Data protected.
Data protected. A report on the status of data protection legislation in the European Union in 2005.

Foreword

Welcome to the 2005 edition of ‘Data Protected’, a special report prepared by Linklaters’ Technology, Media & Telecommunications Group which outlines and analyses current EU data protection legislation. The report covers each EU Member State, as well as Iceland, Liechtenstein and Norway (which together with the EU Member States make up the European Economic Area) and Switzerland.

Since 24 October 1995, when Directive 95/46/EC on “the protection of individuals with regard to the processing of personal data and on the free movement of such data” was adopted, data protection has become a subject with significant legal implications for individuals and organisations. In a market of about 470 million people, it is critical that businesses address compliance with data protection legislation in all relevant countries, especially as a failure to process personal data in accordance with the relevant legislation may lead to severe consequences, including payment of damages and fines as well as reputation issues. For this reason, the report, now in its second year of publication, has been revised to include more detailed information on the sanctions imposed for infringement of data protection provisions in each of the countries. A commentary on the extent of these sanctions and the variation between jurisdictions precedes the individual country sections and is included on page 5 of the report.

The report has been updated to reflect the major changes to France’s data protection legislation which occurred on 6 August 2004 when France, the last EU Member State to do so, finally implemented the Directive. Additionally, the report reflects significant changes that have been made to data protection legislation in Slovakia and Slovenia.
The report has also been amended to reflect the recent implementation, in a number of the jurisdictions, of Article 13 of Directive 2002/58/EC which relates to marketing by email.

The purpose of this report is not to provide exhaustive information regarding data protection in all the countries profiled but rather to create awareness of the main applicable rules. As with the previous edition of the report, the relevant issues for each jurisdiction are presented in a standard format, allowing a simple comparison of the legal situation to be made between countries. Needless to say, each contributor law firm is responsible for the contents of its own section. This edition of the report was prepared with input from the various law firms as of September 2005. Should you have any questions in connection with the issues raised or if specific advice is needed, please consult any of the lawyers referred to in the contact list at the end of this report.

Christopher Millard
Partner
Technology, Media and Telecommunications
London
November 2005

⏐Data protection legislation in the European Union⏐November 2005

Contents

Commentary: A Survey of Current Levels of Enforcement of European Data Protection Legislation 1
Country overviews
Austria 11
Belgium 14
Cyprus 18
Czech Republic 22
Denmark 26
Estonia 29
Finland 32
France 36
Germany 40
Greece 43
Hungary 47
Iceland 51
Ireland 56
Italy 60
Latvia 63
Liechtenstein 66
Lithuania 69
Luxembourg 73
Malta 76
The Netherlands 79
Norway 83
Poland 86
Portugal 89
Slovakia 93
Slovenia 97
Spain 100
Sweden 104
Switzerland 107
United Kingdom 111
Contacts 114

Commentary: A Survey of Current Levels of Enforcement of European Data Protection Legislation
Richard Cumbley, Linklaters TMT Group, London

Introduction

“What happens if it goes wrong?” It’s the most consistently asked of all questions faced by data protection practitioners. For both internal and external clients, understanding the potential consequences of non-compliance is essential in coming to a sensible risk-based assessment of how to improve compliance. Yet, to date, a comprehensive picture of the theoretical sanctions available and how they have been applied across the EEA has been extremely difficult to discover. As a result, “Data Protected” 2005 now contains details on not just theoretical sanctions, but also for the first time details of levels of actual enforcement activity. Details include:

− the number of investigations made by regulators in 2004-5;
− the number of prosecutions during that period;
− the typical level of penalties imposed by regulators; and
− the most significant penalty levied to date with brief details of the case.

Where the information is not publicly available, contributors have sought the information direct from regulators. This comprehensive picture of enforcement activity in the European Union identifies a number of significant issues for both the public and private sectors.

Overview of Findings

Theoretical sanctions, and the level of actual enforcement activity, vary very substantially across the continent. Although there are exceptions, in general theoretical sanctions in the newer EU member states are set out at a lower level than the EU15. Perhaps more surprisingly, the courts of many countries whose legislation provides significant penalties have shown a reluctance to impose such significant penalties. Denmark and the UK stand out particularly in this regard. At the upper end of the range of penalties imposed are some striking examples. A number of jail terms and suspended jail terms have been imposed, for example in Sweden, Switzerland and the Netherlands.
As well as jail terms, there have also been some substantial fines for breaches of data protection laws in Europe, including one of over 1 million Euros. The case studies below highlight the significant cost of failing to comply with data protection law experienced in particular by companies in the Netherlands and Spain. Nevertheless, these headline examples are at the upper end of European practice, and in the majority of European countries enforcement activity for breaches of data protection legislation remains low.

Data on Potential and Actual Enforcement Provisions for the Infringements of Data Protection Legislation

Figure 1: Potential Jail Terms and Fines for Infringements of Data Protection Legislation
[Bar chart “Potential Jail Terms and Fines”: countries (plus an EU median) along the x-axis; left axis Maximum Fine (Euros), 0 to 2,000,000; right axis Maximum Jail Term (Years), 0 to 12; series: Maximum Potential Fine (EUR), Unlimited Fines, Maximum Potential Jail Term (Years).]

Notes for Figure 1: In the cases of Denmark and the UK potential fines are unlimited. In Iceland fines are €1,220 a day and in Liechtenstein the level will depend on the financial status of the offender but there is no maximum amount. In Finland the fines will be 1/60 of the offender’s average monthly income per day for a maximum of 120 days.

As one might expect the newest accession states still have relatively low maximum potential fine levels.
For example, in Estonia, infringement of the requirements for the processing of personal data stipulated under the Personal Data Protection Act of 12 February 2003 is treated as a misdemeanour and punishable by a fine of up to 50,000 kroons (approximately EUR 3,195). However, in 2004 the Data Protection Inspectorate applied penalty payments on six occasions with the average penalty being just 5,000 kroons (approximately EUR 320). Over time, one would expect such fines in the newest accession states to increase in line with the older member states.

As the data above suggests, the potential financial implications for infringements are enormous, but it is the potential for a custodial sentence in most member states that demonstrates the serious nature with which data protection infringement is viewed by EU legislatures. In just seven of the 25 EU member states (the Baltic states, Slovakia, Spain, Ireland and the UK) there are no jail terms directly available for data protection related offences.
Figure 2: Actual Jail Terms and Fines for Infringements of Data Protection Legislation
[Bar chart “Actual Jail Terms and Fines”: countries (plus an EU median) along the x-axis; left axis Actual Fines (Euros), 0 to 100,000; right axis Actual Jail Terms (Months), 0 to 12; series: Maximum Fine Imposed To Date (Euro), Maximum Jail Term To Date (Months).]

Notwithstanding the potential for custodial sentences, authorities have as yet been hesitant to use them, although the Swiss example was just one of at least five criminal convictions in the country as a result of data protection infringement. The spike represented in the Netherlands is in fact a suspended jail term, resulting from the Bureau X case, which is described further below.

The fines graph is dominated by the Spanish Zeppelin example (see below at Case Study 2) where a fine of over €1m was incurred. The graph stops at EUR 100,000, giving a greater sense of just how far out of step with the rest of Europe the Spanish regulator remains. In fact, the three largest fines levied in Europe to date were all imposed in Spain. Serious fines were also handed out in Greece, and to a lesser extent in the Czech Republic, France, Netherlands and Portugal amongst others. Notwithstanding these significant fines, in much of the EU there remains a wide disparity between potential levels of financial penalties and actual levels. Denmark and the UK stand out particularly in this regard.
For example, under Danish data protection law any person or legal entity that commits an offence is liable upon conviction to a fine or imprisonment. However, there was only one prosecution in 2004 – a case that was decided by the Eastern Division of the High Court, which imposed a fine of approximately EUR 6,500. So far only fines have been levied in Denmark. In the United Kingdom, breaches may incur civil liability or criminal sanctions, which include unlimited fines but not jail terms. During 2004-5, a total of 20,138 cases were closed by the Information Commissioner, but there were just 12 prosecutions. The penalties that were imposed ranged from £100 to £3,150, with the average fine being around £250.

Finally, although it is tempting from the above graph to assume that in large parts of the European Union no enforcement action has been taken at all, that conclusion should be resisted. A full picture of the level of sanctions imposed across Europe remains impossible to gather, as the information is not only not published but in some cases in Europe cannot be published. In many cases therefore, the blank columns reflect that even after direct discussions with regulators, information is not available.

Case Studies – Examples of Enforcement Proceedings

Case Study 1 – Bureau X in The Netherlands

A complaint was made by an individual concerning the processing of data by an information agency “Bureau X” and subsequently investigations were undertaken by the Dutch DPA. Some of the information collected by Bureau X appeared to be derived from illegal sources and a raid was carried out. In due course a formal complaint was registered with the public prosecutor on the grounds of fraud, breach of secrecy and non-notification of the Dutch DPA. On the orders of the defendant (the manager of the agency), employees had been obtaining private information fraudulently and from illegal sources.
Using false pretences the agency extracted information on people that, according to a report in April 2003 by the Dutch “College Bescherming Persoonsgegevens”, included National Insurance numbers, tax and social security information, Public Prosecution data and even bank account numbers. Judgment was passed in September 2004. The defendant was fined, ordered to complete 240 hours of community service and given a one-year suspended jail sentence. Bureau X was also threatened with financial sanctions if it did not bring itself in line with the Dutch Data Protection Act. Furthermore, some of the employees at the companies who had been providing the illegal information were promptly dismissed.

Case Study 2 – Zeppelin in Spain

The fine imposed by the Spanish Data Protection Authority, the AEPD, on Zeppelin in this case is a salient reminder of just how seriously the matter is taken in some parts of the European Union. Zeppelin is the Spanish producer of the television programme “Gran Hermano”, the Spanish version of the popular reality TV format “Big Brother”. Internet hackers managed to access details about 1,700 potential contestants on the show, and in some cases the information included details of their mental health, IQs and credit history. While Zeppelin tried to claim that it was the innocent victim of illegal hacking activity, the incident brought to light various data protection infringements. Zeppelin was the unhappy recipient of a €1,081,822 fine, the highest imposed by the AEPD in a single administrative proceeding to date, and the highest anywhere in the European Union.
The breaches of the Spanish DPA committed by Zeppelin were listed as:

− not complying with the information rights of the participants;
− not obtaining their express consent for the processing of sensitive data;
− not fulfilling the requirements for data processing by third parties, it therefore being deemed that a disclosure of data which had not been consented to had taken place; and
− not complying with regulations on security measures.

Case Study 3 – Telefonica

Another example highlighting the tough stance adopted by the Spanish DPA is that of Telefonica. The Spanish telecoms company had disclosed data for marketing purposes to a third party, Telefonica Data, after the data subject had refused the data processing. This data was disclosed to Telefonica Data without the consent of the data subject and furthermore passed back to Telefonica again without consent. Telefonica was fined EUR 420,708 for:

− processing personal data for purposes incompatible with those for which the data were collected;
− processing data without the consent of the data subject; and
− disclosing personal data to Telefonica Data without the consent of the data subject.

Telefonica Data were also fined EUR 420,708 for similar breaches.

Enforcement – Other issues

Although the above examples represent the most costly and damaging instances of data protection enforcement, it is poor publicity that remains, for most organisations, the key driver in ensuring data protection compliance. The recent employee-related data protection disputes involving Fortis in Belgium, Lloyds TSB in the UK and McDonalds and CEAC in France are powerful examples of how data protection issues can deliver significant unwanted publicity. Interestingly, a number of EU regulators have commented favourably on recent legislative developments in California.
Californian privacy legislation[1] now requires organisations to publicly identify disclosure of personal information to unauthorised persons. The initiative, which has exposed a number of large US financial institutions to press criticism, is likely to continue to attract attention in the European Union over the next couple of years.

Conclusions

The financial penalties described above should impress upon companies the need to ensure that they are meeting their obligations under data protection legislation. And the potential cost is even greater still, since the damage to reputation caused by such breaches may have serious repercussions for a company’s business. Nevertheless, the reality is that data protection enforcement activity remains in its infancy in large parts of Europe. There remains a wide disparity in funding and staffing of data protection regulators across the continent, and a number of authorities seem hesitant to make use of the full extent of their powers. As the number of investigations and subsequent convictions/sanctions increase, so it is likely that the willingness of regulators to seek greater penalties through the courts will grow. There can be little doubt that the current gap between potential and actual penalties will narrow in the foreseeable future as more EU regulators learn to flex their muscles.

[1] California’s data protection law (Cal. Civil Code ss 1798.29, 1798.82-1798.84) requires companies doing business in California to notify affected consumers if unencrypted personal information is acquired by an “unauthorized person”. A number of US companies (Choice Point, Bank of America, CitiFinancial and LexisNexis for example) have been forced to make such announcements.
In the recent case of CardSystems, however, although 40 million records were exposed to unauthorised access, notification was not required after an application to the San Francisco Superior Court as there was deemed to be no “immediate threat of irreparable injury” to the data subjects. Nonetheless, over 50 similar bills in more than 28 states have been introduced following the Californian model (including Texas, New York and Illinois).

Country Overviews

Austria

Contributed by Schönherr Rechtsanwälte OEG

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Federal Act concerning the Protection of Personal Data (Bundesgesetz über den Schutz personenbezogener Daten (Datenschutzgesetz 2000) - the “DPA”) dated 17 August 1999 which was last revised on 31 March 2005.

Entry into force of the implementing legislation
The DPA came into force on 1 January 2000.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to: (i) the use of personal data in Austria; and (ii) the use of personal data outside Austria, provided the data is used in another Member State of the EU for the purposes of an establishment in Austria.

Material scope of application
The DPA applies to both manual and electronic files (with certain reservations).

Personal scope of application
The DPA applies to data relating to individuals or legal entities.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as a natural or legal person, or a group of persons, which (either alone or jointly with other persons) determines the purposes for which personal data are to be processed.
The data controller may request the processing to be done by a third party.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Austrian Data Protection Commission
Ballhausplatz 1
1014 Vienna
Austria
www.dsk.gv.at

Notification or registration scheme and timing
Unless the processing is exempt, the data controller has a general obligation to file a notification to the Austrian Data Protection Commission. Such notification is entered in the Data Processing Register. The notification must occur prior to the processing of personal data.

Exemptions
Exemptions apply in certain circumstances, including but not limited to: (i) processing of published data; (ii) processing of personal data not linked to a name; or (iii) so-called standardised data processing.

Data Quality

Rules on the quality of the data processed
The general principles with respect to data quality state: (i) that the personal data must be essential and not excessive in relation to the purpose or purposes for which they are processed; and (ii) that personal data must be accurate and, where necessary, kept up to date.

Retention period
Personal data may not be kept longer than is necessary for the relevant purpose.

Rights of Data Subjects

Right to information
The data controller must inform the data subject whether it has processed or is processing any data concerning him/her. If it does, it must describe the processed data, the purpose for which they are used, the origin of the data - if available, the recipients of the data, the legal basis for processing and the name and address of the processor.

Right of access/correction/objection and other rights
Access: Upon request, the data subject has the right to access its personal data being processed by the data controller. Under the DPA, the data subject is not entitled to obtain copies thereof.
Correction: The data subject can apply for rectification and erasure of data that are incorrect or that have been processed contrary to the DPA.

Objection to processing: The data subject has a right to raise an objection to the processing of its personal data if the processing is not authorised by law and the use of data infringes an overriding interest of secrecy deserving protection that arises from the particular situation.

Security

Security requirements in order to protect the data
There are several security requirements pursuant to Section 14 DPA, such as but not limited to: (i) the use of data must be tied to valid instructions of the authorised organisational units or users; (ii) every user is to be instructed about his/her duties according to the DPA and the organisation’s internal data protection regulations, including data security regulations; (iii) the right of access to the premises of the data controller or processor is to be regulated; (iv) the right of access to data and programs is to be regulated as well as the protection of storage media against access and use by unauthorised persons; (v) every device is to be secured against unauthorised operation by ensuring security processes are in place in both the machines and programs used; and (vi) logs of the processing steps must be kept.

Specific rules governing processing by a third party (processor) on behalf of the data controller
There are several specific rules that apply to data processing performed by a processor on behalf of a data controller.
The processor must: (i) use data only according to the instructions of the controller; (ii) take all required safety measures pursuant to Section 14 DPA (in particular, employ only users who have committed themselves to confidentiality vis-à-vis the processor or are under a statutory obligation of confidentiality); (iii) enlist another processor only with the permission of the controller; (iv) insofar as possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to grant the right of information, rectification and erasure; (v) hand over to the controller after the end of the processing all results of processing and documentation containing data or keep or destroy them at the controller’s request; and (vi) make available to the controller all information necessary to control the compliance with these obligations.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfers within the EU.

Transfer outside the EEA
The transfer of personal data to countries outside the EU is subject to prior authorisation by the Data Protection Commission, based upon the following conditions: (i) legality of the data application; (ii) adequate level of data protection in the case at hand; and (iii) protection of secrecy interests.

Sensitive Data
Restrictions apply to the processing of data concerning racial and ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health and sexual life.

Enforcement

Sanctions
Breaches may incur civil, criminal and administrative sanctions, depending on the type of breach. The maximum penalty for deliberate violation of the Data Protection Act is EUR 18,890 and EUR 9,445 for violation of notification and information obligations.
Note that no administrative penalty may be imposed if the violation is subject to criminal prosecution.

Practice
In 2004, the Data Protection Commission dealt with: (i) 83 complaints of individuals against public sector data controllers; (ii) 70 complaints of individuals against private sector data controllers; and (iii) six ex officio investigations (no complaint).

In relation to the number of prosecutions last year, there are no statistical data on criminal prosecutions for data abuse, as Section 51 DPA, which provides for a criminal penalty of up to one year’s imprisonment, is only a subsidiary provision if no other more severe sanction pursuant to another provision of the Criminal Code applies. Therefore, prosecution for data abuse will be subsumed within prosecution for other crimes (fraud, theft, "cyber crimes" and, for the public sector, abuse of authority). Moreover, data abuse can only be prosecuted with the consent of the victim.

In relation to the typical level of penalties imposed, as administrative penalties are, since 2000, no longer imposed by the Data Protection Commission but by local administrative authorities (more than 100 different bodies), there are no statistical data on the level of penalties.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by Section 107 of the Telecommunications Act (TKG 2003 - the “ECA”). The effective date was 20 August 2003.

Conditions for sending direct marketing e-mail
It is not permitted to send unsolicited direct marketing e-mail unless the recipient has previously consented to such communication (opt-in regime with respect to consumers).
Exemptions
It is permitted to send e-mail for the purposes of direct marketing (exemption from the opt-in regime) where: (i) the sender has obtained the contact details from a business connection with the client; (ii) the direct marketing is in respect of the sender’s similar products or services; and (iii) the recipient is informed about the possibility of refusing such e-mail.

Scope of Application
The ECA opt-in regime only applies to consumers and not to the business-to-business sphere. However, an opt-out regime has to be provided for business-to-business relations. The option to opt-out must be offered in every e-mail. In addition, recipients who do not want to receive unsolicited e-mail in general may include themselves in an opt-out list pursuant to Section 7 of the E-Commerce Act administered by the Austrian Regulatory Authority for Broadcasting and Telecommunications. This list must be respected by direct mailers.

Belgium

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the law of 11 December 1998 modifying the law of 8 December 1992 on privacy protection in relation to the processing of personal data (the “DPA”). Some provisions of the DPA have been modified by the law of 22 August 2002 on patients’ rights and by the law of 26 February 2003 regarding the status, composition and functioning of the national regulatory authority.

Entry into force of the implementing legislation
The DPA entered into force on 1 September 2001 further to an implementing Royal Decree (the “Decree”) of 13 February 2001.
Scope of application of the National Legislation

Territorial scope of application
The DPA is applicable: (i) when the processing is carried out in the context of the activities of a permanent establishment of the controller in Belgium; or (ii) if the controller, established outside the EU, makes use of equipment, whether or not automated, located in Belgium (except for mere transit).

Material scope of application
The DPA applies to both manual and electronic files. The manual files must form part of a filing system (i.e. any structured set of personal data that are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis).

Personal scope of application
The DPA only applies to the processing of personal data, i.e. any information relating to an identified or identifiable individual (natural person as opposed to legal entities).

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as the physical person or legal entity, factual association or public authority that, alone or jointly with others, determines the purposes and means of the processing of personal data.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Commission for the Protection of Privacy
Rue Haute, 139, 1000 Brussels
www.privacy.fgov.be

Notification or registration scheme and timing
The data controller must notify the Commission for the Protection of Privacy before the start of any wholly or partially automated processing operation. Such notification is a mere filing of information, including any change thereto. The end of any processing must also be notified. The notification can be made by electronic means.

Exemptions
Notification is required for automated processing (not for manual files) with certain exemptions applicable under strict conditions (e.g. payroll and personnel administration, accounting and client/supplier administration).

Data Quality

Rules on the quality of the data processed
The personal data must be processed for specified, explicit and legitimate purposes. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected or further processed. The data must also be accurate and kept up to date.

Retention period
The controller may keep the data no longer than necessary for the purposes of the processing.

Rights of Data Subjects

Right to information
The data controller must inform the data subject of its identity and the purposes of the processing as well as some additional information that may be required to guarantee fair processing (e.g. categories of recipients of the data, right of access and correction).

Right of access/correction/objection and other rights
The data subject has the right of access to the data and the right to have inaccurate data corrected or deleted. If the data are to be used for direct marketing purposes, the data subject also has the right to object to such processing and the data controller has to inform the data subjects of their right to object. In certain cases, the data subject may object to decisions being made about him/her based solely on automatic processing.

Security

Security requirements in order to protect the data
The controller and the processor (i.e. the individual or the legal entity that processes personal data on behalf of the controller) are required to implement appropriate technical and organisational measures to protect the data. The controller and its representative, if applicable, must: (a) secure access to the data; (b) inform its personnel about the obligations under the DPA; and (c) ascertain that no unlawful use is made of the software programs used for the automatic processing of personal data.
Specific rules governing processing by a third party (processor) on behalf of data controller
The DPA requires that, if the processing is carried out by a processor, the controller must conclude an agreement with the processor containing specific obligations to ensure that the data are kept secure and that the processor acts only on instructions from the data controller.

Transfer of personal data to foreign countries

Transfer within the EEA
The transfer of personal data is free within the EEA.

Transfer outside the EEA
The transfer of data to non-EEA countries is restricted. The controller may only transfer personal data from Belgium to a country outside the EEA if that country guarantees an adequate level of protection of personal data. Whether a country ensures an adequate level of protection is assessed taking into account all the circumstances, including the kind of data, the purposes and duration of the processing and the legislation of that country. The DPA contains some exemptions from the prohibition on transferring personal data to countries that do not guarantee an adequate level of protection, including the unambiguous consent of the data subject. Furthermore, without prejudice to those exemptions, the DPA states that permission for the transfer to countries that do not guarantee an adequate level of protection may be granted by Royal Decree subject to adequate safeguards, including contractual guarantees. The EU Commission has approved a set of standard contractual clauses for export to a controller in a third country and for export to a processor in a third country.

Sensitive Data
The processing of certain so-called “sensitive data” (i.e. personal data relating to racial or ethnic origin, political opinions, philosophical or religious beliefs, trade union membership or sexual life) is, in principle, prohibited.
The processing of data of a judicial nature and of health-related data is also, in principle, prohibited. There are some exceptions to the general prohibition on processing such data under the DPA, such as the written consent of the data subject (except for data of a judicial nature). For the processing of sensitive data, data of a judicial nature or health-related data, the controller must ensure, by means of legal, statutory or contractual provisions, that the persons having access to such data comply with an obligation of confidentiality in relation to such data. The controller has to keep at the disposal of the Commission for the Protection of Privacy a list of the categories of persons having access to such data, with a precise description of their duties in relation to the data.

Enforcement

Sanctions
The sanctions are both civil and criminal. The DPA provides for criminal sanctions for most provisions, including the duty to inform the data subject and the duty to file a prior notification. Fines range from EUR 500 to EUR 500,000 and, in specific cases, imprisonment of up to two years may be imposed. Publication of the judgment can also be ordered, and other measures which may constitute a serious threat to the controller can be ordered in addition, such as confiscation of the storage media, an order to erase the data and/or a prohibition on using the personal data for up to two years. The data controller must compensate the data subject for damage caused by any breach of the DPA. The risk of damage to reputation is also significant.

Practice
The Belgian Privacy Commission distinguishes three types of data protection files: (i) with regard to “general information and investigation files”, 678 new files were opened in 2004 and 473 were closed in the same year. Compared to the previous year, the number of cases is slightly higher (+3.5%). 40 files from 2003 and 206 files from 2004 are still being investigated.
The average duration of investigations is three to four months; (ii) with regard to information or investigation files concerning “consumer credit”, there were 21.5% more new files in 2004 than in 2003. In 2004, 462 new files were opened and 402 of them have already been closed; and (iii) with regard to “indirect access files”, 94 new files were opened in 2004, which is 6% fewer than in 2003. As for the number of prosecutions last year, there is no information about individual complaints once the files are closed by the Commission. Although the Privacy Commission has the power to file complaints before the courts, the Commission has so far shown particular leniency in exercising this power and has used its power of recommendation instead. This situation is, however, likely to change with the Commission’s growing resources and the increased awareness of the legislation among the Belgian population.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been partially implemented (only with regard to e-mail) by Articles 13 and 14 of the law of 11 March 2003 on certain legal aspects of information society services (the “ECA”) and the Royal Decree of 4 April 2003 on the sending of advertising by e-mail (the “RD”). Rules similar to those set forth in Directive 2002/58/EC with respect to automatic calling and facsimile machines had already been introduced in the Trade Practices Act of 14 July 1991 in connection with distance selling to consumers.

Conditions for sending direct marketing e-mail
The ECA prohibits the use of e-mail for advertising purposes without the prior, free, specific and informed consent of the addressees, thus imposing a so-called “opt-in” system.
Exemptions
There are a number of situations addressed in the RD where the addressee’s consent does not need to be obtained. The first exception is where the e-mail is sent to a legal entity using “impersonal” electronic contact details (e.g. a generic company mailbox that does not identify a named individual). The use of addresses that identify a named individual, however, remains subject to the opt-in requirement. The second, and most important, exception is that no consent needs to be obtained if the e-mail is sent to existing customers, provided that the following conditions are cumulatively fulfilled: (i) the sender of the e-mail directly obtained the electronic contact details of the addressee in the framework of the sale of a product and/or service, in compliance with the legal and regulatory provisions on data protection; (ii) the sender uses the electronic contact details only for marketing similar products or services; and (iii) the sender offered the customer, at the time of collecting his/her electronic contact details (and at any time thereafter), the opportunity, free of charge and in a simple manner, to object to such use.

Scope of application
The opt-in regime applies to both individual and corporate contacts as soon as the address is a personal one identifying a named individual.

Cyprus.

Contributed by Georgiades & Pelides

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Law on the Processing of Personal Data (Protection of the Individual) of 23 November 2001, Law No. 138(I)/2001, as amended by the Law on the Processing of Personal Data (Protection of the Individual) (Amending) Law of 2 May 2003, Law No. 37(I)/2003 (the “DPA”).

Entry into force of the implementing legislation
Law No. 138(I)/2001 came into force on 23 November 2001 (except for Sections 9(4) and 9(5) on the free transfer of data to other Member States of the EU, which came into force on 1 May 2004) and Law No. 37(I)/2003 came into force on 2 May 2003.

Scope of Application of the National Legislation

Territorial scope of application
The DPA is applicable in relation to data processing carried out (i) by a data controller established in the territory of the Republic of Cyprus or in a place where Cyprus law applies by virtue of public international law, and (ii) by a data controller not established in the Republic but using equipment situated in the Republic for purposes other than the mere transit of data.

Material scope of application
The DPA applies to data kept in a record, defined as a structured set of personal data accessible according to specific criteria. The processing may be carried out by automated, partly automated or non-automated means.

Personal scope of application
The DPA only applies to data relating to individuals. The data subject is an identified or identifiable living natural person to whom the personal data relate.

Data Controller

Entity responsible for compliance with the National Legislation
Responsibility for compliance with the DPA lies with the person in charge of processing (the “data controller”). The data controller is defined as any natural or legal person under private or public law (including the Government of the Republic) that determines the purposes and means of processing. The DPA does not apply to processing by a data controller who is a natural person acting for purely personal or domestic purposes.
National Regulatory Authority (“NRA”)

Details of the competent NRA
Commissioner for the Protection of Personal Data
40 Themistokli Dervi Street, Natassa Court, 3rd floor
1066 Nicosia, Cyprus
www.dataprotection.gov.cy

Notification or registration scheme and timing
The data controller must notify the Commissioner in writing that a record is being set up or that processing is to take place. The information notified is kept in the Commissioner’s Register of Records and Processing. Notification to the Commissioner should take place upon the setting up of the record or, at the latest, upon commencement of processing. The Commissioner’s prior approval is required only when: (i) data are to be transmitted to a country outside the EU; or (ii) two or more records which contain sensitive data, or from which data may be retrieved using common criteria, are to be combined.

Exemptions
The data controller must notify unless the processing is exempt. Exemptions apply in respect of processing: (i) necessary for the fulfilment of an obligation under an employment or contractual relationship; (ii) relating to customers or suppliers (except in the case of insurance and pharmaceutical companies, banks and other financial institutions); (iii) carried out confidentially by lawyers, doctors or health service providers, provided the data are not transmitted to third parties; or (iv) carried out by any organisation in relation to its consenting members (e.g. shareholders of a company).

Data Quality

Rules on the quality of the data processed
The processed data must be: (i) adequate, relevant and not excessive in relation to the purposes of processing; and (ii) accurate and, where necessary, kept up to date.

Retention period
Personal data may be retained in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data have been collected.
The Commissioner may permit retention for a longer period for historical, scientific or statistical purposes, provided data subjects’ rights are not prejudiced.

Rights of Data Subjects

Right to information
Data subjects must be informed of the identity of the data controller and the purposes of the processing. Also, where this is necessary to ensure fair processing, data subjects must be informed about the recipients of the data, the existence of rights to access and rectify data, whether it is obligatory to provide the data requested and the consequences of failure to do so.

