Skip to content. | Skip to navigation

Personal tools
You are here: Home topics Media Data protection in the EU

Data protection in the EU

25 August 2006
by eub2 -- last modified 25 August 2006

Concerns about personal data collection on the Internet are increasing. Developments in the European Union fo create of a frontier free Internal Market and the EU's so-called 'Information Society' have greatly increases the cross-frontier flows of personal data between Member States of the EU.


Information relating to individuals, called 'personal data', is collected and used in many aspects of everyday life. An individual gives personal data when he/she, for example, registers for a library card, signs up for gym membership, opens a bank account, etc. Personal data can be collected directly from the individual or from existing data base. These data may subsequently be used for other purposes and/or shared with other parties. Personal data can be any data that identifies an individual, such as a name, a telephone number, or a photo.

Advancement in computer technology along with new telecommunications networks is allowing personal data to travel across borders with greater ease. As a result, data concerning the citizens of one Member State are sometimes processed in other Member States of the EU. Therefore, as personal data is collected and exchanged more frequently, regulation on data transfers becomes necessary.

In this context, national laws regarding data protection demanded good data management practices on the part of the entities who process data, called 'data controllers'. These included the obligation to process data fairly and in a secure manner and to use personal data for explicit and legitimate purposes.

National laws also guaranteed a series of rights for individuals, such as the right to be informed when personal data was processed and the reason for this processing, the right to access the data and if necessary, the right to have the data amended or deleted.

Although national laws on data protection aimed to guarantee the same rights, some differences existed. These differences could create potential obstacles to the free flow of information and additional burdens for economic operators and citizens. Some of these were: the need to register or be authorised to process data by supervisory authorities in several Member States, the need to comply with different standards and the possibility to be restricted from transferring data to other Member States of the EU. Additionally, some Member States did not have laws on data protection.

For these reasons, there was a need for action at European level, and this took the form of EC Directives.


In order to remove the obstacles to the free movement of data without diminishing the protection of personal data, Directive 95/46/EC (the data protection Directive) was developed to harmonise national provisions in this field.

As a result, the personal data of all citizens will have equivalent protection across the Union. The fifteen Member States of the EU were required to bring their national legislation in line with the provisions of the Directive by 24th October 1998.

The data protection Directive applies to 'any operation or set of operations which is performed upon personal data,' called 'processing' of data. Such operations include the collection of personal data, its storage, disclosure, etc. The Directive applies to data processed by automated means (e.g. a computer database of customers) and to data that are part of or intended to be part of non automated 'filing systems' in which they are accessible according to specific criteria. (For example, the traditional paper files, such as a card file with details of clients ordered according to the alphabetic order of the names).

The data protection Directive does not apply to data processed for purely personal reasons or household activities (e.g. an electronic personal diary or a file with details of family and friends). It also does not apply to areas such as public security, defence or criminal law enforcement, which are outside the competence of the EC and remain a national prerogative. National legislation
generally provides protection for individuals in these areas.

In addition, there is a separate Directive, Directive 97/66/EC, that deals specifically with the protection of privacy in telecommunications. This Directive states that Member States must guarantee the confidentiality of communication through national regulations. This means that any unauthorised listening, tapping, storage or other kinds of interception of surveillance of communications is illegal. Where calling-line identification is offered, users must be given the
possibility to not subscribe to this service or not having their identification revealed when making a telephone call. Conversely, subscribers to this service must have the possibility to reject incoming calls from individuals who have blocked their calling-line identification. Additionally, the Directive states that where printed or electronic telecommunication directories exist, individuals are entitled to omission from the list, in principle, at no cost.

Data protection: EU law and background information

EU data protection law

Source: European Commission

Sponsor a Guide

EUbusiness Guides offer background information and web links about key EU business issues.

Promote your services by providing your own practical information and help to EUbusiness members, with your brand and contact details.

To sponsor a Guide phone us on +44 (0)20 7193 7242 or email sales.

EU Guides