Directive 2002/58/EC of the European Parliament and of the Council
of 12 July 2002 concerning the processing of personal data and the protection of
privacy in the electronic communications sector (Directive on privacy and
electronic communications)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in
particular Article 95 thereof,
Having regard to the proposal from the Commission(1),
Having regard to the opinion of the Economic and Social Committee(2),
Having consulted the Committee of the Regions,
Acting in accordance with the procedure laid down in Article 251 of the
Treaty(3),
Whereas:
(1) Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing of
personal data and on the free movement of such data(4) requires Member States to
ensure the rights and freedoms of natural persons with regard to the processing
of personal data, and in particular their right to privacy, in order to ensure
the free flow of personal data in the Community.
(2) This Directive seeks to respect the fundamental rights and observes the
principles recognised in particular by the Charter of fundamental rights of the
European Union. In particular, this Directive seeks to ensure full respect for
the rights set out in Articles 7 and 8 of that Charter.
(3) Confidentiality of communications is guaranteed in accordance with the
international instruments relating to human rights, in particular the European
Convention for the Protection of Human Rights and Fundamental Freedoms, and the
constitutions of the Member States.
(4) Directive 97/66/EC of the European Parliament and of the Council of 15
December 1997 concerning the processing of personal data and the protection of
privacy in the telecommunications sector(5) translated the principles set out in
Directive 95/46/EC into specific rules for the telecommunications sector.
Directive 97/66/EC has to be adapted to developments in the markets and
technologies for electronic communications services in order to provide an equal
level of protection of personal data and privacy for users of publicly available
electronic communications services, regardless of the technologies used. That
Directive should therefore be repealed and replaced by this Directive.
(5) New advanced digital technologies are currently being introduced in public
communications networks in the Community, which give rise to specific
requirements concerning the protection of personal data and privacy of the user.
The development of the information society is characterised by the introduction
of new electronic communications services. Access to digital mobile networks has
become available and affordable for a large public. These digital networks have
large capacities and possibilities for processing personal data. The successful
cross-border development of these services is partly dependent on the confidence
of users that their privacy will not be at risk.
(6) The Internet is overturning traditional market structures by providing a
common, global infrastructure for the delivery of a wide range of electronic
communications services. Publicly available electronic communications services
over the Internet open new possibilities for users but also new risks for their
personal data and privacy.
(7) In the case of public communications networks, specific legal, regulatory
and technical provisions should be made in order to protect fundamental rights
and freedoms of natural persons and legitimate interests of legal persons, in
particular with regard to the increasing capacity for automated storage and
processing of data relating to subscribers and users.
(8) Legal, regulatory and technical provisions adopted by the Member States
concerning the protection of personal data, privacy and the legitimate interest
of legal persons, in the electronic communication sector, should be harmonised
in order to avoid obstacles to the internal market for electronic communication
in accordance with Article 14 of the Treaty. Harmonisation should be limited to
requirements necessary to guarantee that the promotion and development of new
electronic communications services and networks between Member States are not
hindered.
(9) The Member States, providers and users concerned, together with the
competent Community bodies, should cooperate in introducing and developing the
relevant technologies where this is necessary to apply the guarantees provided
for by this Directive and taking particular account of the objectives of
minimising the processing of personal data and of using anonymous or
pseudonymous data where possible.
(10) In the electronic communications sector, Directive 95/46/EC applies in
particular to all matters concerning protection of fundamental rights and
freedoms, which are not specifically covered by the provisions of this
Directive, including the obligations on the controller and the rights of
individuals. Directive 95/46/EC applies to non-public communications services.
(11) Like Directive 95/46/EC, this Directive does not address issues of
protection of fundamental rights and freedoms related to activities which are
not governed by Community law. Therefore it does not alter the existing balance
between the individual's right to privacy and the possibility for Member States
to take the measures referred to in Article 15(1) of this Directive, necessary
for the protection of public security, defence, State security (including the
economic well-being of the State when the activities relate to State security
matters) and the enforcement of criminal law. Consequently, this Directive does
not affect the ability of Member States to carry out lawful interception of
electronic communications, or take other measures, if necessary for any of these
purposes and in accordance with the European Convention for the Protection of
Human Rights and Fundamental Freedoms, as interpreted by the rulings of the
European Court of Human Rights. Such measures must be appropriate, strictly
proportionate to the intended purpose and necessary within a democratic society
and should be subject to adequate safeguards in accordance with the European
Convention for the Protection of Human Rights and Fundamental Freedoms.
(12) Subscribers to a publicly available electronic communications service may
be natural or legal persons. By supplementing Directive 95/46/EC, this Directive
is aimed at protecting the fundamental rights of natural persons and
particularly their right to privacy, as well as the legitimate interests of
legal persons. This Directive does not entail an obligation for Member States to
extend the application of Directive 95/46/EC to the protection of the legitimate
interests of legal persons, which is ensured within the framework of the
applicable Community and national legislation.