Right of access/correction/objection and other rights
Access: Data subjects have the right to obtain from the data controller, without excessive delay or expense, information as to the data processed, their source and recipients, the purpose of the processing, and the logic behind any automatic processing.
Correction: Data subjects have the right to insist upon the rectification, erasure or blocking of data which are incomplete or inaccurate or have been subject to unlawful processing.
Objection to processing: Data subjects have the right to object to the processing of data on compelling legitimate grounds relating to their particular situation.
Other: Data subjects have the right (i) to seek a court order suspending or annulling an act or decision taken through data processing intended to evaluate the data subject’s personality, and (ii) to receive compensation from the data controller for damage suffered as a result of unlawful processing.

Security

Security requirements in order to protect the data
Processing is confidential and may be carried out only by the data controller and by others acting upon its instructions and under its control, provided they possess the necessary technical skill and personal integrity.
The data controller must implement appropriate technical and organisational measures to protect the data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, or unlawful processing.

Specific rules governing processing by a third party (processor) on behalf of data controller
Where the processing is carried out by a third party on behalf of the data controller, the appointment of the third party must be in writing and must provide that the third party will act only on the instructions of the data controller and that the obligations of the data controller will also be incumbent on the third party.

Transfer of personal data to foreign countries

Transfer within the EEA
The transfer of data to another EU Member State is unrestricted. The transfer to Norway, Liechtenstein and Iceland of data that have been or are to be processed is permitted, provided the Commissioner’s permission is obtained. Permission is given only if, in the opinion of the Commissioner, the country to which the data will be transferred ensures an adequate level of data protection. The Commissioner may permit the transfer of data to a country which does not ensure an adequate level of data protection provided particular conditions set out in the DPA are satisfied.

Transfer outside the EEA
The transfer to any country outside the EU of data that have been or are to be processed is permitted, provided the Commissioner’s permission is obtained. Permission is given only if, in the opinion of the Commissioner, the country to which the data will be transferred ensures an adequate level of data protection. The Commissioner may permit the transfer of data to a country which does not ensure an adequate level of data protection provided particular conditions set out in the DPA are satisfied.

Sensitive Data
Special protection is provided for personal data that are sensitive, i.e. concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, society and trade union membership, health, sexual life, sexual orientation and criminal prosecutions and convictions. The processing of sensitive data is prohibited, except where: (a) the subject has expressly consented and such consent is not contrary to the law or public morals; (b) processing is necessary under employment law or for national security purposes or in order to safeguard the interests of a subject unable to express consent; or (c) processing is carried out by a non-profit-making organisation in relation to its members, or by a doctor for medical purposes, or in relation to data that have been made public by the subject, or for statistical, research, scientific, historical, journalistic or artistic purposes.

Enforcement

Sanctions
Sanctions are both civil and criminal. Civil sanctions include fines of up to CYP 5,000 and an order to cease processing and/or destroy data. Criminal sanctions include fines of up to CYP 5,000 and up to five years’ imprisonment.

Practice
80 complaints were submitted last year to the Commissioner. The Commissioner has no competence to bring prosecutions, but can report any contraventions of the provisions of the Law which constitute an offence to the competent authorities. No such contraventions have been reported to date. The Commissioner may impose administrative sanctions for breaches of the data protection legislation. The most significant sanction imposed by the Commissioner to date was a fine of CYP 1,500 on a company. The company had infringed various provisions of the Law, including Section 15 of the Law, which relates to processing for direct marketing purposes. The company had sent advertising text messages without obtaining the prior written consent of the data subjects.
The provisions of Section 5 of the Law, which relate to lawful processing, were also breached, and finally the company had omitted to notify the Commissioner of the establishment and operation of a filing system and the carrying out of processing, in contravention of Section 7 of the Law.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by: (i) amended Section 15 of the DPA, which came into force on 2 May 2003; and (ii) Section 106 of the Law on the Regulation of Electronic Communications and Postal Services of 30 April 2004, Law No. 112(I)/2004 (the “Law”), which came into force on 30 April 2004.

Conditions for sending direct marketing e-mail
The DPA prohibits the processing of personal data (including an e-mail address) for the purpose of marketing, selling goods or offering services at a distance, unless the prior consent of the data subject has been obtained in writing. In order to contact the data subject for the purpose of obtaining his/her consent, only personal data relating to the subject which are accessible to the public may be used. Section 106(1) of the Law provides that electronic mail may be used for direct marketing purposes only where a subscriber has consented to such use in advance. By virtue of Section 106(3), Section 106(1) applies to natural persons only, while a decree may be issued by the Commissioner for the Regulation of Electronic Communications and Postal Services (the “Electronic Communications Commissioner”) in order to ensure the protection of the legitimate interests of subscribers who are legal persons. The Electronic Communications Commissioner has issued the Decree on Legal Persons (Ensuring the Protection of Legitimate Interests with regard to Unsolicited Communications) of 28 January 2005, Decree No. 34/2005 (the “Decree”), which came into force on 28 January 2005 and provides that the use of e-mail for direct marketing to subscribers who are legal persons is permitted only where the subscriber has clearly declared, in written or electronic form, its willingness to receive such mail to: (i) the sender; (ii) the person responsible for the Cyprus Telephone Directory Data Base; or (iii) the provider of e-mail services. Section 106(4) of the Law provides that where the e-mail address of a client is revealed in the context of the sale of a good or service, the same seller may use that address for the direct marketing of its own similar goods or services, provided the client is clearly and distinctly given an opportunity to object, in an easy and costless manner, to such use at the time the address is collected and, if no objection is raised at that time, each time the address is used. Under Section 106(5) of the Law, each marketing message sent by e-mail must state: (i) the identity of the sender or of the person on whose behalf the message is sent; and (ii) a valid address to which the recipient may send a request that such communications cease.

Exemptions
There are no exemptions.

Scope of application
The provisions of the DPA and Section 106(1) of the Law apply to natural persons only, while the provisions of Sections 106(4) and 106(5) of the Law apply to both natural and legal persons. The provisions of the Decree apply to legal persons only.

Czech Republic.

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC was implemented by Act No. 101/2000 Coll., on Personal Data Protection (the “DPA”).

Entry into force of the implementing legislation
The DPA entered into force on 1 June 2000, with the exception of the Registration Section, which came into force on 1 December 2000.
Scope of Application of the National Legislation

Territorial scope of application
The national legislation applies to data controllers established in the Czech Republic and to the processing of personal data in the Czech Republic. It also applies to data controllers established outside the EU that process personal data in the Czech Republic, if such processing is not limited to the mere transit of personal data through the EU. A data controller established outside the EU that processes personal data in the Czech Republic must appoint an authorised representative in the Czech Republic. Czech law may also be applicable under the rules of private international law regardless of the country in which a data controller is established.

Material scope of application
The DPA applies to both manual and electronic files.

Personal scope of application
The DPA only applies to data relating to individuals. However, data relating to legal entities are also protected by national legislation, in particular by the provisions of the Commercial Code relating to business names and unfair competition.

Data Controller

Entity responsible for compliance with the National Legislation
The DPA applies to any data processed by state bodies, local government bodies, other public bodies, and by legal entities and individuals. The DPA does not apply to data processing performed by an individual exclusively for personal needs. In addition, the DPA does not apply to the casual collection of personal data, provided that the data are not processed any further. The DPA defines a data controller as “any subject which: (i) determines the purpose of personal data processing; (ii) determines the means of processing; (iii) carries out processing; and (iv) bears responsibility for such processing”. The activities under (i), (ii) and (iv) are always carried out by the data controller. The activity under (iii) may be transferred to a data processor.
National Regulatory Authority (“NRA”)

Details of the competent NRA
Office for Personal Data Protection (Úřad pro ochranu osobních údajů) (the “Office”)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
www.uoou.cz

Notification or registration scheme and timing
A person that intends to process personal data must notify the Office prior to the commencement of data processing. The DPA sets no period within which the notification must be filed. If the notification includes all the required information and the Office has not initiated proceedings (the Office will start proceedings where the notification gives rise to serious doubts that the processing could breach the law), the data controller may start its data processing activities 30 days after the delivery of the notification to the Office. Upon the data controller’s request, the Office will issue a registration certificate. The notification must be filed on a registration form on which the notifying party must provide various details with regard to the intended processing. The same notification obligation applies to any future changes in the processing. The notification is not subject to administrative fees.
Exemptions
There is no need to notify the Office of processing if: (i) the data processed are part of public records specifically available in accordance with law, such as the Companies Register or a certain part of the Trade Licences Register; (ii) the data controller needs to process the data in order to benefit from the rights arising, or fulfil the obligations, under specified legislation (this relates in particular to data processed in the course of the judicial resolution of disputes, to a number of fields of administrative decision-making, and to employers’ duties under the Employment Act and accounting and social security legislation); or (iii) political parties or non-profit-making organisations process personal data concerning their members or partners and such data are not disclosed without the consent of such members or partners.

Data Quality

Rules on the quality of the data processed
The data controller is required to process only true and accurate personal data obtained in compliance with the DPA. If the data controller discovers that the data are untrue or inaccurate, it must block the data and correct or complete them. If it is impossible to correct the data, the data controller must destroy them. The data controller must inform all prior recipients of the data about the blocking, correction, completion or destruction of the data without undue delay.

Retention period
Personal data may be retained only as long as is necessary for the purpose of processing.

Rights of Data Subjects

Right to information
The data controller must inform the data subject prior to the commencement of data processing about: (i) the extent and purpose of the processing of his/her personal data; (ii) the identity of the person by whom the data will be processed; and (iii) the recipients of the data.
If the data are obtained from the data subject, the information provided must also include a note as to whether the data subject is required by law to provide the requested personal data or whether the provision of data is voluntary. The data controller must inform data subjects about the processing of their personal data upon request. This duty to inform may be carried out on behalf of the data controller by a processor.

Right of access/correction/objection and other rights
The data subject may ask the data controller to correct his/her personal data if they are untrue or inaccurate. The data subject is entitled to ask the data controller to inform him/her which of his/her personal data are being processed. If the data subject discovers that the data controller or processor has breached its duties, he/she may: (i) ask the Office to take remedial measures; (ii) request that the data controller or processor refrain from such activity; (iii) request that the data be corrected, completed, blocked or destroyed; and (iv) request a financial remedy.

Security

Security requirements in order to protect the data
The data controller (as well as the data processor) must take technical, organisational or other measures to protect personal data against unauthorised or accidental access, alteration, destruction or loss, and against any other unauthorised processing.

Specific rules governing processing by a third party (processor) on behalf of data controller
The authorisation of the data processor arises either from a special act or from a written agreement with the data controller on whose behalf the data are processed. The agreement must specify the extent and purpose of the data processing and the period for which it is concluded. The processor has duties similar to those of the data controller.
Transfer of personal data to foreign countries

Transfer within the EEA
Personal data may be freely transferred within the EEA and to countries that have ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108).

Transfer outside the EEA
Personal data may be transferred to states outside the EEA which are not party to Convention ETS 108 if the data are transferred on the basis of a decision of an EU body (such as the decisions on standard contractual clauses and on the US Safe Harbor). In other cases, the data controller must apply for the Office’s approval prior to the transfer. The Office authorises the transfer if the data controller proves that one of the conditions set by the DPA is met. These conditions include: (i) the data subject’s consent to the transfer; (ii) the necessity to conclude or execute an agreement at the data subject’s initiative or to perform an agreement to which the data subject is a party; (iii) the necessity to perform an agreement in the data subject’s interest concluded between the data controller and a third party; or (iv) the transfer being essential for the protection of the data subject’s rights.

Sensitive Data
Sensitive personal data are data regarding the national, racial or ethnic origin, political opinions, membership of political parties, trade unions or other employee organisations, religious and philosophical convictions, criminal activity, health and sexual life of the data subject, and any biometric or genetic data of the data subject. This list of sensitive data in the DPA is exhaustive, and no other data are considered sensitive. Sensitive data may be processed with the explicit consent of the data subject.
The data controller must be able to prove the data subject’s consent during the entire period of data processing. Sensitive data may be processed without the data subject’s consent in the following cases: (i) if necessary in order to preserve the life or health of the data subject or any other person, or to avert an imminent threat to his/her assets; (ii) if providing health care or assessing health under a special legal regulation, in particular for social security purposes; or (iii) if the data processing is necessary for meeting the data controller’s duties under labour law.

Enforcement

Sanctions
Sanctions and penalties under the DPA: If legal entities, or individuals undertaking business under special laws, breach as data controllers or processors any of the obligations in the DPA, they may be required to pay a penalty of up to CZK 5,000,000. If they breach duties relating to sensitive data processing, or if the breach endangers the privacy and private life of a larger number of people (the number depends on the context of the case; in practice this involves dozens of people or more), they may be required to pay a penalty of up to CZK 10,000,000. Legal entities are not liable for the breach if they prove that they made every possible effort to prevent the breach of the legal obligation. If individuals as data controllers or processors breach any of the obligations in the DPA, they may be required to pay a penalty of up to CZK 1,000,000. If individuals breach duties relating to sensitive data processing, or if the breach endangers the privacy and private life of a larger number of people, they may be required to pay a penalty of up to CZK 5,000,000.
In addition, a person who is employed by or works for a data controller or processor, or who in the course of exercising rights and obligations imposed by law comes into contact with the personal data of the controller or the processor, and who breaches the confidentiality duty under the DPA, may be subject to a fine of up to CZK 100,000.

Sanctions under the Criminal Code: Under current regulations, only individuals are liable for criminal offences; the Criminal Code has no relevance to data controllers which are legal entities. However, their employees may be held liable for a criminal offence, such as the unauthorised disclosure of personal data or breach of the duty of confidentiality, and may be punished by a term of imprisonment of up to three years, a prohibition on professional activities or a fine.

Practice
The Office for Personal Data Protection conducted 79 inspections in 2004, of which 60 were initiated on the basis of an external complaint. 53 proceedings were closed in 2004, of which 35 were closed by a decision levying a fine. Typically, the level of penalty imposed is in the tens of thousands of Czech koruna, but it is rarely over a hundred thousand koruna. The highest penalty levied to date was CZK 500,000, levied in 2004. An employment agency had processed sensitive data on jobseekers without their consent. The agency did not exercise due care in order to protect the dignity of its clients. The personal data processed by the agency were not protected from unauthorised access, alteration, destruction, transfer or other abuse. The investigation of this agency was opened after documents containing personal data on jobseekers were found in the street next to a dustbin.
Sector specific: E-communications | Directive 2002/58/EC Marketing by E-mail Status of implementation of Article 13 of Directive 2002/58/EC Article 13 of Directive 2002/58/EC was implemented in the Czech Republic by Act No. 480/2004 Coll., on Certain Information Society Services (the “ECA”). Conditions for sending direct marketing e-mail Under the ECA, marketing e-mail may be sent to individuals as well as to legal entities only on an opt-in basis. Exemptions The ECA does not include any exemptions. Scope of application The ECA applies to both individuals and legal entities. Denmark. Contributed by Gorrissen Federspiel Kierkegaard General | Directive 95/46/EC National Legislation Status of implementation of the Directive Directive 95/46/EC has been implemented by the Act on Processing of Personal Data, Act no. 429 of 31 May 2000 (the “DPA”). Entry into force of the implementing legislation The DPA entered into force on 1 July 2000. Scope of Application of the National Legislation Territorial scope of application The DPA applies to the processing of data undertaken for a data controller established in Denmark, provided that the activities take place within the EU, and to processing undertaken for Danish diplomatic offices. The DPA also applies to data controllers established in a third country (i) if the collection of data in Denmark is undertaken for the purpose of processing in a third country, or (ii) if the processing is undertaken through means located in Denmark, unless such means are used only for the purpose of transmitting data through the territory of the EU. In case (ii), the data controller must designate a representative established in Denmark and provide written notification of the details of the representative to the Data Protection Agency.
A “third country” is defined in the DPA as a country which is not a Member State of the EU, and which has not implemented agreements with the EU that contain provisions similar to the provisions of Directive 95/46/EC. Material scope of application The DPA applies to all personal data, regardless of whether held in manual or computerised form. Personal scope of application In general, the provisions of the DPA only apply to individuals. In relation to credit information bureau data processing, the DPA also applies to legal entities. This is also the case with the provisions regulating the disclosure to credit information agencies of debts to public authorities. Furthermore, the DPA applies to corporate data if the processing is carried out for the purpose of warning third parties against entering into business relations with a data subject. Data Controller Entity responsible for compliance with the National Legislation The data controller is responsible for compliance with the DPA. A data controller is defined as a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. 
National Regulatory Authority (“NRA”) Details of the competent NRA The Data Protection Agency (Datatilsynet) Borgergade 28, 5 DK-1300 Copenhagen K Denmark www.datatilsynet.dk Notification or registration scheme and timing Prior permission from the Data Protection Agency is required for the following data processing: (i) processing of sensitive data or data of a purely private nature; (ii) processing undertaken for the purpose of warning others against business relations with, or employment of, a data subject; (iii) processing undertaken by a credit information bureau for the purpose of disclosing, as part of its business, data for the evaluation of financial soundness and creditworthiness; (iv) processing undertaken for the purpose of commercial employment assistance; (v) processing undertaken solely for the purpose of supplying legal information; or (vi) transfers based on the EC Model Clauses. A fee of DKK 1,000 is payable for an application for permission. Exemptions No prior permission or notification is required for other processing activities. Data Quality Rules on the quality of the data processed The personal data processed must be relevant, adequate and not excessive in relation to the purposes for which they are collected and processed. In addition, the processing of personal data must be undertaken in such a manner as to ensure, where necessary, that the data are kept up to date, and controls must be in place to ensure that no inaccurate or misleading data are processed; any such data must be deleted or rectified as soon as possible. Retention period Personal data may not be stored for longer than is necessary for the purposes for which the data are processed.
Rights of Data Subjects Right to information When collecting data from a data subject, the data controller or its representative must provide the following information if the data subject is not already aware of it: (a) the identity of the data controller and any representative of the data controller; (b) the purpose for which the data are intended to be processed; and (c) any further information which in the specific circumstances is necessary to permit the data subject to consider his/her interests. Examples of such information include the category of any recipients of the data, whether answering questions is compulsory or voluntary and the possible consequences of failing to answer, and information regarding rights of access and rectification. If personal data are not obtained from the data subject, the same information must be provided to the data subject on collection of the data, unless the data subject is already aware of the information, or if providing it proves to be impossible, or would involve disproportionate effort. Right of access/correction/objection and other rights Access: Data subjects may obtain information on their personal data on request to data controllers. Correction: In certain cases the data subject may ask the data controller to rectify, block, erase or destroy the data. Objection to processing: Data subjects may object to the processing where justified. Security Security requirements in order to protect the data The DPA requires data controllers and data processors to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss or deterioration, disclosure to unauthorised persons, misuse, or other unlawful forms of processing. Specific rules governing processing by a third party (processor) on behalf of data controller All processing by a data processor must be subject to a written agreement between the data controller and the data processor. 
The agreement must state that the data processor may only act on instructions from the data controller, and that the data processor must ensure that the necessary technical and organisational precautions are taken against accidental or illegal loss, destruction or deterioration of the data, and against their abuse or illegal processing. Transfer of Personal Data to Foreign Countries Transfer within the EEA Transfers of personal data to Member States of the EU and the EEA need only comply with the general processing rules under the DPA. Transfer outside the EEA The DPA prohibits transfers outside the EEA unless the destination country ensures adequate protection for the data. In addition, the Data Protection Agency may grant permission (which may be conditional) for the transfer of data if the data controller provides satisfactory guarantees for the protection of the rights of the data subjects. Otherwise, personal data can be transferred outside the EEA under the usual circumstances (e.g. international transfers based on consent do not need to be notified to the Data Protection Agency unless the transfers include sensitive personal data or data of a purely private nature). Sensitive Data Special protection is provided for personal data that are sensitive, i.e. data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life. Under the DPA, “data of a purely private nature” is defined as data on criminal matters, substantial social problems and other matters of a purely private nature. Private sector data controllers may process such data only in certain circumstances.
Data of a purely private nature may not be disclosed without the explicit consent of the data subject, unless such disclosure serves public or private interests that clearly outweigh the interests of the data subject, or unless the disclosure fulfils the requirements for processing of sensitive data. Enforcement Sanctions Any person or legal entity that commits an offence under the DPA is liable upon conviction to a fine or imprisonment. Practice The number of investigations in 2004, counting all cases handled by the Danish Data Protection Agency (including 67 inspections), was 1,825. The Danish Data Protection Agency cannot impose sanctions itself but can only request the Danish Public Prosecution Office to instigate proceedings. To our knowledge, there was only one prosecution last year. That prosecution was decided by the Eastern Division of the High Court, which imposed a fine of approximately EUR 650. So far only fines have been levied. The highest fine imposed to date amounted to approximately EUR 6,500 and was imposed in 2001. The case concerned the unauthorised transfer of the customer database of a newspaper to another newspaper, which used the customer database for marketing purposes. The case did not go to court as the newspaper accepted the fine. Sector specific: E-communications | Directive 2002/58/EC Marketing by E-mail Status of implementation of Article 13 of Directive 2002/58/EC Article 13 of Directive 2002/58/EC has been implemented by Act no. 450 of 10 June 2003 (the “ECA”), which amended Section 6a of the Marketing Practices Act. The ECA entered into force on 25 July 2003. Conditions for sending direct marketing e-mail It is not permitted to transmit unsolicited direct marketing e-mail (or SMS and MMS messages) unless the recipient has notified the sender of his/her consent to such communications being sent by the sender (opt-in approach).
Exemptions It is permitted to send e-mail for the purposes of direct marketing without prior consent where: (a) the unsolicited marketing relates only to products or services similar to those bought by the recipient at the time when the sender obtained the e-mail address; and (b) the recipient was given a simple means (free of charge except for the cost of transmitting the refusal; the use of premium rate telephone numbers or SMS messages is not permitted) of refusing the use of his/her contact details for the purposes of such direct marketing at the time the details were initially collected, and is given the same means with each subsequent communication. This is therefore an opt-out. Scope of application The ECA applies to all customers, including consumers, businesses and public authorities, irrespective of whether the customer is a natural person or a legal entity. Estonia. Contributed by Raidla & Partners General | Directive 95/46/EC National Legislation Status of implementation of the Directive Directive 95/46/EC has been implemented by the Personal Data Protection Act (Isikuandmete kaitse seadus) (the “DPA”) dated 12 February 2003. Entry into force of the implementing legislation The DPA entered into force on 1 October 2003. Scope of Application of the National Legislation Territorial scope of application The DPA is applicable within the territory of Estonia. Transmission of personal data through the territory of Estonia for transit purposes (without other processing) is excluded from the scope of the DPA. Material scope of application The DPA applies both to data that are processed in digital form and to data in paper files. Personal scope of application The DPA only applies to data relating to individuals and not to data relating to legal entities.
Data Controller Entity responsible for compliance with the National Legislation All persons engaged in the processing of personal data are responsible for compliance with the DPA. The DPA defines the data controller as a natural or legal person, or a state or local government agency, which processes personal data or at whose request personal data are processed. National Regulatory Authority (“NRA”) Details of the competent NRA Data Protection Inspectorate Väike-Ameerika 19 10129 Tallinn Estonia www.dp.gov.ee Notification or registration scheme and timing Data controllers are required to notify the Data Protection Inspectorate of the processing of private personal data (i.e. data revealing details of family life, data revealing an application for the provision of social assistance or social services, data regarding mental or physical suffering endured by a person and data collected on a person during the process of taxation, except data concerning tax arrears) at least one month prior to the commencement of processing. No approval from the Data Protection Inspectorate is necessary. In addition, data controllers are required to register the processing of sensitive personal data (see below) with the Data Protection Inspectorate at least one month before the commencement of processing. The Data Protection Inspectorate will refuse to register the processing of sensitive data if there is no legal basis for such processing, if the conditions of processing do not comply with the requirements of the DPA or if the security measures applied do not ensure compliance with the requirements of the DPA. Exemptions Other processing is exempt from notification. Data Quality Rules on the quality of the data processed Personal data must be kept up to date; personal data must be complete and necessary for the specific purpose of the data processing.
Retention period Under the DPA, data controllers must promptly erase or block personal data that are no longer necessary for achieving their specified purposes, unless otherwise prescribed by law. Rights of Data Subjects Right to information Data processors must notify the data subject of the purpose of the processing, the persons to whom transmission of the personal data is permitted, certain information about the data controller and the data subject’s rights with regard to the processing. In addition, certain information must be provided at the request of the data subject, such as the data relating to that data subject and the categories and sources of the data. Right of access/correction/objection and other rights Access: Upon request of the data subject, the data controller must inform the individual whether it has processed or is processing any data concerning him/her. If it does, it must describe the content of such personal data, the purpose for which they are processed and the third parties to which they are, or may be, disclosed. Correction: Data subjects have the right to request rectification of inaccurate data and the blocking or erasure of personal data collected if the processing is not in compliance with the DPA or other legislation. Objection to processing: Data subjects have the right to object to the processing of personal data relating to them if the processing is not in compliance with the DPA or other legislation. Security Security requirements in order to protect the data Processors are required to take organisational, physical and IT security measures to prevent the unauthorised alteration, loss or destruction of data and any unauthorised processing, and to guarantee access to the data to persons who are authorised to access them.
Specific rules governing processing by a third party (processor) on behalf of the data controller Processors must act in compliance with the DPA as well as with the orders and instructions provided by the data controllers, and must maintain the confidentiality of personal data which become known to them. No special additional rules apply to such persons. Transfer of Personal Data to Foreign Countries Transfer within the EEA The DPA permits transfers within the EEA. Transfer outside the EEA The DPA permits transfers outside the EEA to countries whose level of data protection is deemed sufficient by the Commission of the European Communities. Transmission of personal data to foreign countries whose level of data protection is not deemed sufficient by the Commission of the European Communities is allowed only with the permission of the Data Protection Inspectorate, and only if, in the specific case, the data controller guarantees the protection of the rights and private life of the data subject in that country or a sufficient level of data protection is otherwise ensured in that country. When assessing the level of data protection, the circumstances of the transmission are taken into account, including: (i) the categories of data; (ii) the purposes and duration of processing, and the transmission of the data to the country of destination and to the final country of destination; and (iii) the law of that state. Without the permission of the Data Protection Inspectorate, personal data may nevertheless be transmitted to a foreign state where a sufficient level of data protection is not ensured if: (i) the data subject has consented thereto; (ii) the data are transmitted to the foreign state in encrypted form and the information needed to decrypt them (e.g. the key) is not
communicated to the foreign state; or (iii) there are certain significant reasons for the transfer of the data (e.g. the transfer is necessary for the protection of the life, health or freedom of the data subject). Sensitive Data As indicated above, the processing of sensitive personal data is subject to registration with the Data Protection Inspectorate. Sensitive personal data within the meaning of the DPA include data revealing political opinions or religious or philosophical beliefs, ethnic or racial origin, data relating to health or disability, genetic information, sexual life, membership of trade unions and certain information collected in criminal proceedings or in other proceedings to ascertain an offence. Enforcement Sanctions Violation of the requirements for the processing of personal data stipulated in the DPA is treated as a misdemeanour and is punishable by a fine of up to 50,000 kroons (approx. EUR 3,195). Practice According to the information available on the Data Protection Inspectorate’s website, the Inspectorate issued 28 enforcement notices to data controllers in 2004. The main reasons for issuing enforcement notices were non-compliance with the obligation to register the processing of sensitive personal data with the Data Protection Inspectorate and failure to apply additional measures for the protection of sensitive personal data within the term set by the Data Protection Inspectorate. Penalty payments were applied on six occasions, the average penalty being 5,000 Estonian kroons (approximately EUR 320). The Data Protection Inspectorate does not keep statistics on the highest penalty levied to date. However, it confirmed that fining and imposing penalty payments is rather rare and that in practice it only uses such measures if a data controller violates the law and does not bring its activities into compliance with the law even after an enforcement notice has been issued.
Sector specific: E-communications | Directive 2002/58/EC Marketing by E-mail Status of implementation of Article 13 of Directive 2002/58/EC Article 13 of Directive 2002/58/EC has been transposed into Estonian law by the Information Society Service Act (Infoühiskonna teenuse seadus) (the “ECA”), which entered into force on 1 May 2004. Conditions for sending direct marketing e-mail Pursuant to the ECA, direct marketing by e-mail is allowed only to recipients who have given their prior consent (opt-in regime). In addition, the recipient must be expressly informed of how to refuse marketing messages in the future, and the possibility of exercising that right by electronic means must be provided. The ECA also specifies certain information about the sender (service provider) which must be communicated to recipients, as well as criteria which the direct marketing e-mail must meet. Exemptions The ECA does not provide any exemptions from the opt-in regime. Scope of application The ECA does not differentiate between individuals and corporate entities as recipients of marketing e-mail and applies to both. Finland. Contributed by Hannes Snellman Attorneys at Law General | Directive 95/46/EC National Legislation Status of implementation of the Directive Directive 95/46/EC has been implemented by the Finnish Personal Data Act (Henkilötietolaki 1999/523) (the “DPA”) dated 22 April 1999. Entry into force of the implementing legislation The DPA came into force on 1 June 1999. Scope of application of the National Legislation Territorial scope of application The DPA applies to the processing of personal data where the data controller is: (i) established in Finland; (ii) not established in Finland but otherwise subject to Finnish law; or (iii) not established in the EU but uses equipment located in Finland in the processing of personal data (other than for mere transit purposes).
In case (iii), the data controller must designate a representative established in Finland. Material scope of application The DPA makes no distinction between manual and electronic files. Thus, it applies equally to personal data files of all forms. Personal scope of application The DPA only applies to data relating to natural persons. Data relating to legal entities remain outside the scope of the DPA. Data Controller Entity responsible for compliance with the National Legislation The responsibility for compliance with the DPA lies with the data controller. The DPA defines a data controller as a person, corporation, institution or foundation, or a number of them, for whose use a personal data file is set up and who is entitled to determine the use of the file, or who has been designated as a data controller by law. National Regulatory Authority (“NRA”) Details of the competent NRA The Office of the Data Protection Ombudsman (supervises processing in order to achieve the objectives of the DPA) P.O. Box 315 00181 Helsinki Finland www.tietosuoja.fi The Data Protection Board/Ministry of Justice (deals with questions of principle relating to the processing of personal data) P.O. Box 25 00023 Council of State Finland www.tietosuoja.fi Notification or registration scheme and timing Unless the processing is exempt, the data controller must notify the Data Protection Ombudsman of automated data processing, and of any transfer of data outside the EEA that requires such a notification, no later than 30 days before the processing commences. No approval is required. Exemptions Every data controller who processes personal data must notify the Data Protection Ombudsman unless exempt.
Exemptions apply if, inter alia: (i) the data subject has unambiguously consented to the processing; (ii) the data subject has given an assignment for processing, or the processing is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract; (iii) processing is necessary, in an individual case, in order to protect the vital interests of the data subject; (iv) processing is based on a law or is necessary for compliance with a task or obligation to which the data controller is bound by virtue of an act or an order issued on the basis of an act; (v) there is a relevant connection between the data subject and the operations of the data controller, based on the data subject being a client or member of, or in the service of, the data controller; (vi) the data relate to the clients or employees of a group of companies or another comparable economic grouping, and they are processed within that grouping; or (vii) the Data Protection Board has granted permission for the processing. In addition, derogation may be provided by a decree if it is evident that the processing of personal data does not compromise the protection of the privacy of the data subject, or his/her rights of freedom. Data Quality Rules on the quality of the data processed The personal data processed must be necessary for the declared purpose of the processing (necessity requirement). The data controller must also ensure that no erroneous, incomplete or obsolete data are processed (accuracy requirement). Retention period If a personal data file is no longer necessary for the data controller’s operations, it must be destroyed unless an act or lower-level regulation contains specific provisions for continued storage of the data. Sensitive data must be erased from the data file immediately when there no longer is a reason for its processing. 
Rights of Data Subjects Right to information The data subject has the right to be informed, upon collection and recording of personal data by the data controller or, if the data are obtained from a source other than the data subject and intended for disclosure, at the latest at the time of first disclosure of the data, of: (i) the name and address of the data controller and, where necessary, the data controller’s representative; (ii) the purpose of the processing; (iii) the regular destinations of disclosed data; and (iv) how the data subject may exercise his/her rights with respect to the processing in question. Additionally, certain specific rules apply with regard to the provision of information to the data subject on the processing of data contained in a credit data file and the related right of access. Right of access/correction/objection and other rights Access: Data subjects have the right to access personal data relating to them or to a notice that the file contains no such data, upon signed request or personal appearance at the premises of the data controller. Correction: At the request of the data subject, or on his/her own initiative, the data controller must without undue delay rectify, erase or supplement personal data contained in its personal data file which is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. Objection to processing: A data subject has the right to prohibit the data controller from processing personal data for direct advertising, distance selling, other direct marketing, market research, opinion polls, public registers or genealogical research. Security Security requirements in order to protect the data The data controller must carry out the technical and organisational measures necessary to secure personal data against unauthorised access, accidental or unlawful destruction, manipulation, disclosure and transfer and other unlawful processing. 
Specific rules governing processing by a third party (processor) on behalf of the data controller The processor must, before starting to process the data, provide the data controller with appropriate commitments and other adequate guarantees of the security of the data as described above. Anyone who has gained knowledge of the characteristics, personal circumstances or economic situation of another person while carrying out measures relating to data processing must not disclose the data to a third person in contravention of the DPA. Transfer of Personal Data to Foreign Countries Transfer within the EEA The DPA permits transfers within the EEA. Transfer outside the EEA Personal data may be transferred to countries outside the EEA only if the country in question guarantees an adequate level of data protection. The Data Protection Ombudsman must be notified when data are transferred on this basis. The European Commission has specifically approved certain countries as having an adequate level of data protection; with respect to these countries no notification is required. Otherwise, personal data can be transferred outside the EEA under the usual circumstances (e.g. when the data subject has unambiguously consented to the transfer, or when the transfer is made using the EC Model Clauses). The Data Protection Ombudsman must be notified when a data transfer contract is used which is not in the model form approved by the European Commission. Sensitive Data According to the DPA, the processing of sensitive data is prohibited.
Personal data are deemed to be sensitive if they relate to, or are intended to relate to: racial or ethnic origin; social, political or religious affiliation or trade union membership; criminal acts, punishment or other criminal sanctions; state of health, illness or handicap, or treatment or other comparable measures; sexual preference or sexual life; or social welfare needs or benefits, support or other social welfare assistance received. There are, however, many exemptions to the prohibition including, among others, the processing of data where the data subject has given express consent. In addition, the DPA contains limitations on the processing of personal identity numbers (which are not as such sensitive data). Enforcement Sanctions The data controller is liable to compensate for economic and other loss suffered by the data subject or another person as a result of the processing of personal data in violation of the DPA. The penalties for a personal data offence, for breaking into a personal data file and for violation of the secrecy obligation are provided for in the Penal Code. The penalties normally range from a fine to one year in prison. Practice According to the 2004 annual report of the Office of the Finnish Data Protection Ombudsman, the number of requests for action (including, e.g., guidance and investigations) made by citizens (i.e. data subjects and data controllers) was around 800. According to the oral, unofficial opinion of the head of department of the Office of the Finnish Data Protection Ombudsman, around 260 of these were investigations. According to the same source, the number of prosecutions in 2004 was 50. The Data Protection Ombudsman must give a prior statement to the public prosecutor before any prosecution, and 50 such statements were given last year by the Data Protection Ombudsman.
According to the head of department of the Office of the Data Protection Ombudsman, the number of requests for statements has increased significantly compared to previous years. According to the same source, the typical penalty is a fine, but information about the typical level of the fine could not be verified. Under the Finnish Personal Data Act (the “DPA”) serious breaches are classed as “personal data file crimes” and are punishable by up to one year’s imprisonment or fines. These include intentional or grossly negligent: (i) processing of personal data in violation of the provisions of the DPA relating to the exclusivity of purpose, the general prerequisites for processing, the necessity and integrity of processing, sensitive data, personal identity numbers or the processing of personal data for specific purposes; (ii) transfer of personal data outside the EU or EEA in violation of the DPA, provided that such transfer violates the privacy of the data subject or causes him/her other damage or significant inconvenience; or (iii) giving false or misleading information and thereby preventing or attempting to prevent a data subject from exercising his/her right of inspection. In addition, breaches of the secrecy obligations are classed as secrecy violations or offences. Less serious breaches are classed as “personal data violations” and are punishable only by fines. These include intentional or grossly
negligent: (i) violation of the provisions relating to the drawing up of the description of the file, defining the purpose of the processing of the personal data, the information on processing of personal data, the rectification of the file, the right of the data subject to prohibit the processing of personal data, and the notification to the Data Protection Ombudsman; (ii) provision of false or misleading data to a data protection authority in a matter concerning a personal data file; (iii) violation of the provisions on the protection and destruction of personal data file; or (iv) breaking a final order issued by the Data Protection Board. Information about the most significant penalty levied to date could not be received from the Office of the Data Protection Ombudsman, but according to the information given by the head of department of the Office of the Data Protection Ombudsman the most significant amount of all personal data crimes relate to the intentional or grossly negligent processing of personal data in violation of the exclusivity purpose of the DPA (e.g. unauthorised use of the data systems and data files). Sector specific: E-communications I Directive 2002/58/EC Marketing by E-mail Marketing by E-mail Status of implementation of Article 13 of Directive 2002/58/EC Article 13 of Directive 2002/58/EC has been implemented by the Finnish Act on the Protection of Privacy in Electronic Communications (Sähköisen viestinnän tietosuojalaki 2004/516) (the “ECA”) dated 16 June 2004. The ECA came into force on 1 September 2004. Conditions for sending direct marketing e-mail Under the ECA, it is not permitted to send unsolicited direct marketing to natural persons by electronic communication, such as e-mail, without the person’s prior consent (opt-in). Under the ECA, direct marketing by electronic communication to legal persons is allowed if the recipient has not specifically refused it. 
The opportunity to opt out must be offered to any legal person in each instance of direct marketing, easily and at no separate cost, and the party undertaking direct marketing must give clear notification of the possibility of such refusal. According to the guidance note of the Office of the Data Protection Ombudsman, although a personal e-mail address based on a company’s domain name (e.g. individual@company) can be used for direct marketing purposes, the recipient is regarded as an individual and prior consent is required, unless the direct marketing has been sent to that person on the basis of his/her job description. The ECA will prohibit the practice of sending e-mail for direct marketing purposes that disguises or conceals the identity of the sender and lacks a valid address to which the recipient may send a request for termination of communications. The ECA will also require that each electronic direct marketing message must, upon receipt, be unmistakably identifiable as a marketing message. This requirement means that the subject field of a direct marketing e-mail message should contain the word ‘advertisement’ or a similar term.

