Whereas particular measures may be taken to compensate for
the lack of protection in a third country in cases where the
controller offers appropriate safeguards; whereas, moreover,
provision must be made for procedures for negotiations between
the Community and such third countries;
(60) Whereas, in any event, transfers to third countries may be
effected only in full compliance with the provisions adopted by
the Member States pursuant to this Directive, and in particular
Article 8 thereof;
(61) Whereas Member States and the Commission, in their
respective spheres of competence, must encourage the trade
associations and other representative organizations concerned to
draw up codes of conduct so as to facilitate the application of
this Directive, taking account of the specific characteristics of
the processing carried out in certain sectors, and respecting the
national provisions adopted for its implementation;
(62) Whereas the establishment in Member States of supervisory
authorities, exercising their functions with complete
independence, is an essential component of the protection of
individuals with regard to the processing of personal data;
(63) Whereas such authorities must have the necessary means to
perform their duties, including powers of investigation and
intervention, particularly in cases of complaints from
individuals, and powers to engage in legal proceedings; whereas
such authorities must help to ensure transparency of processing
in the Member States within whose jurisdiction they fall;
(64) Whereas the authorities in the different Member States will
need to assist one another in performing their duties so as to
ensure that the rules of protection are properly respected
throughout the European Union;
(65) Whereas, at Community level, a Working Party on the
Protection of Individuals with regard to the Processing of
Personal Data must be set up and be completely independent in the
performance of its functions; whereas, having regard to its
specific nature, it must advise the Commission and, in
particular, contribute to the uniform application of the national
rules adopted pursuant to this Directive;
(66) Whereas, with regard to the transfer of data to third
countries, the application of this Directive calls for the
conferment of powers of implementation on the Commission and the
establishment of a procedure as laid down in Council Decision
87/373/EEC 4;
(67) Whereas an agreement on a modus vivendi between the European
Parliament, the Council and the Commission concerning the
implementing measures for acts adopted in accordance with the
procedure laid down in Article 189b of the EC Treaty was reached
on 20 December 1994;
(68) Whereas the principles set out in this Directive regarding
the protection of the rights and freedoms of individuals, notably
their right to privacy, with regard to the processing of personal
data may be supplemented or clarified, in particular as far as
certain sectors are concerned, by specific rules based on those
principles;
(69) Whereas Member States should be allowed a period of not more
than three years from the entry into force of the national
measures transposing this Directive in which to apply such new
national rules progressively to all processing operations already
under way; whereas, in order to facilitate their cost-effective
implementation, a further period expiring 12 years after the date
on which this Directive is adopted will be allowed to Member
States to ensure the conformity of existing manual filing systems
with certain of the Directive's provisions; whereas, where data
contained in such filing systems are manually processed during
this extended transition period, those systems must be brought
into conformity with these provisions at the time of
such processing;
(70) Whereas it is not necessary for the data subject to give his
consent again so as to allow the controller to continue to
process, after the national provisions taken pursuant to this
Directive enter into force, any sensitive data necessary for the
performance of a contract concluded on the basis of free and
informed consent before the entry into force of these provisions;
(71) Whereas this Directive does not stand in the way of a Member
State's regulating marketing activities aimed at consumers
residing in territory in so far as such regulation does not
concern the protection of individuals with regard to the
processing of personal data;
(72) Whereas this Directive allows the principle of public access
to official documents to be taken into account when implementing
the principles set out in this Directive,
HAVE ADOPTED THIS DIRECTIVE:
CHAPTER I - GENERAL PROVISIONS
Article 1: Object of the Directive
1. In accordance with this Directive, Member States shall protect
the fundamental rights and freedoms of natural persons, and in
particular their right to privacy with respect to the processing
of personal data.
2. Member States shall neither restrict nor prohibit the free
flow of personal data between Member States for reasons connected
with the protection afforded under paragraph 1.
