Data protected.
A report on the status of data protection legislation in the
European Union in 2005.
Foreword.
Welcome to the 2005 edition of ‘Data Protected’, a special report prepared by Linklaters’ Technology, Media &
Telecommunications Group which outlines and analyses current EU data protection legislation. The report covers each
EU Member State, as well as Iceland, Liechtenstein and Norway (which together with the EU Member States make up
the European Economic Area) and Switzerland.
Since 24 October 1995, when Directive 95/46/EC on “the protection of individuals with regard to the processing of
personal data and on the free movement of such data” was adopted, data protection has become a subject with
significant legal implications for individuals and organisations. In a market of about 470 million people, it is critical
that businesses address compliance with data protection legislation in all relevant countries, especially as a failure to
process personal data in accordance with the relevant legislation may lead to severe consequences, including payment
of damages and fines as well as reputation issues.
For this reason, the report, now in its second year of publication, has been revised to include more detailed
information on the sanctions imposed for infringement of data protection provisions in each of the countries. A
commentary on the extent of these sanctions and the variation between jurisdictions precedes the individual country
sections and is included on page 5 of the report.
The report has been updated to reflect the major changes to France’s data protection legislation which occurred on
6 August 2004 when France, the last EU Member State to do so, finally implemented the Directive. Additionally, the
report reflects significant changes that have been made to data protection legislation in Slovakia and Slovenia. The
report has also been amended to reflect the recent implementation, in a number of the jurisdictions, of Article 13 of
Directive 2002/58/EC which relates to marketing by email.
The purpose of this report is not to provide exhaustive information regarding data protection in all the countries
profiled but rather to create awareness of the main applicable rules. As with the previous edition of the report, the
relevant issues for each jurisdiction are presented in a standard format, allowing a simple comparison of the legal
situation to be made between countries. Needless to say, each contributor law firm is responsible for the contents of
its own section.
This edition of the report was prepared with input from the various law firms as of September 2005.
Should you have any questions in connection with the issues raised or if specific advice is needed, please consult any
of the lawyers referred to in the contact list at the end of this report.
Christopher Millard
Partner
Technology, Media and Telecommunications
London
November 2005
⏐Data protection legislation in the European Union⏐November 2005
Contents.
Commentary: A Survey of Current Levels of Enforcement of European Data Protection Legislation 1
Country overviews
Austria 11
Belgium 14
Cyprus 18
Czech Republic 22
Denmark 26
Estonia 29
Finland 32
France 36
Germany 40
Greece 43
Hungary 47
Iceland 51
Ireland 56
Italy 60
Latvia 63
Liechtenstein 66
Lithuania 69
Luxembourg 73
Malta 76
The Netherlands 79
Norway 83
Poland 86
Portugal 89
Slovakia 93
Slovenia 97
Spain 100
Sweden 104
Switzerland 107
United Kingdom 111
Contacts 114
Commentary: A Survey of Current Levels of Enforcement
of European Data Protection Legislation.
Richard Cumbley, Linklaters TMT Group, London
Introduction
“What happens if it goes wrong?” It’s the most consistently asked of all questions faced by data protection
practitioners. For both internal and external clients, understanding the potential consequences of non-compliance is
essential in coming to a sensible risk based assessment of how to improve compliance. Yet, to date, a comprehensive
picture of the theoretical sanctions available and how they have been applied across the EEA has been extremely
difficult to discover.
As a result, “Data Protected” 2005 now contains details not just of theoretical sanctions, but also, for the first time,
of levels of actual enforcement activity. Details include:
− the number of investigations made by regulators in 2004-5;
− the number of prosecutions during that period;
− the typical level of penalties imposed by regulators; and
− the most significant penalty levied to date with brief details of the case.
Where the information is not publicly available, contributors have sought the information direct from regulators.
This comprehensive picture of enforcement activity in the European Union identifies a number of significant issues for
both the public and private sectors.
Overview of Findings
Theoretical sanctions, and the level of actual enforcement activity, vary very substantially across the continent.
Although there are exceptions, in general theoretical sanctions in the newer EU member states are set out at a lower
level than the EU15. Perhaps more surprisingly, the courts of many countries whose legislation provides significant
penalties have shown a reluctance to impose such significant penalties. Denmark and the UK stand out particularly in
this regard.
At the upper end of the range of penalties imposed are some striking examples. A number of jail terms and suspended
jail terms have been imposed, for example in Sweden, Switzerland and the Netherlands. As well as jail terms, there
have also been some substantial fines for breaches of data protection laws in Europe, including one of over 1 million
Euros. The case studies below highlight the significant cost of failing to comply with data protection law experienced
in particular by companies in the Netherlands and Spain.
Nevertheless, these headline examples are at the upper end of European practice, and in the majority of European
countries enforcement activity for breaches of data protection legislation remains low.
Data on Potential and Actual Enforcement Provisions for the Infringements of Data Protection Legislation
Figure 1: Potential Jail Terms and Fines for Infringements of Data Protection Legislation
[Chart: “Potential Jail Terms and Fines”. Bar chart by country (x-axis: Countries, each EU/EEA state plus Switzerland and an EU Median column) showing the Maximum Potential Fine (EUR) on a scale of 0 to 2,000,000 and the Maximum Potential Jail Term (Years) on a scale of 0 to 12; countries with unlimited fines are marked separately in the legend.]
Notes for Figure 1: In the cases of Denmark and the UK potential fines are unlimited. In Iceland fines are €1,220 a
day and in Liechtenstein the level will depend on the financial status of the offender but there is no maximum
amount. In Finland the fines will be 1/60 of the offender’s average monthly income per day for a maximum of 120
days.
As one might expect, the newest accession states still have relatively low maximum potential fine levels. For example,
in Estonia, infringement of the requirements for the processing of personal data stipulated under the Personal Data
Protection Act of 12 February 2003 is treated as a misdemeanour and punishable by a fine of up to 50,000 kroons
(approximately EUR 3,195). However, in 2004 the Data Protection Inspectorate applied penalty payments on six
occasions with the average penalty being just 5,000 kroons (approximately EUR 320). Over time, one would expect
such fines in the newest accession states to increase in line with the older member states.
As the data above suggests, the potential financial implications for infringements are enormous, but it is the potential
for a custodial sentence in most member states that demonstrates the serious nature with which data protection
infringement is viewed by EU legislatures. In just seven of the 25 EU Member States (the Baltic states, Slovakia,
Spain, Ireland and the UK) are there no jail terms directly available for data protection related offences.
Figure 2: Actual Jail Terms and Fines for Infringements of Data Protection Legislation
[Chart: “Actual Jail Terms and Fines”. Bar chart by country (x-axis: Countries, each EU/EEA state plus Switzerland and an EU Median column) showing the Maximum Fine Imposed To Date (Euro) on a scale of 0 to 100,000 and the Maximum Jail Term To Date (Months) on a scale of 0 to 12.]
Notwithstanding the potential for custodial sentences, authorities have as yet been hesitant to use them, although the
Swiss example was just one of at least five criminal convictions in the country as a result of data protection
infringement. The spike represented in the Netherlands is in fact a suspended jail term, resulting from the Bureau X
case, which is described further below.
The fines graph is dominated by the Spanish Zeppelin example (see below at Case Study 2) where a fine of over €1m
was incurred. The graph stops at EUR 100,000, giving a greater sense of just how far out of step with the rest of
Europe the Spanish regulator remains. In fact, the three largest fines levied in Europe to date were all imposed in
Spain. Serious fines were also handed out in Greece, and to a lesser extent in the Czech Republic, France,
Netherlands and Portugal amongst others.
Notwithstanding these significant fines, in much of the EU there remains a wide disparity between potential levels of
financial penalties and actual levels. Denmark and the UK stand out particularly in this regard. For example, under
Danish data protection law any person or legal entity that commits an offence is liable upon conviction to a fine or
imprisonment. However, there was only one prosecution in 2004 – a case that was decided by the Eastern Division of
the High Court, which imposed a fine of approximately EUR 6,500. So far only fines have been levied in Denmark. In
the United Kingdom, breaches may incur civil liability or criminal sanctions, which include unlimited fines but not jail
terms. During 2004-5, a total of 20,138 cases were closed by the Information Commissioner, but there were just 12
prosecutions. The penalties that were imposed ranged from £100 to £3,150, with the average fine being around
£250.
Finally, although it is tempting from the above graph to assume that in large parts of the European Union no
enforcement action has been taken at all, that conclusion should be resisted. A full picture of the level of sanctions
imposed across Europe remains impossible to gather, as the information is often not published and in some European
jurisdictions cannot be published. In many cases, therefore, the blank columns reflect that even after direct
discussions with regulators, information is not available.
Case Studies – Examples of Enforcement Proceedings
Case Study 1 – Bureau X in The Netherlands
A complaint was made by an individual concerning the processing of data by an information agency, “Bureau X”, and
investigations were subsequently undertaken by the Dutch DPA.
Some of the information collected by Bureau X appeared to be derived from illegal sources and a raid was carried out.
In due course a formal complaint was registered with the public prosecutor on the grounds of fraud, breach of secrecy
and non-notification of the Dutch DPA.
On the orders of the defendant (the manager of the agency), employees had been obtaining private information
fraudulently and from illegal sources. Using false pretences the agency extracted information on people that, according
to a report in April 2003 by the Dutch “College Bescherming Persoonsgegevens”, included National Insurance numbers,
tax and social security information, Public Prosecution data and even bank account numbers.
Judgment was passed in September 2004. The defendant was fined, ordered to complete 240 hours of community
service and given a one year suspended jail sentence. Bureau X was also threatened with financial sanctions if it did
not bring itself in line with the Dutch Data Protection Act. Furthermore, some of the employees of the companies that
had been providing the illegal information were promptly dismissed.
Case Study 2 – Zeppelin in Spain
The fine imposed by the Spanish Data Protection Authority, the AEPD, on Zeppelin in this case is a salient reminder of
just how seriously the matter is taken in some parts of the European Union.
Zeppelin is the Spanish producer of the television programme “Gran Hermano”, the Spanish version of the popular
reality TV format “Big Brother”. Internet hackers managed to access details about 1,700 potential contestants on the
show, and in some cases the information included details of their mental health, IQs and credit history.
While Zeppelin tried to claim that it was the innocent victim of illegal hacking activity, the incident brought to light
various data protection infringements. Zeppelin was the unhappy recipient of a €1,081,822 fine, the highest imposed
by the AEPD in a single administrative proceeding to date, and the highest anywhere in the European Union.
The breaches of the Spanish DPA committed by Zeppelin were listed as:
− not complying with the information rights of the participants;
− not obtaining their express consent for the processing of sensitive data;
− not fulfilling the requirements for data processing by third parties, it therefore being deemed that a disclosure
of data which had not been consented to had taken place; and
− not complying with regulations on security measures.
Case Study 3 – Telefonica
Another example highlighting the tough stance adopted by the Spanish DPA is that of Telefonica. The Spanish
telecoms company had disclosed data for marketing purposes to a third party, Telefonica Data, after the data subject
had refused the data processing. This data was disclosed to Telefonica Data without the consent of the data subject
and furthermore passed back to Telefonica again without consent.
Telefonica was fined EUR 420,708 for:
− processing personal data for purposes incompatible with those for which the data were collected;
− processing data without the consent of the data subject; and
− disclosing personal data to Telefonica Data without the consent of the data subject.
Telefonica Data was also fined EUR 420,708 for similar breaches.
Enforcement – Other issues
Although the above examples represent the most costly and damaging instances of data protection enforcement, it is
poor publicity that remains, for most organisations, the key driver in ensuring data protection compliance. The recent
employee-related data protection disputes involving Fortis in Belgium, Lloyds TSB in the UK and McDonalds and
CEAC in France are powerful examples of how data protection issues can deliver significant unwanted publicity.
Interestingly, a number of EU regulators have commented favourably on recent legislative developments in California.
Californian privacy legislation¹ now requires organisations to publicly identify disclosure of personal information to
unauthorised persons. The initiative, which has exposed a number of large US financial institutions to press criticism,
is likely to continue to attract attention in the European Union over the next couple of years.
Conclusions
The financial penalties described above should impress upon companies the need to ensure that they are meeting their
obligations under data protection legislation. And the potential cost is even greater still, since the damage to
reputation caused by such breaches may have serious repercussions for a company’s business.
Nevertheless, the reality is that data protection enforcement activity remains in its infancy in large parts of Europe.
There remains a wide disparity in funding and staffing of data protection regulators across the continent, and a
number of authorities seem hesitant to make use of the full extent of their powers. As the number of investigations and
subsequent convictions/sanctions increase, so it is likely that the willingness of regulators to seek greater penalties
through the courts will grow. There can be little doubt that the current gap between potential and actual penalties will
narrow in the foreseeable future as more EU regulators learn to flex their muscles.
¹ California’s data protection law (Cal. Civil Code ss 1798.29, 1798.82-1798.84) requires companies doing business in California to notify affected
consumers if unencrypted personal information is acquired by an “unauthorized person”. A number of US companies (Choice Point, Bank of America,
CitiFinancial and LexisNexis for example) have been forced to make such announcements. In the recent case of CardSystems, however, although 40
million records were exposed to unauthorised access, notification was not required after an application to the San Francisco Superior Court as there was
deemed to be no “immediate threat of irreparable injury” to the data subjects. Nonetheless, over 50 similar bills in more than 28 states have been
introduced following the Californian model (including Texas, New York and Illinois).
Country Overviews.
Austria.
Contributed by Schönherr Rechtsanwälte OEG
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Federal Act concerning the Protection of Personal Data
(Bundesgesetz über den Schutz personenbezogener Daten (Datenschutzgesetz 2000) - the “DPA”) dated 17
August 1999 which was last revised on 31 March 2005.
Entry into force of the implementing legislation
The DPA came into force on 1 January 2000.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to: (i) the use of personal data in Austria; and (ii) the use of personal data outside Austria,
provided the data is used in another Member State of the EU for the purposes of an establishment in Austria.
Material scope of application
The DPA applies to both manual and electronic files (with certain reservations).
Personal scope of application
The DPA applies to data relating to individuals or legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as a natural or
legal person, or a group of persons, which (either alone or jointly with other persons) determines the purposes for
which personal data are to be processed. The data controller may request the processing to be done by a third
party.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Austrian Data Protection Commission
Ballhausplatz 1
1014 Vienna
Austria
www.dsk.gv.at
Notification or registration scheme and timing
Unless the processing is exempt, the data controller has a general obligation to file a notification to the Austrian
Data Protection Commission. Such notification is entered in the Data Processing Register. The notification must
occur prior to the processing of personal data.
Exemptions
Exemptions apply in certain circumstances, including but not limited to: (i) processing of published data;
(ii) processing of personal data not linked to a name; or (iii) so-called standardised data processing.
Data Quality
Rules on the quality of the data processed
The general principles with respect to data quality state: (i) that the personal data must be essential and not
excessive in relation to the purpose or purposes for which they are processed; and (ii) that personal data must be
accurate and, where necessary, kept up to date.
Retention period
Personal data may not be kept longer than is necessary for the relevant purpose.
Rights of Data Subjects
Right to information
The data controller must inform the data subject whether it has processed or is processing any data concerning
him/her. If it does, it must describe the processed data, the purpose for which they are used, the origin of the data
- if available, the recipients of the data, the legal basis for processing and the name and address of the processor.
Right of access/correction/objection and other rights
Access: Upon request, the data subject has the right to access its personal data being processed by the data
controller. Under the DPA, the data subject is not entitled to obtain copies thereof.
Correction: The data subject can apply for rectification and erasure of data that are incorrect or that have been
processed contrary to the DPA.
Objection to processing: The data subject has a right to raise an objection to the processing of its personal data if
the processing is not authorised by law and the use of data infringes an overriding interest of secrecy deserving
protection that arises from the particular situation.
Security
Security requirements in order to protect the data
There are several security requirements pursuant to Section 14 DPA, such as but not limited to: (i) the use of data
must be tied to valid instructions of the authorised organisational units or users; (ii) every user is to be instructed
about his/her duties according to the DPA and the organisation’s internal data protection regulations, including
data security regulations; (iii) the right of access to the premises of the data controller or processor is to be
regulated; (iv) the right of access to data and programs is to be regulated as well as the protection of storage media
against access and use by unauthorised persons; (v) every device is to be secured against unauthorised operation
by ensuring security processes are in place in both the machines and programs used; and (vi) logs of the
processing steps must be kept.
Specific rules governing processing by a third party (processor) on behalf of the data controller
There are several specific rules that apply to data processing performed by a processor on behalf of a data
controller. The processor must: (i) use data only according to the instructions of the controller; (ii) take all required
safety measures pursuant to Section 14 DPA (in particular, employ only users who have committed themselves to
confidentiality vis-à-vis the processor or are under a statutory obligation of confidentiality); (iii) enlist another
processor only with the permission of the controller; (iv) insofar as possible given the nature of the processing,
create in agreement with the controller the necessary technical and organisational requirements for the fulfilment
of the controller’s obligation to grant the right of information, rectification and erasure; (v) hand over to the
controller after the end of the processing all results of processing and documentation containing data or keep or
destroy them at the controller’s request; and (vi) make available to the controller all information necessary to
control the compliance with these obligations.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EU.
Transfer outside the EEA
The transfer of personal data to countries outside the EU is subject to prior authorisation by the Data Protection
Commission, based upon the following conditions: (i) legality of the data application; (ii) adequate level of data
protection in the case at hand; and (iii) protection of secrecy interests.
Sensitive Data
Restrictions apply to the processing of data concerning racial and ethnic origin, political opinions, religious or
philosophical beliefs, membership of a trade union, health and sexual life.
Enforcement
Sanctions
Breaches may incur civil, criminal and administrative sanctions, depending on the type of breach. The maximum
penalty for deliberate violation of the Data Protection Act is EUR 18,890 and EUR 9,445 for violation of
notification and information obligations. Note that no administrative penalty may be imposed if the violation is
subject to criminal prosecution.
Practice
In 2004, the Data Protection Commission dealt with: (i) 83 complaints of individuals against public sector data
controllers; (ii) 70 complaints of individuals against private sector data controllers; and (iii) six ex officio
investigations (no complaint).
In relation to the number of prosecutions last year, there are no statistical data on criminal prosecutions for data
abuse, as Section 51 DPA, which provides for a criminal penalty of up to one year’s imprisonment, is only a
subsidiary provision if no other more severe sanction pursuant to another provision of the Criminal Code applies.
Therefore, prosecution for data abuse will be subsumed within prosecution for other crimes (fraud, theft, "cyber
crimes" and, for the public sector, abuse of authority). Moreover, data abuse can only be prosecuted with the
consent of the victim.
In relation to the typical level of penalties imposed, as administrative penalties are, since 2000, no longer imposed
by the Data Protection Commission but by local administrative authorities (more than 100 different bodies), there
are no statistical data on the level of penalties.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by Section 107 of the Telecommunications Act (TKG
2003 - the “ECA”). The effective date was 20 August 2003.
Conditions for sending direct marketing e-mail
It is not permitted to send unsolicited direct marketing e-mail unless the recipient has previously consented to
such communication (opt-in regime with respect to consumers).
Exemptions
It is permitted to send e-mail for the purposes of direct marketing (exemption from the opt-in regime) where: (i) the
sender has obtained the contact details from a business connection with the client; (ii) the direct marketing is in
respect of the sender’s similar products or services; and (iii) the recipient is informed about the possibility of
refusing such e-mail.
Scope of Application
The ECA opt-in regime only applies to consumers and not to the business-to-business sphere. However, an opt-out
regime has to be provided for business-to-business relations. The option to opt-out must be offered in every e-mail.
In addition, recipients who do not want to receive unsolicited e-mail in general may include themselves in an opt-out
list pursuant to Section 7 of the E-Commerce Act administered by the Austrian Regulatory Authority for Broadcasting
and Telecommunications. This list must be respected by direct mailers.
Belgium.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the law of 11 December 1998 modifying the law of 8 December
1992 on privacy protection in relation to the processing of personal data (the “DPA”). Some provisions of the DPA
have been modified by the law of 22 August 2002 on patients’ rights and by the law of 26 February 2003
regarding the status, composition and functioning of the national regulatory authority.
Entry into force of the implementing legislation
The DPA entered into force on 1 September 2001 further to an implementing Royal Decree (the “Decree”) of 13
February 2001.
Scope of application of the National Legislation
Territorial scope of application
The DPA is applicable: (i) when the processing is carried out in the context of the activities of a permanent
establishment of the controller in Belgium; or (ii) if the controller, established outside the EU, makes use of
equipment, whether or not automated, located in Belgium (except for mere transit).
Material scope of application
The DPA applies to both manual and electronic files. The manual files must form part of a filing system (i.e. any
structured set of personal data that are accessible according to specific criteria, whether centralised, decentralised
or dispersed on a functional or geographical basis).
Personal scope of application
The DPA only applies to the processing of personal data, i.e. any information relating to an identified or
identifiable individual (natural person as opposed to legal entities).
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as the physical
person or legal entity, factual association or public authority that, alone or jointly with others, determines the
purposes and means of the processing of personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Commission for the Protection of Privacy
Rue Haute, 139, 1000 Brussels
www.privacy.fgov.be
Notification or registration scheme and timing
The data controller must notify the Commission for the Protection of Privacy before the start of any wholly or
partially automated processing operation. Such notification is a mere filing of information, including any change
thereto. The end of any processing must also be notified. The notification can be made by electronic means.
Exemptions
Notification is required for automated processing (not for manual files) with certain exemptions applicable under
strict conditions (e.g. payroll and personnel administration, accounting and client/supplier administration).
Data Quality
Rules on the quality of the data processed
The personal data must be processed for specified, explicit and legitimate purposes. The personal data must be
adequate, relevant and not excessive in relation to the purposes for which they are collected or further processed.
The data must also be accurate and kept up to date.
Retention period
The controller may keep the data no longer than necessary for the purposes of the processing.
Rights of Data Subjects
Right to information
The data controller must inform the data subject of its identity and the purposes of the processing as well as some
additional information that may be required to guarantee fair processing (e.g. categories of recipients of the data,
right of access and correction).
Right of access/correction/objection and other rights
The data subject has the right of access to the data and the right to have inaccurate data corrected or deleted.
If the data are to be used for direct marketing purposes, the data subject also has the right to object to such
processing and the data controller has to inform the data subjects of their right to object.
In certain cases, the data subject may object to decisions being made about him/her based solely on automatic
processing.
Security
Security requirements in order to protect the data
The controller and the processor (i.e. the individual or the legal entity that processes personal data on behalf of the
controller) are required to implement appropriate technical and organisational measures to protect the data.
The controller and its representative, if applicable, must: (a) secure access to the data; (b) inform its personnel
about the obligations under the DPA; and (c) ascertain that no unlawful use is made of the software programs used
for the automatic processing of personal data.
Specific rules governing processing by a third party (processor) on behalf of data controller
The DPA requires that if the processing is carried out by a processor, the controller must conclude an agreement
with the processor with specific obligations to ensure that the data are kept secure and that the processor only acts
upon instructions from the data controller.
Transfer of personal data to foreign countries
Transfer within the EEA
The transfer of personal data is free within the EEA.
Transfer outside the EEA
The transfer of data to non-EEA countries is restricted. The controller may only transfer personal data from Belgium
to a country outside the EEA if that country guarantees an adequate level of protection of personal data. Whether a
country ensures an adequate level of protection is to be answered taking into account all circumstances, including
the kind of data, the purposes and duration of the processing and the legislation of that country.
The DPA contains some exemptions from the prohibition to transfer personal data to countries that do not
guarantee an adequate level of protection, including the unambiguous consent of the data subject.
Furthermore, without prejudice to the paragraph referring to the exemptions, the DPA states that permission for the
transfer to countries that do not guarantee an adequate level of protection may be granted by Royal Decree subject
to adequate safeguards, including contractual guarantees. The EU Commission has approved a set of standard
contractual clauses for export to a controller in a third country and for export to a processor in a third country.
Sensitive Data
The processing of some specific so-called “sensitive data” (i.e., personal data relating to racial or ethnic origin,
political opinions, philosophical or religious beliefs, trade union memberships or sexual life) is, in principle,
prohibited. The processing of data of a judicial nature and health-related data are also, in principle, prohibited.
There are some exceptions to the general prohibition to process such data under the DPA, such as the written
consent of the data subject (except for data of a judicial nature).
For the processing of sensitive data, data of a judicial nature or health-related data, the controller must ensure that
the persons having access to such data will comply with the obligation of confidentiality in relation to such data by
means of legal, statutory or contractual provisions. The controller has to keep a list at the disposal of the
Commission for the Protection of Privacy with the categories of persons having access to such data and a precise
description of their duties in relation to the data.
Enforcement
Sanctions
The sanctions are both civil and criminal.
The DPA provides for criminal sanctions for most provisions, including the duty to inform the data subject and the
duty to file a prior notification. Penalties range from EUR 500 to EUR 500,000 and include, in specific cases,
imprisonment of up to two years. The publication of the judgment can also be ordered, and in addition, other
measures could be ordered which may also constitute a serious threat to the controller, such as confiscation of the
support media, an order to erase the data, and/or a prohibition to use the personal data for up to two years.
The data controller must compensate the data subject for damages caused by any breach of the DPA. The damage
to reputation aspect is also crucial.
Practice
The Belgian Privacy Commission distinguishes three different types of data protection files: (i) with regard to
"general information and investigation files", 678 new files were opened in 2004, of which 473 were closed the same
year. Compared to the previous year, the number of cases is slightly higher (+3.5%). 40 files from 2003 and 206
files from 2004 are still being investigated. The average duration of investigations is three to four months; (ii) with
regard to information or investigation files concerning 'consumer credit', there were 21.5% more new files in 2004
than in 2003: 462 new files were opened in 2004 and 402 of them have already been closed; and (iii) with regard to
'indirect access files', 94 new files were opened in 2004, which is 6% fewer than in 2003.
In relation to the number of prosecutions last year, there is no information about individual complaints once the
files are closed by the Commission. Although the Privacy Commission has the power to file complaints before the
courts, the Commission has so far shown particular leniency in exercising this power and has used its power of
recommendation instead. This situation is however likely to change with the Commission’s growing resources and
the increased awareness of the legislation among the Belgian population.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been partially - only with regard to e-mails - implemented by Articles 13
and 14 of the law of 11 March 2003 on certain legal aspects of information society services (the “ECA”) and the
Royal Decree of 4 April 2003 on the sending of advertising by e-mail (the “RD”) (rules similar to those set forth in
Directive 2002/58/EC with respect to automatic calling and facsimile machines were already introduced in the
Trade Practice Act of 14 July 1991 in connection with distance selling to consumers).
Conditions for sending direct marketing e-mail
The ECA prohibits the use of e-mails for advertising purposes without prior, free, specific and informed consent of
the addressees, thus imposing a so-called “opt-in” system.
Exemptions
There are a number of situations addressed in the RD where the addressee’s consent does not need to be obtained.
The first exception is where the e-mail is sent to a legal entity using “impersonal” electronic contact details (e.g.
[email protected]). The use of addresses such as [email protected], however, remains subject to the opt-in
requirement.
The second, and most important, exception, is that no consent needs to be obtained if the e-mail is sent to existing
customers, provided that the following conditions are cumulatively fulfilled: (i) the sender of the e-mail directly
obtained the electronic contact details of the addressee in the framework of the sale of a product and/or service, in
compliance with the legal and regulatory provisions with regard to data protection; (ii) the sender uses the
electronic contact details only for marketing similar products or services; and (iii) the sender offered the customer,
at the time of collecting his/her electronic contact details (and at any time thereafter), the opportunity, free of
charge and in a simple manner, to object to such use.
Scope of application
The opt-in regime is applicable to both individual and corporate contacts as soon as it is a personal address such
as [email protected].
Cyprus.
Contributed by Georgiades & Pelides
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Law on the Processing of Personal Data (Protection of the
Individual) of 23 November 2001, Law No. 138(I)/2001, as amended by the Law on the Processing of Personal
Data (Protection of the Individual) (Amending) Law of 2 May 2003, Law No. 37(I)/2003 (the “DPA”).
Entry into force of the implementing legislation
Law No. 138(I)/2001 came into force on 23 November 2001 (except for Sections 9(4) and 9(5) on the free
transfer of data to other Member States of the EU, which came into force on 1 May 2004) and Law No. 37(I)/2003
came into force on 2 May 2003.
Scope of Application of the National Legislation
Territorial scope of application
The DPA is applicable in relation to data processing carried out (i) by a data controller established in the territory
of the Republic of Cyprus or in a place where Cyprus law applies by virtue of public international law, and (ii) by a
data controller not established in the Republic but using equipment situated in the Republic for purposes other
than the mere transit of data.
Material scope of application
The DPA applies to data kept in a record, defined as a structured set of personal data accessible according to
specific criteria. The processing may be carried out by automated, partly automated or non-automated means.
Personal scope of application
The DPA only applies to data relating to individuals. The data subject is an identified or identifiable living natural
person to whom the personal data relate.
Data Controller
Entity responsible for compliance with the National Legislation
Responsibility for compliance with the DPA lies with the person in charge of processing (the “data controller”). The
data controller is defined as any natural or legal person under private or public law (including the Government of
the Republic) that determines the purposes and means of processing. The DPA does not apply to processing by a
data controller who is a natural person acting for purely personal or domestic purposes.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Commissioner for the Protection of Personal Data
40 Themistokli Dervi Street
Natassa Court, 3rd floor
1066 Nicosia, Cyprus
www.dataprotection.gov.cy
Notification or registration scheme and timing
The data controller must notify the Commissioner in writing that a record is being set up or that processing is to
take place. Information notified is kept in the Commissioner’s Register of Records and Processing. Notification to
the Commissioner should take place upon setting up of the record, or commencement of processing at the latest.
The Commissioner’s prior approval is required only when: (i) data are to be transmitted to a country outside the
EU; or (ii) two or more records which contain sensitive data or from which data may be retrieved using common
criteria are to be combined.
Exemptions
The data controller must notify unless the processing is exempt. Exemptions apply in respect of processing:
(i) necessary for the fulfilment of an obligation under an employment or contractual relationship; (ii) relating to
customers or suppliers (except in the case of insurance and pharmaceutical companies, banks and other financial
institutions); (iii) confidentially carried out by lawyers, doctors or health service providers, provided data are not
transmitted to third parties; or (iv) carried out by any organisation in relation to its consenting members (e.g.
shareholders of a company).
Data Quality
Rules on the quality of the data processed
The processed data must be: (i) adequate, relevant and not excessive in relation to the purposes of processing; and
(ii) accurate and, where necessary, kept up-to-date.
Retention period
Personal data may be retained in a form that permits identification of data subjects for no longer than necessary
for the purposes for which data has been collected. The Commissioner may permit retention for a longer period for
historical, scientific or statistical purposes, provided data subjects’ rights are not prejudiced.
Rights of Data Subjects
Right to information
Data subjects must be informed of the identity of the data controller and the purposes of the processing. Also,
where this is necessary to ensure fair processing, data subjects must be informed about the recipients of the data,
the existence of rights to access and rectify data, whether it is obligatory to provide the data required and the
consequences of failure to do so.
Right of access/correction/objection and other rights
Access: Data subjects have the right to obtain from the data controller, without excessive delay and expense,
information as to the data processed, their source and recipients, the purpose of the processing, and the logic
behind automatic processing.
Correction: Data subjects have the right to insist upon rectification, erasure or blocking of data which is incomplete
or inaccurate or has been subject to unlawful processing.
Objection to processing: Data subjects have the right to object to the processing of data on compelling legitimate
grounds relating to a data subject’s particular situation.
Other: Data subjects have the right (i) to seek a court order suspending or annulling an act or decision taken
through data processing intended to evaluate the data subject’s personality and (ii) to receive compensation from
the data controller for damage suffered as a result of unlawful processing.
Security
Security requirements in order to protect the data
Processing is confidential and may be carried out only by the data controller and others, upon its instructions and
under its control, provided they possess the necessary technical skill and personal integrity. The data controller
must implement appropriate technical and organisational measures to protect the data from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure or access or unlawful processing.
Specific rules governing processing by a third party (processor) on behalf of data controller
Where the processing is carried out by a third party on behalf of the data controller, the appointment of the third
party must be in writing and must provide that the third party will act only on instructions of the data controller
and that the obligations of the data controller will be incumbent on the third party also.
Transfer of personal data to foreign countries
Transfer within the EEA
The transfer of data to another EU Member State is unrestricted. The transfer to Norway, Liechtenstein and Iceland
of data that have been or are to be processed is permitted, provided the Commissioner’s permission is obtained.
Permission is given only if, in the opinion of the Commissioner, the country to which data will be transferred
ensures an adequate level of data protection. The Commissioner may permit the transfer of data to a country which
does not ensure an adequate level of data protection provided particular conditions set out in the DPA are
satisfied.
Transfer outside the EEA
The transfer to any country outside the EU of data that have been or are to be processed is permitted, provided the
Commissioner’s permission is obtained. Permission is given only if, in the opinion of the Commissioner, the
country to which data will be transferred ensures an adequate level of data protection. The Commissioner may
permit the transfer of data to a country which does not ensure an adequate level of data protection provided
particular conditions set out in the DPA are satisfied.
Sensitive Data
Special protection is provided for personal data that are sensitive, i.e. concerning racial or ethnic origin, political
opinions, religious or philosophical beliefs, society and trade union membership, health, sexual life, sexual
orientation and criminal prosecutions and convictions. The processing of sensitive data is prohibited, except where
(a) the subject has expressly consented and such consent is not contrary to the law or public morals; (b) processing
is necessary under employment law or for national security purposes or in order to safeguard the interests of a
subject unable to express consent; or (c) processing is carried out by a non-profit-making organisation in relation to
its members, or by a doctor for medical purposes, or in relation to data that have been publicised by its subject, or
for statistical, research, scientific, historical, journalistic or artistic purposes.
Enforcement
Sanctions
Sanctions are both civil and criminal. Civil sanctions include fines of up to CYP 5,000 and an order to cease
processing and/or destroy data. Criminal sanctions include fines of up to CYP 5,000 and up to five years of
imprisonment.
Practice
80 complaints were submitted last year to the Information Commissioner. The Commissioner has no competence to
bring prosecutions, but can report any contraventions of the provisions of the Law, which constitute an offence, to
the competent Authorities. No such contraventions have been reported to date. The Commissioner may impose
administrative sanctions for breaches of the data protection legislation.
The most significant sanction imposed by the Commissioner to date was a fine of CYP 1,500 on a company. The
company had infringed various provisions of the Law, including Section 15 of the Law, which relates to processing
for direct marketing purposes. The company had sent advertising text messages without obtaining the prior written
consent of the data subjects. The provisions of Section 5 of the Law, which relate to lawful processing, were also
breached and, finally, the company had omitted to notify the Commissioner of the establishment and operation of a
filing system and the carrying out of processing, in contravention of Section 7 of the Law.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by: (i) amended Section 15 of the DPA, which came
into force on 2 May 2003; and (ii) Section 106 of the Law on the Regulation of Electronic Communications and
Postal Services of 30 April 2004, Law No. 112(I)/2004 (the “Law”) which came into force on 30 April 2004.
Conditions for sending direct marketing e-mail
The DPA prohibits the processing of personal data (including an e-mail address) for the purpose of marketing,
selling goods and offering services from a distance, unless the prior consent of the data subject has been obtained
in writing. In order to contact the data subject for the purpose of obtaining its consent, only personal data relating
to the subject which are accessible to the public may be used. Section 106(1) of the Law provides that electronic
mail may be used for direct marketing purposes only where a subscriber has consented to such use in advance. By
virtue of Section 106(3), Section 106(1) applies to natural persons only, while a decree may be issued by the
Commissioner for the Regulation of Electronic Communications and Postal Services (the “Electronic
Communications Commissioner”) in order to ensure the protection of the legitimate interests of subscribers who
are legal persons. The Electronic Communications Commissioner has issued the Decree on Legal Persons (Ensuring
the Protection of Legitimate Interests with regard to Unsolicited Communications) of 28 January 2005, Decree No.
34/2005 (the “Decree”), which came into force on 28 January 2005, and provides that the use of e-mail for direct
marketing to subscribers who are legal persons is permitted only where a subscriber has clearly declared, in written
or electronic form, his willingness to receive such mail to: (i) the sender; or (ii) the person responsible for the
Cyprus Telephone Directory Data Base; or (iii) the provider of e-mail services. Section 106(4) of the Law provides
that where the e-mail address of a client is revealed in the context of the sale of a good or service, the same seller
may use that address for the direct marketing of its own same goods or services, provided the client is given clearly
and distinctly an opportunity to object, in an easy and costless manner, to such use at the time the address is
collected and, if no objection is at that time raised, each time the address is used. Under Section 106(5) of the
Law, in each marketing message sent by e-mail the following must be stated: (i) the identity of the sender or the
person on whose behalf the message is sent; and (ii) a valid address to which the recipient may send a request that
communications cease.
Exemptions
There are no exemptions.
Scope of application
The provisions of the DPA and Section 106(1) of the Law apply to natural persons only, while the provisions of
Sections 106(4) and 106(5) of the Law apply to both natural and legal persons. The provisions of the Decree apply
to legal persons only.
Czech Republic.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC was implemented by Act No. 101/2000 Coll., on Personal Data Protection (the “DPA”).
Entry into force of the implementing legislation
The DPA entered into force on 1 June 2000 with the exception of the Registration Section, which came into force
on 1 December 2000.
Scope of Application of the National Legislation
Territorial scope of application
The national legislation applies to data controllers established in the Czech Republic and the processing of
personal data in the Czech Republic. It also applies to data controllers established outside the EU that process
personal data in the Czech Republic, if such processing is not limited to a pure transfer of personal data through
the EU. A data controller established outside the EU processing personal data in the Czech Republic must appoint
an authorised representative in the Czech Republic.
Czech law may also be applicable under the rules of private international law regardless of the country in which a
data controller is established.
Material scope of application
The DPA applies to both manual and electronic files.
Personal scope of application
The DPA only applies to data relating to individuals. However, data relating to legal entities are also protected by
national legislation, in particular, by the provisions of the Commercial Code relating to business names and unfair
competition.
Data Controller
Entity responsible for compliance with the National Legislation
The DPA applies to any data processed by state bodies, local government bodies, other public bodies, and by legal
entities and individuals. The DPA does not apply to data processing performed by an individual exclusively for
personal needs. In addition, the DPA does not apply to casual personal data collection, provided that the data are
not processed any further.
The DPA defines a data controller as “any subject which: (i) determines the purpose of personal data processing;
(ii) determines the means of processing; (iii) carries out processing; and (iv) bears responsibility for such
processing”. The activities under (i), (ii) and (iv) are always carried out by the data controller. The activity under
(iii) may be transferred to a data processor.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Office for Personal Data Protection (Úřad pro ochranu osobních údajů) (the “Office”)
Pplk. Sochora 27,
170 00, Prague 7
Czech Republic
www.uoou.cz
Notification or registration scheme and timing
A person that intends to process personal data must notify the Office prior to commencement of data processing.
The DPA sets no period within which the notification must be filed. If the notification includes all required
information and if the Office has not initiated proceedings (the Office will start proceedings in cases where there
are serious doubts arising from the notification that the processing could breach the law), the data controller may
start its data processing activities 30 days after the delivery of the notification to the Office. Upon the data
controller’s request, the Office will issue a registration certificate.
The notification must be filed on a registration form on which the notifying party must provide various details with
regard to the intended processing. The same notification obligation applies to any future changes in the
processing. The notification is not subject to administrative fees.
Exemptions
There is no need to notify the Office of processing if: (i) the data processed are part of public records specifically
available in accordance with law, such as the Companies Register or a certain part of the Trade Licences Register;
(ii) the data controller needs to process the data in order to benefit from the rights arising, or fulfil the obligations
under, specified legislation (this relates in particular to data processed in the course of judicial resolution of
disputes, to a number of fields of administrative decision-making, to employers’ duties under the Employment Act
and accounting and social security legislation); or (iii) political parties or non-profit making organisations process
personal data concerning their members or partners and such data are not disclosed without the consent of such
members or partners.
Data Quality
Rules on the quality of the data processed
The data controller is required to process only true and accurate personal data obtained in compliance with the
DPA. If the data controller discovers that the data are untrue or inaccurate, it must block the data and correct or
complete them. If it is impossible to correct the data, the data controller must destroy them. The data controller
must inform all the prior recipients of the data about blocking, correction, completion or destruction of the data
without undue delay.
Retention period
Personal data may be retained only as long as is necessary for the purpose of processing.
Rights of Data Subjects
Right to information
The data controller must inform the data subject prior to commencement of data processing about: (i) the extent
