Directorate-General for Health and Food Safety
Data protection in the EU
- Data protection is enshrined in the Treaty on the Functioning of the European Union (Article 16). According to the Treaty, everybody has the right to the protection of personal data concerning them.
- The fundamental right to the protection of personal data is also explicitly recognised in Article 8 of the Charter of Fundamental Rights of the European Union.
Under the heading "Protection of personal data", Article 8 stipulates:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
- Directive 95/46/EC was adopted to harmonise national provisions on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive has been implemented in all EU countries.
On 4 November 2010, the Commission adopted a Communication setting out a comprehensive approach to personal data protection in the European Union. It addresses how best to meet new challenges to the protection of personal data at EU level while continuing to ensure a high level of data protection and the free flow of personal data within the EU.
On 25 January 2012, the Commission proposed a comprehensive revision of the current Data Protection Directive. Among other issues, the proposal aims to address key aspects of the processing of personal health data: ensuring privacy for patients on the one hand, while still enabling the EU to meet the other legitimate objectives in the Treaties, such as a high level of health protection, on the other.
The Data Protection Directive 95/46/EC
In view of the differences between data protection laws across the EU, and the lack of data protection laws in some Member States, there was a need for action at European level: the differences could create potential obstacles to the free flow of information and additional burdens for economic operators and citizens.
The need to remove these potential obstacles to the flow of personal data and to ensure a high level of protection within the EU resulted in the Data Protection Directive 95/46/EC of 24 October 1995 to harmonise national provisions in this field. To date, all EU Member States have implemented this Directive into national law.
The Data Protection Directive applies to "any operation or set of operations which is performed upon personal data", called "processing" of data. Such operations include the collection of personal data, its recording, storage, disclosure, consultation, adaptation, use, etc.
The Directive applies to data processed by automated means (e.g. a computer database) and to data that are part of, or intended to be part of, non-automated filing systems in which they are accessible according to specific criteria.
General rules for data processing
The person or body that determines the purposes and the means of the processing is called the "data controller". A medical practitioner, for example, would usually be the controller of the data processed on his or her patients.
The data subject is an identified or identifiable natural person (e.g. the patient).
Data controllers are required to observe several principles. These principles aim to protect the data subjects and to ensure reliable and efficient data processing.
Each data controller (such as the medical practitioner) must adhere to the data processing rules of the Member State where he or she is established even if the data processed belong to an individual residing in another State.
These rules are:
- Data must be processed fairly and lawfully and must be collected for explicit and legitimate purposes and used accordingly.
- Data must be relevant and not excessive in relation to the purpose for which they are processed.
- Data must be accurate and where necessary, kept up to date.
- Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
- Data that identify individuals must not be kept longer than necessary.
- Member States must provide one or more supervisory authorities to monitor the application of the directive.
- In principle, all data controllers must notify supervisory authorities when they process data.
Particularities of data protection in the area of public health
The Data Protection Directive provides for some specific rules in the area of public health.
Due to their sensitive nature, health data require a high level of protection in the European Union. Against that background, the Directive establishes as a principle that data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his or her explicit consent.
However, the directive recognises that derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy.
The Directive furthermore explicitly authorises Member States to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest, such as public health, so justify. This is the case where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health-care services. Member States may provide for additional exceptions for reasons of substantial public interest.
These specific rules for the area of public health reflect the fact that, as far as public health is concerned, there can be situations where sensitive health data need to be processed in order to allow the public health authorities to take the right measures to protect the citizens. This applies for example in the cases of communicable diseases such as the A(H1N1) pandemic where the exchange of data is necessary for tracing contacts of an infected person in order to prevent the further spread of the disease.