Article 2: Definitions
For the purposes of this Directive:
(a) 'personal data' shall mean any information relating to an
identified or identifiable natural person ('data subject'); an
identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;
(b) 'processing of personal data' ('processing') shall mean any
operation or set of operations which is performed upon personal
data, whether or not by automatic means, such as collection,
recording, organization, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or
combination, blocking, erasure or destruction;
(c) 'personal data filing system' ('filing system') shall mean
any structured set of personal data which are accessible
according to specific criteria, whether centralized,
decentralized or dispersed on a functional or geographical basis;
(d) 'controller' shall mean the natural or legal person, public
authority, agency or any other body which alone or jointly with
others determines the purposes and means of the processing of
personal data; where the purposes and means of processing are
determined by national or Community laws or regulations, the
controller or the specific criteria for his nomination may be
designated by national or Community law;
(e) 'processor' shall mean a natural or legal person, public
authority, agency or any other body which processes personal data
on behalf of the controller;
(f) 'third party' shall mean any natural or legal person, public
authority, agency or any other body other than the data subject,
the controller, the processor and the persons who, under the
direct authority of the controller or the processor, are
authorized to process the data;
(g) 'recipient' shall mean a natural or legal person, public
authority, agency or any other body to whom data are disclosed,
whether a third party or not; however, authorities which may
receive data in the framework of a particular inquiry shall not
be regarded as recipients;
(h) 'the data subject's consent' shall mean any freely given
specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him
being processed.
Article 3: Scope
1. This Directive shall apply to the processing of personal data
wholly or partly by automatic means, and to the processing
otherwise than by automatic means of personal data which form
part of a filing system or are intended to form part of a filing
system.
2. This Directive shall not apply to the processing of personal
data:
- in the course of an activity which falls outside the scope of
Community law, such as those provided for by Titles V and VI of
the Treaty on European Union and in any case to processing
operations concerning public security, defence, State security
(including the economic well-being of the State when the
processing operation relates to State security matters) and the
activities of the State in areas of criminal law,
- by a natural person in the course of a purely personal or
household activity.
Article 4: National Law Applicable
1. Each Member State shall apply the national provisions it
adopts pursuant to this Directive to the processing of personal
data where:
(a) the processing is carried out in the context of the
activities of an establishment of the controller on the territory
of the Member State; when the same controller is established on
the territory of several Member States, he must take the
necessary measures to ensure that each of these establishments
complies with the obligations laid down by the national law
applicable;
(b) the controller is not established on the Member State's
territory, but in a place where its national law applies by
virtue of international public law;
(c) the controller is not established on Community territory and,
for purposes of processing personal data makes use of equipment,
automated or otherwise, situated on the territory of the said
Member State, unless such equipment is used only for purposes of
transit through the territory of the Community.
2. In the circumstances referred to in paragraph 1 (c), the
controller must designate a representative established in the
territory of that Member State, without prejudice to legal
actions which could be initiated against the controller himself.
CHAPTER II - GENERAL RULES ON THE LAWFULNESS OF THE
PROCESSING OF PERSONAL DATA
Article 5
Member States shall, within the limits of the provisions of this
Chapter, determine more precisely the conditions under which the
processing of personal data is lawful.
SECTION I - PRINCIPLES RELATING TO DATA QUALITY
Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and
not further processed in a way incompatible with those purposes.
Further processing of data for historical, statistical or
scientific purposes shall not be considered as incompatible
provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the
purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every
reasonable step must be taken to ensure that data which are
inaccurate or incomplete, having regard to the purposes for which
they were collected or for which they are further processed, are
erased or rectified;
(e) kept in a form which permits identification of data subjects
for no longer than is necessary for the purposes for which the
data were collected or for which they are further processed.
Member States shall lay down appropriate safeguards for personal
data stored for longer periods for historical, statistical or
scientific use.
2. It shall be for the controller to ensure that paragraph 1 is
complied with.
SECTION II - CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
Article 7
Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal
obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital
interests of the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official
authority vested in the controller or in a third party to whom
the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate
interests pursued by the controller or by the third party or
parties to whom the data are disclosed, except where such
interests are overridden by the interests for fundamental rights
and freedoms of the data subject which require protection under
Article 1 (1).