and purpose of the processing of his/her personal data; (ii) the identity of the person by whom the data will be
processed; and (iii) the recipient of the data. If the data are obtained from a data subject, the information provided
must also include a note as to whether the data subject is required by law to provide the requested personal data
or whether the provision of data is voluntary.
The data controller must inform the data subjects about the processing of their personal data upon request. This
duty to inform may be carried out on behalf of the data controller by a processor.
Right of access/correction/objection and other rights
The data subject may ask the data controller to correct his/her personal data if they are untrue or inaccurate. The
data subject is entitled to ask the data controller to inform him/her which of his/her personal data are being
processed.
If the data subject discovers that the data controller or processor has breached its duties, he/she may: (i) ask the
Office to take remedial measures; (ii) request that the data controller or processor refrain from such activity;
(iii) request that the data are corrected, completed, blocked or destroyed; and (iv) request a financial remedy.
Security
Security requirements in order to protect the data
The data controller (as well as the data processor) must take technical, organisational or other measures to protect
personal data against unauthorised or accidental access, change, destruction, loss or against any other
unauthorised processing.
Specific rules governing processing by a third party (processor) on behalf of data controller
Authorisation of the data processor arises either from a special act or is based on a written agreement with the data
controller on whose behalf the data are processed. The agreement must include the extent and purpose of the data
processing and the period for which it is concluded. The processor has similar duties to those of the data
controller.
Transfer of personal data to foreign countries
Transfer within the EEA
Personal data may be freely transferred within the EEA and to countries that have ratified the Convention for the
Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) of the Council of Europe.
Transfer outside the EEA
Personal data may be transferred to non-EEA Member States or countries which are not party to the Convention for
the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) if the data are
transferred based on the decision of EU bodies (such as decisions on contractual clauses and the US safe harbor).
In other cases, the data controller must apply for the Office’s approval prior to the transfer. The Office authorises
the transfer if the data controller proves that one of the conditions set by the DPA is met. These conditions
include: (i) the data subject’s consent to the transfer; (ii) the necessity to conclude or execute an agreement upon
the data subject’s initiative or to perform an agreement to which the data subject is a party; (iii) the necessity to
perform an agreement in the data subject’s interest concluded between the data controller and a third party; or
(iv) it is essential for the protection of the data subject’s rights.
Sensitive Data
Sensitive personal data are data regarding national, racial or ethnic origin, political opinions, membership of
political parties, trade unions or other employee organisations, religious and philosophical convictions, criminal
activity, health and sexual life of the data subject and any biometric or genetic data of the data subject. This list of
sensitive data in the DPA is complete, and no other data are considered sensitive.
Sensitive data may be processed with the explicit consent of the data subject. The data controller must be able to
prove the data subject’s consent during the entire period of data processing. Sensitive data may be processed
without the data subject’s consent in the following cases: (i) if necessary in order to maintain the life or health of
the data subject or any other person, or to avert an imminent threat to his/her assets; (ii) if providing health care or
assessing health under a special legal regulation, in particular for social security purposes; or (iii) if the data
processing is necessary for meeting the data controller’s duties under labour law.
Enforcement
Sanctions
Sanctions and penalties under the DPA: If legal entities, or individuals undertaking business under special laws,
breach as data controllers or processors any of the obligations in the DPA, they may be required to pay a penalty of
up to CZK 5,000,000. If they breach duties related to sensitive data processing or if the breach endangers the
privacy and private life of more people (the number of people depends on the context of the case, in practice this
involves dozens of people or more), they may be required to pay a penalty of up to CZK 10,000,000. Legal entities
are not responsible for the breach if they prove that they have made every possible effort to prevent the breach of
the legal obligation.
If individuals as data controllers or processors breach any of the obligations in the DPA, they may be required to
pay a penalty of up to CZK 1,000,000. If individuals breach duties related to sensitive data processing or if the
breach endangers the privacy and private life of more people, they may be required to pay a penalty of up to CZK
5,000,000.
In addition, if a person who is employed by or works for a data controller or processor or who in the course of
fulfilling his/her rights and obligations imposed by law comes into contact with the personal data of the controller
or the processor and breaches the confidentiality duty under the DPA, he/she may be subject to a fine of up to CZK
100,000.
Sanctions under the Criminal Code: Under current regulations, only individuals are liable for criminal offences; the
Criminal Code has no relevance to data controllers which are legal entities. However, their employees may be held
liable for a criminal offence, such as unauthorised disclosure of personal data or breach of the duty of
confidentiality and may be punished by a term of imprisonment of up to three years, prohibition of professional
activities or a fine.
Practice
The Office for Personal Data Protection conducted 79 inspections in 2004, of which 60 were initiated on the basis
of an external complaint. 53 prosecutions were closed in 2004, of which 35 were closed by a decision on levying a
fine. Typically, the level of penalty imposed is in the tens of thousands of Czech Republic Koruna, but is rarely
over a hundred thousand Czech Republic Koruna. The highest penalty levied to date was CZK 500,000, levied in
2004. An employment agency processed sensitive data on jobseekers without their consent. The agency did not
exercise due care in order to protect the dignity of its clients. The personal data processed by the agency were not
protected from unauthorised access, alteration, destruction, transfer or other abuse. The investigation of this
agency was opened after documents containing personal data on jobseekers were found in the street next to a
dustbin.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of European Directive 2002/58/EC was implemented in the Czech Republic by Act No. 480/2004 Coll.,
on Certain Information Society Services (the “ECA”).
Conditions for sending direct marketing e-mail
Under the ECA, marketing e-mail may be addressed to individuals as well as to legal entities on an opt-in basis.
Exemptions
The ECA does not include exemptions.
Scope of application
The ECA applies to both individuals and legal entities.
Denmark.
Contributed by Gorrissen Federspiel Kierkegaard
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Act on Processing of Personal Data, Act no. 429 (the “DPA”)
dated 31 May 2000.
Entry into force of the implementing legislation
The DPA entered into force on 1 July 2000.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to the processing of data undertaken for a data controller established in Denmark, provided that
the activities take place within the EU, and to processing undertaken for Danish diplomatic offices.
The DPA also applies to data controllers established in a third country (i) if the collection of data in Denmark is
undertaken for the purpose of processing in a third country, or (ii) if the processing is undertaken through means
located in Denmark, unless such means are only used for the purpose of sending data through the territory of the
EU, in which case the data controller must designate a representative established in Denmark and provide written
notification of the details of the representative to the Data Protection Agency. A “third country” is defined in the
DPA as a country which is not a Member State of the EU, and which has not implemented agreements with the EU
that contain provisions similar to the provisions of Directive 95/46/EC.
Material scope of application
The DPA applies to all personal data, regardless of whether held in manual or computerised form.
Personal scope of application
In general, the provisions of the DPA only apply to individuals. In relation to credit information bureau data
processing, the DPA also applies to legal entities. This is also the case with the provisions regulating the disclosure
to credit information agencies of debts to public authorities. Furthermore, the DPA applies to corporate data if the
processing is carried out for the purpose of warning third parties against entering into business relations with a
data subject.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. A data controller is defined as a natural or legal
person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Data Protection Agency (Datatilsynet)
Borgergade 28, 5
DK-1300
Copenhagen K
Denmark
www.datatilsynet.dk
Notification or registration scheme and timing
Prior permission from the Data Protection Agency is required for the following data processing: (i) processing of
sensitive data or data of a purely private nature; (ii) processing undertaken for the purpose of warning others
against business relations with, or employment of, a data subject; (iii) processing undertaken by a credit
information bureau for the purpose of disclosing, as part of its business, data for the evaluation of financial
soundness and creditworthiness; (iv) processing undertaken for the purpose of commercial employment assistance;
(v) processing undertaken solely for the purpose of supplying legal information; or (vi) transfers based on the EC
Model Clauses. A fee of DKK 1,000 is payable for an application for permission.
Exemptions
No prior permission or notification is required for other processing activities.
Data Quality
Rules on the quality of the data processed
The personal data processed must be relevant, adequate and not excessive in relation to the purposes for which
they are collected and processed. In addition, the processing of personal data must be undertaken in such a
manner as to ensure, where necessary, that the data are kept up to date and that controls are also in place to
ensure that no inaccurate or misleading data is processed; any such data must be deleted or rectified as soon as
possible.
Retention period
Personal data may not be stored for longer than is necessary for the purposes for which the data are processed.
Rights of Data Subjects
Right to information
When collecting data from a data subject, the data controller or its representative must provide the following
information if the data subject is not already aware of it: (a) the identity of the data controller and any
representative of the data controller; (b) the purpose for which the data are intended to be processed; and (c) any
further information which in the specific circumstances is necessary to permit the data subject to consider his/her
interests. Examples of such information include the category of any recipients of the data, whether answering
questions is compulsory or voluntary and the possible consequences of failing to answer, and information regarding
rights of access and rectification. If personal data are not obtained from the data subject, the same information
must be provided to the data subject on collection of the data, unless the data subject is already aware of the
information, or if providing it proves to be impossible, or would involve disproportionate effort.
Right of access/correction/objection and other rights
Access: Data subjects may obtain information on their personal data on request to data controllers.
Correction: In certain cases the data subject may ask the data controller to rectify, block, erase or destroy the data.
Objection to processing: Data subjects may object to the processing where justified.
Security
Security requirements in order to protect the data
The DPA requires data controllers and data processors to implement appropriate technical and organisational
measures to protect personal data against accidental or unlawful destruction, loss or deterioration, disclosure to
unauthorised persons, misuse, or other unlawful forms of processing.
Specific rules governing processing by a third party (processor) on behalf of data controller
All processing by a data processor must be subject to a written agreement between the data controller and the data
processor. The agreement must state that the data processor may only act on instructions from the data controller,
and that the data processor must ensure that the necessary technical and organisational precautions are taken
against accidental or illegal loss, destruction or deterioration of the data, and against their abuse or illegal
processing.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Transfer of personal data to Member States of the EU and the EEA must simply comply with the general processing
rules under the DPA.
Transfer outside the EEA
The DPA prohibits transfer outside the EEA unless the destination ensures adequate protection for the data.
In addition, the Data Protection Agency may grant permission for the transfer of data (which may be conditional), if
the data controller provides satisfactory guarantees for the protection of the rights of the data subjects.
Otherwise, personal data can be transferred outside the EEA under the usual circumstances (e.g. international
transfers based on consent do not need to be notified to the Data Protection Agency unless the transfers include
sensitive personal data or data of a purely private nature).
Sensitive Data
Special protection is provided for personal data that are sensitive, i.e. data concerning racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership, health or sexual life.
Under the DPA, “data of a purely private nature” is defined as data on criminal matters, substantial social
problems and other matters of a purely private nature. Private sector data controllers may process such data only in
certain circumstances. Data of a purely private nature may not be disclosed without the explicit consent of the data
subject, unless such disclosure is for the purpose of public or private interests that clearly outweigh the interests of
the data subject, or unless the disclosure fulfils the requirements for processing of sensitive data.
Enforcement
Sanctions
Any person or legal entity that commits an offence under the DPA is liable upon conviction to a fine or
imprisonment.
Practice
The number of investigations in 2004, which includes all cases handled by the Danish Data Protection Agency
(including 67 inspections), was 1,825. The Danish Data Protection Agency cannot impose sanctions but can only
request the Danish Public Prosecution Office to instigate proceedings. To our knowledge, there was only one
prosecution last year. The prosecution referred to above was decided by the Eastern Division of the High Court,
which imposed a fine of approximately EUR 650. So far only fines have been levied. The highest fine imposed to
date amounted to approximately EUR 6,500 and was imposed in 2001. The case concerned the unauthorised
transfer of the customer database of a newspaper to another newspaper, which used the customer database for
marketing purposes. The case did not go to court as the newspaper accepted the fine.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by amending Act no. 450 of 10 June 2003 (the
“ECA”), which amends Section 6a of the Marketing Practices Act. The ECA entered into force on 25 July 2003.
Conditions for sending direct marketing e-mail
It is not permitted to transmit unsolicited direct marketing e-mail (as well as SMS and MMS messages) unless the
recipient has notified the sender of his/her consent to such communications being sent by the sender (opt-in
approach).
Exemptions
It is permitted to send e-mail for the purposes of direct marketing where: (a) the unsolicited marketing only relates
to products or services which are similar to the products or services bought by the recipient at the time when the
sender obtained the e-mail address and (b) the recipient has been given a simple means (free of charge except for
the costs of transmitting the refusal - the use of premium rate telephone numbers or SMS messages is not
permitted) of refusing the use of his/her contact details for the purposes of such direct marketing at the time that
the details were initially collected and with each subsequent communication. This is therefore an opt-out.
Scope of application
The ECA applies to all customers, including consumers, businesses and public authorities, irrespective of whether
the customer is a natural person or legal entity.
Estonia.
Contributed by Raidla & Partners
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Personal Data Protection Act (Isikuandmete kaitse seadus) (the
“DPA”) dated 12 February 2003.
Entry into force of the implementing legislation
The DPA entered into force on 1 October 2003.
Scope of Application of the National Legislation
Territorial scope of application
The DPA is applicable within the territory of Estonia. Transmission of personal data through the territory of Estonia
for transit purposes (without other processing) is excluded from the scope of the DPA.
Material scope of application
The DPA applies to both data that are processed in digital form as well as data in paper files.
Personal scope of application
The DPA only applies to data relating to individuals and not to data relating to legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
All persons engaged in the processing of personal data are responsible for compliance with the DPA. The DPA
defines the data controller as a natural or legal person, or a state or local government agency, which processes
personal data or at whose request personal data are processed.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Data Protection Inspectorate
Väike-Ameerika 19
10129 Tallinn
Estonia
www.dp.gov.ee
Notification or registration scheme and timing
Data controllers are required to notify the Data Protection Inspectorate of the processing of private personal data
(i.e. data revealing details of family life, data revealing an application for the provision of social assistance or social
services, data regarding mental or physical suffering endured by a person and data collected on a person during
the process of taxation, except data concerning tax arrears) at least one month prior to commencement of
processing. No approval from the Data Protection Inspectorate is necessary. In addition, data controllers are
required to register the processing of sensitive personal data (see below) with the Data Protection Inspectorate at
least one month before commencement of processing. The Data Protection Inspectorate will refuse to register
processing of sensitive data if there is no legal basis for such processing, the conditions of processing do not
comply with the requirements of the DPA or the security measures applied do not ensure compliance with the
requirements of the DPA.
Exemptions
Other processing is exempted from notification.
Data Quality
Rules on the quality of the data processed
Personal data must be kept up to date; personal data must be complete and necessary for the specific purpose of
the data processing.
Retention period
Under the DPA, data controllers must promptly erase or block personal data unnecessary for achieving their
specified purposes unless otherwise prescribed by law.
Rights of Data Subjects
Right to information
The data processors must notify the data subject of the purpose of the processing, persons to whom transmission
of the personal data is permitted, certain information about the data controller and the data subject’s rights with
regard to the processing. In addition, certain information must be provided to the data subject at the request of the
data subject, such as data relating to the respective data subject and categories and sources of the data.
Right of access/correction/objection and other rights
Access: Upon request of the data subject, the data controller must inform the individual whether it has processed
or is processing any data concerning him/her. If it does, it must describe the content of such personal data, the
purpose for which they are processed and third parties to which they are, or may be, disclosed.
Correction: Data subjects have the right to request rectification of inaccurate data and blocking or erasure of the
personal data collected if the processing is not in compliance with the DPA or other legislation.
Objection to processing: Data subjects have the right to object to the processing of personal data relating to them
if the processing is not in compliance with the DPA or other legislation.
Security
Security requirements in order to protect the data
Processors are required to take organisational, physical and IT security measures to prevent unauthorised
alteration, loss and destruction of data and unauthorised processing, and to guarantee access to the data for
persons who are authorised to access such data.
Specific rules governing processing by a third party (processor) on behalf of the data controller
Processors must act in compliance with the DPA as well as the orders and instructions provided by the data
controllers and maintain the confidentiality of personal data which become known to them. No special additional
rules are applied with regard to such persons.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Transfer outside the EEA
The DPA permits transfers outside the EEA to countries whose data protection level is deemed to be sufficient by
the Commission of the European Communities.
Transmission of personal data to foreign countries whose data protection level is not deemed to be sufficient by the
Commission of the European Communities is allowed only with the permission of the Data Protection Inspectorate
if, in the specific case, the data controller guarantees the protection of the rights and private life of the data
subject in the country or if, in the specific case, a sufficient level of data protection is ensured in the country.
When assessing the level of data protection, the circumstances of the transmission of personal data shall be taken
into account, including: (i) the categories of data; (ii) the purposes and duration of processing, and the
transmission of data to the country of destination and to the final country of destination; and (iii) the law of the
state concerned.
If the Data Protection Inspectorate does not give permission to do so, personal data may be transmitted to a foreign
state where a sufficient level of data protection is not ensured if: (i) the data subject has consented thereto; (ii) the
data are transmitted to the foreign state in cryptographic form and the data necessary for decoding is not
communicated to the foreign state; or (iii) there are certain significant reasons for transfer of the data (e.g. transfer
of data is necessary for protection of the life, health or freedom of the data subject).
Sensitive Data
As indicated above, processing of sensitive personal data is subject to registration with the Data Protection
Inspectorate. Sensitive personal data within the meaning of the DPA includes data revealing political opinions or
religious or philosophical beliefs, ethnic or racial origin, data relating to health or disability, genetic information,
sexual life, membership of trade unions and certain information collected in criminal proceedings or in other
proceedings to ascertain an offence.
Enforcement
Sanctions
Violation of the requirements for the processing of personal data stipulated in the DPA is treated as a
misdemeanour and is punishable by a fine of up to 50,000 kroons (approx. EUR 3,195).
Practice
Pursuant to the information available on the Data Protection Inspectorate’s website, the Inspectorate issued 28
enforcement notices to data controllers in 2004. The main reasons for issuing enforcement notices were
non-compliance with the obligation to register processing of sensitive personal data with the Data Protection
Inspectorate and the failure to apply additional measures for protection of sensitive personal data within the term
established by the Data Protection Inspectorate. Penalty payments were applied on six occasions, the average
penalty being 5,000 Estonian kroons (approximately EUR 320).
In relation to the highest penalty levied to date, the Data Protection Inspectorate does not have any statistics on
this matter. However, it confirmed that fining and imposing penalty payments is rather rare and in practice it only
uses such measures if a data controller violates the law and does not bring its activities into compliance with the
law even after an enforcement notice has been issued by the Data Protection Inspectorate.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been transposed into Estonian law by the Information Society Service Act
(Infoühiskonna teenuse seadus) (the “ECA”) which entered into force on 1 May 2004.
Conditions for sending direct marketing e-mail
Pursuant to the ECA, direct marketing by e-mail is allowed to recipients who have given their prior consent (opt-in
regime). In addition, the recipient must be expressly informed of how to refuse receiving marketing messages in
the future and the possibility of exercising that right by way of electronic means must be provided. The ECA also
specifies certain data about the sender (service provider) which must be communicated to the recipients as well as
criteria which the direct marketing e-mail must meet.
Exemptions
The ECA does not provide any exemptions to the opt-in regime.
Scope of application
The ECA does not differentiate between individual persons and corporate entities as recipients of marketing e-mail
and applies to both.
Finland.
Contributed by Hannes Snellman Attorneys at Law
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Finnish Personal Data Act (Henkilötietolaki 1999/523) (the
“DPA”) dated 22 April 1999.
Entry into force of the implementing legislation
The DPA came into force on 1 June 1999.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to processing of personal data where the data controller is: (i) established in Finland; (ii) not
established in Finland but otherwise subject to Finnish law; or (iii) not established in the EU but uses equipment
located in Finland in the processing of personal data (other than for mere transit purposes). In this case the data
controller must designate a representative established in Finland.
Material scope of application
The DPA makes no distinction between manual and electronic files. Thus, it applies equally to personal data files
of all forms.
Personal scope of application
The DPA only applies to data relating to natural persons. Data relating to legal entities remain outside the scope of
the DPA.
Data Controller
Entity responsible for compliance with the National Legislation
The responsibility for compliance with the DPA lies with the data controller. The DPA defines a data controller as a
person, corporation, institution or foundation, or a number of them, for whose use a personal data file is set up and
who is entitled to determine the use of the file, or who has been designated as a data controller by law.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Office of the Data Protection Ombudsman (supervises the processing in order to achieve the objectives of the
DPA).
P.O. Box 315
00181 Helsinki
Finland
www.tietosuoja.fi
The Data Protection Board/Ministry of Justice (deals with questions of principle relating to the processing of
personal data)
P.O. Box 25
00023 Council of State
Finland
www.tietosuoja.fi
Notification or registration scheme and timing
Unless the processing is exempt, the data controller must notify the Data Protection Ombudsman of automated
data processing and any transfer of data outside the EEA that requires such a notification no later than 30 days
before processing commences. No approval is required.
Exemptions
Every data controller who is processing personal data must notify the Data Protection Ombudsman unless they are
exempt. Exemptions apply if, inter alia: (i) the data subject has unambiguously consented to the processing;
(ii) the data subject has given an assignment for processing, or the processing is necessary in order to perform a
contract to which the data subject is a party or in order to take steps at the request of the data subject before
entering into a contract; (iii) processing is necessary, in an individual case, in order to protect the vital interests of
the data subject; (iv) processing is based on a law or is necessary for compliance with a task or obligation to which
the data controller is bound by virtue of an act or an order issued on the basis of an act; (v) there is a relevant
connection between the data subject and the operations of the data controller, based on the data subject being a
client or member of, or in the service of, the data controller; (vi) the data relate to the clients or employees of a
group of companies or another comparable economic grouping, and they are processed within that grouping; or
(vii) the Data Protection Board has granted permission for the processing. In addition, derogation may be provided
by a decree if it is evident that the processing of personal data does not compromise the protection of the privacy
of the data subject, or his/her rights of freedom.
Data Quality
Rules on the quality of the data processed
The personal data processed must be necessary for the declared purpose of the processing (necessity requirement).
The data controller must also ensure that no erroneous, incomplete or obsolete data are processed (accuracy
requirement).
Retention period
If a personal data file is no longer necessary for the data controller’s operations, it must be destroyed unless an act
or lower-level regulation contains specific provisions for continued storage of the data. Sensitive data must be
erased from the data file immediately when there no longer is a reason for its processing.
Rights of Data Subjects
Right to information
The data subject has the right to be informed, upon collection and recording of personal data by the data controller
or, if the data are obtained from a source other than the data subject and intended for disclosure, at the latest at
the time of first disclosure of the data, of: (i) the name and address of the data controller and, where necessary,
the data controller’s representative; (ii) the purpose of the processing; (iii) the regular destinations of disclosed
data; and (iv) how the data subject may exercise his/her rights with respect to the processing in question.
Additionally, certain specific rules apply with regard to the provision of information to the data subject on the
processing of data contained in a credit data file and the related right of access.
Right of access/correction/objection and other rights
Access: Data subjects have the right to access personal data relating to them or to a notice that the file contains no
such data, upon signed request or personal appearance at the premises of the data controller.
Correction: At the request of the data subject, or on his/her own initiative, the data controller must without undue
delay rectify, erase or supplement personal data contained in its personal data file which is erroneous,
unnecessary, incomplete or obsolete as regards the purpose of the processing.
Objection to processing: A data subject has the right to prohibit the data controller from processing personal data
for direct advertising, distance selling, other direct marketing, market research, opinion polls, public registers or
genealogical research.
Security
Security requirements in order to protect the data
The data controller must carry out the technical and organisational measures necessary to secure personal data
against unauthorised access, accidental or unlawful destruction, manipulation, disclosure and transfer and other
unlawful processing.
Specific rules governing processing by a third party (processor) on behalf of the data controller
The processor must, before starting to process the data, provide the data controller with appropriate commitments
and other adequate guarantees of the security of the data as provided above. Anyone who has gained knowledge of
the characteristics, personal circumstances or economic situation of another person while carrying out measures
relating to data processing must not disclose the data to a third person in contravention of the DPA.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Transfer outside the EEA
Personal data may be transferred to countries outside the EEA only if the country in question guarantees an
adequate level of data protection. The Data Protection Ombudsman must be notified when data is transferred
based on this prerequisite. The European Commission has specifically approved certain countries as having an
adequate level of data protection. With respect to these countries no notification is required. Otherwise, personal
data can be transferred outside the EEA under the usual circumstances (e.g. when the data subject has
unambiguously consented to the transfer; when the transfer is made using the EC Model Clauses). The Data
Protection Ombudsman must be notified when a data transfer contract is used which is not in the model form
approved by the European Commission.
Sensitive Data
According to the DPA, the processing of sensitive data is prohibited. Personal data are deemed to be sensitive if
they relate to or are intended to relate to racial or ethnic origin; social, political or religious affiliation or trade
union membership; criminal acts, punishment or other criminal sanctions; state of health, illness or handicap or
treatment or other comparable measures; sexual preference or sexual life; social welfare needs or benefits, support
or other social welfare assistance received. There are, however, many exemptions to the prohibition including,
among others, the processing of data where the data subject has given express consent.
In addition, the DPA contains limitations as to the processing of personal identity numbers (these are not as such
sensitive data).
Enforcement
Sanctions
The data controller is liable to compensate for economic and other loss suffered by the data subject or another
person as a result of the processing of personal data in violation of the DPA. The penalties for a personal data
offence, for breaking into a personal data file and for violation of the secrecy obligation are provided for in the
Penal Code. The penalties normally range from a fine to one year in prison.
Practice
According to the 2004 annual report of the Office of the Finnish Data Protection Ombudsman the number of
requests for action (including e.g. guidance and investigations) made by the citizens (i.e. data subjects and data
controllers) was around 800. According to the oral, unofficial opinion of the head of department of the Office of
the Finnish Data Protection Ombudsman, around 260 of these were investigations.
According to the information received from the head of department of the Office of the Data Protection
Ombudsman the number of prosecutions in 2004 was 50. The Data Protection Ombudsman must give a prior
statement before any prosecution to the public prosecutor and 50 statements were given last year by the Data
Protection Ombudsman. According to the head of department of the Office of the Data Protection Ombudsman the
number of requests for statements has been increased significantly compared to the previous years.
According to the information received from the head of department of the Office of the Data Protection
Ombudsman the typical penalty is a fine, but information about the typical level of the fine could not be verified.
Under the Finnish Personal Data Act (the “DPA”) serious breaches are classed as “personal data file crimes” and
are punishable by up to one year’s imprisonment or fines. These include intentional or grossly negligent:
(i) processing of personal data in violation of the provisions of the DPA relating to the exclusivity of purpose, the
general prerequisites for processing, the necessity and integrity of processing, sensitive data, personal identity
numbers or the processing of personal data for specific purposes; (ii) transfer of personal data outside the EU or
EEA in violation of the DPA, provided that such transfer violates the privacy of the data subject or causes him other
damage or significant inconvenience; or (iii) conduct by giving false or misleading information and thereby
preventing or attempting to prevent a data subject from using his right of inspection.
34⏐November 2005⏐Data protection legislation in the European Union⏐
In addition, breaches of the secrecy obligations are classed as secrecy violations or offences. Less serious breaches
are classed as “personal data violations” and are punishable only by fines. These include intentional or grossly
negligent: (i) violation of the provisions relating to the drawing up of the description of the file, defining the
purpose of the processing of the personal data, the information on processing of personal data, the rectification of
the file, the right of the data subject to prohibit the processing of personal data, and the notification to the Data
Protection Ombudsman; (ii) provision of false or misleading data to a data protection authority in a matter
concerning a personal data file; (iii) violation of the provisions on the protection and destruction of personal data
file; or (iv) breaking a final order issued by the Data Protection Board.
Information about the most significant penalty levied to date could not be obtained from the Office of the Data
Protection Ombudsman, but according to the information given by the head of department of the Office of the Data
Protection Ombudsman, the largest share of personal data crimes relates to the intentional or grossly
negligent processing of personal data in violation of the exclusivity-of-purpose provisions of the DPA (e.g. unauthorised
use of data systems and data files).
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Finnish Act on the Protection of Privacy in
Electronic Communications (Sähköisen viestinnän tietosuojalaki 2004/516) (the “ECA”) dated 16 June 2004. The
ECA came into force on 1 September 2004.
Conditions for sending direct marketing e-mail
Under the ECA, it is not permitted to send unsolicited direct marketing to natural persons by electronic
communication, such as e-mail, without the person’s prior consent (opt-in).
Under the ECA, direct marketing by electronic communication to legal persons is allowed if the recipient has not
specifically refused it. The opportunity to opt-out must be reserved for any legal person in each occurrence of
direct marketing easily and at no separate cost and the party undertaking direct marketing must give clear
notification of the possibility of such refusal. According to the guidance note of the Office of the Data Protection
Ombudsman, although a personal e-mail address based on a company’s domain name (e.g. individual@company)
can be used for direct marketing purposes, the recipient is regarded as an individual and a prior consent is
required, unless the direct marketing has been sent to that person based on his/her job description.
The ECA prohibits the practice of sending e-mail for direct marketing purposes that disguises or conceals the
identity of the sender or lacks a valid address to which the recipient may send a request for termination of
communications. The ECA also requires that each electronic direct marketing message must, upon receipt, be
unmistakably identifiable as a marketing message. This requirement means that the subject field of a direct
marketing e-mail message should contain the word ‘advertisement’ or a similar term.
Exemptions
Under the ECA, there is an exemption from the opt-in rule for natural persons with respect to existing customer
relationships where the seller of a product or the provider of a service has obtained the customer’s electronic
contact details in the context of the sale of a product or a service, in which case the same seller of products or
provider of services may use these contact details for direct marketing of its own products in the same product
group and of other similar products or services. However, the customer must be given the opportunity to refuse,
free of charge and in an easy manner, both when the contact details are first collected and later, on the occasion
of each electronic message to the customer (opt-out). The seller of a product or the provider of the service must
notify the customer clearly of the possibility of such a refusal.
Scope of application
The ECA applies to direct marketing in public networks with respect to both individual and corporate recipients.
France.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
After a long legislative process, France (the last EU Member State to do so) finally implemented the
Directive into national law by Law no. 2004-801 of 6 August 2004 relating to the protection of
individuals with regard to the processing of personal data. This law amends the French Data Protection Act, known as
the “Computer and Liberties” Act of 6 January 1978 (the “DPA”).
Entry into force of the implementing legislation
The DPA, as recently amended, came into force on 6 August 2004.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to the processing of personal data where: (i) the controller is established in France (the controller
is considered as established when its activities are carried out in the context of an establishment regardless of its
legal status); or (ii) the controller is not established in France or in Community territory and, for purposes of
processing personal data, makes use of equipment located in France, unless such equipment is used only for
purposes of transit through France or another Member State.
Material scope of application
The DPA applies to the processing of personal data wholly or partly by automatic means, and to the processing
otherwise than by automatic means of personal data which form part of a filing system or are intended to form part
of a filing system.
The exceptions are: (i) the processing of personal data by a natural person in the course of a purely personal or
household activity; and (ii) operations concerning public security, defence or State security.
Personal scope of application
The DPA only applies to data relating to individuals and not to legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The data controller is defined as the natural or
legal person, public authority, agency or any other body that determines the purposes and means of the processing
of personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Commission Nationale de l’Informatique et des Libertés or “CNIL”
21 rue Saint-Guillaume, 75340 Paris, Cedex 7
France
www.cnil.fr
Notification or registration scheme and timing
The usual regime for the processing of data is that of a prior declaration to the NRA. However, the DPA also
provides for a limited number of cases where express authorisation must be obtained from the NRA.
The cases where an authorisation is needed under the DPA include the following main categories of processing:
(i) the processing of sensitive data, (ii) transfer of data outside the EU to a country without adequate protection,
(iii) automated processing which consists of a selection of people and is aimed at excluding some of them from the
advantages of a right, a benefit or a contract, (iv) automated interconnection files, and (v) biometric identity
checks, for instance for access controls.
In all cases, the data controller has to fill in a declaration form available on the CNIL’s website. This declaration
must either be in an ordinary form or in simplified form requiring minimum information to be provided for the most
typical processing (e.g. payroll, management of employees, customer files). Simplified forms can be submitted
electronically. The notification to the NRA must take place prior to collecting and processing the data, which can
only start from the date the data controller receives a receipt from the CNIL. The NRA has two months within
which to reply, failing which the processing is deemed to have been accepted.
Exemptions
All processing of personal data must be notified except: (i) processing whose sole purpose is the keeping of a
register which, according to laws or regulations, is intended to provide information to the public and which is open
to consultation either by the public in general or by any person demonstrating a legitimate interest; (ii) processing
carried out by an association or any other non-profit-seeking body with a religious, philosophical, political or trade
union aim; and (iii) processing for which the data controller has appointed a personal data protection officer
responsible for ensuring the application of the obligations provided by the law and for keeping a register of
processing, except where a transfer to a non-Member State is contemplated.
Data Quality
Rules on the quality of the data processed
The data shall be: (i) fairly and lawfully collected and processed; (ii) collected for specific, explicit and
legitimate purposes and not further processed in a way incompatible with those purposes;
(iii) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further
processed; and (iv) accurate, complete and, where necessary, kept up to date. Appropriate steps must be taken to
ensure that data that are inaccurate or incomplete in relation to the purposes for which they were collected or
further processed are erased or rectified.
Retention period
The data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the
purposes for which the data were collected or further processed.
Rights of Data Subjects
Right to information
The data subject shall be provided by the controller or his/her representative with the following information: (i) the
identity of the controller and of his/her representative, if any; (ii) the purposes of the processing; (iii) whether
replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply; (iv) the
identity of the recipients or the category of recipients to which the recipients belong; (v) the existence of the right
of access to and the right to rectify his/her personal data; and (vi) in the case of international transfer of data to a
non-EU Member State, information on such transfer.
Right of access/correction/objection and other rights
Access: Data subjects have the right to obtain from the controller: (i) confirmation as to whether or not his/her data
are being processed; (ii) information regarding the purposes of the processing, the categories of data concerned,
and the recipients or categories of recipients to whom the data are disclosed; (iii) in the case of international
transfer of data to a non-EU Member State, information about such transfer; (iv) communication in an intelligible
form of the data and of any available information as to their source; and (v) the logic involved in the processing. A
copy of the data processed is provided to the data subjects. The controller may object to abusive queries from the
data subjects.
Correction: Data subjects also have the right to ask the controller to rectify, complete, update, block or erase their
data where they are incomplete, inaccurate or where the use, transfer or storage of such data is forbidden.
Object to processing: Data subjects have the right to object at any time to the processing of their personal data on
compelling legitimate grounds. Data subjects also have the right to object, free of charge, to the processing of their
personal data for direct marketing purposes by the current or future data controller.
Security
Security requirements in order to protect the data
The data controller or any person acting under its instructions must implement appropriate technical and
organisational measures to safeguard the security of the personal data, in particular, in order to avoid any
distortion, damage or unauthorised disclosure to a third party. The measures implemented shall ensure a level of
security appropriate to the risks arising out of the process and the nature of the personal data.
Specific rules governing processing by a third party (processor) on behalf of the data controller
Wherever a sub-contractor is involved (a processor acting on behalf of the data controller being viewed as a
sub-contractor), the data controller shall ensure that: (i) the sub-contractor presents sufficient guarantees to enable the
implementation of the security and confidentiality measures and complies with the same
security requirements; and (ii) the contract with the sub-contractor contains all necessary provisions in terms of
security of the processing of the data. In addition, the sub-contractor may only act upon the instruction of the
provider, and the data controller remains in all cases jointly liable with respect to the security and confidentiality of
the personal data.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Data can be transferred freely to EEA countries, provided the data controller: (i) informs the data subject; and
(ii) completes a declaration with the CNIL (which delivers a receipt enabling the transfer without delay).
Transfer outside the EEA
The transfer of data outside the EEA is possible only to countries which ensure an adequate level of protection (a
list of which has been established by the European Commission).
The DPA provides exemptions from the prohibition against transferring data to countries that do not guarantee an
adequate level of protection which include, in particular: (i) the use of EC Model Clauses; and (ii) the use of
Corporate Binding Rules.
Furthermore, the DPA provides for a list of other exemptions which do not rely on a contractual basis and include,
among others, the consent of the data subject. However, the NRA considers that the data subject’s consent is almost
never sufficient when the transfer relates to employees’ personal data.
Sensitive data
The processing of data revealing directly or indirectly racial or ethnic origin, political opinions, religious or
philosophical beliefs, sex life data, health data or judicial data is restricted under French law. These data may only
be processed under specific circumstances described in the DPA.
Enforcement
Sanction
The CNIL may issue a wide array of penalties including: (i) a warning; (ii) a formal demand; (iii) the issuing of an
injunction to cease processing; and (iv) financial sanctions of up to EUR 150,000 for the first breach (and up to
EUR 300,000 in the case of a second breach). Criminal sanctions may also be imposed up to a maximum of five
years’ imprisonment and fines from EUR 15,000 to EUR 300,000.
Practice
There were 45 investigations last year, seven warnings by the CNIL (against financial institutions) and two
referrals to the public prosecutor.
In relation to the typical level of penalties imposed, there have been no administrative fines so far; in addition the
level of criminal fines is rather low (i.e. maximum of EUR 5,000 according to a review of the relevant case law).
In relation to the most significant penalty levied to date, the Commercial Court of Paris gave an exemplary
judgment, dated 5 May 2004, against a French spammer. The French company was behind a massive
campaign of unsolicited e-mails and was ordered to pay EUR 10,000 in damages and EUR 12,000 in
prosecution fees. In addition, the judges ruled that the company was not allowed to send any further unsolicited
e-mails using the AOL and Microsoft Hotmail services.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC was implemented on 21 June 2004 by the “Loi pour la
confiance dans l’économie numérique” (Law for trust in the digital economy) (the “Law”). It
amends article L. 33-4-1 of the Posts and Telecommunications Code and is referred to in article L.121-20-5 of
the Consumer Code.
Conditions for sending direct marketing e-mail
Direct marketing e-mail requires “prior consent” of the recipient (opt-in). “Prior consent” is defined by the Law as
a “free, specific and informed manifestation of consent to his/her personal data being used for direct marketing
purposes”. Direct marketing e-mails are defined as “any messages intending to promote, directly or indirectly,
goods, services, or the image of a person that sells goods or services”.
Exemptions
Direct marketing via e-mail is authorised if: (i) the person’s personal data has been obtained directly from him/her
in compliance with the DPA; (ii) the data has been obtained during the course of a sale or a service; (iii) the direct
marketing relates to similar products or services; and (iv) the recipient is expressly and unambiguously given the
possibility to oppose (without any cost to himself except that of transmitting the refusal) the use of his/her
personal data, both when the data are collected and in every marketing e-mail (opt-out).
Scope of application
The Law applies to individual contacts but not to company contacts.
Germany.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The Data Protection Directive 95/46/EC has been implemented into German law under the German Federal Data
Protection Act (Bundesdatenschutzgesetz - the “DPA”).
Entry into force of the implementing legislation
The DPA came into force on 23 May 2001.
Scope of Application of the National Legislation
Territorial scope of application
The DPA is only applicable to data controllers located in Germany and does not apply to data controllers located in
another Member State of the EU or the EEA, except where collection, processing or use of personal data is carried
