Data Protection Directive
Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46EC) which protects individuals’ privacy and personal data use. The Directive was adopted in 1995, became effective in 1998 and protects individuals’ privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality and transparency principles, data security and confidentiality, data subjects’ rights of access, rectification, deletion and objection, restrictions on onwards transfers, additional protection where special categories of data and direct marketing are involved and a prohibition on automated individual decisions. The Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The Directive’s key provisions impose severe restrictions on personal data processing, grant individual rights to “data subjects” and set forth specific procedural obligations including notification to national authorities. This was followed in 1997 by a more specific directive for the telecom sector (97/66/EC), which was replaced in mid-2002 by the European institutions to adapt it to new technologies and business practices (2002/58/EC). The Directive has been supplemented by additional directives including a specific provision for e-commerce.
There is currently a proposal from the European Commission for an EU Data Protection Regulation that would supersede the directive if passed.
Reference(s) in IAPP Certification Textbooks: F18-19, 34-41; E37
Associated term(s): EU Data Protection Directive