(13) The contractual relation between a subscriber and a service provider may
entail a periodic or a one-off payment for the service provided or to be
provided. Prepaid cards are also considered as a contract.
(14) Location data may refer to the latitude, longitude and altitude of the
user's terminal equipment, to the direction of travel, to the level of accuracy
of the location information, to the identification of the network cell in which
the terminal equipment is located at a certain point in time and to the time the
location information was recorded.
(15) A communication may include any naming, numbering or addressing information
provided by the sender of a communication or the user of a connection to carry
out the communication. Traffic data may include any translation of this
information by the network over which the communication is transmitted for the
purpose of carrying out the transmission. Traffic data may, inter alia, consist
of data referring to the routing, duration, time or volume of a communication,
to the protocol used, to the location of the terminal equipment of the sender or
recipient, to the network on which the communication originates or terminates,
to the beginning, end or duration of a connection. They may also consist of the
format in which the communication is conveyed by the network.
(16) Information that is part of a broadcasting service provided over a public
communications network is intended for a potentially unlimited audience and does
not constitute a communication in the sense of this Directive. However, in cases
where the individual subscriber or user receiving such information can be
identified, for example with video-on-demand services, the information conveyed
is covered within the meaning of a communication for the purposes of this
Directive.
(17) For the purposes of this Directive, consent of a user or subscriber,
regardless of whether the latter is a natural or a legal person, should have the
same meaning as the data subject's consent as defined and further specified in
Directive 95/46/EC. Consent may be given by any appropriate method enabling a
freely given specific and informed indication of the user's wishes, including by
ticking a box when visiting an Internet website.
(18) Value added services may, for example, consist of advice on least expensive
tariff packages, route guidance, traffic information, weather forecasts and
tourist information.
(19) The application of certain requirements relating to presentation and
restriction of calling and connected line identification and to automatic call
forwarding to subscriber lines connected to analogue exchanges should not be
made mandatory in specific cases where such application would prove to be
technically impossible or would require a disproportionate economic effort. It
is important for interested parties to be informed of such cases and the Member
States should therefore notify them to the Commission.
(20) Service providers should take appropriate measures to safeguard the
security of their services, if necessary in conjunction with the provider of the
network, and inform subscribers of any special risks of a breach of the security
of the network. Such risks may especially occur for electronic communications
services over an open network such as the Internet or analogue mobile telephony.
It is particularly important for subscribers and users of such services to be
fully informed by their service provider of the existing security risks which
lie outside the scope of possible remedies by the service provider. Service
providers who offer publicly available electronic communications services over
the Internet should inform users and subscribers of measures they can take to
protect the security of their communications for instance by using specific
types of software or encryption technologies. The requirement to inform
subscribers of particular security risks does not discharge a service provider
from the obligation to take, at its own costs, appropriate and immediate
measures to remedy any new, unforeseen security risks and restore the normal
security level of the service. The provision of information about security risks
to the subscriber should be free of charge except for any nominal costs which
the subscriber may incur while receiving or collecting the information, for
instance by downloading an electronic mail message. Security is appraised in the
light of Article 17 of Directive 95/46/EC.
(21) Measures should be taken to prevent unauthorised access to communications
in order to protect the confidentiality of communications, including both the
contents and any data related to such communications, by means of public
communications networks and publicly available electronic communications
services. National legislation in some Member States only prohibits intentional
unauthorised access to communications.
(22) The prohibition of storage of communications and the related traffic data
by persons other than the users or without their consent is not intended to
prohibit any automatic, intermediate and transient storage of this information
in so far as this takes place for the sole purpose of carrying out the
transmission in the electronic communications network and provided that the
information is not stored for any period longer than is necessary for the
transmission and for traffic management purposes, and that during the period of
storage the confidentiality remains guaranteed. Where this is necessary for
making more efficient the onward transmission of any publicly accessible
information to other recipients of the service upon their request, this
Directive should not prevent such information from being further stored,
provided that this information would in any case be accessible to the public
without restriction and that any data referring to the individual subscribers or
users requesting such information are erased.
(23) Confidentiality of communications should also be ensured in the course of
lawful business practice. Where necessary and legally authorised, communications
can be recorded for the purpose of providing evidence of a commercial
transaction. Directive 95/46/EC applies to such processing. Parties to the
communications should be informed prior to the recording about the recording,
its purpose and the duration of its storage. The recorded communication should
be erased as soon as possible and in any case at the latest by the end of the
period during which the transaction can be lawfully challenged.
(24) Terminal equipment of users of electronic communications networks and any
information stored on such equipment are part of the private sphere of the users
requiring protection under the European Convention for the Protection of Human
Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers
and other similar devices can enter the user's terminal without their knowledge
in order to gain access to information, to store hidden information or to trace
the activities of the user and may seriously intrude upon the privacy of these
users. The use of such devices should be allowed only for legitimate purposes,
with the knowledge of the users concerned.