Exemptions
Under the ECA, there is an exemption from the opt-in rule for natural persons with respect to existing customer relationships: where the seller of a product or the provider of a service has obtained the customer’s electronic contact details in the context of the sale of a product or a service, the same seller or provider may use these contact details for direct marketing of its own products in the same product group and of other similar products or services. However, the customer must be given the opportunity to refuse, free of charge and in an easy manner, both when the contact details are first collected and later, on the occasion of each electronic message to the customer (opt-out).
The seller of a product or the provider of the service must notify the customer clearly of the possibility of such a refusal.

Scope of application
The ECA applies to direct marketing in public networks with respect to both individual and corporate recipients.

France

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
After a long legislative process, France (the last EU Member State to do so) finally implemented the Directive into national law by Law no. 2004-801 of 6 August 2004 relating to the protection of individuals against the processing of personal data. This law amends the French Data Protection Act, the “Computer and Liberties” Act of 6 January 1978 (the “DPA”).

Entry into force of the implementing legislation
The DPA, as recently amended, came into force on 6 August 2004.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to the processing of personal data where: (i) the controller is established in France (the controller is considered to be established when its activities are carried out in the context of an establishment, regardless of its legal status); or (ii) the controller is not established in France or in Community territory and, for the purposes of processing personal data, makes use of equipment located in France, unless such equipment is used only for purposes of transit through France or another Member State.

Material scope of application
The DPA applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
The exceptions are: (i) the processing of personal data by a natural person in the course of a purely personal or household activity; and (ii) operations concerning public security, defence or State security.

Personal scope of application
The DPA only applies to data relating to individuals and not to legal entities.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The data controller is defined as the natural or legal person, public authority, agency or any other body that determines the purposes and means of the processing of personal data.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Commission Nationale de l’Informatique et des Libertés (“CNIL”)
21 rue Saint-Guillaume
75340 Paris Cedex 7
France
www.cnil.fr

Notification or registration scheme and timing
The usual regime for the processing of data is that of a prior declaration to the NRA. However, the DPA also provides for a limited number of cases where express authorisation must be obtained from the NRA. The cases where an authorisation is needed under the DPA include the following main categories of processing: (i) the processing of sensitive data; (ii) transfer of data outside the EU to a country without adequate protection; (iii) automated processing which consists of a selection of people and is aimed at excluding some of them from the advantages of a right, a benefit or a contract; (iv) automated interconnection of files; and (v) biometric identity checks, for instance for access controls.

In all cases, the data controller has to fill in a declaration form available on the CNIL’s website. This declaration must either be in ordinary form or in simplified form, the latter requiring minimum information to be provided for the most typical processing (e.g. payroll, management of employees, customer files).
Simplified forms can be submitted electronically. The notification to the NRA must take place prior to collecting and processing the data, which can only start from the date the data controller receives a receipt from the CNIL. The NRA has two months within which to reply, failing which the processing is deemed to have been accepted.

Exemptions
All processing of personal data must be notified except: (i) processing whose sole purpose is the keeping of a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest; (ii) processing carried out by an association or any other non-profit-seeking body with a religious, philosophical, political or trade union aim; and (iii) processing for which the data controller has appointed a personal data protection officer responsible for ensuring the application of the obligations provided by the law and for keeping a register of processing, except where a transfer to a non-Member State is contemplated.

Data Quality

Rules on the quality of the data processed
The data shall be: (i) fairly and lawfully collected and processed; and (ii) collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. The data shall also be: (i) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; and (ii) accurate, complete and, where necessary, kept up to date. Appropriate steps must be taken to ensure that data that are inaccurate or incomplete in relation to the purposes for which they were collected or further processed are erased or rectified.

Retention period
The data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or further processed.
Rights of Data Subjects

Right to information
The data subject shall be provided by the controller or his/her representative with the following information: (i) the identity of the controller and of his/her representative, if any; (ii) the purposes of the processing; (iii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply; (iv) the identity of the recipients or the category of recipients to which the recipients belong; (v) the existence of the right of access to and the right to rectify his/her personal data; and (vi) in the case of international transfer of data to a non-EU Member State, information on such transfer.

Right of access/correction/objection and other rights
Access: Data subjects have the right to obtain from the controller: (i) confirmation as to whether or not their data are being processed; (ii) information regarding the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed; (iii) in the case of international transfer of data to a non-EU Member State, information about such transfer; (iv) communication in an intelligible form of the data and of any available information as to their source; and (v) the logic involved in the processing. A copy of the data processed is provided to the data subjects. The controller may object to abusive queries from data subjects.

Correction: Data subjects also have the right to ask the controller to rectify, complete, update, block or erase their data where they are incomplete or inaccurate, or where the use, transfer or storage of such data is forbidden.

Object to processing: Data subjects have the right to object at any time to the processing of their personal data on compelling legitimate grounds.
Data subjects also have the right to object, free of charge, to the processing of their personal data for direct marketing purposes by the current or future data controller.

Security

Security requirements in order to protect the data
The data controller or any person acting under its instructions must implement appropriate technical and organisational measures to safeguard the security of the personal data, in particular in order to avoid any distortion, damage or unauthorised disclosure to a third party. The measures implemented shall ensure a level of security appropriate to the risks arising out of the processing and the nature of the personal data.

Specific rules governing processing by a third party (processor) on behalf of the data controller
Wherever a sub-contractor is involved (a processor acting on behalf of the data controller being viewed as a sub-contractor), the data controller shall ensure that: (i) the sub-contractor presents sufficient guarantees to enable the implementation of the security and confidentiality measures and that the sub-contractor complies with the same security requirements; and (ii) the contract with the sub-contractor contains all necessary provisions in terms of security of the processing of the data. In addition, the sub-contractor may only act upon the instruction of the provider, and the data controller remains in all cases jointly liable with respect to the security and confidentiality of the personal data.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
Data can be transferred freely to EEA countries, provided the data controller: (i) informs the data subject; and (ii) completes a declaration with the CNIL (which delivers a receipt enabling the transfer without delay).
Transfer outside the EEA
The transfer of data outside the EEA is possible only to countries which ensure an adequate level of protection (a list of which has been established by the European Commission). The DPA provides exemptions from the prohibition against transferring data to countries that do not guarantee an adequate level of protection, which include, in particular: (i) the use of EC Model Clauses; and (ii) the use of Binding Corporate Rules. Furthermore, the DPA provides for a list of other exemptions which do not rely on a contractual basis and include, among others, the consent of the data subject. However, the NRA considers that the data subject’s consent is almost never sufficient when the transfer relates to employees’ personal data.

Sensitive Data
The processing of data revealing directly or indirectly racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life data, health data or judicial data is restricted under French law. These data may only be processed under specific circumstances described in the DPA.

Enforcement

Sanctions
The CNIL may issue a wide array of penalties including: (i) a warning; (ii) a formal demand; (iii) the issuing of an injunction to cease processing; and (iv) financial sanctions of up to EUR 150,000 for the first breach (and up to EUR 300,000 in the case of a second breach). Criminal sanctions may also be imposed, up to a maximum of five years’ imprisonment and fines from EUR 15,000 to EUR 300,000.

Practice
There were 45 investigations last year, seven warnings by the CNIL (against financial institutions) and two denunciations to the public prosecutor. In relation to the typical level of penalties imposed, there have been no administrative fines so far; in addition, the level of criminal fines is rather low (i.e. a maximum of EUR 5,000 according to a review of the relevant case law).
In relation to the most significant penalty levied to date, the Commercial Court of Paris gave an exemplary judgment, dated 5 May 2004, against a French spammer. The French company was the origin of a massive campaign of sending unwanted e-mails and was ordered to pay EUR 10,000 in damages and EUR 12,000 in prosecution fees. In addition, the judges ruled that the company was not allowed to send any other unwanted e-mails using AOL and Microsoft Hotmail services.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of the European Directive 2002/58/EC was implemented on 21 June 2004 into the “Loi pour la confiance dans l’économie numérique” (Law for trust in computer processing in the economy) (the “Law”). It modifies article L. 33-4-1 of the Code of Post and Telecommunication and is mentioned in article L.121-20-5 of the Consumption Code.

Conditions for sending direct marketing e-mail
Direct marketing e-mail requires the “prior consent” of the recipient (opt-in). “Prior consent” is defined by the Law as a “free, specific and informed manifestation of consent to his/her personal data being used for direct marketing purposes”. Direct marketing e-mails are defined as “any messages intending to promote, directly or indirectly, goods, services, or the image of a person that sells goods or services”.
Exemptions
Direct marketing via e-mail is authorised if: (i) the person’s personal data has been obtained directly from him/her in compliance with the DPA; (ii) the data has been obtained during the course of a sale or a service; (iii) the direct marketing relates to similar products or services; and (iv) the recipient is expressly and unambiguously given the possibility to oppose (without any cost to himself except those of the transmission of the refusal) the use of his/her personal data, both when the data are collected and in any marketing e-mail. This is opt-out.

Scope of application
The Law applies to individual contacts but not to company contacts.

Germany

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
The Data Protection Directive 95/46/EC has been implemented into German law under the German Federal Data Protection Act (Bundesdatenschutzgesetz - the “DPA”).

Entry into force of the implementing legislation
The DPA came into force on 23 May 2001.

Scope of Application of the National Legislation

Territorial scope of application
The DPA is only applicable to data controllers located in Germany and does not apply to data controllers located in another Member State of the EU or the EEA, except where collection, processing or use of personal data is carried out by a branch in Germany (the principle of origin). The DPA is also applicable to data controllers not located in a Member State of the EU or the EEA who collect, process or use personal data in Germany (the principle of territoriality).

Material scope of application
The DPA is only applicable to the collection, processing and use of personal data by means of data processing systems and non-automated filing systems, such as manual record cards.
Personal scope of application
The DPA only applies to information concerning the personal or material circumstances of an identified or identifiable individual and does not apply to legal entities.

Data Controller

Entity responsible for compliance with the National Legislation
The responsibility for complying with the provisions set out in the DPA is borne by the data controller. The data controller is defined as any person or body that collects, processes or uses personal data on its own behalf or commissions others to undertake the same on its behalf.

National Regulatory Authority (“NRA”)

Details of the competent NRA
There are 20 different regional supervisory authorities responsible for monitoring the implementation of data protection. The names, addresses and websites of these supervisory authorities are available at www.bundesdatenschutz.de (select “Anschriften und Links” and then “Die Aufsichtsbehörden für den nichtöffentlichen Bereich”).

Notification or registration scheme and timing
In general, automated processing procedures are only required to be registered with the competent supervisory authority in advance if: (i) the data controller has not appointed a data protection official (which is usually the case in Germany), unless a maximum of four employees are involved in the collection of personal data and either consent has been obtained or the use of the data serves the purposes of the contract; or (ii) the data controller commercially stores personal data for the purpose of transfer.

Exemptions
See above.

Data Quality

Rules on the quality of the data processed
Personal data must be accurate and kept up to date at all times. The data controller is only allowed to handle personal data which are absolutely necessary for legitimate purposes.

Retention period
Personal data can only be kept as long as necessary for the purpose of processing.
Rights of Data Subjects

Right to information
The data controller is obliged to inform the data subject if personal data are collected from the data subject or if personal data are stored for the first time for the data controller’s own purposes without the data subject’s knowledge. The data subject must be notified, inter alia, regarding the type of data collected or stored, the purpose of their collection, and the identity of the data controller, unless the data subject has been informed of this via another source.

Right of access/correction/objection and other rights
The data subject may request to see such information at any time. The data subject may demand the correction of incorrect data as well as the deletion or blocking of personal data, the storage of which is not, or is no longer, covered by legitimate purposes. The data subject has the right to object to personal data being transferred for purposes of advertising, market and opinion research.

Security

Security requirements in order to protect the data
Public and private bodies processing personal data, either on their own behalf or on behalf of others (processors), are obliged to ensure that all necessary technical and organisational measures are taken in order to comply with the provisions set out in the DPA. Pursuant to the Annex to the DPA, measures must be taken with regard to access control, transmission control, input control and availability control.

Specific rules governing processing by a third party (processor) on behalf of data controller
In the event that a third party (processor) is handling personal data on behalf of a data controller, the processor and the data controller need to conclude a written agreement about the commissioned processing of data and specify, inter alia, the details of the handling of the personal data. Where processors are commissioned to handle data, the responsibility for compliance with the provisions of the DPA is borne by the data controller.
Therefore, the controller must ensure that the data are processed strictly in accordance with its instructions (job control).

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
If the general provisions for the transfer of personal data set out in the DPA have been complied with, the transfer of personal data to Member States of the EU or the EEA and to countries that guarantee an adequate level of data protection is permissible without any additional requirements.

Transfer outside the EEA
If the general provisions for the transfer of personal data set out in the DPA have been complied with, transfer of personal data to the USA is permissible if the data importer has signed up to the Safe Harbor, and transfer to all other countries is permissible if: (i) the EC Model Clauses are complied with; (ii) the data subject has given his/her consent; or (iii) the transfer is necessary for the fulfilment of a contract with the data subject.

Sensitive Data
The rules applicable to the processing of sensitive data (data in relation to race, ethnicity, political opinions, religious or philosophical convictions, trade union membership, health and sexual life) are more restrictive. In most cases, it is only possible to legally transfer such data after obtaining the data subject’s consent.

Enforcement

Sanctions
Should a data controller infringe the data subject’s rights under the DPA, the data subject is entitled to injunctive relief and compensation for damages. In addition, the competent governmental authority can impose administrative fines and penalties in case of a violation of the DPA.

Practice
With respect to any information about investigations and prosecutions in Germany, two things should be noted:

1. Reliable information is very hard to obtain. This is due to the fact that in Germany there is not one single data protection authority, but one federal authority and several state authorities in each of the 16 German states (in fact, there are not even single authorities in each of these states, but in some cases several authorities responsible for data protection and investigations etc.). In addition, the reports published by the various data protection authorities do not contain details of penalties imposed or the facts of the relevant cases.

2. In Germany there is a distinction between criminal sanctions (Straftaten) and administrative fines (Ordnungswidrigkeiten). Both types of investigations are applicable in relation to data protection infringements.

Based on these facts, the information relating to enforcement in practice is as follows: (i) there were 274 investigations relating to criminal offences under the German federal and state data protection laws in 2004. With respect to investigations relating to administrative fines, the figures vary between the German states from zero (Mecklenburg-Vorpommern) to 30 (Bavaria); (ii) with respect to actual prosecutions in 2004, the figures are unclear. Out of the 274 investigations in 2004, there have been 203 decisions, including convictions but also acquittals. With respect to administrative fines, the number of prosecutions is also unknown but should likewise be lower than the figures for investigations; (iii) information with respect to the typical level of penalties is also vague. With respect to criminal convictions, actual figures could not be obtained. With respect to administrative fines, the convictions range from less than EUR 100 to a maximum of EUR 10,000 (compared to the statutory range of up to EUR 250,000). There are rumours that there have been considerably higher fines recently; however, confirmation of this could not be obtained; and (iv) accordingly, based on the rather vague information available, the most significant penalties are approximately EUR 5,000. The cases mostly relate to the reluctance of companies to co-operate with data protection authorities. In another case involving a high penalty, a medical doctor disposed of patient data without any precautions.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Directive 2002/58/EC has in the meantime been implemented into German law. Article 13 of Directive 2002/58/EC has been implemented both in the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb - the “UCA”) dated 3 July 2004 and in the revised German Telecommunications Act (Telekommunikationsgesetz - the “TA”) dated 22 June 2004.

Conditions for sending direct marketing e-mail
According to the UCA and the TA, direct marketing via e-mail principally requires the prior explicit consent of the recipient (opt-in).

Exemptions
However, it is possible for a company to send e-mails to a subscriber for its own direct marketing purposes if the company has obtained the “electronic address” during the course of a sale or negotiation and the marketing relates to similar products or services, unless the recipient has prohibited the use of his/her address. In these cases it is sufficient if the subscriber is given an opt-out opportunity and is informed in an appropriate manner that his/her right to object can be exercised at any time.

Scope of application
In relation to e-mail marketing, German law does not distinguish between individual and corporate subscribers.

Greece
Contributed by J Karageorgiou & Associates

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC (the “Directive”) has been implemented by the Data Protection Act (Law 2472/1997) (the “DPA”).

Entry into force of the implementing legislation
The DPA came into force on 10 November 1997.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to any processing of personal data, provided: (i) it is carried out by a controller or processor established in Greek territory or in a place where Greek law applies by virtue of international law; (ii) the processing relates to persons established in Greek territory; or (iii) it is carried out by a controller established in the territory of a non-EU country who makes use of equipment, automated or otherwise, situated in Greek territory, for the purposes of processing personal data (except for mere transit purposes).

Material scope of application
The DPA regulates the fully and partially automated processing of personal data and the non-automated processing of personal data included in a filing system.

Personal scope of application
The DPA only applies to data relating to individuals.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The data controller is defined as a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed. The data controller can be a natural or legal person, public authority, agency or any other organisation.
National Regulatory Authority (“NRA”)

Details of the competent NRA
Data Protection Authority
1-3 Kifisias Avenue
Ampelokipi
115 23 Athens
Greece
www.dpa.gr

Notification or registration scheme and timing
The data controller must notify the Data Protection Authority in writing of the establishment of a filing system and the commencement of a data processing activity. No approval by the Data Protection Authority is required. The notification must take place before the commencement of any data processing activities. The processing of sensitive personal data requires a special licence issued by the Data Protection Authority.

Exemptions
The data controller is exempt from the obligation of notification to the Data Protection Authority, and from the obligation to obtain permits, in the following cases: (i) when processing is carried out exclusively for purposes relating directly to an employment or project relationship or to the provision of services to the public sector, and is necessary for the fulfilment of an obligation imposed by law or for the accomplishment of obligations arising from the aforementioned relationships, and upon prior notification of the data subject; (ii) when processing relates to clients’ or suppliers’ personal data, provided that such data are neither transferred nor disclosed to third parties. Insurance companies, pharmaceutical companies, companies whose main activities involve the trading of data, and credit and financial institutions (banks etc.) are not exempt from the obligation of notification; (iii) when processing is carried out by societies, enterprises, associations and political parties and relates to personal data of their members or companies, provided that the latter have given their consent; (iv) when processing is carried out by doctors or other persons rendering medical services and relates to medical data, provided that the controller is bound by medical confidentiality or other obligations of professional secrecy, or by legal entities or organisations rendering healthcare services, insurance funds and insurance companies, as well as controllers processing personal data within the framework of programmes of telemedicine or provision of healthcare services via the Internet; and (v) when processing is carried out by lawyers, notaries, unpaid land registrars and court officers and relates to the provision of legal services to their clients.

Data Quality

Rules on the quality of the data processed
Personal data must be: (i) adequate, relevant and not excessive in relation to the purpose for which they are held; and (ii) accurate and up to date.

Retention period
Personal data must be kept for no longer than is considered necessary by the Data Protection Authority. On expiry of that period, the Data Protection Authority may allow further storage for historical, scientific or statistical purposes, as long as it considers that there is no violation of the rights of the data subject or any third party.

Rights of Data Subjects

Right to information
The data controller is obliged, during the collection of personal data, to inform data subjects of the following: (i) the identity of the data controller and/or any representative; (ii) the purpose of the data processing; (iii) the intended recipients of the data; and (iv) the existence of the data subject’s right of access.
Right of access/correction/objection and other rights
Access: Data subjects may obtain copies of their personal data on written request to data controllers.
Correction: Data subjects may require to have their data rectified.
Objection to processing: A data subject may require in writing that the data controller cease processing. The right to object includes provisional non-utilisation, locking, non-transmission or deletion.
Other: A data subject can seek provisional judicial protection from the competent court, such as immediate suspension or non-application of an act or decision affecting the data subject, issued by an administrative authority or public law entity or association or natural person solely on automated processing of data, intended to evaluate the subject’s personality, effectiveness at work, creditworthiness, reliability or general conduct.

Security
Security requirements in order to protect the data: Data controllers must take appropriate organisational and technical security measures to protect against accidental or unlawful destruction, loss, alteration, illegal disclosure, access or any other form of unlawful processing of personal data.
Specific rules governing processing by a third party (processor) on behalf of data controller: The processor must fulfil certain professional qualifications and provide sufficient guarantees in respect of technical expertise and personal integrity to ensure confidentiality. If the processor is not dependent upon the data controller (i.e. is not an employee of the controller), there must necessarily be a written contract.

Transfer of Personal Data to Foreign Countries
Transfer within the EEA: The DPA permits transfers within the EEA.
Transfer outside the EEA: The DPA prohibits transfers outside the EEA unless the destination ensures adequate protection for the data. Transfer to non-EEA countries is also permitted following special permission granted by the Data Protection Authority and if one of a number of conditions is satisfied (e.g. with the consent of the data subject).

