Directive 95/46 - European Union

From The Secure Arc Wiki

Jump to: navigation, search

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The directive requires that E.U. member states (countries) protect the privacy of personal information that is processed using equipment in the member state, whether the processing is done by government agencies, businesses, or other organizations.

“Personal data” includes, but is not limited to, name, address, phone numbers, email addresses, ethnicity, religion, gender, sexual orientation, birthdate, employment, and financial account numbers. The responsibility for compliance with the directive rests with the "controller,” which is the person, group of people, public authority, agency, or other body that determines the purposes and means of processing personal data.

Major publications

Directive 95/46 can be found at the following Part 1, Part 2 links (English). The Directive in other languages can be found here.


Directive 95/46/EC requires organizations to protect the integrity of personal data and take steps to prevent unauthorized access to it. Following are some of the requirements:

  • “Member States …must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. …Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”
  • Sending personal information from a member state to a non-member country is legal only with the consent of those persons whose data is sent. Furthermore, the data may only be sent to countries with similar laws protecting personal information.
  • Individuals have the right to give their consent for the use and storage of personal information, and to revoke consent at any time.
  • Penalties for violating member states’ directive implementations include fines and criminal liability for business owners or executives, data controllers, and employees who report to them.


Personal tools