(25) However, such devices, for instance so-called "cookies", can be a
legitimate and useful tool, for example, in analysing the effectiveness of
website design and advertising, and in verifying the identity of users engaged
in on-line transactions. Where such devices, for instance cookies, are intended
for a legitimate purpose, such as to facilitate the provision of information
society services, their use should be allowed on condition that users are
provided with clear and precise information in accordance with Directive
95/46/EC about the purposes of cookies or similar devices so as to ensure that
users are made aware of information being placed on the terminal equipment they
are using. Users should have the opportunity to refuse to have a cookie or
similar device stored on their terminal equipment. This is particularly
important where users other than the original user have access to the terminal
equipment and thereby to any data containing privacy-sensitive information
stored on such equipment. Information and the right to refuse may be offered
once for the use of various devices to be installed on the user's terminal
equipment during the same connection and also covering any further use that may
be made of those devices during subsequent connections. The methods for giving
information, offering a right to refuse or requesting consent should be made as
user-friendly as possible. Access to specific website content may still be made
conditional on the well-informed acceptance of a cookie or similar device, if it
is used for a legitimate purpose.
(26) The data relating to subscribers processed within electronic communications
networks to establish connections and to transmit information contain
information on the private life of natural persons and concern the right to
respect for their correspondence or concern the legitimate interests of legal
persons. Such data may only be stored to the extent that is necessary for the
provision of the service for the purpose of billing and for interconnection
payments, and for a limited time. Any further processing of such data which the
provider of the publicly available electronic communications services may want
to perform, for the marketing of electronic communications services or for the
provision of value added services, may only be allowed if the subscriber has
agreed to this on the basis of accurate and full information given by the
provider of the publicly available electronic communications services about the
types of further processing it intends to perform and about the subscriber's
right not to give or to withdraw his/her consent to such processing. Traffic
data used for marketing communications services or for the provision of value
added services should also be erased or made anonymous after the provision of
the service. Service providers should always keep subscribers informed of the
types of data they are processing and the purposes and duration for which this
is done.
(27) The exact moment of the completion of the transmission of a communication,
after which traffic data should be erased except for billing purposes, may
depend on the type of electronic communications service that is provided. For
instance for a voice telephony call the transmission will be completed as soon
as either of the users terminates the connection. For electronic mail the
transmission is completed as soon as the addressee collects the message,
typically from the server of his service provider.
(28) The obligation to erase traffic data or to make such data anonymous when it
is no longer needed for the purpose of the transmission of a communication does
not conflict with such procedures on the Internet as the caching in the domain
name system of IP addresses or the caching of IP addresses to physical address
bindings or the use of log-in information to control the right of access to
networks or services.
(29) The service provider may process traffic data relating to subscribers and
users where necessary in individual cases in order to detect technical failure
or errors in the transmission of communications. Traffic data necessary for
billing purposes may also be processed by the provider in order to detect and
stop fraud consisting of unpaid use of the electronic communications service.
(30) Systems for the provision of electronic communications networks and
services should be designed to limit the amount of personal data necessary to a
strict minimum. Any activities related to the provision of the electronic
communications service that go beyond the transmission of a communication and
the billing thereof should be based on aggregated, traffic data that cannot be
related to subscribers or users. Where such activities cannot be based on
aggregated data, they should be considered as value added services for which the
consent of the subscriber is required.
(31) Whether the consent to be obtained for the processing of personal data with
a view to providing a particular value added service should be that of the user
or of the subscriber, will depend on the data to be processed and on the type of
service to be provided and on whether it is technically, procedurally and
contractually possible to distinguish the individual using an electronic
communications service from the legal or natural person having subscribed to it.
(32) Where the provider of an electronic communications service or of a value
added service subcontracts the processing of personal data necessary for the
provision of these services to another entity, such subcontracting and
subsequent data processing should be in full compliance with the requirements
regarding controllers and processors of personal data as set out in Directive
95/46/EC. Where the provision of a value added service requires that traffic or
location data are forwarded from an electronic communications service provider
to a provider of value added services, the subscribers or users to whom the data
are related should also be fully informed of this forwarding before giving their
consent for the processing of the data.
(33) The introduction of itemised bills has improved the possibilities for the
subscriber to check the accuracy of the fees charged by the service provider
but, at the same time, it may jeopardise the privacy of the users of publicly
available electronic communications services. Therefore, in order to preserve
the privacy of the user, Member States should encourage the development of
electronic communication service options such as alternative payment facilities
which allow anonymous or strictly private access to publicly available
electronic communications services, for example calling cards and facilities for
payment by credit card. To the same end, Member States may ask the operators to
offer their subscribers a different type of detailed bill in which a certain
number of digits of the called number have been deleted.
(34) It is necessary, as regards calling line identification, to protect the
right of the calling party to withhold the presentation of the identification of
the line from which the call is being made and the right of the called party to
reject calls from unidentified lines. There is justification for overriding the
elimination of calling line identification presentation in specific cases.