SECTION III - SPECIAL CATEGORIES OF PROCESSING
Article 8: The Processing of Special Categories of Data
1. Member States shall prohibit the processing of personal data
revealing racial or ethnic origin, political opinions, religious
or philosophical beliefs, trade-union membership, and the
processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where:
(a) the data subject has given his explicit consent to the
processing of those data, except where the laws of the Member
State provide that the prohibition referred to in paragraph 1 may
not be lifted by the data subject's giving his consent; or
(b) processing is necessary for the purposes of carrying out the
obligations and specific rights of the controller in the field of
employment law in so far as it is authorized by national law
providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the
data subject or of another person where the data subject is
physically or legally incapable of giving his consent; or
(d) processing is carried out in the course of its legitimate
activities with appropriate guarantees by a foundation,
association or any other non-profit-seeking body with a
political, philosophical, religious or trade-union aim and on
condition that the processing relates solely to the members of
the body or to persons who have regular contact with it in
connection with its purposes and that the data are not disclosed
to a third party without the consent of the data subjects; or
(e) the processing relates to data which are manifestly made
public by the data subject or is necessary for the establishment,
exercise or defence of legal claims.
3. Paragraph 1 shall not apply where processing of the data is
required for the purposes of preventive medicine, medical
diagnosis, the provision of care or treatment or the management
of health-care services, and where those data are processed by a
health professional subject under national law or rules
established by national competent bodies to the obligation of
professional secrecy or by another person also subject to an
equivalent obligation of secrecy.
4. Subject to the provision of suitable safeguards, Member States
may, for reasons of substantial public interest, lay down
exemptions in addition to those laid down in paragraph 2 either
by national law or by decision of the supervisory authority.
5. Processing of data relating to offences, criminal convictions
or security measures may be carried out only under the control of
official authority, or if suitable specific safeguards are
provided under national law, subject to derogations which may be
granted by the Member State under national provisions providing
suitable specific safeguards. However, a complete register of
criminal convictions may be kept only under the control of
official authority.
Member States may provide that data relating to administrative
sanctions or judgements in civil cases shall also be processed
under the control of official authority.
6. Derogations from paragraph 1 provided for in paragraphs 4 and
5 shall be notified to the Commission.
7. Member States shall determine the conditions under which a
national identification number or any other identifier of general
application may be processed.
Article 9: Processing of Personal Data and Freedom of Expression
Member States shall provide for exemptions or derogations from
the provisions of this Chapter, Chapter IV and Chapter VI for the
processing of personal data carried out solely for journalistic
purposes or the purpose of artistic or literary expression only
if they are necessary to reconcile the right to privacy with the
rules governing freedom of
expression.
SECTION IV - INFORMATION TO BE GIVEN TO THE DATA SUBJECT
Article 10: Information in Cases of Collection of Data from the
Data Subject
Member States shall provide that the controller or his
representative must provide a data subject from whom data
relating to himself are collected with at least the following
information, except where he already has it:
(a) the identity of the controller and of his representative, if
any;
(b) the purposes of the processing for which the data are
intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary,
as well as the possible consequences of failure to reply,
- the existence of the right of access to and the right to
rectify the data concerning him
in so far as such further information is necessary, having
regard to the specific circumstances in which the data are
collected, to guarantee fair processing in respect of the data
subject.
Article 11: Information Where the Data Have Not Been Obtained
from the Data Subject
1. Where the data have not been obtained from the data subject,
Member States shall provide that the controller or his
representative must at the time of undertaking the recording of
personal data or if a disclosure to a third party is envisaged,
no later than the time when the data are first disclosed provide
the data subject with at least the following information, except
where he already has it:
(a) the identity of the controller and of his representative, if
any;
(b) the purposes of the processing;
(c) any further information such as
- the categories of data concerned,
- the recipients or categories of recipients,
- the existence of the right of access to and the right to
rectify the data concerning him
in so far as such further information is necessary, having
regard to the specific circumstances in which the data are
processed, to guarantee fair processing in respect of the data
subject.
2. Paragraph 1 shall not apply where, in particular for
processing for statistical purposes or for the purposes of
historical or scientific research, the provision of such
information proves impossible or would involve a disproportionate
effort or if recording or disclosure is expressly laid down by
law. In these cases Member States shall provide appropriate
safeguards.
