Data Protection: The Basics Of EU Law

Charles Hylton-Potts explains the basics of EU data protection law. In a series of articles, Charles Hylton-Potts, a lawyer based in London, covers a range of legal topics relevant to establishing a business in the EU. Click here to check out his previous article.

Recent news stories have focused on the planned reform of EU data protection law. Whilst there is currently some harmonisation, as each EU country had to implement minimum standards following a 1995 EU Directive, differing interpretations and new technologies have caused the lawmakers to return to the drawing board. For now, however, the existing law is what you need to comply with. Businesses should also be aware of a 2002 EU Directive and its requirements for direct marketing and cookies, although these are not covered here.

The existing law

It is important to understand the EU’s minimum standards when launching your business in one of its countries.

Your data may be a valuable asset, but serious breaches of the law can attract fines, criminal liability and compensation claims, potentially making it an expensive one too.

The minimum standards cover the “processing” of “personal data” and the rights which “data subjects” have. Processing means collecting, storing or using personal data in pretty much any way; personal data means data that identify an individual on their own or with other data held or likely to be held; the individual is the data subject. The rules are stricter where data reveal race, ethnic origin, political opinions, beliefs or union membership, or concern health, sex life, criminal proceedings, allegations or convictions (known as “special categories”).

Anyone who decides the purposes and manner of processing is a “controller” and usually will need to register with the national authority before any processing takes place. All obligations fall on the controller, which must ensure its own compliance and that of anyone processing data on its behalf, such as a subcontractor.

You should note that the national laws of EU countries may be more detailed or have greater obligations and varied exemptions. Enforcement is carried out on a national level. Local advice in your chosen country is essential.

Data quality principles

The EU Directive requires personal data to be:

  1. Processed fairly and lawfully;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes;
  3. Adequate, relevant and not excessive in relation to those purposes;
  4. Accurate and, where necessary, kept up to date; and
  5. Kept for no longer than is necessary.

Processing requirements

To process personal data lawfully, a controller is also required to provide the data subject with its identity, the purposes of the processing and any further information which is necessary for the processing to be fair.

For data collection online, usually a privacy notice or policy will aim to achieve this. Any policy you use outside of Europe should be checked locally.

Additionally, personal data may only be processed if one of a number of conditions is met. The most relevant for businesses are: (a) the obtaining of consent from the data subject; (b) where processing is necessary to perform or enter into a contract with the data subject; or (c) where the controller has legitimate interests which outweigh the data subject’s rights. Different conditions apply for the special categories, including the obtaining of explicit consent from the data subject or the controller’s compliance with national employment law.

Data security

Each controller is responsible for implementing appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorised disclosure or access.

You should carry out a risk assessment on the data you hold, your processing operations and the likely harm that would result from a security breach to decide what is “appropriate”. 

Your security standards will depend on the state of the art and the cost of the measures. The measures (and examples of each) may include: physical (locked filing cabinets); management (appointment of a data protection officer); organisational (a data protection policy and staff training); and technological (passwords, firewalls and encryption).   


Any person processing personal data on behalf of the controller must only do so in accordance with the controller’s instructions. The controller needs to ensure that any processor sufficiently guarantees its security measures and its compliance with them. These obligations must be incorporated into a written contract between the parties.

If you engage a consultant, subcontract or outsource any functions, you will need to consider if the other party will process any personal data on your behalf and therefore what due diligence and contractual provisions are necessary.

International data transfers

There is a general prohibition against transferring personal data out of the European Economic Area (being the EU, Norway, Iceland and Liechtenstein) unless the country to which it is being transferred ensures an adequate level of protection for personal data and data subject rights. 

There are exceptions to the rule, most notably where the consent of the data subject is obtained for the transfer, or where the transfer is necessary for performance of a contract between the data subject and the controller.

Eleven countries have so far been designated as having an adequate level of protection. No such finding has been made for the US, but US businesses may sign up to and comply with the US-EU Safe Harbor Framework to achieve an adequate level of protection. The effectiveness of this framework has been questioned in recent months however, so it would be prudent to put in place an adequate safeguard too (see below).

A controller may consider if any other country passes a test of adequacy but, alternatively and for greater certainty, adequate safeguards may be put in place. A controller can use approved standard contractual clauses with the recipient of data abroad. Alternatively, less popular binding corporate rules may be drafted and approved by the national authority to allow intra-group transfers of personal data. 

Alternatively, there is always the option to ensure that personal data you hold is stored on European servers and therefore does not leave the EEA.

Where your storage is in the cloud, check where the service provider’s servers are and what rights it has to move your data around.

Data subject rights  

Data subjects have a number of rights under the EU Directive including:

  1. To obtain from a controller confirmation as to whether data relating to him are being processed and, if so, the purposes for processing, categories of data, a copy of the data being processed and any available information on the source;
  2. To require the rectification, erasure or blocking of data where processing does not comply with the Directive, particularly if the data are incomplete or inaccurate;
  3. To object to the processing of data for direct marketing purposes; and
  4. To object to the processing of data on “compelling legitimate grounds”, such as in the UK, for example, where processing causes or is likely to cause substantial damage or distress.

The new regulation

A new EU Regulation has been drafted to replace the existing law. Currently in draft form, it would reiterate, tweak and strengthen the current minimum standards. Its proposed changes include:

  1. Widening jurisdiction so that the law will apply equally to EU controllers and processors but also to any controller established outside of the EU who offers goods or services to EU individuals or monitors their behaviour;
  2. Requiring an individual’s consent to be explicit where it is to be relied upon for lawful data processing; and
  3. Creating a right to be forgotten, i.e. a right to require deletion of one’s personal data.

The wording of the draft Regulation will need approval by the European Parliament and all 28 EU countries. There is concern about the compliance costs to businesses and are differing views on how it should be enforced. The new regime will therefore not come into force for some time (likely in 2017), so watch this space. 

Disclaimer: This article is intended to provide a general guide to the subject matter. Specialist, local advice should be sought about your specific circumstances and no liability is accepted by the author or Redfern Legal on the basis of this article.

This article was written by Charles Hylton-Potts, a lawyer at Redfern Legal based in London specialising in corporate, commercial and real estate matters, particularly for businesses setting up in or moving into the United Kingdom. In addition to those services, Redfern Legal provides a full range of business legal services to support inward investment into the UK including business immigration and employment law advice.

Image courtesy of ddpavumba/

Sign Up to our Newsletter

So you enjoy The NextWomen. Why not sign up to our monthly newsletter?
You get a Letter from the CEO :-), the chance to catch up with the best of our recent articles - and some extra things we throw in once in a while.

We try hard for smart reading.