Certain subscribers, in particular help lines and similar organisations, have an
interest in guaranteeing the anonymity of their callers. It is necessary, as
regards connected line identification, to protect the right and the legitimate
interest of the called party to withhold the presentation of the identification
of the line to which the calling party is actually connected, in particular in
the case of forwarded calls. The providers of publicly available electronic
communications services should inform their subscribers of the existence of
calling and connected line identification in the network and of all services
which are offered on the basis of calling and connected line identification as
well as the privacy options which are available. This will allow the subscribers
to make an informed choice about the privacy facilities they may want to use.
The privacy options which are offered on a per-line basis do not necessarily
have to be available as an automatic network service but may be obtainable
through a simple request to the provider of the publicly available electronic
communications service.
(35) In digital mobile networks, location data giving the geographic position of
the terminal equipment of the mobile user are processed to enable the
transmission of communications. Such data are traffic data covered by Article 6
of this Directive. However, in addition, digital mobile networks may have the
capacity to process location data which are more precise than is necessary for
the transmission of communications and which are used for the provision of value
added services such as services providing individualised traffic information and
guidance to drivers. The processing of such data for value added services should
only be allowed where subscribers have given their consent. Even in cases where
subscribers have given their consent, they should have a simple means to
temporarily deny the processing of location data, free of charge.
(36) Member States may restrict the users' and subscribers' rights to privacy
with regard to calling line identification where this is necessary to trace
nuisance calls and with regard to calling line identification and location data
where this is necessary to allow emergency services to carry out their tasks as
effectively as possible. For these purposes, Member States may adopt specific
provisions to entitle providers of electronic communications services to provide
access to calling line identification and location data without the prior
consent of the users or subscribers concerned.
(37) Safeguards should be provided for subscribers against the nuisance which
may be caused by automatic call forwarding by others. Moreover, in such cases,
it must be possible for subscribers to stop the forwarded calls being passed on
to their terminals by simple request to the provider of the publicly available
electronic communications service.
(38) Directories of subscribers to electronic communications services are widely
distributed and public. The right to privacy of natural persons and the
legitimate interest of legal persons require that subscribers are able to
determine whether their personal data are published in a directory and if so,
which. Providers of public directories should inform the subscribers to be
included in such directories of the purposes of the directory and of any
particular usage which may be made of electronic versions of public directories
especially through search functions embedded in the software, such as reverse
search functions enabling users of the directory to discover the name and
address of the subscriber on the basis of a telephone number only.
(39) The obligation to inform subscribers of the purpose(s) of public
directories in which their personal data are to be included should be imposed on
the party collecting the data for such inclusion. Where the data may be
transmitted to one or more third parties, the subscriber should be informed of
this possibility and of the recipient or the categories of possible recipients.
Any transmission should be subject to the condition that the data may not be
used for other purposes than those for which they were collected. If the party
collecting the data from the subscriber or any third party to whom the data have
been transmitted wishes to use the data for an additional purpose, the renewed
consent of the subscriber is to be obtained either by the initial party
collecting the data or by the third party to whom the data have been
transmitted.
(40) Safeguards should be provided for subscribers against intrusion of their
privacy by unsolicited communications for direct marketing purposes in
particular by means of automated calling machines, telefaxes, and e-mails,
including SMS messages. These forms of unsolicited commercial communications may
on the one hand be relatively easy and cheap to send and on the other may impose
a burden and/or cost on the recipient. Moreover, in some cases their volume may
also cause difficulties for electronic communications networks and terminal
equipment. For such forms of unsolicited communications for direct marketing, it
is justified to require that prior explicit consent of the recipients is
obtained before such communications are addressed to them. The single market
requires a harmonised approach to ensure simple, Community-wide rules for
businesses and users.
(41) Within the context of an existing customer relationship, it is reasonable
to allow the use of electronic contact details for the offering of similar
products or services, but only by the same company that has obtained the
electronic contact details in accordance with Directive 95/46/EC. When
electronic contact details are obtained, the customer should be informed about
their further use for direct marketing in a clear and distinct manner, and be
given the opportunity to refuse such usage. This opportunity should continue to
be offered with each subsequent direct marketing message, free of charge, except
for any costs for the transmission of this refusal.
(42) Other forms of direct marketing that are more costly for the sender and
impose no financial costs on subscribers and users, such as person-to-person
voice telephony calls, may justify the maintenance of a system giving
subscribers or users the possibility to indicate that they do not want to
receive such calls. Nevertheless, in order not to decrease existing levels of
privacy protection, Member States should be entitled to uphold national systems,
only allowing such calls to subscribers and users who have given their prior
consent.
(43) To facilitate effective enforcement of Community rules on unsolicited
messages for direct marketing, it is necessary to prohibit the use of false
identities or false return addresses or numbers while sending unsolicited
messages for direct marketing purposes.
(44) Certain electronic mail systems allow subscribers to view the sender and
subject line of an electronic mail, and also to delete the message, without
having to download the rest of the electronic mail's content or any attachments,
thereby reducing costs which could arise from downloading unsolicited electronic
mails or attachments. These arrangements may continue to be useful in certain
cases as an additional tool to the general obligations established in this
Directive.