SECTION V - THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA
Article 12: Right of Access
Member States shall guarantee every data subject the right to
obtain from the controller:
(a) without constraint at reasonable intervals and without
excessive delay or expense:
- confirmation as to whether or not data relating to him are
being processed and information at least as to the purposes of
the processing, the categories of data concerned, and the
recipients or categories of recipients to whom the data are
disclosed,
- communication to him in an intelligible form of the data
undergoing processing and of any available information as to
their source,
- knowledge of the logic involved in any automatic processing of
data concerning him at least in the case of the automated
decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of
data the processing of which does not comply with the provisions
of this Directive, in particular because of the incomplete or
inaccurate nature of the data;
(c) notification to third parties to whom the data have been
disclosed of any rectification, erasure or blocking carried out
in compliance with (b), unless this proves impossible or involves
a disproportionate effort.
SECTION VI - EXEMPTIONS AND RESTRICTIONS
Article 13
1. Member States may adopt legislative measures to restrict the
scope of the obligations and rights provided for in Articles 6
(1), 10, 11 (1), 12 and 21 when such a restriction constitutes a
necessary measure to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of
criminal offences, or of breaches of ethics for regulated
professions;
(e) an important economic or financial interest of a Member State
or of the European Union, including monetary, budgetary and
taxation matters;
(f) a monitoring, inspection or regulatory function connected,
even occasionally, with the exercise of official authority in
cases referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and
freedoms of others.
2. Subject to adequate legal safeguards, in particular that the
data are not used for taking measures or decisions regarding any
particular individual, Member States may, where there is clearly
no risk of breaching the privacy of the data subject, restrict by
a legislative measure the rights provided for in Article 12 when
data are processed solely for purposes of scientific research or
are kept in personal form for a period which does not exceed the
period necessary for the sole purpose of creating statistics.
SECTION VII - THE DATA SUBJECT'S RIGHT TO OBJECT
Article 14: The Data Subject's Right to Object
Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7 (e) and (f),
to object at any time on compelling legitimate grounds relating
to his particular situation to the processing of data relating to
him, save where otherwise provided by national legislation. Where
there is a justified objection, the processing instigated by the
controller may no longer involve those data;
(b) to object, on request and free of charge, to the processing
of personal data relating to him which the controller anticipates
being processed for the purposes of direct marketing, or to be
informed before personal data are disclosed for the first time to
third parties or used on their behalf for the purposes of direct
marketing, and to be expressly offered the right to object free
of charge to such disclosures or uses.
Member States shall take the necessary measures to ensure that
data subjects are aware of the existence of the right referred to
in the first subparagraph of (b).
Article 15: Automated Individual Decisions
1. Member States shall grant the right to every person not to be
subject to a decision which produces legal effects concerning him
or significantly affects him and which is based solely on
automated processing of data intended to evaluate certain
personal aspects relating to him, such as his performance at
work, creditworthiness, reliability, conduct, etc.
2. Subject to the other Articles of this Directive, Member States
shall provide that a person may be subjected to a decision of the
kind referred to in paragraph 1 if that decision:
(a) is taken in the course of the entering into or performance of
a contract, provided the request for the entering into or the
performance of the contract, lodged by the data subject, has been
satisfied or that there are suitable measures to safeguard his
legitimate interests, such as arrangements allowing him to put
his point of view; or
(b) is authorized by a law which also lays down measures to
safeguard the data subject's legitimate interests.
SECTION VIII - CONFIDENTIALITY AND SECURITY OF PROCESSING
Article 16: Confidentiality of Processing
Any person acting under the authority of the controller or of the
processor, including the processor himself, who has access to
personal data must not process them except on instructions from
the controller, unless he is required to do so by law.
Article 17: Security of Processing
1. Member States shall provide that the controller must implement
appropriate technical and organizational measures to protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorized disclosure or access,
in particular where the processing involves the transmission of
data over a network, and against all other unlawful forms of
processing.
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of security
appropriate to the risks represented by the processing and the
nature of the data to be protected.
2. The Member States shall provide that the controller must,
where processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical
security measures and organizational measures governing the
processing to be carried out, and must ensure compliance with
those measures.
3. The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the
controller,
- the obligations set out in paragraph 1, as defined by the law
of the Member State in which the processor is established, shall
also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract
or the legal act relating to data protection and the requirements
relating to the measures referred to in paragraph 1 shall be in
writing or in another equivalent form.
SECTION IX - NOTIFICATION
Article 18: Obligation to Notify the Supervisory Authority
1. Member States shall provide that the controller or his
representative, if any, must notify the supervisory authority
referred to in Article 28 before carrying out any wholly or
partly automatic processing operation or set of such operations
intended to serve a single purpose or several related purposes.
