Council adopts Directive on protection of personal data

The EU Directive on the protection of personal data was formally adopted by the Council of Ministers (Ministers for Economy and Finance) on 24 July 1995. The Directive will establish a clear and stable regulatory framework, necessary to guarantee free movement of personal data, while leaving individual EU countries room for manoeuvre with regard to the way in which the Directive is implemented.

Free movement of data is particularly important for all services with a large customer base and depending on processing personal data. In practice, banks and insurance companies process large quantities of personal data, including data on such highly sensitive issues as credit ratings and credit-worthiness. If each Member State had its own set of rules on data protection, for example on how data subjects could verify the information held on them, cross-border provision of services, notably over the information superhighways, would be virtually impossible and this extremely valuable new market opportunity would be lost.

The Directive aims to narrow divergences between national data protection laws to the extent necessary to remove obstacles to the free movement of personal data within the EU. As a result, any person whose personal data is processed in the Community will be afforded an equivalent level of protection, in particular with regard to privacy rights, irrespective of the Member State in which the processing is carried out.

Until now, differences between national data protection laws have resulted in obstacles to transfers of personal data between Member States. This has been true even in cases where States have ratified the 1981 Council of Europe Convention on personal data protection and has resulted in particular problems, for example, for multinational companies wishing to transfer data concerning their employees between their operations in different Member States.

To prevent abuses in the use of personal data, and ensure that data subjects are informed of the existence of processing operations, the Directive lays down common rules to be observed by those who collect, hold or transmit personal data as part of their economic or administrative activities or in the course of the activities of their association. In particular, there is an obligation to collect data only for specified, explicit and legitimate purposes and to hold it only so long as it remains relevant, accurate and up-to-date.

The Directive also establishes the principle of transparency with regard to the collection of data. This gives individuals the option of whether to provide the information or not and entitles them to be informed about the identity of the organisation intending to process the data and the main purpose of such processing.

The Directive requires all data processing to have a proper legal basis. The legal grounds defined in the Directive are:

- Consent;
- Contract;
- Legal obligation;
- Vital interest of the data subject;
- Balance between the legitimate interests of the people controlling the data and the people on whom data is held.

This last option gives Member States room for manoeuvre in their implementation and application of the Directive.

Under the Directive, data subjects are granted a number of important rights including the right of access to data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances. Individuals will, for example, have the right to opt-out, free of charge and without providing any specific reason, from being sent direct marketing material.

In the case of particularly sensitive data (ethnic or racial origin, political or religious beliefs, trade union membership or data concerning health or sexual life), the Directive establishes that this can only be processed with the explicit consent of the individual concerned. Exceptions may be allowed in specific cases where there is an important public interest (e.g. for medical or scientific research), in which event alternative safeguards must be established.

The flexibility of the Directive means that some differences between national data protection regimes may still persist. It, therefore, lays down the principle that the law of the Member State where a data processor is established applies in cases where data is transferred between Member States.

In the specific case of personal data used exclusively for journalistic, artistic or literary purposes, the Directive requires Member States to ensure appropriate exemptions and derogations exist which strike a balance between guaranteeing freedom of expression while protecting the individual's right to privacy.

With regard to the transfer of data to non-EU countries, the Directive includes provisions to prevent the EU rules from being circumvented. The basic rule is that the non-EU country receiving the data should ensure an adequate level of protection. The advantage for those non-EU countries who are able to provide adequate data protection is that they will be able to benefit from the free flow of data from all 15 EU Member States.