(45) This Directive is without prejudice to the arrangements which Member States
make to protect the legitimate interests of legal persons with regard to
unsolicited communications for direct marketing purposes. Where Member States
establish an opt-out register for such communications to legal persons, mostly
business users, the provisions of Article 7 of Directive 2000/31/EC of the
European Parliament and of the Council of 8 June 2000 on certain legal aspects
of information society services, in particular electronic commerce, in the
internal market (Directive on electronic commerce)(6) are fully applicable.
(46) The functionalities for the provision of electronic communications services
may be integrated in the network or in any part of the terminal equipment of the
user, including the software. The protection of the personal data and the
privacy of the user of publicly available electronic communications services
should be independent of the configuration of the various components necessary
to provide the service and of the distribution of the necessary functionalities
between these components. Directive 95/46/EC covers any form of processing of
personal data regardless of the technology used. The existence of specific rules
for electronic communications services alongside general rules for other
components necessary for the provision of such services may not facilitate the
protection of personal data and privacy in a technologically neutral way. It may
therefore be necessary to adopt measures requiring manufacturers of certain
types of equipment used for electronic communications services to construct
their product in such a way as to incorporate safeguards to ensure that the
personal data and privacy of the user and subscriber are protected. The adoption
of such measures in accordance with Directive 1999/5/EC of the European
Parliament and of the Council of 9 March 1999 on radio equipment and
telecommunications terminal equipment and the mutual recognition of their
conformity(7) will ensure that the introduction of technical features of
electronic communication equipment including software for data protection
purposes is harmonised in order to be compatible with the implementation of the
internal market.
(47) Where the rights of the users and subscribers are not respected, national
legislation should provide for judicial remedies. Penalties should be imposed on
any person, whether governed by private or public law, who fails to comply with
the national measures taken under this Directive.
(48) It is useful, in the field of application of this Directive, to draw on the
experience of the Working Party on the Protection of Individuals with regard to
the Processing of Personal Data composed of representatives of the supervisory
authorities of the Member States, set up by Article 29 of Directive 95/46/EC.
(49) To facilitate compliance with the provisions of this Directive, certain
specific arrangements are needed for processing of data already under way on the
date that national implementing legislation pursuant to this Directive enters
into force,
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Scope and aim
1. This Directive harmonises the provisions of the Member States required to
ensure an equivalent level of protection of fundamental rights and freedoms, and
in particular the right to privacy, with respect to the processing of personal
data in the electronic communication sector and to ensure the free movement of
such data and of electronic communication equipment and services in the
Community.
2. The provisions of this Directive particularise and complement Directive
95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for
protection of the legitimate interests of subscribers who are legal persons.
3. This Directive shall not apply to activities which fall outside the scope of
the Treaty establishing the European Community, such as those covered by Titles
V and VI of the Treaty on European Union, and in any case to activities
concerning public security, defence, State security (including the economic
well-being of the State when the activities relate to State security matters)
and the activities of the State in areas of criminal law.
Article 2
Definitions
Save as otherwise provided, the definitions in Directive 95/46/EC and in
Directive 2002/21/EC of the European Parliament and of the Council of 7 March
2002 on a common regulatory framework for electronic communications networks and
services (Framework Directive)(8) shall apply.
The following definitions shall also apply:
(a) "user" means any natural person using a publicly available
electronic communications service, for private or business purposes, without
necessarily having subscribed to this service;
(b) "traffic data" means any data processed for the purpose of the
conveyance of a communication on an electronic communications network or for the
billing thereof;
(c) "location data" means any data processed in an electronic
communications network, indicating the geographic position of the terminal
equipment of a user of a publicly available electronic communications service;
(d) "communication" means any information exchanged or conveyed
between a finite number of parties by means of a publicly available electronic
communications service. This does not include any information conveyed as part
of a broadcasting service to the public over an electronic communications
network except to the extent that the information can be related to the
identifiable subscriber or user receiving the information;
(e) "call" means a connection established by means of a publicly
available telephone service allowing two-way communication in real time;
(f) "consent" by a user or subscriber corresponds to the data
subject's consent in Directive 95/46/EC;
(g) "value added service" means any service which requires the
processing of traffic data or location data other than traffic data beyond what
is necessary for the transmission of a communication or the billing thereof;
(h) "electronic mail" means any text, voice, sound or image message
sent over a public communications network which can be stored in the network or
in the recipient's terminal equipment until it is collected by the recipient.
Article 3
Services concerned
1. This Directive shall apply to the processing of personal data in connection
with the provision of publicly available electronic communications services in
public communications networks in the Community.
2. Articles 8, 10 and 11 shall apply to subscriber lines connected to digital
exchanges and, where technically possible and if it does not require a
disproportionate economic effort, to subscriber lines connected to analogue
exchanges.
3. Cases where it would be technically impossible or require a disproportionate
economic effort to fulfil the requirements of Articles 8, 10 and 11 shall be
notified to the Commission by the Member States.