2. Member States may provide for the simplification of or
exemption from notification only in the following cases and under
the following conditions:
- where, for categories of processing operations which are
unlikely, taking account of the data to be processed, to affect
adversely the rights and freedoms of data subjects, they specify
the purposes of the processing, the data or categories of data
undergoing processing, the category or categories of data
subject, the recipients or categories of recipient to whom the
data are to be disclosed and the length of time the data are to
be stored, and/or
- where the controller, in compliance with the national law which
governs him, appoints a personal data protection official,
responsible in particular:
  - for ensuring in an independent manner the internal
  application of the national provisions taken pursuant to this
  Directive
  - for keeping the register of processing operations carried out
  by the controller, containing the items of information referred
  to in Article 21 (2),
thereby ensuring that the rights and freedoms of the data
subjects are unlikely to be adversely affected by the processing
operations.
3. Member States may provide that paragraph 1 does not apply to
processing whose sole purpose is the keeping of a register which
according to laws or regulations is intended to provide
information to the public and which is open to consultation
either by the public in general or by any person demonstrating a
legitimate interest.
4. Member States may provide for an exemption from the obligation
to notify or a simplification of the notification in the case of
processing operations referred to in Article 8 (2) (d).
5. Member States may stipulate that certain or all non-automatic
processing operations involving personal data shall be notified,
or provide for these processing operations to be subject to
simplified notification.
Article 19: Contents of Notification
1. Member States shall specify the information to be given in the
notification. It shall include at least:
(a) the name and address of the controller and of his
representative, if any;
(b) the purpose or purposes of the processing;
(c) a description of the category or categories of data subject
and of the data or categories of data relating to them;
(d) the recipients or categories of recipient to whom the data
might be disclosed;
(e) proposed transfers of data to third countries;
(f) a general description allowing a preliminary assessment to be
made of the appropriateness of the measures taken pursuant to
Article 17 to ensure security of processing.
2. Member States shall specify the procedures under which any
change affecting the information referred to in paragraph 1 must
be notified to the supervisory authority.
Article 20: Prior Checking
1. Member States shall determine the processing operations likely
to present specific risks to the rights and freedoms of data
subjects and shall check that these processing operations are
examined prior to the start thereof.
2. Such prior checks shall be carried out by the supervisory
authority following receipt of a notification from the controller
or by the data protection official, who, in cases of doubt, must
consult the supervisory authority.
3. Member States may also carry out such checks in the context of
preparation either of a measure of the national parliament or of
a measure based on such a legislative measure, which define the
nature of the processing and lay down appropriate safeguards.
Article 21: Publicizing of Processing Operations
1. Member States shall take measures to ensure that processing
operations are publicized.
2. Member States shall provide that a register of processing
operations notified in accordance with Article 18 shall be kept
by the supervisory authority.
The register shall contain at least the information listed in
Article 19(1) (a) to (e).
The register may be inspected by any person.
3. Member States shall provide, in relation to processing
operations not subject to notification, that controllers or
another body appointed by the Member States make available at
least the information referred to in Article 19 (1) (a) to (e) in
an appropriate form to any person on request.
Member States may provide that this provision does not apply to
processing whose sole purpose is the keeping of a register which
according to laws or regulations is intended to provide
information to the public and which is open to consultation
either by the public in general or by any person who can provide
proof of a legitimate interest.
CHAPTER III - JUDICIAL REMEDIES, LIABILITY AND SANCTIONS
Article 22: Remedies
Without prejudice to any administrative remedy for which
provision may be made, inter alia before the supervisory
authority referred to in Article 28, prior to referral to the
judicial authority, Member States shall provide for the right of
every person to a judicial remedy for any breach of the rights
guaranteed him by the national law applicable to the processing
in question.
Article 23: Liability
1. Member States shall provide that any person who has suffered
damage as a result of an unlawful processing operation or of any
act incompatible with the national provisions adopted pursuant to
this Directive is entitled to receive compensation from the
controller for the damage suffered.
2. The controller may be exempted from this liability, in whole
or in part, if he proves that he is not responsible for the event
giving rise to the damage.
Article 24: Sanctions
The Member States shall adopt suitable measures to ensure the
full implementation of the provisions of this Directive and
shall in particular lay down the sanctions to be imposed in case
of infringement of the provisions adopted pursuant to this
Directive.
