Chapter 4: Privacy, protection of personal data and security [15]
(1) Personal data protection is a fundamental right, and is also enshrined in the Lisbon Treaty. The Charter of Fundamental Rights of the European Union provides that "Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified". [16]
Every individual has the right to adequate protection of his personal data. [17] Processing of personal data must be necessary, fair, lawful and proportionate. The data that individuals provide directly or indirectly must not be used for purposes other than originally intended. Nor can such data be passed on indiscriminately to entities that the individual has not chosen to be involved with. These rights apply to everyone, irrespective of nationality or place of residence. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and of data concerning health or sex life, is only permitted with the explicit consent of the individual, where allowed by national legislation. [18]
(2) Individuals have the right to receive information from people and companies holding some of their personal data in their files, such as websites, databases, service providers etc. (“data controllers”), and they have the right to correct or erase this data if it is incomplete or inaccurate:
- Data controllers are required to inform consumers when they collect personal data about them;
- Individuals have the right to know the name of the controller, the intended use of the data processing, and to whom the data may be transferred;
- Individuals are entitled to ask the data controller whether he is processing personal data about them;
- Individuals have the right to receive a copy of the data that relates to them in intelligible form;
- Individuals have the right to ask for the deletion, blocking or erasing of the data if it is incomplete, inaccurate or obtained unlawfully. Individuals have the right to object to the processing of personal data.
(3) Individuals have the right not to be subject to a decision which produces legal effects concerning them or that significantly affects them and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to them, such as their performance at work, creditworthiness, reliability, conduct, etc. [19]
(4) These rights also apply online, where individuals have in addition the following rights: [20]
- To be fully informed and give their agreement if a website stores and retrieves information from their terminal equipment or wants to track them when they surf the internet;
- Confidentiality of their online communications, such as emails;
- To be notified if their personal data held by their Internet Service Provider has been compromised, e.g. lost or stolen, and their privacy is likely to be adversely affected;
- Not to be sent unsolicited commercial communications, known as 'spam', unless they have given their agreement.