Information Technology Reference
In-Depth Information
4. Personal data shall be accurate and, where
necessary, kept up to data: The user of in-
formation must take all reasonable steps to
make the data accurate and updated. What
are reasonable steps depends on the circum-
stances of every case.
5. Personal data processed for any purpose or
purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
6. Personal data shall be processed in ac-
cordance with the rights of data subjects.
According to article 7 the EU Directive sets
up the appointment of a Controller who is
to ensure that the data quality principles are
complied with. The Controller will only al-
low the processing of personal data if
A. The subject consented unambiguously;
B. Processing is necessary for the perfor-
mance of a contract to which the data
subject is a party;
C. Processing is necessary for compliance
with a legal obligation to which the
Controller is subjected;
D. Processing is necessary in order to
protect the vital interest of the data
subject;
E. Processing is necessary for the perfor-
mance of a task carried out in the public
interest or in the exercise of official
duty; and
F. Processing is necessary for the purpose
of the legitimate interests pursued by
the controller or by the third party.
7. Appropriate technical and organizational
measures shall be taken against unauthorized
or unlawful processing of personal data and
against accidental loss or destruction of, or
damage to, personal data (article 17), and
8. Personal data shall not be transferred to a
country or territory outside the European
Union unless the country or territory ensures
adequate level of protection for the rights
and freedoms of data subjects in relation to
processing of personal data. Article 25 (1) is
considered as the most crucial section that
received criticism from various sectors and
agencies. What a third country requires is
adequate protection which is more restrictive
than the OECD Guidelines requirement for
equivalent degree of protection.
The adequacy of level of protection guaranteed
by a third country shall be assessed based on the
circumstances. Article 26(2) states that in decid-
ing adequacy of protection consideration shall be
given to the nature of the data, the purpose, and
duration of the proposed processing operation or
operations, the country of origin and country of
final destination, the rule of law, and the profes-
sional rules and security measures implemented
in that particular third county. The adequacy of
level of protection guaranteed by a third country
is to be determined by the Commission and such
decision binds the member countries. The ambi-
guity under the Directive is whether the adequate
level of protection must be satisfied by a country's
overall privacy law or particular categories of
specified personal data.
The Directive under article 26(1) also listed
down circumstances in which the transfer of
data may be allowed even if there is no adequate
protection. The circumstances are:
1. The data subject consented unambiguously,
2. It is necessary for the performances of a
contract between the data subject and the
controller or the implementation of free
contractual measures taken in response to
the data subject's request,
3. It is necessary for the conclusion or perfor-
mance of a contract concluded in the interest
of the data subject between the controller
and a third party,
4. It is necessary on important public interest
ground or for legal claims, and
5. It is necessary to protect the vital interest of
the data subject.
Search WWH ::




Custom Search