Sensitive Data
Sensitive personal data is defined by the DPA as information referring to racial or ethnic origin, political ideas, religious or philosophical beliefs, participation in unions, syndicates or other social groups, health, social welfare and sex life, as well as criminal sanctions or convictions. The processing of sensitive personal data is permitted by data controllers who have obtained a licence from the Data Protection Authority and when, in addition, one or more of the following conditions are met:
(i) the written consent of the data subject has been obtained;
(ii) the processing is necessary to protect the vital interests of data subjects, if they are physically or legally unable to give their consent;
(iii) the processing is for defence of the data subject’s right in a court of justice;
(iv) the processing is for purposes of preventive medicine, medical diagnosis, provision of care or management of healthcare services and is carried out by a health professional subject to the obligation of professional secrecy or relevant codes of conduct;
(v) the processing is for purposes of national security, criminal or correctional policy or public health and is carried out by a public authority;
(vi) the processing is for research or scientific purposes, provided that anonymity is maintained and all necessary measures for the protection of the persons involved are taken; and
(vii) the processing is for journalistic purposes and concerns data pertaining to public figures, provided that such data are in connection with the holding of public office or the management of third parties’ interests.

Enforcement
Sanctions: Administrative (i.e. imposition of fines, temporary or definitive revocation of licences, destruction of files), civil (i.e. compensation) and criminal (i.e. imprisonment and imposition of fines).
Practice: During 2004, the Greek DPA performed 26 investigations: 17 investigations were conducted ex officio and nine following a complaint of a natural person or legal entity (extraordinary investigations).
(a) “Ex officio investigations” were conducted with regard to the following items: eight investigations regarding health and sensitive personal data; four investigations regarding closed circuit TV; two investigations about Olympic Games security; and three investigations about airlines and the transfer of passenger name records to the USA.
(b) “Extraordinary investigations” were conducted with regard to: reality games; video surveillance; health and sensitive personal data; closed circuit TV; and the right to access personal data.
The number of prosecutions in 2004 was about 20. More specifically, the Greek DPA imposed on controllers: 12 penalties; four recommendations; two warnings; and two decisions to destroy files containing data collected and processed. The Greek DPA usually imposes fines of between EUR 5,000 and EUR 20,000. In relation to the most significant penalty levied to date, the Greek Authority imposed a fine amounting to EUR 50,000 on an insurance company for the collection of sensitive personal data regarding the health of a patient claiming compensation from the insurance company, without his prior consent. The Greek authority decided that the sensitive personal data that had actually been collected were irrelevant to the purpose of the data collection and processing and that the collection violated the personality and the right of privacy of the claimant.

Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC: Article 13 of Directive 2002/58/EC has not yet been implemented in Greek legislation.
A draft law has been prepared by the Greek Ministry of Justice, replacing the existing Law 2774/99 solely regarding data protection in the telecommunication sector, and it is expected to be submitted to the Greek Parliament for enactment within the next few months. The draft law is currently not available. Until the new legislation comes into force, article 9 of Law 2774/99 is still enforceable and designates that “unsolicited communications may only be allowed in respect of subscribers who have given their prior consent” (the “Opt-in Principle”). Furthermore, paragraph 2 of the same article provides that unsolicited communications are prohibited where natural or legal persons have been registered in “Opt-out Registers”, declaring in that way that they do not wish to receive any commercial communication. This provision is in compliance with article 6 of Presidential Decree No. 131/2003 (which implemented Directive 2000/31/EC on Electronic Commerce), regarding the obligation of service providers undertaking unsolicited commercial communications by e-mail to consult on a regular basis and respect Opt-out Registers, in which natural or legal persons who do not wish to receive such commercial communications are registered.

Hungary

General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive: Directive 95/46 has been implemented by Act No. LXIII of 1992 on the protection of personal data and the disclosure of public information (the “DPA”).
Entry into force of the implementing legislation: The DPA entered into force originally on 1 May 1993; its latest amendment entered into force on 1 July 2005.

Scope of application of the National Legislation
Territorial scope of application: The DPA applies to all data processing operations performed in the Republic of Hungary.
Material scope of application: The DPA applies to both manual and electronic files.
Personal scope of application: The DPA applies only to individuals.

Data Controller
Entity responsible for compliance with the National Legislation: The data controller is responsible for compliance with the DPA. A data controller is the natural or legal person or unincorporated organisation that determines the purpose of the processing of personal data, makes decisions regarding data management (including the means) and implements such decisions itself or engages a processor to implement them.

National Regulatory Authority (“NRA”)
Details of the competent NRA: The Parliamentary Commissioner for Data Protection and Freedom of Information (the “Commissioner”), Nádor u. 22, H-1051 Budapest, Hungary, http://abiweb.obh.hu/abi/
Notification or registration scheme and timing: Any data processing must be notified in the Data Protection Register (the “Register”) kept by the Commissioner. It consists simply of filing information. The notification must take place prior to the commencement of the data processing activity. It should be noted that the wording of the DPA only requires the notification of data controlling; however, the Commissioner requires the notification of data processing activities as well.
Exemptions: Data controllers do not have to notify to the Register the following types of data processing operations:
(i) when it concerns the data of the data controller’s employees, members, students or customers;
(ii) when carried out in accordance with the internal rules of the church or other religious organisation;
(iii) if it concerns the personal data of a person undergoing medical treatment, for the purposes of health care and preventive measures or for settling claims for benefits and services in the social insurance system;
(iv) where it contains information concerning the provision of social and other benefits to the data subject;
(v) where it contains the personal data of persons implicated in an official regulatory, public prosecutor or court proceeding to the extent required for such proceeding;
(vi) if it contains personal data for official statistical purposes, provided there are adequate guarantees that the data are rendered anonymous in such a way that the data subject is no longer identifiable;
(vii) where it contains data of organisations and bodies falling under the scope of the Media Act, if they are used solely for their own information;
(viii) if it serves the purposes of scientific research, and if the data are not made available to the public;
(ix) if the data are transferred to a public archive; and
(x) if the processing serves the personal purposes of a natural person.

Data Quality
Rules on the quality of the data processed: As a general rule, personal data may only be processed if: (i) the data subject has given his/her consent; or (ii) decreed by law or by a local authority based on authorisation conferred by law concerning specific data defined therein. Personal data collected for processing must be: (i) processed fairly and lawfully; (ii) accurate, complete and, where necessary, kept up to date; and (iii) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected. The use of personal identification codes or any other identifier of general application shall not be permitted.
Retention period: There is no specific retention period in the DPA except that the data may not be kept for longer than necessary for the purposes of processing.

Rights of Data Subjects
Right to information: Prior to the collection of data, the data subject must be informed whether disclosure is voluntary or compulsory and, in the latter case, on which basis. The data subject must also be clearly informed of all aspects concerning the processing of his/her personal data, such as the purpose for which the data is processed and the legal grounds, the person entitled to carry out the processing, the duration of the proposed processing operation and the persons to whom data may be disclosed. Information shall also be provided on the data subject’s rights and remedies. If the provision of the above information to each individual data subject is impossible or is likely to result in unreasonable expense, notification of data processing (in particular for statistical or scientific purposes, including historical research) may occur by way of publishing the fact of the data collection, the scope of the data subjects involved, the purpose and duration of the proposed processing operation and the availability of data. In addition, the register of processing operations may be inspected by any person. An extract of the data contained therein may be requested upon payment of a fee.

Right of access/correction/objection and other rights
Access: Upon the data subject’s request, the data controller must provide information concerning: (i) the data relating to the data subject, including those processed by a data processor on its behalf, the purpose, grounds and duration of processing, and the name and corporate address of the data processor; and (ii) its activities relating to data management, the recipients of its data and the purpose for which they are or have been transferred. Any data subject may also request confirmation as to whether or not data relating to him/her are being processed.
Correction: Any data subject may request the rectification or erasure of his/her personal data, with the exception of those processed by order of legal regulation. Data controllers must correct the data if they are false. Personal data must be erased if: (i) processed unlawfully; (ii) so requested by the data subject; (iii) it is deficient or inaccurate and it cannot be legitimately corrected, provided that deletion is not disallowed by statutory provision; (iv) the purpose of processing no longer exists or the legal time limit for storage has expired; or (v) so instructed by court order or by the Commissioner.
Objection to processing: The data subject has the right to object to the processing of data relating to the data subject: (i) if processing is carried out solely for the purpose of enforcing the rights and legitimate interests of the controller or the recipient, unless processing is prescribed by law; (ii) if personal data are used or transferred for the purposes of direct marketing, public opinion polling or scientific research; and (iii) if the right to object is ensured by law.
Security
Security requirements in order to protect the data: Data controllers and, within their sphere of competence, data processors must implement adequate safeguards and appropriate technical and organisational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of the DPA and other regulations concerning confidentiality and security of data processing. Data must be protected against unauthorised access, alteration, transfer, disclosure by transmission or deletion, as well as damage and accidental destruction. For the technical protection of personal data, the controller, the processor or the operator of the telecommunications or information technology equipment shall implement security measures, in particular if the processing involves the transmission of data over a network or any other means of information technology.
Specific rules governing processing by a third party (processor) on behalf of data controller: The controller and the processor must enter into a written contract for the processing of personal data. Any company interested in the business activity for which the personal data is to be processed may not be contracted for the processing of such data.

Transfer of Personal Data to Foreign Countries
Transfer within the EEA: Transmission of data to EU Member States is treated in the same way as transmission within the territory of the Republic of Hungary.
Transfer outside the EEA: Personal data (including sensitive data) may be transferred, irrespective of the medium and the manner in which it is transferred, to a third-country controller or processor if the data subject has given his/her consent, if the transfer is permitted by law or if it is prescribed by treaty or international convention, provided (in all cases) that the laws of the third country in question afford an adequate level of protection within the meaning of EU standards with respect to the processing of the data transferred.

Sensitive Data
Sensitive data (i.e. personal data revealing racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs, trade union membership, personal data concerning health, addictions, sex life, or criminal record) may only be processed: (i) if the data subject has given his/her explicit consent in writing; (ii) if prescribed by treaty, or if ordered by law in connection with the enforcement of some constitutional right or for national security or law enforcement purposes; or (iii) if ordered by law in other cases.

Enforcement
Sanctions: Criminal sanctions include imprisonment of up to one year (three years in the case of sensitive data), public service or a fine in the amount of HUF 3,000 to HUF 10,800,000 (i.e. approximately EUR 12 to EUR 43,200). If the data controller or processor fails to comply with the Commissioner’s request to cease the unlawful data processing, the Commissioner may order that unlawfully processed data be blocked, deleted or destroyed, or the Commissioner may prohibit the unauthorised data management and/or processing operations and suspend any operation aimed at transferring data abroad. The Commissioner may also announce these unlawful data processing operations to the public. Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by breaching the technical requirements of data protection. Data subjects may file for court action against the controller for any violation of their rights. No compensation shall be paid where the damage was caused by intentional or negligent conduct on the part of the data subject. The court may order publication of its decision.
Practice: Based on the report prepared by the Data Protection Commissioner for the Hungarian Parliament, there were 712 complaints, 386 consultation papers requested, 33 ex officio investigations, 13 other matters in relation to data protection and 169 matters in relation to freedom of information which were handled by the Commissioner's Office in 2004. In terms of the number of prosecutions last year, seven matters in relation to freedom of information and 33 matters in relation to the protection of personal data were initiated by the Commissioner ex officio, i.e. by way of prosecution. In relation to penalties, the Commissioner is not entitled to order penalties as a sanction for the violation of the Hungarian DPA.

Sector specific: E-communications | Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC: Article 13 of Directive 2002/58/EC has been implemented by Act No. C of 2003 on electronic communications (the “Communications Act”) and Act No. CVIII of 2001 (as amended by Act No. XCVII of 2003) on certain aspects of electronic commerce services and information society services (the “ECA”). The ECA entered into force on 23 January 2002, and its latest amendment entered into force on 10 July 2004. The Communications Act entered into force on 1 January 2004, and its latest amendment entered into force on 10 July 2005.
Conditions for sending direct marketing e-mail: According to the ECA, advertising by e-mail is authorised on the basis of an opt-in regime. On the other hand, the Communications Act implementing Article 13 of Directive 2002/58/EC requires that direct marketing messages through the telephone or through other electronic communication tools cannot be forwarded to subscribers who have opted out from the receipt of such messages. Messages from automatic calling machines are authorised on the basis of the prior consent of the subscriber. Please note that, contrary to Article 13(1) of Directive 2002/58/EC, no written consent is required under the opt-in regime for automatic calling machines as set out by the Communications Act.
Exemptions: No exemption is available under the above regimes.
Scope of application: The regime is equally applicable to individual contacts and to corporate contacts.

Iceland

Contributed by LOGOS - Legal Services

General | Directive 95/46/EC
National Legislation
Status of implementation of the Directive: Directive 95/46/EC has been implemented by the Act 77/2000 on the Protection and Processing of Personal Data (the “DPA”).
Entry into force of the implementing legislation: The DPA itself entered into force on 1 January 2001, but the amending Acts 90/2001 and 81/2002, which implemented the Directive, entered into force on 15 June 2001 and 17 May 2002, respectively.

Scope of Application of the National Legislation
Territorial scope of application: The DPA applies: (i) to the processing of personal data on behalf of a controller established in Iceland, if the processing is carried out in the EEA, an EFTA country or a country or a place that the Data Protection Authority lists in a notice in the Law and Ministerial Gazette; (ii) to the processing of personal data despite the controller being established in a country outside the EEA or EFTA if it makes use of equipment and facilities situated in Iceland; and (iii) to the processing of financial and credit standing data concerning legal persons even if the controller is not established in Iceland, if it makes use of equipment and facilities situated in Iceland. Points (ii) and (iii) do not apply if the equipment in question is only used to transmit personal data through the territory of Iceland.
Material scope of application: The DPA applies to both manual files and electronic files.
Personal scope of application: The DPA only applies to data relating to individuals, but refers to Regulation 246/2001 on the Collection and Processing of Financial and Credit Standing Data, which deals with individuals, companies and other legal persons.

Data Controller
Entity responsible for compliance with the National Legislation: The data controller is defined as the party that determines the purposes of the processing of personal data, the equipment that is used, the method of processing and other usage of the data.

National Regulatory Authority (“NRA”)
Details of the competent NRA: The Data Protection Authority, Rauðarárstíg 10, 105 Reykjavík, Iceland, www.personuvernd.is
Notification or registration scheme and timing: Any processing of personal data must be notified to the Data Protection Authority. The Data Protection Authority can decide that the processing of certain general or sensitive personal data likely to represent specific risks to the rights and freedoms of data subjects may not begin until it has been examined and approved by the issuing of a special permit. Notification must take place in a timely manner.
Exemptions: The obligation to notify does not apply if the processing extends only to data that have been and are accessible to the public. The Data Protection Authority has issued instructions according to which the following categories of data processing are exempted from the obligation to notify:
(i) data processing carried out in the regular or standard course of activities, relating solely to those who have a connection to the activities or the relevant field of work, e.g. business associates, employees, members;
(ii) data processing necessary to fulfil legal obligations of the controller;
(iii) data processing necessary to fulfil a contract to which the data subject is a party, or an agreement between labour market organisations;
(iv) data processing extending only to data that have been and are accessible to the public, provided that they are not aligned or combined with other personal data which have not been made accessible to the public;
(v) data processing resulting from electronic surveillance, conducted for the purposes of security and property protection only, provided that legal obligations regarding notification have been fulfilled; and
(vi) wholly manual data processing.
These exemptions do not apply to the following categories of electronic processing of personal data: (i) data processing regarding conduct and individual evaluation, e.g. grades and the performance of employees; (ii) data processing for the purposes of aligning individuals to personal profiles; and (iii) data processing incorporating the transfer of unencrypted personal data abroad.
Data Quality
Rules on the quality of the data processed: The data must be processed in a fair, apposite and lawful manner and their use must be in accordance with good practices of personal data processing. The data must have been obtained for specified, explicit, apposite purposes and not processed further for other incompatible purposes. The data must be adequate, relevant and not excessive in relation to the purposes of the processing; they must be accurate and kept up to date when necessary. The data can only be kept as long as is necessary for the purposes of the processing. The data should be preserved in a form which does not permit identification of data subjects for longer than is necessary for the purposes of the processing.
Retention period: When there is no longer an apposite reason to preserve personal data, the controller must erase them.

Rights of Data Subjects
Right to information: The data subject has a right to be informed by the controller of: (i) the data that are processed about him/her; (ii) the purpose of the processing; (iii) the recipients of the data; (iv) the source of the data; (v) his/her right to access/correct/delete the data; and (vi) the security measures in place, provided it does not diminish the security of the processing. This right to information of the data subject does not, however, apply if: (i) the data are used solely for statistical processing or scientific research, provided that their processing cannot have direct influence on a data subject’s interests; (ii) the rights of the data subject, under that clause, are deemed secondary, in part or wholly, to the interests of others or of his own (in such cases, the considerations to be taken into account include the data subject’s health and the interests of his family members; however, the information may be disclosed to a representative of the data subject, there being no special arguments to the contrary); or (iii) the data is exempted from access under the Access to Information Act or the Administrative Procedures Act.
The controller shall give general information, on any personal data processing conducted on his behalf, to any person that requests such information. Any person who so requests shall be supplied with information on: (i) the name and address of the controller and, where relevant, his representative; (ii) who bears the day-to-day responsibility of fulfilling the controller’s duties under the DPA; (iii) the purpose of the processing; (iv) the categories of personal data being processed; (v) where the data was obtained; and (vi) the recipients of the data, including whether the data are intended to be exported and, if so, to whom. When a controller obtains personal data from the data subject, the controller must provide the data subject with the information listed in the DPA. When a controller collects personal data from someone other than the data subject, the controller shall, with few exceptions, concurrently inform the data subject about the collection and other specific items listed in the DPA.
Right of access/correction/objection and other rights: If incorrect, misleading or incomplete personal data have been registered, or if personal data have been registered without proper authorisation, the data subject can request the data to be rectified, erased or deleted. The data subject also has the right to object to the processing. In addition, the data subject has the right to be informed regarding electronic surveillance. The data subject can also ask about the reasons for individual decisions that are based on automated data processing. When personal profiles are used for specific purposes, the Data Protection Authority can decide that the controller shall notify the data subject and give him certain information.

Security
Security requirements in order to protect the data: The controller must implement appropriate technical and organisational measures to protect personal data against unlawful destruction, accidental loss or alteration and unauthorised access. Having regard to the state of the art and the cost of their implementation, such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. The controller is responsible for having risk analysis procedures and security measures in place, in conformity with laws, rules and instructions given by the Data Protection Authority.
Specific rules governing processing by a third party (processor) on behalf of data controller: A controller is permitted to entrust processing to a processor. The controller and its processor must enter into a written contract that will stipulate that the processor must act only on instructions from the controller and that the obligations set out in the DPA shall also be incumbent on the processing carried out by the processor. Anyone who acts on behalf of the controller or the processor, including the processor itself, may only process personal data according to the instructions of the controller.

Transfer of Personal Data to Foreign Countries
Transfer within the EEA: The transfer of personal data to another country is permitted if the laws of that country provide an adequate level of personal data protection. A country which complies with Directive 95/46/EC is considered to fulfil this requirement.
Transfer outside the EEA: The transfer of personal data is permitted to the countries which the Data Protection Authority lists in a notice in the Law and Ministerial Gazette, having considered the decisions of the Commission of the EU.
The transfer of personal data to a country that does not provide an adequate level of personal data protection is prohibited, unless specific exceptions apply, e.g. if the data subject has consented to the transfer or if the transfer is necessary to establish or fulfil a contract between the data subject and the controller or is in his/her interests. The Data Protection Authority can also authorise a transfer of data in certain cases. Sensitive Data Specific protection is provided for the processing of sensitive personal data. They can only be processed under strict conditions. Processing is permitted when at least one of the conditions (i) to (vi) below has been met and also one of the conditions marked (a) to (j) below is fulfilled. (i) the data subject has unambiguously agreed to the processing or given his consent; (ii) the processing is necessary to honour a contract, to which the data subject is a party, or to take measures at the request of the data subject before a contract is established; (iii) the processing is necessary to fulfil a legal obligation of the controller; (iv) the processing is necessary to protect vital interests of the data subject; (v) the processing is necessary for a task that is carried out in the public interest; or (vi) the processing is necessary in the exercise of official authority vested in the controller or in a third party to whom data are transferred. 
(a) the data subject gives his consent to the processing;
(b) the processing is specifically authorised in another Act of law;
(c) the controller is required, by contracts between the Social Partners, to carry out the processing;
(d) the processing is necessary to protect vital interests of the data subject or of another party who is incapable of giving his consent in accordance with (a);
(e) the processing is carried out by an organisation with a trade union aim or by other non-profit organisations, such as cultural, humanitarian, social or ideological organisations, on condition that the processing is carried out in the course of the organisation’s legitimate activities and relates solely to the members of the body or to individuals who according to the organisation’s goals are, or have been, in regular contact with it; it is, however, prohibited to disclose such personal data to a third party without the data subject’s consent;
(f) the processing extends only to information that the data subject himself has made public;
(g) the processing is necessary for a claim to be established, exercised or defended because of litigation or other such legal needs;
(h) the processing is necessary because of a medical treatment or because of the routine management of health care services, provided that it is carried out by an employee of the health care services who is subject to an obligation of secrecy; or
(j) the processing is necessary for the purposes of statistical or scientific research, provided that the privacy of individuals is protected by means of specific and adequate safeguards.
Material, such as audio and visual material, that is produced by means of electronic surveillance and includes sensitive personal data may be collected even though the above requirements are not fulfilled, if the following conditions are met:

(i) the surveillance is necessary and is conducted for the purposes of security and property protection;
(ii) the material produced by the surveillance may not be handed over to anyone else or processed further except with the consent of the subject of the recording, or in accordance with a decision by the Data Protection Authority; however, material that contains data on accidents or a punishable legal offence may be turned over to the police; and
(iii) the material collected in conjunction with the surveillance shall be deleted when there is no longer an apposite reason to preserve it, unless a special permit is issued by the Data Protection Authority.

The Data Protection Authority can permit the processing of sensitive personal data in instances other than those above if it considers it to be of urgent public interest.

Enforcement

Sanctions

The sanctions for breaching the DPA are both civil and criminal. The Data Protection Authority can order the cessation of processing of personal data, prohibit further use of data or instruct the controller to implement measures that ensure the legitimacy of the processing. The Data Protection Authority can assign to the Chief of Police the task of temporarily halting the operations of the party in question and sealing its place of operation without delay. If the Data Protection Authority’s instructions are not observed, the Data Protection Authority can decide to impose daily fines on the person receiving the instructions, until it concludes that the necessary improvements have been made. Fines can amount to ISK 100,000 per day.
Infringements are also punishable by means of fines or a prison term of up to three years, unless more severe sanctions are provided for in other legal instruments. If a controller or a processor has processed personal data in violation of the DPA, rules or instructions from the Data Protection Authority, the controller must compensate the data subject for the financial damage suffered by him/her as a result.

Practice

According to the Data Protection Authority, no police investigations took place last year, nor in the years before that. Last year the Data Protection Authority had 365 cases for inspection (administrative level), of which 28 were started on its own initiative, 233 were enquiries resulting in the issuing of opinions and 104 were complaints on which the authority handed down a decision. As regards the number of prosecutions last year, the Data Protection Authority does not refer cases to the police/prosecutor, as it is up to the person who thinks there has been an infringement of his privacy rights to make a complaint to the police. There are no statistics available on the number of complaints to the police. To date no one has been prosecuted for infringements of the DPA. Since no prosecution has taken place and only the courts can impose penalties for infringements of the DPA, to date no penalties have been imposed. The Data Protection Authority can, according to some provisions in the DPA, impose daily fines upon the receiver of instructions from the Data Protection Authority if he fails to observe them. This power has never been used.

Sector specific: E-communications
Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC

The Directive has been implemented by the Post and Telecommunication Act No. 81/2003 (the “PTA”), which entered into force on 25 July 2003.
Conditions for sending direct marketing e-mail

There is a general opt-in rule concerning direct marketing by e-mail and other electronic devices. There is, however, a wide exemption to this rule which allows direct marketing by e-mail for the sender’s own products or services, provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details when the details are collected and on the occasion of each message, if the customer has not initially refused such use. The name and address of the sender on whose behalf the communication is made must be clearly indicated in the e-mail.

Exemptions

There are no exemptions to these rules in the PTA.

Scope of application

These rules apply to both individual contacts and corporate contacts.

Ireland.

Contributed by Mason Hayes & Curran, Solicitors

General
Directive 95/46/EC

National Legislation

Status of implementation of the Directive

Directive 95/46/EC has been implemented by the Data Protection Act, 1988 (the “1988 Act”) as modified by the Data Protection (Amendment) Act, 2003 of 10 April 2003 (the “2003 Act”) (collectively, the “DPA”).

Entry into force of the implementing legislation

Most of the implementing provisions came into force on 1 July 2003. Some provisions of the 2003 Act are not yet in force. In addition, in relation to manual data existing prior to 1 July 2003, some provisions of the 2003 Act do not come into operation until 24 October 2007 (see “Material scope of application” below).
Scope of Application of the National Legislation

Territorial scope of application

The DPA applies to data controllers in respect of the processing of personal data where:

(i) the data controller is established in Ireland and the data are processed in the context of that establishment; or
(ii) the data controller is established neither in Ireland nor in any other state that is a contracting party to the EEA but makes use of equipment in Ireland for processing data otherwise than for the purpose of transit through the territory of Ireland.

Material scope of application

The DPA applies to electronic files and generally to manual files. However, there is a transitional period in relation to manual data which already existed prior to 1 July 2003, whereby certain provisions of the DPA shall not apply until 24 October 2007. The provisions involved relate to:

(i) the basic data protection principles, for example fair obtaining and purpose specification;
(ii) additional conditions for legitimate processing of personal data; and
(iii) further conditions for the processing of sensitive data.

Personal scope of application

The DPA only applies to personal data, defined as “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”. Thus, the DPA may apply to data relating to living individuals but not to data relating to legal entities or to deceased persons.

Data Controller

Entity responsible for compliance with the National Legislation

The data controller, whether it is a legal entity or an individual, is responsible for complying with the DPA. A data controller is defined as a person who, either alone or with others, controls the contents and use of personal data.
National Regulatory Authority (“NRA”)

Details of the competent NRA

Office of the Data Protection Commissioner
Block 6 Irish Life Centre
Lower Abbey Street
Dublin 1
Ireland
www.dataprivacy.ie

Notification or registration scheme and timing

Certain data controllers and/or data processors (see “Exemptions” below) must register with the Data Protection Commissioner before commencing the processing of personal data in Ireland. Data controllers and/or data processors are obliged to renew their registration annually, and the Commissioner’s office will contact them six weeks prior to the renewal date. The Data Protection Commissioner may refuse an application for registration in certain circumstances. There is a right of appeal to the Circuit Court against a refusal.

Exemptions

Rather than providing exemptions in respect of certain categories that need not register, the 1988 Act stipulates that the following persons must register with the Data Protection Commissioner:

(a) data controllers, being public authorities and other bodies and persons referred to in the Third Schedule to the 1988 Act;
(b) data controllers, being financial institutions, persons holding authorisations under the EC (Non-Life) Insurance Regulations, 1976, or the EC (Life Assurance) Regulations, 1984, or persons whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts;
(c) any other data controllers who keep personal data relating to:
   (i) racial origin;
   (ii) political opinions or religious or other beliefs;
   (iii) physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose);
   (iv) sexual life; or
   (v) criminal convictions;
(d) most data processors; and
(e) internet access providers and telecommunications service providers.

Although not yet in force, a provision of the 2003 Act provides that all data controllers and data processors will be required to register with the Data Protection Commissioner, subject to a limited number of exceptions.

Data Quality

Rules on the quality of the data processed

Personal data must be accurate and complete and, where necessary, kept up to date. Moreover, the personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

Retention period

Personal data may not be kept longer than necessary for the purpose for which such personal data were originally collected or for which they are legitimately further processed. Where personal data are kept for the purposes of direct marketing, Section 2(7) of the DPA provides that where the relevant data subject requests in writing that the data controller in question cease processing the data for that purpose, the data controller generally has 40 days to accede to such a request.

Rights of Data Subjects

Right to information

Where personal data are obtained directly from the data subject, the data controller must ensure, as far as practicable, that the data subject has, is provided with, or has readily available to him/her the following information:

(i) the identity of the data controller and of its representative(s) within Ireland, if any;
(ii) the purposes of the processing; and
(iii) any other information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject (e.g. information as to the recipients or categories of recipients of the data).

Right of access/correction/objection and other rights

Access: An individual is entitled to be informed whether any data processed by or on behalf of a data controller are personal data relating to that individual.
If they are, the individual may request access to his/her personal data that have been or are being processed, provided that none of the prescribed exceptions applies. Upon receipt of such a request, the data controller is required to provide certain prescribed information in a notice in writing.

Correction: An individual may apply to a data controller who keeps personal data relating to him/her to have data rectified, blocked or erased in case of contravention of the fair processing principles.

Objection to processing: A data subject may, in certain instances, request a data controller to cease processing his/her data for a specified purpose or in a specified manner.

Others: A data subject may also object to the processing of his/her personal data for the purpose of direct marketing, in which case, depending on the particular circumstances, the data controller may be required to erase the personal data.

Security

Security requirements in order to protect the data

Data controllers or data processors must implement appropriate security measures to protect personal data against:

(i) unauthorised access, unauthorised alteration, disclosure or destruction, in particular where processing involves the transmission of personal data over a network; and
(ii) all other unlawful forms of processing.

Specific rules governing processing by a third party (processor) on behalf of data controller

Where processing of personal data is carried out by a data processor, the data controller must ensure that the processing is carried out in pursuance of a contract in writing or in equivalent form stipulating, in particular, that:

(i) the data processor carries out the processing only on and subject to the instructions of the data controller; and
(ii) the data processor complies with the security obligations outlined above.
Transfer of Personal Data to Foreign Countries

Transfer within the EEA

Personal data may be transferred to a country or territory within the EEA.