out by a branch in Germany (the principle of origin). The DPA is also applicable to data controllers not located in a
Member State of the EU or the EEA who collect, process or use personal data in Germany (the principle of
territoriality).
Material scope of application
The DPA is only applicable to the collection, processing and use of personal data by means of data processing
systems and non-automated filing systems, such as manual record cards.
Personal scope of application
The DPA only applies to information concerning personal or material circumstances of an identified or identifiable
individual and does not apply to legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The responsibility for complying with the provisions set out in the DPA is borne by the data controller. The data
controller is defined as any person or body that collects, processes or uses personal data on its own behalf or
commissions others to undertake the same on its behalf.
National Regulatory Authority (“NRA”)
Details of the competent NRA
There are 20 different regional supervisory authorities responsible for monitoring the implementation of data
protection. The names, addresses and websites of these supervisory authorities are available at
www.bundesdatenschutz.de (select “Anschriften und Links” and then “Die Aufsichtsbehörden für den nichtöffentlichen Bereich”).
Notification or registration scheme and timing
In general, automated processing procedures are only required to be registered with the competent supervisory
authority in advance, if: (i) the data controller has not appointed a data protection official (which is usually the
case in Germany), unless a maximum of four employees are involved in the collection of personal data and either
consent has been obtained or the use of the data serves the purposes of the contract; or (ii) the data controller
commercially stores personal data for the purpose of transfer.
Exemptions
See above.
Data Quality
Rules on the quality of the data processed
Personal data must be accurate and kept up to date at all times. The data controller is only allowed to handle
personal data which are absolutely necessary for legitimate purposes.
Retention period
Personal data can only be kept as long as necessary for the purpose of processing.
Rights of Data Subjects
Right to information
The data controller is obliged to inform the data subject if personal data are collected from the data subject or if
personal data are stored for the first time for the data controller’s own purposes without the data subject’s
knowledge. The data subject must be notified, inter alia, regarding the type of data collected or stored, the purpose
of their collection, and the identity of the data controller, unless the data subject has been informed of this via
another source.
Right of access/correction/objection and other rights
The data subject may request to see such information at any time. The data subject may demand the correction of
incorrect data as well as the deletion or blocking of personal data, the storage of which is not, or is no longer,
covered by legitimate purposes.
The data subject has the right to object to personal data being transferred for purposes of advertising, market and
opinion research.
Security
Security requirements in order to protect the data
Public and private bodies processing personal data, either on their own behalf or on behalf of others (processors),
are obliged to ensure that all technical and organisational measures necessary are taken in order to comply with
the provisions set out in the DPA. Pursuant to the Annex to the DPA, measures must be taken with regard to
access control, transmission control, input control and availability control.
Specific rules governing processing by a third party (processor) on behalf of data controller
In the event that a third party (processor) is handling personal data on behalf of a data controller, the processor
and the data controller need to conclude a written agreement about the commissioned processing of data and
specify, inter alia, the details of the handling of the personal data. Where processors are commissioned to handle
data, the responsibility for compliance with the provisions of the DPA is borne by the data controller. Therefore, the
controller must ensure that the data are processed strictly in accordance with its instructions (job control).
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
If the general provisions for the transfer of personal data set out in the DPA have been complied with, the transfer
of personal data to Member States of the EU or the EEA and to countries that guarantee an adequate level of data
protection is permissible without any other additional requirements.
Transfer outside the EEA
If the general provisions for the transfer of personal data set out in the DPA have been complied with, transfer of
personal data to the USA is permissible if the data importer has signed up to the Safe Harbor and transfer to all
other countries is permissible if: (i) the EC Model Clauses are complied with; (ii) the data subject has given his/her
consent; or (iii) the transfer is necessary for the fulfilment of a contract with the data subject.
Sensitive Data
The rules applicable to the processing of sensitive data (data in relation to race, ethnicity, political opinions,
religious or philosophical convictions, trade union membership, health and sexual life) are more restrictive. In most
cases, it is only possible to legally transfer such data after obtaining the data subject’s consent.
Enforcement
Sanctions
Should a data controller infringe the data subject’s rights under the DPA, the data subject is entitled to injunctive
relief and compensation for damages. In addition, the competent governmental authority can impose
administrative fines and penalties in case of a violation of the DPA.
Practice
With respect to any information about investigations and prosecutions in Germany, two things should be noted:
1. Reliable information is very hard to obtain. This is because Germany does not have one single data
protection authority, but one federal authority and at least one authority in each of the 16 German states (in
some states, several authorities are responsible for data protection and investigations). In addition, the reports
published by the various data protection authorities do not contain details of the penalties imposed or the facts of
the relevant cases.
2. In Germany there is a distinction between criminal offences (Straftaten) and administrative offences punishable
by fines (Ordnungswidrigkeiten). Both types of investigation are applicable in relation to data protection infringements.
Based on these facts, the information relating to enforcement in practice is as follows: (i) there were 274
investigations relating to criminal offences under the German federal and state data protection laws in 2004. With
respect to investigations relating to administrative fines, the figures vary between the German states from zero
(Mecklenburg-Vorpommern) to 30 (Bavaria); (ii) with respect to actual prosecutions in 2004, the figures are
unclear. Of the 274 investigations in 2004, there were 203 decisions, including convictions but also
acquittals. With respect to administrative fines, the number of prosecutions is also unknown but should likewise be
lower than the figures for investigations; (iii) information with respect to the typical level of penalties is also
vague. With respect to criminal convictions, actual figures could not be obtained. With respect to administrative
fines, the amounts imposed range from less than EUR 100 to a maximum of EUR 10,000 (compared to the statutory
range of up to EUR 250,000). There are rumours that there have been considerably higher fines recently; however,
confirmation of this could not be obtained; and (iv) accordingly, based on the rather vague information available,
the most significant penalties are approximately EUR 5,000. The cases mostly relate to the reluctance of companies to
co-operate with data protection authorities. In another case involving a high penalty, a medical doctor disposed of
patient data without any precautions.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Directive 2002/58/EC has in the meantime been implemented into German law. Article 13 of Directive
2002/58/EC has been implemented both in the German Act Against Unfair Competition (Gesetz gegen den
unlauteren Wettbewerb - the “UCA”) dated 3 July 2004 and the revised German Telecommunications Act
(Telekommunikationsgesetz - the “TA”) dated 22 June 2004.
Conditions for sending direct marketing e-mail
According to the UCA and the TA, direct marketing via e-mail in principle requires the prior explicit consent of the
recipient (opt-in).
Exemptions
However, it is possible for a company to send e-mails to a subscriber for its own direct marketing purposes if the
company has obtained the “electronic address” during the course of a sale or negotiation and the marketing relates
to similar products or services, unless the recipient has prohibited the use of his/her address. In these cases it is
sufficient if the subscriber is given an opt-out opportunity and is informed in an appropriate manner that his/her
right to object can be exercised at any time.
Scope of application
In relation to e-mail marketing, German law does not distinguish between individual and corporate subscribers.
Greece.
Contributed by J Karageorgiou & Associates
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC (the “Directive”) has been implemented by the Data Protection Act (Law 2472/1997) (the
“DPA”).
Entry into force of the implementing legislation
The DPA came into force on 10 November 1997.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to any processing of personal data, provided: (i) it is carried out by a controller or processor
established in Greek territory or in a place where Greek Law applies by virtue of International Law; (ii) the
processing relates to persons established in Greek territory; or (iii) it is carried out by a controller established in the
territory of a non-EU country who makes use of equipment, automated or otherwise, situated in Greek territory, for
purposes of processing personal data (except for mere transit purposes).
Material scope of application
The DPA regulates the fully and partially automated processing of personal data and the non-automated processing
of personal data included in a filing system.
Personal scope of application
The DPA only applies to data relating to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The data controller is defined as a person who
determines the purposes for which and the manner in which any personal data are, or are to be, processed. The
data controller can be a natural or legal person, public authority, agency or any other organisation.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Data Protection Authority
1-3 Kifisias Avenue
Ampelokipi, 115 23 Athens
Greece
www.dpa.gr
Notification or registration scheme and timing
The data controller must notify the Data Protection Authority in writing of the establishment of a filing system and
the commencement of a data processing activity. No approval by the Data Protection Authority is required. The
notification must take place before the commencement of any data processing activities. The processing of
sensitive personal data requires a special licence issued by the Data Protection Authority.
Exemptions
The data controller is exempt from the obligation of notification to the Data Protection Authority, and the obligation
to receive permits in the following cases: (i) when processing is carried out exclusively for purposes relating directly
to an employment or project relationship or to the provision of services to the public sector and is necessary for the
fulfilment of an obligation imposed by law or for the accomplishment of obligations arising from the
aforementioned relationships, and upon prior notification of the data subject; (ii) when processing relates to
clients’ or suppliers’ personal data, provided that such data are neither transferred nor disclosed to third parties.
⏐Data protection legislation in the European Union⏐November 2005⏐43
Insurance companies, pharmaceutical companies, companies whose main activities involve trading of data, credit
and financial institutions (banks etc.) are not exempt from the obligation of notification; (iii) when processing is
carried out by societies, enterprises, associations and political parties and relates to personal data of their
members or companies, provided that the latter have given their consent; (iv) when processing is carried out by
doctors or other persons, rendering medical services and relates to medical data, provided that the controller is
bound by medical confidentiality or other obligations of professional secrecy, legal entities or organisations
rendering healthcare services, insurance funds and insurance companies, as well as controllers processing personal
data within the framework of programmes of telemedicine or provision of healthcare services via the Internet; and
(v) when processing is carried out by lawyers, notaries, unpaid land registrars and court officers and relates to the
provision of legal services to their clients.
Data Quality
Rules on the quality of the data processed
Personal data must be: (i) adequate, relevant and not excessive in relation to the purpose for which they are held;
and (ii) accurate and up to date.
Retention period
Personal data must be kept for no longer than is considered necessary by the Data Protection Authority. On expiry
of that period, the Data Protection Authority may allow further storage for historical, scientific or statistical
purposes, as long as it considers that there is no violation of the rights of the data subject or any third party.
Rights of Data Subjects
Right to information
The data controller is obliged, during the collection of personal data, to inform data subjects of the following:
(i) the identity of the data controller and/or any representative; (ii) the purpose of the data processing; (iii) the
intended recipients of data; and (iv) the existence of the data subject’s right of access.
Right of access/correction/objection and other rights
Access: Data subjects may obtain copies of their personal data on written request to data controllers.
Correction: Data subjects may require to have their data rectified.
Objection to processing: A data subject may require in writing that the data controller cease processing. The right
to object includes provisional non-utilisation, locking, non-transmission or deletion.
Other: A data subject can seek provisional judicial protection from the competent court, such as immediate
suspension or non-application of an act or decision affecting the data subject, issued by an administrative
authority or public law entity or association or natural person solely on automated processing of data, intended to
evaluate the subject’s personality, effectiveness at work, creditworthiness, reliability or general conduct.
Security
Security requirements in order to protect the data
Data controllers must take appropriate organisational and technical security measures to protect against accidental
or unlawful destruction, loss, alteration, illegal disclosure, access or any other form of unlawful processing of
personal data.
Specific rules governing processing by a third party (processor) on behalf of data controller
The processor must fulfil certain professional qualifications and provide sufficient guarantees in respect of
technical expertise and personal integrity to ensure confidentiality. If the processor is not dependent upon the data
controller (i.e. is not an employee of the controller), there must necessarily be a written contract.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Transfer outside the EEA
The DPA prohibits transfers outside the EEA unless the destination ensures adequate protection for the data.
Transfer to non-EEA countries is also permitted following special permission granted by the Data Protection
Authority and if one of a number of conditions is satisfied (e.g. with the consent of the data subject).
Sensitive Data
Sensitive personal data is defined by the DPA as information referring to racial or ethnic origin, political ideas,
religious or philosophical beliefs, participation in unions, syndicates or other social groups, health, social welfare
and sex life, as well as criminal sanctions or convictions. The processing of sensitive personal data is permitted by
data controllers who have obtained a licence from the Data Protection Authority and when, in addition, one or more
of the following conditions are met: (i) the written consent of the data subject has been obtained; (ii) the
processing is necessary to protect the vital interests of data subjects, if they are physically or legally unable to give
their consent; (iii) the processing is for defence of the data subject’s right in a court of justice; (iv) the processing
is for purposes of preventive medicine, medical diagnosis, provision of care or management of healthcare services
and is carried out by a health professional subject to the obligation of professional secrecy or relevant codes of
conduct; (v) the processing is for purposes of national security, criminal or correctional policy or public health and
is carried out by a public authority; (vi) the processing is for research or scientific purposes provided that
anonymity is maintained and all necessary measures for the protection of the persons involved are taken; and
(vii) the processing is for journalistic purposes and concerns data pertaining to public figures, provided that such
data are in connection with the holding of public office or the management of third parties’ interests.
Enforcement
Sanctions
Administrative (i.e. imposition of fines, temporary or definitive revocation of licences, destruction of files), civil
(i.e. compensation) and criminal (i.e. imprisonment and imposition of fines).
Practice
During 2004, the Greek DPA performed 26 investigations: 17 investigations were conducted ex officio and nine
following a complaint of a natural person or legal entity (extraordinary investigations):
(a) “Ex officio investigations” were conducted with regard to the following items:
Eight investigations regarding health and sensitive personal data;
Four investigations regarding closed circuit TV;
Two investigations about Olympic Games security; and
Three investigations about airlines and transfer of passenger name records to the USA.
(b) “Extraordinary investigations” were conducted with regard to:
Reality games;
Video surveillance;
Health and sensitive personal data;
Closed circuit TV; and
The right to access personal data.
The number of prosecutions in 2004 was about 20. More specifically, the Greek DPA imposed on Controllers:
12 penalties;
Four recommendations;
Two warnings; and
Two decisions to destroy files containing data collected and processed.
The Greek DPA usually imposes fines of between EUR 5,000 and EUR 20,000.
In relation to the most significant penalty levied to date, the Greek Authority imposed a fine amounting to EUR
50,000 on an insurance company for the collection of sensitive personal data regarding the health of a patient
claiming compensation from the insurance company, without his prior consent. The Greek authority decided that the
sensitive personal data that had actually been collected were irrelevant to the purpose of the data collection and
processing and that the collection violated the personality rights and the right to privacy of the claimant.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has not yet been implemented in Greek legislation. A draft law has been
prepared by the Greek Ministry of Justice, replacing the existing Law 2774/99, solely regarding data protection in
the telecommunication sector, and it is expected to be submitted to the Greek Parliament for enactment within the
next few months. The draft law is currently not available. Until the new legislation comes into force, article 9 of
Law 2774/99 is still enforceable and designates that “unsolicited communications may only be allowed in respect
of subscribers who have given their prior consent” (the “Opt-in Principle”). Furthermore, in paragraph 2 of the
same article, it is provided that unsolicited communications are prohibited in case natural or legal persons have
been registered to “Opt-out Registers”, declaring in that way that they do not wish to receive any commercial
communication. This provision is in compliance with article 6 of Presidential Decree No. 131/2003 (which
implemented Directive 2000/31/EC on Electronic Commerce), regarding the obligation of service providers
undertaking unsolicited commercial communications by e-mail to consult on a regular basis, and respect, Opt-out
Registers, in which natural or legal persons who do not wish to receive such commercial communications are
registered.
Hungary.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46 has been implemented by Act No. LXIII of 1992 on the protection of personal data and the
disclosure of public information (the “DPA”).
Entry into force of the implementing legislation
The DPA entered into force originally on 1 May 1993; its latest amendment entered into force on 1 July 2005.
Scope of application of the National Legislation
Territorial scope of application
The DPA applies to all data processing operations performed in the Republic of Hungary.
Material scope of application
The DPA applies to both manual and electronic files.
Personal scope of application
The DPA applies only to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. A data controller is the natural or legal person or
unincorporated organisation that determines the purpose of the processing of personal data, makes decisions
regarding data management (including the means) and implements such decisions itself or engages a processor to
implement them.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Parliamentary Commissioner for Data Protection and Freedom of Information (the “Commissioner”).
Nádor u. 22
H-1051 Budapest
Hungary
http://abiweb.obh.hu/abi/
Notification or registration scheme and timing
Any data processing must be notified in the Data Protection Register (the “Register”) kept by the Commissioner. It
consists of simply filing information. The notification must take place prior to the commencement of the data
processing activity. It should be noted that the wording of the DPA only requires the notification of data
controlling, however, the Commissioner requires the notification of data processing activities as well.
Exemptions
Data controllers do not have to notify to the Register the following types of data processing operations: (i) when it
concerns the data of the data controller’s employees, members, students or customers; (ii) when carried out in
accordance with the internal rules of the church or other religious organisation; (iii) if it concerns the personal data
of a person undergoing medical treatment, for the purposes of health care and preventive measures or for settling
claims for benefits and services in the social insurance system; (iv) where it contains information concerning the
provision of social and other benefits to the data subject; (v) where it contains the personal data of persons
implicated in an official regulatory, public prosecutor or court proceeding to the extent required for such
proceeding; (vi) if it contains personal data for official statistical purposes, provided there are adequate guarantees
that the data are rendered anonymous in such a way that the data subject is no longer identifiable; (vii) where it
contains data of organisations and bodies falling under the scope of the Media Act, if they are used solely for their
own information; (viii) if it serves the purposes of scientific research, and if the data are not made available to the
public; (ix) if the data are transferred to a public archive; and (x) if the processing serves the personal purposes of
a natural person.
Data Quality
Rules on the quality of the data processed
As a general rule, personal data may only be processed if: (i) the data subject has given his/her consent; or
(ii) decreed by law or by a local authority based on authorisation conferred by law concerning specific data defined
therein.
Personal data collected for processing must be: (i) processed fairly and lawfully; (ii) accurate, complete and, where
necessary, kept up to date; and (iii) kept in a form that permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected.
The use of personal identification codes or any other identifier of general application shall not be permitted.
Retention period
There is no specific retention period in the DPA except that the data may not be kept for longer than necessary for
the purposes of processing.
Rights of Data Subjects
Right to information
Prior to the collection of data, the data subject must be informed whether disclosure is voluntary or compulsory
and, in the latter case, on which basis. The data subject must also be clearly informed of all aspects concerning
the processing of his/her personal data, such as the purpose for which the data is processed and the legal grounds,
the person entitled to carry out the processing, the duration of the proposed processing operation and the persons
to whom data may be disclosed. Information shall also be provided on the data subject’s rights and remedies. If
the provision of the above information to each individual data subject is impossible or is likely to result in
unreasonable expense, notification of data processing - in particular for statistical or scientific purposes (including
historical research) - may occur by way of publishing the fact of the data collection, the scope of the data subjects
involved, the purpose and duration of the proposed processing operation and the availability of data. In addition,
the register of processing operations may be inspected by any person. An extract of the data contained therein may
be requested upon payment of a fee.
Right of access/correction/objection and other rights
Access: Upon the data subject’s request, the data controller must provide information concerning: (i) the data
relating to the data subject, including those processed by a data processor on its behalf, the purpose, grounds and
duration of processing, the name and corporate address of the data processor; and (ii) its activities relating to data
management, the recipients of its data and the purpose for which they are or have been transferred. Any data
subject may also request confirmation as to whether or not data relating to him/her are being processed.
Correction: Any data subject may request the rectification or erasure of his/her personal data, with the exception of
those processed by order of legal regulation. Data controllers must correct the data if they are false. Personal data
must be erased if: (i) processed unlawfully; (ii) so requested by the data subject; (iii) it is deficient or inaccurate
and it cannot be legitimately corrected, provided that deletion is not disallowed by statutory provision; (iv) the
purpose of processing no longer exists or the legal time limit for storage has expired; or (v) so instructed by court
order or by the Commissioner.
Objection to processing: The data subject has the right to object to the processing of data relating to the data subject:
(i) if processing is carried out solely for the purpose of enforcing the rights and legitimate interests of the controller
or the recipient, unless processing is prescribed by law; (ii) if personal data are used or transferred for the purposes
of direct marketing, public opinion polling or scientific research; and (iii) if the right to object is ensured by law.
Security
Security requirements in order to protect the data
Data controllers, and within their sphere of competence, data processors must implement adequate safeguards and
appropriate technical and organisational measures to protect personal data, as well as adequate procedural rules to
enforce the provisions of the DPA and other regulations concerning confidentiality and security of data processing.
Data must be protected against unauthorised access, alteration, transfer, disclosure by transmission or deletion as
well as damage and accidental destruction. For the technical protection of personal data, the controller, the
processor or the operator of the telecommunications or information technology equipment shall implement security
measures in particular if the processing involves the transmission of data over a network or any other means of
information technology.
Specific rules governing processing by a third party (processor) on behalf of data controller
The controller and the processor must enter into a written contract for the processing of personal data. Any
company interested in the business activity for which the personal data is to be processed may not be contracted
for the processing of such data.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Transmission of data to EU Member States is treated in the same way as transmission within the territory of the
Republic of Hungary.
Transfer outside the EEA
Personal data (including sensitive data) may be transferred - irrespective of the medium and the manner in which
it is transferred - to a third-country controller or processor if the data subject has given his/her consent, if the
transfer is permitted by law or if it is prescribed by treaty or international convention, provided (in all cases) that
the laws of the third country in question afford an adequate level of protection within the meaning of EU standards
with respect to the processing of the data transferred.
Sensitive Data
Sensitive data (i.e. personal data revealing racial, national or ethnic origin, political opinions and any affiliation
with political parties, religious or philosophical beliefs, trade union membership, personal data concerning health,
addictions, sex life, or criminal record) may only be processed: (i) if the data subject has given his/her explicit
consent in writing; (ii) if prescribed by treaty, or if ordered by law in connection with the enforcement of some
constitutional right or for national security or law enforcement purposes; or (iii) if ordered by law in other cases.
Enforcement
Sanctions
Criminal sanctions include imprisonment of up to one year (three years in the case of sensitive data), public
service or a fine in the amount of HUF 3,000 to HUF 10,800,000 (i.e. approximately EUR 12 to EUR 43,200).
If the data controller or processor fails to comply with the Commissioner’s request to cease the unlawful data
processing, the Commissioner may order that unlawfully processed data be blocked, deleted or destroyed, or the
Commissioner may prohibit the unauthorised data management and/or processing operations and suspend any
operation aimed at transferring data abroad. The Commissioner may also announce these unlawful data processing
operations to the public.
Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
breaching the technical requirements of data protection. Data subjects may file for court action against the
controller for any violation of their rights. No compensation shall be paid where the damage was caused by
intentional or negligent conduct on the part of the data subject. The court may order publication of its decision.
Practice
Based on the report prepared by the Data Protection Commissioner for the Hungarian Parliament, there were 712
complaints, 386 consultation papers requested, 33 ex officio investigations, 13 other matters in relation to data
protection and 169 matters in relation to freedom of information which were handled by the Commissioner's Office
in 2004. In terms of the number of prosecutions last year, seven matters in relation to freedom of information and
33 matters in relation to the protection of personal data were initiated by the Commissioner ex officio, i.e. by way
of prosecution. In relation to penalties, the Commissioner is not entitled to order penalties as a sanction for the
violation of the Hungarian DPA.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by Act No. C of 2003 on electronic communications
(the “Communications Act”) and Act No. CVIII of 2001 (as amended by Act No. XCVII of 2003) on certain aspects of
electronic commerce services and information society services (the “ECA”). The ECA entered into force on 23
January 2002, and its latest amendment entered into force on 10 July 2004. The Communications Act entered
into force on 1 January 2004, and its latest amendment entered into force on 10 July 2005.
Conditions for sending direct marketing e-mail
According to the ECA, advertising by e-mail is authorised on the basis of an opt-in regime. On the other hand, the
Communications Act implementing Article 13 of Directive 2002/58/EC requires that direct marketing messages
through the telephone or through other electronic communication tools cannot be forwarded to subscribers who
have opted out from the receipt of such messages. Messages from automatic calling machines are authorised on
the basis of the prior consent of the subscriber. Please note that, contrary to Article 13(1) of Directive
2002/58/EC, no written consent is required under the opt-in regime for automatic calling machines as set out by
the Communications Act.
Exemptions
No exemption is available under the above regimes.
Scope of application
The regime is equally applicable to individual contacts and to corporate contacts.
Iceland.
Contributed by LOGOS - Legal Services
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Act 77/2000 on the Protection and Processing of Personal Data
(the “DPA”).
Entry into force of the implementing legislation
The DPA itself entered into force on 1 January 2001, but the amending Acts 90/2001 and 81/2002, which
implemented the Directive, entered into force on 15 June 2001 and 17 May 2002, respectively.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies: (i) to the processing of personal data on behalf of a controller established in Iceland, if the
processing is carried out in the EEA, an EFTA country or a country or a place that the Data Protection Authority
lists in a notice in the Law and Ministerial Gazette; (ii) to the processing of personal data despite the controller
being established in a country outside the EEA or EFTA if it makes use of equipment and facilities situated in
Iceland; and (iii) to the processing of financial and credit standing data concerning legal persons even if the
controller is not established in Iceland, if it makes use of equipment and facilities situated in Iceland. Points
(ii) and (iii) do not apply if the equipment in question is only used to transmit personal data through the territory of
Iceland.
Material scope of application
The DPA applies to both manual files and electronic files.
Personal scope of application
The DPA only applies to data relating to individuals, but refers to Regulation 246/2001 on the Collection and
Processing of Financial and Credit Standing Data, which deals with individuals, companies and other legal persons.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is defined as the party that determines the purposes of the processing of personal data, the
equipment that is used, the method of processing and other usage of the data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Data Protection Authority
Rauðarárstíg 10
105 Reykjavík
Iceland
www.personuvernd.is
Notification or registration scheme and timing
Any processing of personal data must be notified to the Data Protection Authority. The Data Protection Authority
can decide that the processing of certain general or sensitive personal data likely to represent specific risks to the
rights and freedoms of data subjects may not begin until it has been examined and approved by the issuing of a
special permit. Notification must take place in a timely manner.
Exemptions
The obligation to notify does not apply if the processing extends only to data that have been and are accessible to
the public.
The Data Protection Authority has issued instructions according to which the following categories of data
processing are exempted from the obligation to notify: (i) data processing carried out in the regular or standard
course of activities, relating solely to those who have a connection to the activities or the relevant field of work, e.g.
business associates, employees, members; (ii) data processing necessary to fulfil legal obligations of the controller;
(iii) data processing necessary to fulfil a contract to which the data subject is a party, or an agreement between
labour market organisations; (iv) data processing extending only to data that have been and are accessible to the
public, provided that they are not aligned or combined with other personal data which have not been made
accessible to the public; (v) data processing resulting from electronic surveillance, conducted for the purposes of
security and property protection only, provided that legal obligations regarding notification have been fulfilled; and
(vi) wholly manual data processing.
These exemptions do not apply to the following categories of electronic processing of personal data: (i) data
processing regarding conduct and individual evaluation, e.g. grades and the performance of employees; (ii) data
processing for the purposes of aligning individuals to personal profiles; and (iii) data processing incorporating the
transfer of unencrypted personal data abroad.
Data Quality
Rules on the quality of the data processed
The data must be processed in a fair, apposite and lawful manner and their use must be in accordance with good
practices of personal data processing. The data must have been obtained for specified, explicit, apposite purposes
and not processed further for other incompatible purposes. The data must be adequate, relevant and not excessive
in relation to the purposes of the processing; they must be accurate and kept up to date when necessary. The data
can only be kept as long as is necessary for the purposes of the processing. The data should be preserved in a form
which does not permit identification of data subjects for longer than is necessary for the purposes of the
processing.
Retention period
When there is no longer an apposite reason to preserve personal data, the controller must erase them.
Rights of Data Subjects
Right to information
The data subject has a right to be informed by the controller of (i) the data that are processed about him/her;
(ii) the purpose of the processing; (iii) the recipients of the data; (iv) the source of the data; (v) his/her right to
access/correct/delete the data; and (vi) the security measures in place, provided it does not diminish the security of
the processing.
This right to information of the data subject does, however, not apply if: (i) the data are used solely for statistical
processing or scientific research, provided that their processing cannot have direct influence on a data subject’s
interests; (ii) the rights of the data subject, under that clause, are deemed secondary, in part or wholly, to the
interests of others or of his own. In such cases, the considerations to be taken into account include the data
subject’s health and the interests of his family members. However, the information may be disclosed to a
representative of the data subject, there being no special arguments to the contrary; or (iii) the data is exempted
from access under the Access to Information Act or the Administrative Procedures Act.
The controller shall give general information, on any personal data processing conducted on his behalf, to any
person that requests such information. Any person who so requests shall be supplied with information on: (i) the
name and address of the controller and, where relevant, his representative; (ii) who bears the day-to-day
responsibility of fulfilling the controller’s duties under the DPA; (iii) the purpose of the processing; (iv) the
categories of personal data being processed; (v) where the data was obtained; and (vi) the recipients of the data,
including whether the data are intended to be exported and, if so, to whom.
When a controller obtains personal data from the data subject, the controller must provide the data subject with
the information listed in the DPA.
When a controller collects personal data from someone other than the data subject, the controller shall, with few
exceptions, concurrently inform the data subject about the collection and other specific items listed in the DPA.
Right of access/correction/objection and other rights
If incorrect, misleading or incomplete personal data have been registered, or if personal data have been registered
without proper authorisation, the data subject can request the data to be rectified, erased or deleted. The data
subject also has the right to object to the processing. In addition, the data subject has the right to be informed
regarding electronic surveillance. The data subject can also ask about the reasons for individual decisions that are
based on automated data processing. When personal profiles are used for specific purposes, the Data Protection
Authority can decide that the controller shall notify the data subject and give him certain information.
Security
Security requirements in order to protect the data
The controller must implement appropriate technical and organisational measures to protect personal data against
unlawful destruction, accidental loss or alteration and unauthorised access. Having regard to the state of the art
and the cost of their implementation, such measures must ensure a level of security appropriate to the risks
represented by the processing and the nature of the data to be protected. The controller is responsible for having
risk analysis procedures and security measures in place, in conformity with laws, rules and instructions given by
the Data Protection Authority.
Specific rules governing processing by a third party (processor) on behalf of data controller
A controller is permitted to entrust processing to a processor. The controller and its processor must enter into a
written contract that will stipulate that the processor must act only on instructions from the controller and that the
obligations set out in the DPA shall also be incumbent on the processing carried out by the processor. Anyone who
acts on behalf of the controller or the processor, including the processor itself, may only process personal data
according to the instructions of the controller.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The transfer of personal data to another country is permitted if the laws of that country provide an adequate level
of personal data protection. A country which complies with Directive 95/46/EC is considered to fulfil this
requirement.
Transfer outside the EEA
The transfer of personal data is permitted to the countries which the Data Protection Authority lists in a notice in
the Law and Ministerial Gazette, having considered the decisions of the Commission of the EU. The transfer of
personal data to a country that does not provide an adequate level of personal data protection is prohibited, unless
specific exceptions apply, e.g. if the data subject has consented to the transfer or if the transfer is necessary to
establish or fulfil a contract between the data subject and the controller or is in his/her interests. The Data
Protection Authority can also authorise a transfer of data in certain cases.
Sensitive Data
Specific protection is provided for the processing of sensitive personal data. They can only be processed under
strict conditions. Processing is permitted when at least one of the conditions (i) to (vi) below has been met and
also one of the conditions marked (a) to (j) below is fulfilled.
(i) the data subject has unambiguously agreed to the processing or given his consent; (ii) the processing is
necessary to honour a contract, to which the data subject is a party, or to take measures at the request of the data
subject before a contract is established; (iii) the processing is necessary to fulfil a legal obligation of the controller;
(iv) the processing is necessary to protect vital interests of the data subject; (v) the processing is necessary for a
task that is carried out in the public interest; or (vi) the processing is necessary in the exercise of official authority
vested in the controller or in a third party to whom data are transferred.
(a) The data subject gives his consent to the processing; (b) the processing is specifically authorised in another Act
of law; (c) the controller is required, by contracts between the Social Partners, to carry out the processing; (d) the
processing is necessary to protect vital interests of the data subject or of another party who is incapable of giving
his consent in accordance with (a); (e) the processing is carried out by an organisation with a trade union aim or by
other non-profit organisations, such as cultural, humanitarian, social or ideological organisations, on condition that
the processing is carried out in the course of the organisation’s legitimate activities and relates solely to the
members of the body or to individuals who according to the organisation’s goals are, or have been, in regular
contact with it; it is, however, prohibited to disclose such personal data to a third party without the data subject’s
consent; (f) the processing extends only to information that the data subject himself has made public; (g) the
processing is necessary for a claim to be established, exercised or defended because of litigation or other such
legal needs; (h) the processing is necessary because of a medical treatment or because of the routine management
of health care services, provided that it is carried out by an employee of the health care services who is subject to
an obligation of secrecy; or (j) the processing is necessary for the purposes of statistical or scientific research,
provided that the privacy of individuals is protected by means of specific and adequate safeguards.
Material, such as audio and visual material, that is produced by means of electronic surveillance and includes
sensitive personal data, may be collected even though the above requirements are not fulfilled, if the following
conditions are met: (i) the surveillance is necessary and is conducted for the purposes of security and property
protection; (ii) the material produced by the surveillance may not be handed over to anyone else or processed
further except with the consent of the subject of the recording, or in accordance with a decision by the Data
Protection Authority; however, material that contains data on accidents or a punishable legal offence may be
turned over to the police; and (iii) the material, that is collected in conjunction with the surveillance, shall be
deleted when there is no longer an apposite reason to preserve it, unless a special permit is issued by the Data
Protection Authority.
The Data Protection Authority can permit the processing of sensitive personal data in instances other than those
above if it considers it to be of urgent public interest.
Enforcement
Sanctions
The sanctions for breaching the DPA are both civil and criminal. The Data Protection Authority can order the
cessation of processing of personal data, prohibit further use of data or instruct the controller to implement
measures that ensure the legitimacy of the processing. The Data Protection Authority can assign to the Chief of
Police the task of temporarily halting the operations of the party in question and sealing its place of operation
without delay. If the Data Protection Authority’s instructions are not observed, the Data Protection Authority can
decide to impose daily fines on the person receiving the instructions, until it concludes that the necessary
improvements have been made. Fines can amount to ISK 100,000 per day. Infringements are also punishable by
means of fines or a prison term of up to three years, unless more severe sanctions are provided for in other legal
instruments. If a controller or a processor has processed personal data in violation of the DPA, rules or instructions
from the Data Protection Authority, the controller must compensate the data subject for the financial damage
suffered by him/her as a result.
Practice
According to the Data Protection Authority, no police investigations took place last year, nor in the years before
that.
Last year the Data Protection Authority had 365 cases for inspection (administrative level), of which 28 were
started of its own initiative, 233 were enquiries resulting in the issuing of opinions and there were 104 complaints
regarding which the authority handed down its decision. In relation to the number of prosecutions last year, the
Data Protection Authority does not refer cases to the police/prosecutor, as it is up to the person who thinks there
has been an infringement of his privacy rights to make a complaint to the police. There are no statistics available
on the number of complaints to the police.
To date no one has been prosecuted for an infringement of the DPA. Since no prosecution has taken place and
only the courts can impose penalties for infringements of the DPA, to date no penalties have been imposed.
The Data Protection Authority can, according to some provisions in the DPA, impose daily fines upon the receiver
of instructions from the Data Protection Authority if he fails to observe them. This power has never been used.
Sector specific: E-communications I Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
The Directive has been implemented by the Post and Telecommunication Act No. 81/2003 (the “PTA”), which
entered into force on 25 July 2003.
Conditions for sending direct marketing e-mail
There is a general opt-in rule concerning direct marketing by e-mail and other electronic devices. There is,
however, a wide exemption to such rule which allows direct marketing by e-mail for the sender’s own products or
services, provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an
easy manner, to such use of electronic contact details when they are collected and on the occasion of each
message if the customer has not initially refused such use. The name and address of the sender on whose behalf
the communication is made must be clearly indicated in the e-mail.
Exemptions
There are no exemptions to these rules in the PTA.
Scope of application
These rules apply to both individual contacts and corporate contacts.
Ireland.
Contributed by Mason Hayes & Curran, Solicitors
General I Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act, 1988 (the “1988 Act”) as modified by the
Data Protection (Amendment) Act, 2003 of 10 April 2003 (the “2003 Act”) (collectively, the “DPA”).
Entry into force of the implementing legislation
Most of the implementing provisions came into force on 1 July 2003. Some provisions of the 2003 Act are not yet
in force. In addition, in relation to manual data existing prior to 1 July 2003, some provisions of the 2003 Act do
not come into operation until 24 October 2007 (see “Material scope of application” below).
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to data controllers in respect of the processing of personal data where: (i) the data controller is
established in Ireland and the data are processed in the context of that establishment; or (ii) the data controller is
established neither in Ireland nor any other state that is a contracting party to the EEA but makes use of
equipment in Ireland for processing data otherwise than for the purpose of transit through the territory of Ireland.
Material scope of application
The DPA applies to electronic files and generally to manual files. However, there is a transitional period until 24
October 2007 in relation to manual data which already existed prior to 1 July 2003 whereby certain provisions of
the DPA shall not apply until 24 October 2007. The provisions involved relate to: (i) the basic data protection
principles, for example fair obtaining and purpose specification; (ii) additional conditions for legitimate processing
of personal data; and (iii) further conditions for the processing of sensitive data.
Personal scope of application
The DPA only applies to personal data, defined as “data relating to a living individual who is or can be identified
either from the data or from the data in conjunction with other information that is in, or is likely to come into, the
possession of the data controller”. Thus, the DPA may apply to data relating to living individuals but not to data
relating to legal entities or data relating to deceased persons.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller, whether it is a legal entity or an individual, is responsible for complying with the DPA. A data
controller is defined as a person who, either alone or with others, controls the contents and use of personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Office of the Data Protection Commissioner
Block 6
Irish Life Centre
Lower Abbey Street
Dublin 1
Ireland
www.dataprivacy.ie
Notification or registration scheme and timing
Certain data controllers and/or data processors (see “Exemptions” below) must register with the Data Protection
Commissioner before commencing processing personal data in Ireland. Data controllers and/or data processors are
obliged to renew their registration annually and the Commissioner’s office will contact them six weeks prior to this
date. The Data Protection Commissioner may refuse an application for registration in certain conditions. There is a
right of appeal to the Circuit Court against a refusal.
Exemptions
Rather than providing exemptions in respect of certain categories that need not register, the 1988 Act stipulates
that the following persons must register with the Data Protection Commissioner: (a) data controllers, being public
authorities and other bodies and persons referred to in the Third Schedule to the 1988 Act; (b) data controllers,
being financial institutions, persons holding authorisations under the EC (Non-Life) Insurance Regulations, 1976,
or the EC (Life Assurance) Regulations, 1984, or persons whose business consists wholly or mainly in direct
marketing, providing credit references or collecting debts; (c) any other data controllers who keep personal data
relating to: (i) racial origin; (ii) political opinions or religious or other beliefs; (iii) physical or mental health (other
than any such data reasonably kept by them in relation to the physical or mental health of their employees in the
