Direktiva Evropskega parlamenta in Sveta 95/46/ES

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

z dne 24. oktobra 1995

of 24 October 1995

o varstvu posameznikov pri obdelavi osebnih podatkov in o prostem pretoku takih podatkov

on the protection of individuals with regard to the processing of personal data and on the free movement of such data

EVROPSKI PARLAMENT IN SVET EVROPSKE UNIJE STA

ob upoštevanju Pogodbe o ustanovitvi Evropske skupnosti in zlasti člena 100a Pogodbe,

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

ob upoštevanju predloga Komisije [1],

Having regard to the Treaty establishing the European Community, and in particular Article 100a thereof,

ob upoštevanju mnenja Ekonomsko-socialnega odbora [2],

Having regard to the proposal from the Commission (1),

v skladu s postopkom, določenim v členu 189b Pogodbe [3],

Having regard to the opinion of the Economic and Social Committee (2),

(1) ker cilji Skupnosti, kakor jih določa Pogodba, spremenjena s Pogodbo o Evropski uniji, vključujejo ustvarjanje vse tesnejše zveze med narodi Evrope, pospeševanje tesnejših odnosov med državami, ki pripadajo Skupnosti, zagotavljanje gospodarskega in socialnega napredka s skupnim delovanjem za odstranitev pregrad, ki delijo Evropo, spodbujanje stalnega izboljševanja življenjskih razmer njenih narodov, ohranjanje in krepitev miru in svobode ter spodbujanje demokracije na podlagi temeljnih pravic, ki jih priznavajo ustave in zakoni držav članic ter Evropska konvencija o varstvu človekovih pravic in temeljnih svoboščin;

Acting in accordance with the procedure referred to in Article 189b of the Treaty (3),

(2) ker so sistemi za obdelavo podatkov namenjeni temu, da služijo človeku; ker morajo, ne glede na državljanstvo ali stalno prebivališče fizičnih oseb, spoštovati njihove temeljne pravice in svoboščine, predvsem pravico do zasebnosti, ter prispevati h gospodarskemu in socialnemu napredku, trgovinskemu razvoju ter blaginji posameznikov;

(1) Whereas the objectives of the Community, as laid down in the Treaty, as amended by the Treaty on European Union, include creating an ever closer union among the peoples of Europe, fostering closer relations between the States belonging to the Community, ensuring economic and social progress by common action to eliminate the barriers which divide Europe, encouraging the constant improvement of the living conditions of its peoples, preserving and strengthening peace and liberty and promoting democracy on the basis of the fundamental rights recognized in the constitution and laws of the Member States and in the European Convention for the Protection of Human Rights and Fundamental Freedoms;

(3) ker ustanovitev in delovanje notranjega trga, na katerem je v skladu s členom 7a Pogodbe zagotovljen prosti pretok blaga, oseb, storitev in kapitala, zahteva ne le, da se osebni podatki lahko prosto prenašajo iz ene države članice v drugo, ampak tudi, da se zaščitijo temeljne pravice posameznikov;

(2) Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;

(4) ker se v Skupnosti vedno pogosteje zateka k obdelavi osebnih podatkov na različnih področjih gospodarske in družbene dejavnosti; ker napredek v informacijski tehnologiji občutno olajšuje obdelavo in izmenjavo takih podatkov;

(3) Whereas the establishment and functioning of an internal market in which, in accordance with Article 7a of the Treaty, the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State to another, but also that the fundamental rights of individuals should be safeguarded;

(5) ker bo gospodarsko in socialno povezovanje, ki izhaja iz ustanovitve in delovanja notranjega trga v smislu člena 7a Pogodbe, nujno vodilo k občutnemu povečanju čezmejnih prenosov osebnih podatkov med vsemi tistimi, ki so vključeni v zasebno ali javno vlogo pri gospodarski in socialni dejavnosti držav članic; ker bo izmenjava osebnih podatkov med podjetji v različnih državah članicah naraščala; ker so nacionalne oblasti v raznih državah članicah na podlagi zakonodaje Skupnosti pozvane k sodelovanju in izmenjavi osebnih podatkov, da bi lahko opravljale svoje dolžnosti ali izvajale naloge v imenu oblasti v drugi državi članici v smislu območja brez notranjih meja, kakršno vzpostavlja notranji trg;

(4) Whereas increasingly frequent recourse is being had in the Community to the processing of personal data in the various spheres of economic and social activity; whereas the progress made in information technology is making the processing and exchange of such data considerably easier;

(6) ker vrh tega povečanje znanstvenega in tehničnega sodelovanja ter usklajeno vzpostavljanje novih telekomunikacijskih omrežij v Skupnosti zahtevata in olajšujeta čezmejni prenos osebnih podatkov;

(5) Whereas the economic and social integration resulting from the establishment and functioning of the internal market within the meaning of Article 7a of the Treaty will necessarily lead to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States; whereas the exchange of personal data between undertakings in different Member States is set to increase; whereas the national authorities in the various Member States are being called upon by virtue of Community law to collaborate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State within the context of the area without internal frontiers as constituted by the internal market;

(7) ker lahko razlika v ravneh varstva pravic in svoboščin posameznikov, predvsem pravice do zasebnosti glede obdelave osebnih podatkov, ki je zagotovljena v državah članicah, prepreči prenos takih podatkov z ozemlja ene države članice na ozemlje druge države članice; ker zato ta razlika lahko predstavlja oviro pri izvajanju številnih gospodarskih dejavnosti na ravni Skupnosti, izkrivlja konkurenco in ovira organe pri opravljanju njihovih obveznosti na podlagi zakonodaje Skupnosti; ker je ta razlika na ravni varstva posledica obstoja velike raznolikosti nacionalnih zakonov in drugih predpisov;

(6) Whereas, furthermore, the increase in scientific and technical cooperation and the coordinated introduction of new telecommunications networks in the Community necessitate and facilitate cross-border flows of personal data;

(8) ker mora biti zato, da bi odstranili ovire za prenos osebnih podatkov, raven varstva pravic in svoboščin posameznikov glede obdelave takih podatkov enakovredna v vseh državah članicah; ker je ta cilj bistven za notranji trg, vendar ga države članice same ne morejo doseči, predvsem zaradi obsega razlik, ki trenutno obstajajo med zadevno zakonodajo v državah članicah in potrebo po usklajevanju zakonodaj držav članic za zagotovitev, da se čezmejni prenos osebnih podatkov ureja na dosleden način, ki sledi cilju notranjega trga, kakor ga opredeljuje člen 7a Pogodbe; ker je za približanje teh zakonodaj potrebno ukrepanje Skupnosti;

(7) Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions;

(9) ker države članice zaradi enakovrednega varstva, ki bo posledica približevanja nacionalnih zakonodaj, ne bodo več mogle ovirati medsebojnega prostega pretoka osebnih podatkov na temelju varstva pravic in svoboščin posameznikov ter predvsem pravice do zasebnosti; ker bo državam članicam puščen manevrski prostor, ki ga lahko v okviru izvajanja te direktive izkoristijo tudi gospodarski in socialni partnerji; ker bodo lahko zato države članice v svoji nacionalni zakonodaji določile splošne pogoje, ki urejajo zakonitost obdelave podatkov; ker si pri tem države članice prizadevajo za izboljšanje varstva, ki ga trenutno predvideva njihova zakonodaja; ker bi se v mejah tega manevrskega prostora in v skladu z zakonodajo Skupnosti lahko pojavila neskladja pri izvajanju direktive in bi to lahko vplivalo na pretok podatkov znotraj države članice, pa tudi znotraj Skupnosti;

(8) Whereas, in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States; whereas this objective is vital to the internal market but cannot be achieved by the Member States alone, especially in view of the scale of the divergences which currently exist between the relevant laws in the Member States and the need to coordinate the laws of the Member States so as to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market as provided for in Article 7a of the Treaty; whereas Community action to approximate those laws is therefore needed;

(10) ker je namen nacionalne zakonodaje o obdelavi osebnih podatkov varovati temeljne pravice in svoboščine, predvsem pravico do zasebnosti, ki jo priznava člen 8 Evropske konvencije o varstvu človekovih pravic in temeljnih svoboščin, pa tudi splošna načela zakonodaje Skupnosti; ker zato približevanje teh zakonodaj ne sme povzročiti zmanjšanja varstva, ki ga zagotavljajo, ampak mora imeti za cilj zagotovitev visoke ravni varstva v Skupnosti;

(9) Whereas, given the equivalent protection resulting from the approximation of national laws, the Member States will no longer be able to inhibit the free movement between them of personal data on grounds relating to protection of the rights and freedoms of individuals, and in particular the right to privacy; whereas Member States will be left a margin for manoeuvre, which may, in the context of implementation of the Directive, also be exercised by the business and social partners; whereas Member States will therefore be able to specify in their national law the general conditions governing the lawfulness of data processing; whereas in doing so the Member States shall strive to improve the protection currently provided by their legislation; whereas, within the limits of this margin for manoeuvre and in accordance with Community law, disparities could arise in the implementation of the Directive, and this could have an effect on the movement of data within a Member State as well as within the Community;

(11) ker načela varstva pravic in svoboščin posameznikov, predvsem pravice do zasebnosti, ki jih vsebuje ta direktiva, dajejo vsebino in razširjajo tista, ki jih vsebuje Konvencija Sveta Evrope z dne 28. januarja 1981 o varstvu posameznikov glede na avtomatsko obdelavo osebnih podatkov;

(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;

(12) ker morajo načela varstva veljati za kakršno koli obdelavo osebnih podatkov za vse osebe, katerih dejavnost ureja zakonodaja Skupnosti; ker je treba izključiti obdelavo podatkov, ki jo izvaja fizična oseba pri opravljanju dejavnosti, ki so izključno osebne ali domače, kakršno je dopisovanje in beleženje naslovov;

(11) Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

(13) ker dejavnosti iz naslovov V in VI Pogodbe o Evropski uniji glede javne varnosti, obrambe, državne varnosti ali dejavnosti države na področju kazenskega prava ne sodijo na področje uporabe zakonodaje Skupnosti, brez poseganja v obveznosti, ki so jim zavezane države članice na podlagi člena 56(2), 57 ali 100a Pogodbe o ustanovitvi Evropske skupnosti; ker obdelava osebnih podatkov, ki je potrebna za varovanje gospodarske blaginje države, ne sodi na področje uporabe te direktive, kadar se taka obdelava nanaša na zadeve državne varnosti;

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;

(14) ker bi se morala ta direktiva glede na pomembnost potekajočega razvoja v okviru informacijske družbe v zvezi z metodami za zajetje, prenos, spreminjanje, zbiranje, shranjevanje ali sporočanje zvočnih in slikovnih podatkov v zvezi s fizičnimi osebami, uporabljati za obdelavo, ki vključuje take podatke;

(13) Whereas the acitivities referred to in Titles V and VI of the Treaty on European Union regarding public safety, defence, State security or the acitivities of the State in the area of criminal laws fall outside the scope of Community law, without prejudice to the obligations incumbent upon Member States under Article 56 (2), Article 57 or Article 100a of the Treaty establishing the European Community; whereas the processing of personal data that is necessary to safeguard the economic well-being of the State does not fall within the scope of this Directive where such processing relates to State security matters;

(15) ker ta direktiva zajema obdelavo takih podatkov samo, če je avtomatska ali če so obdelani podatki vsebovani ali nameravajo biti vsebovani v zbirki, ki je strukturirana skladno s posebnimi merili v zvezi s posamezniki, tako da omogoča enostaven dostop do tovrstnih osebnih podatkov;

(14) Whereas, given the importance of the developments under way, in the framework of the information society, of the techniques used to capture, transmit, manipulate, record, store or communicate sound and image data relating to natural persons, this Directive should be applicable to processing involving such data;

(16) ker obdelava zvočnih in slikovnih podatkov, kot na primer videonadzor, ne sodi na področje uporabe te direktive, če se izvaja zaradi javne varnosti, obrambe, državne varnosti ali med državnimi dejavnostmi v zvezi s področjem kazenskega prava ali drugih dejavnosti, ki ne sodijo v zakonodajo Skupnosti;

(15) Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question;

