Disney Enterprises, Inc. et al v. Hotfile Corp. et al
Filing
81
MEMORANDUM of Law re 72 Plaintiff's MOTION to Compel RESPONSES TO REQUESTS FOR PRODUCTION OF DOCUMENTS AND INTERROGATORIES (Public Redacted Version)Plaintiff's MOTION to Compel RESPONSES TO REQUESTS FOR PRODUCTION OF DOCUMENTS AND INTERROGATORIES (Public Redacted Version) Memorandum of Law of Defendants Hotfile Corporation and Anton Titov In Opposition to Plaintiffs' Motion to Compel Responses to Requests for Production and Interrogatories by Hotfile Corp., Anton Titov. (Attachments: # 1 Exhibit 1, # 2 Exhibit A, # 3 Exhibit B, # 4 Exhibit C, # 5 Exhibit D, # 6 Exhibit E, # 7 Exhibit F, # 8 Exhibit G, # 9 Exhibit H, # 10 Exhibit I, # 11 Exhibit J, # 12 Exhibit K, # 13 Exhibit L, # 14 Exhibit M, # 15 Exhibit N, # 16 Exhibit O, # 17 Exhibit 2, # 18 Exhibit 3, # 19 Exhibit A)(Munn, Janet)
EXHIBIT K
23. 11. 95
EN
Official journal of the European Communities
No L 281/31
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data
THE EUROPEAN PARLIAMENT AND THE COUNCIL. OF
THE EUROPEAN UNION,
Article 7a of the Treaty, the free movement of
goods, persons, services and capital is ensured
require not only that personal data should be able
to flow freely. from one Member State to another,
but also that the fundamental rights of individuals
Should be safeguarded;
Having regard to the Treaty establishing the European
Community, and in particular Article 100a thereof,
Having regard to the proposal from the Commission (I),
(4)
Whereas increasingly frequent recourse is being
had in the Community to the processing of .
personal data in the various spheres of economic
and social activity; whereas the progress made in
information technology is making the processing
and exchange of such data considerably easier;
(5)
Whereas the economic and social integration
resulting from the establishment and functioning of
the internal market within the meaning of Article
7a of the Treaty will necessarily lead to a
substantial increase in cross-border flows of
personal data between all those involved in a
private or public capacity in economic and social
activity in the Member States; whereas the
exchange of personal data between undertakings in
different Member States is set to increase; whereas
the national authorities in the various Member
States are being called upon by virtue of
Community law to collaborate and exchange
personal data so as to be able to perform their
duties or carry out tasks on behalf of an authority
in another Member State within the context of the
area without internal frontiers as constituted by
the internal market;
(6)
Whereas, furthermore, the increase in scientific and
technical cooperation and the coordinated
introduction of new telecommunications networks
in the Community necessitate and facilitate
cross-border flows of personal data;
(7)
Whereas the difference in levels of protection of
the rights and freedoms of individuals, notably the
right to privacy, with regard to the processing of
personal data afforded in the Member States may
prevent the transmission of such data from the
territory of one Member State to that of another
Member State; whereas this difference may
therefore constitute an obstacle to the pursuit of a
number of economic activities at Community level,
Having regard to the opinion of the Economic and Social
Committee ( 2 ),
Acting in accordance with the procedure referred to in
Article 189h of the Treaty ( 3 ),
(1)
Whereas the objectives of the Community, as laid
down in the Treaty, as amended by the Treaty on
European Union, include creating an ever closer
union among the peoples of Europe, fostering
closer relations between the States belonging to the
Community, ensuring economic and social progress
by common action to eliminate the barriers which
divide
Europe,
encouraging
the
constant
improvement of the living conditions of its peoples,
preserving and strengthening peace and liberty and
promoting democracy on the basis of the
fundamental rights recognized in the constitution
and laws of the Member States and in the
European Convention for the Protection of Human
Rights and Fundamental Freedoms;
(2)
Whereas data-processing systenis are designed to
serve man; whereas they must, whatever the
nationality or residence of natural persons, respect
their fundamental rights and freedoms, notably the
right to privacy, and contribute to economic and
social progress, trade expansion and the well-being
of individuals;
(3)
Whereas the establishment and functioning of an
internal market in which, in accordance with
( I ) 0J No C 277, S. II. 1990, p. 3 and OJ No C 311, 27. 11.
1992, p. 30.
(2) OJ No C 159, 17. 6. 1991, p 38.
(3) Opinion of the European Parliament of 11 March 1992 (01
No C 94, 13. 4;1992, p. 198), confirmed on 2 December
1993 (0J No C 342, 20. 12. 1993, p. 30); Council common
position of 20 February 1995 (OJ No C 93, 13; 4. 1995,
p. 1) and Decision of the European Parliament of 15 June
1995 (0] No C 166, 3. 7. 1995).
No 1. 281/32.
EN
Official Journal of the European Communities
distort competition and impede authorities in the
23. 11. 95
discharge of their responsibilities under
Community law; whereas this difference in levels
Whereas the principles of the protection of the
rights and freedoms of individuals, notably the
right to privacy. which are contained in this
of protection is due to the existence of a wide
variety of national laws, regulations and
contained in the Council of Europe Convention of
(11)
Directive, give substance to and amplify those
28 January 1981 for the Protection of Individuals
with regard to Automatic Processing of Personal
administrative provisions;
Data;
(8)
Whereas, in order to remove the obstacles to flows
of personal data, the level of protection of the
(12)
rights and freedoms of individuals with regard to
the processing of such data must be equivalent in
all Member States; whereas this objective is vital to
the internal market but cannot he achieved by the
there should be excluded the processing of data
carried out by a natural person in the exercise of
activities which are exclusively personal or
Member States alone, especially in view of the
scale of the divergences which currently exist
domestic, such as correspondence and the holding
of records of addresses;
between the relevant laws in the Member States
and the need to coordinate the laws of the •
Member States so as to ensure that the
cross-border flow of personal data is regulated in a
consistent manner that is in keeping with the
objective of the internal market as provided for in
Article 7a of the Treaty; whereas Community
(13)
prejudice to the obligations incumbent upon
Member States under Article 56 (2), Article 57 or
needed;
Article 100a of the Treaty establishing the
European Community, whereas the processing of
personal data that is necessary to safeguard the
Whereas, given the equivalent protection resulting
economic well-being of the State does not fall
within the scope of this Directive where such
processing relates to State security matters;
from the approximation of national laws, the
Member States will no longer be able to inhibit the
free movement between them of personal data on
grounds relating to protection of the rights and
freedoms of individuals, and in partiCular the right
to privacy; whereas Member States will he left a
Whereas the acitivities referred to in Titles V and
VI of the Treaty On European Union regarding
public safety, defence, State security or the
acitivities of the State in the area of criminal laws
fall outside the scope of Community law, without
action to approximate those laws is therefore
(9)
Whereas the protection principles must apply to all
processing of personal data by any person whose
activities are governed by Community law; whereas
(14)
Whereas ;
given
the
importance
of
the
of implementation of the• Directive, also he
exercised by the business and social partners;
developments under way, in the framework of the
information society, of the techniques used to
capture, transmit, manipulate, record, store or
whereas Member States will therefore he able to
communicate sound and image data relating to
specify in their national law the general conditions
natural persons, this Directive shbuld he applicable
governing the lawfulness of data processing;
whereas in doing so the Member States shall strive
to improve the protection currently provided by
to processing involving such data;
margin for manoeuvre, which may, in the context
implementation of the Directive, and this could
have an effect on the movement of data within a
Whereas the processing of such data is covered by
this Directive only if it is automated or if the data
processed are contained or are intended to he
contained in a filing system structured according to
specific criteria relating to individuals, so as to
Member State as well as within the Community;
permit easy access to the personal data in
their legislation; whereas, within the limits of this
margin for manoeuvre and in accordance with
Community law, disparities could arise in the
(15)
question;
(10) Whereas the object of the national laws on the
(16)
fundamental rights and freedoms, notably. the right
to privacy, which is recognized both in Article 8 of
the European Convention for the Protection of
