Obligations of data controllers

The Data Protection Directive requires data controllers to observe a number of principles when they process personal data. These principles not only protect the rights of those about whom the data is collected ("data subjects") but also reflect good business practices that contribute to reliable and efficient data processing.

Each data controller must respect the following rules as set out in the Directive:

  • Personal data must be processed legally and fairly;
  • It must be collected for explicit and legitimate purposes and used accordingly;
  • It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
  • It must be accurate, and updated where necessary;
  • Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
  • Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
  • Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
  • These protection measures must ensure a level of protection appropriate to the data.

Responsibilities towards data subjects

If a data subject is of the view that his/her data has been compromised, he/she can send a complaint to the data controller. If the data controller's handling of a complaint is not satisfactory, the data subject can file a complaint with the national supervisory data protection authority.

National supervisory authorities

The Directive states that every EU country must provide one or more independent supervisory authorities to monitor its application.

In principle, all data controllers must notify their supervisory authorities when they process personal data.