Transfer outside the EEA

Personal data may be transferred to countries outside the EEA which have been designated by the European Commission as territories ensuring an adequate level of protection. In the absence of such a designation, there are numerous preconditions, at least one of which will have to be fulfilled before data can be transferred outside the EEA (e.g. the data importer has signed up to the Safe Harbor or the EC Model Clauses, the data subject has consented or the transfer is necessary for the performance of a contract). The DPC has issued guidance in relation to when the prescribed exceptions may be relied upon and, in particular, in relation to when a data subject may be considered to have implicitly consented to the transfer of his/her data outside the EEA. The DPC considers that it may be within the reasonable expectations of staff working for a multinational organisation that routine HR data may be transferred for routine HR purposes to the organisation’s corporate headquarters outside the EEA. However, this may not apply to sensitive data or other information that the employee would consider sensitive.

Sensitive Data

Sensitive data may not be processed unless one of a number of prescribed conditions is satisfied. Sensitive data are defined as personal data as to:

(a) racial or ethnic origin, political opinions or religious or philosophical beliefs;
(b) trade union membership;
(c) physical or mental health or condition, or sexual life;
(d) the commission or alleged commission of any offence; or
(e) any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

Enforcement

Sanctions

Breaches may incur civil liability or criminal sanctions, which include fines of up to EUR 100,000 on indictment but not prison terms.
A breach of a data protection principle is not of itself a criminal offence, but may result in an enforcement notice. The DPA also imposes a duty of care on data controllers to comply with the DPA. Therefore, in the event of a breach of the DPA by a data controller, a data subject might be in a position to claim damages against the data controller for breach of its duty of care towards the data subject.

In 2005 the Irish Data Protection Commissioner (the “DPC”) issued a series of guidance notes intended to clarify a number of different data protection issues. It is expected that in time codes of conduct will be put in place. Some of the issues addressed in the DPC’s guidance notes are outlined below. The guidance notes are available at www.dataprivacy.ie.

Practice

In relation to investigations last year, the Data Protection Commissioner received 385 new complaints, of which 366 were concluded. Of the complaints concluded, 26% were upheld, 63% were resolved informally and 11% were rejected. In addition, there were three prosecutions last year. The typical level of penalties imposed is unknown, as is the most significant penalty levied to date. Under the Irish data protection legislation the Data Protection Commissioner may launch investigations into possible contraventions of the legislation and has the power to arrange an amicable resolution or issue a decision. The Data Protection Commissioner has no power to issue fines in respect of contraventions; however, he may issue a formal decision, which is subject to a right of appeal by either party to the courts. Accordingly, there is very little data on the levels of penalties imposed to draw from, as the majority of investigations are settled amicably.
Sector specific: E-communications
Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC

Article 13 of Directive 2002/58/EC has been implemented by the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 (the “ECA”). The ECA became effective on 6 November 2003.

Conditions for sending direct marketing e-mail

The sending of unsolicited e-mail for the purpose of direct marketing is permitted provided that the consent of the recipient has been obtained. The type of consent required depends on whether the recipient is a natural person (opt-out).

Exemptions

It is permitted to use a customer’s e-mail contact details if:

(i) they were collected in accordance with general data protection laws, in the context of a sale of a product or service, for the purposes of direct marketing;
(ii) the direct marketing relates only to the sender’s own similar products or services; and
(iii) the customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of their e-mail contact details when they are collected and on the occasion of each subsequent message.

This exemption seems to apply in relation to both individual and corporate subscribers.

Scope of application

The ECA applies to natural persons (individuals) and non-natural persons (corporate entities).

Italy.

Contributed by Gianni, Origoni, Grippo & Partners

General
Directive 95/46/EC

National Legislation

Status of implementation of the Directive

Directive 95/46/EC has been implemented by the Protection of Individuals and Other Subjects with regard to the Processing of Personal Data Act (No. 675 of 31 December 1996), which was replaced by the Consolidation Act regarding the Protection of Personal Data (Data Protection Code - Legislative Decree No. 196) (the “DPC”) of 30 June 2003.

Entry into force of the implementing legislation

Law no. 675/96 came into force on 8 May 1997; the DPC came into force on 1 January 2004.

Scope of Application of the National Legislation

Territorial scope of application

The DPC applies to data controllers established in Italy (the DPC also applies to a foreign data controller having a branch in Italy). The DPC also applies if the data controller is established outside the EEA but uses equipment in Italy for processing personal data other than for transit purposes.

Material scope of application

The DPC applies to both manual and electronic files.

Personal scope of application

The DPC applies to data relating to individuals and legal entities.

Data Controller

Entity responsible for compliance with the National Legislation

The entity responsible for data processing is the data controller, which is defined as any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine the purposes and methods of the processing of personal data and the relevant means, including security matters.

National Regulatory Authority (“NRA”)

Details of the competent NRA

Garante per la protezione dei dati personali (Italian Regulatory Authority) (“Garante”)
Piazza di Monte Citorio 121
00186 Roma
Italy
www.garanteprivacy.it

Notification or registration scheme and timing

Unless the processing is exempt, the data controller has to submit a notification to the Garante before commencement of the personal data processing. No approval is required.

Exemptions

Notification is required only with regard to data processing which could jeopardise the rights and freedoms of data subjects because of its methods or the nature of the personal data it relates to.
Accordingly, only data controllers in certain areas of activity (such as health, heavy marketing, the central risk database maintained by banks, telecommunications or user profiling), carrying out certain kinds of processing expressly listed by the DPC, must notify their processing activities.

Data Quality

Rules on the quality of the data processed

The DPC states that the data must be:

(i) accurate;
(ii) up to date; and
(iii) adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Retention period

The data must be retained for a period of time not exceeding that required for the furtherance of the purposes of the processing. The Garante has issued guidelines on the permitted data retention period in relation to specific kinds of data or processing (such as loyalty programmes, databases for consumer credit, reliability and timeliness of payments).

Rights of Data Subjects

Right to information

The data subjects have the right to be informed about:

(i) the purposes and methods of the processing;
(ii) the mandatory or voluntary nature of the supply of data;
(iii) the consequences of a possible refusal to consent to the data processing;
(iv) the (categories of) entities to whom the data may be communicated;
(v) their rights as data subjects; and
(vi) the name and address of the controller and, if applicable, of the data processor.

Right of access/correction/objection and other rights

Access: Data subjects may have access to their personal data by addressing a request to the data controller.

Correction: Data subjects may have their personal data updated, amended or supplemented, or have their personal data cancelled, transformed into anonymous data or blocked, by the data controller. The Garante has specified that a data subject cannot ask for correction of data if the data are the result of an evaluation by the data controller.
Objection to processing: Data subjects may object to the processing of their personal data on the basis of lawful reasons or, in the case of commercial information, advertising material or marketing research, at their discretion.

Security

Security requirements in order to protect the data

In addition to the general duty to implement security measures appropriate to protect personal data from accidental or unlawful destruction, accidental loss, alteration and unauthorised disclosure or access, the DPC requires, under criminal sanction, the implementation of specific technical, logical and organisational minimum security measures set forth in a “Disciplinare Tecnico” (“Technical Specifications”) attached to the DPC.

Specific rules governing processing by a third party (processor) on behalf of data controller

According to the DPC, the data controller has to give instructions to the data processor and ensure that the security measures also apply to data processors.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA

The DPC permits data transfers within the EEA without restrictions.

Transfer outside the EEA

Transfer to non-EEA countries is only permitted if:

(1) the non-EEA country guarantees an adequate level of protection, (a) as recognised by the Garante (e.g. Canada, Hungary, Switzerland, Argentina, Isle of Man, Guernsey, United Kingdom, U.S. companies having adhered to the Safe Harbor principles) or (b) by means of the adoption of standard contractual clauses;
(2) the transfer complies with certain conditions, inter alia:
   (i) the data subject’s consent;
   (ii) the transfer is necessary for the execution of an agreement to which the data subject is a party;
   (iii) the processing relates to personal data regarding legal entities and any other entity or association; and
   (iv) the transfer is necessary in order to judicially challenge, exercise or defend a right.
Sensitive Data

Sensitive data are data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade union nature, as well as personal data disclosing details of health and sexual life. Sensitive data may be processed only with both the data subject’s written consent and the Garante’s prior authorisation.

Enforcement

Sanctions

The DPC sets forth civil, criminal and administrative sanctions. The DPC states that the data controller shall be liable for damages caused by the improper use or disclosure of the processed data. The Garante may impose administrative sanctions (fines), inter alia, in case of:

(i) non-fulfilment of the obligation to provide the data subject with the Information Notice; or
(ii) failure to notify, or incomplete notification to, the Garante.

The DPC provides for up to three years’ imprisonment and publication of the judgment in the event of, inter alia:

(i) unlawful personal data processing, if damage occurs;
(ii) false notification; or
(iii) failure to adopt and implement the required security measures.

The Garante has investigation powers and can also make use of the Financial Police (“Guardia di Finanza”).

Practice

During 2004 the Garante started roughly 100 inspections, mainly in the area of security measures and notification, with specific reference to sensitive data. The investigations resulted in about 20 criminal proceedings and, in several cases, orders blocking the processing. In a regulation in July 2005, the Garante stated that future investigations will focus mainly on internet services, consumer credit, loyalty programmes and interactive television.
Sector specific: E-communications
Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC

Article 13 of Directive 2002/58/EC has been implemented by the DPC. The effective date was 1 January 2004.

Conditions for sending direct marketing e-mail

The DPC provides that sending unsolicited marketing or advertising communications by e-mail is permitted only with the consent of the data subject (opt-in). In any event, the data subject has a right to opt out and must be expressly informed of this right.

Exemptions

The opt-in system is not applicable to e-mail marketing by the sender to parties who are already its clients (opt-out system).

Scope of application

The provisions of the DPC regarding e-mail marketing apply to both individual contacts and corporate contacts.

Latvia.

Contributed by Klavins & Slaidins

General
Directive 95/46/EC

National Legislation

Status of implementation of the Directive

The Law on Protection of Personal Data of Natural Persons (the “DPA”) was adopted on 23 March 2000. The DPA incorporates the principles and provisions of Directive 95/46/EC.

Entry into force of the implementing legislation

The DPA came into force on 20 April 2000.

Scope of Application of the National Legislation

Territorial scope of application

The DPA applies to:

(i) data controllers registered in Latvia;
(ii) processing where the personal data processing equipment is located in Latvia; and
(iii) data processing performed outside Latvia in territories which belong to Latvia in accordance with international agreements.

Material scope of application

The DPA applies to structured sets of personal data recorded in any manner (both manual and electronic files).

Personal scope of application

The DPA only applies to data relating to individuals and not to data relating to legal entities.
Data Controller

Entity responsible for compliance with the National Legislation

The data controller is responsible for compliance with the DPA. The DPA defines a data controller as a natural or legal person who determines the purposes and means of processing of the personal data.

National Regulatory Authority (“NRA”)

Details of the competent NRA

State Data Inspection (“SDI”)
Kr. Barona street 5-4
Riga LV-1050
Latvia
www.dvi.gov.lv

Applications relating to personal data processing systems must be submitted to:

SDI registration department
Dzirnavu street 93
Riga LV-1011
Latvia

Notification or registration scheme and timing

Under the DPA, and unless the processing is exempt, all state and municipal authorities and other natural and legal persons who perform or wish to commence personal data processing and create personal data processing systems must register such processing with the NRA. The NRA reviews the information submitted and, if necessary, performs a pre-registration examination.

Exemptions

Exemptions from registration of processing apply in respect of:

(i) processing for accounting and personnel registration needs;
(ii) processing of personal data not stored in electronic form; and
(iii) processing created by religious organisations or churches referred to in the Civil Law.

Data Quality

Rules on the quality of the data processed

The DPA states that the data controller must ensure the correctness of the personal data and their timely updating, correction and deletion if the personal data are inaccurate or incomplete.

Retention period

The personal data processed shall not be kept in a form which allows identification of the data subject for longer than is necessary for the purpose.
Rights of Data Subjects

Right to information

The data controller must provide the data subject with the details of the data controller and data processor, the purposes for which the data are processed and the reasons for the intended personal data processing.

Right of access/correction/objection and other rights

Access: A data subject has the right to obtain information regarding those natural or legal persons which over a certain period of time have received his/her personal data from the data controller. The data subject also has the right to obtain a copy of all his/her personal data, unless prohibited under the DPA.

Correction: A data subject has the right to request that his/her personal data be supplemented, corrected or destroyed, or that the data processing be terminated, if the personal data are incomplete, out of date, untrue or illegally obtained or if the data are no longer necessary for the purpose for which they were gathered.

Objection to processing: A data subject has the right to object to processing of his/her personal data for direct marketing purposes.

Security

Security requirements in order to protect the data

The data controller and the processor have an obligation to use the necessary technical and organisational means in order to protect the personal data and prevent illegal processing. The mandatory technical and organisational requirements for the protection of personal data processing systems are established by the Cabinet of Ministers of the Republic of Latvia in the form of specific regulations.

Specific rules governing processing by a third party (processor) on behalf of data controller

Data processors must undertake in writing to maintain and not illegally disclose personal data. The data controller has an obligation to register the data processors.
Transfer of Personal Data to Foreign Countries

Transfer within the EEA
Personal data can be transferred to another country if that country ensures a level of data protection which corresponds to the level of data protection effective in Latvia. Assessment of the protection level is made by the NRA, which issues a written consent to the transfer of personal data.

Transfer outside the EEA
Personal data can be transferred to another country if that country ensures a level of data protection which corresponds to the level of data protection effective in Latvia. Assessment of the protection level is made by the NRA, which issues written consent to the transfer of personal data.

Sensitive Data
The processing of sensitive personal data is prohibited, except in certain cases provided for in the DPA. Personal data are sensitive if they relate to racial or ethnic origin, religious, philosophical and political convictions, participation in trade unions or health or sexual life.

Enforcement

Sanctions
The NRA has the right to impose administrative fines or issue warnings for violations of the DPA. These fines range from LVL 25 to 250 for individuals and from LVL 100 to 1,000 for legal entities (1 LVL = EUR 0.70).

Practice
There were 136 investigations by the SDI last year, of which administrative penalties were imposed in 18 cases and fines in 14 cases. A total of LVL 1,610 was collected. The number of prosecutions last year is not known, but the SDI has won all those proceedings which took place. The typical level of penalty imposed on a natural person is LVL 25. For legal persons it is LVL 100, which most often arises out of data processing without a legal basis. The most significant penalty levied to date was LVL 350. The former president of the Bank of Latvia, Mr Repse, was involved in the case. Mr Repse was filmed by CCTV cameras in a supermarket.
Photos were extracted from the CCTV footage and then appeared in “Privata Dzive” (Private Life) magazine. The store’s system manager was found guilty of disclosing the data to the magazine. The SDI fined the supermarket LVL 350.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented in the new Electronic Communications Law (“ECL”). The ECL took effect on 1 December 2004, replacing the Law on Telecommunications. The ECL stipulates the allocation of supervisory functions for the electronic communications market. The ECL provides for the protection of user data, including the protection of personal data in the field of electronic communications services. Supervision of data protection is carried out by the SDI.

Liechtenstein.
Contributed by Wanger Advokaturbüro

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act dated 14 March 2002 and the relevant Ordinance on the Data Protection Act (Data Protection Ordinance) dated 9 July 2002 (together, the “DPA”).

Entry into force of the implementing legislation
The DPA came into force on 1 August 2002.

Scope of Application of the National Legislation

Territorial scope of application
The DPA regulates all data processing conducted as part of the activities of a branch of a data controller in Liechtenstein or by a data controller established in a place where the law of Liechtenstein is applicable, or by a data controller not established in the EEA who makes use of automated or non-automated means located in Liechtenstein for the purpose of processing data, unless such means are used solely for the purpose of transit of data through the EEA.
Material scope of application
The DPA applies to both manual and electronic files.

Personal scope of application
The DPA applies to data relating to individuals and legal entities.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as private persons or authorities who decide on the purpose and content of the processing.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Commissioner Dr Philipp Mittelberger
Data Protection Unit
Aeulestrasse 51
FL-9490 Vaduz
Liechtenstein
www.llv.li/amtstellen/llv-sds-home.htm

Notification or registration scheme and timing
Under the DPA, data controllers must notify the processing of personal data to the Data Protection Registrar prior to commencement of processing if either: (i) personal data are to be disclosed; or (ii) the data controller processes sensitive data or personality profiles and discloses data to third parties, unless there is a legal requirement for the data processing and the data subject is aware of the data processing.

Exemptions
Until an act comes into force regulating the processing of personal data for fighting terrorism, violent extremism, organised crime and illicit news services and for guaranteeing state security, the government may make exceptions to the notification obligation.

Data Quality

Rules on the quality of the data processed
There are no other rules relating to data quality.

Retention period
There are no time limits on retention of data under the DPA.
Rights of Data Subjects

Right to information
Data subjects have the right to obtain information about, including access to, their personal data with regard to: (i) whether or not their personal data are being processed, and information as to the source of those data; (ii) the purpose of the data processing and its legal basis, the categories of personal data concerned and the categories of both the data controller and recipients to whom the data are disclosed; and (iii) the logic involved in any fully automated processing of their personal data.

Right of access/correction/objection and other rights
Access: See “Right to information” above.
Correction: Data subjects have the right to require the rectification, erasure or blocking of personal data if the data are incomplete or inaccurate.
Objection to processing: Unless the processing is authorised by law, data subjects have the right to object to the processing by the data controller of personal data on the grounds of predominant interests which are worthy of protection and which relate to the data subject’s particular situation. Where there is a justified objection, the processing undertaken by the data controller may no longer involve the personal data in regard to which the objection was made.

Security

Security requirements in order to protect the data
Personal data must be protected against unauthorised processing by appropriate technical and organisational measures.

Specific rules governing processing by a third party (processor) on behalf of data controller
The processing of personal data may be entrusted to a data processor provided: (i) the data controller ensures that no processing occurs that it would not be permitted to carry out itself; and (ii) the processing is not prohibited by a legal or contractual duty of confidentiality. The data processor will be subject to the same duties and may assert the same grounds of lawful justification as the data controller.
Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfers within the EEA. Under the DPA, the transfer must be notified to the Data Protection Commissioner in advance, unless the transfer is required in order to comply with a legal obligation and the data subject is aware of the transfer. However, the government may issue further regulations, particularly in order to simplify or create exemptions from the notification requirements when the processing does not adversely affect the data subject, and to specify foreign countries which do not provide adequate protection of personal data. Under the Data Protection Ministerial Order, notification of the transfer of personal data to countries which ensure adequate data protection is not required unless the data are sensitive data or data constituting a personality profile.

Transfer outside the EEA
As with transfer to EEA Member States, under the DPA the transfer must be notified to the Data Protection Commissioner in advance, unless the transfer is required in order to comply with a legal obligation and the data subject is aware of the transfer. However, the government may issue further regulations, particularly in order to simplify or create exemptions from the notification requirements when the processing does not adversely affect the data subject, and to specify foreign countries which do not provide adequate protection of personal data. Under the Data Protection Ministerial Order, notification of the transfer of personal data to countries which ensure adequate data protection is not required unless the data are sensitive data or data constituting a personality profile. States whose data protection legislation is regarded as equivalent are Argentina, Guernsey, Canada, Switzerland and the U.S. Safe Harbor (pursuant to Commission Decision 2000/520/EG of 26 July 2000).
Sensitive Data
Both sensitive personal data and data constituting a personality profile are the subject of specific rules. Sensitive data are data relating to: (i) religious, philosophical or political opinions or activities; (ii) health, sexuality or racial origin; (iii) social security files; and (iv) criminal or administrative proceedings and penalties. “Personality profile” refers to a collection of data that allows the appraisal of fundamental characteristics of the personality of an individual.

Enforcement

Sanctions
The criminal sanctions for breaching the DPA include fines of up to CHF 20,000/360 daily rates (a figure calculated by reference to the income of the offender) or imprisonment for a period of up to one year. The following civil procedures/sanctions also apply under the DPA: (i) under the DPA, in conjunction with the Persons and Companies Act, infringement of the right of personality under the DPA provides a data subject with a right to pursue civil proceedings in court for rectification, destruction or prevention of disclosure of personal data and for compensation for damage suffered; and (ii) the right of access to personal data may be pursued under a special non-contentious civil proceeding (Rechtsfürsorgeverfahren).

Practice
Information about numbers of investigations and penalties imposed is not public.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has not yet been implemented. A Communication Act (the “ECA”) implementing this provision is currently under preparation. It is likely that the ECA will come into force in summer 2006.
Conditions for sending direct marketing e-mail
Under the DPA, where data are processed for the purpose of direct marketing, the data subject must be notified in advance and must be informed of the cost-free and immediately effective right to object to which it is entitled (opt-out). The draft ECA (the so-called Vernehmlassungsbericht) is now available.

Lithuania.
Contributed by Lideika, Petrauskas, Valiunas ir Partneriai

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Law on Legal Protection of Personal Data dated 11 June 1996 (as modified on 17 July 2000, 22 January 2002 and 21 January 2003) (the “DPA”).

Entry into force of the implementing legislation
The latest modifications to the DPA came into force on 1 July 2003.

Scope of Application of the National Legislation

Territorial scope of application
The DPA regulates data processing activities in the territory of the Republic of Lithuania.

Material scope of application
The DPA is applicable to the processing of personal data by automated means (electronic files) and to the processing of personal data by non-automated means (manual files) in filing systems, such as lists, card indexes, files, codes, etc.

Personal scope of application
The DPA only applies to data relating to individuals and not to data relating to legal entities.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. “Data controller” is defined as any natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
National Regulatory Authority (“NRA”)

Details of the competent NRA
The State Data Protection Inspectorate
Gedimino Avenue 27/2
LT-01104 Vilnius
Lithuania
www.ada.lt

Notification or registration scheme and timing
Data controllers are obliged to register with the State Data Protection Inspectorate. The registration needs to be approved by the State Data Protection Inspectorate. Registration must take place prior to commencement of data processing. Unless the processing is exempt, personal data may be processed by automated means subject to notification by the data controller or its representative to the State Data Protection Inspectorate two months before the intended commencement of the data processing activities. Such data processing operations may be carried out only if authorisation has been granted by the State Data Protection Inspectorate. Within two months of receipt of the notification, the State Data Protection Inspectorate must carry out prior checking according to the procedure it determines and grant or refuse authorisation.

Exemptions
Exemptions from the registration/notification procedures described above apply when the data are processed for the purposes of internal administration, or when personal data are processed for journalistic purposes or the purposes of artistic or literary expression, or other means of providing information to the public, or where personal data on the person’s health (condition, diagnosis, prognosis and treatment) are processed by a health care professional, or non-profit organisations which manage data about their members, or data are processed for the purposes of ensuring state and official secrets.
Data Quality

Rules on the quality of the data processed
Under the DPA, personal data must be: (i) accurate, and, where necessary for the processing of personal data, up to date; and (ii) relevant, adequate and not excessive in relation to the purposes for which they are collected and processed.

Retention period
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed.

Rights of Data Subjects

Right to information
Upon submitting to the data controller or the data processor a document certifying his/her identity, the data subject is entitled to obtain information on the source and type of personal data that have been collected, the purposes of processing and the recipient to whom the data are disclosed. Under the DPA, the data subject has the right to be informed about the processing of his/her personal data.

Right of access/correction/objection and other rights
Access: The data subject has the right of access to his/her personal data and to familiarisation with the processing method.
Correction: The data subject has the right to demand rectification or destruction of his/her personal data or restriction of further processing, with the exception of storage, where the data are not processed in compliance with the provisions of the DPA or other legislation. Personal data must be rectified and destroyed in response to the request of the data subject and on the basis of documents confirming his/her identity and personal data.
Objection to processing: The data subject has the right to object to the processing of his/her personal data.

Security

Security requirements in order to protect the data
The data controller must have adequate means for protecting the secrecy of personal data.
The data controller and data processor must implement appropriate organisational and technical measures to ensure the protection of personal data against any accidental or unlawful destruction, alteration and/or disclosure and against any other unlawful processing. These measures must ensure an appropriate level of security in view of the nature of the data to be protected and the risks represented by the processing.

Specific rules governing processing by a third party (processor) on behalf of data controller
The data controller must choose a data processor providing guarantees in respect of adequate technical and organisational data protection measures and ensuring compliance with those measures. When authorising the data processor to process personal data, the data controller must stipulate that personal data must be processed only upon instructions from the data controller. The staff processing personal data, when applying for a job or when performing their work, must assume an obligation in writing to keep the personal data confidential when the data are not meant for public disclosure. This obligation remains valid after the employment has ended.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
Personal data can be transferred to data recipients in foreign countries without receiving authorisation from the State Data Protection Inspectorate if international agreements to which the Republic of Lithuania is a party provide for such a possibility. This exception will be applicable as of 1 May 2004 to data transfers to other EEA countries.

Transfer outside the EEA
As a general rule, personal data may be transferred to data recipients in foreign countries only upon receiving authorisation from the State Data Protection Inspectorate. Such authorisation may be issued provided that there is an adequate level of protection in the recipient country.
The State Data Protection Inspectorate may, however, grant authorisation to transfer personal data to a foreign country which does not guarantee an adequate level of protection if the data controller transferring the personal data specifies to the recipient of the data in a contract the requirements for the safeguarding of personal data. Personal data can be transferred outside the EEA without authorisation from the State Data Protection Inspectorate under the usual circumstances (e.g. the data subject has consented to the transfer of the data; the provision of personal data is necessary for the conclusion or performance of a contract between the data controller and a third party concluded in the interests of the data subject; the transfer of personal data is necessary for the performance of a contract between the data controller and the data subject or the implementation of pre-contractual measures taken in response to the data subject’s request).

Sensitive Data
The DPA defines sensitive data as personal data about an individual’s racial, national and ethnic origin, political opinions, religious and other beliefs, party membership, previous convictions, health, pathological defects and sexual (private) life.
Special protection is provided for personal data that are sensitive, as their processing is prohibited except in certain circumstances: (i) the data subject has given consent; (ii) such processing is necessary for the purposes of work or public service in the exercise of the rights and obligations of the data controller in the field of labour law in cases provided by law; (iii) it is necessary to protect vital interests of the data subject or of any other person, where the data subject is unable to give consent due to a physical disability or because he/she is legally incapable; (iv) processing is carried out in the course of its activities by a foundation, association or any other non-profit-seeking body for political, philosophical, religious or trade union purposes, provided that the processed data relate solely to the members of the body or to persons who have regular contact with it in connection with its purposes; however, such personal data may not be disclosed to a third party without the consent of the data subject; (v) the data have been made public by the data subject; (vi) it is necessary, in cases provided by the DPA, for the prevention and investigation of criminal offences; or (vii) the data are necessary for a court hearing.

Enforcement

Sanctions
Any act of non-compliance with the DPA or secondary data protection legislation gives rise to civil and administrative (but not criminal) liability. Administrative sanctions include reprimand and monetary fines of amounts from EUR 30 to EUR 1,200. Administrative sanctions may only be applied to individuals, and not to legal entities. Affected data subjects may also seek civil damages from either individual or corporate perpetrators.
Practice
In 2004 the Lithuanian DPA (the State Data Protection Inspectorate) carried out 365 investigations, 87 of which were carried out as a result of complaints of individuals, 136 of which were as a result of applications for advance review of planned automated personal data processing, and the rest were carried out by the State Data Protection Inspectorate of its own accord. 27 investigations resulted in administrative prosecutions in 2004. Administrative prosecution can only be initiated against individuals who have committed a data protection violation, or the officer responsible for data protection issues within the company which has committed the violation. If such an officer does not exist, the CEO of the entity is held responsible for the data protection issues. The company itself may not be subject to administrative prosecution. Typical administrative penalties are fines from 300 to 1,000 Litas (EUR 85 to 300). Penalties are roughly doubled for repeated violations. The individual affected by the breach of the DPA is also entitled to claim pecuniary and moral damages. The most significant penalty levied to date was 2,000 Litas (EUR 600) against the responsible officer of one of the biggest Lithuanian commercial banks, which was found to be repeatedly infringing the personal data treatment regime by collecting excessive data on its clients and by transferring personal data to other entities.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by e-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been fully implemented by Article 68 of the Law on Electronic Communications of 15 April 2004 (the “LOEC”) of the Republic of Lithuania, which came into force on 1 May 2004.
Conditions for sending direct marketing e-mail
The LOEC prohibits the use of e-mail for advertising purposes without the prior and free consent of the addressees. The LOEC is designed to be implemented along with the DPA, which provides that personal data may be processed for the purpose of direct marketing if this purpose is expressly declared during the collection of the data and the data subject has given his/her express consent (opt-in). The practice of the State Data Protection Inspectorate, maintained in the most recent cases, suggests that the right of consent must be clearly and separately explained to the data subject, and silence (no response) shall not be considered as consent. In sum, the above regulations clearly impose an “opt-in” system. Additionally, the LOEC expressly prohibits use of e-mail for advertising purposes when the sender’s identity is disguised or a valid e-mail address for the addressee to cancel the sending of such information is not provided.

Exemptions
Only one exemption is provided in the LOEC: no consent needs to be obtained if the e-mail is sent to existing customers, provided that all of the following conditions are fulfilled: (i) the sender of the e-mail directly obtained the electronic contact details of the addressee in compliance with the provisions of the DPA; (ii) the sender uses the electronic contact details only for marketing the sender’s own similar products or services; (iii) the sender offered the customer, at the time of collecting his/her electronic contact details, the clear opportunity, free of charge and in a simple manner, to object to such use; and (iv) the customer has not objected to such use of his/her data in respect of any electronic message.

Scope of application
The above regulatory regime is applicable to both individual and corporate contacts, as it does not specify any particular limitations on the addressees.

Luxembourg.
General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the law of 2 August 2002 on the protection of persons with regard to the processing of personal data (the “DPA”).

Entry into force of the implementing legislation
The DPA entered into force on 1 December 2002.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to: (i) processing done by a data controller that is subject to Luxembourg law; and (ii) processing by a controller that is not based in Luxembourg or any other EU Member State but uses equipment in Luxembourg for processing personal data other than for transit purposes.

Material scope of application
The DPA applies to both manual and electronic files.