CHAPTER IV - TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Article 25: Principles
1. The Member States shall provide that the transfer to a third
country of personal data which are undergoing processing or are
intended for processing after transfer may take place only if,
without prejudice to compliance with the national provisions
adopted pursuant to the other provisions of this Directive, the
third country in question ensures an adequate level of
protection.
2. The adequacy of the level of protection afforded by a third
country shall be assessed in the light of all the circumstances
surrounding a data transfer operation or set of data transfer
operations; particular consideration shall be given to the nature
of the data, the purpose and duration of the proposed processing
operation or operations, the country of origin and country of
final destination, the rules of law, both general and sectoral,
in force in the third country in question and the professional
rules and security measures which are complied with in that
country.
3. The Member States and the Commission shall inform each other
of cases where they consider that a third country does not ensure
an adequate level of protection within the meaning of paragraph
2.
4. Where the Commission finds, under the procedure provided for
in Article 31 (2), that a third country does not ensure an
adequate level of protection within the meaning of paragraph 2 of
this Article, Member States shall take the measures necessary to
prevent any transfer of data of the same type to the third
country in question.
5. At the appropriate time, the Commission shall enter into
negotiations with a view to remedying the situation resulting
from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure
referred to in Article 31 (2), that a third country ensures an
adequate level of protection within the meaning of paragraph 2 of
this Article, by reason of its domestic law or of the
international commitments it has entered into, particularly upon
conclusion of the negotiations referred to in paragraph 5, for
the protection of the private lives and basic freedoms and rights
of individuals.
Member States shall take the measures necessary to comply with
the Commission's decision.
Article 26: Derogations
1. By way of derogation from Article 25 and save where otherwise
provided by domestic law governing particular cases, Member
States shall provide that a transfer or a set of transfers of
personal data to a third country which does not ensure an
adequate level of protection within the meaning of Article 25 (2)
may take place on condition that:
(a) the data subject has given his consent unambiguously to the
proposed transfer; or
(b) the transfer is necessary for the performance of a contract
between the data subject and the controller or the implementation
of precontractual measures taken in response to the data
subject's request; or
(c) the transfer is necessary for the conclusion or performance
of a contract concluded in the interest of the data subject
between the controller and a third party; or
(d) the transfer is necessary or legally required on important
public interest grounds, or for the establishment, exercise or
defence of legal claims; or
(e) the transfer is necessary in order to protect the vital
interests of the data subject; or
(f) the transfer is made from a register which according to laws
or regulations is intended to provide information to the public
and which is open to consultation either by the public in general
or by any person who can demonstrate legitimate interest, to the
extent that the conditions laid down in law for consultation are
fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorize
a transfer or a set of transfers of personal data to a third
country which does not ensure an adequate level of protection
within the meaning of Article 25 (2), where the controller
adduces adequate safeguards with respect to the protection of the
privacy and fundamental rights and freedoms of individuals and as
regards the exercise of the corresponding rights; such safeguards
may in particular result from appropriate contractual clauses.
3. The Member State shall inform the Commission and the other
Member States of the authorizations it grants pursuant to
paragraph 2.
If a Member State or the Commission objects on justified grounds
involving the protection of the privacy and fundamental rights
and freedoms of individuals, the Commission shall take
appropriate measures in accordance with the procedure laid down
in Article 31 (2).
Member States shall take the necessary measures to comply with the
Commission's decision.
4. Where the Commission decides, in accordance with the procedure
referred to in Article 31 (2), that certain standard contractual
clauses offer sufficient safeguards as required by paragraph 2,
Member States shall take the necessary measures to comply with
the Commission's decision.
CHAPTER V - CODES OF CONDUCT
Article 27
1. The Member States and the Commission shall encourage the
drawing up of codes of conduct intended to contribute to the
proper implementation of the national provisions adopted by the
Member States pursuant to this Directive, taking account of the
specific features of the various sectors.
2. Member States shall make provision for trade associations and
other bodies representing other categories of controllers which
have drawn up draft national codes or which have the intention of
amending or extending existing national codes to be able to
submit them to the opinion of the national authority.