ordinary course of personnel administration and not used or disclosed for any other purpose); (iv) sexual life; or
(v) criminal convictions; (d) most data processors; and (e) internet access providers and telecommunications
service providers.
Although not yet in force, a provision of the 2003 Act provides that all data controllers and data processors will be
required to register with the Data Protection Commissioner, subject to a limited number of exceptions.
Data Quality
Rules on the quality of the data processed
Personal data must be accurate and complete and, where necessary, kept up to date. Moreover, the personal data
must be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or
further processed.
Retention period
Personal data may not be kept longer than necessary for the purpose for which such personal data were originally
collected or for which they are legitimately further processed. Where personal data are kept for the purposes of
direct marketing, Section 2(7) of the DPA provides that where the relevant data subject requests in writing that the
data controller in question cease processing the data for that purpose, the data controller generally has 40
days to comply with such a request.
Rights of Data Subjects
Right to information
Where personal data are obtained directly from the data subject, the data controller must ensure, as far as
practicable, that the data subject has, is provided with, or has readily available to him/her the following
information: (i) the identity of the data controller and of its representative(s) within Ireland, if any; (ii) the purposes
of the processing; and (iii) any other information which is necessary, having regard to the specific circumstances in
which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject
(e.g. information as to the recipients or categories of recipients of the data).
Right of access/correction/objection and other rights
Access: An individual is entitled to be informed whether any data processed by or on behalf of a data controller are
personal data relating to that individual. If they are, the individual may request access to his/her personal data that
have been or are being processed, provided that none of the prescribed exceptions is satisfied. Upon receipt of
such request, the data controller is required to provide certain prescribed information in a notice in writing.
Correction: An individual may apply to a data controller who keeps personal data relating to him/her to have data
rectified, blocked or erased in case of contravention of the fair processing principles.
Objection to processing: A data subject may, in certain instances, request a data controller to cease processing
his/her data for a specified purpose or in a specified manner.
Others: A data subject may also object to the processing of his/her personal data for the purpose of direct
marketing in which case, depending on the particular circumstances, the data controller may be required to erase
the personal data.
Security
Security requirements in order to protect the data
Data controllers or data processors must implement appropriate security measures to protect personal data against:
(i) unauthorised access, unauthorised alteration, disclosure or destruction, in particular, where processing involves
the transmission of personal data over a network; and (ii) all other unlawful forms of processing.
Specific rules governing processing by a third party (processor) on behalf of data controller
Where processing of personal data is carried out by a data processor, the data controller must ensure that the
processing is carried out in pursuance of a contract in writing or equivalent for stipulating, in particular, that:
(i) the data processor carries out the processing only on and subject to the instructions of the data controller; and
(ii) the data processor complies with the security obligations outlined above.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Personal data may be transferred to a country or territory within the EEA.
Transfer outside the EEA
Personal data may be transferred to countries outside the EEA which have been designated by the European
Commission as territories ensuring an adequate level of protection. In the absence of such a designation, there are
numerous preconditions, at least one of which will have to be fulfilled before data can be transferred outside the
EEA (e.g. the data importer has signed up to the Safe Harbor or the EC Model Clauses, the data subject has
consented or the transfer is necessary for the performance of a contract).
The Data Protection Commissioner has issued guidance on when the prescribed exceptions may be relied upon and,
in particular, on when a data subject may be considered to have implicitly consented to the transfer of his/her data
outside the EEA. The Commissioner considers that it may be within the reasonable expectations of staff working for
a multinational organisation that routine HR data may be transferred for routine HR purposes to the organisation’s
corporate headquarters outside the EEA. However, this may not apply to sensitive data or other information that
the employee would consider sensitive.
Sensitive Data
Sensitive data may not be processed unless one of a number of prescribed conditions is satisfied. Sensitive data is
defined as personal data as to: (a) racial or ethnic origin, political opinions or religious or philosophical beliefs;
(b) trade union membership; (c) physical or mental health or condition, or sexual life; (d) the commission or
alleged commission of any offence; or (e) any proceedings for an offence committed or alleged to have been
committed, the disposal of such proceedings or the sentence of any court in such proceedings.
Enforcement
Sanctions
Breaches may incur civil liability or criminal sanctions, which include fines up to EUR 100,000 on indictment but
not prison terms. A breach of a data protection principle is not of itself a criminal offence, but may result in an
enforcement notice. The DPA also imposes a duty of care on data controllers to comply with the DPA. Therefore, in
the event of a breach of the DPA by a data controller, a data subject might be in a position to make a claim for
damages against a data controller for breach of its duty of care towards the data subject.
In 2005 the Irish Data Protection Commissioner (the “DPC”) issued a series of guidance notes intended to clarify a
number of different data protection issues. It is expected that in time codes of conduct will be put in place. Some
of the issues addressed in the DPC’s guidance notes are outlined above. The guidance notes are available at
www.dataprivacy.ie
Practice
In relation to investigations last year, the Data Protection Commissioner received 385 new complaints, of which
366 were concluded. Of the complaints concluded, 26% were upheld, 63% were resolved informally while 11%
were rejected. In addition, there were three prosecutions last year.
The typical level of penalties imposed is unknown, as is the most significant penalty levied to date. Under the Irish
Data Protection legislation the Data Protection Commissioner may launch investigations into possible
contraventions of the legislation and has the power to arrange an amicable resolution or issue a decision. The Data
Protection Commissioner has no power to issue fines in respect of contraventions, however, he may issue a formal
decision which is subject to a right of appeal by either party to the courts. Accordingly, in relation to levels of
penalties imposed, there is very little data regarding penalties to draw from as the majority of the investigations are
settled amicably.
Sector specific: E-communications I Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the European Communities (Electronic
Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 (the “ECA”). The ECA
became effective on 6 November 2003.
Conditions for sending direct marketing e-mail
The sending of unsolicited e-mail for the purpose of direct marketing is permitted provided that the consent of the
recipient has been obtained. The type of consent required depends on whether the recipient is a natural person
(opt-in) or a non-natural person such as a corporate entity (opt-out).
Exemptions
It is permitted to use a customer’s e-mail contact details if: (i) they were collected in accordance with general data
protection laws, in the context of a sale of a product or service, for the purposes of direct marketing; (ii) the direct
marketing relates only to the sender’s own similar products or services; and (iii) the customer is clearly and
distinctly given the opportunity to object, in an easy manner and without charge, to the use of their e-mail contact
details when they are collected and on the occasion of each subsequent message. This exemption seems to apply
in relation to individual and corporate subscribers.
Scope of application
The ECA applies to natural persons (individuals) and non-natural persons (corporate entities).
Italy.
Contributed by Gianni, Origoni, Grippo & Partners
General I Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Protection of Individuals and Other Subjects with regard to the
Processing of Personal Data Act (No. 675 of 31 December 1996), which was replaced by the Consolidation Act
regarding the Protection of Personal Data (Data Protection Code - Legislative Decree No. 196) (the “DPC”) of 30
June 2003.
Entry into force of the implementing legislation
Law no. 675/96 came into force on 8 May 1997; the DPC came into force on 1 January 2004.
Scope of Application of the National Legislation
Territorial scope of application
The DPC applies to data controllers established in Italy (the DPC also applies to a foreign data controller having a
branch in Italy).
The DPC also applies if the data controller is established outside the EEA but uses equipment in Italy for
processing personal data other than for transit purposes.
Material scope of application
The DPC applies to both manual and electronic files.
Personal scope of application
The DPC applies to data relating to individuals and legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The entity responsible for data processing is the data controller, which is defined as any natural or legal person,
public administration, body, association or other entity that is competent, also jointly with another data controller,
to determine the purposes and methods of the processing of personal data and the relevant means, including
security matters.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Garante per la protezione dei dati personali (Italian Regulatory Authority) (“Garante”)
Piazza di Monte Citorio 121
00186 Roma
Italy
www.garanteprivacy.it
Notification or registration scheme and timing
Unless the processing is exempt, the data controller has to submit notification to the Garante before
commencement of the personal data processing. No approval is required.
Exemptions
Notification is required only with regard to data processing which could jeopardise rights and the freedom of the
data subjects, because of its methods or the nature of the personal data it relates to. Accordingly, only data
controllers in certain areas of activity (such as health, heavy marketing, central risk database maintained by banks,
telecommunications or operating user profiling), carrying out certain kinds of processing expressly listed by the
DPC must notify their processing activities.
Data Quality
Rules on the quality of the data processed
The DPC states that the data must be: (i) accurate; (ii) up to date; and (iii) adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
Retention period
The data must be retained for a period of time not exceeding that required for the furtherance of the purposes of
the processing.
The Garante has issued guidelines for the permitted data retention period in relation to specific kinds of data or
processing (such as loyalty programmes, databases for consumer credit, reliability and timeliness of payments).
Rights of Data Subjects
Right to information
The data subjects have the right to be informed about: (i) the purposes and methods of the processing; (ii) the
mandatory or voluntary nature of the supply of data; (iii) the consequence of possible refusal to consent to the data
processing; (iv) the (categories of) entities to whom the data may be communicated; (v) their rights as data subject;
and (vi) the name and address of the controller and, if applicable, of the data processor.
Right of access/correction/objection and other rights
Access: Data subjects may have access to their personal data by addressing a request to the data controller.
Correction: Data subjects may have their personal data updated, amended or supplemented or have their personal
data cancelled, transformed into anonymous data, or blocked, by the data controller. The Garante has specified
that a data subject cannot ask for correction of data if the data are the result of an evaluation of the data
controller.
Objection to processing: Data subjects may object to the processing of their personal data on the basis of lawful
reasons or discretionally in the case of commercial information, advertising material or marketing research.
Security
Security requirements in order to protect the data
Further to the generic duty to implement the security measures appropriate to protect personal data from
accidental or unlawful destruction, accidental loss, alteration and unauthorised disclosure or access, the DPC
requires, under criminal sanction, the implementation of specific technical, logical and organisational minimum
security measures set forth by a “Disciplinare Tecnico” (“Technical Specifications”), attached to the DPC.
Specific rules governing processing by a third party (processor) on behalf of data controller
According to the DPC, the data controller has to give instruction to the data processor and make the security
measures applicable also to data processors.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPC permits data transfers within the EEA without restrictions.
Transfer outside the EEA
Transfer to non-EEA countries is only permitted if: (1) the non-EEA country guarantees an adequate level of
protection, either (a) as recognised by the Garante (e.g. Canada, Hungary, Switzerland, Argentina, Isle of Man,
Guernsey, United Kingdom, U.S. companies having adhered to the Safe Harbor principles) or (b) by means of the
adoption of standard contractual clauses; or (2) one of certain conditions is satisfied, inter alia: (i) the data
subject has consented; (ii) the transfer is necessary for the performance of an agreement to which the data subject
is a party; (iii) the processing relates to personal data regarding legal entities or any other entity or association; or
(iv) the transfer is necessary in order to judicially establish, exercise or defend a right.
Sensitive Data
Sensitive data are data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions,
membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade
union nature, as well as personal data disclosing details of health and sexual life.
Sensitive data may be processed only with both the data subject’s written consent and the Garante’s prior
authorisation.
Enforcement
Sanctions
The DPC sets forth civil, criminal and administrative sanctions.
The DPC states that the data controller shall be liable for damages caused by the improper use or disclosure of the
processed data.
The Garante may impose administrative sanctions (fines), inter alia, in case of: (i) non-fulfilment of the obligation
to provide the data subject with the Information Notice; or (ii) failure to notify or incomplete notification to the
Garante.
The DPC provides for up to three years’ imprisonment and publication of the judgment in the event of, inter alia:
(i) unlawful personal data processing, if damage occurs; (ii) false notification; or (iii) failure to adopt and
implement the required minimum security measures.
The Garante has investigation powers and can also call on the Financial Police (“Guardia di Finanza”).
Practice
During 2004 the Garante started roughly 100 inspections, mainly in the area of security measures and notification,
with specific reference to sensitive data. The investigations resulted in about 20 criminal proceedings and, in
several cases, blocking orders of the processing. In a regulation in July 2005, the Garante stated that future
investigations will focus mainly on internet services, consumer credit, fidelity programmes and interactive
television.
Sector specific: E-communications I Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the DPC. The effective date was 1 January 2004.
Conditions for sending direct marketing e-mail
The DPC provides that sending unsolicited marketing or advertising communications by e-mail shall be permitted
only with the consent of the data subject (opt-in).
In any event, the data subject has a right to opt-out and must be expressly informed of this right.
Exemptions
The opt-in system is not applicable to e-mail marketing by the sender to parties who are already its clients (opt-out
system).
Scope of application
The provisions of the DPC regarding e-mail marketing apply to both individual contacts and corporate contacts.
Latvia.
Contributed by Klavins & Slaidins
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The Law on Protection of Personal Data of Natural Persons (the “DPA”) was adopted on 23 March 2000. The DPA
incorporates the principles and provisions of Directive 95/46/EC.
Entry into force of the implementing legislation
The DPA came into force on 20 April 2000.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to: (i) data controllers registered in Latvia; (ii) processing where the personal data processing
equipment is located in Latvia; and (iii) data processing performed outside Latvia in the territories which belong to
Latvia in accordance with international agreements.
Material scope of application
The DPA applies to structured sets of personal data recorded in any manner (both manual and electronic files).
Personal scope of application
The DPA only applies to data relating to individuals and not to data relating to legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as a natural or
legal person who determines the purposes and means of processing of the personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
State Data Inspection (“SDI”)
Kr. Barona street 5-4
Riga LV-1050
Latvia
www.dvi.gov.lv
Applications relating to personal data processing systems must be submitted to:
SDI registration department
Dzirnavu street 93
Riga LV-1011
Latvia
Notification or registration scheme and timing
Under the DPA, and unless the processing is exempt, all state and municipal authorities and other natural and
legal persons who perform or wish to commence personal data processing and create personal data processing
systems must register such processing with the NRA. The NRA reviews the information submitted and, if
necessary, performs a pre-registration examination.
Exemptions
Exemptions from registration of processing apply in respect of: (i) processing for accounting and personnel
registration needs; (ii) processing of personal data not stored in electronic form; and (iii) processing created by
religious organisations or churches referred to in the Civil Law.
Data Quality
Rules on the quality of the data processed
The DPA states that the data controller must ensure the correctness of the personal data and their timely updating,
correction and deletion if the personal data are inaccurate or incomplete.
Retention period
The personal data processed shall not be kept in a form which allows identification of the data subject longer than
is necessary for the purpose.
Rights of Data Subjects
Right to information
The data controller must provide the data subject with the details of the data controller and data processor, the
purposes for which the data are processed and the reasons for the intended personal data processing.
Right of access/correction/objection and other rights
Access: A data subject has the right to obtain information regarding the natural or legal persons which, over a
given period of time, have received his/her personal data from the data controller. The data subject also has the
right to obtain a copy of all his/her personal data, unless prohibited under the DPA.
Correction: A data subject has the right to request that his/her personal data be supplemented, corrected or
destroyed, or that the data processing be terminated if the personal data are incomplete, out of date, untrue or
illegally obtained or if the data are no longer necessary for the purpose for which they were gathered.
Objection to processing: A data subject has the right to object to processing of his/her personal data for direct
marketing purposes.
Security
Security requirements in order to protect the data
The data controller and the processor have an obligation to use the necessary technical and organisational means
in order to protect the personal data and prevent illegal processing. The mandatory technical and organisational
requirements for protection of personal data processing systems are established by the Cabinet of Ministers of the
Republic of Latvia in the form of specific regulations.
Specific rules governing processing by a third party (processor) on behalf of data controller
Data processors must undertake in writing to maintain and not illegally disclose personal data. The data controller
has an obligation to register the data processors.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Personal data can be transferred to another country if that country ensures a level of data protection which
corresponds to the level of data protection effective in Latvia. Assessment of the protection level is made by the
NRA which issues a written consent to the transfer of personal data.
Transfer outside the EEA
Personal data can be transferred to another country if that country ensures the level of data protection which
corresponds to the level of data protection effective in Latvia. Assessment of the protection level is made by the
NRA which issues written consent to the transfer of personal data.
Sensitive Data
The processing of sensitive personal data is prohibited, except in certain cases provided for in the DPA. Personal
data are sensitive if they relate to racial or ethnic origin, religious, philosophical and political convictions,
participation in trade unions or health or sexual life.
Enforcement
Sanctions
The NRA has the right to impose administrative fines or issue warnings for violations of the DPA. These fines range
from LVL 25 to 250 for individuals and from LVL 100 to 1,000 for legal entities (EUR 1 = approximately LVL 0.70).
Practice
Last year the SDI carried out 136 investigations; administrative penalties were imposed in 18 cases and fines in
14 cases, and a total of LVL 1,610 was collected. The number of prosecutions last year is not known, but the SDI
has won all those proceedings which took place.
The typical level of penalty imposed on a natural person is LVL 25. For legal persons it is LVL 100, which most
often arises out of data processing without a legal basis.
The most significant penalty levied to date was LVL 350, in a case involving Mr Repse, the former president of the
Bank of Latvia. Mr Repse was filmed by CCTV cameras in a supermarket. Photos were extracted from the CCTV
footage and then appeared in “Privata Dzive” (Private Life) magazine. The store’s system manager was found guilty
of disclosing the data to the magazine, and the SDI fined the supermarket LVL 350.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented in the new Electronic Communications Law (“ECL”).
The ECL took effect on 1 December 2004, replacing the Law on Telecommunications. The ECL stipulates the
allocation of supervisory functions for the electronic communications market.
The ECL provides for the protection of user data, including the protection of personal data in the field of electronic
communications services. Supervision of data protection is carried out by the SDI.
Liechtenstein.
Contributed by Wanger Advokaturbüro
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act dated 14 March 2002 and the relevant
Ordinance on the Data Protection Act (Data Protection Ordinance) dated 9 July 2002 (together, the “DPA”).
Entry into force of the implementing legislation
The DPA came into force on 1 August 2002.
Scope of Application of the National Legislation
Territorial scope of application
The DPA regulates all data processing conducted as part of the activities of a branch of a data controller in
Liechtenstein or by a data controller established in a place where the law of Liechtenstein is applicable, or by a
data controller not established in the EEA who makes use of automated or non-automated means located in
Liechtenstein for the purpose of processing data, unless such means are used solely for the purpose of transit of
data through the EEA.
Material scope of application
The DPA applies to both manual and electronic files.
Personal scope of application
The DPA applies to data relating to individuals and legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as private
persons or authorities who decide on the purpose and content of the processing.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Data Protection Commissioner: Dr Philipp Mittelberger
Data Protection Unit
Aeulestrasse 51
FL-9490 Vaduz
Liechtenstein
www.llv.li/amtstellen/llv-sds-home.htm
Notification or registration scheme and timing
Under the DPA, data controllers must notify the processing of personal data to the Data Protection Registrar prior
to the commencement of processing if either: (i) personal data are to be disclosed; or (ii) the data controller
processes sensitive data or personality profiles and discloses data to third parties, unless there is a legal
requirement for the data processing and the data subject is aware of the data processing.
Exemptions
Until an act comes into force regulating the processing of personal data for the purposes of fighting terrorism,
violent extremism, organised crime and illicit intelligence services and of guaranteeing state security, the
government may make exceptions to the notification obligation.
Data Quality
Rules on the quality of the data processed
There are no further rules relating to data quality under the DPA.
Retention period
There are no time limits on retention of data under the DPA.
Rights of Data Subjects
Right to information
Data subjects have the right to obtain information, including access, to their personal data with regard to:
(i) whether or not their personal data are being processed, and information as to the source of those data; (ii) the
purpose of the data processing and its legal basis, the categories of personal data concerned and the categories of
both the data controller and recipients to whom the data are disclosed; and (iii) the logic involved in any fully
automated processing of their personal data.
Right of access/correction/objection and other rights
Access: See “Right to information” above.
Correction: Data subjects have the right to require the rectification, erasure or blocking of personal data if the data
are incomplete or inaccurate.
Objection to processing: Unless the processing is authorised by law, data subjects have the right to object to the
processing by the data controller of personal data on the grounds of predominant interests which are worthy of
protection and which relate to the data subject’s particular situation. Where there is a justified objection, the
processing undertaken by the data controller may no longer involve the personal data in regard to which the
objection was made.
Security
Security requirements in order to protect the data
Personal data must be protected against unauthorised processing by appropriate technical and organisational
measures.
Specific rules governing processing by a third party (processor) on behalf of data controller
The processing of personal data may be entrusted to a data processor provided: (i) the data controller ensures that
no processing occurs that it would not be permitted to carry out itself; and (ii) the processing is not prohibited by a
legal or contractual duty of confidentiality.
The data processor will be subject to the same duties and may assert the same grounds of lawful justification as
the data controller.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Under the DPA, the transfer must be notified to the Data Protection Commissioner in advance, unless the transfer
is required in order to comply with a legal obligation and the data subject is aware of the transfer.
However, the government may issue further regulations, particularly in order to simplify or create exemptions from
the notification requirements when the processing does not adversely affect the data subject, and to specify foreign
countries which do not provide adequate protection of personal data. Under the Data Protection Ministerial Order,
notification of the transfer of personal data to countries which ensure adequate data protection is not required
unless the data are sensitive data or data constituting a personality profile.
Transfer outside the EEA
As with transfer to EEA Member States, under the DPA the transfer must be notified to the Data Protection
Commissioner in advance, unless the transfer is required in order to comply with a legal obligation and the data
subject is aware of the transfer.
However, the government may issue further regulations, particularly in order to simplify or create exemptions from
the notification requirements when the processing does not adversely affect the data subject, and to specify foreign
countries which do not provide adequate protection of personal data. Under the Data Protection Ministerial Order,
notification of the transfer of personal data to countries which ensure adequate data protection is not required
unless the data are sensitive data or data constituting a personality profile.
States whose data protection legislation is regarded as equivalent are Argentina, Guernsey, Canada and
Switzerland, as well as U.S. organisations adhering to the Safe Harbor principles in accordance with Commission
Decision 2000/520/EC of 26 July 2000.
Sensitive Data
Both sensitive personal data and data constituting a personality profile are the subject of specific rules. Sensitive
data are data relating to: (i) religious, philosophical, or political opinions or activities; (ii) health, sexuality, or racial
origin; (iii) social security files; and (iv) criminal or administrative proceedings and penalties. “Personality profile”
refers to a collection of data that allows the appraisal of fundamental characteristics of the personality of an
individual.
Enforcement
Sanctions
The criminal sanctions for breaching the DPA include fines of up to CHF 20,000 or 360 daily rates (a daily rate
being a figure calculated by reference to the income of the offender) or imprisonment for up to one year.
The following civil procedures/sanctions also apply: (i) under the DPA, in conjunction with the Persons and
Companies Act, infringement of the right of personality gives a data subject the right to pursue civil proceedings
in court for rectification, destruction or prevention of disclosure of personal data and for compensation for
damage suffered; and (ii) the right of access to personal data may be pursued in a special non-contentious civil
proceeding (Rechtsfürsorgeverfahren).
Practice
Information about numbers of investigations and penalties imposed is not public.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has not yet been implemented.
A Communication Act (the “ECA”) implementing this provision is currently under preparation. It is likely that the
ECA will come into force in summer 2006.
Conditions for sending direct marketing e-mail
Under the DPA, in the event data is processed for the purpose of direct marketing, the data subject must be
notified in advance and must be informed of the cost-free and immediately effective right to object to which it is
entitled (opt-out).
The draft ECA (the so-called Vernehmlassungsbericht, or consultation report) is now available.
Lithuania.
Contributed by Lideika, Petrauskas, Valiunas ir Partneriai
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Law on Legal Protection of Personal Data dated 11 June 1996
(as modified on 17 July 2000, 22 January 2002 and 21 January 2003) (the “DPA”).
Entry into force of the implementing legislation
The latest modifications to the DPA came into force on 1 July 2003.
Scope of Application of the National Legislation
Territorial scope of application
The DPA regulates data processing activities in the territory of the Republic of Lithuania.
Material scope of application
The DPA is applicable to the processing of personal data by automated means (electronic files) and to the
processing of personal data by non-automated means (manual files) in filing systems, such as lists, card indexes,
files, codes, etc.
Personal scope of application
The DPA only applies to data relating to individuals and not to data relating to legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. “Data controller” is defined as any natural or legal
person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The State Data Protection Inspectorate
Gedimino Avenue 27/2
LT-01104 Vilnius
Lithuania
www.ada.lt
Notification or registration scheme and timing
Data controllers are obliged to register with the State Data Protection Inspectorate. The registration needs to be
approved by the State Data Protection Inspectorate. Registration must take place prior to commencement of data
processing.
Unless the processing is exempt, personal data may be processed by automated means subject to notification by
the data controller or its representative to the State Data Protection Inspectorate two months before the intended
commencement of the data processing activities. Such data processing operations may be carried out only if
authorisation has been granted by the State Data Protection Inspectorate. Within two months of receipt of the
notification, the State Data Protection Inspectorate must carry out prior checking according to the procedure it
determines and grant or refuse authorisation.
Exemptions
Exemptions from the registration/notification procedures described above apply where: (i) the data are processed
for the purposes of internal administration; (ii) personal data are processed for journalistic purposes, for the
purposes of artistic or literary expression, or for other means of providing information to the public;
(iii) personal data on a person’s health (condition, diagnosis, prognosis and treatment) are processed by a health
care professional; (iv) a non-profit organisation manages data about its members; or (v) data are processed for the
purposes of protecting state and official secrets.
Data Quality
Rules on the quality of the data processed
Under the DPA, personal data must be: (i) accurate, and, where necessary for the processing of personal data, up
to date; and (ii) relevant, adequate and not excessive in relation to the purposes for which they are collected and
processed.
Retention period
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the data were collected and processed.
Rights of Data Subjects
Right to information
Upon submitting to the data controller or the data processor a document certifying his/her identity, the data
subject is entitled to obtain information on the source and type of personal data that have been collected, the
purposes of processing and the recipient to whom the data are disclosed. Under the DPA, the data subject has the
right to be informed about the processing of his/her personal data.
Right of access/correction/objection and other rights
Access: The data subject has the right of access to his/her personal data and to familiarisation with the processing
method.
Correction: The data subject has the right to demand rectification or destruction of his/her personal data or
restriction of further processing, with the exception of storage, where the data are not processed in compliance
with the provisions of the DPA or other legislation. Personal data must be rectified and destroyed in response to the
request of the data subject and on the basis of documents confirming his/her identity and personal data.
Objection to processing: The data subject has the right to object to the processing of his/her personal data.
Security
Security requirements in order to protect the data
The data controller must have adequate means for protecting the secrecy of personal data. The data controller and
data processor must implement appropriate organisational and technical measures to ensure the protection of
personal data against any accidental or unlawful destruction, alteration and/or disclosure and against any other
unlawful processing. These measures must ensure an appropriate level of security in view of the nature of the data
to be protected and the risks represented by the processing.
Specific rules governing processing by a third party (processor) on behalf of data controller
The data controller must choose a data processor providing guarantees in respect of adequate technical and
organisational data protection measures and ensuring compliance with those measures. When authorising the data
processor to process personal data, the data controller must stipulate that personal data must be processed only
upon instructions from the data controller. The staff processing personal data, when applying for a job or when
performing their work, must assume an obligation in writing to keep the personal data confidential when the data
are not meant for public disclosure. This obligation remains valid after the employment has ended.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Personal data may be transferred to data recipients in foreign countries without authorisation from the State Data
Protection Inspectorate if international agreements to which the Republic of Lithuania is a party provide for such
a possibility. This exception has applied to data transfers to other EEA countries since 1 May 2004 (the date of
Lithuania’s accession to the EU).
Transfer outside the EEA
As a general rule, personal data may be transferred to data recipients in foreign countries only upon receiving
authorisation from the State Data Protection Inspectorate. Such authorisation may be issued provided that there is
an adequate level of protection in the recipient country. The State Data Protection Inspectorate may, however,
grant authorisation to transfer personal data to a foreign country which does not guarantee an adequate level of
protection if the data controller transferring the personal data specifies to the recipient of the data in a contract
the requirements for the safeguarding of personal data.
Personal data can be transferred outside the EEA without authorisation from the State Data Protection Inspectorate
under the usual circumstances (e.g. the data subject has consented to the transfer of the data; the provision of
personal data is necessary for the conclusion or performance of a contract between the data controller and a third
party concluded in the interests of the data subject; the transfer of personal data is necessary for the performance
of a contract between the data controller and the data subject or the implementation of pre-contractual measures
taken in response to the data subject’s request).
Sensitive Data
The DPA defines sensitive data as personal data about an individual’s racial, national and ethnic origin, political
opinions, religious and other beliefs, party membership, previous convictions, health, pathological defects and
sexual (private) life. Special protection is provided for personal data that are sensitive as their processing is
prohibited except in certain circumstances: (i) the data subject has given consent; (ii) such processing is necessary
for the purposes of work or public service in the exercise of the rights and obligations of the data controller in the
field of labour law in cases provided by law; (iii) it is necessary to protect vital interests of the data subject or of
any other person, where the data subject is unable to give consent due to a physical disability or because he/she is
legally incapable; (iv) processing is carried out in the course of its activities by a foundation, association or any
other non-profit-seeking body for political, philosophical, religious or trade union purposes, provided that the
processed data relate solely to the members of the body or to persons who have regular contact with it in
connection with its purposes; however, such personal data may not be disclosed to a third party without the
consent of the data subject; (v) the data have been made public by the data subject; (vi) it is necessary, in cases
provided by the DPA, for the prevention and investigation of criminal offences; or (vii) the data are necessary for a
court hearing.
Enforcement
Sanctions
Any act of non-compliance with the DPA or secondary data protection legislation gives rise to civil and
administrative (but not criminal) liability. Administrative sanctions include reprimand and monetary fines of
amounts from EUR 30 to EUR 1,200. Administrative sanctions may only be applied to individuals, and not to legal
entities.
Affected data subjects may also seek civil damages from either individual or corporate perpetrators.
Practice
In 2004 the Lithuanian DPA (the State Data Protection Inspectorate) carried out 365 investigations, 87 of which
were carried out as a result of complaints of individuals, 136 of which were as a result of applications for advance
review of planned automated personal data processing, and the rest were carried out by the State Data Protection
Inspectorate of its own accord.
27 investigations resulted in administrative prosecutions in 2004.
Administrative prosecution can only be initiated against individuals who have committed a data protection
violation, or the officer responsible for data protection issues within the company which has committed the
violation. If such an officer does not exist, the CEO of the entity is held responsible for the data protection issues.
The company itself may not be subject to administrative prosecution.
Typical administrative penalties are fines from 300 to 1,000 Litas (EUR 85 to 300). Penalties are roughly doubled
for repeated violations.
The individual affected by the breach of the DPA is also entitled to claim pecuniary and moral damages.
The most significant penalty levied to date was 2,000 Litas (EUR 600), imposed on the responsible officer of one of
the biggest Lithuanian commercial banks, which was found to have repeatedly infringed the personal data processing
regime by collecting excessive data on its clients and by transferring personal data to other entities.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by e-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been fully implemented by Article 68 of the Law on Electronic
Communications of the Republic of Lithuania of 15 April 2004 (the “LOEC”), which came into force on 1 May 2004.
Conditions for sending direct marketing e-mail
The LOEC prohibits the use of e-mail for advertising purposes without prior and free consent of the addressees.
The LOEC is designed to be implemented along with the DPA, which provides that personal data may be processed
for the purpose of direct marketing if this purpose is expressly declared during the collection of the data and the
data subject has given his/her express consent (opt-in).
The practice of the State Data Protection Inspectorate, maintained in most recent cases, suggests that the right of
consent must be clearly and separately explained to the data subject, and silence (no response) shall not be
considered as consent. In sum the above regulations clearly impose an “opt-in” system.
Additionally, the LOEC expressly prohibits use of e-mail for advertising purposes when the sender’s identity is
disguised or a valid e-mail address for the addressee to cancel the sending of such information is not provided.
Exemptions
The LOEC provides only one exemption: no consent needs to be obtained if the e-mail is sent to existing customers,
provided that all of the following conditions are fulfilled: (i) the sender directly obtained the electronic contact
details of the addressee in compliance with the provisions of the DPA; (ii) the sender uses the electronic contact
details only for marketing the sender’s own similar products or services; (iii) the sender offered the customer, at
the time of collecting his/her electronic contact details, a clear opportunity, free of charge and in a simple
manner, to object to such use; and (iv) the customer has not objected to such use of his/her data in respect of any
electronic message.
Scope of application
The above regime applies to both individual and corporate contacts, as it does not specify any particular
limitations on the addressees.
Luxembourg.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the law of 2 August 2002 on the protection of persons with regard to
the processing of personal data (the “DPA”).
Entry into force of the implementing legislation
The DPA entered into force on 1 December 2002.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to: (i) processing done by a data controller that is subject to Luxembourg law; and (ii) processing
by a controller that is not based in Luxembourg or any other EU Member State but uses equipment in Luxembourg
for processing personal data other than for transit purposes.
Material scope of application
The DPA applies to both manual and electronic files.
Personal scope of application
The DPA applies to data relating to individuals and legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as a natural or
legal person, public authority, agency or any other body that solely or jointly with others determines the purposes
and methods of processing personal data. When the purposes and methods of processing are determined by or
pursuant to legal provisions, the controller is determined by or pursuant to specific criteria in accordance with
those legal provisions.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Commission nationale pour la protection des données (“CNPD”)
41, avenue de la gare
L-1611 Luxembourg
www.cnpd.lu
Notification or registration scheme and timing
The data controller must notify all processing to the CNPD. A prior authorisation from the CNPD is required in
specific cases. The notification/authorisation has to be done prior to the processing.
Exemptions
The exemptions from the notification/authorisation requirement include: (i) the existence of a data protection
official appointed by the data controller; (ii) processing for the sole purpose of keeping a register, which is legally
introduced for public information purposes and open to consultation by the public or by a person having a
legitimate interest; and (iii) processing necessary to acknowledge, exercise or defend a right at law carried out in
accordance with the rules governing legal proceedings applicable to civil matters.
The processing by a data controller pursuant exclusively to his personal or domestic activities is excluded from the
scope of the DPA.
⏐Data protection legislation in the European Union⏐November 2005⏐73
Data Quality
Rules on the quality of the data processed
The data controller must process the data in a fair and lawful manner. The data must be: (i) collected for specified,
explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes;
(ii) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further
processed; (iii) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that
data that are inaccurate or incomplete, having regard to the purposes for which they were collected or for which
they are further processed, are erased or rectified; and (iv) kept in a form that permits identification of data
subjects for no longer than is necessary for the purposes for which the data were collected and processed.
Retention period
The DPA does not provide a specific retention period for the data but the retention period has to be proportionate
to the processing.
Rights of Data Subjects
Right to information
The data subject has to be provided with the following information: (i) the identity of the data controller and of its
representative, if any; (ii) the purpose or purposes of the processing for which the data are intended; and (iii) any
further information such as the (categories of) recipients of the data; the categories of data concerned; whether
answering the questions is compulsory or voluntary, as well as the possible consequences of failure to answer; the
existence of the right of access to data concerning him/her and the right to rectify them; the period of time the
data will be stored.
Right of access/correction/objection and other rights
Access: Upon request to the data controller, the data subject or his/her beneficiaries who can prove they have a
legitimate interest may obtain, free of charge, at reasonable intervals and without excessive waiting periods:
(i) access to his/her data; (ii) confirmation as to whether or not data relating to him/her are being processed and
information at least as to the purposes of the processing, the categories of data concerned and the recipients or
categories of recipients to whom the data are disclosed; (iii) disclosure to him/her in an intelligible form of the data
undergoing processing and of any available information as to their source; and (iv) knowledge of the logic involved
in any automatic processing of data concerning him/her at least in the case of automated decisions.
Correction: The data subjects have a right to rectification, but the way to exercise this right is not specified in the
DPA. The data controller is required to rectify, delete or block data if such data are incomplete or inaccurate.
Object to processing: The data subject may object at any time, for compelling and legitimate reasons relating to
his/her special situation, to the processing of any data on him/her except in cases where legal provisions expressly
provide for that processing. Where there is a justified objection, the processing instigated by the data controller
may not involve those data. The data subject may also object to the processing of his/her data for direct marketing
purposes and he/she may forbid the data controller to disclose his/her data to third parties or enable his/her data to
be used by third parties for marketing purposes. The data controller must inform the data subject about this right.
Security
Security requirements in order to protect the data
The data controller must implement all appropriate technical and organisational measures to protect the data
against accidental or unlawful destruction or accidental loss, falsification, unauthorised dissemination or access, in
particular where the processing involves the transmission of data over a network, and against all other unlawful
forms of processing. These measures have to be contained in an annual report to be submitted by the data
controller to the CNPD.
Specific rules governing processing by a third party (processor) on behalf of data controller
If the processing is carried out on behalf of the data controller, the data controller must choose a data processor
that provides sufficient guarantees as regards the technical and organisational security measures pertaining to the
processing to be carried out. It is up to the data controller as well as the data processor to ensure that the said
measures are respected.
Any processing carried out on behalf of a controller must be governed by a written contract or legal instrument
binding the data processor to the data controller.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Transfer outside the EEA
Data transfers to a third country may take place only where that country provides an adequate level of protection of
personal data and complies with the provisions of the DPA. If the European Commission or the CNPD finds that a
third country does not have an adequate level of protection, transfer of data to that country is prohibited. The
transfer to countries not ensuring an adequate level of protection is, however, permitted in specific circumstances
such as if the data subject provided his/her consent or if the transfer is necessary for the performance of a contract
to which the data subject is a party.
Sensitive Data
Processing operations that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade
union membership, and the processing of data concerning health or sex life, including the processing of genetic
data, are forbidden except in limited situations described in the DPA.
Enforcement
Sanctions
The sanctions for breaching the DPA are both civil and criminal (they range from eight days to one year
imprisonment and/or a fine between EUR 251 and EUR 125,000).
Practice
As at 1 April 2004, 16 complaints had been filed with the CNPD. According to the latest available information, no
sanctions have been imposed so far by the CNPD.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
A draft of the Bill relating to specific provisions concerning the processing of personal data and the protection of
privacy in the electronic communications sector, modifying provisions 88-2 and 88-4 of the Criminal Instruction
Code and modifying the DPA (the “draft ECA”), is pending before the “Chambre des Députés”.
Conditions for sending direct marketing e-mail
The draft ECA provides that sending direct marketing e-mail shall only be permitted with the prior consent of the
data subject (opt-in).
Exemptions
The opt-in system is not applicable where the person has obtained the contact details of the recipient in the course
of the sale or negotiations for the sale of a product or service; the direct marketing is with respect to a similar
product or service only; and the recipient has been given a simple means of refusing (free of charge) the use of
his/her contact details for the purposes of such direct marketing at the time of collection of the details and for
each subsequent communication.
Scope of application
The provisions of the draft ECA regarding e-mail marketing apply to both individual contacts and corporate
contacts.
Malta.
Contributed by Mamo TCV Advocates
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act 2001 (the “DPA”), Chapter 440 of the Laws
of Malta.
Entry into force of the implementing legislation
