EU Directive


EU Directive 95/46/EC
• (Paragraph 2) “Whereas data-processing systems are
designed to serve man; whereas they must . . . respect
their fundamental rights and freedoms, notably the right
to privacy, and contribute to economic and social
progress, trade expansion and the well-being of
individuals.”
• (Paragraph 15) “Whereas the processing of such data is
covered by this Directive only if it is automated or if the
data processed are contained or are intended to be
contained in a filing system structured according to
specific criteria relating to individuals, so as to permit
easy access to the personal data in question . . .”
• (Paragraph 27) “Whereas the protection of individuals
must apply as much to automatic processing of data as
to manual processing . . . This Directive covers only filing
systems, not unstructured files; whereas, in particular,
the content of a filing system must be structured
according to specific criteria relating to individuals
allowing easy access to the personal data . . . different
criteria for determining the constituents of a structured
set of personal data, and the different criteria governing
access to such a set may be laid down by each Member
State . . .”
EU Directive 95/46/EC
• Three Sections
– Regulations regarding the collection and handling of
personal data
– Regulations concerning the legitimate processing of
personal data
– Regulations regarding the exportation of personal
data from the EU
• Requires member states to ensure that they give
individuals a direct right of action for mishandling
of personal data (“any information relating to an
identified or identifiable natural person”)
Collection of personal data
• Collected for specified and legitimate purposes
and not processed further
• Relevant and not excessive for the purpose
collected
• Accurate and updated as necessary
• Kept in a form that permits identification of data
subjects no longer than necessary
• Kept confidential and secure
• Also data subjects must be informed of identity
of individual in charge of data and their right of
access and correction of errors
Processing of personal data
• “lawful and fair to the individuals concerned”
– Adequate, relevant and not excessive in relation to
the purposes for which they are processed
• Only if data subject has unambiguously given consent,
or
• Processing is necessary for the performance of a
contract to which the data subject is a party, or
• Necessary for compliance with data subject’s legal
obligations, or
• Necessary to protect the vital interests of the data
subject or the official authority of data controller, or
More on processing
• Necessary to legitimate interest pursued
by the data controller, except where data
subject’s privacy interests outweigh
• Controller must tell Member State’s data
protection authority of carrying out any
wholly or partly automated processing
operation
Exported from EU
• Country provides an “adequate level of
protection”
• Data subject has given unambiguous consent
• Necessary to the performance of a contract
between data subject and controller
• Necessary for the conclusion or performance of
a contract between the controller and third party
in the data subject’s interest
More on exported from EU
• Necessary or legally required in the public
interest or for legal claims
• Necessary to protect the vital interests of
the data subject
• Transfer is made from a register which
according to laws and regulations is
intended to provide information to the
public.
• Safe Harbor