Member States shall make provision for this authority to
ascertain, among other things, whether the drafts submitted to it
are in accordance with the national provisions adopted pursuant
to this Directive. If it sees fit, the authority shall seek the
views of data subjects or their representatives.
3. Draft Community codes, and amendments or extensions to
existing Community codes, may be submitted to the Working Party
referred to in Article 29. This Working Party shall determine,
among other things, whether the drafts submitted to it are in
accordance with the national provisions adopted pursuant to this
Directive. If it sees fit, the authority shall seek the views of
data subjects or their representatives. The Commission may ensure
appropriate publicity for the codes which have been approved by
the Working Party.
CHAPTER VI - SUPERVISORY AUTHORITY AND WORKING PARTY ON THE
PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF
PERSONAL DATA
Article 28: Supervisory Authority
1. Each Member State shall provide that one or more public
authorities are responsible for monitoring the application within
its territory of the provisions adopted by the Member States
pursuant to this Directive.
These authorities shall act with complete independence in
exercising the functions entrusted to them.
2. Each Member State shall provide that the supervisory
authorities are consulted when drawing up administrative measures
or regulations relating to the protection of individuals' rights
and freedoms with regard to the processing of personal data.
3. Each authority shall in particular be endowed with:
- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,
- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,
- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.
Decisions by the supervisory authority which give rise to
complaints may be appealed against through the courts.
4. Each supervisory authority shall hear claims lodged by any
person, or by an association representing that person, concerning
the protection of his rights and freedoms in regard to the
processing of personal data. The person concerned shall be
informed of the outcome of the claim.
Each supervisory authority shall, in particular, hear claims for
checks on the lawfulness of data processing lodged by any person
when the national provisions adopted pursuant to Article 13 of
this Directive apply. The person shall at any rate be informed
that a check has taken place.
5. Each supervisory authority shall draw up a report on its
activities at regular intervals. The report shall be made public.
6. Each supervisory authority is competent, whatever the national
law applicable to the processing in question, to exercise, on the
territory of its own Member State, the powers conferred on it in
accordance with paragraph 3. Each authority may be requested to
exercise its powers by an authority of another Member State.
The supervisory authorities shall cooperate with one another to
the extent necessary for the performance of their duties, in
particular by exchanging all useful information.
7. Member States shall provide that the members and staff of the
supervisory authority, even after their employment has ended, are
to be subject to a duty of professional secrecy with regard to
confidential information to which they have access.
Article 29: Working Party on the Protection of Individuals with
Regard to the Processing of Personal Data
1. A Working Party on the Protection of Individuals with regard
to the Processing of Personal Data, hereinafter referred to as
'the Working Party', is hereby set up.
It shall have advisory status and act independently.
2. The Working Party shall be composed of a representative of the
supervisory authority or authorities designated by each Member
State and of a representative of the authority or authorities
established for the Community institutions and bodies, and of a
representative of the Commission.
Each member of the Working Party shall be designated by the
institution, authority or authorities which he represents. Where
a Member State has designated more than one supervisory
authority, they shall nominate a joint representative. The same
shall apply to the authorities established for Community
institutions and bodies.
3. The Working Party shall take decisions by a simple majority of
the representatives of the supervisory authorities.
4. The Working Party shall elect its chairman. The chairman's
term of office shall be two years. His appointment shall be
renewable.
5. The Working Party's secretariat shall be provided by the
Commission.
6. The Working Party shall adopt its own rules of procedure.
7. The Working Party shall consider items placed on its agenda by
its chairman, either on his own initiative or at the request of a
representative of the supervisory authorities or at the
Commission's request.
Article 30
1. The Working Party shall:
(a) examine any question covering the application of the national
measures adopted under this Directive in order to contribute to
the uniform application of such measures;
(b) give the Commission an opinion on the level of protection in
the Community and in third countries;
(c) advise the Commission on any proposed amendment of this
Directive, on any additional or specific measures to safeguard
the rights and freedoms of natural persons with regard to the
processing of personal data and on any other proposed Community
measures affecting such rights and freedoms;
(d) give an opinion on codes of conduct drawn up at Community
level.
2. If the Working Party finds that divergences likely to affect
the equivalence of protection for persons with regard to the
processing of personal data in the Community are arising between
the laws or practices of Member States, it shall inform the
Commission accordingly.