The DPA came into force on 15 July 2003, subject to transitional periods for certain provisions. These periods
differ depending on whether the processing is automated or manual.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to the processing of personal data carried out in the context of activities of a data controller
established in Malta or in a Maltese embassy or High Commission abroad and to the processing of personal data
where the data controller is established in a third country but the equipment used for the processing of personal
data is situated in Malta (unless such equipment is only used to transfer information between the third country and
another such country).
Material scope of application
The DPA applies to manual files and electronic files.
Personal scope of application
The DPA only applies to individuals but subsidiary legislation implementing Directive 2002/58/EC establishes a
broad definition of “personal data” that also includes data relating to legal entities unless otherwise specified by
the subsidiary legislation.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as “a person
who alone or jointly with others determines the purposes and means of the processing of personal data”.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Office of the Data Protection Commissioner
2, Airways House
High Street
Sliema SLM 16
Malta
www.dataprotection.gov.mt
Notification or registration scheme and timing
Data controllers must notify their processing of personal data to the Office of the Data Protection Commissioner. In
the case of manual processing this must be done by 24 October 2007. This involves the filing of information
relating to the processing operations carried out by the data controller, against payment of a notification fee,
renewable annually, and the subsequent notification of any updates regarding new processes, prior to
implementing such new processes.
Exemptions
By virtue of Legal Notice 162 of 2004, published on 16 April 2004, an exemption from notification has been laid
down in circumstances where the only personal data processed by a company is that contained in its Memorandum
and Articles of Association as registered with the Registrar of Companies under the Companies Act. Moreover the
following categories of persons are obliged to notify but are exempt from payment of the notification fee: (i) self-employed
persons who carry on a trade, business, profession or other economic activity and do not employ any
employees with them; and (ii) any philanthropic institutions and similar organisations, band clubs, sports clubs
and similar institutions, registered trade unions and political parties and clubs adhering to political parties, which
are also exempt from tax under the Income Tax Act.
Data Quality
Rules on the quality of the data processed
The data must be processed fairly and lawfully in accordance with good practice. They must be collected only for
specific, explicitly stated, legitimate purposes. They cannot be processed for a purpose incompatible with that for
which they have been collected. The data must be adequate, relevant, accurate and cannot be retained for a period
longer than necessary for the stated purposes of the processing.
Retention period
There is no specific retention period. The DPA only requires that personal data not be kept for a period longer than
is necessary for the purposes for which the data are processed.
Rights of Data Subjects
Right to information
The data subject must be informed of: (i) the identity and contact details of the data controller and any other
person authorised by the data controller to take action on its behalf; (ii) the purposes of the processing; (iii) the
recipients or categories of recipients of the data; (iv) whether replies to questions are voluntary or obligatory and
consequences of failure to reply; (v) the existence of the right to access, rectify, and if applicable erase the data
relating to him/her; and (vi) if the data are not collected from the data subject, the categories of data processed.
Right of access/correction/objection and other rights
Access: Data subjects have a right to request access to their data. Requests must be made in writing to the data
controller and signed by the data subject.
Correction: Data subjects have a right to have their data rectified where the data would not have been processed in
accordance with the DPA.
Objection to processing: Data subjects have a right to object to the processing in specific circumstances, such as
direct marketing.
Other: Data subjects also have the right to ask the data controller to reconsider any decisions based solely on
automated processing (unless such decisions are taken in the course of entering into or performing a contract with
the data subject, under certain conditions).
Security
Security requirements in order to protect the data
Data controllers are obliged to take “appropriate technical and organisational measures to protect the data
processed against accidental destruction or loss or unlawful forms of processing thereby providing an adequate
level of security” (Article 26(1) DPA).
Specific rules governing processing by a third party (processor) on behalf of data controller
Data controllers must further ensure that data processors can and actually do implement security measures as
described above. The carrying out of processing by way of a data processor must be governed by a written
agreement binding the data processor to the data controller and stipulating that the processor shall only act on the
data controller’s instructions and shall take the security measures identified above.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EU. They must, however, be notified.
Transfer outside the EEA
Transfers to a country outside the EU must be notified and further approved by the Data Protection Commissioner
provided that an adequate level of data protection is ensured by that third country. Data controllers are required to
complete and submit a data transfer form to the Commissioner providing details of any such transfers that they
make to third countries. Exemptions from the prohibition of such transfers to third countries exist, e.g. where the
data subject has given his/her unambiguous consent to the transfer; or if the transfer is necessary for the
performance of a contract between the data subject and the data controller.
Sensitive Data
Special protection is provided for data revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership, sexual life and health data.
Enforcement
Sanctions
Sanctions under the DPA are both civil and criminal. A data controller in breach of the DPA may also be liable to:
(i) an administrative fine imposed by the Data Protection Commissioner; (ii) an order to pay compensation to the
aggrieved data subject following a successful action for damages by the data subject; or (iii) a criminal fine
(currently, maximum 10,000 Maltese liri), imprisonment (currently, maximum six months) or both.
Practice
Four investigations were carried out during 2004. No prosecutions were conducted last year and no financial
penalties have been imposed to date.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Processing of Personal Data
(Telecommunications Sector) Regulations, 2003 (the “ECA”), subsidiary legislation enacted by Legal Notice 16 of
2003 under the DPA. The ECA entered into force on 15 July 2003.
Conditions for sending direct marketing e-mail
The ECA provides that direct marketing e-mail cannot be sent without prior explicit consent of the data subject in
writing. This is opt-in.
Exemptions
Where a person has obtained from its customers their e-mail addresses in the context of a sale of a product or a
service, according to the ECA that same person may use such details for direct marketing of its own similar
products or services. This exception applies provided that customers have been given the opportunity to object,
free of charge and in an easy and simple manner, to such use of electronic contact details when they are collected
and on the occasion of each message where the customer has not initially refused such use.
Scope of application
The provisions of the ECA regarding direct marketing e-mail apply both to individual and corporate contacts.
The Netherlands.
Contributed by De Brauw Blackstone Westbroek
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented. The Dutch implementation legislation consists of two acts: (i) the Act
on the Protection of Personal Data of 6 July 2000 (“Wet bescherming persoonsgegevens” - the “DPA”); and (ii) the
Exemption Decree DPA of 7 May 2001 (“vrijstellingsbesluit Wbp” - the “Decree”).
Entry into force of the implementing legislation
The DPA entered into force on 1 September 2001.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to the processing of personal data carried out in the context of the activities of an establishment
of a responsible party (“data controller”) in The Netherlands. Furthermore, the DPA applies to the processing of
personal data by or for data controllers who are not established in the EU, whereby use is made of automated or
non-automated means situated in The Netherlands, unless these means are used only for forwarding personal data.
Such data controllers are prohibited from processing personal data unless they designate a person or body in The
Netherlands to act on their behalf in accordance with the provisions of the DPA; that body shall be deemed to be
the data controller.
Material scope of application
The DPA applies to the fully or partly automated processing of personal data, and to the non-automated processing
of personal data entered in a file or intended to be entered therein.
Personal scope of application
The DPA applies only to personal data (any information relating to an identified or identifiable natural person). As a
rule, data relating to legal entities do not qualify as personal data, since a legal entity is not a natural person.
However, data concerning legal entities can be classified as personal data if these data are of such a nature that
they can (together with other data) be decisive for the manner in which a natural person may be judged or treated
in society. Data about contact persons of legal entities also constitute personal data.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is the person or entity responsible for compliance with the DPA. The DPA defines a data
controller as the natural person, legal person, administrative body or any other entity which, alone or in conjunction
with others, determines the purpose of and means for processing personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Dutch DPB (“College bescherming persoonsgegevens”)
Mailing address:
College bescherming persoonsgegevens (CBP)
Postbus 93374
2509 AJ Den Haag
The Netherlands
Visiting address:
Prins Clauslaan 20
2595 AJ Den Haag
The Netherlands
www.cbpweb.nl
Notification or registration scheme and timing
In general, fully or partly automated processing of personal data must be notified to the Dutch Data protection
board or the (internal) privacy officer before processing commences. The Dutch Data protection board has designed
standard notification forms. The notification does not require the approval of the Dutch Data protection board; it is
a mere filing of information.
Exemptions
Pursuant to the Decree, certain common categories of processing are exempt from the notification obligation (such
as the processing of data as part of salary and/or personnel administration), provided that the processing only
involves the data and purposes explicitly prescribed in the Decree. Furthermore, certain conditions mentioned in
the Decree must be complied with, such as the obligation not to keep the data longer than a certain period of time,
unless otherwise required by law.
Data Quality
Rules on the quality of the data processed
Personal data may only be processed where, given the purposes for which they are collected or subsequently
processed, they are adequate, relevant and not excessive. Furthermore, the data must be correct and accurate
given the purposes for which they are collected or subsequently processed.
Retention period
Generally, personal data may not be retained in an identifiable form for any longer than is necessary for achieving
the purposes for which they were collected or subsequently processed. Please note that the Decree contains
specific retention periods for certain categories of data, which must be complied with in order to be exempt from
the notification obligation.
Rights of Data Subjects
Right to information
Pursuant to the DPA, the data controller must provide the data subject with the following information prior to
obtaining the personal data, unless the data subject is already acquainted with this information: the identity of the
data controller and the purposes of the data processing; the identity of recipients of the data; the right of the data
subject to have access to his/her data; the right to request rectification of data, etc.; or, in the event of transfer of
data to a country outside the EU, the fact that this is occurring and for what purposes, etc.
Right of access/correction/objection and other rights
Access: Upon written request, the data controller must provide the data subject with a full and clear summary of
the data that are being processed about him/her, including a definition of the purposes of the processing, the
categories of processed data and the (categories of) recipients, as well as the available information as to the origin
of the data.
Correction: Data subjects may ask the data controller to correct, supplement, delete or block the data processed
about them in the event that such data are inaccurate, incomplete or irrelevant for the purposes of the processing,
or are being processed in any other way that infringes a legal provision.
Objection to processing: Data subjects have a right to object to the processing if the data controller is planning to
provide personal data to third parties or to use personal data for the purposes of direct marketing.
Other: Upon request by the data subject, the data controller must provide information concerning the underlying
logic of any automated decision relating to the data subject.
Security
Security requirements in order to protect the data
The data controller must implement appropriate technical and organisational measures to secure personal data
against loss or against any form of unlawful processing. These measures must guarantee an appropriate level of
security, taking into account the state of the art and the costs of implementation, and having regard to the risks
associated with the processing and the nature of the data to be protected.
Specific rules governing processing by a third party (processor) on behalf of data controller
The carrying out of processing by a third party processor must be governed by an agreement or another legal act set
out in writing or in another equivalent form. Pursuant to the DPA, the data controller is obliged to ensure that the
data processor only processes the data on the orders of the data controller and that the data processor implements
appropriate technical and organisational measures.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfer within the EEA.
Transfer outside the EEA
The transfer of data to a country outside the EEA is only authorised if that country offers adequate data protection.
Otherwise, the transfer will be prohibited, unless one of the exceptions provided for by the DPA is applicable, e.g.
if: (i) the data subjects have given their consent to the data transfer; or (ii) the Minister of Justice has, after
consulting the Dutch Data protection board, issued a permit for the data transfer on the basis that sufficient
safeguards are provided. Sufficient safeguards may be: (i) the entering into model contractual clauses approved by
the European Commission; and (ii) the implementation of Binding Corporate Rules.
Sensitive Data
The general rule is that it is prohibited to process sensitive personal data, except as otherwise provided in the DPA.
Pursuant to the DPA, sensitive data are data concerning a person’s religion or philosophy of life, race, political
persuasion, health and sexual life, or personal data concerning trade union membership, and personal data
concerning a person’s criminal behaviour, or unlawful or objectionable conduct connected with a ban imposed with
regard to such conduct.
Enforcement
Sanctions
Certain violations of the DPA qualify as a criminal offence. The sanction is a penal fine up to a maximum of EUR
4,500, and in the event of intentional violation a prison sentence with a maximum of six months. Also, the Dutch
Data protection board may apply an administrative fine with a maximum of EUR 4,500. With respect to all
violations of the DPA, the Dutch Data protection board may apply administrative sanctions and/or a penalty
payment. Furthermore, the Dutch Data protection board may carry out an investigation concerning compliance with
the DPA within a certain company. The Dutch Data protection board is free to present its findings to the press.
Finally, civil proceedings such as claims for damages or for injunctions may be started by the parties concerned.
Practice
In 2004, there were 216 complaints, 56 investigations and one official report for criminal prosecution. The
penalties imposed by the Data protection board range from EUR 3,000 to EUR 15,000. The highest penalty levied
to date was a penalty of EUR 15,000 which was imposed because of failure to notify multiple processings to the
Data protection board.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by e-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Directive 2002/58/EC has been implemented by an amendment to the Telecommunications Act (Wet
implementatie Europees regelgevingskader voor de elektronische communicatiesector 2002) (the “TA”). The new
TA entered into force in May 2004.
Conditions for sending direct marketing e-mail
The new TA provides that the use of e-mail to transmit unsolicited communications for commercial, idealistic or
charitable purposes is only permitted if the sender can demonstrate that the subscriber concerned has provided
his/her prior consent. This is opt-in.
Exemptions
The new TA provides that a recipient of the electronic contact details may use those details to transmit
communications for commercial purposes where: (i) it has received the data in the context of the sale of its
product or service; (ii) the commercial communication relates to its own similar products or services; and (iii) at
the time of receipt of the contact details, the customer is clearly and expressly offered the opportunity to object to
the use of such electronic details, and, where the customer did not object to this use, the customer is clearly and
expressly offered the opportunity to object to further use of his/her electronic contact details in each transmitted
communication. This is opt-out.
Scope of application
The relevant provisions of the new TA only apply to “individual subscribers”. Accordingly, the new TA does not
apply to corporate subscribers (e.g. [email protected]). The Dutch Minister of Justice has announced that
he/she will file a proposal to amend the TA so that it will apply to corporate subscribers as well in the future.
Norway.
Contributed by Wiersholm, Mellbye & Bech, advokatfirma AS
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Act on Processing of Personal Data (the “DPA”) dated 14 April
2000. The DPA is supplemented by a regulation dated 15 December 2000 (the “Regulation”), as last amended on
6 May 2005.
Entry into force of the implementing legislation
The DPA came into force on 1 January 2001.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to data controllers who are established in Norway. The DPA also applies to data controllers who
are established in states outside the territory of the EEA if the data controller makes use of equipment in Norway.
However, this does not apply if such equipment is used only for transit purposes.
Material scope of application
The DPA applies to processing of personal data wholly or partly by automatic means, and other processing of
personal data which form part of or are intended to form part of a personal data filing system.
Personal scope of application
Except for credit information agencies, the DPA only applies to processing of data relating to natural persons
(individuals).
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as the person
who determines the purposes of the processing and the means which are to be used.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Data Inspectorate
P.O. Box 8177
Dep, N-0034
Oslo
Norway
www.datatilsynet.no
Notification or registration scheme and timing
The data controller must notify the Data Inspectorate before processing personal data by automatic means, or
establishing a manual personal data filing system which contains sensitive personal data. The notification must be
made no later than 30 days prior to commencement of processing. The Data Inspectorate does not provide
approval.
The processing of sensitive data and the processing of personal data in the telecommunications sector, insurance
industry, banks and financial institutions and credit information agencies requires a licence from the Data
Inspectorate prior to processing.
Exemptions
There are some exemptions from the notification/licensing requirements, i.e. with regard to processing of data as
part of administration of and performance of contractual obligations to customers, subscribers and suppliers.
Data Quality
Rules on the quality of the data processed
The DPA requires that the data processed are adequate, relevant and not excessive in relation to the purpose of the
processing. Personal data must also be accurate and up to date.
Retention period
Data must not be stored longer than is necessary for the purpose of the processing.
Rights of Data Subjects
Right to information
Under the DPA, the data subject must be informed of: (i) the identity of the data controller and of his/her
representative, if any; (ii) the purpose for which the data are to be processed; (iii) the (categories of) recipients of
data; and (iv) the fact that the provision of data is voluntary, and the existence of the right to access and to rectify
the data concerning him/her. The data controller does not need to provide information about the specific data that
are being used in a personal profile, or the assumptions which form the basis for a personal profile. There are also
some exemptions from the duty to inform.
Right of access/correction/objection and other rights
The data controller may not charge the data subject for providing data to him/her or for meeting his/her requests.
Access: Any data subject who so requests must be informed of the kind of processing of personal data that a data
controller is performing and must be given a copy of the data collected. Upon written request from the data
subject, the information will be given in writing.
Correction: The data subject has a right to require rectification of personal data which are inaccurate, incomplete
or the processing of which is not authorised.
Objection to processing: The data subject is also given the right to object to certain categories of processing, i.e.
processing of personal data for direct marketing purposes.
Security
Security requirements in order to protect the data
In accordance with the DPA and the Regulation, the data controller must, by means of planned and systematic
measures, ensure satisfactory data security with regard to the confidentiality, integrity and availability of the
personal data processed, and must establish internal controls. The information system and the security measures
must be documented, and the documentation must be accessible to those employees of the data controller who need
it for their work, as well as to the Data Inspectorate and the Privacy Appeals Board.
Specific rules governing processing by a third party (processor) on behalf of data controller
A third party processor is defined as a person or entity that processes personal data on behalf of the data
controller. Under the DPA, there must be a written agreement between the processor and the data controller
regarding such processing of information.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Transfer outside the EEA
The DPA prohibits transfers outside the EEA unless the destination ensures adequate protection for the data.
Where it does not, personal data may still be transferred outside the EEA in the usual circumstances (e.g. if there
has been a Community adequacy finding, the data importer has signed up to the Safe Harbor or the EC Model
Clauses, or the data subject has consented).
The Data Inspectorate may allow transfer even if the above conditions are not fulfilled if the data controller
provides adequate safeguards with respect to the protection of the rights of the data subject. The Data Inspectorate
may stipulate conditions for the transfer.
Sensitive Data
Under the DPA, sensitive data means data relating to racial or ethnic origin, political opinions, union membership,
religious or philosophical convictions, health and sexual preference of the data subject, and the fact that a person
has been suspected of, charged with, indicted for or convicted of a criminal act.
As set out above, a licence from the Data Inspectorate is required prior to the processing of sensitive data.
Enforcement
Sanctions
Anyone who wilfully or through gross negligence does not comply with the provisions of the DPA shall be liable to
fines or imprisonment for a term not exceeding one year or both. In particularly aggravating circumstances, a
sentence of imprisonment for a term not exceeding three years may be imposed.
A coercive fine may also be imposed by the Data Inspectorate.
Finally, under the DPA, the data controller must compensate for damage suffered if personal data have been
processed contrary to the DPA, unless it is established that the damage is not due to error or negligence on the
part of the data controller. The compensation must be equivalent to the financial loss incurred by the claimant as a
result of the unlawful processing. The Data Controller may also be ordered to pay such compensation for damage of
a non-economic nature (compensation for non-pecuniary damage) as seems reasonable.
Practice
The Data Inspectorate carried out 161 investigations in 2004. None led to prosecution. In 2005 there have been
two reports so far. Since the coming into force of the DPA, only one penalty has been imposed by a lower court in
an unpublished judgment.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by e-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by an amendment to Section 2b of the Marketing Control
Act dated 21 January 2005. Section 2b of the Marketing Control Act originally implemented Directive 97/7/EC.
Conditions for sending direct marketing e-mail
The Marketing Control Act Section 2b prohibits direct marketing to individuals in the course of business using
methods of telecommunication which permit individual communication, such as e-mail, text messaging services to
mobile telephones, facsimile or automatic calling machines, without the prior consent of the recipient (opt-in
requirement).
Exemptions
Direct marketing using telecommunication such as e-mail to existing customers will not require prior consent
provided that certain conditions are met. However, the e-mail must contain an explanation of how to opt-out of
future communications.
Individual-to-individual e-mail routines set up by companies on the company’s website (tip-a-friend) are permitted
in most circumstances.
Scope of application
The legislation applies to direct marketing to natural persons (individuals, not only consumers) by a business using
methods of telecommunication which permit individual communication.
Poland.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The rules established by Directive 95/46/EC were implemented in Poland by the Act on the Protection of Personal
Data of 29 August 1997 (Journal of Laws of 2002, No. 101, item 926, as amended) (the “DPA”).
Entry into force of the implementing legislation
The DPA entered into force on 30 April 1998. However, certain provisions came into force on 1 May 2004,
including, but not limited to, those on “Territorial scope of application” and “Transfer within the EEA”.
Scope of application of the National Legislation
Territorial scope of application
The DPA is applicable in Poland. The DPA applies if: (i) the data controller is established or domiciled in Poland
and data are processed in the context of its activities; or (ii) the data controller is established outside the EEA, but
uses equipment in Poland for processing personal data.
Material scope of application
The DPA determines the principles of processing personal data and the rights of individuals whose personal data
are or can be processed as part of a data filing system. The DPA applies to the processing of personal data in
computer systems, files, indexes, books, lists and other registers.
Personal scope of application
The DPA applies only to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as a body or
an organisational unit, an establishment or a person that decides about the purposes and means of processing
personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Inspector General for the Protection of Personal Data (the “IGPPD”)
ul. Stawki 2
00-193 Warsaw
Poland
Tel.+48 (22) 860-70-86
e-mail: [email protected]
www.giodo.gov.pl
Notification or registration scheme and timing
The DPA provides for a registration scheme. The data controller must register any data filing system with the
IGPPD before starting to process the data in a data filing system. The IGPPD may refuse registration.
Exemptions
The obligation to register filing systems does not apply to certain data controllers, in cases where there is a public
interest or a low level of risk to the rights and freedoms of the persons whose data are being processed. The DPA
identifies such situations in detail.
Data Quality
Rules on the quality of the data processed
The DPA provides rules on the quality of the data processed. The controller must protect the interests of the data
subjects with due care, and it must in particular ensure that the data are: (i) processed lawfully; (ii) collected and
processed for specified and legitimate purposes; (iii) relevant and adequate for the purposes for which they are
processed; and (iv) kept in a form that permits identification of the subjects of the data for no longer than is
necessary for the purposes for which they are processed.
Retention period
The DPA provides no specific retention period for personal data. The sole indication is that the data shall not be
kept in a form that enables identification of the data subjects for longer than is necessary for the purposes for
which they are processed.
Rights of Data Subjects
Right to information
Data subjects have the right to obtain information: (i) on whether a filing system exists and on the controller’s
identity; (ii) regarding the purpose, scope, and the means of processing of the data contained in the filing system;
(iii) as to when processing of the personal data commenced; (iv) about the source of the personal data; (v) about
the form in which the data are disclosed, and in particular about the recipients or categories of recipients of the
data; and (vi) about the rights of data subjects.
Right of access/correction/objection and other rights
Data subjects have a right to control the processing of their personal data contained in the filing systems, and in
particular have the right to obtain extensive information, to correct their data and to object to their data being
processed.
Data subjects have the right to demand that the data be completed, updated, rectified, temporarily or permanently
suspended or erased, if they are incomplete, outdated, untrue or collected in violation of the DPA, or if they are no
longer required for the purpose for which they were collected.
Data subjects also have the right to file a substantiated demand in writing, in certain cases, to have the data
processing halted.
Security
Security requirements in order to protect the data
Data controllers must implement technical and organisational measures to protect the personal data processed,
appropriate to the risks involved and to the categories of data protected, and in particular must protect the data
against unauthorised disclosure, takeover by an unauthorised person, alteration, loss, damage or destruction.
Specific rules governing processing by a third party (processor) on behalf of data controller
A data controller may authorise another entity to carry out the processing of the personal data by way of a written
contract, if there are sufficient security measures protecting the data filing system. The data controller remains
responsible for the proper processing of the data.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The transfer of data within the EEA is authorised.
Transfer outside the EEA
Personal data may be transferred to a third country only if the country of destination ensures at least the same
level of personal data protection as that in Poland.
The data controller may also transfer personal data to a third country not ensuring an adequate level of data
protection if: (i) the data subject has given written consent; (ii) it is necessary for the performance of a contract
between the data subject and the controller; (iii) it is necessary for the performance of a contract concluded in the
interests of the data subject between the controller and a third party; (iv) the transfer is required by reason of
public interest or to establish legal claims; (v) the transfer is necessary in order to protect the vital interests of the
data subject; or (vi) the transfer relates to data that are publicly available.
Sensitive Data
Certain restrictions are imposed on the processing of sensitive data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, religious, party or trade union membership, as well as data concerning
health, genetic code, addictions or sexual life and data relating to convictions, decisions on penalty or fines and
other decisions issued in court or administrative proceedings.
It is prohibited to process sensitive data unless the data subject has given written consent or in other specific
circumstances described in detail in the DPA.
Enforcement
Sanctions
A breach of the DPA may give rise to criminal liability, including a fine (of between PLN 100 and PLN 720,000),
restriction of liberty or imprisonment for up to three years.
Apart from criminal sanctions defined in the DPA, civil liability could arise on the basis of general civil law rules.
Practice
According to the IGPPD, there were 1,024 complaints brought before it and 144 inspections conducted by it in
2004.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Act on the Provision of Services by way of
Electronic Means, dated 18 July 2002 (Journal of Laws of 2002, No. 144, Item 1204) (the “ECA”), which
entered into force on 10 March 2003, and by the Telecommunication Law dated 16 July 2004 (Journal of Laws of
2004, No. 171, Item 1800), the majority of which entered into force on 2 September 2004.
Conditions for sending direct marketing e-mail
Direct marketing by e-mail is permitted only if the recipient has given his/her prior consent to receiving such
e-mails. The ECA also lays down conditions for marketing e-mail sent on the basis of the recipient’s consent: the
marketing communication must be clearly distinguishable and identified as marketing communication, and must
contain: (i) the identity of the entity on whose behalf the marketing is carried out, including its e-mail address;
(ii) a clear description of the promotional activity, in particular price reductions, free services and any other
benefits; and (iii) any information that could affect the scope of the parties’ liability, in particular warnings and
reservations.
Exemptions
There are no exemptions.
Scope of application
Restrictions imposed by the ECA are applicable both to individual and corporate contacts.
Portugal.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by Law 67/98 of 26 October 1998 on personal data protection (the “DPA”).
Entry into force of the implementing legislation
The DPA came into force on 1 November 1998.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to the processing of data carried out: (i) in the context of the activities of an establishment of the
data controller in Portugal; (ii) outside national territory, in those places where Portuguese law is applicable by
virtue of international public law; or (iii) by a data controller that is not established on EU territory and that for
purposes of processing personal data makes use of equipment, automated or otherwise, situated in Portugal,
unless such equipment is used only for purposes of transit through the territory of the EU.
Material scope of application
The DPA applies to both manual and electronic files.
Personal scope of application
The DPA applies only to data relating to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The person responsible for compliance with the DPA is the data controller, defined as the natural or legal person,
public authority, agency or any other body which alone or jointly with others determines the purposes and means
of the processing of personal data. Where the purposes and means of processing are determined by laws or
regulations, the data controller is designated in the act establishing the organisation and functioning, or in the
statutes, of the legal or statutory body competent to process the personal data concerned.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Comissão Nacional de Protecção de Dados (the “CNPD”)
Rua de São Bento, n.° 148, 3°
1200-821 Lisboa
Portugal
www.cnpd.pt
Notification or registration scheme and timing
The controller must notify the CNPD before carrying out any wholly or partly automatic processing operation or set
of such operations intended to serve a single purpose or several related purposes. The authorisation of the CNPD is
required for: (i) the processing of personal data revealing philosophical or political beliefs, political party or trade
union membership, religion, privacy and racial or ethnic origin, and concerning health or sex life, including genetic
data; such authorisation is only granted when the processing is essential for the exercise of the legal or statutory
rights of the data controller or when the data subject has given his/her explicit consent; (ii) the processing of data
relating to persons suspected of illegal activities, criminal and administrative offences and decisions applying
penalties, security measures, fines and additional penalties, which may only be created and kept by public services
vested with that specific responsibility; (iii) the processing of data relating to the credit and solvency of the data
subjects; (iv) the use of personal data for purposes other than those which determined their collection; and (v) the
combination of personal data not provided for in a legal provision.
The non-automatic processing of personal data revealing philosophical or political beliefs, political party or trade
union membership, religion, privacy and racial or ethnic origin, and concerning health or sex life, including genetic
data, shall also be subject to authorisation.
Exemptions
CNPD may authorise the simplification of or the exemption from notification for particular categories of processing
that are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of the
data subjects and in order to take account of criteria of speed, economy and efficiency.
Processing whose sole purpose is the keeping of a register which, according to laws or regulations, is intended to
provide information to the public and which is open to public consultation is exempted from notification.
Data Quality
Rules on the quality of the data processed
Data must be: (i) processed lawfully and in compliance with the principle of good faith; (ii) collected for specified,
explicit and legitimate purposes; (iii) adequate, relevant and not excessive in relation to the purposes for which
they are collected; and (iv) accurate and kept up to date.
Retention period
The only time limit on the retention of data is that data must be kept in a form that permits identification of their
data subjects for no longer than is necessary for the purposes for which they were collected or for which they are
further processed. However, the storing of data for historical, statistical or scientific purposes for longer periods
may be authorised by the CNPD at the request of the data controller in the case of a legitimate interest.
Rights of Data Subjects
Right to information
Data subjects have the right to be informed about the processing of their data. The documents supporting the
collection of personal data must contain: (i) the identity of the controller or its representative; (ii) the purposes of
the processing; and (iii) other information such as the recipients or categories of recipients; whether replies are
mandatory or voluntary; and the existence and conditions of the right of access and the right to rectify, provided
they are necessary, taking into account the specific circumstances of collection of the data in order to guarantee
the data subject that they will be processed fairly.
Right of access/correction/objection and other rights
Access: The data subject has the right to obtain from the data controller at reasonable intervals and without
excessive delay or expenses: (i) confirmation as to whether or not data relating to him/her are being processed and
information as to the purposes of the processing, the categories of data concerned and the recipients to whom the
data are disclosed; (ii) communication in an intelligible form of the data undergoing processing and of any
available information as to their source; and (iii) information on the automatic processing of data.
Correction: The data subject has the right to obtain from the data controller the rectification, erasure or blocking of
data, the processing of which does not comply with the DPA; and the notification to third parties to whom the data
have been disclosed of any such rectification, erasure or blocking.
Objection to processing: The data subject has the right to object at any time on compelling legitimate grounds relating
to his/her particular situation to the processing of data relating to him/her; and to object, on request and free of
charge, to the processing of personal data for the purposes of direct marketing or any other form of research.
Security
Security requirements in order to protect the data
The data controller must implement appropriate technical and organisational measures to protect personal data
against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
Specific rules governing processing by a third party (processor) on behalf of data controller
The processor chosen by the data controller must provide sufficient guarantees with respect to the technical
security measures and organisational measures governing the processing to be carried out and must ensure
compliance with those measures.
There must be a contract or legal act binding the processor to the data controller and stipulating in particular that
the processor shall act only upon instructions from the data controller and that it is bound to implement the
appropriate technical and organisational measures to protect personal data.
Transfer of personal data to foreign countries
Transfer within the EEA
Personal data may move freely within the EU.
Transfer outside the EEA
The transfer of personal data to a country that is not a member of the EU may only take place provided that
country ensures an adequate level of protection.
The adequacy of the level of protection of a country must be assessed in the light of all the circumstances surrounding
a data transfer operation or set of such operations; in particular, consideration must be given to the nature of the
data, the purpose and duration of the proposed processing operation or operations, the country of origin and country
of final destination, the rules of law, both general and sectoral, in force in the country in question, and the
professional rules and security measures that are complied with in that country.
A transfer of personal data to a country which does not ensure an adequate level of protection may be allowed by
the CNPD in the usual circumstances (e.g. if the data subject has given his/her unambiguous consent to the
proposed transfer).
Sensitive Data
The processing of personal data revealing philosophical or political beliefs, political party or trade union
membership, religion, privacy, and racial or ethnic origin, and concerning health or sex life, including genetic data,
is prohibited unless authorised by the CNPD (see above).
Enforcement
Sanctions
The sanctions are of a quasi-criminal (administrative) and criminal nature: fines of up to EUR 30,000 and
imprisonment of up to two years. In addition, an entity that breaches the DPA is liable, under the general rules of
law, for the damage caused to the data subject or to third parties.
Practice
The number of investigations and prosecutions in 2004 is not publicly available, but there were at least 80.
In 2004, penalties of between EUR 3,500 and EUR 20,000 were imposed. The most significant penalty levied
was EUR 20,000, applied to Radiotelevisão Portuguesa, S.A. (“RTP”), the public television company, in April
2004.
RTP decided to carry out some research on the professional skills of its employees. It hired a company to assess
various pieces of data about its workers but failed to notify its employees of this assessment process. Under
Portuguese law, RTP was obliged to notify the CNPD before carrying out such a data processing operation. RTP
also informed the contractor about the trade union membership of its employees which was not authorised by
CNPD or consented to by the data subjects. The CNPD also found that RTP had a video surveillance system in
operation in its building which had not been authorised by the CNPD.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by Decree-Law No. 7/2004 of 7 January 2004 (the
“ECA”).
Conditions for sending direct marketing e-mail
Direct marketing by e-mail is authorised provided the addressee gives its prior consent (opt-in regime).
Exemptions
The supplier of goods/services may send unrequested advertising to its clients, as long as the client has been given
the explicit option to refuse, free of any charge.
Scope of application
These rules are applicable to individual contacts, although an opt-out regime for corporate contacts is foreseen.
Slovakia.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by Act No. 428/2002 Coll. on the Protection of Personal Data dated 3
July 2002, as amended by Act No. 90/2005 Coll. (the “Act”).
Entry into force of the implementing legislation
The Act came into force on 1 September 2002 (the amending Act No. 90/2005 came into force on 1 May 2005).
Scope of Application of the National Legislation
Territorial scope of application
The Act applies to the processing of personal data: (i) in the territory of Slovakia; (ii) in the territory where the data
controller is established and where Slovak law applies by virtue of public international law; and (iii) where the data
controller is outside the EEA but uses equipment situated in the territory of Slovakia, for processing personal data
other than for transit purposes.
Material scope of application
The Act protects all personal data made available by natural persons to other entities manually or electronically
including personal data processed systematically in a filing system.
Personal scope of application
The Act applies only to personal data relating to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The Act makes a distinction between the data controller and the data processor. Both are responsible for
compliance with the Act.
Where the data controller is not established in an EU Member State, but has a representative in Slovakia, such
representative is bound by the same obligations as the data controller.
A data controller is defined as a state organ, an organ of local government, other public authority or a legal or
natural person which alone or jointly with others determines the purposes and means of processing. If a separate
law regulates the purposes and means of processing of personal data, the data controller is an entity which is
designated by such law to fulfil the purposes of processing or satisfies the conditions set out by the law. The same
also applies if so determined by Community law.
A data processor is defined as a state organ, an organ of local government, other public authority or a legal or
natural person that processes personal data on behalf of the data controller or the data controller’s representative.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Office for the Protection of Personal Data (Úrad na ochranu osobných údajov) (the “Office”)
Odborárske námestie č. 3
SK-817 60 Bratislava 15
Slovakia
www.dataprotection.gov.sk
Notification or registration scheme and timing
Under the Act there are two types of registration scheme: (i) a general registration scheme, which applies to all
information systems where personal data are processed by wholly or partly automatic means (subject to the
exemptions listed below); and (ii) a special registration scheme, which applies to all information systems in which
the data controller processes: (a) at least one special category of data, and this special category of data is
transferred to a non-EU country that does not ensure an adequate level of protection; (b) personal data without the
consent of the data subject where such processing is aimed at protecting the legally protected rights and interests
of the data controller or a third party; or (c) biometric data, except for DNA analysis for the purposes of recording
entries into highly protected facilities and if so required for the internal interests of the data controller.
The general registration scheme does not require any approval by the Office; the processing of data may commence
upon filing the necessary information with the Office. In case of the special registration scheme, prior approval by
the Office is necessary before the processing may begin.
The data controller must register the information system under the general registration scheme and under the
special registration scheme, in both cases prior to starting to process the data.
Exemptions
The general registration scheme does not apply to information systems which: (i) are subject to special
registration; (ii) are supervised by a responsible person designated by the data controller in writing, who supervises
data protection under the Act; (iii) contain data of natural persons (including data of their close persons) which are
processed for the purposes of carrying out the rights or obligations of the data controller under employment or
membership relationships; (iv) contain data on membership in trade unions, political parties or religious
organisations, if such data are used solely for internal purposes; and (v) contain data which are necessary for
exercising rights or observing obligations under a separate law, or which are processed on the basis of a separate
law.
No exemptions apply in the case of the special registration scheme.
Data Quality
Rules on the quality of the data processed
The data controller must determine the purpose and means of processing personal data in advance and may only
process personal data that are compatible in scope and content with such purpose.
With respect to the quality of the data processed the data controller is obliged to: (i) collect personal data
exclusively for the specified or determined purpose; (ii) collect personal data that are adequate, relevant and not
excessive in relation to the purpose; (iii) collect personal data for different purposes separately and ensure that
they are processed and used exclusively for the purpose for which they have been collected; it is forbidden to
merge personal data collected for different purposes; and (iv) process only data which are accurate, complete and,
where necessary, kept up to date in relation to the purpose of processing; inaccurate or incomplete data should be
blocked by the data controller and rectified or completed without delay, or otherwise erased.
Retention period
The data controller must ensure that collected data are retained only for the time period necessary to attain the
purpose of processing, and must delete personal data without delay after this purpose has been achieved. The
following exceptions apply when data need not be deleted immediately: (i) if a time limit for which personal data
must be kept is set by a specific law; once such time limit has expired the personal data must be deleted; (ii) if
such data are part of archived documents; or (iii) if data are subject to further processing for historical, statistical
or scientific purposes, subject to conditions set by the Act.
Rights of Data Subjects
Right to information
A data subject must be informed by the data controller (or, where data are collected by the data processor, then by
the data processor) of: (i) the identity of the data controller or representative of the data controller, and/or the data
processor; (ii) the purpose of processing of personal data; or (iii) other information necessary for the protection of
rights of a data subject, including: (a) the identity of the person collecting personal data; (b) information on
whether the provision of personal data is voluntary or compulsory; (c) third parties or other recipients that may have
access to personal data; (d) form of publication, should such data be published; (e) non-EU countries to which the
data may be transferred; and (f) an explanation of the rights of data subjects.
Right of access/correction/objection and other rights
Data subjects have the right to request from the data controller information regarding the processing of their
personal data, the source from which the data controller acquired the personal data and a transcript of their
personal data that are the subject of processing, as well as correction of incorrect or out-of-date personal data that
are the subject of processing, deletion of personal data after the purpose of processing has been achieved, and
deletion of personal data processed in breach of the Act.
