Personal data protection

The Council was in agreement with the approach adopted in the Commission's amended proposal. The amendments which were accepted by the Commission and incorporated in the modified proposal were adopted in the common position, and mainly comprise: - General approach: . the formal distinction between the requirements of the public and private sectors has been abandoned; . protection should not depend solely on the compilation of files containing personal data; a wider approach should be adopted which covers all the uses to which the data could be put; . data processing systems should serve the citizens; - Definitions: . the definition of personal data was clarified; . the data-collection phase and the different forms of data communication were included in the definition of the processing method; . definitions were introduced for third parties and subcontractors; - Data quality: . the purpose which the data will serve should be established before collection commences; . a derogation was introduced to the principle of the maximum duration for which data may be stored, which is laid down as a function of the purposes of the processing, in respect of data which is held for historical, statistical or scientific purposes; - Special processing categories: . data processing which is undertaken by non-profitmaking organizations involved in political, religious and trade-union activities, etc., would be entitled to a special derogation when the data in question were of a sensitive nature and came under the prohibition on all processing; . greater flexibility for the processing of data relating to criminal offences and prosecutions; . Member States would determine the conditions under which a national identification number or any other identifier of general application may be processed; - individual rights were specified and reinforced as follows: . the right to be kept informed was extended to include the origin of the data; . the right of access should be provided without restraint; . the right of objection would be exercisable at any time, particularly with regard to processing for canvassing purposes; . the rights of appeal, which were to be provided by the Member States, were extended; . the requirement was introduced that those responsible for the processing operation would be held accountable for any illicit processing; . penalties were also to be imposed on those responsible for processing who were operating in the public sector; - notification of processing and prior checks: . the notification procedure was made more selective; Member States were offered the possibility of simplifying the procedure and of being exempt from the obligation to provide notification when the processing did not infringe individual rights and freedoms or when the processing was carried out by organizations engaged in political, religious or trade-union activities, etc.; . the principle was adopted that the controlling authority should conduct prior checks when carrying out processing which involved specific risks to individual rights and freedoms; . the public were offered the opportunity to consult the register of notified processing, which is kept by the controlling authority; - codes of conduct: . to encourage the drawing up of codes of conduct at both national and European level; the controlling authorities, the Working Party and the persons concerned could be involved in the drawing-up of these codes; - the Working Party on the protection of individuals with regard to the processing of personal data would be given the following tasks: . advising on the implementation of national provisions adopted pursuant to the Directive; . advising on the level of protection provided in the Community and in third countries; . submitting recommendations on its own initiative. . the Commission would draw up and publish a report informing the Working Party of the actions taken in response to its recommendations; this report would be submitted to Parliament and the Council. The Council also introduced the following amendments to its common position: - definitions: . a definition was introduced for the recipient of the processing data - data held in manual filing systems: . in order to help implement the Directive in Member States where manually-filed data have not yet been covered, a transitional period of 12 years was to be provided for the application of certain measures contained in the Directive; - national law applying: . the criterion of the place of domicile of the body controlling the processing was confirmed; . clarifications were made in respect of the security obligations of the subcontractor and the responsibilities of the controlling authorities for processing operations carried out in their territory; - special categories of processing: . exceptions to the measures prohibiting the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or concerning health or sex life, were included in order to cover the requirements of the medical and employment sectors; . derogations on grounds of major public interest, and derogations relating to offences, criminal convictions and security measures, were to be notified to the Commission; - freedom of expression: . the processing of personal data for journalistic purposes was included in the scope of the Directive; - processing of data for statistical, historical or scientific purposes: . scientific research and statistics were cited as areas in which major public interest could justify derogations from the prohibition on processing data of a sensitive nature; - processing transparency: . greater flexibility was given to the obligations under which information on the processing of personal data was to be provided to the individuals concerned; . Member States were to ensure that the processing operations were given proper publicity; - notification and prior checks: . derogations and/or simplifications could be applied when an official was appointed by the body responsible for processing who would ensure that the processing operations were not likely to infringe individual rights and freedoms; . prior checks could be carried out on processing operations which involved specific risks with regard to individual rights and freedoms; these checks would be undertaken either by the controlling authority or by the appointed official acting in cooperation with the controlling authority; - third countries: . confirmation of the principle of an adequate level of protection in third countries to which the data were transferred, and the obligation for Member States to ensure that this protection was provided; - controlling authority: . routine consultation of the controlling authorities would be introduced when drawing up statutory or administrative measures at national level; the powers of intervention of the controlling authorities were clarified. - The Council limited the powers of enforcement solely to the area of data transfer to third countries and retained procedure III a) in respect of the committee assisting the Commission in this field; - the deadline for the transposition of the Directive was increased to three years with effect from its date of adoption. �