5 of 10

 

Data Protection

Data protection is the primary instrument of law available to protect the privacy of individuals in the context of information and communication technology projects such as SafeTRIP. The EU Data Protection Directive aims to protect individuals from the misuse of personal data.

EU Members’ legislation on data protection is based on the Data Protection Directive of 1995 which set out the legal balance between allowing data processing and the right to privacy.

Consequently, any processing of data must comply with the following principles:

-     Data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; such purposes must be explicit and legitimate and must be determined at the time of data collection.

-     The processing must be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract, or as a legal requirement, or for the performance of a task carried out in the public interest or in the exercise of official authority.

-     The controller must provide the data subject with certain information relating to the identity of the data controller, the purposes for which the data are being processed and the data recipients.

-     Every data subject has a right of access to his/her data as well as rights of rectification, erasure, blocking, and the right to object on legitimate grounds to the processing of data relating to him/her.

-     Confidentiality and security of processing must be assured. The controller has to implement appropriate measures to protect personal data against accidental or unlawful destruction, accidental loss or alteration and unauthorized disclosure or access.

It is forbidden:

-     to process personal data considered as sensitive, such as data relating to racial origin, political opinions, religious beliefs, personal health…

-     to transfer personal data from a Member State to a third country, unless an adequate level of protection is ensured.

What is not under the scope of the law:

-     anonymous data, in so far as protection must apply to any information concerning an identified or identifiable person.

-     the processing of data concerning legal persons.

-     the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses.

-     activities regarding public safety, defense, state security or the activities of a State in the area of criminal law.

The controller must notify the supervisory authority on data protection before carrying out any processing operation. Any person who has suffered damage as a result of the unlawful processing of their personal data is entitled to receive compensation for the damage suffered.

The definition of the Data Protection Directive is followed by a number of terms, with their definitions, that users and application developers of the SafeTRIP system will encounter when grappling with data protection issues. These should be cross-referenced with the definitions of privacy and sensitive data in the section above.

SAFETRIP.eu is a project co-funded by the European Commission, DG Research

© Copyright 2012 SafeTRIP