Who can collect and process personal data?

The people or bodies that collect and manage personal data are called "data controllers". They must respect EU law when handling the data entrusted to them.
Individuals regularly disclose personal information such as their names, photographs, telephone numbers, birth date and address while engaged in a whole range of everyday activities. This personal data may be collected and processed for a wide variety of legitimate purposes such as business transactions, joining clubs, applying for a job, and so on.
Nonetheless, the privacy rights of individuals supplying their personal data must be respected by anyone collecting and processing that data. The Data Protection Directive lays down a series of rights and duties in relation to personal data when it is collected and processed.
Data controllers
The Directive refers to the persons or entities which collect and process personal data as "data controllers". For instance, a medical practitioner is usually the controller of his patients' data; a company is the controller of data on its clients and employees; a sports club is the controller of its members' data and a library of its borrowers' data.
Data controllers determine 'the purposes and the means of the processing of personal data'. This applies to both public and private sectors.
Data controllers must respect the privacy and data protection rights of those whose personal data is entrusted to them. They must:
- collect and process personal data only when this is legally permitted;
- respect certain obligations regarding the processing of personal data;
- respond to complaints regarding breaches of data protection rules;
- collaborate with national data protection supervisory authorities.