Personal scope of application
The DPA applies to data relating to individuals and legal entities.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as a natural or legal person, public authority, agency or any other body that solely or jointly with others determines the purposes and methods of processing personal data. When the purposes and methods of processing are determined by or pursuant to legal provisions, the controller is determined by or pursuant to specific criteria in accordance with those legal provisions.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Commission NPD (“CNPD”)
41, avenue de la gare
L-1611 Luxembourg
www.cnpd.lu

Notification or registration scheme and timing
The data controller must notify all processing to the CNPD. A prior authorisation from the CNPD is required in specific cases. The notification/authorisation has to be done prior to the processing.
Exemptions
The exemptions from the notification/authorisation requirement include: (i) the existence of a data protection official appointed by the data controller; (ii) processing for the sole purpose of keeping a register, which is legally introduced for public information purposes and open to consultation by the public or by a person having a legitimate interest; and (iii) processing necessary to acknowledge, exercise or defend a right at law carried out in accordance with the rules governing legal proceedings applicable to civil matters. The processing by a data controller pursuant exclusively to his personal or domestic activities is excluded from the scope of the DPA.

Data Quality

Rules on the quality of the data processed
The data controller must process the data in a fair and lawful manner. The data must be: (i) collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes; (ii) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (iii) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data that are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; and (iv) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed.

Retention period
The DPA does not provide a specific retention period for the data, but the retention period has to be proportionate to the processing.
Rights of Data Subjects

Right to information
The data subject has to be provided with the following information: (i) the identity of the data controller and of its representative, if any; (ii) the purpose or purposes of the processing for which the data are intended; and (iii) any further information such as the (categories of) recipients of the data; the categories of data concerned; whether answering the questions is compulsory or voluntary, as well as the possible consequences of failure to answer; the existence of the right of access to data concerning him/her and the right to rectify them; and the period of time the data will be stored.

Right of access/correction/objection and other rights
Access: Upon request to the data controller, the data subject or his/her beneficiaries who can prove they have a legitimate interest may obtain, free of charge, at reasonable intervals and without excessive waiting periods: (i) access to his/her data; (ii) confirmation as to whether or not data relating to him/her are being processed and information at least as to the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed; (iii) disclosure to him/her in an intelligible form of the data undergoing processing and of any available information as to their source; and (iv) knowledge of the logic involved in any automatic processing of data concerning him/her, at least in the case of automated decisions.
Correction: The data subjects have a right to rectification, but the way to exercise this right is not specified in the DPA. The data controller is required to rectify, delete or block data if such data are incomplete or inaccurate.
Objection to processing: The data subject may object at any time, for compelling and legitimate reasons relating to his/her special situation, to the processing of any data on him/her except in cases where legal provisions expressly provide for that processing.
Where there is a justified objection, the processing instigated by the data controller may not involve those data. The data subject may also object to the processing of his/her data for direct marketing purposes and he/she may forbid the data controller to disclose his/her data to third parties or enable his/her data to be used by third parties for marketing purposes. The data controller must inform the data subject about this right.

Security

Security requirements in order to protect the data
The data controller must implement all appropriate technical and organisational measures to protect the data against accidental or unlawful destruction or accidental loss, falsification, unauthorised dissemination or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. These measures have to be contained in an annual report to be submitted by the data controller to the CNPD.

Specific rules governing processing by a third party (processor) on behalf of data controller
If the processing is carried out on behalf of the data controller, the data controller must choose a data processor that provides sufficient guarantees as regards the technical and organisational security measures pertaining to the processing to be carried out. It is up to the data controller as well as the data processor to ensure that the said measures are respected. Any processing carried out on behalf of a controller must be governed by a written contract or legal instrument binding the data processor to the data controller.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfers within the EEA.

Transfer outside the EEA
Data transfers to a third country may take place only where that country provides an adequate level of protection of personal data and complies with the provisions of the DPA.
If the European Commission or the CNPD finds that a third country does not have an adequate level of protection, transfer of data to that country is prohibited. The transfer to countries not ensuring an adequate level of protection is, however, permitted in specific circumstances, such as where the data subject has provided his/her consent or where the transfer is necessary for the performance of a contract to which the data subject is a party.

Sensitive Data
Processing operations that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of data concerning health or sex life, including the processing of genetic data, are forbidden except in limited situations described in the DPA.

Enforcement

Sanctions
The sanctions for breaching the DPA are both civil and criminal (they range from eight days to one year of imprisonment and/or a fine of between EUR 251 and EUR 125,000).

Practice
As at 1 April 2004, 16 complaints had been filed with the CNPD. According to the latest available information, no sanctions have been imposed so far by the CNPD.

Sector specific: E-communications (Directive 2002/58/EC)

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
A draft of the Bill relating to specific provisions concerning the processing of personal data and the protection of privacy in the electronic communications sector, modifying provisions 88-2 and 88-4 of the Criminal Instruction Code and modifying the DPA (the “draft ECA”), is pending before the “Chambre des Députés”.

Conditions for sending direct marketing e-mail
The draft ECA provides that sending direct marketing e-mail shall only be permitted with the prior consent of the data subject (opt-in).
Exemptions
The opt-in system is not applicable where the person has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service; the direct marketing is with respect to a similar product or service only; and the recipient has been given a simple means of refusing (free of charge) the use of his/her contact details for the purposes of such direct marketing, both at the time of collection of the details and for each subsequent communication.

Scope of application
The provisions of the draft ECA regarding e-mail marketing apply to both individual contacts and corporate contacts.

Malta.
Contributed by Mamo TCV Advocates

General (Directive 95/46/EC)

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act 2001 (the “DPA”), Chapter 440 of the Laws of Malta.

Entry into force of the implementing legislation
The DPA came into force on 15 July 2003, subject to transitional periods for certain provisions. These periods differ depending on whether the processing is automated or manual.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to the processing of personal data carried out in the context of activities of a data controller established in Malta or in a Maltese embassy or High Commission abroad, and to the processing of personal data where the data controller is established in a third country but the equipment used for the processing of personal data is situated in Malta (unless such equipment is only used to transfer information between the third country and another such country).

Material scope of application
The DPA applies to manual files and electronic files.
Personal scope of application
The DPA only applies to individuals, but subsidiary legislation implementing Directive 2002/58/EC establishes a broad definition of “personal data” that also includes data relating to legal entities unless otherwise specified by the subsidiary legislation.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as “a person who alone or jointly with others determines the purposes and means of the processing of personal data”.

National Regulatory Authority (“NRA”)

Details of the competent NRA
The Office of the Data Protection Commissioner
2, Airways House
High Street
Sliema SLM 16
Malta
www.dataprotection.gov.mt

Notification or registration scheme and timing
Data controllers must notify their processing of personal data to the Office of the Data Protection Commissioner. In the case of manual processing this must be done by 24 October 2007. This involves the filing of information relating to the processing operations carried out by the data controller, against payment of a notification fee, renewable annually, and the subsequent notification of any updates regarding new processes, prior to implementing such new processes.

Exemptions
By virtue of Legal Notice 162 of 2004, published on 16 April 2004, an exemption from notification has been laid down in circumstances where the only personal data processed by a company are those contained in its Memorandum and Articles of Association as registered with the Registrar of Companies under the Companies Act. Moreover, the following categories of persons are obliged to notify but are exempt from payment of the notification fee: (i) self-employed persons who carry on a trade, business, profession or other economic activity and do not employ any employees; and (ii) philanthropic institutions and similar organisations, band clubs, sports clubs and similar institutions, registered trade unions and political parties and clubs adhering to political parties, which are also exempt from tax under the Income Tax Act.

Data Quality

Rules on the quality of the data processed
The data must be processed fairly and lawfully in accordance with good practice. They must be collected only for specific, explicitly stated, legitimate purposes. They cannot be processed for a purpose incompatible with that for which they have been collected. The data must be adequate, relevant and accurate, and cannot be retained for a period longer than necessary for the stated purposes of the processing.

Retention period
There is no specific retention period. The DPA only requires that personal data not be kept for a period longer than is necessary for the purposes for which the data are processed.

Rights of Data Subjects

Right to information
The data subject must be informed of: (i) the identity and contact details of the data controller and of any other person authorised by the data controller to take action on its behalf; (ii) the purposes of the processing; (iii) the recipients or categories of recipients of the data; (iv) whether replies to questions are voluntary or obligatory, and the consequences of failure to reply; (v) the existence of the right to access, rectify and, if applicable, erase the data relating to him/her; and (vi) if the data are not collected from the data subject, the categories of data processed.

Right of access/correction/objection and other rights
Access: Data subjects have a right to request access to their data. Requests must be made in writing to the data controller and signed by the data subject.
Correction: Data subjects have a right to have their data rectified where the data have not been processed in accordance with the DPA.
Objection to processing: Data subjects have a right to object to the processing in specific circumstances, such as direct marketing.
Other: Data subjects also have the right to ask the data controller to reconsider any decision based solely on automated processing (unless such a decision is taken in the course of entering into or performing a contract with the data subject, under certain conditions).

Security

Security requirements in order to protect the data
Data controllers are obliged to take “appropriate technical and organisational measures to protect the data processed against accidental destruction or loss or unlawful forms of processing thereby providing an adequate level of security” (Article 26(1) DPA).

Specific rules governing processing by a third party (processor) on behalf of data controller
Data controllers must further ensure that data processors can and actually do implement the security measures described above. The carrying out of processing by way of a data processor must be governed by a written agreement binding the data processor to the data controller and stipulating that the processor shall only act on the data controller’s instructions and shall take the security measures identified above.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfers within the EU. They must, however, be notified.

Transfer outside the EEA
Transfers to a country outside the EU must be notified and further approved by the Data Protection Commissioner, provided that an adequate level of data protection is ensured by that third country. Data controllers are required to complete and submit a data transfer form to the Commissioner providing details of any such transfers that they make to third countries.
Exemptions from the prohibition of such transfers to third countries exist, e.g. where the data subject has given his/her unambiguous consent to the transfer, or where the transfer is necessary for the performance of a contract between the data subject and the data controller.

Sensitive Data
Special protection is provided for data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual life and health data.

Enforcement

Sanctions
Sanctions under the DPA are both civil and criminal. A data controller in breach of the DPA may also be liable to: (i) an administrative fine imposed by the Data Protection Commissioner; (ii) an order to pay compensation to the aggrieved data subject following a successful action for damages by the data subject; or (iii) a criminal fine (currently, maximum 10,000 Maltese liri), imprisonment (currently, maximum six months) or both.

Practice
Four investigations were carried out during 2004. No prosecutions were conducted last year and no financial penalties have been imposed to date.

Sector specific: E-communications (Directive 2002/58/EC)

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Processing of Personal Data (Telecommunications Sector) Regulations, 2003 (the “ECA”), subsidiary legislation enacted by Legal Notice 16 of 2003 under the DPA. The ECA entered into force on 15 July 2003.

Conditions for sending direct marketing e-mail
The ECA provides that direct marketing e-mail cannot be sent without the prior explicit consent of the data subject in writing. This is opt-in.

Exemptions
Where a person has obtained from its customers their e-mail addresses in the context of a sale of a product or a service, according to the ECA that same person may use such details for direct marketing of its own similar products or services.
This exception applies provided that customers have been given the opportunity to object, free of charge and in an easy and simple manner, to such use of their electronic contact details when they are collected and on the occasion of each message, where the customer has not initially refused such use.

Scope of application
The provisions of the ECA regarding direct marketing e-mail apply both to individual and corporate contacts.

The Netherlands.
Contributed by De Brauw Blackstone Westbroek

General (Directive 95/46/EC)

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented. The Dutch implementing legislation consists of two acts: (i) the Act on the Protection of Personal Data of 6 July 2000 (“Wet bescherming persoonsgegevens” - the “DPA”); and (ii) the Exemption Decree DPA of 7 May 2001 (“vrijstellingsbesluit Wbp” - the “Decree”).

Entry into force of the implementing legislation
The DPA entered into force on 1 September 2001.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to the processing of personal data carried out in the context of the activities of an establishment of a responsible party (“data controller”) in The Netherlands. Furthermore, the DPA applies to the processing of personal data by or for data controllers who are not established in the EU, where use is made of automated or non-automated means situated in The Netherlands, unless these means are used only for forwarding personal data. Such data controllers are prohibited from processing personal data unless they designate a person or body in The Netherlands to act on their behalf in accordance with the provisions of the DPA; that body shall be deemed to be the data controller.
Material scope of application
The DPA applies to the fully or partly automated processing of personal data, and to the non-automated processing of personal data entered in a file or intended to be entered therein.

Personal scope of application
The DPA applies only to personal data (any information relating to an identified or identifiable natural person). As a rule, data relating to legal entities do not qualify as personal data, since a legal entity is not a natural person. However, data concerning legal entities can be classified as personal data if these data are of such a nature that they can (together with other data) be decisive for the manner in which a natural person may be judged or treated in society. Data about contact persons of legal entities also constitute personal data.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is the person or entity responsible for compliance with the DPA. The DPA defines a data controller as the natural person, legal person, administrative body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing personal data.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Dutch Data Protection Board (“College bescherming persoonsgegevens”, CBP)
Mailing address: College bescherming persoonsgegevens (CBP), Postbus 93374, 2509 AJ Den Haag, The Netherlands
Visiting address: Prins Clauslaan 20, 2595 AJ Den Haag, The Netherlands
www.cbpweb.nl

Notification or registration scheme and timing
In general, fully or partly automated processing of personal data must be notified to the Dutch Data Protection Board or to the (internal) privacy officer before processing commences. The Dutch Data Protection Board has designed standard notification forms. The notification does not require the approval of the Dutch Data Protection Board; it is a mere filing of information.
Exemptions
Pursuant to the Decree, certain common categories of processing are exempt from the notification obligation (such as the processing of data as part of salary and/or personnel administration), provided that the processing only involves the data and purposes explicitly prescribed in the Decree. Furthermore, certain conditions mentioned in the Decree must be complied with, such as the obligation not to keep the data longer than a certain period of time, unless otherwise required by law.

Data Quality

Rules on the quality of the data processed
Personal data may only be processed where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive. Furthermore, the data must be correct and accurate given the purposes for which they are collected or subsequently processed.

Retention period
Generally, personal data may not be retained in an identifiable form for any longer than is necessary for achieving the purposes for which they were collected or subsequently processed. Please note that the Decree contains specific retention periods for certain categories of data, which must be complied with in order to be exempt from the notification obligation.

Rights of Data Subjects

Right to information
Pursuant to the DPA, the data controller must provide the data subject with the following information prior to obtaining the personal data, unless the data subject is already acquainted with this information: the identity of the data controller and the purposes of the data processing; the identity of the recipients of the data; the right of the data subject to have access to his/her data; the right to request rectification of data, etc.; and, in the event of transfer of data to a country outside the EU, the fact that this is occurring and for what purposes, etc.
Right of access/correction/objection and other rights
Access: Upon written request, the data controller must provide the data subject with a full and clear summary of the data that are being processed about him/her, including a definition of the purposes of the processing, the categories of processed data and the (categories of) recipients, as well as the available information as to the origin of the data.
Correction: Data subjects may ask the data controller to correct, supplement, delete or block the data processed about them in the event that such data are inaccurate, incomplete or irrelevant for the purposes of the processing, or are being processed in any other way that infringes a legal provision.
Objection to processing: Data subjects have a right to object to the processing if the data controller is planning to provide personal data to third parties or to use personal data for the purposes of direct marketing.
Other: Upon request by the data subject, the data controller must provide information concerning the underlying logic of any automated decision relating to the data subject.

Security

Security requirements in order to protect the data
The data controller must implement appropriate technical and organisational measures to secure personal data against loss or against any form of unlawful processing. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected.

Specific rules governing processing by a third party (processor) on behalf of data controller
The carrying out of processing by a third party processor must be governed by an agreement or another legal act set out in writing or in another equivalent form.
Pursuant to the DPA, the data controller is obliged to ensure that the data processor only processes the data on the orders of the data controller and that the data processor implements appropriate technical and organisational measures.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfer within the EEA.

Transfer outside the EEA
The transfer of data to a country outside the EEA is only authorised if that country offers adequate data protection. Otherwise, the transfer is prohibited, unless one of the exceptions provided for by the DPA applies, e.g. if: (i) the data subjects have given their consent to the data transfer; or (ii) the Minister of Justice has, after consulting the Dutch Data Protection Board, issued a permit for the data transfer on the basis that sufficient safeguards are provided. Sufficient safeguards may be: (i) the entering into model contractual clauses approved by the European Commission; and (ii) the implementation of Binding Corporate Rules.

Sensitive Data
The general rule is that it is prohibited to process sensitive personal data, except as otherwise provided in the DPA. Pursuant to the DPA, sensitive data are data concerning a person’s religion or philosophy of life, race, political persuasion, health and sexual life, personal data concerning trade union membership, and personal data concerning a person’s criminal behaviour or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct.

Enforcement

Sanctions
Certain violations of the DPA qualify as a criminal offence. The sanction is a penal fine of up to a maximum of EUR 4,500 and, in the event of an intentional violation, a prison sentence of a maximum of six months. Also, the Dutch Data Protection Board may impose an administrative fine of up to a maximum of EUR 4,500. With respect to all violations of the DPA, the Dutch Data Protection Board may apply administrative sanctions and/or a penalty payment.
Furthermore, the Dutch Data Protection Board may carry out an investigation concerning compliance with the DPA within a particular company. The Dutch Data Protection Board is free to present its findings to the press. Finally, civil proceedings such as claims for damages or for injunctions may be started by the parties concerned.

Practice
In 2004, there were 216 complaints, 56 investigations and one official report for criminal prosecution. The penalties imposed by the Data Protection Board range from EUR 3,000 to EUR 15,000. The highest penalty levied to date was a penalty of EUR 15,000, which was imposed because of a failure to notify multiple processing operations to the Data Protection Board.

Sector specific: E-communications (Directive 2002/58/EC)

Marketing by e-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Directive 2002/58/EC has been implemented by an amendment to the Telecommunications Act (Wet implementatie Europees regelgevingskader voor de elektronische communicatiesector 2002) (the “TA”). The new TA entered into force in May 2004.

Conditions for sending direct marketing e-mail
The new TA provides that the use of e-mail to transmit unsolicited communications for commercial, idealistic or charitable purposes is only permitted if the sender can demonstrate that the subscriber concerned has provided his/her prior consent. This is opt-in.
Exemptions
The new TA provides that a recipient of electronic contact details may use those details to transmit communications for commercial purposes where: (i) it has received the data in the context of the sale of its product or service; (ii) the commercial communication relates to its own similar products or services; and (iii) at the time of receipt of the contact details, the customer is clearly and expressly offered the opportunity to object to the use of such electronic details and, where the customer did not object to this use, the customer is clearly and expressly offered the opportunity to object to further use of his/her electronic contact details in each transmitted communication. This is opt-out.

Scope of application
The relevant provisions of the new TA only apply to “individual subscribers”. Accordingly, the new TA does not apply to corporate subscribers (e.g. [email protected]). The Dutch Minister of Justice has announced that he/she will file a proposal to amend the TA so that it will apply to corporate subscribers as well in the future.

Norway.
Contributed by Wiersholm, Mellbye & Bech, advokatfirma AS

General (Directive 95/46/EC)

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Act on Processing of Personal Data (the “DPA”) dated 14 April 2000. The DPA is supplemented by a regulation dated 15 December 2000 (the “Regulation”), as last amended on 6 May 2005.

Entry into force of the implementing legislation
The DPA came into force on 1 January 2001.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to data controllers who are established in Norway. The DPA also applies to data controllers who are established in states outside the territory of the EEA if the data controller makes use of equipment in Norway.
However, this does not apply if such equipment is used only for transit purposes.

Material scope of application
The DPA applies to the processing of personal data wholly or partly by automatic means, and to other processing of personal data which form part of, or are intended to form part of, a personal data filing system.

Personal scope of application
Except for credit information agencies, the DPA only applies to the processing of data relating to natural persons (individuals).

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as the person who determines the purposes of the processing and the means which are to be used.

National Regulatory Authority (“NRA”)

Details of the competent NRA
The Data Inspectorate
P.O. Box 8177 Dep
N-0034 Oslo
Norway
www.datatilsynet.no

Notification or registration scheme and timing
The data controller must notify the Data Inspectorate before processing personal data by automatic means, or before establishing a manual personal data filing system which contains sensitive personal data. The notification must be made no later than 30 days prior to the commencement of processing. The Data Inspectorate does not provide approval. The processing of sensitive data, and the processing of personal data in the telecommunications sector, the insurance industry, banks and financial institutions and credit information agencies, requires a licence from the Data Inspectorate prior to processing.

Exemptions
There are some exemptions from the notification/licensing requirements, i.e. with regard to the processing of data as part of the administration and performance of contractual obligations to customers, subscribers and suppliers.
Data Quality

Rules on the quality of the data processed
The DPA requires that the data processed are adequate, relevant and not excessive in relation to the purpose of the processing. Personal data must also be accurate and up to date.

Retention period
Data must not be stored longer than is necessary for the purpose of the processing.

Rights of Data Subjects

Right to information
Under the DPA, the data subject must be informed of: (i) the identity of the data controller and of his/her representative, if any; (ii) the purpose for which the data are to be processed; (iii) the (categories of) recipients of the data; and (iv) the fact that the provision of data is voluntary, and the existence of the right to access and to rectify the data concerning him/her. The data controller does not need to provide information about the specific data that are being used in a personal profile, or the assumptions which form the basis for a personal profile. There are also some exemptions from the duty to inform.

Right of access/correction/objection and other rights
The data controller may not request compensation for providing data to, or meeting the demands of, the data subject.
Access: Any data subject who so requests must be informed of the kind of processing of personal data that a data controller is performing and must be given a copy of the data collected. Upon written request from the data subject, the information will be given in writing.
Correction: The data subject has a right to require rectification of personal data which are inaccurate or incomplete, or the processing of which is not authorised.
Objection to processing: The data subject is also given the right to object to certain categories of processing, i.e. the processing of personal data for direct marketing purposes.
Security

Security requirements in order to protect the data
In accordance with the DPA and the Regulation, the data controller must, by means of planned and systematic measures, ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data, as well as internal control. The data system and the security measures must be documented, and the documentation must be accessible to such employees of the data controller as need it in their work, as well as to the Data Inspectorate and the Privacy Appeals Board.

Specific rules governing processing by a third party (processor) on behalf of data controller
A third party processor is defined as a person or entity that processes personal data on behalf of the data controller. Under the DPA, there must be a written agreement between the processor and the data controller regarding such processing of information.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfers within the EEA.

Transfer outside the EEA
The DPA prohibits transfers outside the EEA unless the destination ensures adequate protection for the data. Otherwise, personal data can be transferred outside the EEA under the usual circumstances (e.g. if there has been a Community adequacy finding, the data importer has signed up to the Safe Harbor or the EC Model Clauses, or the data subject has consented). The Data Inspectorate may allow a transfer even if the above conditions are not fulfilled if the data controller provides adequate safeguards with respect to the protection of the rights of the data subject. The Data Inspectorate may stipulate conditions for the transfer.
Sensitive Data
Under the DPA, sensitive data means data relating to the racial or ethnic origin, political opinions, union membership, religious or philosophical convictions, health and sexual preference of the data subject, and the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act. As set out above, a licence from the Data Inspectorate is required prior to the processing of sensitive data.

Enforcement

Sanctions
Anyone who wilfully or through gross negligence does not comply with the provisions of the DPA shall be liable to fines or imprisonment for a term not exceeding one year, or both. In particularly aggravating circumstances, a sentence of imprisonment for a term not exceeding three years may be imposed. A coercive fine may also be imposed by the Data Inspectorate. Finally, under the DPA, the data controller must compensate for damage suffered if personal data have been processed contrary to the DPA, unless it is established that the damage is not due to error or negligence on the part of the data controller. The compensation must be equivalent to the financial loss incurred by the claimant as a result of the unlawful processing. The data controller may also be ordered to pay such compensation for damage of a non-economic nature (compensation for non-pecuniary damage) as seems reasonable.

Practice
The Data Inspectorate carried out 161 investigations in 2004. None led to prosecution. In 2005 there have been two reports so far. Since the coming into force of the DPA, only one penalty has been imposed by a lower court, in an unpublished judgment.

Sector specific: E-communications (Directive 2002/58/EC)

Marketing by e-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by an amendment to the Marketing Control Act Section 2b dated 21 January 2005. The Marketing Control Act Section 2b originally implemented Directive 1997/7/EC.
Conditions for sending direct marketing e-mail
The Marketing Control Act Section 2b prohibits direct marketing to individuals in the course of business using methods of telecommunication which permit individual communication, such as e-mail, text messaging services to mobile telephones, facsimile or automatic calling machines, without the prior consent of the recipient (opt-in requirement).

Exemptions
Direct marketing using telecommunication such as e-mail to existing customers will not require prior consent provided that certain conditions are met. However, the e-mail must contain an explanation of how to opt out of future communications. Individual-to-individual e-mail routines set up by companies on the company’s website (tip-a-friend) are permitted in most circumstances.

Scope of application
The legislation applies to direct marketing to natural persons (individuals, not only consumers) by a business using methods of telecommunication which permit individual communication.

Poland.

General (Directive 95/46/EC)

National Legislation

Status of implementation of the Directive
The rules established by Directive 95/46/EC were implemented in Poland by the Act on the Protection of Personal Data of 29 August 1997 (Journal of Laws of 2002, No. 101, item 926, as amended) (the “DPA”).

Entry into force of the implementing legislation
The DPA entered into force on 30 April 1998. However, certain provisions came into force on 1 May 2004, including, but not limited to, those on “Territorial scope of application” and “Transfer within the EEA”.

Scope of Application of the National Legislation

Territorial scope of application
The DPA is applicable in Poland. The DPA applies if: (i) the data controller is established or domiciled in Poland and data are processed in the context of its activities; or (ii) the data controller is established outside the EEA but uses equipment in Poland for processing personal data.
Material scope of application
The DPA determines the principles of processing personal data and the rights of individuals whose personal data are or can be processed as part of a data filing system. The DPA applies to the processing of personal data in computer systems, files, indexes, books, lists and other registers.

Personal scope of application
The DPA applies only to individuals.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as a body or an organisational unit, an establishment or a person that decides about the purposes and means of processing personal data.

National Regulatory Authority (“NRA”)

Details of the competent NRA
The Inspector General for the Protection of Personal Data (the “IGPPD”)
ul. Stawki 2
00-193 Warsaw
Poland
Tel. +48 (22) 860-70-86
e-mail: [email protected]
www.giodo.gov.pl

Notification or registration scheme and timing
The DPA provides for a registration scheme. The data controller must register any data filing system with the IGPPD before starting to process the data in a data filing system. The IGPPD may refuse registration.

Exemptions
The obligation to register filing systems does not apply to certain data controllers, in cases where there is a public interest or a low level of risk to the rights and freedoms of the persons whose data are being processed. The DPA identifies such situations in detail.

Data Quality

Rules on the quality of the data processed
The DPA provides rules on the quality of the data processed.
The controller must protect the interests of the data subjects with due care, and it must in particular ensure that the data are: (i) processed lawfully; (ii) collected and processed for specified and legitimate purposes; (iii) relevant and adequate for the purposes for which they are processed; and (iv) kept in a form that permits identification of the subjects of the data for no longer than is necessary for the purposes for which they are processed.

Retention period
The DPA provides no specific retention period for personal data. The sole indication is that the data shall not be kept in a form that enables identification of the data subjects for longer than is necessary for the purposes for which they are processed.

Rights of Data Subjects

Right to information
Data subjects have the right to obtain information: (i) on whether a filing system exists and on the controller’s identity; (ii) regarding the purpose, scope, and the means of processing of the data contained in the filing system; (iii) as to when processing of the personal data commenced; (iv) about the source of the personal data; (v) about the form in which the data are disclosed, and in particular about the recipients or categories of recipients of the data; and (vi) about the rights of data subjects.

Right of access/correction/objection and other rights
Data subjects have a right to control the processing of their personal data contained in the filing systems, and in particular have the right to obtain extensive information, to correct their data and to object to their data being processed. Data subjects have the right to demand that the data be completed, updated, rectified, temporarily or permanently suspended or erased, if they are incomplete, outdated, untrue or collected in violation of the DPA, or if they are no longer required for the purpose for which they were collected.
Data subjects also have the right to file a substantiated demand in writing, in certain cases, to have the data processing halted.

Security

Security requirements in order to protect the data
Data controllers must implement technical and organisational measures to protect the personal data processed, appropriate to the risks and category of data that are protected, and protect them against unauthorised disclosure, takeover, change, loss, damage or destruction.

Specific rules governing processing by a third party (processor) on behalf of data controller
A data controller may authorise another entity to carry out the processing of the personal data by way of a written contract, if there are sufficient security measures protecting the data filing system. The data controller remains responsible for the proper processing of the data.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The transfer of data within the EEA is authorised.

Transfer outside the EEA
Personal data may be transferred to a third country only if the country of destination ensures at least the same level of personal data protection as that in Poland. The data controller may also transfer personal data to a third country not ensuring an adequate level of data protection if: (i) the data subject has given written consent; (ii) it is necessary for the performance of a contract between the data subject and the controller; (iii) it is necessary for the performance of a contract concluded in the interests of the data subject between the controller and a third party; (iv) the transfer is required by reason of public interest or to establish legal claims; (v) the transfer is necessary in order to protect the vital interests of the data subject; or (vi) the transfer relates to data that are publicly available.
Sensitive Data

Certain restrictions are imposed on the processing of sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union membership, as well as data concerning health, genetic code, addictions or sexual life and data relating to convictions, decisions on penalty or fines and other decisions issued in court or administrative proceedings. It is prohibited to process sensitive data unless the data subject has given written consent or in other specific circumstances described in detail in the DPA.

Enforcement

Sanctions
A breach of the DPA would give rise to criminal liability, including a fine (varying between PLN 100 and PLN 720,000), a partial restriction of freedom or a prison sentence of up to three years. Apart from criminal sanctions defined in the DPA, civil liability could arise on the basis of general civil law rules.

