Data Protection in EU
Everyone has the right to the protection of personal data.
Data Protection Directive
Under EU law, personal data can only be gathered legally under strict conditions, for a
legitimate purpose. Furthermore, persons or organisations which collect and manage your
personal information must protect it from misuse and must respect certain rights of the data
owners which are guaranteed by EU law.
Every day within the EU, businesses, public authorities and individuals transfer vast
amounts of personal data across borders. Conflicting data protection rules in different
countries would disrupt international exchanges. Individuals might also be unwilling to
transfer personal data abroad if they were uncertain about the level of protection in other
countries.
Therefore, common EU rules have been established to ensure that your personal data
enjoys a high standard of protection everywhere in the EU. You have the right to complain
and obtain redress if your data is misused anywhere within the EU.
The EU's Data Protection Directive also foresees specific rules for the transfer of
personal data outside the EU to ensure the best possible protection of your data when it is
exported abroad.
The Data Protection Directive is a European Union directive adopted in 1995 which
regulates the processing of personal data within the European Union. It is an important
component of EU privacy and human rights law. On 25 January 2012, the European
Commission unveiled a draft European General Data Protection Regulation that will
supersede the Data Protection Directive.
Personal data are defined as "any information relating to an identified or
identifiable natural person ("data subject"); an identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an identification number or to
one or more factors specific to his physical, physiological, mental, economic, cultural or
social identity. This definition is meant to be very broad. Data are "personal data" when
someone is able to link the information to a person, even if the person holding the data cannot
make this link. Some examples of "personal data" are: address, credit card number, bank
statements, criminal record.
Implementation by the member states
�EU directives are addressed to the member states, and aren't legally binding for
individuals in principle. The member states must transpose the directive into internal law.
Directive 95/46/EC on the protection of personal data had to be transposed by the end of
1998. All member states have enacted their own data protection legislation. In Romania, this
directive was transposed into Law No. 677/2001 for the Protection of Persons concerning the
Processing of Personal Data and Free Circulation of Such Data, published in the Official
Gazette No. 790 of 12 December 2001.
Comparison with U.S. data protection law
As of 2003, the U.S. has no single data protection law comparable to the EU's Data
Protection Directive. Privacy legislation in the United States tends to be adopted on an ad
hoc basis, with legislation arising when certain sectors and circumstances require (e.g.,
the Video Privacy Protection Act , the Cable Television Protection and Competition Act of
the Fair Credit Reporting Act, and Health Insurance Portability and Accountability Act).
Data protection authorities in EU
The Regulation on the protection of individuals with regard to the processing of
personal data by EU institutions sets up a European Data Protection Supervisor (EDPS).
This is an independent EU body responsible for monitoring the application of data protection
rules by EU institutions. The EDPS works at the European level, and is similar to national
data protection authorities across the EU. Individuals can lodge complaints directly with the
EDPS, if they consider that their data protection rights have been ignored. The EDPS can hear
and investigate complaints, monitor and ensure that the Regulation is applied and advise EU
institutions and bodies on everything about processing personal data. The European
Commission must consult the EDPS when adopting legislative proposals relating to the
processing of personal data in any sector.
The Regulation on the protection of individuals with regard to the processing of
personal data by EU institutions provides for the appointment of a Data Protection Officer
(DPO) in every EU institution. The task of DPOs is to independently ensure the internal
application of the Regulation in close cooperation with the European Data Protection
Supervisor.
Data protection in Romania
�The Ministry of Foreign Affairs from Romania is paying special attention to
processing of personal data through the prism to guarantee and to protect fundamental rights
and freedoms of individuals, and in particular their right to intimate, family and private life.
In Romania, processing personal data is followed by the next principles:
-
Legality (Law No. 677/2001 for the Protection of Persons concerning the Processing
of Personal Data and Free Circulation of Such Data);
The well determinate scope (any processing of personal data is carried out in wellspecified scope, explicit and legitimate, adequate, relevant and not excessive in
relation to the purposes for which they are collected and then processed);
Confidentiality (the persons who prelucrate personal datas, in name of an institution,
in their contract of employment and job description have a confidentiality clause
about personal data);
The consent of the person concerned ( any processing of personal data, with the
exception of processing which affects data in categories strictly referred into the Law
677/2001, can only be performed if the data subject has given his consent expressly
and unambiguously for that processing);
Providing information (The persons should be informed by the institution which
processes personal data of the subject);
Protection of the persons involved in the process ( persons concerned shall have the
right to access the data which are to be processed, as well as the right to apply to the
national monitoring of the processing of personal data or Court ruling in the case to
defend any rights guaranteed by the law);
Security (the security measures of personal data shall be settle in such a way as to
ensure an adequate level of safety of personal data).