Human - Rights and Fundamental Freedoms and in
the general principles of Community law; whereas,
for that reason, the approximation of those laws
must not result in any lessening of the protection
they afford but must, on the contrary, seek to
ensure a high level of protection in the
Comm unity;
Whereas the processing of sound and image data,
such as in cases of video surveillance, does not
come within the scope of this Directive if it is
processing of personal data is to protect
carried out for the purposes of public security, •
defence, national security or in the course of State
activities relating to the area of criminal law or of
other activities which do not come within the
scope of Community law;
(17)
Whereas, as far as the processing of sound and
image data carried out for purposes of journalism
23. 11. 95
EN
Official journal of the European Communities
or the purposes of literary or artistic expression is
No L 281/33
data and by sectorial laws such as those relating,
for example, to statistical institutes;
concerned, in particular in the audiovisual field,
the principles of the Directive are -to apply in a
restricted manner according to the provisions laid
down in Article 9;
(24)
(18)
Whereas the legislation concerning the protection
Whereas, in order to ensure that individuals are
of legal persons with regard to the processing data
not deprived of the protection to which they are
entitled under this Directive, any processing of
which concerns them is not affected by this
Directive;
personal data in the Community must he carried
out in accordance with the law of one of the
Member Stares; whereas, in this connection,
processing carried out under the responsibility of a
controller who -is established in a Member State
(25)
(19)
Whereas the principles of protection must be
reflected, on the one hand, in the obligations
imposed on persons, public authorities, enterprises,
should be governed by the law of that State;
agencies or other bodies responsible for processing,
in particular regarding data quality, technical
security, notification to the supervisory authority,
Whereas establishment on the territory of a
Member State implies the effective and real
and the circumstances under which processing can
he carried out, and, on the other hand, in the right
conferred on individuals, the data on whom are
the subject of processing, to he informed that
exercise of activity through stable arrangements;
whereas the legal form of such an establishment,
whether simply branch or a subsidiary with a legal
personality, is not the determining factor in this
processing is taking place, to consult the data; to
respect; whereas, when a single controller is
established on the territory of several Member
States, particularly by means of subsidiaries, he
must ensure, in order to avoid any circumvention
request corrections and even to object to
processing in certain circumstances;
of national rules, that each of the establishments
fulfils the obligations imposed by the national law
applicable to its activities;
(20)
•
(26)
Whereas the fact that the processing of data is
carried out by a person established in a third
all the means likely reasonably to he used either by
country must not stand in the way of. the
protection of individuals provided for in this
the controller or by any other person to identify
the said person; whereas the principles of
protection shall not apply to data rendered
Directive; whereas in these cases, the processing
should be governed by the law of the Member
State in which the means used are located, and
anonymous in such a way that the data subject is
no longer identifiable; whereas codes of conduct
within the meaning of Article 27 may he a useful
instrument for providing guidance as to the ways
in which data may he rendered anonymous and
retained in a form in which identification of the
there should he guarantees to ensure that the rights
and obligations provided for in this Directive are
respected in practice;
(21)
Whereas the principles of protection must apply to
any information concerning an identified or
identifiable person; whereas, to determine whether
a person is identifiable, account should be taken of
data subject is no longer possible;
Whereas this Directive is without prejudice to the
in criminal
rules of territoriality applicable
matters;
(22)
Whereas Member States shall more precisely define
in the laws they enact or when bringing into force
the measures taken under this Directive the general
circumstances in which processing is lawful;
whereas in partiCular Article 5, in conjunction with
(27)
Whereas the protection of individuals must apply
as much to automatic processing of data as to
manual processing; whereas the scope of this
protection must not in effect depend on the
techniques used, otherwise this would create a
Articles 7 and 8, allows Member States,
independently of general rules, to provide for
special processing conditions for • specific sectors
and for the various categories of data covered by
Article 8;
(23)
serious
Directive
covers
only
filing
systems,
not
unstructured files; whereas, ih particular, the
content of a filing system must be structured
Whereas Member States are empowered to ensure
the implementation of the protection of individuals
both by means of a general law on the protection
according to specific criteria relating to individuals
allowing easy access to the personal data; whereas,
in line with the definition in Article 2 (c), the
different criteria for determining the constituents
of a structured set of personal data, and the
of individuals as regards the processing of personal
different criteria governing access to such a set,
risk
of
circumvention;
whereas,
nonetheless, as regards manual processing, this
No L 281/34
EN
Official Journal of the European Communities
may he laid down by each Member State; whereas
files or sets of files as well as their cover pages,
which are not structured according to specific
criteria, shall under no circumstances fall within
the scope of this Directive;
(28)
(29)
Whereas any processing of personal data must be
lawful and fair to the individuals concerned;
whereas, in particular, the data must be adequate,
relevant and not excessive in relation to the
purposes for which they are processed; whereas
such purposes must be explicit and legitimate and
must he determined at the time of collection of the
data; whereas the purposes of processing further to
collection shall not be incompatible with the
purposes as they were originally specified;
Whereas the further processing of personal data
for historical, statistical or scientific purposes is
not generally to be considered incompatible with
the purposes for which the data have previously
been collected provided that Member States furnish
suitable safeguards; whereas these safeguards must
in particular rule out the use of the data in support
of measures or decisions regarding any particular
individual;
(32)
23. 11. 95
Whereas it is for national legislation to determine
whether the controller performing a task carried
Out in the public interest or in the exercise of
official authority should be a public administration
or another natural or legal person governed by
public law, or by private law such as a professional
association;
(.33) Whereas data which are capable by their nature of
infringing fundamental freedoms or privacy should
not be processed unless the data subject gives his
explicit consent; whereas, however, derogations
from this prohibition must be explicitly provided
for in respect of specific needs, in particular where
the processing of these data is carried out for
certain health-related purposes by persons subject
to a legal obligation of professional secrecy or in
the course of legitimate activities by certain
associations or foundations the purpose of which is
to permit the exercise of fundamental freedoms;
(31)
Whereas, in order to be lawful, the processing of
personal data must in addition be carried out with
the consent of the data subject or be necessary for
the conclusion or performance of a contract
binding on the data subject, or as a legal
requirement, or for the performance of a task
carried out in the public interest or in the exercise
of official authority, or in the legitimate interests of
a natural or legal person, provided that the
interests or the rights and freedoms of the data
subject are not overriding; whereas, in particular,
in order to maintain a balance between the
interests involved while .guaranteeing effective
competition, Member States may determine the
circumstances in which personal data may he used
or disclosed to a third party in the context of the
legitimate ordinary business activities of companies
and other bodies; whereas Member States may
similarly specify the conditions under which
personal data may be disclosed to a third party for
the purposes of marketing whether carried out
commercially or by a charitable organization or by
any other association or foundation, of a political
nature for example, subject to the provisions
allowing a data subject to object to the processing
of data regarding him, at no cost and without
having to state his reasons;
Whereas the processing of personal data must
equally be regarded as lawful where it is carried
out in order to protect an interest which is
.