94⏐November 2005⏐Data protection legislation in the European Union⏐
Slovakia.
Data subjects are entitled to object to the processing of their data for the purposes of direct marketing and to the
processing of their data in certain cases where the Act does not require the consent of a data subject, where such
processing represents an unjustified interference with their rights or their interests protected by law.
Data subjects have the right not to be subject to a decision that produces legal effects concerning them or
significantly affects them which is based solely on automated processing of data, and the right to reject the
cross-border transfer of their personal data to a third country which does not have an adequate level of protection.
Security
Security requirements in order to protect the data
Both the data controller and the data processor are responsible for the security of personal data by implementing
appropriate technical and organisational measures to protect personal data against accidental or unlawful
destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of
processing. When taking the appropriate measures, the following must be taken into consideration: (i) the technical
means that may be used; (ii) the extent of risks that may negatively impact the safety or functionality of the
information system; and (iii) the confidentiality and importance of data that are processed. In certain cases, the
technical and organisational measures are to be implemented by the data controller and the data processor in the
form of a security project.
Specific rules governing processing by a third party (processor) on behalf of data controller
A data controller may authorise a data processor to carry out the processing of personal data by way of a written
contract if there are sufficient security measures protecting the information system.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The Act guarantees the free movement of personal data between Slovakia and the EU Member States.
Transfer outside the EEA
Transfer of data to third (non-EU) countries is subject to certain conditions and generally depends on whether or
not the other country offers an adequate level of protection. Where it does, the only condition that must be
satisfied is that the data subjects are adequately informed.
If the destination country does not offer an adequate level of protection, cross-border transfer of personal data is
allowed if such transfer takes place on the basis of a decision of the European Commission, or one of a series of
other conditions is satisfied such as: (i) the data subject has authorised in writing the proposed transmission while
being aware that the country of destination does not guarantee an adequate level of protection; (ii) the
transmission is necessary for the execution of a contract between the data subject and the data controller; (iii) the
transmission is necessary for the signing or fulfilment of a contract between the data controller and another
subject, in the interests of the data subject; (iv) the transmission is necessary for the execution of an international
treaty binding on Slovakia; (v) the transmission is necessary for the protection of vital interests of the data subject;
or (vi) the transmission concerns personal data contained in lists or registers that are publicly accessible under law.
Sensitive Data
The processing of sensitive data, being data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union or political party membership, and data on health, sexual orientation and
criminal convictions, is forbidden. Biometric data can be processed if data subjects have agreed to such processing
in a written form, or under a special law and processing by the data controller stems from such law.
The prohibition on processing of sensitive data shall not apply if the data subject has consented to such
processing, or in exceptional circumstances specified in the Act.
Enforcement
Sanctions
The Office may impose a penalty of up to SKK 10,000,000 for the processing of personal data in breach of the
Act or other serious offences; a penalty of up to SKK 5,000,000 for breach of obligations related to liquidation of
personal data or certain other major offences; a penalty of up to SKK 3,000,000 for breach of the obligation
related to registration of information systems, or certain other minor offences; or a penalty of up to SKK
1,000,000 for other named offences.
The Slovak Criminal Code provides for criminal sanctions for the unauthorised manipulation of personal data
including imprisonment or a fine. Unauthorised breach of the right to personal integrity and privacy can also trigger
responsibility under the Slovak Civil Code.
Practice
The number of investigations last year is not known. According to the most recent Report on the Data Protection in
the Slovak Republic issued by the Office, between June 2003 and March 2005 the number of investigations
undertaken by the Office was 175.
According to the online statistics of the General Prosecutor’s Office of the Slovak Republic, 12 persons were
prosecuted in 2004 in connection with the crime of unauthorised manipulation of personal data under the Slovak
Criminal Code.
The Office imposes penalties only rarely, so it is not possible to generalise on the typical level of penalties
imposed. The highest penalty levied by the Office to date was SKK 200,000 (approx. EUR 5,000), imposed on the
city administration of Košice for obstructing the exercise of the Office's functions during an inspection.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of the European Directive 2002/58/EC has been implemented by Act No. 610/2003 on Electronic
Communications of 3 December 2003 (the “ECA”). Direct marketing is subject to Section 65 of the ECA, which
came into force on 1 January 2004.
Conditions for sending direct marketing e-mail
Direct marketing by e-mail is authorised, subject to the subscriber’s prior consent (opt-in). A subscriber is a natural
or legal person that uses or requests the use of electronic communication services. Consent already given can be
withdrawn at any time.
The sending of e-mail for purposes of direct marketing that does not specify the identity of the sender or a valid
address to which the recipient may send a request seeking termination of such communication is prohibited. The
ECA does not distinguish between marketing e-mails sent to individual or corporate contacts.
Exemptions
There are no exemptions from the opt-in regime for existing clients.
Scope of application
The ECA applies with regard to both individual contacts and corporate contacts.
Slovenia.
Contributed by Schönherr Rechtsanwälte OEG
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The new Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov, UL RS No. 86/2004) (the
“ZVOP”) replaced the previous Personal Data Protection Act (UL RS No. 59/1999) and implemented Directive
95/46/EC.
Entry into force of the implementing legislation
The old ZVOP, which first transposed Directive 95/46/EC into Slovenian law, entered into force on 7 August 1999.
The new ZVOP entered into force on 1 January 2005.
Scope of Application of the National Legislation
Territorial scope of application
The ZVOP applies to any personal data processing if the data controller is incorporated or established in Slovenia or
has its registered seat in Slovenia or a branch of the controller is registered in Slovenia.
The ZVOP also applies when the data controller is not established in a Community territory and, for the purposes of
processing personal data, makes use of equipment, automated or otherwise, situated in the territory of Slovenia,
unless such equipment is used only for the purposes of transit through the territory of Slovenia.
Every individual in Slovenia is protected, regardless of the individual’s citizenship or permanent residence, or state
of establishment of the data controller/administrator.
Material scope of application
The ZVOP applies to personal data relating to an identified or identifiable natural person, whether in manual or
electronic files.
Personal scope of application
The ZVOP applies exclusively to personal data relating to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the ZVOP. The ZVOP defines a data controller as either:
(i) the natural or legal person, public authority, agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal data; or (ii) the natural or legal person set by an
act which defines the purposes and means of personal data processing.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Inspection Authority established within the Ministry of Justice (Inšpektorat za varstvo osebnih podatkov) (the
“Inspection Authority”)
Župančičeva 3
SL-1000 Ljubljana
Slovenia
www.mp.gov.si
Notification or registration scheme and timing
The data controller must notify the Inspection Authority before carrying out any wholly or partly automatic
processing operation or before adding a new category of information to the system. No approval or consent is
required. The notification must occur no later than 15 days prior to commencing data processing.
Exemptions
Data controllers that have no more than 20 employees hired for an indefinite term are not required to notify the
Inspection Authority of the personal data filing system which contains information on their employees and which the
controller is required to manage in compliance with the Labour Records Act (Zakon o evidencah na področju dela,
UL SFRJ No. 17/1990).
Data Quality
Rules on the quality of the data processed
The personal data must be accurate and, where necessary, kept up to date.
Retention period
Personal data may be kept and processed for as long as necessary to achieve the purpose for which they have been
collected.
Rights of the Data Subjects
Right to information
The data controller must inform the data subjects of the type of data collected and the list of persons/entities to
whom/which personal data referring to the data subject were provided. The data subject must also receive
information on the data controller and the purpose of information processing.
Right of access/correction/objection and other rights
Access: Data subjects may review and obtain copies of their personal data free of charge.
Correction: The data subject may ask the data controller to change and/or amend incomplete, incorrect or out of
date personal data and to erase personal data which have been collected illegally.
Others: The data subject has a right to review the sources from which data are collected and the method of
processing.
Security
Security requirements in order to protect the data
Data controllers must protect and secure personal data by organisational, technical and technical-logistical
procedures and measures against unauthorised access to information, deletion, amendment or loss of information.
Specific rules governing processing by a third party (processor) on behalf of data controller
Processors are only authorised to carry out activities within the scope of the authorisation granted by the data
controller.
Transfer of Personal Data to Foreign Countries
The data controller may transfer personal data to a foreign recipient (non-EU based), provided the importing
country has an adequate data protection system. The Inspection Authority must give prior approval to the data
transfer. Prior approval is not required if the importing country is included in the list of countries that provide
adequate data protection.
The above paragraph does not apply to transfers of personal data to persons incorporated or resident within the EU
or EEA.
Sensitive Data
Sensitive data is defined as information on racial, national or ethnic origin, political, religious or philosophical
beliefs, union membership, medical records, sexual orientation and criminal records.
Sensitive data may be collected with the consent of the data subject and for certain other important purposes (e.g.
health personnel and medical records).
In processing sensitive data, the data must be labelled and protected so as to prevent unauthorised access.
Transfer of sensitive data is deemed adequately secure if the data are encrypted and protected with an electronic
signature so that the data are illegible and unrecognisable during transfer.
Enforcement
Sanctions
The civil sanction is liability for damages. Punitive damages are not awarded. Criminal sanctions include
imprisonment of up to one year for individuals and fines of up to approximately EUR 300,000 for legal entities.
Certain violations of the ZVOP are also considered as misdemeanours, which are subject to fines of up to
approximately EUR 12,500.
Practice
In 2004 the Inspection Authority performed 100 investigations. Of these, the Inspection Authority issued six
administrative decisions, initiated misdemeanour proceedings in 13 cases and criminal proceedings in two cases.
The average fine imposed to date is between SIT 500,000 and SIT 1,000,000 (approximately EUR 2,000 to EUR
4,000). The highest fine levied to date is SIT 1,000,000 for two discrete violations.
In addition, the Inspection Authority issued 32 warnings with instructions to remedy the problem.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by an amendment to the Slovenian Consumer
Protection Act (Zakon o varstvu potrošnikov, UL RS No. 110/2002, the “ZVPot”). The effective date of
implementation was 17 January 2003.
Conditions for sending direct marketing e-mail
Direct marketing by e-mail is permitted upon prior consent of the consumer (opt-in).
Exemptions
There are no exemptions.
Scope of application
The ZVPot only applies to natural persons.
Spain.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Organic Law 15/1999 relating to Personal Data Protection (Ley
Orgánica 15/1999, de Protección de Datos de Carácter Personal) (the “DPA”).
Entry into force of the implementing legislation
The DPA entered into force on 14 January 2000.
Scope of Application of the National Legislation
Territorial scope of application
The DPA is applicable to processing carried out by a data controller established in Spain and by a data controller
not established in the EU but using equipment situated in Spain for purposes other than the mere transit of data.
The DPA is also applicable to processing carried out by a data processor established in Spain (for example, the
data processor will have to comply with the Security Measures Regulations).
Material scope of application
The DPA applies to both manual and electronic files. The processing of data already held in manual filing systems
on the date of entry into force of the DPA shall be brought into conformity by 24 October 2007.
Personal scope of application
The DPA only applies to data relating to individuals. Data relating to legal entities do not fall within the scope of
application of the DPA.
Data Controller
Entity responsible for compliance with the National Legislation
Data controllers and processors are responsible for compliance and shall be subject to the sanctioning provisions
of the DPA. A data controller is defined as the public or private natural or legal person, or agency of the
administration, which determines the purpose, content and use of the data processing. The processor is defined as
the natural or legal person, public authority, agency or any other body that alone or jointly with others processes
personal data on behalf of the controller.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Agencia Española de Protección de Datos (“AEPD”)
Sagasta, 22
28004 Madrid
Spain
www.agpd.es
Notification or registration scheme and timing
Any person intending to create personal data files is required to register with the AEPD by completing the forms
(available on the AEPD website). The General Data Protection Register of the AEPD approves the notification if the
notification form complies with the necessary requirements. It is a mere filing of information that must take place
prior to the creation of the data file. Any changes in the processing must be notified within a month of the change.
Exemptions
There are no exemptions from notification/registration.
Data Quality
Rules on the quality of the data processed
The data processed must be: (i) adequate, relevant and not excessive in relation to the purposes of the processing;
and (ii) accurate and, where necessary, kept up to date.
Retention period
Personal data shall be kept for the periods stipulated in the applicable provisions or in the contractual relations, if
any, between the data controller and the data subject. Personal data shall be erased when they have ceased to be
necessary or relevant for the purpose for which they were collected or recorded. They shall not be kept in a form
permitting identification of the data subject for longer than necessary for the purposes for which they were
collected or recorded.
Rights of Data Subjects
Right to information
Data subjects from whom personal data are requested shall be informed in advance expressly, precisely and
unambiguously of: (i) the existence of a personal data filing or processing system, the purpose of the collection of
such data and the recipients of such information; (ii) the obligatory or voluntary nature of their reply to the
questions put to them; (iii) the consequences of the collection of the data or of the refusal to supply the data;
(iv) the possibility of exercising the rights of access, rectification, erasure and opposition; and (v) the identity and
address of the data controller or its representative, if any.
Furthermore, where questionnaires or other printed forms are used for the collection of personal data, they shall set
out, in clearly legible form, the information referred to above.
Right of access/correction/objection and other rights
Data subjects have the right to access their data and to rectify them when necessary. They also have the right to
object to the processing under specific circumstances.
Data subjects have the right: (i) not to be subject to a decision that produces legal effects based solely on
automated processing of data; (ii) to consult the General Data Protection Register; and (iii) to compensation if they
have suffered damage or injury to their property or rights as a result of an infringement of the DPA.
Security
Security requirements in order to protect the data
Royal Decree 994/1999, of 11 June, approved the Security Measures Regulations, which classify security
measures into three levels: basic, medium and high, depending on the nature of the information processed.
Specific rules governing processing by a third party (processor) on behalf of data controller
The performance of processing operations by a processor on behalf of a data controller must be governed by a
contract that must be in writing or another form permitting its conclusion and contents to be evidenced.
The processing contract shall expressly stipulate that the processor shall only process the data in accordance with
the instructions of the data controller, that it shall not process the data for purposes other than those provided in
such contract nor disclose the data, even for storage purposes, to other persons.
Once the contractual obligations have been performed, the personal data must be destroyed or returned to the data
controller, together with any medium or document in which any personal data that is the subject of processing are
recorded.
Sub-contracting by the processor to a third party is only permitted if the contract between the data controller and
the processor contemplates such sub-contracting, identifying the processing to be sub-contracted and the identity
of the sub-processor, and if the processing carried out by the sub-processor complies with the instructions of the
controller.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The Act authorises the transfer of data within the EEA.
Transfer outside the EEA
The principle is that international transfers to countries that do not provide a level of protection equivalent to that
provided under Spanish law are prohibited, unless prior authorisation has been granted by the Director of the AEPD.
The Act sets out a number of derogations under which prior authorisation is not required.
Whether or not the transfer requires prior authorisation, it has to be notified to the AEPD. In this regard, the
standard form to notify the creation of data files includes a section on international transfers. If this section is not
completed when the file is initially notified, the notification must be amended to include the transfer.
Sensitive Data
Personal data revealing ideology, trade union membership, religion and beliefs may only be processed with the
express, written consent of the data subject.
Personal data relating to racial origin, health or sex life may only be obtained, processed and disclosed when so
provided by a law on grounds of general interest, or with the data subject’s express consent. Data files containing
sensitive data must implement high-level security measures (in addition to basic and medium security measures
they must, among other duties, encrypt the information when distributing it, etc., as set out in the Security
Measures Regulations).
Enforcement
Sanctions
Spain has one of the most stringent penalty systems in the entire EU in the event of breach of the DPA, with fines
of up to EUR 601,012.10. The penalties established pursuant to the DPA range from EUR 601.01 to EUR
601,012.10, depending on the severity of the breach. Breach of the DPA implies fines but it must be noted that
the Spanish Criminal Code also establishes a number of criminal offences derived from the violation of secrets and
breach of privacy.
Practice
In 2003, there were approximately 600 investigations carried out by the AEPD. There were 191 sanctioning
proceedings started (163 against private entities and 28 against public entities) in that period. In most of the
cases, the AEPD imposed the minimum level of fine for single infringements. Therefore, the typical fine imposed
for a non-serious breach was EUR 601.01, for a serious breach EUR 60,101.21 and for a very serious breach EUR
300,506.10. Nevertheless, in some proceedings the AEPD imposed a single fine covering several
infringements, and on some occasions the AEPD imposed a fine higher than the minimum amount of
the corresponding threshold.
The highest fine imposed by the AEPD in a single administrative proceeding to date is the one imposed on
Zeppelin (the producer of the television programme “Gran Hermano” (“Big Brother”)) in January 2001. The fine
amounted to EUR 1,081,822. The breaches of the DPA were the following: (i) not complying with the information
rights of the participants in the programme; (ii) not obtaining their express consent for the processing of sensitive
data; (iii) not fulfilling the requirements for data processing by third parties, it therefore being deemed that a
disclosure of data which had not been consented to had taken place; and (iv) not complying with regulations on
security measures.
The facts that led to the investigation were that Zeppelin’s security system was breached and the data of the
participants in the programme were made available over the Internet.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented in Law 34/2002 on information society services and
electronic commerce (the “ECA”) as amended by Law 32/2003 on General Telecommunications (the “Amended
ECA”). The ECA is effective as of 12 October 2002. The Amended ECA is effective as of 5 November 2003.
The rest of the provisions concerning the processing of personal data and the protection of privacy in the electronic
communications sector set out in Directive 2002/58/EC such as itemised billing, traffic data, location data other
than traffic data, directories of subscribers, etc. were incorporated into Spanish Law by Royal Decree 424/2005,
which entered into force on 30 April 2005.
Conditions for sending direct marketing e-mail
The Amended ECA provides that it is forbidden to send advertising or promotional communications by e-mail, or by
any other equivalent means, if they have not been requested or expressly authorised by the recipient of such
communication. This is an opt-in regime.
Exemption
An exemption from the opt-in regime applies where there is a prior contractual relationship between the service
provider and the recipient, as long as the contact data have been obtained lawfully and are used to send
commercial communications regarding products or services of the service provider that are similar to those
covered by the prior contractual relationship.
Scope of application
The ECA and Amended ECA apply both to corporate and individual subscribers. Individual subscribers include
individuals at corporate accounts as well as private accounts.
Sweden.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented through the Swedish Data Protection Act (Personuppgiftslagen
(1998:204), the “DPA”).
Entry into force of the implementing legislation
The DPA entered into force on 24 October 1998 but due to transitional regulations it only entered into full force on
1 October 2001.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to data controllers established in Sweden. It also applies when a data controller is established in
a third country (i.e. a country outside the EU/EEA) but for the processing of personal data uses equipment that is
situated in Sweden, provided that the equipment is not used only to transfer information between the third country
and another such country.
Material scope of application
The DPA is applicable to both manual and electronic files.
Personal scope of application
It is only applicable to data relating to individuals.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as the person
who alone or together with others decides the purpose and means of processing personal data.
National Regulatory Authority (“NRA”)
Details of the competent NRA
Datainspektionen (the “Data Inspection Board”)
Box 8114
SE-104 20 Stockholm
Sweden
www.datainspektionen.se
Notification or registration scheme and timing
There is a general duty to notify the Data Inspection Board about processing of data. The registration scheme is
merely a filing of information. The notification should take place before the processing is conducted.
Exemptions
The notification duty only includes processing of data that is completely or partially automated. There are,
however, several exceptions to the general notification duty. The notification duty does not apply, for example, if
the data subject has given his/her consent or if the data controller has appointed a personal data representative.
Neither is notification required, for example, if the personal data processed relates to a data subject with whom the
data controller has a certain relationship (such as follows from employment, membership, customer relationship or
similar) if the data controller maintains a schedule of the processing including such information that otherwise
would have been included in a notification.
Data Quality
Rules on the quality of the data processed
There are some general requirements regarding data that is processed, which prescribe, for example, that the
personal data processed must be correct and, if necessary, up to date, adequate and relevant in relation to the
purposes of the processing and that no more personal data than necessary may be processed.
Retention period
The personal data should not be kept for a longer period than necessary for the purpose of the processing. There
are no fixed time limits.
Rights of Data Subjects
Right to information
The data controller must, on its own initiative, inform the data subject about the processing of personal data. The
information must comprise the identity of the data controller, the purpose of the processing and all other
information necessary for the data subject to be able to exercise his/her rights in connection with the processing.
Right of access/correction/objection and other rights
Access: Every individual is, once per year and free of charge, entitled, upon written request, to receive notification
as to whether personal data concerning him/her has been processed. If so, information regarding the processing
should be provided.
Correction: The data subject is entitled to obtain immediate rectification, blocking or erasure of personal data that
has not been processed in accordance with the DPA.
Objection to processing: Personal data may not be processed for purposes of direct marketing if the data subject
notifies the data controller in writing that he/she opposes such processing.
Security
Security requirements in order to protect the data
The data controller must implement appropriate technical and organisational measures to protect the personal data
that are processed.
Specific rules governing processing by a third party (processor) on behalf of data controller
If the data controller engages a processor, the parties must enter into a written contract. The contract must
stipulate that the processor is permitted to process the data only in accordance with instructions from the data
controller. Further, the data controller must ensure that the processor complies with security requirements as
described above.
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Transfer within the EEA is permitted.
Transfer outside the EEA
The transfer of personal data to third countries (i.e. countries outside the EU/EEA) is prohibited unless the third
country has an adequate level of protection.
Notwithstanding this prohibition, it is permitted to transfer the data if the data subject has given his/her consent to
the transfer or if the transfer is necessary for purposes specified in the DPA.
In addition, it is also permitted to transfer data for use: (i) in a state that has acceded to the Council of Europe
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; (ii) in a state
considered by the European Commission to have an adequate level of protection for the data processed; (iii) in
accordance with the standard EC Model Clauses; or (iv) to a data controller in the U.S. that has signed up to the
Safe Harbor framework.
Sensitive Data
As a general rule, it is prohibited to process sensitive personal data. Sensitive personal data are data that reveal
race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data
concerning health or sexual life. Such data may, however, be processed if the data subject has given his/her
explicit consent, if the data subject, in a clear way, has published the information or if the processing is necessary
with regard to certain purposes specified in the DPA.
Data concerning legal offences may in principle only be processed by public authorities.
Personal identity numbers may, in the absence of consent, only be processed when it is clearly justified with regard
to the purpose of the processing, the importance of secure identification, or some other noteworthy reason.
Enforcement
Sanctions
The DPA provides for both civil and criminal sanctions.
The data controller must compensate the data subject for damages and violation of personal integrity that
processing of personal data in contravention of the DPA has caused.
Certain violations of the DPA may lead to fines or imprisonment for a maximum of six months or, if the crime is
major, to imprisonment for a maximum of two years. A sentence is not imposed in minor cases.
Practice
The Data Inspection Board registered 229 matters last year.
The typical penalties imposed are fines and damages which are awarded to the victim. The level of the penalty
varies according to the severity of the crime and the income of the person responsible for the breach of the data
protection legislation.
There have been cases of imprisonment for breaches of the data protection legislation, in particular cases where
the infringer has committed other additional offences, for example, severe defamation. Another case which
involved imprisonment for breach of the data protection legislation concerned two persons with Nazi leanings who
set up a register containing a large group of people with their religious and political beliefs, sexual life, race etc.
The sentence was based mainly on the breach of the data protection legislation. One of the victims of the
infringement received SEK 10,000 in damages (approximately EUR 1,070).
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC was implemented on 1 April 2004 through a modification of the Marketing Act
(Sw. marknadsföringslagen (1995:450)).
Conditions for sending direct marketing e-mail
Direct marketing by e-mail is in principle only permitted if the recipient has given his/her consent (opt-in).
Exemptions
Such marketing may, however, be permitted provided that: (i) the marketing company has received the e-mail
address from a customer in connection with the sale of a product; (ii) the customer has not opposed the use of
the e-mail address for marketing by e-mail; (iii) the marketing concerns the company's own, similar products; and
(iv) the customer is given the opportunity, without charge and in an easy way, to oppose the information being used
for marketing purposes both when the information is collected and on every further marketing occasion.
Scope of application
The rules are applicable only to individuals.
Switzerland.
Contributed by Homburger Rechtsanwälte
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The Swiss Federal Data Protection Act (the “DPA”) is dated 19 June 1992. Since Switzerland is neither an EU
Member State nor an EEA Member State, Directive 95/46/EC does not need to be implemented in Swiss law.
However, in order to implement the Additional Protocol to the Council of Europe Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data (CETS No. 181), the Swiss Legislator has
proposed a revision of the DPA. The proposed changes are highly disputed and it is uncertain whether and when
the revised DPA will enter into force.
Entry into force of the implementing legislation
The DPA came into force on 1 July 1993.
Scope of Application of the National Legislation
Territorial scope of application
Swiss courts will in general apply the DPA, at the data subject's election, if either: (i) the data subject is
resident in Switzerland (provided this was foreseeable for the data controller or processor); (ii) the data controller or
processor has its seat of residence in Switzerland; or (iii) the data processing (or other violation of privacy) occurs
in Switzerland (provided this was foreseeable for the data controller or processor). In addition, the DPA's export
notification obligations will apply whenever personal data databases are exported out of Switzerland.
Material scope of application
Processing of personal data comprises all operations relating to personal data, regardless of the means and
procedures used. Accordingly, the DPA applies to both manual and electronic files. The DPA does not apply to
personal data processed by an individual solely for personal purposes and not disclosed to third parties. Another
important exception is that the DPA does not apply to pending civil, criminal, judicial assistance and
administrative recourse proceedings.
Personal scope of application
The DPA applies to all processing of personal data relating to individuals and to legal entities.
Data Controller
Entity responsible for compliance with the National Legislation
Everyone who processes personal data must comply with the DPA. Accordingly, not only data controllers but also
data processors are responsible for compliance. The data controller is defined in the DPA as any private person or
federal authority who decides on the purpose and the content of the files. Cantonal and local authorities are
governed by separate, cantonal data protection legislation, not the DPA.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Swiss Federal Data Protection Commissioner (“DPC”)
Feldeggweg 1
CH-3003 Berne
Switzerland
www.edsb.ch
Notification or registration scheme and timing
Data controllers which regularly process sensitive personal data or personality profiles or regularly disclose personal
data to third parties must publicly register their data collection with the DPC. This registration does not require any
approval and is, therefore, a mere notification system. The registration must take place before the processing is
commenced.
In addition, data controllers must notify the DPC prior to transferring (or otherwise making available) personal data
databases outside of Switzerland.
Exemptions
No registration/notification is required if: (i) there is a statutory obligation to process the personal data in a
particular way; or (ii) the data subject is aware of the data processing which is subject to the registration/notification
obligation (the data subject's consent is not required). Most data processors rely on the latter exemption to avoid any
registration/notification.
There are further exceptions to the above notification obligations. For instance, there is no obligation to notify a
transfer of a personal data database abroad if: (i) the database is transferred to a country with equivalent data
protection legislation; (ii) it does not contain sensitive personal data or personality profiles; and (iii) no further
transfer to a country without equivalent data protection legislation is intended.
Data Quality
Rules on the quality of the data processed
Personal data must be accurate. Moreover, data must be relevant and necessary for the purpose for which they are
collected.
Retention period
Personal data may not be kept for longer than is necessary for the purpose for which they are processed.
Absent a sufficient justification, personal data may only be processed for the purposes that: (i) have been
communicated upon their collection; (ii) were apparent based on the circumstances; or (iii) are provided for by
statutory law. In addition, mandatory statutory restrictions apply to the processing of employee personal data.
Rights of Data Subjects
Right to information
Currently there is no statutory duty requiring the data controller to explicitly inform the data subject of the
processing. With the intended revision of the DPA (see above), however, a provision may be added to the DPA
which would provide for an information obligation if sensitive data or personality profiles are processed.
Right of access/correction/objection and other rights
Access: Data subjects, who must identify themselves, may ask data controllers in writing for confirmation as to
whether they process personal data relating to them, and request (usually free of charge) information as to all
personal data relating to them that is contained in the data controller's data collection, the purposes of the
processing and, where applicable, the legal basis for the processing, the categories of personal data concerned, the
persons involved in the processing of the data collection and, finally, the recipients to whom the data are
disclosed.
Correction: The data subject may request the personal data to be rectified or deleted.
Objection: The data subject may request that no personal data be disclosed to third parties or processed further.
Security
Security requirements in order to protect the data
Personal data must be protected against unauthorised processing by adequate technical and organisational means.
Specific rules governing processing by a third party (processor) on behalf of data controller
Processing of personal data may be outsourced to a third party: (i) if the data controller ensures that the data are
only processed in the way that the data controller would be entitled to; and (ii) if no statutory or contractual
confidentiality obligations prohibit the outsourcing. To the extent that a certain data processing requires a
particular justification, the third party may rely on the same justifications as the data controller.
Transfer of Personal Data to Foreign Countries
Personal data may only be transferred to countries with equivalent protection of personal data. According to the
non-binding list of countries with equivalent data protection published by the DPC, personal data relating to
individuals may for instance in principle be transferred to EU Member States that have implemented Directive
95/46/EC. If data are to be transferred to countries with no equivalent protection, a justification such as the data
subject’s consent is required. Alternatively, the data exporter may establish a sufficient level of data protection by
entering into a transborder data flow contract with the data importer (comparable to the standard contract clauses
adopted by the EU Commission, a copy of which is available from the Swiss authority’s website).
Sensitive Data
Sensitive data may not be disclosed to third parties without sufficient justification such as the data subject’s
consent and regular processing of such data may require a registration with the DPC. Sensitive data are personal
data regarding opinions or activities relating to religion, philosophy, politics or trade unions; health, the private
sphere or racial origin; social aid; and administrative or criminal proceedings and sanctions.
It should be noted that under the DPA, the rules for sensitive data also apply to personality profiles, i.e.
combinations of data that allow the assessment of fundamental characteristics of the personality of an individual.
Enforcement
Sanctions
The data subject is entitled to civil remedies such as damages and legal redress.
In addition, individuals who are in breach of their statutory duties of information, notification and co-operation are
subject to criminal sanctions and may be imprisoned or fined. The same criminal sanctions also apply for the
breach of professional secrecy. However, in practice, the competent authorities are very reluctant to impose
criminal sanctions on data controllers.
Practice
There are no official statistics on the number of investigations and prosecutions concerning violations of the DPA.
Between April 2004 and March 2005, the DPC conducted 30 official investigations (four of which were not
completed in the period, and 15 cases concerned the right of access to homeland security files) and made six
official “recommendations” (see below). The Federal Data Protection Commission, which acts as an appellate
instance, processed 32 cases in 2004, of which 17 were new and 11 were completed in 2004 (most cases relate
to data processing by federal authorities). The number of DPA related cases decided by civil or criminal courts is
not known; it is known, however, that since coming into force in 1993, as of August 2004, the criminal provisions
of the DPA have resulted in only one prison sentence (a five day term plus a fine of CHF 750 in 1996); convictions
that only resulted in fines are not recorded.
In addition to the criminal provisions of the DPA, the Swiss Penal Code provides that a person who obtains
sensitive data or personality profiles from a non-public data collection without authorisation shall be punished by
imprisonment or fined. Since 1993, the foregoing provision has led to a total of five recorded criminal convictions
(in the years 1995, 1996 and 2002, where the most significant term was for 28 days, the most significant fine
was CHF 750 and the average fine was CHF 575).
Apart from the civil and criminal sanctions, the DPC may conduct investigations in the private sector if a particular
method of data processing could violate the privacy of a larger number of people (in addition to supervising the
federal authorities’ DPA compliance). Based on such investigations in the private sector, the DPC may issue case
specific “recommendations” and may publish them.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Since Switzerland is neither an EU Member State nor an EEA Member State, Directive 2002/58/EC does not need
to be implemented in Swiss law. Nevertheless, the Swiss Legislator is currently discussing a proposed revision of
the Swiss Unfair Competition Act in order to expressly prohibit spamming and other forms of unsolicited
commercial e-communications except under certain conditions (“opt-in” as a principle; “opt-out” for existing
clients). The provision would be similar to Article 13 of Directive 2002/58/EC. Since the (undisputed) proposal is
part of a controversial revision of the Swiss Telecommunications Act, it is not clear when the anti-spamming
provision will enter into force.
Conditions for sending direct marketing e-mail
Currently, Swiss law has no specific provision regarding unsolicited e-mails. However, the Federal Data Protection
Commission (“FDPC”) has ruled that under the DPA, e-mail marketing is admissible only on an “opt-in” basis, i.e.
with the prior express consent of the intended recipients. The FDPC found that sending unsolicited e-mails to
unknown recipients using e-mail addresses indiscriminately collected on the Internet violates the DPA, regardless
of whether such e-mails provide for an opt-out. Of course, since the DPA entitles data subjects to ban data
controllers from using personal data, they in any case may require spammers to stop sending unsolicited e-mails
(opt-out).
In addition, unsolicited e-mails may already under present law qualify as unfair competition, for instance if a false
or unrecognisable sender address is used, if the e-mails are sent to a large, unspecific group of recipients or if the
e-mails are sent to recipients that have previously opted-out.
United Kingdom.
General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act 1998 (the “DPA”) dated 16 July 1998.
Entry into force of the implementing legislation
The majority of the provisions came into force on 1 March 2000.
Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to data controllers in respect of any data if: (i) the data controller is established in the UK
(including offices, branches, agencies or other regular practice in the UK) and data are processed in the context of
that establishment; or (ii) the data controller is established outside the EEA, but uses equipment in the UK for
processing personal data other than for transit purposes.
Material scope of application
The DPA applies to both manual and electronic files. The manual files must form part of an organised filing
system.
Personal scope of application
The DPA only applies to “personal data”, which is any data relating to individuals. In order for the DPA to apply,
such individuals must be identifiable from: (i) the data; or (ii) the data and other information which is, or is likely
to come into, the possession of the data controller.
The definition of “personal data” was considered further by the Court of Appeal in the case of Durant, which
suggested that there are two notions which may be used to help decide whether information could be considered to
be “personal data”. The first is whether the information is “biographical in a significant sense, that is, going
beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal
connotations, a life event in respect of which his privacy could not be said to be compromised”. The second is that
the information should have the data subject as its focus rather than some other person or event such as an
investigation into some other body’s conduct. The court also held that: “In short, [personal data] is information
that affects his privacy, whether in his personal or family life, business or professional capacity.” The decision was
a controversial one, and has attracted considerable criticism.
Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as a person who
(either alone or jointly or in common with other persons) determines the purposes for which and the manner in
which any personal data are, or are to be, processed.
National Regulatory Authority (“NRA”)
Details of the competent NRA
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
www.informationcommissioner.gov.uk
Notification or registration scheme and timing
Unless the processing is exempt, personal data may not be processed by a data controller that has not submitted
notification to the Information Commissioner. No approval is required. The notification must occur prior to the first
processing of personal data.
Exemptions
Every data controller who is processing personal data must notify the Information Commissioner unless they are
exempt. Exemptions apply in respect of: (i) staff administration; (ii) advertising and marketing etc. of the data
controller’s business; (iii) accounts and records of the data controller or its customer/supplier; and (iv) certain
processing relating to non-profit making organisations.
Data Quality
Rules on the quality of the data processed
The rules are set out in the data protection principles listed in the DPA. The third data protection principle states
that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which
they are processed. The fourth principle states that personal data shall be accurate and, where necessary, kept up
to date.
Retention period
The fifth data protection principle states that personal data processed for any purpose shall not be kept longer than
is necessary for that purpose.
Rights of Data Subjects
Right to information
Upon written request, any data controller must inform the individual whether it has processed or is processing any
data concerning him/her. If it has or is, it must describe the personal data, the purpose for which they are
processed and third parties to which they are, or may be, disclosed. Where data are processed automatically and
are likely to form the sole basis for a decision significantly affecting the data subject, he/she will be entitled to
know the logic involved in that decision making, provided it is not confidential.
Right of access/correction/objection and other rights
Access: Data subjects may obtain copies of their personal data on written request to data controllers.
Correction: In certain cases, the data subject may ask the court to order the data controller to rectify, block, erase
or destroy the data.
Objection to processing: An individual may in writing require that the data controller cease processing either
generally or for a specified purpose or in a specified manner data concerning the individual if such processing is
likely to cause substantial damage or distress to the individual or a third party and that damage/distress would be
unwarranted.
Other: A data subject may require in writing that a data controller stop processing data for direct marketing
purposes. In certain cases, a data subject may object to decisions being taken about him/her based solely on
automatic processing.
Security
Security requirements in order to protect the data
Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and
against accidental loss or destruction of, or damage to, personal data. Data controllers must ensure an appropriate
level of security for the processed data having regard to possible damage and the nature of the data. The adequacy
of measures taken is to be judged with regard to the state of technology and the cost of such measures.
Specific rules governing processing by a third party (processor) on behalf of data controller
The processing of personal data by a data processor must be in accordance with a written contract with the data
controller requiring the processor to act only on instruction from the data controller and requiring the data
processor to comply with the obligations equivalent to those imposed on the data controller by the seventh
principle (security).
Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The DPA permits transfers within the EEA.
Transfer outside the EEA
The DPA prohibits transfers outside the EEA unless the destination ensures adequate protection for that data.
Adequacy is to be assessed by the data controller. Personal data can be transferred outside the EEA under the
usual circumstances (e.g. if there has been a Community adequacy finding, the data importer has signed up to the
Safe Harbor or the EC Model Clauses, the data subject has consented or the transfer is necessary for the
performance of a contract). A number of more minor grounds also exist.
Sensitive Data
Special protection is provided for personal data that are sensitive, i.e. concerning the data subject’s racial or ethnic
origin, political opinions, religious or similar beliefs, membership of a trade union, physical or mental health or
conditions, sexual life, commission of an offence or proceedings for an offence.
Enforcement
Sanctions
Breaches may incur civil liability or criminal sanctions, which include unlimited fines (including for directors) but
not jail terms. A breach of a data protection principle is not of itself a criminal offence, but may result in an
Enforcement Notice. Breach of that notice may be a criminal offence.
Practice
20,138 cases were closed by the Information Commissioner in 2004/5. In that period there were 12 prosecutions.
The penalties imposed range from £100 to £3,150, with the average level of penalty being around £250.
The most significant penalty levied to date was a fine of £5,000 plus costs. The penalty was imposed on the
London Borough of Havering.
Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Privacy and Electronic Communications (EC
Directive) Regulations 2003 (the “ECA”). The effective date was 11 December 2003.
Conditions for sending direct marketing e-mail
It is not permitted to transmit unsolicited direct marketing e-mail unless the recipient has previously notified the
sender that he/she consents for the time being to such communications being sent by the sender. This is usually
considered opt-in, but may also be achieved using an opt-out approach in certain circumstances.
Exemptions
It is permitted to send e-mail for the purposes of direct marketing where: (a) the sender has obtained the contact
details of the recipient of that e-mail in the course of the sale or negotiations for the sale of a product or service to
that recipient; (b) the direct marketing is in respect of the sender’s similar products and services only; and (c) the
recipient has been given a simple means of refusing (free of charge except for the costs of transmitting the refusal)
the use of his contact details for the purposes of such direct marketing, at the time that the details were initially
collected and with each subsequent communication. This is therefore opt-out.
Scope of application
The ECA only applies to individual contacts. It does not apply to corporate contacts (including individuals at
corporates).
Contacts.
Austria
Michael Lagler
Schönherr Rechtsanwälte OEG
Tel: (43) 1 53437 127
Fax: (43) 1 53437 6177
[email protected]
A-1010 Wien, Tuchlauben 17, Vienna, Austria
www.schoenherr.at