(17) ker se morajo načela direktive v zvezi z obdelavo zvočnih in slikovnih podatkov, ki se izvaja v novinarske namene ali zaradi literarnega ali umetniškega izražanja, predvsem na avdiovizualnem področju, uporabljati omejeno v skladu z določbami iz člena 9;

(16) Whereas the processing of sound and image data, such as in cases of video surveillance, does not come within the scope of this Directive if it is carried out for the purposes of public security, defence, national security or in the course of State activities relating to the area of criminal law or of other activities which do not come within the scope of Community law;

(18) ker se mora vsaka obdelava osebnih podatkov v Skupnosti izvajati v skladu z zakonodajo ene izmed držav članic, zaradi zagotovitve, da posamezniki niso prikrajšani za varstvo, do katerega so upravičeni na podlagi te direktive; ker bi v tej zvezi obdelavo, ki se izvaja pod odgovornostjo upravljavca, ustanovljenega v določeni državi članici, morala urejati zakonodaja te države;

(17) Whereas, as far as the processing of sound and image data carried out for purposes of journalism or the purposes of literary or artistic expression is concerned, in particular in the audiovisual field, the principles of the Directive are to apply in a restricted manner according to the provisions laid down in Article 9;

(19) ker ustanovitev na ozemlju države članice pomeni učinkovito in dejansko izvajanje dejavnosti prek ustaljenih režimov; ker pravna oblika take ustanovitve, bodisi da je preprosto izpostava bodisi podružnica, ki je pravna oseba, v tem pogledu ni odločilen dejavnik; ker, kadar je ustanovljen en sam upravljavec na ozemlju več držav članic predvsem prek podružnic, mora zato da bi preprečil vsakršno izogibanje nacionalnim predpisom, zagotoviti, da vsaka izmed ustanovitev izpolnjuje obveznosti, ki jih nalaga nacionalna zakonodaja na področju njenih dejavnosti;

(18) Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;

(20) ker dejstvo, da obdelavo podatkov izvaja oseba, ustanovljena v tretji državi, ne sme ovirati varstva posameznikov, ki ga opredeljuje ta direktiva; ker bi v teh primerih morala urejati obdelavo zakonodaja države članice, v kateri so uporabljena sredstva, in bi morala obstajati jamstva za zagotovitev, da se pravice in obveznosti, ki jih opredeljuje ta direktiva, spoštujejo v praksi;

(19) Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;

(21) ker ta direktiva ne posega v pravila teritorialnosti, ki se uporabljajo v kazenskih zadevah;

(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

(22) ker morajo države članice v zakonodaji, ki jo sprejemajo, ali kadar izvajajo na podlagi te direktive sprejete predpise, natančneje opredeliti splošne okoliščine, v katerih je obdelava zakonita; ker predvsem člen 5, skupaj s členoma 7 in 8, omogoča državam članicam ne glede na splošne predpise, da predvidijo posebne pogoje obdelave za določene sektorje in za različne vrste podatkov iz člena 8;

(21) Whereas this Directive is without prejudice to the rules of territoriality applicable in criminal matters;

(23) ker so države članice pooblaščene, da zagotovijo izvajanje varstva posameznikov tako s splošno zakonodajo o varstvu posameznikov glede obdelave osebnih podatkov kot s področnimi zakoni, kakršni so tisti, ki se na primer nanašajo na statistične urade;

(22) Whereas Member States shall more precisely define in the laws they enact or when bringing into force the measures taken under this Directive the general circumstances in which processing is lawful; whereas in particular Article 5, in conjunction with Articles 7 and 8, allows Member States, independently of general rules, to provide for special processing conditions for specific sectors and for the various categories of data covered by Article 8;

(24) ker ta direktiva ne vpliva na zakonodajo v zvezi z varstvom pravnih oseb glede obdelave podatkov, ki se nanje nanašajo;

(23) Whereas Member States are empowered to ensure the implementation of the protection of individuals both by means of a general law on the protection of individuals as regards the processing of personal data and by sectorial laws such as those relating, for example, to statistical institutes;

(25) ker se morajo načela varstva po eni strani izražati v obveznostih, ki so naložene osebam, organom oblasti, podjetjem, agencijam ali drugim organom, odgovornim za obdelavo, predvsem glede kakovosti podatkov, tehnične varnosti, uradnega obvestila nadzornemu organu in okoliščin, v katerih se lahko izvaja obdelava, ter po drugi strani v pravici, podeljeni posameznikom, katerih podatki so predmet obdelave, da so obveščeni o potekajoči obdelavi, da imajo vpogled v podatke, da zahtevajo popravke in da v nekaterih okoliščinah celo ugovarjajo obdelavi;

(24) Whereas the legislation concerning the protection of legal persons with regard to the processing data which concerns them is not affected by this Directive;

(26) ker se morajo načela varstva uporabljati za vse informacije v zvezi z določeno ali določljivo osebo; ker bi bilo treba za odločitev o tem, ali je oseba določljiva ali ne, upoštevati vsa sredstva, za katera se pričakuje, da jih bo uporabil bodisi upravljavec ali katera koli druga oseba za določitev take osebe; ker se načela varstva ne uporabljajo za podatke, ki so spremenjeni v anonimne tako, da posameznik, na katerega se osebni podatki nanašajo, ni več določljiv; ker so pravila ravnanja v smislu člena 27 lahko koristen instrument za usmerjanje k načinom, s katerimi se lahko podatki spremenijo v anonimne in se ohranijo v obliki, v kateri identifikacija posameznika, na katerega se osebni podatki nanašajo, ni več mogoča;

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

(27) ker se mora varstvo posameznikov uporabljati za avtomatsko in za ročno obdelavo podatkov; ker obseg tega varstva dejansko ne sme biti odvisen od uporabljenih metod, sicer bi to ustvarilo resno tveganje za izogibanje izpolnjevanju obveznosti; ker kljub temu ta direktiva glede ročne obdelave zajema samo zbirke in ne nestrukturiranih zapisov; ker mora biti predvsem vsebina zbirk strukturirana v skladu s posebnimi merili glede posameznikov, tako da omogoča enostaven dostop do osebnih podatkov; ker lahko v skladu z opredelitvijo iz člena 2(c) razna merila za določanje sestavin strukturiranega niza osebnih podatkov in razna merila, ki urejajo dostop do takega niza, določi vsaka država članica; ker zapisi ali nizi zapisov, pa tudi njihove naslovnice, ki niso strukturirane v skladu s posebnimi merili, pod nobenim pogojem ne sodijo na področje uporabe te direktive;

(26) Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;

(28) ker mora biti vsaka obdelava osebnih podatkov zakonita in poštena do zadevnih posameznikov; ker morajo biti podatki predvsem primerni, ustrezni in ne pretirani glede na namene, za katere se obdelujejo; ker morajo biti taki nameni izrecni in zakoniti ter jih je treba določiti ob zbiranju podatkov; ker nameni obdelave po zbiranju ne smejo biti nezdružljivi s prvotno določenimi;

(27) Whereas the protection of individuals must apply as much to automatic processing of data as to manual processing; whereas the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data; whereas, in line with the definition in Article 2 (c), the different criteria for determining the constituents of a structured set of personal data, and the different criteria governing access to such a set, may be laid down by each Member State; whereas files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of this Directive;

(29) ker naj se nadaljnja obdelava osebnih podatkov v zgodovinske, statistične ali znanstvene namene na splošno ne bi štela za nezdružljivo z nameni, za katere so bili podatki predhodno zbrani, če države članice poskrbijo za primerne zaščitne ukrepe; ker morajo ti ukrepi predvsem izključiti uporabo podatkov v podporo ukrepom ali odločitvam glede katerega koli določenega posameznika;

(28) Whereas any processing of personal data must be lawful and fair to the individuals concerned; whereas, in particular, the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; whereas such purposes must be explicit and legitimate and must be determined at the time of collection of the data; whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified;

(30) ker se mora obdelava osebnih podatkov zato, da bi bila zakonita, poleg tega izvajati s privolitvijo posameznika, na katerega se osebni podatki nanašajo, ali mora biti potrebna za sklenitev ali izvajanje pogodbe, ki je zavezujoča za posameznika, na katerega se osebni podatki nanašajo, ali kot zakonska zahteva, ali pa za opravljanje naloge, ki se izvaja v javnem interesu, ali pri izvrševanju javne oblasti, ali pri zakonitih interesih fizične ali pravne osebe, če ne prevladujejo interesi ali pravice in svoboščine posameznika, na katerega se osebni podatki nanašajo; ker lahko države članice predvsem zato, da bi ohranjale ravnotežje med vpletenimi interesi ob zagotavljanju učinkovite konkurence, določijo okoliščine, v katerih se osebni podatki lahko uporabijo ali posredujejo tretji stranki v okviru zakonitih običajnih poslovnih dejavnosti podjetij in drugih organov; ker lahko države članice prav tako določijo pogoje, pod katerimi se osebni podatki lahko posredujejo tretji stranki v namene trženja, bodisi da se slednje izvaja komercialno ali da ga izvaja dobrodelna organizacija ali katero koli združenje ali ustanova, na primer politične narave, ob upoštevanju določb, ki omogočajo posamezniku, na katerega se osebni podatki nanašajo, da brezplačno in brez navedbe razlogov ugovarja obdelavi podatkov, ki se nanašajo nanj;

(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual;

(31) ker se mora obdelava osebnih podatkov prav tako šteti za zakonito tam, kjer se izvaja za zaščito interesa, ki je bistven za življenje posameznika, na katerega se osebni podatki nanašajo;

(30) Whereas, in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject, or as a legal requirement, or for the performance of a task carried out in the public interest or in the exercise of official authority, or in the legitimate interests of a natural or legal person, provided that the interests or the rights and freedoms of the data subject are not overriding; whereas, in particular, in order to maintain a balance between the interests involved while guaranteeing effective competition, Member States may determine the circumstances in which personal data may be used or disclosed to a third party in the context of the legitimate ordinary business activities of companies and other bodies; whereas Member States may similarly specify the conditions under which personal data may be disclosed to a third party for the purposes of marketing whether carried out commercially or by a charitable organization or by any other association or foundation, of a political nature for example, subject to the provisions allowing a data subject to object to the processing of data regarding him, at no cost and without having to state his reasons;

(32) ker je naloga nacionalne zakonodaje, da določi, ali naj bo upravljavec, ki izvaja nalogo v javnem interesu ali pri izvrševanju javne oblasti, državna uprava ali druga fizična ali pravna oseba, ki jo ureja javno pravo, ali pa oseba, ki jo ureja zasebno pravo, kakršno je na primer poklicno združenje;

(31) Whereas the processing of personal data must equally be regarded as lawful where it is carried out in order to protect an interest which is essential for the data subject's life;

(33) ker se podatki, ki so po svoji naravi zmožni poseči v temeljne svoboščine ali zasebnost, ne bi smeli obdelovati, razen če posameznik, na katerega se osebni podatki nanašajo, ne da svoje izrecne privolitve; vendar pa se morajo odstopanja od te prepovedi izrecno predvideti glede posebnih potreb, predvsem kadar obdelavo teh podatkov zaradi nekaterih z zdravjem povezanih razlogov izvajajo osebe, ki so zakonsko zavezane k poklicni molčečnosti, ali med zakonitimi dejavnostmi nekaterih združenj ali ustanov, katerih namen je omogočati uresničevanje temeljnih svoboščin;

(32) Whereas it is for national legislation to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association;

(34) ker morajo biti države članice tudi pooblaščene, kadar so zaradi pomembnega javnega interesa upravičene, da odstopijo od prepovedi obdelave občutljivih kategorij podatkov, kadar to upravičujejo pomembni razlogi javnega interesa na področjih, kakršna so javno zdravje in socialno varstvo – predvsem, da bi zagotovile kakovost in racionalnost postopkov, ki se uporabljajo za reševanje zahtevkov za dajatve in storitve v sistemu zdravstvenega zavarovanja – ter kakršna so znanstvene raziskave in vladne statistike; ker morajo vseeno obvezno poskrbeti za posebne in ustrezne zaščitne ukrepe za varstvo temeljnih pravic in zasebnosti posameznikov;

