What Is the Data Protection Directive?
The Data Protection Directive is a directive adopted by the European Union in 1995 to deal with personal data within the European Union. It is an important part of EU privacy and human rights law.
- Rightward privacy is a highly developed area of law in Europe. [1]
- The directive regulates the processing of personal data, whether or not such processing is automated.
Data protection directive scope
- Personal data is defined as "any information related to an identified or identifiable natural person (" data subject "); an identifiable person is a person that can be identified directly or indirectly, especially by reference to a reference number or one or more specific Factors related to his physical, physical, psychological, economic, cultural or social identity.
- This definition means very broad. When someone can link information to someone, the data is "personal data" even if the person holding the data cannot establish the link. Some examples of "personal data" are: addresses, credit card numbers, bank statements, criminal records, etc.
- Conceptual processing refers to "any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, transmission through transmission, disclosure or disclosure Provide, align or combine in other ways, prevent, erase or destroy; ".
- The responsibility for compliance lies with the controller, which means natural or man-made persons, public authorities, agencies or any other organization that determines the purpose and method of processing personal data, either alone or in conjunction with others;
- Data protection rules apply not only to the establishment of controllers within the European Union, but also to situations where the controller uses equipment located within the European Union to process data. (Article 4) Controllers who process data from outside the EU must comply with data protection regulations. In principle, any online business transaction with EU residents will process some personal data and will use EU equipment to process the data (ie the customer's computer). Therefore, website operators must comply with European data protection rules. The directive was written before a breakthrough in the Internet, and so far there is very little jurisprudence on this subject.
Data Protection Directive Principles
- Personal data should not be processed unless certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
- 1) Transparency
- Data subjects have the right to be notified when processing their personal data. The controller must provide his name and address, the purpose of the processing, the recipient of the data, and all other information necessary to ensure fair processing.
- Data can only be processed if one of the following conditions is met (Article 7):
- When the data subject expresses consent.
- When processing is necessary to perform or sign a contract.
- When dealing with compliance with legal obligations.
- When processing is needed to protect the vital interests of the data subject.
- Processing is necessary to perform tasks performed in the public interest or the official authority of a third party that exercises control or disclosure of data.
- Processing is necessary for the legitimate interests pursued by the controller or the third party or party that disclosed the data, unless those interests are covered by the fundamental rights and freedoms of the data subject. The data subject has access to all data that he processes. The data subject even has the right to request correction, deletion or prevention of incomplete, inaccurate or data not processed in accordance with data protection rules.
- 2) Legal purpose
- Personal data may only be processed for the specified clear and legal purposes, and may not be further processed in a manner incompatible with these purposes. Personal data must be protected against misuse and respect for "certain rights of data owners guaranteed by EU law".
- 3) Proportion
- Personal data may only be processed if it is relevant and sufficient, relevant and not excessive for the purpose for which it was collected and / or further processed. Data must be accurate and up-to-date when necessary; all reasonable steps must be taken to ensure that inaccurate or incomplete data is deleted or corrected after taking into account the purpose of collection or further processing; the data should not be stored in a way that allows identification The data subject is longer than the data required for the purpose of collecting or further processing the data. Member States should establish appropriate safeguards for personal data that is stored long-term for historical, statistical or scientific use.
- If sensitive personal data (possibly: religion, political opinions, health, sexual orientation, ethnicity, membership of past organizations) are being processed, additional restrictions are required. The data subject may at any time object to the processing of personal data for direct marketing. Algorithm-based decisions that produce legal effects or significantly affect data subjects may be more than just automatic processing based on data. When using automated decision-making procedures, an appeal form should be provided.