Belgium
Tanguy Van Overstraeten
Linklaters De Bandt
Tel: (32) 2 501 95.15
Fax: (32) 2 501 91.14
[email protected]
13, rue Brederodestraat, 1000 Brussels, Belgium
www.linklaters.be

Cyprus
Ms Galatia Sazeidou
Georgiades & Pelides
Tel: (357) 22 315939
Fax: (357) 22 315553
[email protected]
Eagle House, 10th floor, 16 Kyriakos Matsis Avenue, Ayioi Omoloyites, 1082 Nicosia, Cyprus
www.cypruslaw.com.cy

Czech Republic
Barbora Lezatkova & Hana Gawlasova
Linklaters
Tel: (420) 221 622 224/125
Fax: (420) 221 622 199
[email protected]
[email protected]
Na Prikope 19, Prague 1, Czech Republic
www.linklaters.com

Denmark
Jakob Skaadstrup Andersen & Nicolai Hesgaard
Gorrissen Federspiel Kierkegaard
Tel: (45) 33 41 41 41
Fax: (45) 33 41 41 33
[email protected]
[email protected]
H.C. Andersens Boulevard 12, DK-1553 Copenhagen V, Denmark
www.gfklaw.dk

Estonia
Raino Paron
Raidla & Partners
Tel: (372) 6 407 170
Fax: (372) 6 407 171
[email protected]
Roosikrantsi 2, 10119 Tallinn, Estonia
www.raidla.ee

