Data Protection Directive in Europe
The Data Protection Directive 95/46/EC sets in Article 6 requirements for the quality of personal data which is to be processed. Apart from all processing activities being fair and lawful, the most important principle is purpose limitation.
The processing of personal data must be predetermined for a specific purpose. Only the data necessary and adequate for this purpose may be legitimately collected and processed further. Any later or downstream processing of the data for a different purpose is prohibited as long as that purpose is incompatible with the original purpose for which the data was collected in the first place. For instance, see Article 6 (1) lit. b) for the general requirement of purpose binding and Article 8 EU Data Protection Directive 95/46/EC for the processing of special categories of personal data, with the authorization of the EU Member States to regulate specific purpose cases; also, see recitals (28), (30) and (31) of the Directive.
So for such processing, new legitimizing grounds are necessary; otherwise the data has to be effectively deleted as soon as it is no longer necessary to fulfill the original purpose.
Data subject’s rights
To guarantee effective protection, data protection law grants the individuals concerned specific and extensive rights. These are:
- to demand and receive information (Articles 10 and 11 Directive 95/46/EC),
- to gain access to that data (Article 12 Directive 95/46/EC), and
- to ask for the alteration or deletion of this data and to object to the collection of the data in the first place (Article 14 Directive 95/46/EC).
Explicitly, the Directive requires that the right to object be free of charge, and if the objection is justified the controller may no longer process the personal data concerned. The right to object is limited where the controller is under a legal duty to process the personal data.
Technical and organizational measures
According to Articles 16 and 17 of the EU Data Protection Directive 95/46/EC, specific confidentiality and security safeguards must be provided to ensure the protection of the data. Such safeguards include binding processors to the instructions of the controller, preventing unwanted disclosure (disclosure to processors, subcontractors and third parties only on legitimate grounds) and preventing undesired data destruction, loss, corruption or deletion and other unlawful forms of processing. Furthermore, the controller must ensure that these confidentiality and security safeguards also remain in effect once a data processor processes the data on its behalf. In this context, the Directive explicitly refers to appropriate technical and organizational measures that shall be taken to realize these safeguards. Recital 46 of the Directive clarifies that such measures shall be taken both at the time of the design of the processing system and during the processing itself. It also demands a sufficient balancing of the state of the art in terms of the achievable security level, the implementation costs and the risks of the processing act. Which technical and organizational security measures under Article 17 (1) are appropriate depends heavily on the nature, manner and purpose of the data processing, the facilities and the organizational structure of the data controller.
The general rule is to install state-of-the-art security safeguards adequate for the nature of the data and processing activity, taking into account the specific risk for the data subject. A Data Protection Impact Assessment is the advised solution to assess and monitor the appropriateness of technical and organizational measures. Evaluation benchmarks are the six data protection goals: Availability, Integrity, Confidentiality, Transparency, Intervenability and Unlinkability.
If personal data is being disclosed across the borders of the Community area, the recipient country in question is referred to as “third country” by the EU Data Protection Directive (Chapter IV “Transfer Of Personal Data To Third Countries” of the European Data Protection Directive 95/46/EC).
In such cases, the data processing on behalf of the controller according to the EU Data Protection Directive is only possible as long as the third country ensures an adequate level of protection. (See Article 25 (1) European Data Protection Directive 95/46/EC). So far, this adequate level of protection is acknowledged by the European Commission for the following countries:
- Australia (for airline passenger data),
- Canada (for processing operations subject to the Canadian Personal Information Protection and Electronic Documentation Act and for airline passenger data),
- the Isle of Man,
- the Faroe Islands,
- the United States (if the data recipient in the US has adopted and self-certified the Safe Harbor Principles (however, the Safe Harbor self-certification is deemed insufficient by some Member States) and for airline passenger data).
The transmission of personal data into a third country that lacks such an acknowledged level of protection is prohibited without additional contractual safeguards according to Article 25 (4) of the EU Data Protection Directive. The additional safeguards that can legitimize such a data transfer are, for instance, the Standard Contractual Clauses provided by the European Commission (EU SCC), Binding Corporate Rules (BCR) and Binding Corporate Rules for Processors.
Data Protection Directive 95/46/EC and the Public Sector Information
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as the “Data Protection Directive”) is the centrepiece legislation at EU level in the field of data protection. The Directive is a framework law, meaning that it is implemented in EU Member States through national laws. It aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when the processing is lawful. The guidelines mainly relate to the quality of the data; the legitimacy of the processing; the processing of special categories of data; the information to be given to the data subject; the data subject’s right of access to data; the right to object to the processing of data; the confidentiality and security of processing; and the notification of the processing to a supervisory authority (NSAs). The Directive also sets out principles for the transfer of personal data to third countries and provides for the establishment of data protection authorities (NSAs) in each EU Member State.
Source: https://www.edps.europa.eu/EDPSWEB/edps/lang/en/EDPS/Dataprotection/Glossary/pid/74
On 25th January 2012 the European Commission launched its “Proposal of Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, which is intended to replace Directive 95/46/EC.
Source: https://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf