We all need to see our private life guaranteed properly, in a universe that has changed a lot these last fifteen years through the digital world where we are exposed towards others' detection, of our work data and our health, etc. Europe has had a long legislative experience in enacting data protection legislation. At a national level, Germany (Land of Hesse) was the first country in the world to enact data protection laws in 1970. Denmark, Austria, France, Norway and Luxemburg followed suit in the late 1970s.

In December of 1983 the German Federal Constitutional Court declared unconstitutional (as infringement upon the Basic Law) some provisions of the act concerning the census adopted the same year, and with this decision produced a global effect on data protection policy and law. In its famous census decision (Volkszählungsurteil) the court ruled that the "basic right warrants [...] the capacity of the individual to determine in principle the disclosure and use of his/her personal data”.

Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted in 1995. The Directive is one of the most important legislative measure relating to privacy protection in the European Union member states.

The Data Protection Directive provides that personal data may be processed only if:

• (a) the data subject has unambiguously given his consent; or
• (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or
• (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

In the law of UK these criteria are set out as in the Directive but they are linked to the “fair and lawful processing” requirement. German law takes a more hierarchical view of the criteria: “consent” and processing based on a law are given primary status; the other criterion are seen as exceptions to these primary criteria.

The principle holds that the processing of certain types of data which are regarded as especially sensitive for data subjects, should be subject to more stringent controls than other personal data. In principle, such data cannot be processed. Derogation is tolerated under very specific circumstances. The Data Protection Directive defines “sensitive data” as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”. Similar seemingly minor textual differences can be found in other laws. The German law refers to data “on” the matters concerned while the UK law uses “as to”. Several countries impose special restrictions on certain categories of data, which are not formally included in the list of sensitive data in Art 8(1) of the Directive. For example, the French law neither considers ethnic origin nor data concerning health or sex life as sensitive.

If you want to get detailed information about this subject, don't hasitate to contact us.