(33) Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;

(35) ker se poleg tega obdelava osebnih podatkov uradno priznanih verskih skupnosti s strani državnih organov za doseganje ciljev, ki so določeni v ustavnem pravu ali mednarodnem javnem pravu, izvaja zaradi pomembnega javnega interesa;

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

(36) ker, kadar med volilnimi dejavnostmi delovanje demokratičnega sistema v nekaterih državah članicah zahteva, da politične stranke zberejo podatke o političnem prepričanju ljudi, se lahko obdelava takih podatkov dovoli zaradi pomembnega javnega interesa, če so vzpostavljeni primerni zaščitni ukrepi;

(35) Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;

(37) ker bi morala obdelava osebnih podatkov v novinarske namene ali zaradi literarnega ali umetniškega izražanja, predvsem na avdiovizualnem področju, predstavljati izjemo od zahtev nekaterih določb te direktive, kadar je to potrebno za uskladitev temeljnih pravic posameznikov s svobodo informiranja ter predvsem s pravico do prejemanja in prenašanja podatkov, zagotovljeno predvsem s členom 10 Evropske konvencije o varstvu človekovih pravic in temeljnih svoboščin; ker bi morale države članice zato določiti izjeme in odstopanja, ki so potrebni za ravnotežje med temeljnimi pravicami glede splošnih ukrepov za zakonitost obdelave podatkov, ukrepov glede prenosa podatkov v tretje države in pooblastil nadzornega organa; ker pa to ne bi smelo voditi držav članic v določanje izjem od ukrepov za zagotovitev varnosti obdelave; ker bi bilo vsaj nadzornemu organu, ki je odgovoren za to področje, tudi treba podeliti nekatera naknadna pooblastila, denimo objavljanje rednega poročila ali predložitev zadev sodnim organom;

(36) Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people's political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;

(38) ker, če naj bo obdelava podatkov poštena, mora imeti posameznik, na katerega se osebni podatki nanašajo, možnost seznaniti se z obstojem postopka obdelave, in kadar se podatki zbirajo pri njem, se mu morajo dati natančne in polne informacije ob upoštevanju okoliščin zbiranja;

(37) Whereas the processing of personal data for purposes of journalism or for purposes of literary of artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information, as guaranteed in particular in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; whereas Member States should therefore lay down exemptions and derogations necessary for the purpose of balance between fundamental rights as regards general measures on the legitimacy of data processing, measures on the transfer of data to third countries and the power of the supervisory authority; whereas this should not, however, lead Member States to lay down exemptions from the measures to ensure security of processing; whereas at least the supervisory authority responsible for this sector should also be provided with certain ex-post powers, e.g. to publish a regular report or to refer matters to the judicial authorities;

(39) ker nekateri postopki obdelave vključujejo podatke, ki jih upravljavec ni zbral neposredno od posameznika, na katerega se osebni podatki nanašajo; ker se poleg tega podatki lahko zakonito posredujejo tretji stranki, tudi če posredovanje ni bilo predvideno v času, ko so bili zbrani od posameznika, na katerega se osebni podatki nanašajo; ker bi bilo treba v vseh teh primerih posameznika, na katerega se nanašajo osebni podatki, obvestiti, kadar se podatki zbirajo ali najpozneje kadar se prvič posredujejo tretji stranki;

(38) Whereas, if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection;

(40) ker pa ni treba naložiti te obveznosti, če je posameznik, na katerega se osebni podatki nanašajo, o tem že obveščen; ker poleg tega take obveznosti ne bo, če zbiranje ali posredovanje izrecno zagotavlja zakonodaja ali če se informiranje posameznika, na katerega se nanašajo osebni podatki, izkaže za nemogoče ali bi vključevalo nesorazmerne napore, kar bi se lahko zgodilo, kadar je obdelava namenjena zgodovinskim, statističnim ali znanstvenim ciljem; ker se v tem pogledu lahko upošteva število posameznikov, na katere se osebni podatki nanašajo, starost podatkov in vsi sprejeti nadomestni ukrepi;

(39) Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party;

(41) ker mora biti vsaka oseba sposobna uresničiti pravico dostopa do podatkov v obdelavi, ki se nanašajo nanjo, da bi preverila zlasti njihovo točnost in zakonitost obdelave; ker mora iz istih razlogov vsak posameznik, na katerega se osebni podatki nanašajo, imeti tudi pravico do seznanitve logike sistema, ki je vključena v avtomatsko obdelavo podatkov v zvezi z njim, vsaj pri avtomatiziranih odločitvah iz člena 15(1); ker ta pravica ne sme škodljivo vplivati na poslovne skrivnosti ali intelektualno lastnino in predvsem na avtorske pravice, ki ščitijo programsko opremo; ker to upoštevanje ne sme povzročiti, da se posamezniku, na katerega se osebni podatki nanašajo, zavrnejo vse informacije;

(40) Whereas, however, it is not necessary to impose this obligation of the data subject already has the information; whereas, moreover, there will be no such obligation if the recording or disclosure are expressly provided for by law or if the provision of information to the data subject proves impossible or would involve disproportionate efforts, which could be the case where processing is for historical, statistical or scientific purposes; whereas, in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration;

(42) ker lahko države članice v interesu posameznika, na katerega se osebni podatki nanašajo, ali zato da bi varovale pravice in svoboščine drugih, omejijo pravice do dostopa in informacij; ker lahko na primer določijo, da je dostop do zdravstvenih podatkov mogoč samo prek zdravstvenega delavca;

(41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;

(43) ker države članice lahko prav tako naložijo omejitve pravic do dostopa in informacij ter nekaterih obveznosti upravljavca, če so potrebne na primer za zaščito državne varnosti, obrambe, javne varnosti ali pomembnih gospodarskih ali finančnih interesov države članice ali Unije, pa tudi za kazenske preiskave in pregone ter ukrepanje zaradi kršitev etike v zakonsko urejenih poklicih; ker bi moral seznam izjem in omejitev vključevati naloge spremljanja, pregledovanja ali urejanja, ki so potrebne na zadnjih treh navedenih področjih v zvezi z javno varnostjo, gospodarskimi ali finančnimi interesi in preprečevanjem kaznivih dejanj; ker navajanje nalog na teh treh področjih ne vpliva na upravičenost izjem ali omejitev zaradi državne varnosti ali obrambe;

(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;

(44) ker lahko države članice na podlagi določb zakonodaje Skupnosti določijo odstopanje od določb te direktive glede pravice do dostopa, obveznosti obveščanja posameznikov in kakovosti podatkov, da bi zagotovile nekatere od zgoraj navedenih namenov;

(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;

(45) ker bi moral biti v primerih, pri katerih bi se lahko podatki zakonito obdelali na podlagi javnega interesa, javne oblasti ali zakonitih interesov fizične ali pravne osebe, vsak posameznik, na katerega se osebni podatki nanašajo, kljub vsemu upravičen na podlagi zakonitih in nujnih razlogov, povezanih z njegovim posebnim položajem, upravičen, da ugovarja obdelavi vseh podatkov, ki se nanašajo nanj; ker lahko države članice kljub temu sprejmejo nasprotne nacionalne določbe;

(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;

(46) ker varstvo pravic in svoboščin posameznikov, na katere se osebni podatki nanašajo, v zvezi z obdelavo osebnih podatkov zahteva, da se sprejmejo primerni tehnični in organizacijski ukrepi med načrtovanjem sistema obdelave, pa tudi med samo obdelavo, predvsem zato, da bi ohranjali varnost in tako preprečili vsako nepooblaščeno obdelavo; ker morajo države članice obvezno zagotoviti, da se upravljavci ravnajo po teh ukrepih; ker morajo ti ukrepi zagotoviti ustrezno raven varnosti ob upoštevanju najsodobnejše tehnologije in stroškov njihovega izvajanja glede na tveganja, ki so povezana z obdelavo, ter narave podatkov, ki jih je treba varovati;

(45) Whereas, in cases where data might lawfully be processed on grounds of public interest, official authority or the legitimate interests of a natural or legal person, any data subject should nevertheless be entitled, on legitimate and compelling grounds relating to his particular situation, to object to the processing of any data relating to himself; whereas Member States may nevertheless lay down national provisions to the contrary;

(47) ker, kadar se sporočilo, ki vsebuje osebne podatke, prenese po telekomunikacijah ali elektronski pošti, katerih edini namen je prenos takih sporočil, se upravljavec v zvezi z osebnimi podatki, ki jih vsebuje to sporočilo, običajno šteje za osebo, od katere to sporočilo izvira, in ne oseba, ki nudi storitve prenosa; ker se tisti, ki nudijo take storitve, običajno štejejo za upravljavce v zvezi z obdelavo dodatnih osebnih podatkov, potrebnih za dejavnost storitve;

(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;

(48) ker so postopki za uradno obveščanje nadzornega organa oblikovani tako, da zagotavljajo razkritje namenov in glavnih značilnosti vseh postopkov obdelave zaradi preverjanja, da je postopek v skladu z nacionalnimi predpisi, ki so sprejeti na podlagi te direktive;

(47) Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;

(49) ker zato, da bi se izognili neprimernim upravnim formalnostim, države članice lahko predvidijo izjeme od obveznosti po uradnem obveščanju in poenostavljanju zahtevanega uradnega obveščanja, kadar obdelava zelo verjetno ne bo škodljivo vplivala na pravice in svoboščine posameznikov, na katere se osebni podatki nanašajo, če je v skladu z določbami, ki jih sprejme država članica skupaj z navedbo njihovih omejitev; ker lahko države članice prav tako predvidijo izjemo ali poenostavitev, kadar oseba, ki jo določi upravljavec, zagotovi, da obdelava v teku zelo verjetno ne bo škodljivo vplivala na pravice in svoboščine posameznikov, na katere se osebni podatki nanašajo; ker mora biti taka odgovorna oseba za varstvo osebnih podatkov sposobna opravljati svoje naloge popolnoma samostojno, ne glede na to, ali je zaposlena pri upravljavcu ali ne;

(48) Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;

(50) ker se lahko izjema ali poenostavitev predvidi pri postopkih obdelave, katerih edini namen je vodenje registra, ki je skladno z nacionalno zakonodajo namenjen zagotavljanju informacij javnosti in je na voljo za vpogled javnosti ali kateri koli osebi, ki lahko izkaže zakoniti interes;

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(51) ker kljub temu poenostavitev ali izjema od obveznosti po uradnem obveščanju ne razreši upravljavca nobenih drugih obveznosti, ki izhajajo iz te direktive;

(50) Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;

(52) ker se mora v tem smislu naknadni pregled s strani pristojnih organov na splošno šteti za zadosten ukrep;

(51) Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;

(53) ker bodo nekateri postopki obdelave zaradi svoje narave, obsega ali namenov, kot na primer izključevanje posameznikov iz pravice, ugodnosti ali pogodbe, ali na podlagi posebne uporabe novih tehnologij verjetno predstavljali posebne grožnje za pravice in svoboščine posameznikov, na katere se nanašajo osebni podatki; ker je stvar držav članic, da opredelijo take grožnje v svoji zakonodaji, če to želijo;

(52) Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;

(54) ker bi moralo biti število obdelav, ki predstavljajo tako posebno grožnjo, glede na vse obdelave, ki se opravijo v družbi zelo omejeno; ker morajo države članice določiti, da nadzorni organ ali odgovorna oseba za varstvo osebnih podatkov v sodelovanju z organom preveri tako obdelavo pred njeno izvedbo; ker lahko nadzorni organ po tem predhodnem preverjanju v skladu s svojo nacionalno zakonodajo da mnenje ali dovoljenje v zvezi z obdelavo; ker lahko tako preverjanje ravno tako poteka med pripravo ukrepa nacionalnega parlamenta ali ukrepa, temelječega na takem zakonskem ukrepu, ki opredeljuje naravo obdelave in predpisuje ustrezne zaščitne ukrepe;

(53) Whereas, however, certain processing operation are likely to pose specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, such as that of excluding individuals from a right, benefit or a contract, or by virtue of the specific use of new technologies; whereas it is for Member States, if they so wish, to specify such risks in their legislation;