Article 4
Security
1. The provider of a publicly available electronic communications service must
take appropriate technical and organisational measures to safeguard security of
its services, if necessary in conjunction with the provider of the public
communications network with respect to network security. Having regard to the
state of the art and the cost of their implementation, these measures shall
ensure a level of security appropriate to the risk presented.
2. In case of a particular risk of a breach of the security of the network, the
provider of a publicly available electronic communications service must inform
the subscribers concerning such risk and, where the risk lies outside the scope
of the measures to be taken by the service provider, of any possible remedies,
including an indication of the likely costs involved.
Article 5
Confidentiality of the communications
1. Member States shall ensure the confidentiality of communications and the
related traffic data by means of a public communications network and publicly
available electronic communications services, through national legislation. In
particular, they shall prohibit listening, tapping, storage or other kinds of
interception or surveillance of communications and the related traffic data by
persons other than users, without the consent of the users concerned, except
when legally authorised to do so in accordance with Article 15(1). This
paragraph shall not prevent technical storage which is necessary for the
conveyance of a communication without prejudice to the principle of
confidentiality.
2. Paragraph 1 shall not affect any legally authorised recording of
communications and the related traffic data when carried out in the course of
lawful business practice for the purpose of providing evidence of a commercial
transaction or of any other business communication.
3. Member States shall ensure that the use of electronic communications networks
to store information or to gain access to information stored in the terminal
equipment of a subscriber or user is only allowed on condition that the
subscriber or user concerned is provided with clear and comprehensive
information in accordance with Directive 95/46/EC, inter alia about the purposes
of the processing, and is offered the right to refuse such processing by the
data controller. This shall not prevent any technical storage or access for the
sole purpose of carrying out or facilitating the transmission of a communication
over an electronic communications network, or as strictly necessary in order to
provide an information society service explicitly requested by the subscriber or
user.
Article 6
Traffic data
1. Traffic data relating to subscribers and users processed and stored by the
provider of a public communications network or publicly available electronic
communications service must be erased or made anonymous when it is no longer
needed for the purpose of the transmission of a communication without prejudice
to paragraphs 2, 3 and 5 of this Article and Article 15(1).
2. Traffic data necessary for the purposes of subscriber billing and
interconnection payments may be processed. Such processing is permissible only
up to the end of the period during which the bill may lawfully be challenged or
payment pursued.
3. For the purpose of marketing electronic communications services or for the
provision of value added services, the provider of a publicly available
electronic communications service may process the data referred to in paragraph
1 to the extent and for the duration necessary for such services or marketing,
if the subscriber or user to whom the data relate has given his/her consent.
Users or subscribers shall be given the possibility to withdraw their consent
for the processing of traffic data at any time.
4. The service provider must inform the subscriber or user of the types of
traffic data which are processed and of the duration of such processing for the
purposes mentioned in paragraph 2 and, prior to obtaining consent, for the
purposes mentioned in paragraph 3.
5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must
be restricted to persons acting under the authority of providers of the public
communications networks and publicly available electronic communications
services handling billing or traffic management, customer enquiries, fraud
detection, marketing electronic communications services or providing a value
added service, and must be restricted to what is necessary for the purposes of
such activities.
6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for
competent bodies to be informed of traffic data in conformity with applicable
legislation with a view to settling disputes, in particular interconnection or
billing disputes.
Article 7
Itemised billing
1. Subscribers shall have the right to receive non-itemised bills.
2. Member States shall apply national provisions in order to reconcile the
rights of subscribers receiving itemised bills with the right to privacy of
calling users and called subscribers, for example by ensuring that sufficient
alternative privacy enhancing methods of communications or payments are
available to such users and subscribers.
Article 8
Presentation and restriction of calling and connected line identification
1. Where presentation of calling line identification is offered, the service
provider must offer the calling user the possibility, using a simple means and
free of charge, of preventing the presentation of the calling line
identification on a per-call basis. The calling subscriber must have this
possibility on a per-line basis.
2. Where presentation of calling line identification is offered, the service
provider must offer the called subscriber the possibility, using a simple means
and free of charge for reasonable use of this function, of preventing the
presentation of the calling line identification of incoming calls.
3. Where presentation of calling line identification is offered and where the
calling line identification is presented prior to the call being established,
the service provider must offer the called subscriber the possibility, using a
simple means, of rejecting incoming calls where the presentation of the calling
line identification has been prevented by the calling user or subscriber.
4. Where presentation of connected line identification is offered, the service
provider must offer the called subscriber the possibility, using a simple means
and free of charge, of preventing the presentation of the connected line
identification to the calling user.
5. Paragraph 1 shall also apply with regard to calls to third countries
originating in the Community. Paragraphs 2, 3 and 4 shall also apply to incoming
calls originating in third countries.
6. Member States shall ensure that where presentation of calling and/or
connected line identification is offered, the providers of publicly available
electronic communications services inform the public thereof and of the
possibilities set out in paragraphs 1, 2, 3 and 4.