essential for the data subject's life;
Whereas Member States must also be authorized,
when justified by grounds of important public
interest, to derogate from the prohibition on
processing sensitive categories of data where
important reasons of public interest so justify in
areas such as public health and social protection
especially in order to ensure the quality and
cost-effectiveness of the procedures used for
settling claims for benefits and services in the
health insurance system - scientific research and
government statistics; whereas it is incumbent on
them, however, to provide specific and suitable
safeguards so as to protect the fundamental rights
and the privacy of individuals;
(35)
Whereas, moreover, the processing of personal
data by official authorities for achieving aims, laid
down in constitutional law or international public
law, of officially recognized religious associations is
carried out on important grounds of public
interest;
(36)
Whereas where, in the course of electoral activities,
the operation of the democratic system requires in
certain Member States that political parties
compile data on people's political opinion, the
processing of such data may be permitted for
reasons of important public interest, provided that
appropriate safeguards are established;
(37)
(30)
(34)
Whereas the processing of personal data for
purposes of journalism or for purposes of literary
of artistic expression, in particular in the
audiovisual field, should qualify for exemption
from the requirements of certain provisions of this
Directive in so far as this is necessary to reconcile
23. 11. 95
EN
Official Journal of the European Communities
the fundamental rights of individuals with freedom
of information and notably the right to receive and
impart information, as guaranteed in particular in
Article 10 of the European Convention for the
Protection of Human Rights and Fundamental
Freedoms; whereas Member States should
therefore lay down exemptions and derogations
necessary for the purpose of balance between
fundamental rights as regards general measures on
the legitimacy of data processing, measures on the
transfer of data to third countries and the power
of the supervisory authority; whereas this should
not, however, lead Member States to lay down
exemptions from the measures to ensure security of
processing; whereas at least the supervisory
authority responsible for this sector should also he
provided with certain ex-post powers, e.g. to
publish a regular report or to refer matters to the
judicial authorities;
No L 281/35
concerning him, at least in the case of the
automated decisions referred to in Article 15 (1);
whereas this right must not adversely affect trade
secrets or intellectual property and in particular the
copyright protecting the software; whereas these
considerations must not, however, result in the
data subject being refused all information;
Whereas restrictions on the rights of access and
information and on certain obligations of the
controller may similarly be imposed by Member
States in.so far as they are necessary to safeguard,
for example, national security, defence, public
safety, or important economic or financial interests
of a Member State or the Union, as well as
criminal investigations and prosecutions and action
in respect of breaches of ethics in the regulated
professions; whereas the list of exceptions and
limitations should include the tasks of monitoring,
inspection or regulation necessary in the three
last-mentioned areas concerning public security,
economic or financial interests and crime
prevention; - whereas the listing of tasks in these
three areas does not affect the legitimacy of
exceptions or restrictions for reasons of State
security or defence;
(44)
Whereas Member States may also be led, by virtue
of the provisions of Community law, to derogate
from the provisions of this Directive concerning
the right of access, the obligation to inform
individuals, and the quality of data, in order to
secure certain of the purposes referred to above;
(45)
Whereas, in cases where data might lawfully be
processed .on grounds of public interest, official
authority or the legitimate interests of a natural or
legal person, any data subject should nevertheless
be entitled; on legitimate and compelling grounds
relating to his particular situation, to object to the
processing of any data relating to himself; whereas
Member States may nevertheless lay down national
provisions to rile contrary;
(46)
Whereas the protection of the rights and freedoms
of data subjects with regard to the processing of
personal data requires that appropriate technical
Whereas, if the processing of data is to be fair, the
data subject must be in a position to learn of the
existence of a processing operation and, where
data are collected from him, must be given
accurate and full information, bearing in mind the
circumstances of the collection;
(39)
Whereas Member States may, in the interest of the
data subject or so as to protect the rights and
freedoms of others, restrict rights of access and
information; whereas they may, for example,
specify that access to medical data may be
obtained only through a health professional;
(43)
(38)
(42)
Whereas certain processing operations involve data
which the controller has not collected directly from
the data subject; whereas, furthermore, data can be
legitimately disclosed to a third party, even if the
disclosure was not anticipated at the time the data
were collected from the data subject; whereas, in
all these cases, the data subject should be informed
when the data are recorded or at the latest when
the data are first disclosed to a third party;
(40)
(41)
Whereas, however, it is not necessary to impose
this obligation of the data subject already has the
information; whereas, moreover, there will be no
such obligation if the recording or disclosure are
expressly provided for by law or if the provision of
information to the data subject proves impossible
or would involve disproportionate efforts, which
could be the case where processing is for historical,
statistical or scientific purposes; whereas, in this
regard, the number of data subjects, the age of the
data, and any compensatory measures adopted
may he taken into consideration;
Whereas any person must be able to exercise the
right of access to data relating to him which are
being processed, in order to verify in particular the
accuracy of the data and the lawfulness of the
processing; whereas, for the same reasons, every
data subject must also haYe the right to know the
logic involved in the automatic processing of data
No L 281/36
EN
Official journal of the European Communities
and organizational measures be taken, both at the
time of the design of the processing system and at
(51)
the time of the processing itself, particularly in
23. 11. 95
Whereas, nevertheless, simplification or exemption
from the obligation to notify shall not release the
controller from any of the other obligations
resulting from this Directive;
order to maintain security and thereby to prevent
any unauthorized processing; whereas it is
incumbent on the Member States to ensure that
controllers comply with these measures; whereas
(52)
Whereas, in this context, ex Post facto verification
by the competent authorities must in general be
considered a sufficient measure; .
(53)
these measures must ensure an appropriate level of
Whereas, however, certain processing operation are
likely to pose specific risks to the rights and
security, taking into account the state of the art
and the costs of their implementation in relation to
the risks inherent in the processing and the nature
of the data to be protected;
(47)
Whereas where a message containing personal data
is transmitted by means of a telecommunications
or electronic mail service, the sole purpose of
freedoms of data subjects by virtue of their nature,
their scope or their purposes, such as that of
excluding individuals from a right, benefit or a
which is the transmission of such messages, the
controller in respect of the personal data contained
contract, or by virtue of the specific use of new
technologies; whereas it is for Member States, if
they so wish, to specify such risks in their
in the message will normally be considered to he
the person from whom the message origindtes,
rather than the person offering the transmission
services; whereas, nevertheless, those offering such
legislation;
services will normally be considered controllers in
respect of the processing of the additional personal
data necessary for the operation of the service;
(54)
Whereas with regard to all the processing
undertaken in society, the amount posing such
specific risks should be very limited; whereas
Member States must provide that the supervisory
Whereas the procedures for notifying the
authority, or the data protection official in
supervisory authority are designed to ensure
disclosure of the purposes and main features of
any processing operation for the purpose of
cooperation with the authority, check such
processing prior to it being carried out; whereas
following this prior check, the supervisory
verification that the operation is in accordance
(48)
authority may, according to its national law, give
an opinion or an authorization regarding the
with the national measures taken under this
processing; whereas such checking may equally
take place in the course of the preparation either of
a measure of the national parliament or of a
measure based on such a legislative measure, which
Directive;
(49)
unsuitable
to
avoid
in
order
Whereas,
administrative formalities, exemptions from the
obligation to notify and simplification of the
notification required may be provided for by
Member States in cases • where processing is
unlikely adversely to affect the rights and freedoms
of data subjects, provided that it is in accordance
defines the nature of the processing and lays down
appropriate safeguards;
(55)
with a measure taken by a Member State
Whereas, if the controller fails to respect the rights
of data subjects, national legislation must provide
for a judicial remedy; whereas any damage which a
person may suffer as a result of unlawful