(55) ker mora nacionalna zakonodaja predvideti sodno varstvo, če upravljavec ne spoštuje pravic posameznikov, na katere se osebni podatki nanašajo; ker mora vso škodo, ki jo lahko utrpi oseba zaradi nezakonite obdelave, nadomestiti upravljavec, ki pa je prost odgovornosti, zlasti če dokaže, da ni odgovoren za škodo, predvsem kadar ugotovi napako na strani posameznika, na katerega se osebni podatki nanašajo, ali v primeru višje sile; ker se morajo sankcije naložiti vsaki osebi, ki ne ravna v skladu z nacionalnimi predpisi na podlagi te direktive, ne glede na to, ali osebo ureja zasebno ali javno pravo;

(54) Whereas with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited; whereas Member States must provide that the supervisory authority, or the data protection official in cooperation with the authority, check such processing prior to it being carried out; whereas following this prior check, the supervisory authority may, according to its national law, give an opinion or an authorization regarding the processing; whereas such checking may equally take place in the course of the preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing and lays down appropriate safeguards;

(56) ker so čezmejni prenosi osebnih podatkov potrebni za razvoj mednarodne trgovine; ker varstvo posameznikov, ki ga ta direktiva zagotavlja v Skupnosti, ne ovira prenosa osebnih podatkov v tretje države, ki zagotavljajo primerno raven varstva; ker se mora primernost ravni varstva, ki jo zagotavlja tretja država, oceniti glede na vse okoliščine, ki spremljajo postopek prenosa ali niz postopkov prenosa;

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

(57) ker se mora po drugi strani prepovedati prenos osebnih podatkov v tretjo državo, ki ne zagotavlja primerne ravni varstva;

(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(58) ker bi bilo treba predvideti izjeme od te prepovedi v okoliščinah, kadar je posameznik, na katerega se osebni podatki nanašajo, dal svojo privolitev, kadar je prenos potreben v zvezi s pogodbo ali pravnim zahtevkom, kadar to zahteva zaščita pomembnega javnega interesa, na primer pri mednarodnih prenosih podatkov med davčnimi ali carinskimi upravami ali med službami, ki so pristojne za zadeve socialne varnosti, ali pa kadar se opravi prenos iz registra, ki je ustanovljen z zakonom in namenjen vpogledu javnosti ali oseb, ki imajo zakoniti interes; ker v tem primeru tak prenos ne bi smel vključevati celotnih podatkov ali celotnih kategorij podatkov, ki jih vsebuje register, in kadar je register namenjen vpogledu oseb, ki imajo zakoniti interes, bi bilo treba prenos opraviti samo na zahtevo teh oseb ali če bodo te osebe prejemniki;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

(59) ker se lahko sprejmejo posebni ukrepi za nadomestitev pomanjkanja varstva v tretji državi, če upravljavec ponudi ustrezne zaščitne ukrepe; ker je poleg tega treba predvideti postopke za pogajanja med Skupnostjo in takimi tretjimi državami;

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

(60) ker se v vsakem primeru prenosi v tretje države lahko opravijo samo v popolni skladnosti s predpisi, ki so jih sprejele države članice na podlagi te direktive in predvsem člena 8;

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

(61) ker morajo države članice in Komisija v skladu s svojimi pristojnostmi spodbujati poslovna združenja in druge predstavniške organizacije, ki se ukvarjajo s pripravljanjem pravil ravnanja za pospeševanje uporabe te direktive, ob upoštevanju posebnih značilnosti obdelave, ki se izvaja na nekaterih področjih, in ob spoštovanju nacionalnih predpisov, sprejetih za njeno izvajanje;

(60) Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;

(62) ker je v državah članicah ustanovitev nadzornih organov, ki opravljajo svoje naloge popolnoma samostojno, bistvena sestavina varstva posameznikov pri obdelavi osebnih podatkov;

(61) Whereas Member States and the Commission, in their respective spheres of competence, must encourage the trade associations and other representative organizations concerned to draw up codes of conduct so as to facilitate the application of this Directive, taking account of the specific characteristics of the processing carried out in certain sectors, and respecting the national provisions adopted for its implementation;

(63) ker morajo taki organi za opravljanje svojih nalog imeti potrebna sredstva, vključno s pooblastili za preiskavo in ukrepanje, predvsem pri pritožbah posameznikov, in pooblastila za sodelovanje v sodnih postopkih; ker morajo taki organi pomagati zagotoviti preglednost obdelave v državah članicah, v katere pristojnost sodijo;

(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;

(64) ker bodo morali organi v raznih državah članicah drug drugemu pomagati pri opravljanju svojih nalog, da bi zagotovili ustrezno spoštovanje predpisov o varstvu v celotni Evropski uniji;

(63) Whereas such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings; whereas such authorities must help to ensure transparency of processing in the Member States within whose jurisdiction they fall;

(65) ker je treba na ravni Skupnosti vzpostaviti delovno skupino za varstvo posameznikov pri obdelavi osebnih podatkov in ker mora biti ta popolnoma samostojna pri opravljanju svojih nalog; ker mora upoštevajoč svojo posebno naravo svetovati Komisiji in predvsem prispevati k enotni uporabi nacionalnih predpisov, sprejetih na podlagi te direktive;

(64) Whereas the authorities in the different Member States will need to assist one another in performing their duties so as to ensure that the rules of protection are properly respected throughout the European Union;

(66) ker uporaba te direktive glede prenosa podatkov v tretje države zahteva podelitev izvedbenih pooblastil Komisiji in uporabo enega izmed postopkov iz Sklepa Sveta 87/373/EGS [4];

(65) Whereas, at Community level, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data must be set up and be completely independent in the performance of its functions; whereas, having regard to its specific nature, it must advise the Commission and, in particular, contribute to the uniform application of the national rules adopted pursuant to this Directive;

(67) ker je bil 20. decembra 1994 dosežen sporazum o modusu vivendi med Evropskim parlamentom, Svetom in Komisijo glede izvedbenih ukrepov za akte, sprejete v skladu s postopkom iz člena 189b Pogodbe ES;

(66) Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC (1);

(68) ker lahko načela, ki so opredeljena v tej direktivi v zvezi z varstvom pravic in svoboščin posameznikov pri obdelavi osebnih podatkov, predvsem njihove pravice do zasebnosti, dopolnijo ali razjasnijo posebna pravila, ki bodo temeljila na teh načelih, zlasti kar zadeva nekatera področja;

(67) Whereas an agreement on a modus vivendi between the European Parliament, the Council and the Commission concerning the implementing measures for acts adopted in accordance with the procedure laid down in Article 189b of the EC Treaty was reached on 20 December 1994;

(69) ker bi moralo biti državam članicam odobreno obdobje največ treh let od začetka veljavnosti nacionalnih predpisov, ki prenašajo to direktivo, v katerem naj bi se taki novi nacionalni predpisi uporabljali postopoma za vse postopke obdelave, ki že potekajo; ker bo državam članicam z namenom omogočiti njihovo racionalno izvajanje odobren nadaljnji rok, ki bo potekel 12 let po dnevu sprejetja te direktive, da bi zagotovili usklajenost obstoječih ročno obdelanih zbirk z nekaterimi določbami direktive; ker je treba tam, kjer se podatki, ki jih vsebujejo take zbirke, ročno obdelujejo v tem podaljšanem prehodnem obdobju, te zbirke v trenutku obdelave uskladiti s temi določbami;

(68) Whereas the principles set out in this Directive regarding the protection of the rights and freedoms of individuals, notably their right to privacy, with regard to the processing of personal data may be supplemented or clarified, in particular as far as certain sectors are concerned, by specific rules based on those principles;

(70) ker posamezniku, na katerega se osebni podatki nanašajo, po začetku veljavnosti nacionalnih predpisov, sprejetih v skladu s to direktivo, ni treba ponovno privoliti, da upravljavcu dovoli nadaljevati obdelavo občutljivih podatkov, ki so potrebni za izvajanje pogodbe, sklenjene na podlagi prostovoljnega in informiranega soglasja pred začetkom veljavnosti teh določb;

(69) Whereas Member States should be allowed a period of not more than three years from the entry into force of the national measures transposing this Directive in which to apply such new national rules progressively to all processing operations already under way; whereas, in order to facilitate their cost-effective implementation, a further period expiring 12 years after the date on which this Directive is adopted will be allowed to Member States to ensure the conformity of existing manual filing systems with certain of the Directive's provisions; whereas, where data contained in such filing systems are manually processed during this extended transition period, those systems must be brought into conformity with these provisions at the time of such processing;

(71) ker ta direktiva ne preprečuje državam članicam, da urejajo aktivnosti trženja, ki so usmerjene k potrošnikom, ki stalno prebivajo na njihovem ozemlju, v kolikor tako urejanje ne zadeva varstva posameznikov v zvezi z obdelavo osebnih podatkov;

(70) Whereas it is not necessary for the data subject to give his consent again so as to allow the controller to continue to process, after the national provisions taken pursuant to this Directive enter into force, any sensitive data necessary for the performance of a contract concluded on the basis of free and informed consent before the entry into force of these provisions;

(72) ker ta direktiva omogoča, da se pri izvrševanju načel iz te direktive upošteva načelo javnega dostopa do uradnih dokumentov,

(71) Whereas this Directive does not stand in the way of a Member State's regulating marketing activities aimed at consumers residing in territory in so far as such regulation does not concern the protection of individuals with regard to the processing of personal data;

SPREJELA NASLEDNJO DIREKTIVO:

(72) Whereas this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive,

POGLAVJE I

HAVE ADOPTED THIS DIRECTIVE:

SPLOŠNE DOLOČBE

Člen 1

Namen direktive

CHAPTER I GENERAL PROVISIONS

1. V skladu s to direktivo države članice varujejo temeljne pravice in svoboščine fizičnih oseb in predvsem njihovo pravico do zasebnosti pri obdelavi osebnih podatkov.

2. Države članice ne omejujejo niti ne prepovedujejo prostega prenosa osebnih podatkov med državami članicami zaradi razlogov, povezanih z varstvom, ki je zagotovljeno na podlagi odstavka 1.

Article 1

Člen 2

Object of the Directive

Opredelitev pojmov

1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

V tej direktivi:

2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.

(a) "osebni podatek" pomeni katero koli informacijo, ki se nanaša na določeno ali določljivo fizično osebo ("posameznik, na katerega se nanašajo osebni podatki"); določljiva oseba je tista, ki se lahko neposredno ali posredno identificira, predvsem s sklicevanjem na identifikacijsko številko ali na enega ali več dejavnikov, ki so značilni za njeno fizično, fiziološko, duševno, ekonomsko, kulturno ali socialno identiteto;

(b) "obdelava osebnih podatkov" ("obdelava") pomeni kakršen koli postopek ali niz postopkov, ki se izvajajo v zvezi z osebnimi podatki z avtomatskimi sredstvi ali brez njih, kakršno je zbiranje, beleženje, urejanje, shranjevanje, prilagajanje ali predelava, iskanje, posvetovanje, uporaba, posredovanje s prenosom, širjenje ali drugo razpolaganje, prilagajanje ali kombiniranje, blokiranje, izbris ali uničenje;

Article 2

(c) "zbirka osebnih podatkov" ("zbirka") pomeni vsak strukturiran niz osebnih podatkov, ki je dostopen v skladu s posebnimi merili, bodisi da je centraliziran, decentraliziran ali razpršen na funkcionalni ali geografski podlagi;

Definitions

(d) "upravljavec" pomeni fizično ali pravno osebo, javni organ, agencijo ali kateri koli drug organ, ki sam ali skupaj z drugimi določa namene in sredstva obdelave osebnih podatkov; kadar namene in sredstva obdelave določa nacionalna zakonodaja ali zakonodaja Skupnosti, lahko upravljavca ali posebna merila za njegovo imenovanje določi nacionalna zakonodaja ali zakonodaja Skupnosti;

For the purposes of this Directive:

(e) "obdelovalec" pomeni fizično ali pravno osebo, javni organ, agencijo ali kateri koli drug organ, ki obdeluje osebne podatke v imenu upravljavca;

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(f) "tretja stranka" pomeni katero koli fizično ali pravno osebo, javni organ, agencijo ali kateri koli drug organ, ki ni posameznik, na katerega se osebni podatki nanašajo, upravljavec, obdelovalec in oseba, ki je pod neposredno oblastjo upravljavca ali obdelovalca pooblaščena za obdelavo podatkov;

(b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(g) "prejemnik" pomeni fizično ali pravno osebo, javni organ, agencijo ali kateri koli drug organ, ki se mu posreduje podatke, bodisi da je tretja stranka ali ne; vendar pa se organi, ki lahko prejmejo podatke v okviru posamezne poizvedbe, ne štejejo kot prejemniki;

(c) 'personal data filing system' ('filing system') shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(h) "privolitev posameznika, na katerega se nanašajo osebni podatki" pomeni vsako prostovoljno dano posebno in informirano izjavo volje, s katero posameznik, na katerega se osebni podatki nanašajo, izrazi soglasje, da se osebni podatki o njem obdelujejo.