3. The Working Party may, on its own initiative, make
recommendations on all matters relating to the protection of
persons with regard to the processing of personal data in the
Community.
4. The Working Party's opinions and recommendations shall be
forwarded to the Commission and to the committee referred to in
Article 31.
5. The Commission shall inform the Working Party of the action
it has taken in response to its opinions and recommendations. It
shall do so in a report which shall also be forwarded to the
European Parliament and the Council. The report shall be made
public.
6. The Working Party shall draw up an annual report on the
situation regarding the protection of natural persons with regard
to the processing of personal data in the Community and in third
countries, which it shall transmit to the Commission, the
European Parliament and the Council. The report shall be made
public.
CHAPTER VII - COMMUNITY IMPLEMENTING MEASURES
Article 31: The Committee
1. The Commission shall be assisted by a committee composed of
the representatives of the Member States and chaired by the
representative of the Commission.
2. The representative of the Commission shall submit to the
committee a draft of the measures to be taken. The committee
shall deliver its opinion on the draft within a time limit which
the chairman may lay down according to the urgency of the matter.
The opinion shall be delivered by the majority laid down in
Article 148 (2) of the Treaty. The votes of the representatives
of the Member States within the committee shall be weighted in
the manner set out in that Article. The chairman shall not vote.
The Commission shall adopt measures which shall apply
immediately. However, if these measures are not in accordance
with the opinion of the committee, they shall be communicated by
the Commission to the Council forthwith. In that event:
- the Commission shall defer application of the measures which it
has decided for a period of three months from the date of
communication,
- the Council, acting by a qualified majority, may take a different
decision within the time limit referred to in the first indent.
FINAL PROVISIONS
Article 32
1. Member States shall bring into force the laws, regulations and
administrative provisions necessary to comply with this Directive
at the latest at the end of a period of three years from the date
of its adoption.
When Member States adopt these measures, they shall contain a
reference to this Directive or be accompanied by such reference
on the occasion of their official publication. The methods of
making such reference shall be laid down by the Member States.
2. Member States shall ensure that processing already under way
on the date the national provisions adopted pursuant to this
Directive enter into force, is brought into conformity with these
provisions within three years of this date.
By way of derogation from the preceding subparagraph, Member
States may provide that the processing of data already held in
manual filing systems on the date of entry into force of the
national provisions adopted in implementation of this Directive
shall be brought into conformity with Articles 6, 7 and 8 of this
Directive within 12 years of the date on which it is adopted.
Member States shall, however, grant the data subject the right to
obtain, at his request and in particular at the time of
exercising his right of access, the rectification, erasure or
blocking of data which are incomplete, inaccurate or stored in a
way incompatible with the legitimate purposes pursued by the
controller.
3. By way of derogation from paragraph 2, Member States may
provide, subject to suitable safeguards, that data kept for the
sole purpose of historical research need not be brought into
conformity with Articles 6, 7 and 8 of this Directive.
4. Member States shall communicate to the Commission the text of
the provisions of domestic law which they adopt in the field
covered by this Directive.
Article 33
The Commission shall report to the Council and the European
Parliament at regular intervals, starting not later than three
years after the date referred to in Article 32 (1), on the
implementation of this Directive, attaching to its report, if
necessary, suitable proposals for amendments. The report shall be
made public.
The Commission shall examine, in particular, the application of
this Directive to the data processing of sound and image data
relating to natural persons and shall submit any appropriate
proposals which prove to be necessary, taking account of
developments in information technology and in the light of the
state of progress in the information society.
Article 34
This Directive is addressed to the Member States.
Done at Luxembourg, 24 October 1995.
Footnotes
1. OJ No C 277, 5. 11. 1990, p. 3 and OJ No C 311, 27. 11. 1992,
p. 30.
2. OJ No C 159, 17. 6. 1991, p. 38.
3. Opinion of the European Parliament of 11 March 1992 (OJ No C
94, 13. 4. 1992, p. 198), confirmed on 2 December 1993 (OJ No C
342, 20. 12. 1993, p. 30); Council common position of 20 February
1995 (OJ No C 93, 13. 4. 1995, p. 1) and Decision of the European
Parliament of 15 June 1995 (OJ No C 166, 3. 7. 1995).
4. OJ No L 197, 18. 7. 1987, p. 33.