Finland
Kaisa Fahllund
Hannes Snellman Attorneys at Law Ltd
Tel: (358) 9 2288 841
Fax: (358) 9 2288 4323
[email protected]
Eteläranta 8, 00130 Helsinki, Finland
www.hannessnellman.fi

France
Pierre Gougé
Linklaters
Tel: (33) 1 56 43 56 43
Fax: (33) 1 43 59 41 96
[email protected]
25, rue de Marignan, 75008 Paris, France
www.linklaters.com

Germany
Dr Fabian Niemann
Linklaters Oppenhoff & Rädler
Tel: (49) 69 71003-372
Fax: (49) 69 71003-333
[email protected]
Mainzer Landstrasse 16, 60325 Frankfurt am Main, Germany
www.linklaters.com

Dr Jürgen Hartung
Linklaters Oppenhoff & Rädler
Tel: (49) 221 20910
Fax: (49) 221 2091 435
[email protected]
Börsenplatz 1, D-50667 Cologne, Germany
www.linklaters.com

Dr Konrad Berger
Linklaters Oppenhoff & Rädler
Tel: (49) 89 4 18 08 0
Fax: (49) 89 4 18 08 100
[email protected]
Prinzregentenplatz 10, D-81675 Munich, Germany
www.linklaters.com

Greece
Maria Giannakaki
J. Karageorgiou & Associates
Tel: (30) 210 7221021
Fax: (30) 210 7213981
[email protected]
[email protected]
35, Vas. Sofias Avenue, GR-106 75 Athens, Greece

Hungary
Dr András Lendvai
Berecz & Andrékó Linklaters
Tel: (36) 1 428 4400
Fax: (36) 1 428 4444
[email protected]
H-1054 Budapest, Széchenyi rkp. 3., Hungary
www.linklaters.com

Iceland
Erlendur Gíslason
LOGOS - Legal Services
Tel: (354) 5 400 300
Fax: (354) 5 400 301
[email protected]
Efstaleiti 5, 103 Reykjavík, Iceland
www.logos.is

Ireland
Philip Nolan
Mason Hayes & Curran, Solicitors
Tel: (353) 16145000
Fax: (353) 16145001
[email protected]
6 Fitzwilliam Square, Dublin 2, Ireland
www.mhc.ie

Italy
Avv. Daniele Vecchi
Avv. Melissa Marchese
Gianni, Origoni, Grippo & Partners
Tel: (39) 02 763741
Fax: (39) 02 76009628
[email protected]
[email protected]
Piazza Belgioioso, 2, 20121 Milano, Italy
www.gop.it

Latvia
Sanda Lace
Klavins & Slaidins
Tel: (371) 781 4848
Fax: (371) 781 4849
[email protected]
Elizabetes 15, Riga LV-1010, Latvia
www.klavinsslaidins.lv

Liechtenstein
Dr Johannes Grabher
Wanger Advokaturbüro
Tel: (423) 237 52 52
Fax: (423) 237 52 53
[email protected]
Äulestrasse 45, FL-9490 Vaduz, Liechtenstein
www.wanger.net

Lithuania
Dr Mindaugas Kiskis
Lideika, Petrauskas, Valiunas ir partneriai
Tel: (370) 5 268 1888
Fax: (370) 5 212 5591
[email protected]
Jogailos g.9/1, LT-01116 Vilnius, Lithuania
www.lawin.lt

Luxembourg
Emmanuelle Ragot
Linklaters Loesch
Tel: (352) 26 08 1
Fax: (352) 26 08 88 88
[email protected]
35, avenue John F. Kennedy, L-1855 Luxembourg
www.linklaters.com

Malta
Dr Brigitte Zammit
Mamo TCV Advocates
Tel: (356) 2123 1345 or (356) 2124 8375
Fax: (356) 2124 4291 or (356) 2123 1298
[email protected]
Palazzo Pietro Stiges, 90, Strait Street, Valletta VLT 01, Malta
www.mamotcv.com

The Netherlands
Catrien Noorda
De Brauw Blackstone Westbroek
Tel: (31) 20 577 1412
Fax: (31) 20 471 5831
[email protected]
P.O. box 75084, 1070 AB Amsterdam, The Netherlands
www.debrauw.com

Norway
Andreas Wahl
Wiersholm, Mellbye & Bech, advokatfirma AS
Tel: (47) 210 210 00
Fax: (47) 210 210 01
[email protected]
Ruseløkkveien 26, PO Box 1400 Vika, N-0115 Oslo, Norway
www.wiersholm.no

Poland
Daniel Hasik
Linklaters
Tel: (48) 22 526 51 36
Fax: (48) 22 526 50 60
[email protected]
Warsaw Towers, ul. Sienna 39, Warsaw, PL-00-121, Poland
www.linklaters.com

Portugal
Carlos Pinto Correia
Linklaters
Tel: (351) 21 864 00 32
Fax: (351) 21 864 00 04
[email protected]
Avenida Fontes Pereira de Melo, 14-15°, 1050-121, Lisbon, Portugal
www.linklaters.com

Slovenia
Dr Florian Kirchhof
Schönherr Rechtsanwälte
Tel: (386) 1 2000 980
Fax: (386) 1 4260 711
[email protected]
Tomsiceva 3, SI-1000 Ljubljana, Slovenia
www.schoenherr.at

Spain
Carmen Burgos
Linklaters
Tel: (34) 91 399 60 35
Fax: (34) 91 399 61 43
[email protected]
Zurbarán, 28. 28010 Madrid, Spain
www.linklaters.com

Sweden
Jonas Forzelius
Linklaters Advokatbyrå AB
Tel: (46) 8 665 67 66
Fax: (46) 8 667 68 83
[email protected]
Regeringsgatan 67, Box 7833, SE-103 98 Stockholm, Sweden
www.linklaters.com

Switzerland
David Rosenthal
Homburger Rechtsanwälte
Tel: (41) 43 222 10 00
Fax: (41) 43 222 15 00
[email protected]
Weinbergstrasse 56/58, PO Box 338, CH-8035 Zurich, Switzerland
www.homburger.ch
United Kingdom
Zuzana Turayová
Linklaters
Tel: (421) 2 5929 1148
Fax: (421)2 5929 1210
[email protected]
Christopher Millard
Richard Cumbley
Linklaters
Tel: (44) 20 7456 2000
Fax: (44) 20 7456 2222
[email protected]
[email protected]
Hlavné námestie 5,
811 01 Bratislava, Slovakia
One Silk Street, London EC2Y 8HQ,
United Kingdom
Slovakia
www.linklaters.com
www.linklaters.com
Linklaters, One Silk Street, London EC2Y 8HQ. Tel: (44) 20 7456 2000 Fax: (44) 20 7456 2222. www.linklaters.com
© Linklaters 2005