specifying its limits; whereas exemption or
simplification may similarly he provided for by
processing must be compensated for by the
Member States where a person appointed by the
controller ensures that the processing carried out is
not likely adversely to affect the rights and
freedoms of data subjects; whereas such a data
protection official, whether or not an employee of
the controller, must be in a position to exercise his
damage, in particular in cases where he establishes
fault on the part of the data subject or in case of
force majeure; whereas sanctions must be imposed
functions in complete independence;
(50)
controller, who may be exempted from liability if
he proves that he is not responsible for the
public law, who fails to comply with the national
measures taken under this Directive;
Whereas exemption or simplification could be
provided for in cases of processing operations
whose sole purpose is the keeping of a register
intended, according to national law, to provide
information to the public and open to consultation
by the public or by any person demonstrating a
legitimate interest;
on any person, whether governed by private of
(56)
Whereas cross-border flows of personal data are
necessary to the expansion of international trade;
whereas the protection of individuals guaranteed in
the Community by this Directive does not stand in
the way of transfers of personal data to third
23. 11. 95
EN
Official Journal of the European Communities
Countries which ensure an adequate level of
protection; whereas the adequacy of the level of
protection afforded by a third country must be
assessed in the light of all the circumstances
surrounding the transfer operation or ser of
transfer operations;
(57)
(58)
(59)
(60)
(61)
(62)
Whereas, on the other hand, the transfer of
personal data to a third country which does not
ensure an adequate level of protection must be
prohibited;
be made for
Whereas provisions should
exemptions from this prohibition in certain
circumstances where the data subject has given his
consent, where the transfer is necessary in relation
to a contract or a legal claim, where protection of
an important public interest so requires, for
example in cases of international transfers of data
between tax or customs administrations or
between services competent for social security
matters, or where the transfer is made from a
register established by law and intended for
consultation by the public or persons having a
legitiMate interest; whereas in this case such a
transfer should not involve the entirety of the data
or entire categories 'of the data contained in the
register and, when the register is intended for
consultation by persons having a legitimate
interest, the transfer should he made only at the
request of those persons or if they arc to be the
recipients;
Whereas particular measures may be taken to
compensate for the lack of protection in a third
country in cases where the controller offers
whereas,
moreover,
appropriate
safeguards;
provision must be made for procedures for
negotiations between the Community and such
third countries;
Whereas, in any event, transfers to third countries
may he effected only in full compliance with the
prOvisions adopted by the Member States pursuant
to this Directive, and in particular Article 8
thereof;
Whereas Member States and the Commission, in
their respective spheres of competence, must
encourage the trade associations and other
representative organizations concerned to draw up
codes of conduct so as to facilitate the application
of this Directive, taking account of the specific
characteristics of the processing carried out in
certain sectors, and respecting the national
provisions adopted for its implementation;
Whereas the establishment in Member States of
supervisory authorities, exercising their functions
with complete independence, is an essential
component of the protection of individuals with
regard to the processing of personal data;
No 1. 281/37
(63)
Whereas such authorities must have the necessary
means to perform their duties, including powers of
investigation and intervention, particularly in cases
of complaints from individuals, and powers to
engage in legal proceedings; whereas. such
authorities must help to ensure transparency of
processing in the Member States within whose
Mrisdiction they fall;
(64)
Whereas the authorities in the different Member
States will need ro assist one another in performing
their duties so as to ensure that the rules of
protection are properly respected throughout the
European Union;
(65)
Whereas, at Community level, a Working Party on
the Protection of Individuals with regard' to the
Processing of Personal Data must he set up and be
completely independent in the performance of its
functions; whereas, having regard to its specific
nature, it must advise the Commission and, in
particular, contribute to the uniform application of
the national rules adopted pursuant to this
Directive;
(66)
Whereas, with regard to the transfer of data to
third countries, the application of this Directive
calls
for
the conferment of powers of
implementation on the Commission and the
establishment of a procedure as laid down in
Council Decision 87/373/EEC (');
(67)
Whereas an agreement on a modus Mvendi
between the European Parliament, the Council and
the Commission concerning the implementing
measures for acts adopted in accordance with the
procedure laid down in Article 189b of the EC
'Treaty was reached on 20 December 1994;
(68)
Whereas the principles set out in this Directive
regarding the protection of the rights and freedoms
of individuals, notably their right to privacy, with
regard to the processing of personal data may he
supplemented or clarified, in particular as far as
certain sectors are concerned, by specific rules
based on those principles;
(69)
Whereas Member. States should be allowed a
period of not more than three years from the entry
into force of the national measures transposing this
Directive in which to apply such new national rules
progressively to all processing operations already
under way; whereas, in order to facilitate their
cost-effective implementation, a further period
0) No I. 197,_18. 7. 1987, p. 33.
No L 251/38
Official Journal of the European Communities
EN
expiring 12 years after the date on which this
Directive is adopted will be allowed to Member
States to ensure the conformity of existing manual
filing systems with certain of the Directive's
provisions; whereas, where data contained in such
filing systems are manually processed during this
extended transition period, those systems must be
brought into conformity. with these provisions at
the time of such processing;
23. 11. 95
performance of a contract concluded on the basis
of free and informed consent before the entry into
force of these proVisions; •
Whereas this Directive does not stand in the way
of a Member Stare's regulating marketing activities
aimed at consumers residing in territory in so far
as such regulation does not concern the protection
of individuals with regard to the processing of
personal data;
(72)
(70) Whereas it is not necessary for the data subject to
give his consent again so as to allow the controller
to continue to process, after the national
provisions taken pursuant to this Directive enter
into force, any sensitive data necessary for the
(71)
Whereas this Directive allows the principle of
public access to official documents to be taken into
account when implementing the principles set Out
in this Directive,
HAVE ADOPTED THIS DIRECTIVE:
CHAPTER I
GENERAL PROVISIONS
Article 1
Object of the Directive
1. In accordance with this Directive, Member States
shall protect the fundamental rights and freedoms of
natural persons, and in particular their right to privacy
with respect to the processing of personal data.
2. Member States shall neither restrict nor prohibit the
free flow of personal data between Member States for
reasons connected with the protection afforded under
paragraph 1.
means, such as collection, recording, organization,
retrieval,
adaptation
or
alteration,
storage,
use, disclosure by - transmission,
consultation,
dissemination or otherwise making available,
alignment or combination, blocking, erasure or
destruction;
(c) 'personal data filing system' (`filing system') shall
mean any structured set of personal data which are
accessible according to specific criteria, whether
centralized, decentralized or dispersed on a functional
or geographical basis;
Article 2
Definitions
For the purposes of this Directive:
(a) 'personal data' shall mean any information relating to
an identified or identifiable natural person (`data
subject'); an identifiable person is one who can be
identified, directly or indirectly, in particular by
reference to an identification number or to one or
more factors specific to his physical, physiological,
mental, economic, cultural or social identity;
(b) `processing of personal data' (`processing') shall mean
any operation or set of operations which is performed
upon personal data, whether or not by automatic
(d) 'controller' shall mean the natural or legal person,
public authority, agency or any other body which
alone or jointly with others determines the purposes
and means of the proceSsing of personal data; where
the purposes and means of processing are determined
by national or ComMunity laws or• regulations, the
controller or the specific criteria for his nomination
may he designated by national or Community law;
(e) `processor' shall mean a natural or legal person,
public authority, agency or any other body which
processes personal data on behalf of the controller;
23. 13. 95
No L 281/39
Official journal of the European Communities
EN
economic well-being of the State when the processing
operation relates to State security matters) and the
activities of the State in areas of criminal law,
(f) 'third party' shall mean any natural or legal person,
public authority, agency or any other body other than
the data subject, the controller, the processor and the
persons who, under the direct authority of the
controller or the processor, are authorized to process
the data;
— by a natural person in the course of a purely personal
Or household activity.
