España: Data Protection in Internet

Autor:Juan Antonio Mayol, Rafael Medrán, Alfonso Ortega
Cargo:Graduated in Law. University of Alicante (Spain). Graduated in Law and Master in International Commerce. University of Alicante (Spain). Professor of Private International Law. University Cardenal Herrera-CEU and University Miguel Hernandez (Spain).
Páginas:30
RESUMEN

As a result of the rapid development in computer technology large quantities of information relating to individuals ('personal data') are routinely collected and used by public administrations and in every sector of business.

 
EXTRACTO GRATUITO
  1. Introduction.- II. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. II.1. Introduction. II.2. General rules on the lawfulness of the processing of personal data. II.3. Judicial remedies, liability and sanctions. II.4. Transfer of personal data to third countries. II.5. Codes of conduct. II.6. Supervisory authority and working party on the protection of individuals with regard to the processing of personal data. II.7. Community implementing measures. - III. Organic Law 15/1999 of 13 December on the Protection of Personal Data. III.1. Principles of data protection. III.2. Public and private files. III.2.1. Public files. III.2.2. Private files. III.3. International movement of data. III.4. Data Protection Agency. III.5. Infringements and sanctions. - IV. Final conclusions. - V. Bibliography.

  2. Introduction.

    1. As a result of the rapid development in computer technology large quantities of information relating to individuals ('personal data') are routinely collected and used by public administrations and in every sector of business.

    Several Member states of the European Union have since the 1970s passed legislation protecting the fundamental rights of individuals and in particular their right to privacy from abuses resulting from the processing (for example, the collection, the use, the storage, etc.) of personal data. International institutions such as the United Nations, the Organisation for Economic Cooperation and Development (OECD) and the Council of Europe have produced legal texts addressing these issues. A Council of Europe convention (Treaty 108 of 1981) establishes the basic principles regarding the protection of individuals with regard to the processing of personal data which can be found in all data protection laws in Europe.

    Data protection laws provide for a series of rights for individuals such as the right to receive certain information whenever data are collected, the right of access to the data, and if necessary, the right to have the data corrected, and the right to object to certain types of data processing. These laws generally demand good data management practices on the part of the entities that process data ('data controllers') and include a series of obligations. These include the obligation to use personal data for specified, explicit and legitimate purposes, the obligation to guarantee the security of the data against accidental or unauthorised access or manipulation and in some cases the obligation to notify a specific independent supervisory body before carrying out all or certain types of data processing operations. These laws normally provide for certain safeguards or special procedures to be applied in case of transfers of data abroad.

    Although national data protection laws are to a certain extent similar, a number of differences exist between them. The level of protection guaranteed to the citizens in the Member States is not uniform (two Member States are still in the process of passing data protection laws). This situation creates potential obstacles to the free flow of information and additional burdens for economic operators and citizens, such as the need to register or be authorised to process data by supervisory authorities in several member Sates, the need to comply with different standards and the possibility to be restricted from transferring data in other member states of the EU.

    Furthermore the development of a frontier free internal market and the development of the so called 'information society' imply that processing of personal data grows irrespective of national boundaries and that the data concerning the citizens of one Member State are increasingly processed in other Member Sates of the EU.

    In order to remove the obstacles to the free movement of data while guaranteeing the protection of the right to privacy, Directive 95/46/EC aims at harmonising the national provisions in this field. The right to privacy of citizens will therefore have equivalent protection across the Union. The fifteen member States of the EU are required to put their national legislation in line with the provisions of the Directive by 24th October 1998.

  3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

    II.1. Introduction.

    1. On October 24th, 1995, the Council and Parliament of the European Union adopted a Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data ('data protection Directive').

      A key objective of the data protection Directive was to allow the free flow of personal data between Member Sates by harmonising the level of adequate protection granted to individuals. The Directive sets forth the applicable law, conditions for data processing, information to be given to the data subject, the latter's right of access, object, confidentiality and security of processing, obligation of notification and content of such notification, as well as the limitations to the transfer of data to third countries imposed within the harmonised scope.

      A great value has been placed in the individual's consent, as well as his entitlement to full and fair information on the collection and use of personally identifiable data, the right to access and correct such data, and the right to oppose the user or distribution of such data for marketing purposes.

      Beside, the Directive encourages the drawing up of codes of conduct intended to contribute to the proper implementation on the national provisions.

      The Directive also requires that any third country to which data are transferred provides 'adequate' data protection. Such requirement has been the reason for a delay on its entry into force and the undertaken of negotiations with the US leading to current 'safe harbor' proposal.

      The Directive 95/46/EC has been complemented by a Directive 97/66/EC of 15 December 1997 on the protection of personal data in the field of telecommunications

      II.2. General rules on the lawfulness of the processing of personal data.

    2. The Directive 95/46/EC dedicates its Chapter II, mainly in the articles from 5 to 21, to list the limits by means of which the States will establish the general rules on the lawfulness of the processing of personal data.

      In the Section I (article 6) are established the principles relating to data quality. We could see that the data must be processed fairly and lawfully; these data collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible if Member States provide appropriate safeguards; the data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; in addition to, the data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; the data will be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

      In the Section II (article 7), it is enumerated the circumstances under which it is possible to realise a data processing. Personal data may be processed only if the data subject has unambiguously given its consent, or it is necessary for the performance of a contract in which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or it is necessary for compliance with a legal obligation to which the controller is subject, or it is necessary to protect the vital interests of the data subject, or it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection.

      The Section III (articles 8 and 9) is dedicated to special categories of processing; those categories are special as a consequence of kind of data that they use. For that reason is forbidden unambiguously the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

      The explicit consent given by the data subject to the processing of those data, except where the laws of the Member State provide that the prohibition may not be lifted by the data subject's giving his consent, or it is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or it is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other...

Para continuar leyendo

SOLICITA TU PRUEBA