(d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

Člen 3

(e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

Področje uporabe

(f) 'third party' shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

1. Ta direktiva se uporablja za obdelavo osebnih podatkov v celoti ali delno z avtomatskimi sredstvi in za drugačno obdelavo kakor z avtomatskimi sredstvi za osebne podatke, ki sestavljajo del zbirke ali so namenjeni sestavljanju dela zbirke.

(g) 'recipient' shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

2. Ta direktiva se ne uporablja za obdelavo osebnih podatkov:

(h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

- med dejavnostjo, ki ne sodi na področje uporabe zakonodaje Skupnosti, kot so tiste, opredeljene v naslovih V in VI Pogodbe o Evropski uniji, in v vsakem primeru v postopkih obdelave v zvezi z javno varnostjo, obrambo, državno varnostjo (vključno z gospodarsko blaginjo države, kadar se postopek obdelave nanaša na zadeve državne varnosti) in pri dejavnostih države na področju kazenskega prava,

- s strani fizične osebe med potekom popolnoma osebne ali domače dejavnosti.

Article 3

Člen 4

Scope

Uporaba nacionalne zakonodaje

1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

1. Vsaka država članica za obdelavo osebnih podatkov uporablja nacionalne predpise, ki jih sprejme v skladu s to direktivo, kadar:

2. This Directive shall not apply to the processing of personal data:

(a) se obdelava izvaja v okviru dejavnosti ustanovitve upravljavca na ozemlju države članice; kadar je isti upravljavec ustanovljen na ozemlju več držav članic, mora sprejeti potrebne ukrepe za zagotovitev, da vsaka od teh ustanovitev izpolnjuje obveznosti, ki jih določa veljavno nacionalno pravo;

- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

(b) upravljavec ni ustanovljen na ozemlju države članice, ampak v kraju, kjer se njegova nacionalna zakonodaja uporablja na podlagi mednarodnega javnega prava;

- by a natural person in the course of a purely personal or household activity.

(c) upravljavec ni ustanovljen na ozemlju Skupnosti in za obdelavo osebnih podatkov uporablja avtomatsko ali drugo opremo, ki se nahaja na ozemlju te države članice, razen če se taka oprema uporablja samo za prehod prek Skupnosti.

2. V okoliščinah, navedenih v odstavku 1(c), mora upravljavec določiti predstavnika, ki je ustanovljen na ozemlju omenjene države članice, ne da bi to posegalo v tožbe, ki se lahko vložijo zoper samega upravljavca.

Article 4

POGLAVJE II

National law applicable

SPLOŠNA PRAVILA O ZAKONITOSTI OBDELAVE OSEBNIH PODATKOV

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

Člen 5

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

Države članice v mejah določb tega poglavja natančneje določijo pogoje, pod katerimi je obdelava osebnih podatkov zakonita.

(b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;

ODDELEK I

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

NAČELA V ZVEZI S KAKOVOSTJO PODATKOV

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

Člen 6

1. Države članice določijo, da morajo biti osebni podatki:

CHAPTER II GENERAL RULES ON THE LAWFULNESS OF THE PROCESSING OF PERSONAL DATA

(a) pošteno in zakonito obdelani;

(b) zbrani za določene, izrecne ter zakonite namene in se ne smejo naprej obdelovati na način, ki je nezdružljiv s temi nameni. Nadaljnja obdelava podatkov v zgodovinske, statistične ali znanstvene namene se ne šteje za nezdružljivo, če države članice zagotovijo ustrezne zaščitne ukrepe;

Article 5

(c) primerni, ustrezni in ne pretirani glede na namene, za katere se zbirajo in/ali naprej obdelujejo;

Member States shall, within the limits of the provisions of this Chapter, determine more precisely the conditions under which the processing of personal data is lawful.

(d) točni in po potrebi ažurirani; uporabiti je treba vse primerne ukrepe za zagotovitev, da se podatki, ki so netočni ali nepopolni, zbrišejo ali popravijo, ob upoštevanju namenov, za katere so bili zbrani ali za katere se naprej obdelujejo;

SECTION I

(e) shranjeni v obliki, ki dopušča identifikacijo posameznikov, na katere se osebni podatki nanašajo, le toliko časa, kolikor je potrebno za namene, za katere so bili podatki zbrani ali za katere se naprej obdelujejo. Države članice določijo ustrezne zaščitne ukrepe za osebne podatke, shranjene za daljša obdobja za zgodovinsko, statistično ali znanstveno uporabo.

PRINCIPLES RELATING TO DATA QUALITY

2. Upravljavec mora zagotoviti, da se ravna v skladu z odstavkom 1.

ODDELEK II

Article 6

MERILA ZA ZAKONITOST OBDELAVE PODATKOV

1. Member States shall provide that personal data must be:

Člen 7

(a) processed fairly and lawfully;

Države članice določijo, da se lahko osebni podatki obdelujejo samo, če:

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(a) je posameznik, na katerega se osebni podatki nanašajo, nedvoumno dal svojo privolitev; ali

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(b) je obdelava potrebna za izvajanje pogodbe, katere stranka je posameznik, na katerega se nanašajo osebni podatki, ali pa za izvajanje ukrepov na zahtevo posameznika, na katerega se osebni podatki nanašajo, pred sklenitvijo pogodbe; ali

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(c) je obdelava potrebna za skladnost z zakonsko obveznostjo, ki velja za upravljavca; ali

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

(d) je obdelava potrebna za varstvo življenjskih interesov posameznikov, na katere se osebni podatki nanašajo; ali

2. It shall be for the controller to ensure that paragraph 1 is complied with.

(e) je obdelava potrebna za izvajanje naloge, ki se opravlja v javnem interesu ali pri izvrševanju javne oblasti, dodeljene upravljavcu ali tretji stranki, ki so ji posredovani podatki; ali

SECTION II

(f) je obdelava potrebna zaradi zakonitih interesov, za katere si prizadeva upravljavec ali tretja stranka ali stranke, ki so jim osebni podatki posredovani, razen kadar nad takimi interesi prevladajo temeljne pravice in svoboščine posameznika, na katerega se osebni podatki nanašajo, ki se varujejo na podlagi člena 1(1).

CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

ODDELEK III

POSEBNE VRSTE OBDELAVE

Article 7

Člen 8

Member States shall provide that personal data may be processed only if:

Obdelava posebnih vrst podatkov

(a) the data subject has unambiguously given his consent; or

1. Države članice prepovejo obdelavo osebnih podatkov, ki kažejo na rasni ali etnični izvor, politična mnenja, verska ali filozofska prepričanja, pripadnost sindikatu, in obdelavo podatkov v zvezi z zdravjem ali spolnim življenjem.

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

2. Odstavek 1 se ne uporablja, kadar:

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(a) je posameznik, na katerega se osebni podatki nanašajo, dal svojo izrecno privolitev k obdelavi teh podatkov, razen kadar zakonodaja države članice določi, da se od prepovedi iz odstavka 1 ne sme odstopiti s tem, da posameznik, na katerega se osebni podatki nanašajo, da svojo privolitev; ali

(d) processing is necessary in order to protect the vital interests of the data subject; or

(b) je obdelava potrebna zaradi izpolnjevanja obveznosti in posebnih pravic upravljavca na področju prava zaposlovanja, če jo dovoljuje nacionalna zakonodaja, ki zagotovi ustrezne zaščitne ukrepe; ali

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(c) je obdelava potrebna za varstvo življenjskih interesov posameznika, na katerega se osebni podatki nanašajo, ali druge osebe, kadar posameznik, na katerega se osebni podatki nanašajo, fizično ali pravno ni sposoben dati svoje privolitve; ali

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

(d) obdelavo pri svojih zakonitih dejavnostih z ustreznimi garancijami izvaja ustanova, združenje ali kateri drug neprofitni organ s političnim, filozofskim, verskim ali sindikalnim ciljem in pod pogojem, da se obdelava nanaša samo na člane organa ali na osebe, ki so v rednem stiku z njim v zvezi z njegovimi nameni, in da se podatki ne posredujejo tretji stranki brez privolitve posameznikov, na katere se nanašajo; ali

SECTION III

(e) se obdelava nanaša na podatke, ki jih posameznik, na katerega se nanašajo, javno objavi ali je potrebna za uveljavljanje, izvajanje ali obrambo pravnih zahtevkov.

SPECIAL CATEGORIES OF PROCESSING

3. Odstavek 1 se ne uporablja, kadar se podatki obdelujejo za potrebe preventivne medicine, zdravstvene diagnoze, za zagotovitev oskrbe, ali zdravljenja, ali vodenje zdravstvenih služb in kadar te podatke obdeluje zdravstveni delavec na podlagi nacionalne zakonodaje ali pravil, ki jih sprejmejo pristojni nacionalni organi glede dolžnosti poklicne molčečnosti, ali druga oseba, ki je prav tako zavezana enaki dolžnosti molčečnosti.

4. Ob upoštevanju ustreznih zaščitnih ukrepov lahko države članice zaradi javnega interesa bistvenega pomena določijo dodatne izjeme poleg tistih iz odstavka 2, bodisi z nacionalno zakonodajo ali odločitvijo nadzornega organa.

Article 8

5. Obdelava podatkov v zvezi s prekrški, kazenskimi obsodbami ali varnostnimi ukrepi se lahko izvaja samo pod nadzorom uradnega organa ali pa če nacionalna zakonodaja določi ustrezne posebne zaščitne ukrepe ob upoštevanju odstopanj, ki jih lahko zagotovi država članica na podlagi nacionalnih predpisov, ki določajo ustrezne posebne zaščitne ukrepe. Vendar pa se popoln register kazenskih obsodb lahko vodi samo pod nadzorom uradnega organa.

The processing of special categories of data

Države članice lahko določijo, da se podatki v zvezi z upravnimi kaznimi ali sodbami v civilnih zadevah lahko tudi obdelujejo pod nadzorom uradnega organa.

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

6. Komisija je uradno obveščena o odstopanjih od odstavka 1, ki jih opredeljujeta odstavka 4 in 5.

2. Paragraph 1 shall not apply where:

7. Države članice določijo pogoje, pod katerimi se lahko obdela nacionalna identifikacijska številka ali kateri koli drug identifikator splošne uporabe.

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

Člen 9

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

Obdelava osebnih podatkov in svoboda izražanja

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

Države članice določijo izjeme ali odstopanja od določb tega poglavja, poglavja IV in poglavja VI za obdelavo osebnih podatkov, ki se izvaja zgolj v novinarske namene ali zaradi umetniškega ali literarnega izražanja samo, če so potrebna za uskladitev pravice do zasebnosti s predpisi, ki urejajo svobodo izražanja.

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

ODDELEK IV

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

INFORMACIJE, POSREDOVANE POSAMEZNIKU, NA KATEREGA SE OSEBNI PODATKI NANAŠAJO

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

Člen 10

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

Informacije v primerih zbiranja podatkov od posameznika, na katerega se osebni podatki nanašajo

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Države članice določijo, da morata upravljavec ali njegov predstavnik zagotoviti posamezniku, na katerega se osebni podatki nanašajo in od katerega se podatki v zvezi z njim zbirajo, vsaj naslednje informacije, razen kadar jih že ima:

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

(a) istovetnost upravljavca ali njegovega predstavnika, če obstaja;

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

(b) namene obdelave podatkov;

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.

