Data Privacy in Europe

This article will give a quick and simple “Data Privacy” overview. What is it? What does it impact? Who is involved?

Let's start with some definitions! Data privacy refers to the right to privacy that each individual is entitled to. This right is a highly developed (not to say highly complex) area of European law.

Data is "personal data" when it can be linked directly or indirectly to a person: "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity" (Directive 95/46/EC art. 2 a).

Some examples of personal data are:

  • Name
  • Address
  • Telephone number

Some examples of “sensitive” personal data are:

  • Race
  • Ethnicity
  • National ID number
  • Date of birth
  • Financial data (credit card or bank account number)
  • Sexual orientation/history
  • Religious or political views
  • Membership in trade organizations
  • Criminal history
  • Health/medical data
  • Address


The European Union came up with a directive called “Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.

The directive can be summarized in 10 principles. The organisation owning the data and deciding on the purpose and the meaning of the data is accountable for compliance.

  • processed fairly and lawfully
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant and not excessive
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • secure
  • processed in accordance with the data subject's rights
  • not transferred to countries without adequate protection
  • the data subject has unambiguously given his consent
  • the data subject should be allowed to access their data and make corrections to any inaccurate data


Although the European Commission harmonized the data protection regulation, you will always find exceptions in each country:

  • Private data might differ from one country to another (age in the UK, national ID in the Netherlands, etc.)
  • Works council approval
  • In the case of a transfer of personal data outside the country, special requirements might need to be met (especially for countries with weak data protection laws)
  • The same applies when personal data is stored within the country but accessed from outside (this happens more and more with web applications)
  • Etc.


Each country in Europe must have a supervisory authority that oversees the correct processing of private data and can also give advice.

  • Anyone processing private data has the obligation to notify the supervisory authority (Directive 95/46/EC art. 18)
  • Member States shall specify the information to be given in the notification. It shall include at least: (Directive 95/46/EC art. 19)
    • the name and address of the controller and of his representative, if any;
    • the purpose or purposes of the processing;
    • a description of the category or categories of data subject and of the data or categories of data relating to them;
    • the recipients or categories of recipient to whom the data might be disclosed;
    • proposed transfers of data to third countries;
    • a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 17 to ensure security of processing.

External links

Council of Europe data protection page:

http://www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/

EU data protection page:

http://ec.europa.eu/justice_home/doc_centre/privacy/law/index_en.htm#proposals