The data protection principles contained in the EU privacy Directive (1995)

Extract from - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( Official Journal L 281 , 23/11/1995 p. 0031 - 0050)
The full Directive is at http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
 

CHAPTER II GENERAL RULES ON THE LAWFULNESS OF THE PROCESSING OF PERSONAL DATA

Article 5

Member States shall, within the limits of the provisions of this Chapter, determine more precisely the conditions under which the processing of personal data is lawful.

SECTION I PRINCIPLES RELATING TO DATA QUALITY

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

SECTION II CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

Article 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

SECTION III SPECIAL CATEGORIES OF PROCESSING

Article 8 The processing of special categories of data

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.

Article 9 Processing of personal data and freedom of expression

Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

SECTION IV INFORMATION TO BE GIVEN TO THE DATA SUBJECT

Article 10 Information in cases of collection of data from the data subject

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as

- the recipients or categories of recipients of the data,

- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

Article 11 Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as

- the categories of data concerned,

- the recipients or categories of recipients,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

SECTION V THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA

Article 12 Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

SECTION VI EXEMPTIONS AND RESTRICTIONS

Article 13 Exemptions and restrictions

1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measure to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others.

2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

SECTION VII THE DATA SUBJECT'S RIGHT TO OBJECT

Article 14 The data subject's right to object

Member States shall grant the data subject the right:

(a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.

Member States shall take the necessary measures to ensure that data subjects are aware of the existence of the right referred to in the first subparagraph of (b).

Article 15 Automated individual decisions

1. Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.

2. Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a decision of the kind referred to in paragraph 1 if that decision:

(a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or

(b) is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests.

SECTION VIII CONFIDENTIALITY AND SECURITY OF PROCESSING

Article 16 Confidentiality of processing

Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.

Article 17 Security of processing

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

- the processor shall act only on instructions from the controller,

- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

SECTION IX NOTIFICATION

Article 18 Obligation to notify the supervisory authority

1. Member States shall provide that the controller or his representative, if any, must notify the supervisory authority referred to in Article 28 before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or

- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

  - for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive

  - for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

3. Member States may provide that paragraph 1 does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest.

4. Member States may provide for an exemption from the obligation to notify or a simplification of the notification in the case of processing operations referred to in Article 8 (2) (d).

5. Member States may stipulate that certain or all non-automatic processing operations involving personal data shall be notified, or provide for these processing operations to be subject to simplified notification.

Article 19 Contents of notification

1. Member States shall specify the information to be given in the notification. It shall include at least:

(a) the name and address of the controller and of his representative, if any;

(b) the purpose or purposes of the processing;

(c) a description of the category or categories of data subject and of the data or categories of data relating to them;

(d) the recipients or categories of recipient to whom the data might be disclosed;

(e) proposed transfers of data to third countries;

(f) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 17 to ensure security of processing.

2. Member States shall specify the procedures under which any change affecting the information referred to in paragraph 1 must be notified to the supervisory authority.

Article 20 Prior checking

1. Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.

2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.

3. Member States may also carry out such checks in the context of preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which define the nature of the processing and lay down appropriate safeguards.

Article 21 Publicizing of processing operations

1. Member States shall take measures to ensure that processing operations are publicized.

2. Member States shall provide that a register of processing operations notified in accordance with Article 18 shall be kept by the supervisory authority.

The register shall contain at least the information listed in Article 19 (1) (a) to (e).

The register may be inspected by any person.

3. Member States shall provide, in relation to processing operations not subject to notification, that controllers or another body appointed by the Member States make available at least the information referred to in Article 19 (1) (a) to (e) in an appropriate form to any person on request.

Member States may provide that this provision does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can provide proof of a legitimate interest.