Article 9
Location data other than traffic data
1. Where location data other than traffic data, relating to users or subscribers
of public communications networks or publicly available electronic
communications services, can be processed, such data may only be processed when
they are made anonymous, or with the consent of the users or subscribers to the
extent and for the duration necessary for the provision of a value added
service. The service provider must inform the users or subscribers, prior to
obtaining their consent, of the type of location data other than traffic data
which will be processed, of the purposes and duration of the processing and
whether the data will be transmitted to a third party for the purpose of
providing the value added service. Users or subscribers shall be given the
possibility to withdraw their consent for the processing of location data other
than traffic data at any time.
2. Where consent of the users or subscribers has been obtained for the
processing of location data other than traffic data, the user or subscriber must
continue to have the possibility, using a simple means and free of charge, of
temporarily refusing the processing of such data for each connection to the
network or for each transmission of a communication.
3. Processing of location data other than traffic data in accordance with
paragraphs 1 and 2 must be restricted to persons acting under the authority of
the provider of the public communications network or publicly available
communications service or of the third party providing the value added service,
and must be restricted to what is necessary for the purposes of providing the
value added service.
Article 10
Exceptions
Member States shall ensure that there are transparent procedures governing the
way in which a provider of a public communications network and/or a publicly
available electronic communications service may override:
(a) the elimination of the presentation of calling line identification, on a
temporary basis, upon application of a subscriber requesting the tracing of
malicious or nuisance calls. In this case, in accordance with national law, the
data containing the identification of the calling subscriber will be stored and
be made available by the provider of a public communications network and/or
publicly available electronic communications service;
(b) the elimination of the presentation of calling line identification and the
temporary denial or absence of consent of a subscriber or user for the
processing of location data, on a per-line basis for organisations dealing with
emergency calls and recognised as such by a Member State, including law
enforcement agencies, ambulance services and fire brigades, for the purpose of
responding to such calls.
Article 11
Automatic call forwarding
Member States shall ensure that any subscriber has the possibility, using a
simple means and free of charge, of stopping automatic call forwarding by a
third party to the subscriber's terminal.
Article 12
Directories of subscribers
1. Member States shall ensure that subscribers are informed, free of charge and
before they are included in the directory, about the purpose(s) of a printed or
electronic directory of subscribers available to the public or obtainable
through directory enquiry services, in which their personal data can be included
and of any further usage possibilities based on search functions embedded in
electronic versions of the directory.
2. Member States shall ensure that subscribers are given the opportunity to
determine whether their personal data are included in a public directory, and if
so, which, to the extent that such data are relevant for the purpose of the
directory as determined by the provider of the directory, and to verify, correct
or withdraw such data. Not being included in a public subscriber directory,
verifying, correcting or withdrawing personal data from it shall be free of
charge.
3. Member States may require that for any purpose of a public directory other
than the search of contact details of persons on the basis of their name and,
where necessary, a minimum of other identifiers, additional consent be asked of
the subscribers.
4. Paragraphs 1 and 2 shall apply to subscribers who are natural persons. Member
States shall also ensure, in the framework of Community law and applicable
national legislation, that the legitimate interests of subscribers other than
natural persons with regard to their entry in public directories are
sufficiently protected.
Article 13
Unsolicited communications
1. The use of automated calling systems without human intervention (automatic
calling machines), facsimile machines (fax) or electronic mail for the purposes
of direct marketing may only be allowed in respect of subscribers who have given
their prior consent.
2. Notwithstanding paragraph 1, where a natural or legal person obtains from its
customers their electronic contact details for electronic mail, in the context
of the sale of a product or a service, in accordance with Directive 95/46/EC,
the same natural or legal person may use these electronic contact details for
direct marketing of its own similar products or services provided that customers
clearly and distinctly are given the opportunity to object, free of charge and
in an easy manner, to such use of electronic contact details when they are
collected and on the occasion of each message in case the customer has not
initially refused such use.
3. Member States shall take appropriate measures to ensure that, free of charge,
unsolicited communications for purposes of direct marketing, in cases other than
those referred to in paragraphs 1 and 2, are not allowed either without the
consent of the subscribers concerned or in respect of subscribers who do not
wish to receive these communications, the choice between these options to be
determined by national legislation.
4. In any event, the practice of sending electronic mail for purposes of direct
marketing disguising or concealing the identity of the sender on whose behalf
the communication is made, or without a valid address to which the recipient may
send a request that such communications cease, shall be prohibited.
5. Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member
States shall also ensure, in the framework of Community law and applicable
national legislation, that the legitimate interests of subscribers other than
natural persons with regard to unsolicited communications are sufficiently
protected.
Article 14
Technical features and standardisation
1. In implementing the provisions of this Directive, Member States shall ensure,
subject to paragraphs 2 and 3, that no mandatory requirements for specific
technical features are imposed on terminal or other electronic communication
equipment which could impede the placing of equipment on the market and the free
circulation of such equipment in and between Member States.