(c) vse nadaljnje informacije, npr.

- prejemnike ali vrste prejemnikov podatkov,

Article 9

- ali so odgovori na vprašanja obvezni ali prostovoljni, pa tudi možne posledice, če ne odgovori,

Processing of personal data and freedom of expression

- obstoj pravice do dostopa in pravice do popravka podatkov, ki se nanašajo nanj,

Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

kolikor so take nadaljnje informacije potrebne, ob upoštevanju posebnih okoliščin, v katerih se podatki zbirajo, za zagotovitev poštene obdelave glede na posameznika, na katerega se osebni podatki nanašajo.

SECTION IV

Člen 11

INFORMATION TO BE GIVEN TO THE DATA SUBJECT

Informacije, kadar podatki niso bili pridobljeni od posameznika, na katerega se osebni podatki nanašajo

1. Kadar podatki niso bili pridobljeni od posameznika, na katerega se osebni podatki nanašajo, države članice zagotovijo, da mora upravljavec ali njegov predstavnik med zbiranjem osebnih podatkov ali, če se predvideva posredovanje tretji stranki, najpozneje tedaj, ko se podatki prvič posredujejo, zagotoviti posamezniku, na katerega se osebni podatki nanašajo, vsaj naslednje informacije, razen kadar jih že ima:

Article 10

- istovetnost upravljavca in njegovega predstavnika, če obstaja;

Information in cases of collection of data from the data subject

- namene obdelave;

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

- vse nadaljnje informacije, npr.

(a) the identity of the controller and of his representative, if any;

- vrste zadevnih podatkov,

(b) the purposes of the processing for which the data are intended;

- prejemnike ali vrste prejemnikov,

(c) any further information such as

- obstoj pravice do dostopa in pravice do popravka podatkov, ki se nanašajo nanj,

- the recipients or categories of recipients of the data,

kolikor so take nadaljnje informacije potrebne, ob upoštevanju posebnih okoliščin, v katerih se podatki obdelujejo, za zagotovitev poštene obdelave glede na posameznika, na katerega se osebni podatki nanašajo.

- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

2. Odstavek 1 se ne uporablja tam, kjer se predvsem za obdelavo v statistične namene ali zaradi zgodovinskih ali znanstvenih raziskav zagotovitev takih informacij izkaže za nemogočo, ali bi vključevala nesorazmeren napor, ali pa zakon izrecno določa zbiranje oziroma posredovanje. V teh primerih države članice zagotovijo ustrezne zaščitne ukrepe.

- the existence of the right of access to and the right to rectify the data concerning him

ODDELEK V

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

PRAVICA POSAMEZNIKA, NA KATEREGA SE NANAŠAJO OSEBNI PODATKI, DO DOSTOPA DO PODATKOV

Člen 12

Article 11

Pravica do dostopa

Information where the data have not been obtained from the data subject

Države članice jamčijo vsakemu posamezniku, na katerega se osebni podatki nanašajo, pravico, da pridobi od upravljavca:

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) brez omejitev v razumnem času in brez večjih zamud ali stroškov:

(a) the identity of the controller and of his representative, if any;

- potrditev tega, ali se podatki v zvezi z njim obdelujejo ali ne, in informacije vsaj glede namenov obdelave, vrste zadevnih podatkov in prejemnikov ali vrste prejemnikov, ki so jim podatki posredovani,

(b) the purposes of the processing;

- sporočilo v razumljivi obliki o osebnih podatkih, ki so v obdelavi, in vseh razpoložljivih informacijah glede njihovega vira,

(c) any further information such as

- informacije o logiki, zajeti v vse avtomatske obdelave podatkov, ki se nanašajo nanj, vsaj pri avtomatiziranih odločitvah iz člena 15(1);

- the categories of data concerned,

(b) po potrebi popravke, izbris ali blokiranje podatkov, katerih obdelava ni v skladu z določbami te direktive, predvsem zaradi nepopolnih ali netočnih podatkov;

- the recipients or categories of recipients,

(c) uradno obvestilo tretjim strankam, ki so jim bili posredovani podatki, o vseh popravkih, izbrisu ali blokiranju, izvedenem v skladu z (b), razen če se to izkaže za nemogoče ali če vključuje nesorazmeren napor.

- the existence of the right of access to and the right to rectify the data concerning him

ODDELEK VI

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

IZJEME IN OMEJITVE

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

Člen 13

SECTION V

Izjeme in omejitve

THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA

1. Države članice lahko sprejmejo predpise za omejitev obsega obveznosti in pravic, opredeljenih v členih 6(1), 10, 11(1), 12 in 21, kadar taka omejitev predstavlja potrebni ukrep za zaščito:

(a) državne varnosti;

Article 12

(b) obrambe;

Right of access

(c) javne varnosti;

Member States shall guarantee every data subject the right to obtain from the controller:

(d) preprečevanja, preiskovanja, odkrivanja in pregona kaznivih dejanj ali kršitve etike za zakonsko urejene poklice;

(a) without constraint at reasonable intervals and without excessive delay or expense:

(e) pomembnega gospodarskega ali finančnega interesa države članice ali Evropske unije, vključno z denarnimi, proračunskimi in davčnimi zadevami;

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

(f) spremljanja, pregledovanja ali urejanja, povezanega, četudi občasno, z izvajanjem javne oblasti v primerih iz (c), (d) in (e);

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

(g) posameznika, na katerega se nanašajo osebni podatki, ali pravic in svoboščin drugih.

- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);

2. Ob upoštevanju ustreznih zakonskih zaščitnih ukrepov, predvsem da se podatki ne uporabijo za sprejemanje ukrepov ali odločitev v zvezi z določenim posameznikom, lahko države članice takrat, ko očitno ni nevarnosti za kršitev zasebnosti posameznika, na katerega se nanašajo osebni podatki, zakonsko omejijo pravice, ki jih opredeljuje člen 12, kadar se podatki obdelujejo samo v znanstvenoraziskovalne namene ali se hranijo v obliki, ki omogoča identifikacijo posameznika, za obdobje, ki ne presega potrebnega obdobja, česar edini namen je izdelava statistike.

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

ODDELEK VII

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

PRAVICA POSAMEZNIKA, NA KATEREGA SE NANAŠAJO OSEBNI PODATKI, DO UGOVORA

SECTION VI

Člen 14

EXEMPTIONS AND RESTRICTIONS

Pravica posameznika, na katerega se nanašajo osebni podatki, do ugovora

Države članice priznavajo posamezniku, na katerega se osebni podatki nanašajo, pravico:

Article 13

(a) da vsaj v primerih iz člena 7(e) in (f) na podlagi zakonitih in nujnih razlogov, povezanih z njegovim posebnim položajem kadar koli ugovarja obdelavi podatkov, ki se nanašajo nanj, razen kjer nacionalna zakonodaja določa drugače. Kadar obstaja utemeljen ugovor, obdelava, ki jo uvede upravljavec, ne sme več vključevati teh podatkov;

Exemptions and restrictions

(b) da na zahtevo in brezplačno ugovarja obdelavi osebnih podatkov, ki se nanašajo nanj, glede katerih upravljavec pričakuje obdelavo zaradi neposrednega trženja, ali da je obveščen, preden se osebni podatki prvič posredujejo tretjim strankam ali se uporabijo v njihovem imenu zaradi neposrednega trženja, in da je izrecno opozorjen na pravico, da brezplačno ugovarja takemu posredovanju ali uporabi.

1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:

Države članice sprejmejo potrebne ukrepe za zagotovitev, da se posamezniki, na katere se osebni podatki nanašajo, zavedajo obstoja pravice iz prvega pododstavka (b).

(a) national security;

Člen 15

(b) defence;

Avtomatizirane posamične odločitve

(c) public security;

1. Države članice vsaki osebi priznavajo pravico, da se o njej ne bo sprejela odločitev, ki ima pravne učinke v zvezi z njo ali nanjo znatno vpliva in ki temelji zgolj na avtomatski obdelavi podatkov, namenjeni ovrednotenju nekaterih osebnih vidikov v zvezi s to osebo, kakršni so njena uspešnost pri delu, kreditna sposobnost, zanesljivost, ravnanje itn.

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

2. Ob upoštevanju preostalih členov te direktive države članice določijo, da se o osebi lahko sprejme vrsta odločitve iz odstavka 1, če se ta odločitev:

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(a) sprejme med sklepanjem ali izvrševanjem pogodbe, pod pogojem, da je zahteva po sklepanju ali izvajanju pogodbe, ki jo vloži posameznik, na katerega se osebni podatki nanašajo, izpolnjena ali da obstajajo primerni ukrepi za zaščito njegovih zakonitih interesov, kakršni so dogovori, ki mu omogočajo izraziti njegovo stališče; ali

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(b) je dovoljena z zakonodajo, ki določa tudi ukrepe za zaščito zakonitih interesov posameznika, na katerega se nanašajo osebni podatki.

(g) the protection of the data subject or of the rights and freedoms of others.

ODDELEK VIII

2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

ZAUPNOST IN VARNOST OBDELAVE

SECTION VII

Člen 16

THE DATA SUBJECT'S RIGHT TO OBJECT

Zaupnost obdelave

Nobena oseba, ki odgovarja upravljavcu ali obdelovalcu, vključno s samim obdelovalcem, ki ima dostop do osebnih podatkov, teh ne sme obdelovati brez navodil upravljavca, razen če to od nje zahteva zakon.

Article 14

Člen 17

The data subject's right to object

Varnost obdelave

Member States shall grant the data subject the right:

1. Države članice določijo, da mora upravljavec izvajati ustrezne tehnične in organizacijske ukrepe za zavarovanje osebnih podatkov pred slučajnim ali nezakonitim uničenjem ali slučajno izgubo, predelavo, nepooblaščenim posredovanjem ali dostopom, predvsem kadar obdelava vključuje prenos podatkov po omrežju, ter proti vsem drugim nezakonitim oblikam obdelave.

(a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

Taki ukrepi ob upoštevanju stanja tehnologije in stroškov za njihovo izvajanje zagotavljajo raven zaščite, ustrezno tveganju, ki ga predstavljata obdelava in narava podatkov, ki jih je potrebno varovati.

(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.

2. Države članice določijo, da mora upravljavec, kadar se obdelava izvaja v njegovem imenu, izbrati obdelovalca, ki zagotavlja zadostne garancije glede tehničnih varnostnih ukrepov in organizacijskih ukrepov, ki urejajo obdelavo, ki jo je treba opraviti, ter mora zagotoviti skladnost s temi ukrepi.

Member States shall take the necessary measures to ensure that data subjects are aware of the existence of the right referred to in the first subparagraph of (b).

3. Izvajanje obdelave prek obdelovalca mora urejati pogodba ali pravni akt, ki obdelovalca zavezuje nasproti upravljavcu in ki določa predvsem, da:

- obdelovalec deluje samo po navodilih upravljavca,

Article 15

- so obveznosti iz odstavka 1, kakor jih določa zakonodaja države članice, v kateri je ustanovljen obdelovalec, zavezujoče tudi za obdelovalca.

Automated individual decisions

4. Zaradi dokazovanja morajo biti deli pogodbe ali pravnega akta, ki se nanaša na varstvo podatkov, in zahteve v zvezi z ukrepi iz odstavka 1 v pisni ali drugi enakovredni obliki.

1. Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.

ODDELEK IX

2. Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a decision of the kind referred to in paragraph 1 if that decision:

URADNO OBVEŠČANJE

(a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or

Člen 18

(b) is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests.

Obveznost uradnega obveščanja nadzornega organa

SECTION VIII

1. Države članice določijo, da morata upravljavec ali njegov predstavnik, če obstaja, uradno obvestiti nadzorni organ iz člena 28 pred začetkom izvajanja popolnoma ali delno avtomatskega postopka obdelave ali niza takih postopkov, ki so namenjeni enemu samemu cilju ali več povezanim ciljem.