(g) 'recipient' shall mean a natural or legal person, public
authority, agency or any other body to whom data
are disclosed, whether a third party or not; however,
authorities which may receive data in the framework
of a particular inquiry shall nor be regarded as
recipients;
Article 4
National law applicable
1. Each Member State shall apply the national
provisions it adopts pursuant to this Directive to the
processing of personal data where:
(h) 'the data subject's consent' shall mean any freely
given specific and informed indication of his wishes
by which the data subject signifies his agreement to
personal data relating to him being processed.
(a) the processing is carried out in the context of the
activities of an establishment of the controller on the
territory of the Member State; when the same
controller is established on the territory of several
Member States, he must take the necessary measures
to ensure that each of these establishments complies
with the obligations laid down by the national law
applicable;
Article 3
Scope
1. This Directive shall apply to the processing of
personal data wholly or partly by automatic means, and
to the processing otherwise than by automatic means of
personal data which form part of a filing system or are
intended to form part of a filing system.
2. This Directive shall not apply to the processing of
personal data:
— in the course of an activity which falls outside the
scope of Community law, such as those provided for
by Titles V and VI of the Treaty on European Union
and in any case to processing operations concerning
public security, defence, State security (including the
(b) the controller is not established on the Member
State's territory, but in a place where its national law
applies by virtue of international public law;
(c) 'the controller is not established on Community
territory and, for purposes of processing personal
data makes use of equipment, automated or
otherwise, situated on the territory of the said
Member State, unless such equipment is used only for
purposes of transit through the territory of the
Community.
2. In the circumstances referred to in paragraph 1 (c),
the controller must designate a representative established
in the territory of that Member State, without prejudice
to legal actions which could be initiated against the
controller himself.
CHAPTER II
GENERAL RULES ON THE LAWFULNESS OF THE PROCESSING OF PERSONAL
DATA
Article S
Member States shall, within the limits of the provisions of this Chapter, determine more
precisely the conditions under which the processing of personal data is lawful.
No 1. 281/40
EN
Official journal of the European Communities
SECTION I
23. 11. 95
(d) processing is necessary in order to protect the vital
interests of the data subject; or
PRINCIPLES RELATING TO DATA QUALITY
(e) processing is necessary for the performance of a task
carried out in the public interest or in the exercise of
official authority vested in the controller or in a third
party to whom the data are disclosed; or
Article 6
I. Member StateS shall provide that personal data must
he:
(f)
processing is necessary for the purposes of the
legitimate interests pursued by the controller or by the
third party or parties to whom the data are disclosed,
except where such interests are overridden by the
interests for fundamental rights and freedoms of the
(a) processed fairly and lawfully;
for specified, explicit and legitimate
(h) collected
purposes and not further processed in a way
data subject which require protection under Article
1 (1).
incompatible with those purposes. Further processing
of data for historical, statistical or scientific purposes
shall not he considered as incompatible provided that
Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the
purposes for which they are collected and/or further
SECTION III
. processed;
SPECIAL CATEGORIES OF PROCESSING
(d) accurate and, where necessary, kept up to date; every
reasonable step must he taken to ensure that data
which are inaccurate or incomplete, having regard to
the purposes for which they were collected or for
Article
which they are further processed, are erased or
8
The processing of special categories of data
rectified;
(e) kept in a form which permits identification of data
subjects for no longer than is necessary for the
purposes for which the data were collected or for
which they are further processed. Member States shall
1. Member States shall prohibit the processing of
personal data revealing racial or ethnic origin, political
opinions ; religious or philosophical beliefs, trade-union
lay down appropriate safeguards for personal data
membership, and the processing of data concerning
stored for longer periods for historical, statistical or
health or sex life.
scientific use.
2. It shall be for the controller to ensure•that paragraph
2.
Paragraph I shall not apply where:
1 is complied with.
(a) the data subject has given his explicit consent to the
processing of those data, except where the laws of the
Member State provide that the prohibition referred to
SECTION II
in paragraph 1 may not be lifted by
the data subject's
giving his consent; or
CRITERIA FOR MAKING DATA PROCESSING
LEGITIMATE
Article
7
Member States shall provide that personal data may he
processed only if:
(a) the data subject has unambiguously given his consent;
or
(b) processing is necessary for the performance of a
contract to which the data subject is party or in order
to take steps at the request of the data subject prior
to entering into a contract; or
(c) processing is necessary for compliance with a legal
obligation to which the controller is subject; or
(b) processing is necessary for the purposes of carrying
out the obligations and specific rights of the
controller in the field of employment law in so far as
it is authorized by national law providing for
adequate. safeguards; or
(c) processing is necessary to protect the vital interests of
the data subject or of another person where the data
subject is physically or legally incapable of giving his
consent; or
(d) processing is carried out in the course of its legitimate
a
guarantees
by
activities
with
appropriate
any
other
association
or
foundation,
non-profit-seeking • body with a political,
philosophical, religious or trade-union aim and on
condition that the processing relates solely to the
members of the body or to persons who have regular
23. 11. 9.5
EN
Official Journal of the European Communities
contact with it in connection with its purposes and
that the data are not disclosed to a third 'party
without the consent of the data subjects; or
No L 281/41
of artistic or literary expression only if they are necessary
to reconcile the right ro privacy with the rules governing
freedom of expression.
(e) the processing relates to data which are manifestly
made public by the data subject or is necessary for
the establishment, exercise or defence of legal
SECTION IV
claims.
INFORMATION TO BE GIVEN TO THE DATA SUBJECT
3. Paragraph 1 shall not apply where processing of the
data'is required for the purposes of preventive medicine,
medical diagnosis, the provision of care or treatment or
Article 10
the management of health-care services, and where those
data are processed by a health professional subject under
Information in cases of collection of data from the data
national law or rules established by national competent
bodies to the obligation of professional secrecy or by
another person also subject to an equivalent obligation of
secrecy.
subject
Member States shall provide that the controller or his
representative must provide a data subject from whom
data relating to himself are collected with at least the
following information, except where he already has it:
4. Subject to the provision of suitable safeguards,
Member States may, for reasons of substantial public
interest, lay down exemptions in addition to those laid
(a) the identity of the controller and of his representative,
if any;
down in paragraph 2 either by national law or by
decision of the supervisory authority.
(b) the purposes of the processing for which the data are
intended;
5. Processing of data relating to offences, criminal
convictions Or security measures may be carried out only
under the control of official authority, or if suitable
(c) any further information such as
—
the recipients or categories of recipients of the
data.
—
specific safeguards are provided under national law,
subject to derogations which may he granted by the
Member State under national provisions providing
whether replies to the questions are obligatory or
voluntary, as well as the possible consequences of
suitable specific safeguards. However, a complete register
of criminal convictions may he kept only under the
failure to reply,
—
control of official authority.
the existence of the right of access to and the right
to rectify the data concerning him
in so far as such further information is necessary,
having regard to the specific circumstances in which
Member States may provide that data relating to
administrative sanctions or judgements in civil cases shall
also he processed under the control of official authority.
the data are collected, to guarantee lair processing in
respect of the data subject.
6. Derogations from paragraph 1 provided for in
paragraphs 4 and 5 shall be notified to the Com-
Article 11
mission.
Information where the data have not been obtained from
the data subject
7. MeMber States shall determine the conditions under
which a national identification number or any other
identifier of general application may he processed.
1. Where the data have not been obtained from the data
subject, Member States shall provide that the controller
or his representative must at the time of undertaking the
recording of personal data or if a disclosure to a third
Article 9
Processing of personal data and freedom of expression
party is envisaged, no later than the time when the data
are first disclosed provide the data subject with at least
the following information, except where he already has
it:
Member States shall provide for exemptions or
derogations from the provisions of this Chapter, Chapter
IV and Chapter VI for the processing of personal data
carried out solely for journalistic purposes or the purpose
(a) the identity of the controller and of his representative,
if any;
(b) the purposes of the processing;
No L 281/42
EN
Official Journal of the European Communities
SECTION VI
(c) any further information such as
— the categories of data concerned,
23. 11. 95
EXEMPTIONS AND RESTRICTIONS
— the recipients or categories of recipients,
— the existence of the right of access to and the right
to rectify the data concerning him
Article 13
Exemptions and restrictions
in so far as such further information is necessary,
having regard to the specific circumstances in which
the data are processed, to guarantee fair processing in
respect of the data subject.