Practice
According to the IGPPD, there were 1,024 complaints brought before it and 144 inspections conducted by it in 2004.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Act on the Provision of Services by way of Electronic Means, dated 18 July 2002 (Journal of Laws of 2002, No. 144, Item 1204) (the “ECA”), which entered into force on 10 March 2003, and by the Telecommunication Law dated 16 July 2004 (Journal of Laws of 2004, No. 171, Item 1800), the majority of which entered into force on 2 September 2004.

Conditions for sending direct marketing e-mail
Direct marketing by e-mail is authorised if the recipient gave his/her prior consent for receiving such e-mails. The ECA provides for certain conditions on sending direct marketing e-mail based on the recipient’s consent.
Such marketing communication should be isolated and clearly designated as marketing communication and should contain: (i) the identification of the entity ordering marketing activities, including e-mail address; (ii) a clear description of marketing activities, in particular price reduction, gratuitous services and any other benefits; and (iii) any information that could have an impact on the scope of responsibility of the parties, in particular warnings and reservations.

Exemptions
There are no exemptions.

Scope of application
Restrictions imposed by the ECA are applicable both to individual and corporate contacts.

Portugal.

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46 has been implemented by Law 67/98 of 26 October on personal data protection (the “DPA”).

Entry into force of the implementing legislation
The DPA came into force on 1 November 1998.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to the processing of data carried out: (i) in the context of the activities of an establishment of the data controller in Portugal; (ii) outside national territory, in those places where Portuguese law is applicable by virtue of international public law; or (iii) by a data controller that is not established on EU territory and that for purposes of processing personal data makes use of equipment, automated or otherwise, situated in Portugal, unless such equipment is used only for purposes of transit through the territory of the EU.

Material scope of application
The DPA applies to both manual and electronic files.

Personal scope of application
The DPA applies only to data relating to individuals.
Data Controller

Entity responsible for compliance with the National Legislation
The person responsible for compliance with the DPA is the data controller, defined as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by laws or regulations, the data controller shall be designated in the DPA establishing the organisation and functioning or in the statutes of the legal or statutory body competent to protect the personal data concerned.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Comissão Nacional de Protecção de Dados (the “CNPD”)
Rua de São Bento, n.° 148, 3°
1200-821 Lisboa
Portugal
www.cnpd.pt

Notification or registration scheme and timing
The controller must notify the CNPD before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.
The authorisation of the CNPD is required for: (i) the processing of personal data revealing philosophical or political beliefs, political party or trade union membership, religion, privacy and racial or ethnic origin, and concerning health or sex life, including genetic data, and it is only awarded when such processing is essential for the exercise of the legal or statutory rights of the data controller or when the data subject has given his/her explicit consent for such processing; and the processing of data relating to persons suspected of illegal activities, criminal and administrative offences and decisions applying penalties, security measures, fines and additional penalties, which may only be created and kept by public services vested with that specific responsibility; (ii) the processing of data relating to credit and the solvency of the data subjects; (iii) the use of personal data for purposes other than those which determined their collection; and (iv) the combination of personal data not provided for in a legal provision.

The non-automatic processing of personal data revealing philosophical or political beliefs, political party or trade union membership, religion, privacy and racial or ethnic origin, and concerning health or sex life, including genetic data, shall also be subject to authorisation.

Exemptions
The CNPD may authorise the simplification of or the exemption from notification for particular categories of processing that are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of the data subjects, and in order to take account of criteria of speed, economy and efficiency. Processing whose sole purpose is the keeping of a register which, according to laws or regulations, is intended to provide information to the public and which is open to public consultation is exempted from notification.
Data Quality

Rules on the quality of the data processed
Data must be: (i) processed lawfully and in compliance with the principle of good faith; (ii) collected for specified, explicit and legitimate purposes; (iii) adequate, relevant and not excessive in relation to the purposes for which they are collected; and (iv) accurate and kept up to date.

Retention period
The only time limit on the retention of data is that data must be kept in a form that permits identification of their data subjects for no longer than is necessary for the purposes for which they were collected or for which they are further processed. However, the storing of data for historical, statistical or scientific purposes for longer periods may be authorised by the CNPD at the request of the data controller in the case of a legitimate interest.

Rights of Data Subjects

Right to information
Data subjects have the right to be informed about the processing of their data. The documents supporting the collection of personal data must contain: (i) the identity of the controller or its representative; (ii) the purposes of the processing; and (iii) other information such as the recipients or categories of recipients; whether replies are mandatory or voluntary; and the existence and conditions of the right of access and the right to rectify, provided they are necessary, taking into account the specific circumstances of collection of the data, in order to guarantee the data subject that they will be processed fairly.
Right of access/correction/objection and other rights
Access: The data subject has the right to obtain from the data controller at reasonable intervals and without excessive delay or expenses: (i) confirmation as to whether or not data relating to him/her are being processed and information as to the purposes of the processing, the categories of data concerned and the recipients to whom the data are disclosed; (ii) communication in an intelligible form of the data undergoing processing and of any available information as to their source; and (iii) information on the automatic processing of data.

Correction: The data subject has the right to obtain from the data controller the rectification, erasure or blocking of data the processing of which does not comply with the DPA, and the notification to third parties to whom the data have been disclosed of any such rectification, erasure or blocking.

Object to processing: The data subject has the right to object at any time on compelling legitimate grounds relating to his/her particular situation to the processing of data relating to him/her, and to object, on request and free of charge, to the processing of personal data for the purposes of direct marketing or any other form of research.

Security

Security requirements in order to protect the data
The data controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

Specific rules governing processing by a third party (processor) on behalf of data controller
The processor chosen by the data controller must provide sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out and must ensure compliance with those measures.
There must be a contract or legal act binding the processor to the data controller and stipulating in particular that the processor shall act only upon instructions from the data controller and that it is bound to implement the appropriate technical and organisational measures to protect personal data.

Transfer of personal data to foreign countries

Transfer within the EEA
Personal data may move freely within the EU.

Transfer outside the EEA
The transfer of personal data to a country that is not a member of the EU may only take place provided that country ensures an adequate level of protection. The adequacy of the level of protection of a country must be assessed in light of all the circumstances surrounding a (set of) data transfer operation(s); in particular, consideration must be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the country in question, and the professional rules and security measures that are complied with in that country. A transfer of personal data to a country which does not ensure an adequate level of protection may be allowed by the CNPD in the usual circumstances (e.g. if the data subject has given his/her unambiguous consent to the proposed transfer).

Sensitive Data

The processing of personal data revealing philosophical or political beliefs, political party or trade union membership, religion, privacy, and racial or ethnic origin, and concerning health or sex life, including genetic data, is prohibited unless authorised by the CNPD (see above).

Enforcement

Sanctions
The sanctions have a quasi-criminal and criminal nature: the imposition of fines of up to EUR 30,000 and imprisonment of up to two years. In addition, the entity that breaches the DPA is liable, under general rules of law, for the damages caused to the data subject or third parties.
Practice
The number of investigations and prosecutions in 2004 is not publicly available, but there were at least 80. In 2004, penalties of between EUR 3,500 and EUR 20,000 were imposed. The most significant penalty levied was EUR 20,000, applied to Radiotelevisão Portuguesa, S.A. (“RTP”), the public television company, in April 2004. RTP decided to carry out some research on the professional skills of its employees. It hired a company to assess various pieces of data about its workers but failed to notify its employees of this assessment process. Under Portuguese law, RTP was obliged to notify the CNPD before carrying out such a data processing operation. RTP also informed the contractor about the trade union membership of its employees, which was not authorised by the CNPD or consented to by the data subjects. The CNPD also found that RTP had a video surveillance system in operation in its building which had not been authorised by the CNPD.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by Decree-Law No. 7/2004 of 7 January 2004 (the “ECA”).

Conditions for sending direct marketing e-mail
Direct marketing by e-mail is authorised provided the addressee gives its prior consent (opt-in regime).

Exemptions
The supplier of goods/services may send unrequested advertising to its clients, as long as the client has been given the explicit option to refuse, free of any charge.

Scope of application
These rules are applicable to individual contacts, although an opt-out regime for corporate contacts is foreseen.

Slovakia.

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by Act No. 428/2002 Coll.
on the Protection of Personal Data dated 3 July 2002, as amended by Act No. 90/2005 Coll. (the “Act”).

Entry into force of the implementing legislation
The Act came into force on 1 September 2002 (the amending Act No. 90/2005 came into force on 1 May 2005).

Scope of Application of the National Legislation

Territorial scope of application
The Act applies to the processing of personal data: (i) in the territory of Slovakia; (ii) in the territory where the data controller is established and where Slovak law applies by virtue of public international law; and (iii) where the data controller is outside the EEA but uses equipment situated in the territory of Slovakia for processing personal data other than for transit purposes.

Material scope of application
The Act protects all personal data made available by natural persons to other entities manually or electronically, including personal data processed systematically in a filing system.

Personal scope of application
The Act applies only to personal data relating to individuals.

Data Controller

Entity responsible for compliance with the National Legislation
The Act makes a distinction between the data controller and the data processor. Both are responsible for compliance with the Act. Where the data controller is not established in an EU Member State, but has a representative in Slovakia, such representative is bound by the same obligations as the data controller. A data controller is defined as a state organ, an organ of local government, other public authority or a legal or natural person which alone or jointly with others determines the purposes and means of processing. If a separate law regulates the purposes and means of processing of personal data, the data controller is an entity which is designated by such law to fulfil the purposes of processing or satisfies the conditions set out by the law. The same also applies if so determined by Community law.
A data processor is defined as a state organ, an organ of local government, other public authority or a legal or natural person that processes personal data on behalf of the data controller or the data controller’s representative.

National Regulatory Authority (“NRA”)

Details of the competent NRA
Office for the Protection of Personal Data (Úrad na ochranu osobných údajov) (the “Office”)
Odborárske námestie č. 3
SK-817 60 Bratislava 15
Slovakia
www.dataprotection.gov.sk

Notification or registration scheme and timing
Under the Act there are two types of registration scheme: (i) a general registration scheme, which applies to all information systems where personal data are processed by wholly or partly automatic means (subject to the exemptions listed below); and (ii) a special registration scheme, which applies to all information systems in which the data controller processes: (a) at least one special category of data, and this special category of data is transferred to a non-EU country that does not ensure an adequate level of protection; (b) personal data without the consent of the data subject where such processing is aimed at protecting the legally protected rights and interests of the data controller or a third party; or (c) biometric data, except for DNA analysis for the purposes of recording entries into highly protected facilities and if so required for the internal interests of the data controller.

The general registration scheme does not require any approval by the Office; the processing of data may commence upon filing the necessary information with the Office. In the case of the special registration scheme, prior approval by the Office is necessary before the processing may begin. The data controller must register the information system under the general registration scheme and under the special registration scheme, in both cases prior to starting to process the data.
Exemptions
The standard registration scheme does not apply to information systems which: (i) are subject to special registration; (ii) are supervised by a responsible person designated by the data controller in writing, who supervises data protection under the Act; (iii) contain data of natural persons (including data of their close persons) which are processed for the purposes of carrying out the rights or obligations of the data controller under employment or membership relationships; (iv) contain data on membership in trade unions, political parties or religious organisations, if such data are used solely for internal purposes; and (v) contain data which are necessary for exercising rights or observing obligations under a separate law, or which are processed on the basis of a separate law. No exemptions apply in the case of the special registration scheme.

Data Quality

Rules on the quality of the data processed
The data controller must determine the purpose and means of processing personal data in advance and may only process personal data that are compatible in scope and content with such purpose. With respect to the quality of the data processed, the data controller is obliged to: (i) collect personal data exclusively for the specified or determined purpose; (ii) collect personal data that are adequate, relevant and not excessive in relation to the purpose; (iii) collect personal data for different purposes separately and ensure that they are processed and used exclusively for the purpose for which they have been collected; it is forbidden to merge personal data collected for different purposes; and (iv) process only data which are accurate, complete and, where necessary, kept up to date in relation to the purpose of processing; inaccurate or incomplete data should be blocked by the data controller and rectified or completed without delay, or otherwise erased.
Retention period
The data controller must ensure that collected data are retained only for the time period necessary to attain the purpose of processing, and must without delay delete personal data after this purpose has been achieved. The following exceptions apply when data need not be deleted immediately: (i) if a time limit for which personal data must be kept is set by a specific law; once such time limit has expired the personal data must be deleted; (ii) if such data are part of archived documents; or (iii) if data are subject to further processing for historical, statistical or scientific purposes, subject to conditions set by the Act.

Rights of Data Subjects

Right to information
A data subject must be informed by the data controller (or, where data are collected by the data processor, then by the data processor) of: (i) the identity of the data controller or representative of the data controller, and/or the data processor; (ii) the purpose of processing of personal data; or (iii) other information necessary for the protection of rights of a data subject, including: (a) the identity of the person collecting personal data; (b) information on whether the provision of personal data is voluntary or compulsory; (c) third parties or other recipients that may have access to personal data; (d) form of publication, should such data be published; (e) non-EU countries to which the data may be transferred; and (f) an explanation of the rights of data subjects.
Right of access/correction/objection and other rights
Data subjects have the right to request from the data controller information regarding the processing of their personal data, the source from which it has acquired the personal data and a transcript of their personal data that are the subject of processing, and also correction of incorrect and out-of-date personal data that are the subject of processing, deletion of personal data after the purpose of processing is achieved, and deletion of personal data processed in breach of the Act.

Data subjects are entitled to object to the processing of their data for the purposes of direct marketing and to the processing of their data in certain cases where the Act does not require the consent of a data subject, where such processing represents an unjustified interference with their rights or their interests protected by law. Data subjects have the right not to be subject to a decision that produces legal effects concerning them or significantly affects them which is based solely on automated processing of data, and the right to reject the cross-border transfer of their personal data to a third country which does not have an adequate level of protection.

Security

Security requirements in order to protect the data
Both the data controller and the data processor are responsible for the security of personal data by implementing appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.
When taking the appropriate measures, the following must be taken into consideration: (i) the technical means that may be used; (ii) the extent of risks that may negatively impact the safety or functionality of the information system; and (iii) the confidentiality and importance of data that are processed. In certain cases, the technical and organisational measures are to be implemented by the data controller and the data processor in the form of a security project.

Specific rules governing processing by a third party (processor) on behalf of data controller
A data controller may authorise a data processor to carry out the processing of personal data by way of a written contract if there are sufficient security measures protecting the information system.

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The Act guarantees the free movement of personal data between Slovakia and the EU Member States.

Transfer outside the EEA
Transfer of data to third (non-EU) countries is subject to certain conditions and generally depends on whether or not the other country offers an adequate level of protection. Where the destination country does offer an adequate level of protection, the only condition that must be satisfied is that data subjects must be adequately informed.
If the destination country does not offer an adequate level of protection, cross-border transfer of personal data is allowed if such transfer takes place on the basis of a decision of the European Commission, or one of a series of other conditions is satisfied, such as: (i) the data subject has authorised in writing the proposed transmission while being aware that the country of destination does not guarantee an adequate level of protection; (ii) the transmission is necessary for the execution of a contract between the data subject and the data controller; (iii) the transmission is necessary for the signing or fulfilment of a contract between the data controller and another subject, in the interests of the data subject; (iv) the transmission is necessary for the execution of an international treaty binding on Slovakia; (v) the transmission is necessary for the protection of vital interests of the data subject; or (vi) the transmission concerns personal data contained in lists or registers that are publicly accessible under law.

Sensitive Data

The processing of sensitive data, being data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union or political party membership, and data on health, sexual orientation and criminal convictions, is forbidden. Biometric data can be processed if data subjects have agreed to such processing in a written form, or under a special law where processing by the data controller stems from such law. The prohibition on processing of sensitive data shall not apply if the data subject has consented to such processing, or in exceptional circumstances specified in the Act.
Enforcement

Sanctions
The Office may impose a penalty of up to SKK 10,000,000 for the processing of personal data in breach of the Act or other serious offences; a penalty of up to SKK 5,000,000 for breach of obligations related to liquidation of personal data or certain other major offences; a penalty of up to SKK 3,000,000 for breach of the obligation related to registration of information systems, or certain other minor offences; or a penalty of up to SKK 1,000,000 for other named offences. The Slovak Criminal Code provides for criminal sanctions for the unauthorised manipulation of personal data, including imprisonment or a fine. Unauthorised breach of the right to personal integrity and privacy can also trigger responsibility under the Slovak Civil Code.

Practice
The number of investigations last year is not known. According to the most recent Report on the Data Protection in the Slovak Republic issued by the Office, between June 2003 and March 2005 the number of investigations undertaken by the Office was 175. According to the online statistics of the General Prosecutor’s Office of the Slovak Republic, 12 persons were prosecuted in 2004 in connection with the crime of unauthorised manipulation of personal data under the Slovak Criminal Code. The Office imposes penalties only rarely, thus it is not possible to generalise on the typical level of penalties imposed. The highest penalty levied by the Office to date was SKK 200,000 (approx. EUR 5,000), imposed on the city administration of Košice for obstructing the exercise of functions by the Office during an inspection.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of the European Directive 2002/58/EC has been implemented by Act No. 610/2003 on Electronic Communications of 3 December 2003 (the “ECA”).
Direct marketing is subject to Section 65 of the ECA, which came into force on 1 January 2004.

Conditions for sending direct marketing e-mail
Direct marketing by e-mail is authorised, subject to the subscriber’s prior consent (opt-in). A subscriber is a natural or legal person that uses or requests the use of electronic communication services. Consent already given can be withdrawn at any time. The sending of e-mail for purposes of direct marketing that does not specify the identity of the sender or a valid address to which the recipient may send a request seeking termination of such communication is prohibited. The ECA does not distinguish between marketing e-mails sent to individual or corporate contacts.

Exemptions
There are no exemptions from the opt-in regime for existing clients.

Scope of application
The ECA applies with regard to both individual contacts and corporate contacts.

Slovenia
Contributed by Schönherr Rechtsanwälte OEG

General I Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The new Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov, UL RS No. 86/2004) (the “ZVOP”) replaced the previous Personal Data Protection Act (UL RS No. 59/1999) and implemented Directive 95/46/EC.

Entry into force of the implementing legislation
The old ZVOP, which first transposed Directive 95/46/EC into Slovenian law, entered into force on 7 August 1999. The new ZVOP entered into force on 1 January 2005.

Scope of Application of the National Legislation
Territorial scope of application
The ZVOP applies to any personal data processing if the data controller is incorporated or established in Slovenia or has its registered seat in Slovenia or a branch of the controller is registered in Slovenia.
The ZVOP also applies when the data controller is not established in a Community territory and, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated in the territory of Slovenia, unless such equipment is used only for the purposes of transit through the territory of Slovenia. Every individual in Slovenia is protected, regardless of the individual’s citizenship or permanent residence, or state of establishment of the data controller/administrator.

Material scope of application
The ZVOP applies to personal data relating to an identified or identifiable natural person, whether in manual or electronic files.

Personal scope of application
The ZVOP applies exclusively to personal data relating to individuals.

Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the ZVOP. The ZVOP defines a data controller as either: (i) the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; or (ii) the natural or legal person set by an act which defines the purposes and means of personal data processing.

National Regulatory Authority (“NRA”)
Details of the competent NRA
The Inspection Authority established within the Ministry of Justice (Inšpektorat za varstvo osebnih podatkov) (the “Inspection Authority”)
Župančičeva 3
SL-1000 Ljubljana
Slovenia
www.mp.gov.si

Notification or registration scheme and timing
The data controller must notify the Inspection Authority before carrying out any wholly or partly automatic processing operation or before adding a new category of information to the system. No approval or consent is required. The notification must occur no later than 15 days prior to commencing data processing.
Exemptions
Data controllers that have no more than 20 employees hired for an indefinite term are not required to notify the Inspection Authority of the personal data filing system which contains information on its employees and which the controller is required to manage in compliance with the Labour Records Act (Zakon o evidencah na področju dela, UL SFRJ No. 17/1990).

Data Quality
Rules on the quality of the data processed
The personal data must be accurate and, where necessary, kept up to date.

Retention period
Personal data may be kept and processed for as long as necessary to achieve the purpose for which they have been collected.

Rights of the Data Subjects
Right to information
The data controller must inform the data subjects of the type of data collected and the list of persons/entities to whom/which personal data referring to the data subject were provided. The data subject must also receive information on the data controller and the purpose of information processing.

Right of access/correction/objection and other rights
Access: Data subjects may review and obtain copies of their personal data free of charge.
Correction: The data subject may ask the data controller to change and/or amend incomplete, incorrect or out of date personal data and to erase personal data which have been collected illegally.
Others: The data subject has a right to review the sources from which data are collected and the method of processing.

Security
Security requirements in order to protect the data
Data controllers must protect and secure personal data by organisational, technical and technical-logistical procedures and measures against unauthorised access to information, deletion, amendment or loss of information.
Specific rules governing processing by a third party (processor) on behalf of data controller
Processors are only authorised to carry out activities within the scope of the authorisation granted by the data controller.

Transfer of Personal Data to Foreign Countries
The data controller may transfer personal data to a foreign recipient (non-EU based), provided the importing country has an adequate data protection system. The Inspection Authority must give prior approval to the data transfer. Prior approval is not required if the importing country is included in the list of countries that provide adequate data protection. The above paragraph does not apply to transfers of personal data to persons incorporated or resident within the EU or EEA.

Sensitive Data
Sensitive data is defined as information on racial, national or ethnic origin, political, religious or philosophical beliefs, union membership, medical records, sexual orientation and criminal records. Sensitive data may be collected with the consent of the data subject and for certain other important purposes (e.g. health personnel and medical records). In processing sensitive data, the data must be labelled and protected so as to prevent unauthorised access. Transfer of sensitive data is deemed adequately secure if the data are encrypted and protected with an electronic signature so that the data are illegible and unrecognisable during transfer.

Enforcement
Sanctions
The civil sanction is liability for damages. Punitive damages are not awarded. Criminal sanctions include imprisonment of up to one year for individuals and fines of up to approximately EUR 300,000 for legal entities. Certain violations of the ZVOP are also considered as misdemeanours, which are subject to fines of up to approximately EUR 12,500.

Practice
In 2004 the Inspection Authority performed 100 investigations.
Of these, the Inspection Authority issued six administrative decisions, initiated misdemeanour proceedings in 13 cases and criminal proceedings in two cases. The average fine imposed to date is between SIT 500,000 and SIT 1,000,000 (approximately EUR 2,000 to EUR 4,000). The highest fine levied to date is SIT 1,000,000 for two discrete violations. In addition, the Inspection Authority issued 32 warnings with instructions to remedy the problem.

Sector specific: E-communications I Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by an amendment to the Slovenian Consumer Protection Act (Zakon o varstvu potrošnikov, UL RS No. 110/2002, the “ZVPot”). The effective date of implementation was 17 January 2003.

Conditions for sending direct marketing e-mail
Direct marketing by e-mail is permitted upon prior consent of the consumer (opt-in).

Exemptions
There are no exemptions.

Scope of application
The ZVPot only applies to natural persons.

Spain

General I Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Organic Law 15/1999 relating to Personal Data Protection (Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal) (the “DPA”).

Entry into force of the implementing legislation
The DPA entered into force on 14 January 2000.

Scope of Application of the National Legislation
Territorial scope of application
The DPA is applicable to processing carried out by a data controller established in Spain and by a data controller not established in the EU but using equipment situated in Spain for purposes other than the mere transit of data.
The DPA is also applicable to processing carried out by a data processor established in Spain (for example, the data processor will have to comply with the Security Measures Regulations).

Material scope of application
The DPA applies to both manual and electronic files. The processing of data already held in manual filing systems on the date of entry into force of the DPA shall be brought into conformity by 24 October 2007.

Personal scope of application
The DPA only applies to data relating to individuals. Data relating to legal entities do not fall within the scope of application of the DPA.

Data Controller
Entity responsible for compliance with the National Legislation
Data controllers and processors are responsible for compliance and shall be subject to the sanctioning provisions of the DPA. A data controller is defined as the public or private natural or legal person, or agency of the administration, which determines the purpose, content and use of the data processing. The processor is defined as the natural or legal person, public authority, agency or any other body that alone or jointly with others processes personal data on behalf of the controller.

National Regulatory Authority (“NRA”)
Details of the competent NRA
Agencia Española de Protección de Datos (“AEPD”)
Sagasta, 22
28004 Madrid
Spain
www.agpd.es

Notification or registration scheme and timing
Any person intending to create personal data files is required to register with the AEPD by completing the forms (available on the AEPD website). The General Data Protection Register of the AEPD approves the notification if the notification form complies with the necessary requirements. It is a mere filing of information that must take place prior to the creation of the data file. Any changes in the processing must be notified within a month of the change.

Exemptions
There are no exemptions from notification/registration.
Data Quality
Rules on the quality of the data processed
The data processed must be: (i) adequate, relevant and not excessive in relation to the purposes of the processing; and (ii) accurate and, where necessary, kept up to date.

Retention period
Personal data shall be kept for the periods stipulated in the applicable provisions or in the contractual relations, if any, between the data controller and the data subject. Personal data shall be erased when they have ceased to be necessary or relevant for the purpose for which they were collected or recorded. They shall not be kept in a form permitting identification of the data subject for longer than necessary for the purposes for which they were collected or recorded.

Rights of Data Subjects
Right to information
Data subjects from whom personal data are requested shall be informed in advance expressly, precisely and unambiguously of: (i) the existence of a personal data filing or processing system, the purpose of the collection of such data and the recipients of such information; (ii) the obligatory or voluntary nature of their reply to the questions put to them; (iii) the consequences of the collection of the data or of the refusal to supply the data; (iv) the possibility of exercising the rights of access, rectification, erasure and opposition; and (v) the identity and address of the data controller or its representative, if any. Furthermore, where questionnaires or other printed forms are used for the collection of personal data, they shall set out, in clearly legible form, the information referred to above.

Right of access/correction/objection and other rights
Data subjects have the right to access their data and to rectify them when necessary. They also have the right to object to the processing under specific circumstances.
Data subjects have the right: (i) not to be subject to a decision that produces legal effects based solely on automated processing of data; (ii) to consult the General Data Protection Register; and (iii) to compensation if they have suffered damage or injury to their property or rights as a result of the infringement of the DPA.

Security
Security requirements in order to protect the data
Royal Decree 994/1999, of 11 June, approved the Security Measures Regulations, which classify security measures into three levels: basic, medium and high, depending on the nature of the information processed.

Specific rules governing processing by a third party (processor) on behalf of data controller
The performance of processing operations by a processor on behalf of a data controller must be governed by a contract that must be in writing or another form permitting its conclusion and contents to be evidenced. The processing contract shall expressly stipulate that the processor shall only process the data in accordance with the instructions of the data controller, that it shall not process the data for purposes other than those provided in such contract nor disclose the data, even for storage purposes, to other persons. Once the contractual obligations have been performed, the personal data must be destroyed or returned to the data controller, together with any medium or document in which any personal data that is the subject of processing are recorded. Sub-contracting by the processor to a third party is only permitted if the contract between the data controller and the processor contemplates such sub-contracting, identifying the processing to be sub-contracted and the identity of the sub-processor, and if the processing carried out by the sub-processor complies with the instructions of the controller.

Transfer of Personal Data to Foreign Countries
Transfer within the EEA
The Act authorises the transfer of data within the EEA.
Transfer outside the EEA
The principle is that international transfers to countries that do not provide a level of protection equivalent to that provided under Spanish law are prohibited, unless prior authorisation has been granted by the Director of the AEPD. The Act sets out a number of derogations where prior authorisation shall not be required. Whether or not the transfer requires prior authorisation, it has to be notified to the AEPD. In this regard, the standard form to notify the creation of data files includes a section on international transfers. If this section is not completed when the file is initially notified, the notification must be amended to include the transfer.

Sensitive Data
Personal data revealing ideology, trade union membership, religion and beliefs may only be processed with the express, written consent of the data subject. Personal data relating to racial origin, health or sex life may only be obtained, processed and disclosed when so provided by a law on grounds of general interest, or with the data subject’s express consent. Data files containing sensitive data must implement high-level security measures (in addition to basic and medium security measures they must, among other duties, encrypt the information when distributing it, etc., as set out in the Security Measures Regulations).

Enforcement
Sanctions
Spain has one of the most stringent penalty systems in the entire EU in the event of breach of the DPA, with fines of up to EUR 601,012.10. The penalties established pursuant to the DPA range from EUR 601.01 to EUR 601,012.10, depending on the severity of the breach. Breach of the DPA implies fines but it must be noted that the Spanish Criminal Code also establishes a number of criminal offences derived from the violation of secrets and breach of privacy.

Practice
In 2003, there were approximately 600 investigations carried out by the AEPD.
There were 191 sanctioning proceedings started (163 against private entities and 28 against public entities) in that period. In most of the cases, the AEPD imposed the minimum level of fine for single infringements. Therefore, the typical fine imposed for a non-serious breach was EUR 601.01, for a serious breach EUR 60,101.21 and for a very serious breach EUR 300,506.10. Nevertheless, in some proceedings, the AEPD imposed a single fine that corresponds to several infringements, and on some occasions, the AEPD imposed a fine for a higher amount than the minimum amount of the corresponding threshold. The highest fine imposed by the AEPD in a single administrative proceeding to date is the one imposed on Zeppelin (the producer of the television programme “Gran Hermano” (“Big Brother”)) in January 2001. The fine amounted to EUR 1,081,822. The breaches of the DPA were the following: (i) not complying with the information rights of the participants in the programme; (ii) not obtaining their express consent for the processing of sensitive data; (iii) not fulfilling the requirements for data processing by third parties, it therefore being deemed that a disclosure of data which had not been consented to had taken place; and (iv) not complying with regulations on security measures. The facts that led to the investigation were that Zeppelin’s security system was breached and the data of the participants in the programme were made available over the Internet.

Sector specific: E-communications I Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented in Law 34/2002 on information society services and electronic commerce (the “ECA”) as amended by Law 32/2003 on General Telecommunications (the “Amended ECA”). The ECA is effective as of 12 October 2002. The Amended ECA is effective as of 5 November 2003.
The rest of the provisions concerning the processing of personal data and the protection of privacy in the electronic communications sector set out in Directive 2002/58/EC such as itemised billing, traffic data, location data other than traffic data, directories of subscribers, etc. were incorporated into Spanish Law by Royal Decree 424/2005, which entered into force on 30 April 2005.

