EU directives


In Europe, the protection of personal data is enshrined in both the European Convention on Human Rights (where Article 8 states that "everyone has the right to respect for his private and family life...") and more specifically in the Charter of Fundamental Rights in the European Union (2000/C 364/1), where Article 8 focuses on the protection of personal data, with 8.1 stating "Everyone has the right to protection of personal data concerning him or her".

In an attempt to harmonise data laws across Europe, and to allow data flow across member states, a Data Protection Directive (95/46/EC) was published in October 1995. This sets out the expected standards for data control within Europe, and applies to data that are processed by automated means and data that are part of non-automated systems but are accesible using specific criteria.  

EU directives are enacted into each member state's legislative framework in accordance with its own laws and conventions. Therefore some differences exist between countries.

The directive

The directive sets out two 'roles' - that of the data controller (the individual or body who decides on the reasons and methods for processing) and the data subject (the individual to whom the personal data relates).

Data controllers have an important role in ensuring that data is processed fairly, and in accordance with what the data subject has agreed to. Data subjects have a number of rights in relation to their own data and must provide consent to its processing.

'Processing' in this context can include (but is not limited to): collection of personal data, its recording, storage, disclosure, consultation and adaptation.

Data protection principles

The data controller must adhere to the following principles:

  • Data must be processed fairly and lawfully and must be collected for explicit and legitimate purposes and used accordingly.
  • Data must be relevant and not excessive in relation to the purpose for which they are processed.
  • Data must be accurate and, where necessary, kept up to date.
  • Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
  • Data that identify individuals must not be kept longer than necessary.
  • Member States must provide one or more supervisory authorities to monitor the application of the directive.
  • In principle, all data controllers must notify supervisory authorities when they process data.