2. Paragraph 1 shall not apply where; in particular for
processing for statistical purposes or for the purposes of
historical or scientific research, the provision of such
information proves impossible or would involve a
disproportionate effort or if recording or disclosure is
expressly laid down by law. In these cases Member States
shall provide appropriate safeguards.
SECTION V
1, Member States may adopt legislative measures to
restrict the scope of the obligations and rights provided
for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a
restriction constitutes a necessary measures to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the
prevention,
investigation,
detection
and
prosecution of criminal offences, or of breaches of
ethics for regulated professions;
(e) an important economic or financial interest of a
Member State or of the European Union, including
monetary, budgetary and taxation matters;
THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA
Article 12
Right of access
Member States shall guarantee every data subject the
right to obtain from the controller:
(a) without constraint at reasonable intervals and
without excessive delay or expense:
confirmation as to whether or not data relating to
him are being processed and information at least
as to the purposes of the processing, the categories
of data concerned, and the recipients or categories
of recipients to whom the data are disclosed,
(f) a monitoring, inspection or regulatory function
connected, even occasionally, with the exercise of
official authority in cases referred to in (c), (d) and
(e);
(g) the protection of the data subject or of the rights and
freedoms of others.
2. Subject to adequate legal safeguards, in particular
that the data are not used for taking measures or
decisions regarding any particular individual, Member
States may, where there is clearly no risk of breaching the
privacy of the data subject, restrict by a legislative
measure the rights provided for in Article 12 when data
are processed solely for purposes of scientific research or
are kept in personal form for a period which does not
exceed the period necessary for the sole purpose of
creating statistics.
communication to him in an intelligible form of
the data undergoing processing and of any
available information as to their source,
knowledge of the logic involved in any automatic
processing of data concerning him at least in the
case of the automated decisions referred to in
. Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of
data the processing of which does not comply with
the provisions of this Directive, in particular because
of the incomplete or inaccurate nature of the data;
SECTION Vii
THE DATA SUBJECT'S RIGHT TO OBJECT
Article 14
The data subject's right to object
Member States shall grant the data subject the right:
(c) notification to third parties to whom the data have
been disclosed of any rectification, erasure or
blocking carried out in compliance with (b), unless
this proves impossible or involves a disproportionate
effort.
(a) at least in the cases referred to in Article 7 (e) and (f),
to object at any time on compelling legitimate
grounds relating to his particular situation to the
processing of data relating to him, save where
23.. 11. 95
No L 281/43
Official Journal of the European Communities
EN
otherwise provided by national legislation. Where
there is a justified objection, the processing instigated
by the controller may no longer involve those data;
(h) to object, on request and free of charge, to the
processing of personal data relating to him which the
controller anticipates being processed for the purposes
of direct marketing, or to be informed before
personal data are disclosed for the first time to third
parties or used on their behalf for the purposes of
direct marketing, and to be expressly offered the right
to object free of charge to such disclosures or uses.
Member States shall take the necessary measures to
ensure that data subjects are aware of the existence of the
right referred to in the first subparagraph of (b).
has access to personal data must not process them except
on instructions from the controller, unless he is required
to do so by law.
Article 17
Security of processing
1. Member States shall provide that the controller must
implement appropriate technical and organizational
measures to protect personal data against accidental or
unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access, in particular where the
processing involves the transmission of data over a
network, and against all other unlawful forms of
processing.
Automated individual decisions
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of
security apprOpriate to the risks represented by the
processing and the nature of the data to he protected.
1. Member States shall grant the right to every person
not to he subject to a decision which produces legal
effects concerning him or significantly affects him and
which is based solely on automated processing of data
intended to evaluate certain personal aspects relating to
him, such as his performance at work, creditworthiness,
reliability, conduct, etc.
2. The Member States shall provide that the controller
must, Where prOcessing is carried out on his behalf,
choose a processor providing sufficient guarantees in
respect of the technical security measures and
organizational measures governing the processing to be
carried out, and must ensure compliance with those
measures.
Article 15
2. Subject to the other Articles of this Directive,
Member States shall provide that a person may be
subjected to a decision of the kind referred to in
paragraph 1 if that decision:
(a) is taken in the course of the entering into or
performance of a contract, provided the request for
the entering into or the performance of the contract,
lodged by the data subject, has been satisfied or that
there are suitable measures to safeguard his legitimate .
interests, such as arrangements allowing him to put
his point of view; or
(b) is authorized by a law which also lays down measures
to safeguard the data subject's legitimate interests.
3. The carrying out of processing by way of a processor
must be governed by a contract or legal act binding the
processor to the controller and stipulating in particular
that:
— the processor shall act only on instructions from the
controller,
— the obligations set out in paragraph 1, as defined by
the law of the Member State in which the processor is
established, shall also be incumbent on the
processor.
4. For the purposes of keeping proof, the parts of the
contract or the legal act relating to data protection and
the requirements relating to the measures referred to in
paragraph I shall be in writing or in another equivalent
form.
SECTION VIII
SECTION IX
CONFIDENTIALITY AND SECURITY OF PROCESSING
NOTIFICATION
Article 16
Article 18
Confidentiality of processing
Obligation to notify the supervisory authority
Any person acting under the authority of the controller
or of the processor, including the processor himself, who
1. Member States shall provide that the controller or his
representative, if any, must notify the supervisory
No I. 281/44
Official Journal of the European Communities
EN
authority referred to in Article 28 before carrying out any
wholly or partly automatic processing operation or set of
such operations intended to serve a single purpose or
several related purposes.
2. Member States may provide for the simplification of
or exemption from notification only in the following
cases and under the following conditions:
where, for categories of processing operations which
are unlikely, taking account of the data to he
processed, to affect adversely the rights and freedoms
of data subjects, they specify the purposes of the
processing, the data or categories of data undergoing
processing, the category or categories of data subject,.
the recipients or categories of recipient to whom the
data are to he disclosed and the length of time the
data are to he stored, and/or
where the controller, in compliance with the national
law which governs him, appoints a personal data
protection official, responsible in particular: .
23. 11. 95
(a) the name and address of the controller and of his
representative, if any;
lb) the purpose or purposes of the processing;
(c) a description of the category or categories of data
subject and of the data or categories of data relating
to them;
Id) the recipients or categories of recipient to whom the
data might be disclosed;
(el proposed transfers of data to third countries;
(0 a general description allowing a preliminary
assessment to he made of the appropriateness of the
measures taken pursuant to Article 17 to ensure
security of processing. •
2. Member States shall specify the procedures under
which any change affecting the information referred to in
paragraph 1 must he notified to the supervisory
authority.
— for ensuring in an independent manner the
internal application of the national provisions
taken pursuant to this Directive
— for keeping the register of processing operations
carried out by the controller, containing the items
of information referred to in Article 21 (2),
thereby ensuring that the rights and freedoms of the
data subjects are unlikely to he adversely affected by
the processing operations.
3. Member States may provide that paragraph .1 does
not apply to processing whose sole purpose is the keeping
of a register which according to laws or regulations is
intended to provide information to the public and which
is open to consultation either by the public in general or
by any person demonstrating a legitimate interest.
4. Member States may provide for an exemption from
the obligation to notify or a simplification of the
notification in the case of processing operations referred
to in Article 8 (2) (d).