CONFIDENTIALITY AND SECURITY OF PROCESSING

2. Države članice lahko predvidijo poenostavitev ali izjeme od uradnega obveščanja samo v naslednjih primerih in pod naslednjimi pogoji:

- kadar za kategorije postopkov obdelave, ki zelo verjetno ne bodo, ob upoštevanju podatkov, ki naj bi se obdelali, škodljivo vplivali na pravice in svoboščine posameznikov, na katere se nanašajo osebni podatki, določijo namene obdelave, podatke ali kategorije podatkov, ki se obdelujejo, kategorijo ali kategorije posameznika, na katerega se nanašajo osebni podatki, prejemnike ali kategorije prejemnikov, ki naj bi se jim podatki posredovali, in obdobje, v katerem naj bi se podatki shranili, in/ali

Article 16

- kadar upravljavec v skladu z nacionalno zakonodajo, ki se zanj uporablja, imenuje odgovorno osebo za varstvo osebnih podatkov, ki je odgovorna predvsem za:

Confidentiality of processing

- zagotavljanje notranje uporabe nacionalnih določb, sprejetih v skladu s to direktivo, na neodvisen način,

Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.

- vodenje registra postopkov obdelave, ki jih izvaja upravljavec, ki vsebuje posamezne informacije iz člena 21(2),

s čimer zagotovi, da postopki obdelave zelo verjetno ne bodo škodljivo vplivali na pravice in svoboščine posameznikov, na katere se osebni podatki nanašajo.

Article 17

3. Države članice lahko določijo, da se odstavek 1 ne uporablja za obdelavo, katere edini namen je vodenje registra, ki je v skladu z zakoni ali predpisi namenjen zagotavljanju informacij javnosti in ki je na voljo za vpogled javnosti na splošno, pa tudi kateri koli osebi, ki izkaže zakoniti interes.

Security of processing

4. Države članice lahko predvidijo izjemo od obveznosti uradnega obveščanja ali poenostavitev uradnega obveščanja pri postopkih obdelave iz člena 8(2)(d).

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

5. Države članice lahko predpišejo, da se o nekaterih ali o vseh neavtomatskih postopkih obdelave, ki vključujejo osebne podatke, uradno obvešča, ali pa predvidijo, da se za te postopke obdelave upošteva poenostavljeno uradno obveščanje.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

Člen 19

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

Vsebina uradnega obveščanja

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

1. Države članice določijo informacije, ki morajo biti v uradnem obvestilu. To vključuje vsaj:

- the processor shall act only on instructions from the controller,

(a) osebno ime in naslov upravljavca in njegovega predstavnika, če ta obstaja;

- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

(b) namen ali namene obdelave;

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

(c) opis kategorije ali kategorij posameznika, na katerega se osebni podatki nanašajo, in podatkov ali kategorij podatkov, ki se nanje nanašajo;

SECTION IX

(d) prejemnike ali kategorije prejemnika, ki bi se jim podatki lahko posredovali;

NOTIFICATION

(e) predlagane prenose podatkov v tretje države;

(f) splošni opis, ki omogoča oblikovanje predhodne ocene ustreznosti ukrepov, sprejetih v skladu s členom 17, da bi zagotovili varnost obdelave.

Article 18

2. Države članice določijo postopke, na podlagi katerih se mora kakršna koli sprememba, ki vpliva na informacije iz odstavka 1, uradno sporočiti nadzornemu organu.

Obligation to notify the supervisory authority

Člen 20

1. Member States shall provide that the controller or his representative, if any, must notify the supervisory authority referred to in Article 28 before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.

Predhodno preverjanje

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

1. Države članice določijo postopke obdelave, ki bodo verjetno predstavljali posebno nevarnost za pravice in svoboščine posameznikov, na katere se osebni podatki nanašajo, in preverijo, da se ti postopki obdelave preučijo, preden se začnejo izvajati.

- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or

2. Tako predhodno preverjanje izvaja nadzorni organ po prejemu uradnega obvestila upravljavca ali odgovorne osebe za varstvo osebnih podatkov, v dvomu pa se mora posvetovati z nadzornim organom.

- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

3. Države članice lahko tako preverjanje izvajajo tudi v okviru priprave bodisi ukrepa nacionalnega parlamenta bodisi ukrepa, temelječega na takem zakonodajnem ukrepu, ki opredeljuje naravo obdelave in predpisuje ustrezne zaščitne ukrepe.

- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive

Člen 21

- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

Objava postopkov obdelave

thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

1. Države članice sprejmejo ukrepe, da se zagotovi objava postopkov obdelave.

3. Member States may provide that paragraph 1 does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest.

2. Države članice določijo, da register postopkov obdelave, ki so uradno sporočeni v skladu s členom 18, vodi nadzorni organ.

4. Member States may provide for an exemption from the obligation to notify or a simplification of the notification in the case of processing operations referred to in Article 8 (2) (d).

Register vsebuje vsaj informacije, navedene v členu 19(1)(a) do (e).

5. Member States may stipulate that certain or all non-automatic processing operations involving personal data shall be notified, or provide for these processing operations to be subject to simplified notification.

Register lahko pregleda katera koli oseba.

3. Države članice v zvezi s postopki obdelave, ki niso predmet uradnega obveščanja, določijo, da upravljavci ali kateri koli drug organ, ki ga določijo države članice, vsaki osebi na zahtevo da na voljo vsaj informacije iz člena 19(1)(a) do (e) v ustrezni obliki.

Article 19

Države članice lahko določijo, da se ta določba ne uporablja za obdelavo, katere edini namen je vodenje registra, ki je v skladu z zakoni ali drugimi predpisi namenjen zagotavljanju informacij javnosti in je na voljo za vpogled javnosti na splošno, pa tudi kateri koli osebi, ki lahko izkaže zakoniti interes.

Contents of notification

POGLAVJE III

1. Member States shall specify the information to be given in the notification. It shall include at least:

PRAVNA SREDSTVA, ODGOVORNOST IN SANKCIJE

(a) the name and address of the controller and of his representative, if any;

Člen 22

(b) the purpose or purposes of the processing;

Pravna sredstva

(c) a description of the category or categories of data subject and of the data or categories of data relating to them;

Brez poseganja v upravnopravna pravna sredstva pred predložitvijo zadeve sodnemu organu, ki jih je možno med drugim predvideti pred nadzornim organom iz člena 28, države članice zagotovijo, da ima vsaka oseba v primeru kršitve pravic, zagotovljenih z nacionalno zakonodajo, ki se nanaša na zadevno obdelavo, pravico vložiti pravno sredstvo na sodišču.

(d) the recipients or categories of recipient to whom the data might be disclosed;

Člen 23

(e) proposed transfers of data to third countries;

Odgovornost

(f) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 17 to ensure security of processing.

1. Države članice določijo, da je katera koli oseba, ki je utrpela škodo kot posledico nezakonitega postopka obdelave ali katerega koli dejanja, ki je nezdružljivo z nacionalnimi določbami, sprejetimi v skladu s to direktivo, upravičena od upravljavca zahtevati odškodnino za to škodo.

2. Member States shall specify the procedures under which any change affecting the information referred to in paragraph 1 must be notified to the supervisory authority.

2. Upravljavec je lahko v celoti ali delno prost te odgovornosti, če dokaže, da ni odgovoren za dogodek, ki je povzročil škodo.

Člen 24

Article 20

Sankcije

Prior checking

Države članice sprejmejo ustrezne ukrepe za zagotovitev popolne izvedbe določb te direktive in predvsem določijo sankcije, ki se naložijo ob kršitvi določb, sprejetih v skladu s to direktivo.

1. Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.

POGLAVJE IV

2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.

PRENOS OSEBNIH PODATKOV V TRETJE DRŽAVE

3. Member States may also carry out such checks in the context of preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which define the nature of the processing and lay down appropriate safeguards.

Člen 25

Načela

Article 21

1. Države članice predvidijo, da se lahko prenos osebnih podatkov, ki so v obdelavi ali so namenjeni obdelavi po dovoljenem prenosu, v tretjo državo izvede le, če brez poseganja v skladnost z nacionalnimi določbami, ki so sprejete v skladu z drugimi določbami te direktive, ta tretja država zagotovi ustrezno raven varstva.

Publicizing of processing operations

2. Ustreznost ravni varstva, ki jo nudi tretja država, se oceni glede na vse okoliščine, ki so povezane s postopkom prenosa ali z nizom postopkov prenosa podatkov; predvsem je treba upoštevati značaj podatkov, namen in trajanje predlaganega postopka ali postopkov obdelave, državo izvora in ciljno državo, pravno ureditev, bodisi splošno ali sektorsko, ki je v veljavi v tretji državi, ter strokovne predpise in varnostne ukrepe, ki se uporabljajo v tej državi.

1. Member States shall take measures to ensure that processing operations are publicized.

3. Države članice in Komisija se medsebojno obveščajo o primerih, za katere menijo, da tretja država ne zagotavlja ustrezne ravni varstva v smislu odstavka 2.

2. Member States shall provide that a register of processing operations notified in accordance with Article 18 shall be kept by the supervisory authority.

4. Kadar Komisija na podlagi postopka iz člena 31(2) ugotovi, da tretja država ne zagotavlja ustrezne ravni varstva v smislu odstavka 2 tega člena, države članice sprejmejo ukrepe, ki so potrebni za preprečevanje kakršnih koli prenosov podatkov iste vrste v to tretjo državo.

The register shall contain at least the information listed in Article 19 (1) (a) to (e).

5. Ko je ustrezno, Komisija začne pogajanja glede ureditve položaja, ki izhaja iz ugotovitve po odstavku 4.

The register may be inspected by any person.

6. Komisija lahko v skladu s postopkom iz člena 31(2) ugotovi, da tretja država zagotavlja ustrezno raven varstva v smislu odstavka 2 tega člena zaradi svoje domače zakonodaje ali mednarodnih obveznosti, ki jih je prevzela, predvsem na podlagi zaključka pogajanj iz odstavka 5, za zaščito zasebnega življenja in temeljnih svoboščin in pravic posameznikov.

3. Member States shall provide, in relation to processing operations not subject to notification, that controllers or another body appointed by the Member States make available at least the information referred to in Article 19 (1) (a) to (e) in an appropriate form to any person on request.

Države članice sprejmejo ukrepe, ki so potrebni za uskladitev z odločitvijo Komisije.

Member States may provide that this provision does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can provide proof of a legitimate interest.

Člen 26

Odstopanja

CHAPTER III JUDICIAL REMEDIES, LIABILITY AND SANCTIONS

1. Z odstopanjem od člena 25 in če nacionalno pravo za posamične primere ne določa drugače, države članice določijo, da se prenos ali niz prenosov osebnih podatkov v tretjo državo, ki ne zagotavlja ustrezne ravni varstva v smislu člena 25(2), lahko izvede pod pogojem, da:

(a) je posameznik, na katerega se osebni podatki nanašajo, nedvoumno dal svojo privolitev k predlaganemu prenosu; ali

Article 22

(b) je prenos potreben za izvedbo pogodbe med posameznikom, na katerega se nanašajo osebni podatki, in upravljavcem ali za izvajanje predpogodbenih ukrepov, sprejetih kot odgovor na zahtevo posameznika, na katerega se nanašajo osebni podatki; ali

Remedies

(c) je prenos potreben za sklenitev ali izvedbo pogodbe med upravljavcem in tretjo stranko, ki je v korist posameznika, na katerega se osebni podatki nanašajo; ali

Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.

(d) je prenos potreben oziroma ga zahteva zakon na temelju pomembnega javnega interesa ali pa za uveljavitev, izvajanje ali obdržanje pravice do pravnih zahtevkov; ali

(e) je prenos potreben, da bi zaščitili življenjske interese posameznikov, na katere se osebni podatki nanašajo; ali

Article 23

(f) se prenos opravi iz registra, ki je skladno z zakoni ali predpisi namenjen zagotavljanju informacij javnosti in je na voljo za vpogled javnosti na splošno ali kateri koli osebi, ki lahko izkaže zakoniti interes, v kolikor so v posameznem primeru izpolnjeni pogoji, ki jih za vpogled določa zakon.