Conditions for sending direct marketing e-mail
The Amended ECA provides that it is forbidden to send advertising or promotional communications by e-mail, or by any other equivalent means, if they have not been requested or expressly authorised by the recipient of such communication. This is an opt-in.

Exemption
An exemption from the opt-in requirement applies when there is a previous contractual relationship between the service provider and the recipient, as long as the contact data has been obtained lawfully, and the data are used to send commercial communications regarding the products or services of the service provider that are similar to those of the previous contractual relationship.

Scope of application
The ECA and Amended ECA apply both to corporate and individual subscribers. Individual subscribers include individuals at corporate accounts as well as private accounts.

Sweden

General I Directive 95/46/EC
National Legislation
Status of implementation of the Directive
Directive 95/46/EC has been implemented through the Swedish Data Protection Act (Personuppgiftslagen (1998:204), the “DPA”).

Entry into force of the implementing legislation
The DPA entered into force on 24 October 1998 but due to transitional regulations it only entered into full force on 1 October 2001.

Scope of Application of the National Legislation
Territorial scope of application
The DPA applies to data controllers established in Sweden.
It also applies when a data controller is established in a third country (i.e. a country outside the EU/EEA) but for the processing of personal data uses equipment that is situated in Sweden, provided that the equipment is not used only to transfer information between the third country and another such country.

Material scope of application
The DPA is applicable to both manual and electronic files.

Personal scope of application
It is only applicable to data relating to individuals.

Data Controller
Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines the data controller as the person who alone or together with others decides the purpose and means of processing personal data.

National Regulatory Authority (“NRA”)
Details of the competent NRA
Datainspektionen (the “Data Inspection Board”)
Box 8114
SE-104 20 Stockholm
Sweden
www.datainspektionen.se

Notification or registration scheme and timing
There is a general duty to notify the Data Inspection Board about processing of data. The registration scheme is merely a filing of information. The notification should take place before the processing is conducted.

Exemptions
The notification duty only includes processing of data that is completely or partially automated. There are, however, several exceptions to the general notification duty. The notification duty does not apply, for example, if the data subject has given his/her consent or if the data controller has appointed a personal data representative. Neither is notification required, for example, if the personal data processed relates to a data subject with whom the data controller has a certain relationship (such as follows from employment, membership, customer relationship or similar) if the data controller maintains a schedule of the processing including such information that otherwise would have been included in a notification.
Data Quality
Rules on the quality of the data processed
There are some general requirements regarding data that is processed, which prescribe, for example, that the personal data processed must be correct and, if necessary, up to date, adequate and relevant in relation to the purposes of the processing and that no more personal data than necessary may be processed.

Retention period
The personal data should not be kept for a longer period than necessary for the purpose of the processing. There are no fixed time limits.

Rights of Data Subjects
Right to information
The data controller must, on its own initiative, inform the data subject about the processing of personal data. The information must comprise the identity of the data controller, the purpose of the processing and all other information necessary in order for the data subject to be able to exercise his/her rights in connection with the processing.

Right of access/correction/objection and other rights
Access: Every individual is, once per year and free of charge, entitled, upon written request, to receive notification as to whether personal data concerning him/her has been processed. If so, information regarding the processing should be provided.
Correction: The data subject is entitled to obtain immediate rectification, blocking or erasure of such personal data that has not been legally processed under the DPA.
Objection to processing: Personal data may not be processed for purposes of direct marketing if the registered person notifies the data controller in writing that he/she opposes such processing.

Security
Security requirements in order to protect the data
The data controller must implement appropriate technical and organisational measures to protect the personal data that are processed.
Specific rules governing processing by a third party (processor) on behalf of data controller
If the data controller engages a processor, the parties must enter into a written contract. The contract must stipulate that the processor is permitted to process the data only in accordance with instructions from the data controller. Further, the data controller must ensure that the processor complies with security requirements as described above.

Transfer of Personal Data to Foreign Countries
Transfer within the EEA
Transfer within the EEA is permitted.

Transfer outside the EEA
The transfer of personal data to third countries (i.e. countries outside the EU/EEA) is prohibited unless the third country has an adequate level of protection. Notwithstanding this prohibition, it is permitted to transfer the data if the data subject has given his/her consent to the transfer or if the transfer is necessary for purposes specified in the DPA. In addition, it is also permitted to transfer data for use: (i) in a state that has acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; (ii) in a state considered by the European Commission to have an adequate level of protection for the data processed; (iii) in accordance with the standard EC Model Clauses; or (iv) to a data controller in the U.S. that has signed up to the Safe Harbor framework.

Sensitive Data
As a general rule, it is prohibited to process sensitive personal data. Sensitive personal data are data that reveal race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sexual life.
Such data may, however, be processed if the data subject has given his/her explicit consent, if the data subject, in a clear way, has published the information or if the processing is necessary with regard to certain purposes specified in the DPA. Data concerning legal offences may in principle only be processed by public authorities. Personal identity numbers may, in the absence of consent, only be processed when it is clearly justified with regard to the purpose of the processing, the importance of secure identification, or some other noteworthy reason.

Enforcement
Sanctions
The DPA provides for both civil and criminal sanctions. The data controller must compensate the data subject for damages and violation of personal integrity that processing of personal data in contravention of the DPA has caused. Certain violations of the DPA may lead to fines or imprisonment for a maximum of six months or, if the crime is major, to imprisonment for a maximum of two years. A sentence is not imposed in minor cases.

Practice
The Data Inspection Board registered 229 matters last year. The typical penalties imposed are fines and damages which are awarded to the victim. The level of the penalty varies according to the severity of the crime and the income of the person responsible for the breach of the data protection legislation. There have been cases of imprisonment for breaches of the data protection legislation, in particular cases where the infringer has committed other additional offences, for example, severe defamation. Another case which involved imprisonment for breach of the data protection legislation concerned two persons with Nazi leanings who set up a register containing a large group of people with their religious and political beliefs, sexual life, race etc. The sentence referred mainly to the breach of the data protection legislation. One of the victims of the infringement received SEK 10,000 in damages (approximately EUR 1,070).
Sector specific: E-communications I Directive 2002/58/EC
Marketing by E-mail
Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC was implemented on 1 April 2004 through a modification of the Marketing Act (Sw. marknadsföringslagen (1995:450)).

Conditions for sending direct marketing e-mail
Direct marketing by e-mail is in principle only permitted if the recipient has given his/her consent (opt-in).

Exemptions
Such marketing may, however, be permitted provided that the marketing company: (i) has received the e-mail address from a customer in connection with the sale of a product; (ii) if the customer has not opposed the use of the e-mail address for marketing by e-mail; (iii) the marketing concerns the company’s own, similar products; and (iv) the customer is given the opportunity, without charge and in an easy way, to oppose the information being used for marketing purposes both when the information is collected and on every further marketing occasion.

Scope of application
The rules are applicable only to individuals.

Switzerland
Contributed by Homburger Rechtsanwälte

General I Directive 95/46/EC
National Legislation
Status of implementation of the Directive
The Swiss Federal Data Protection Act (the “DPA”) is dated 19 June 1992. Since Switzerland is neither an EU Member State nor an EEA Member State, Directive 95/46/EC does not need to be implemented in Swiss law. However, in order to implement the Additional Protocol to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 181), the Swiss Legislator has suggested a revision of the DPA. The suggested changes are highly disputed and it cannot be judged if and when the revised DPA will enter into force.

Entry into force of the implementing legislation
The DPA came into force on 1 July 1993.
Scope of Application of the National Legislation
Territorial scope of application
Swiss courts will in general apply the DPA, upon free choice of the data subject, if either: (i) the data subject is resident in Switzerland (provided this was foreseeable for the data controller or processor); (ii) the data controller or processor has its seat of residence in Switzerland; or (iii) the data processing (or other violation of privacy) occurs in Switzerland (provided this was foreseeable for the data controller or processor). In addition, the DPA's export notification obligations will apply whenever personal data databases are exported out of Switzerland.

Material scope of application
Processing of personal data comprises all operations relating to personal data, regardless of the means and procedures used. Accordingly, the DPA applies to both manual and electronic files. The DPA does not apply to personal data processed by an individual solely for personal purposes and not disclosed to third parties. Another important exception is that the DPA does not apply to pending civil, criminal, judicial assistance and administrative recourse proceedings.

Personal scope of application
The DPA applies to all processing of personal data relating to individuals and to legal entities.

Data Controller
Entity responsible for compliance with the National Legislation
Everyone who processes personal data must comply with the DPA. Accordingly, not only data controllers but also data processors are responsible for compliance. The data controller is defined in the DPA as any private person or federal authority who decides on the purpose and the content of the files. Cantonal and local authorities are governed by separate, cantonal data protection legislation, not the DPA.
National Regulatory Authority ("NRA")

Details of the competent NRA
The Swiss Federal Data Protection Commissioner ("DPC")
Feldeggweg 1
CH-3003 Berne
Switzerland
www.edsb.ch

Notification or registration scheme and timing
Data controllers which regularly process sensitive personal data or personality profiles or regularly disclose personal data to third parties must publicly register their data collection with the DPC. This registration does not require any approval and is, therefore, a mere notification system. The registration must take place before the processing is commenced. In addition, data controllers must notify the DPC prior to transferring (or otherwise making available) personal data databases outside of Switzerland.

Exemptions
No registration/notification is required if: (i) there is a statutory obligation to process the personal data in a particular way; or (ii) the data subject is aware (no consent must be obtained) of the data processing which is subject to the registration/notification obligation. Most data processors rely on the latter exemption to avoid any registration/notification. There are further exceptions to the above notification obligations. For instance, there is no obligation to notify a transfer of a personal data database abroad if: (i) the database is transferred to a country with equivalent data protection legislation; (ii) it does not contain sensitive personal data or personality profiles; and (iii) no further transfer to a country without equivalent data protection legislation is intended.

Data Quality

Rules on the quality of the data processed
Personal data must be accurate. Moreover, data must be relevant and necessary for the purpose for which they are collected.

Retention period
Personal data may not be kept for longer than is necessary for the purpose for which they are processed.
Absent a sufficient justification, personal data may only be processed for the purposes that: (i) have been communicated upon their collection; (ii) were apparent based on the circumstances; or (iii) are provided for by statutory law. In addition, mandatory statutory restrictions apply to the processing of employee personal data.

Rights of Data Subjects

Right to information
Currently there is no statutory duty requiring the data controller to explicitly inform the data subject of the processing. With the intended revision of the DPA (see above), however, a provision may be added to the DPA which would provide for an information obligation if sensitive data or personality profiles are processed.

Right of access/correction/objection and other rights
Access: Data subjects, who must identify themselves, may ask data controllers in writing for confirmation as to whether they process personal data relating to them, and request (usually free of charge) information as to all personal data relating to them that is contained in the data controller's data collection, the purposes of the processing and, where applicable, the legal basis for the processing, the categories of personal data concerned, the persons involved in the processing of the data collection and, finally, the recipients to whom the data are disclosed.
Correction: The data subject may request the personal data to be rectified or deleted.
Objection: The data subject may request that no personal data be disclosed to third parties or processed further.

Security

Security requirements in order to protect the data
Personal data must be protected against unauthorised processing by adequate technical and organisational means.
Specific rules governing processing by a third party (processor) on behalf of data controller
Processing of personal data may be outsourced to a third party: (i) if the data controller ensures that the data are only processed in the way that the data controller would be entitled to; and (ii) if no statutory or contractual confidentiality obligations prohibit the outsourcing. To the extent that a certain data processing requires a particular justification, the third party may rely on the same justifications as the data controller.

Transfer of Personal Data to Foreign Countries
Personal data may only be transferred to countries with equivalent protection of personal data. According to the non-binding list of countries with equivalent data protection published by the DPC, personal data relating to individuals may for instance in principle be transferred to EU Member States that have implemented Directive 95/46/EC. If data are to be transferred to countries with no equivalent protection, a justification such as the data subject's consent is required. Alternatively, the data exporter may establish a sufficient level of data protection by entering into a transborder data flow contract with the data importer (comparable to the standard contract clauses adopted by the EU Commission, a copy of which is available from the Swiss authority's website).

Sensitive Data
Sensitive data may not be disclosed to third parties without sufficient justification such as the data subject's consent, and regular processing of such data may require a registration with the DPC. Sensitive data are personal data regarding opinions or activities relating to religion, philosophy, politics or trade unions; health, the private sphere or racial origin; social aid; and administrative or criminal proceedings and sanctions.
It should be noted that under the DPA, the rules for sensitive data also apply to personality profiles, i.e. combinations of data that allow the assessment of fundamental characteristics of the personality of an individual.

Enforcement

Sanctions
The data subject is entitled to civil remedies such as damages and legal redress. In addition, individuals who are in breach of their statutory duties of information, notification and co-operation are subject to criminal sanctions and may be imprisoned or fined. The same criminal sanctions also apply for the breach of professional secrecy. However, in practice, the competent authorities are very reluctant to impose criminal sanctions on data controllers.

Practice
There are no official statistics on the number of investigations and prosecutions concerning violations of the DPA. Between April 2004 and March 2005, the DPC conducted 30 official investigations (four of which were not completed in the period, and 15 cases concerned the right of access to homeland security files) and made six official "recommendations" (see below). The Federal Data Protection Commission, which acts as an appellate instance, processed 32 cases in 2004, of which 17 were new and 11 were completed in 2004 (most cases relate to data processing by federal authorities). The number of DPA related cases decided by civil or criminal courts is not known; it is known, however, that since coming into force in 1993, as of August 2004, the criminal provisions of the DPA have resulted in only one prison sentence (a five day term plus a fine of CHF 750 in 1996); convictions that only resulted in fines are not recorded. In addition to the criminal provisions of the DPA, the Swiss Penal Code provides that a person who obtains sensitive data or personality profiles from a non-public data collection without authorisation shall be punished by imprisonment or fined.
Since 1993, the foregoing provision has led to a total of five recorded criminal convictions (in the years 1995, 1996 and 2002, where the most significant term was for 28 days, the most significant fine was CHF 750 and the average fine was CHF 575). Apart from the civil and criminal sanctions, the DPC may conduct investigations in the private sector if a particular method of data processing could violate the privacy of a larger number of people (in addition to supervising the federal authorities' DPA compliance). Based on such investigations in the private sector, the DPC may issue case specific "recommendations" and may publish them.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Since Switzerland is neither an EU Member State nor an EEA Member State, Directive 2002/58/EC does not need to be implemented in Swiss law. Nevertheless, the Swiss Legislator is currently discussing a proposed revision of the Swiss Unfair Competition Act in order to expressly prohibit spamming and other forms of unsolicited commercial e-communications except under certain conditions ("opt-in" as a principle; "opt-out" for existing clients). The provision would be similar to Article 13 of Directive 2002/58/EC. Since the (undisputed) proposal is part of a controversial revision of the Swiss Telecommunications Act, it is not clear when the anti-spamming provision will enter into force.

Conditions for sending direct marketing e-mail
Currently, Swiss law has no specific provision regarding unsolicited e-mails. However, the Federal Data Protection Commission ("FDPC") has ruled that under the DPA, e-mail marketing is admissible only on an "opt-in" basis, i.e. with the prior express consent of the intended recipients.
The FDPC found that sending unsolicited e-mails to unknown recipients using e-mail addresses indiscriminately collected on the Internet violates the DPA, regardless of whether such e-mails provide for an opt-out. Of course, since the DPA entitles data subjects to ban data controllers from using personal data, they in any case may require spammers to stop sending unsolicited e-mails (opt-out). In addition, unsolicited e-mails may already under present law qualify as unfair competition, for instance if a false or unrecognisable sender address is used, if the e-mails are sent to a large, unspecific group of recipients or if the e-mails are sent to recipients that have previously opted-out.

United Kingdom

General | Directive 95/46/EC

National Legislation

Status of implementation of the Directive
Directive 95/46/EC has been implemented by the Data Protection Act 1998 (the "DPA") dated 16 July 1998.

Entry into force of the implementing legislation
The majority of the provisions came into force on 1 March 2000.

Scope of Application of the National Legislation

Territorial scope of application
The DPA applies to data controllers in respect of any data if: (i) the data controller is established in the UK (including offices, branches, agencies or other regular practice in the UK) and data are processed in the context of that establishment; or (ii) the data controller is established outside the EEA, but uses equipment in the UK for processing personal data other than for transit purposes.

Material scope of application
The DPA applies to both manual and electronic files. The manual files must form part of an organised filing system.

Personal scope of application
The DPA only applies to "personal data", which is any data relating to individuals.
In order for the DPA to apply, such individuals must be identifiable from: (i) the data; or (ii) the data and other information which is, or is likely to come into, the possession of the data controller. The definition of "personal data" was considered further by the Court of Appeal in the case of Durant, which suggested that there are two notions which may be used to help decide whether information could be considered to be "personal data". The first is whether the information is "biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised". The second is that the information should have the data subject as its focus rather than some other person or event such as an investigation into some other body's conduct. The court also held that: "In short, [personal data] is information that affects his privacy, whether in his personal or family life, business or professional capacity." The decision was a controversial one, and has attracted considerable criticism.

Data Controller

Entity responsible for compliance with the National Legislation
The data controller is responsible for compliance with the DPA. The DPA defines a data controller as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

National Regulatory Authority ("NRA")

Details of the competent NRA
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
www.informationcommissioner.gov.uk

Notification or registration scheme and timing
Unless the processing is exempt, personal data may not be processed by a data controller that has not submitted notification to the Information Commissioner.
No approval is required. The notification must occur prior to the first processing of personal data.

Exemptions
Every data controller who is processing personal data must notify the Information Commissioner unless they are exempt. Exemptions apply in respect of: (i) staff administration; (ii) advertising and marketing etc. of the data controller's business; (iii) accounts and records of the data controller or its customer/supplier; and (iv) certain processing relating to non-profit making organisations.

Data Quality

Rules on the quality of the data processed
The rules are set out in the data protection principles listed in the DPA. The third data protection principle states that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. The fourth principle states that personal data shall be accurate and, where necessary, kept up to date.

Retention period
The fifth data protection principle states that personal data processed for any purpose shall not be kept longer than is necessary for that purpose.

Rights of Data Subjects

Right to information
Upon written request, any data controller must inform the individual whether it has processed or is processing any data concerning him/her. If it has or is, it must describe the personal data, the purpose for which they are processed and third parties to which they are, or may be, disclosed. Where data are processed automatically and are likely to form the sole basis for a decision significantly affecting the data subject, he/she will be entitled to know the logic involved in that decision making, provided it is not confidential.

Right of access/correction/objection and other rights
Access: Data subjects may obtain copies of their personal data on written request to data controllers.
Correction: In certain cases, the data subject may ask the court to order the data controller to rectify, block, erase or destroy the data.
Objection to processing: An individual may in writing require that the data controller cease processing data concerning the individual, either generally or for a specified purpose or in a specified manner, if such processing is likely to cause substantial damage or distress to the individual or a third party and that damage/distress would be unwarranted.
Other: A data subject may require in writing that a data controller stop processing data for direct marketing purposes. In certain cases, a data subject may object to decisions being taken about him/her based solely on automatic processing.

Security

Security requirements in order to protect the data
Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. Data controllers must ensure an appropriate level of security for the processed data having regard to possible damage and the nature of the data. The adequacy of measures taken is to be judged with regard to the state of technology and the cost of such measures.

Specific rules governing processing by a third party (processor) on behalf of data controller
The processing of personal data by a data processor must be in accordance with a written contract with the data controller requiring the processor to act only on instruction from the data controller and requiring the data processor to comply with obligations equivalent to those imposed on the data controller by the seventh principle (security).

Transfer of Personal Data to Foreign Countries

Transfer within the EEA
The DPA permits transfers within the EEA.

Transfer outside the EEA
The DPA prohibits transfers outside the EEA unless the destination ensures adequate protection for that data. Adequacy is to be assessed by the data controller.
Personal data can be transferred outside the EEA under the usual circumstances (e.g. if there has been a Community adequacy finding, the data importer has signed up to the Safe Harbor or the EC Model Clauses, the data subject has consented or the transfer is necessary for the performance of a contract). A number of more minor grounds also exist.

Sensitive Data
Special protection is provided for personal data that are sensitive, i.e. concerning the data subject's racial or ethnic origin, political opinions, religious or similar beliefs, membership of a trade union, physical or mental health or conditions, sexual life, commission of an offence or proceedings for an offence.

Enforcement

Sanctions
Breaches may incur civil liability or criminal sanctions, which include unlimited fines (including for directors) but not jail terms. A breach of a data protection principle is not of itself a criminal offence, but may result in an Enforcement Notice. Breach of that notice may be a criminal offence.

Practice
20,138 cases were closed by the Information Commissioner in 2004/5. In that period there were 12 prosecutions. The penalties imposed range from £100 to £3,150, with the average level of penalty being around £250. The most significant penalty levied to date was a fine of £5,000 plus costs. The penalty was imposed on the London Borough of Havering.

Sector specific: E-communications | Directive 2002/58/EC

Marketing by E-mail

Status of implementation of Article 13 of Directive 2002/58/EC
Article 13 of Directive 2002/58/EC has been implemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "ECA"). The effective date was 11 December 2003.

Conditions for sending direct marketing e-mail
It is not permitted to transmit unsolicited direct marketing e-mail unless the recipient has previously notified the sender that he/she consents for the time being to such communications being sent by the sender.
This is usually considered opt-in, but may also be achieved using an opt-out approach in certain circumstances.

Exemptions
It is permitted to send e-mail for the purposes of direct marketing where: (a) the sender has obtained the contact details of the recipient of that e-mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of the sender's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of transmitting the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected and with each subsequent communication. This is therefore opt-out.

Scope of application
The ECA only applies to individual contacts. It does not apply to corporate contacts (including individuals at corporates).

Contacts

Austria
Michael Lagler, Schönherr Rechtsanwälte OEG
Tel: (43) 1 53437 127 Fax: (43) 1 53437 6177
[email protected]
A-1010 Wien, Tuchlauben 17, Vienna, Austria
www.schoenherr.at

Belgium
Tanguy Van Overstraeten, Linklaters De Bandt
Tel: (32) 2 501 95.15 Fax: (32) 2 501 91.14
[email protected]
13, rue Brederodestraat, 1000 Brussels, Belgium
www.linklaters.be

Cyprus
Ms Galatia Sazeidou, Georgiades & Pelides
Tel: (357) 22 315939 Fax: (357) 22 315553
[email protected]
Eagle House, 10th floor, 16 Kyriakos Matsis Avenue, Ayioi Omoloyites, 1082 Nicosia, Cyprus
www.cypruslaw.com.cy

Czech Republic
Barbora Lezatkova & Hana Gawlasova, Linklaters
Tel: (420) 221 622 224/125 Fax: (420) 221 622 199
[email protected] [email protected]
Na Prikope 19, Prague 1, Czech Republic
www.linklaters.com

Denmark
Jakob Skaadstrup Andersen & Nicolai Hesgaard, Gorrissen Federspiel Kierkegaard
Tel: (45) 33 41 41 41 Fax: (45) 33 41 41 33
[email protected] [email protected]
H.C. Andersens Boulevard 12, DK-1553 Copenhagen V, Denmark
www.gfklaw.dk

Estonia
Raino Paron, Raidla & Partners
Tel: (372) 6 407 170 Fax: (372) 6 407 171
[email protected]
Roosikrantsi 2, 10119 Tallinn, Estonia
www.raidla.ee

Finland
Kaisa Fahllund, Hannes Snellman Attorneys at Law Ltd
Tel: (358) 9 2288 841 Fax: (358) 9 2288 4323
[email protected]
Etelaranta 8, 00130 Helsinki, Finland
www.hannessnellman.fi

France
Pierre Gougé, Linklaters
Tel: (33) 1 56 43 56 43 Fax: (33) 1 43 59 41 96
[email protected]
25, rue de Marignan, 75008 Paris, France
www.linklaters.com

Germany
Dr Fabian Niemann, Linklaters Oppenhoff & Rädler
Tel: (49) 69 71003-372 Fax: (49) 69 71003-333
[email protected]
Mainzer Landstrasse 16, 60325 Frankfurt am Main, Germany
www.linklaters.com

Dr Jürgen Hartung, Linklaters Oppenhoff & Rädler
Tel: (49) 221 20910 Fax: (49) 221 2091 435
[email protected]
Börsenplatz 1, Cologne, D-50667 Germany
www.linklaters.com

Dr Konrad Berger, Linklaters Oppenhoff & Rädler
Tel: (49) 89 4 18 08 0 Fax: (49) 89 4 18 08 100
[email protected]
Prinzregentenplatz 10, Munich, D-81675 Germany
www.linklaters.com

Greece
Maria Giannakaki, J. Karageorgiou & Associates
Tel: (30) 210 7221021 Fax: (30) 210 7213981
[email protected]
35, Vas. Sofias Avenue, GR-106 75 Athens, Greece
[email protected]

Hungary
Dr András Lendvai, Berecz & Andrékó Linklaters
Tel: (36) 1 428 4400 Fax: (36) 1 428 4444
[email protected]
H-1054 Budapest, Szechenyi rkp. 3., Hungary

Iceland
Erlendur Gíslason, LOGOS - Legal Services
Tel: (354) 5 400 300 Fax: (354) 5 400 301
[email protected]
Efstaleiti 5, 103 Reykjavík, Iceland
www.logos.is

Ireland
Philip Nolan, Mason Hayes & Curran, Solicitors
Tel: (353) 16145000 Fax: (353) 16145001
[email protected]
6 Fitzwilliam Square, Dublin 2, Ireland
www.mhc.ie

Italy
Avv. Daniele Vecchi, Avv. Melissa Marchese, Gianni, Origoni, Grippo & Partners
Tel: (39) 02 763741 Fax: (39) 02 76009628
[email protected] [email protected]
Piazza Belgioioso, 2, 20121 Milano, Italy
www.gop.it

Latvia
Sanda Lace, Klavins & Slaidins
Tel: (371) 781 4848 Fax: (371) 781 4849
[email protected]
Elizabetes 15, Riga LV-1010, Latvia
www.klavinsslaidins.lv

Liechtenstein
Dr Johannes Grabher, Wanger Advokaturbüro
Tel: (423) 237 52 52 Fax: (423) 237 52 53
[email protected]
Äulestrasse 45, FL-9490 Vaduz, Liechtenstein
www.wanger.net

Lithuania
Dr Mindaugas Kiskis, Lideika, Petrauskas, Valiunas ir partneriai
Tel: (370) 5 268 1888 Fax: (370) 5 212 5591
[email protected]
Jogailos g.9/1, LT-01116 Vilnius, Lithuania
www.lawin.lt

Luxembourg
Emmanuelle Ragot, Linklaters Loesch
Tel: (352) 26 08 1 Fax: (352) 26 08 88 88
[email protected]
35, avenue John F. Kennedy, L-1855 Luxembourg
www.linklaters.com

Malta
Dr Brigitte Zammit, Mamo TCV Advocates
Tel: (356) 2123 1345 or (356) 2124 8375 Fax: (356) 2124 4291 or (356) 2123 1298
[email protected]
Palazzo Pietro Stiges, 90, Strait Street, Valletta VLT 01, Malta
www.mamotcv.com

The Netherlands
Catrien Noorda, De Brauw Blackstone Westbroek
Tel: (31) 20 577 1412 Fax: (31) 20 471 5831
[email protected]
P.O. box 75084, 1070 AB Amsterdam, The Netherlands
www.debrauw.com

Norway
Andreas Wahl, Wiersholm, Mellbye & Bech, advokatfirma AS
Tel: (47) 210 210 00 Fax: (47) 210 210 01
[email protected]
Ruseløkkveien 26, PO Box 1400 Vika, N-0115 Oslo, Norway
www.wiersholm.no

Poland
Daniel Hasik, Linklaters
Tel: (48) 22 526 51 36 Fax: (48) 22 526 50 60
[email protected]
Warsaw Towers, ul. Sienna 39, Warsaw, PL-00-121, Poland
www.linklaters.com

Portugal
Carlos Pinto Correia, Linklaters
Tel: (351) 21 864 00 32 Fax: (351) 21 864 00 04
[email protected]
Avenida Fontes Pereira de Melo, 14-15°, 1050-121, Lisbon, Portugal
www.linklaters.com

Slovakia
Zuzana Turayová, Linklaters
Tel: (421) 2 5929 1148 Fax: (421) 2 5929 1210
[email protected]
Hlavné námestie 5, 811 01 Bratislava, Slovakia
www.linklaters.com

Slovenia
Dr Florian Kirchhof, Schönherr Rechtsanwälte
Tel: (386) 12000 980 Fax: (386) 14260 711
[email protected]
Tomsiceva 3, SI-1000 Ljubljana, Slovenia
www.schoenherr.at

Spain
Carmen Burgos, Linklaters
Tel: (34) 91 399 60 35 Fax: (34) 91 399 61 43
[email protected]
Zurbarán, 28. 28010 Madrid, Spain
www.linklaters.com

Sweden
Jonas Forzelius, Linklaters Advokatbyrå AB
Tel: (46) 8 665 67 66 Fax: (46) 8 667 68 83
[email protected]
Regeringsgatan 67, Box 7833, SE-103 98 Stockholm, Sweden
www.linklaters.com

Switzerland
David Rosenthal, Homburger Rechtsanwälte
Tel: (41) 43 222 10 00 Fax: (41) 43 222 15 00
[email protected]
Weinbergstrasse 56/58, PO Box 338, CH-8035 Zurich, Switzerland
www.homburger.ch

United Kingdom
Christopher Millard, Richard Cumbley, Linklaters
Tel: (44) 20 7456 2000 Fax: (44) 20 7456 2222
[email protected] [email protected]
One Silk Street, London EC2Y 8HQ, United Kingdom
www.linklaters.com

Linklaters, One Silk Street, London EC2Y 8HQ. Tel: (44) 20 7456 2000 Fax: (44) 20 7456 2222. www.linklaters.com
© Linklaters 2005