5. Member States may stipulate that certain or all
non-automatic processing operations involving personal
data shall be notified, or provide for these processing
operations to he subject to simplified notification.
Article 20
Prior checking
1. Member States shall determine the processing
operations likely to present specific risks to the rights and
freedoms of data subjects and shall check that these
processing operations are examined prior to the start
thereof.
2. Such prior checks shall he carried out by the
supervisory authority following receipt of a notification
from the controller or by the data protection official,
who, in cases of doubt, must consult the supervisory
authority.
3. Member States may also carry out such checks in the
context of preparation either of a measure of the national
parliament or of a measure based on such a legislative
measure, which define the nature of the processing and
lay down appropriate safeguards.
Article 21
Publicizing of processing operations
Article 19
1. Member States shall take measures to ensure that
processing operations are publicized.
Contents of notification
1. Member States shall specify the information to be
given in the notification. It shall include at least:
2. Member States shall provide that a register of
processing operations notified in accordance with Article
18 shall he kept by the supervisory authority.
23. 11. 95
EN
Official Journal of the European Communities
No 1. 251/45
The register shall contain at least the information listed in
Article 19 (1) (a) to (e).
(1) (a) to (e) in an appropriate form to any person on
request.
The register may be inspected by any person.
Member States may provide that this provision does not
apply to processing whose sole purpose is the keeping of
a register which according to laws or regulations is
intended to provide information to the public and which
is open to consultation either by the public in general or
by any person who can provide proof of a legitimate
interest.
3. Member States shall provide, in relation to processing
operations not subject to notification, that controllers or
another body appointed by the Member States make
available at least the information referred to in Article 1'9
CHAPTER III
.
JUDICIAL REMEDIES, LIABILITY AND SANCTIONS
Article 22
Remedies
Without prejudice to any administrative remedy for which provision may he made, inter cilia
before the supervisory authority, referred to in Article 28, prior to referral to the judicial
authority, Member States shall provide for the right of every person to a judicial remedy for any
breach of the rights guaranteed him by the national law applicable to the processing in
question.
Article 23
Liability
1. Member States shall provide that any person who has suffered damage as a result of an
unlawful processing operation or of any act incompatible with the national provisions adopted
pursuant to this Directive is entitled to receive compensation from the controller for the damage
suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he
is not responsible for the event giving rise. to the damage.
Article 24
Sanctions
The Member States shall adopt suitable measures to ensure the full implementation of the
provisions of this Directive and shall in particular lay down the sanctions to be imposed in case
of infringement of the provisions adopted pursuant to this Directive.
CHAPTER IV
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Principles
with the national provisions adopted pursbant to the
other provisions of this Directive, the third country in
question ensures an adequate level of protection.
I. The Member States shall provide that the transfer to
a third country of personal data which are undergoing
processing or are intended for processing after transfer
may take place only if, without prejudice to compliance
2. The adequacy of the level of protection afforded by a
third country shall he assessed in the light of all the
circumstances surrounding a data transfer operation or
set of data transfer operations; particular consideration
Article 25
No L 281/46
Official Journal of the European Communities
EN
shall be given to the nature of the data, the purpose and
duration of the proposed processing operation • or
operations, the country of origin and country of final
destination, the rules of law, both general and sectoral, in
force in the third country in question and the
professional rules and security measures which are
complied with in that country.
3. The Member States and the Commission shall inform
each other of cases where they consider that a third
country does not ensure an adequate level of protection
within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure
provided for in Article 31 (2), that a third country does
not ensure an adequate level of protection within the
meaning of paragraph 2 of this Article, Member StateS
shall take the measures necessary to prevent any transfer
of data of the same type to the third country in
question.
5. At the appropriate time, the Commission shall enter
into negotiations with a view to remedying the situation
resulting from the finding made pursuant to paragraph
4.
6. The Commission may find, in accordance with the
procedure referred to in Article 31 (2), that a third
country ensures an adequate level of protection within
the meaning of paragraph 2 of this Article, by reason of
its domestic law or of the international commitments it
has entered into, particularly upon conclusion of the
negotiations referred to in paragraph 5, for the protection
of the private lives and basic freedoms and rights of
individuals.
Member States shall take the measures necessary to
comply with the Commission's decision.
Article 2 6
Derogations
I. By way of derogation from Article 25 and save where
otherwise provided by domestic law governing particular
cases, Member States shall provide that a transfer or a set
of transfers of personal data to a third country which
does not ensure an adequate level of protection within
the meaning of Article 25 (2) may take place on
condition that:.
(a) the data subject has given his consent unambiguously
to the proposed transfer; or
(b) the transfer is necessary for the performance of a
contract between the data subject and the controller
23. 11. 95
or the implementation of precontractual measures
taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or
performance of a contract concluded in the interest of
the data subject between the controller and a third
party; or
(d) the transfer is necessary or legally required on
imPortant puhlir interest grounds, or for the
exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital
interests of the data subject; or
(f) the transfer is made from a register which according
to laws or regulations is intended to provide
information to the public and which is open to
consultation either by the public in general or by any
. person who can demonstrate legitimate interest, to
the extent that the conditions laid down in law for
consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State
may authorize a transfer or a set of transfers of personal
data to a third country which does not ensure an
adequate level of protection within the meaning of Article
25 (2), where the controller adduces adequate safeguards
with respect to the protection of the privacy and
fundamental rights and freedoms of individuals and as
regards the exercise of the corresponding rights; such
safeguards may in particular result from appropriate
contractual clauses.
3. The Member State shall inform the Commission and
the other Member States of the authorizations it grants
pursuant to paragraph 2.
If a Member State or the Commission objects on justified
grounds involving the protection of the privacy and
fundamental rights and freedoms of individuals, the
Commission shall take appropriate measures in
accordance with the procedure laid down in Article 31
(2). -
Member States shall take the necessary measures to
comply with the Commission's decision.
4. Where the Commission decides, in accordance with
the procedure referred to in Article 31 (2), that certain
standard contractual clauses offer sufficient safeguards as
required by paragraph 2, Member States shall take the
necessary measures to comply with the Commission's
decision.
23. 11. 95
EN
Official Journal of the European Communities
No L 281/47
CHAPTER V
CODES OF CONDUCT
Article 27
1. The Member States and the Commission shall encourage the drawing up of codes of
conduct intended to contribute to the proper implementation of the national provisions adopted
by the Member States pursUant to this Directive, taking account of the specific features of the
various sectors.
2. Member States shall make provision for trade associations and other bodies representing
other categories of controllers which have drawn up draft national codes or which have the
intention of amending or extending existing national codes to be able to submit them to the
opinion of the national authority.
Member States shall make provision for this authority to ascertain, among other things, whether
the drafts submitted to it are in accordance with the national provisions adopted pursuant to
this Directive. If it sees fit, the authority shall seek the views of data subjects or their
representatives.
3. Draft Community codes, and amendments or extensions to existing Community codes, may
be submitted to the Working Party referred to in Article 29. This Working Party shall
determine, among other things, whether the drafts submitted to it are in accordance with the
national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the
views of data subjects or their representatives. The Commission may ensure appropriate
publicity for the codes which have been approved by the Working Party.
CHAPTER VI
SUPERVISORY AUTHORITY AND WORKING PARTY ON THE PROTECTION OF
INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA
Article 28
Supervisory authority
1. Each Member State shall provide that one or more
public authorities are responsible for monitoring the
application within its territory of the provisions adopted
by the Member States pursuant to this Directive.
These authorities shall act with complete independence in
exercising the functions entrusted to them.