2. Where provisions of this Directive can be implemented only by requiring
specific technical features in electronic communications networks, Member States
shall inform the Commission in accordance with the procedure provided for by
Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998
laying down a procedure for the provision of information in the field of
technical standards and regulations and of rules on information society
services(9).
3. Where required, measures may be adopted to ensure that terminal equipment is
constructed in a way that is compatible with the right of users to protect and
control the use of their personal data, in accordance with Directive 1999/5/EC
and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the
field of information technology and communications(10).
Article 15
Application of certain provisions of Directive 95/46/EC
1. Member States may adopt legislative measures to restrict the scope of the
rights and obligations provided for in Article 5, Article 6, Article 8(1), (2),
(3) and (4), and Article 9 of this Directive when such restriction constitutes a
necessary, appropriate and proportionate measure within a democratic society to
safeguard national security (i.e. State security), defence, public security, and
the prevention, investigation, detection and prosecution of criminal offences or
of unauthorised use of the electronic communication system, as referred to in
Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia,
adopt legislative measures providing for the retention of data for a limited
period justified on the grounds laid down in this paragraph. All the measures
referred to in this paragraph shall be in accordance with the general principles
of Community law, including those referred to in Article 6(1) and (2) of the
Treaty on European Union.
2. The provisions of Chapter III on judicial remedies, liability and sanctions
of Directive 95/46/EC shall apply with regard to national provisions adopted
pursuant to this Directive and with regard to the individual rights derived from
this Directive.
3. The Working Party on the Protection of Individuals with regard to the
Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall
also carry out the tasks laid down in Article 30 of that Directive with regard
to matters covered by this Directive, namely the protection of fundamental
rights and freedoms and of legitimate interests in the electronic communications
sector.
Article 16
Transitional arrangements
1. Article 12 shall not apply to editions of directories already produced or
placed on the market in printed or off-line electronic form before the national
provisions adopted pursuant to this Directive enter into force.
2. Where the personal data of subscribers to fixed or mobile public voice
telephony services have been included in a public subscriber directory in
conformity with the provisions of Directive 95/46/EC and of Article 11 of
Directive 97/66/EC before the national provisions adopted in pursuance of this
Directive enter into force, the personal data of such subscribers may remain
included in this public directory in its printed or electronic versions,
including versions with reverse search functions, unless subscribers indicate
otherwise, after having received complete information about purposes and options
in accordance with Article 12 of this Directive.
Article 17
Transposition
1. Before 31 October 2003 Member States shall bring into force the provisions
necessary to comply with this Directive. They shall forthwith inform the
Commission thereof.
When Member States adopt those provisions, they shall contain a reference to
this Directive or be accompanied by such a reference on the occasion of their
official publication. The methods of making such reference shall be laid down by
the Member States.
2. Member States shall communicate to the Commission the text of the provisions
of national law which they adopt in the field governed by this Directive and of
any subsequent amendments to those provisions.
Article 18
Review
The Commission shall submit to the European Parliament and the Council, not
later than three years after the date referred to in Article 17(1), a report on
the application of this Directive and its impact on economic operators and
consumers, in particular as regards the provisions on unsolicited
communications, taking into account the international environment. For this
purpose, the Commission may request information from the Member States, which
shall be supplied without undue delay. Where appropriate, the Commission shall
submit proposals to amend this Directive, taking account of the results of that
report, any changes in the sector and any other proposal it may deem necessary
in order to improve the effectiveness of this Directive.
Article 19
Repeal
Directive 97/66/EC is hereby repealed with effect from the date referred to in
Article 17(1).
References made to the repealed Directive shall be construed as being made to
this Directive.
Article 20
Entry into force
This Directive shall enter into force on the day of its publication in the
Official Journal of the European Communities.
Article 21
Addressees
This Directive is addressed to the Member States.
Done at Brussels, 12 July 2002.
For the European Parliament
The President
P. Cox
For the Council
The President
T. Pedersen
(1) OJ C 365 E, 19.12.2000, p. 223.
(2) OJ C 123, 25.4.2001, p. 53.
(3) Opinion of the European Parliament of 13 November 2001 (not yet published in
the Official Journal), Council Common Position of 28 January 2002 (OJ C 113 E,
14.5.2002, p. 39) and Decision of the European Parliament of 30 May 2002 (not
yet published in the Official Journal). Council Decision of 25 June 2002.
(4) OJ L 281, 23.11.1995, p. 31.
(5) OJ L 24, 30.1.1998, p. 1.
(6) OJ L 178, 17.7.2000, p. 1.
(7) OJ L 91, 7.4.1999, p. 10.
(8) OJ L 108, 24.4.2002, p. 33.
(9) OJ L 204, 21.7.1998, p. 37. Directive as amended by Directive 98/48/EC (OJ L
217, 5.8.1998, p. 18).
(10) OJ L 36, 7.2.1987, p. 31. Decision as last amended by the 1994 Act of
Accession.