2. Each Member State shall provide that the supervisory
authorities are consulted when drawing up administrative
measures or regulations relating to the protection of
individuals' rights and freedoms with regard to the
processing of personal data.
and powers to collect all the information necessary
for the performance of its supervisory duties,
effective powers of intervention, such as, for example,
that of delivering opinions before processing
operations are carried out, in accordance with Article
20, and ensuring appropriate publication of such
opinions, of ordering the blocking, erasure or
destruction of data, of imposing a temporary or
definitive ban on processing, of warning or
admonishing the controller, or that of referring the
matter to national parliaments or other political
institutions,
— the power to engage in legal proceedings where the
national provisions adopted pursuant to this Directive
have been violated or to bring these violations to the
attention of the judicial authorities.
3. Each authority shall in particular be endowed with:
— investigative powers, such as powers of access to data
forming the subject-matter of processing operations
Decisions by the supervisory authority which give rise to
complaints may be appealed against through the courts.
No [. 25 1 /45
EN
Official Journal of the European Communities
4. Each supervisory authority shall hear claims lodged
by any person, or by an association representing that
person, concerning the protection of his rights and
'freedoms in regard to the processing of personal data
The person concerned shall be informed of the outcome
of the claim.
23. 11. 95
3. The Working Party shall take decisions by a simple
majority of the representatives of the supervisory
authorities.
4.
The Working Party shall elect its chairman. The
chairman's term of office shall he two years. His
appointment shall be renewable.
Each supervisory authority shall, in particular, hear
claims for checks on the lawfulness of data 'processing
lodged by any person when the national provisions
S. The Working Parry's secretariat shall be provided by
adopted pursuant to Article 13 of this Directive apply.
the Commission.
The person shall at any rate he informed that a check has
taken place.
5. Each supervisory authority shall draw up a report on
its activities at regular intervals, The report shall he made
public.
6.
Each supervisory authority is competent, whatever
6. The Working Party shall adopt its own rules of
procedure.
7. The Working Party shall consider items placed on its
agenda by its chairman, either on his own initiative or at
the request of a representative of the supervisory
authorities or at the Commission's request.
the national law applicable to the processing in question,
to exercise, on the territory of its own Member State, the
powers conferred on it in accordance with paragraph 3.
Each authority may be requested to exercise its powers
by an authority of another Member State.
Article 30
1. The Working Party shall:
The supervisory authorities shall cooperate with one
(a) examine any question covering the application of the
another to the extent necessary for the performance of
their duties ; in particular by exchanging all useful
national measures adopted under this Directive in
order to contribute to the uniform application of such
information.
measures;
7. Member States shall provide that the members and
staff of the supervisory authority, even after their
employment has ended, are to he subject to a duty of
professional
information
secrecy with regard to confidential
to which they have access.
Article 29
Working Party on the Protection of Individuals with
regard to the Processing of Personal Data
(b) give the Commission an opinion on the level of
protection in the Community and in third countries;
(c) advise the Commission on any proposed amendment
of this Directive, on any additional or specific
measures to safeguard the rights and freedoms of
natural persons with regard to the processing of
personal data and on any other proposed Community
measures affecting such rights and freedoms;
(d) give an opinion on codes of conduct drawn up at
Community level.
1. A Working Party on the Protection of Individuals
with regard to the Processing of Personal Data,
hereinafter referred to as the Working Party', is hereby
2. If the Working Party finds that divergences likely to
affect the equivalence of protection for persons with
set up.
regard to the processing of personal data in the
Community are arising between the laws or practices of
Member States, it shall inform the Commission
It shall have advisory status and act independently.
accordingly.
2. The Working Party shall be composed of a
representative of the supervisory authority or authorities
designated by each Member State and of a representative
3. The Working Party may, on its own initiative, make
recommendations on all matters relating to the protection
of the authority or authorities established for the
of a
institutions and bodies, and
Community
of persons with regard to the processing of personal data
in the Community.
representative of the Commission.
Each member of the Working Party shall he designated
4. The Working Party's opinions and recommendations
shall be forwarded to the CommiSsion and to the
by the institution, authority or authorities which he
represents. Where )a Member State has designated more
than one supervisory authority, they shall nominate a
joint representative. The same shall apply to the
authorities established for Community institutions and
committee referred to in Article 31.
bodies.
recommendations. It shall do so in a report which shall
5. The Commission shall inform the Working Party of
the action it has taken in response to its opinions and
23. 11. 95
EN
Official Journal of the European Communities
also be forwarded to the European Parliament and the
Council. The report shall be made public.
6. The Working Party shall draw up an annual report
on the situation regarding the protection of natural
No C 281/49
persons with regard to the processing of personal data in
the Community and in third countries, which it shall
transmit to the Commission, the European Parliament
and the Council. The report shall be made public.
CHAPTER VII
COMMUNITY IMPLEMENTING MEASURES
Article 31
The Committee
1. The Commission shall be assisted by a committee composed of the representatives of the
Member States and chaired by the representative of the Commission.
2. The representative of the Commission shall submit to the committee a draft of the measureS
to be taken. The committee shall deliver its opinion on the draft within a time limit which the
chairman may lay down according to the urgency of the matter.
The opinion shall be delivered by the majority laid down in Article 148 (2) of the Treaty. 'The
votes of the representatives of the Member States within the committee shall he weighted in the
manner set out in that Article. The chairman shall not vote.
The Commission shall adopt measures which shall apply immediately. However, if these
measures are not in accordance with the opinion of the committee, they shall be communicated
by the Commission to the Council forthwith. It that event:
— the Commission shall defer application of the measures which it has decided for a period of
three months from the date of communication,
— the Council, acting by a qualified majority, may take a different decision within the time
limit referred to in the first indent.
FINAL PROVISIONS
When Member States adopt theSe measures, they shall
contain a reference to this Directive or he accompanied
by such reference on the occasion of their official
publication. The methods of making such reference shall
he laid down by the Member States.
By way of derogation from the preceding subparagraph,
Member States may provide that the processing of data
already held in manual filing systems on the date of entry
into force of the national provisions adopted in
implementation of this Directive shall be brought into
conformity with Articles 6, 7 and 8 of this Directive
within 12 years of the date on which it is adopted.
Member States shall, however, grant the data subject the
right to obtain, at his request and in particular at the
time of exercising his right of access, the rectification,
erasure or blocking of data which are incomplete,
inaccurate or stored in a way incompatible with the
legitimate purposes pursued by the controller.
2. Member States shall ensure that processing already
under way on the date the national provisions adopted
pursuant to this Directive enter into force, is brought into
conformity with these provisions within three years of
this date.
3. By way of derogation from paragraph 2, Member
States may provide, subject to suitable safeguards, that
data kept for the sole purpose of historical research need
Article 32
1. Member States shall bring into force the laws,
regulations and administrative provisions necessary to
comply with this Directive at the latest at the end of a
period of three years from the date of its adoption.
No L 281/50
Official Journal of the European Communities
EN
not be brought into conformity with Articles 6, 7 and 8
of this Directive.
4. Member States shall communicate to the Commission
the text of the provisions of domestic law which they
adopt in the field covered by this Directive
23. 11. 95
sound and image. data relating to natural persons and
shall submit any appropriate proposals which prove to he
necessary, taking account of developments in information
technology and in the light of the state of progress in the
information society.
.
Article 34
Article .33
This Directive is addressed to the Member States.
The Commission shall report to the Council and the
European Parliament at regular intervals, starting not
later than three years after the date referred to in Article
32 (1), on the implementation of this Directive, attaching
to its report, if necessary, suitable proposals for
amendments. The report shall be made public.
The Commission shall examine, in particular, the
application of this Directive to the data processing of
Done at Luxembourg, 24 October 1995.
For the European Parliament
For the Council
The President
The President
K. HANSCH
L. ATIENZA SERNA
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?