Liability

2. Brez poseganja v odstavek 1 lahko država članica dovoli prenos ali niz prenosov osebnih podatkov v tretjo državo, ki ne zagotavlja ustrezne ravni varstva v smislu člena 25(2), kadar upravljavec navede ustrezne zaščitne ukrepe glede varstva zasebnosti ter temeljnih pravic in svoboščin posameznikov in glede uresničevanja ustreznih pravic; takšni zaščitni ukrepi lahko predvsem izhajajo iz ustreznih pogodbenih klavzul.

1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

3. Država članica obvesti Komisijo in druge države članice o dovoljenjih, ki jih odobri v skladu z odstavkom 2.

2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

Če država članica ali Komisija ugovarja iz utemeljenih razlogov, ki zadevajo varstvo zasebnosti ter temeljnih pravic in svoboščin posameznikov, Komisija sprejme ustrezne ukrepe v skladu s postopkom iz člena 31(2).

Države članice sprejmejo potrebne ukrepe za uskladitev z odločitvijo Komisije.

Article 24

4. Kadar Komisija v skladu s postopkom iz člena 31(2) odloči, da nekatera standardna pogodbena določila nudijo zadostno zaščito iz odstavka 2, države članice sprejmejo potrebne ukrepe za uskladitev z odločitvijo Komisije.

Sanctions

POGLAVJE V

The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.

PRAVILA RAVNANJA

Člen 27

CHAPTER IV TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

1. Države članice in Komisija spodbujajo pripravljanje kodeksov ravnanja, katerih namen je prispevati k pravilnemu izvajanju nacionalnih predpisov, ki so jih sprejele države članice v skladu s to direktivo, ob upoštevanju posebnih značilnosti različnih področij.

2. Države članice omogočijo trgovinskim združenjem in drugim organom, ki predstavljajo druge kategorije upravljavcev, ki so pripravili osnutke nacionalnih kodeksov ravnanja ali imajo namen spreminjati ali razširjati obstoječe nacionalne kodekse ravnanja, da jih lahko predložijo v presojo nacionalnemu organu.

Article 25

Države članice zagotovijo, da ta organ med drugim preveri, ali so osnutki, ki so mu predloženi, skladni z nacionalnimi določbami, sprejetimi v skladu s to direktivo. Če se zdi organu primerno, zaprosi za mnenje posameznike, na katere se osebni podatki nanašajo, ali njihove predstavnike.

Principles

3. Osnutki kodeksov ravnanja Skupnosti in spremembe ali razširitve obstoječih kodeksov ravnanja Skupnosti se lahko predložijo delovni skupini iz člena 29. Ta skupina med drugim določi, ali so osnutki, ki so ji predloženi, skladni z nacionalnimi določbami, sprejetimi v skladu s to direktivo. Če se zdi organu primerno, zaprosi za mnenje posameznike, na katere se osebni podatki nanašajo, ali njihove predstavnike. Komisija lahko zagotovi primerno objavo pravil, ki jih je odobrila delovna skupina.

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

POGLAVJE VI

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

NADZORNI ORGAN IN DELOVNA SKUPINA ZA VARSTVO POSAMEZNIKOV PRI OBDELAVI OSEBNIH PODATKOV

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

Člen 28

4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

Nadzorni organ

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

1. Vsaka država članica določi, da je eden ali več javnih organov na njenem ozemlju odgovornih za spremljanje uporabe predpisov, ki so jih sprejele države članice v skladu s to direktivo.

6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Ti organi pri izvajanju nalog, ki so jim zaupane, delujejo popolnoma samostojno.

Member States shall take the measures necessary to comply with the Commission's decision.

2. Vsaka država članica zagotovi, da se ob pripravi zakonodajnih in upravnih aktov, ki se nanašajo na varstvo posameznikovih pravic in svoboščin pri obdelavi osebnih podatkov, posvetuje z nadzornimi organi.

3. Vsakemu organu se podeli predvsem:

Article 26

- preiskovalna pooblastila, kakršna so pooblastila za dostop do podatkov, ki sestavljajo vsebino postopkov obdelave, in pooblastila za zbiranje vseh informacij, ki so potrebne za izvajanje njegovih nadzornih nalog,

Derogations

- učinkovita pooblastila za posredovanje, kakšna so npr. dajanje mnenj pred izvajanjem postopkov obdelave v skladu s členom 20 in zagotavljanje ustrezne objave takih mnenj, odrejanje blokiranja, izbrisa ali uničenja podatkov, naložitev začasne ali dokončne prepovedi obdelave, opozarjanje ali opominjanje upravljavca ali napotitev zadeve v nacionalne parlamente ali druge politične institucije,

1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:

- pooblastila za sodelovanje v sodnih postopkih, kadar so kršene nacionalne določbe, sprejete v skladu s to direktivo, ali za seznanitev sodnih organov s temi kršitvami.

(a) the data subject has given his consent unambiguously to the proposed transfer; or

Zoper odločitve nadzornega organa je zagotovljeno sodno pravno sredstvo.

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or

4. Vsak nadzorni organ obravnava zahtevke, ki jih je vložila katera koli oseba ali združenje, ki predstavlja to osebo, v zvezi z varstvom svojih pravic in svoboščin glede obdelave osebnih podatkov. Zadevna oseba je obveščena o odločitvah o zahtevkih.

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or

Vsak nadzorni organ obravnava predvsem zahtevke za preverjanje zakonitosti obdelave podatkov, ki jih vloži katera koli oseba, kadar se uporabljajo nacionalne določbe, sprejete v skladu s členom 13 te direktive. Oseba mora biti v vsakem primeru obveščena, da je bilo opravljeno preverjanje.

(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

5. Vsak nadzorni organ redno pripravi poročilo o svojih dejavnostih. Poročilo se objavi.

(e) the transfer is necessary in order to protect the vital interests of the data subject; or

6. Vsak nadzorni organ je pristojen, da na ozemlju lastne države članice izvaja pooblastila, ki so mu bila podeljena v skladu z odstavkom 3, ne glede na to, kateri nacionalni zakon se uporablja za zadevno obdelavo. Od vsakega nadzornega organa je mogoče zahtevati, da izvaja svoja pooblastila na prošnjo nadzornega organa druge države članice.

(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

Nadzorni organi sodelujejo drug z drugim v obsegu, ki je potreben za izvedbo njihovih dolžnosti, predvsem z izmenjavo vseh koristnih informacij.

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

7. Države članice določijo, da so člani in uslužbenci nadzornega organa celo po tem, ko je njihova zaposlitev končana, zavezani dolžnosti poklicne molčečnosti glede zaupnih informacij, do katerih imajo dostop.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

Člen 29

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).

Delovna skupina za varstvo posameznikov pri obdelavi osebnih podatkov

Member States shall take the necessary measures to comply with the Commission's decision.

1. Ustanovi se Delovna skupina za varstvo posameznikov pri obdelavi osebnih podatkov, v nadaljevanju "delovna skupina".

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

Delovna skupina ima svetovalni status in deluje samostojno.

2. Delovno skupino sestavlja predstavnik nadzornega organa ali organov, ki jih določi vsaka država članica, in predstavnik organa ali organov, ustanovljenih za ustanove ali organe Skupnosti, ter predstavnik Komisije.

CHAPTER V CODES OF CONDUCT

Vsakega člana delovne skupine določi institucija, organ ali organi, ki jih predstavlja. Kadar država članica določi več kakor en nadzorni organ, le-ti imenujejo skupnega predstavnika. Isto velja za organe, ki so ustanovljeni za institucije in organe Skupnosti.

3. Delovna skupina odloča z navadno večino predstavnikov nadzornih organov.

Article 27

4. Delovna skupina izbere svojega predsednika. Predsednikov mandat je dve leti. Lahko je ponovno imenovan.

1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.

5. Sekretariat delovne skupine zagotavlja Komisija.

2. Member States shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority.

6. Delovna skupina sprejme svoj poslovnik.

Member States shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.

7. Delovna skupina obravnava točke, ki jih na njen dnevni red uvrsti njen predsednik, bodisi na lastno pobudo bodisi na zahtevo predstavnika nadzornih organov ali na zahtevo Komisije.

3. Draft Community codes, and amendments or extensions to existing Community codes, may be submitted to the Working Party referred to in Article 29. This Working Party shall determine, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives. The Commission may ensure appropriate publicity for the codes which have been approved by the Working Party.

Člen 30

1. Delovna skupina:

CHAPTER VI SUPERVISORY AUTHORITY AND WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

(a) preučuje vsa vprašanja, ki zajemajo uporabo nacionalnih predpisov, sprejetih na podlagi te direktive, da bi prispevala k njihovi enotni uporabi;

(b) poda Komisiji mnenje o ravni varstva v Skupnosti in v tretjih državah;

Article 28

(c) svetuje Komisiji o vseh predlaganih spremembah te direktive, o vseh dodatnih ali posebnih ukrepih za zaščito pravic in svoboščin fizičnih oseb pri obdelavi osebnih podatkov ter o vseh drugih predlaganih ukrepih Skupnosti, ki vplivajo na take pravice in svoboščine;

Supervisory authority

(d) da mnenje o kodeksih ravnanja, ki se pripravijo na ravni Skupnosti.

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

2. Če delovna skupina ugotovi, da prihaja do razhajanj med zakonodajami ali praksami držav članic, ki bodo verjetno vplivale na enakovrednost varstva oseb pri obdelavi osebnih podatkov v Skupnosti, o tem obvesti Komisijo.

These authorities shall act with complete independence in exercising the functions entrusted to them.

3. Delovna skupina lahko na lastno pobudo poda priporočila o vseh zadevah v zvezi z varstvom oseb pri obdelavi osebnih podatkov v Skupnosti.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

4. Mnenja in priporočila delovne skupine se posredujejo Komisiji in odboru iz člena 31.

3. Each authority shall in particular be endowed with:

5. Komisija obvesti delovno skupino o ukrepih, ki jih je sprejela kot odgovor na njena mnenja in priporočila. To stori v poročilu, ki se ga posreduje tudi Evropskemu parlamentu in Svetu. Poročilo se objavi.

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

6. Delovna skupina pripravi letno poročilo o položaju glede zaščite fizičnih oseb pri obdelavi osebnih podatkov v Skupnosti in v tretjih državah, ki ga pošlje Komisiji, Evropskemu parlamentu in Svetu. Poročilo se objavi.

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

POGLAVJE VII

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

IZVEDBENI UKREPI SKUPNOSTI

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

Člen 31

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Odbor

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

1. Komisiji pomaga odbor, ki ga sestavljajo predstavniki držav članic in mu predseduje predstavnik Komisije.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

2. Predstavnik Komisije predloži odboru osnutek potrebnih ukrepov. Odbor da svoje mnenje o osnutku v roku, ki ga lahko določi predsednik glede na nujnost zadeve.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

Mnenje se sprejme z večino, ki jo določa člen 148(2) Pogodbe. Glasovi predstavnikov držav članic v odboru se ponderirajo na način iz navedenega člena. Predsednik ne glasuje.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

Komisija sprejme ukrepe, ki začnejo veljati takoj. Če ukrepi niso v skladu z mnenjem odbora, jih Komisija brez odlašanja sporoči Svetu. V takem primeru:

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

- Komisija za tri mesece od datuma sporočila odloži uporabo ukrepov, o katerih je odločala,

- Svet v roku iz prve alinee lahko s kvalificirano večino sprejme drugačno odločitev.

Article 29

KONČNE DOLOČBE

Working Party on the Protection of Individuals with regard to the Processing of Personal Data

Člen 32

1. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data, hereinafter referred to as 'the Working Party', is hereby set up.

1. Države članice sprejmejo zakone in druge predpise, potrebne za uskladitev s to direktivo, najpozneje v treh letih od dneva njenega sprejetja.

It shall have advisory status and act independently.

Države članice se v sprejetih predpisih sklicujejo na to direktivo ali pa sklic nanjo navedejo ob njihovi uradni objavi. Način sklicevanja določijo države članice.

2. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State and of a representative of the authority or authorities established for the Community institutions and bodies, and of a representative of the Commission.

2. Države članice zagotovijo, da se obdelave, ki že potekajo na dan začetka veljavnosti nacionalnih predpisov, sprejetih v skladu s to direktivo, uskladijo s temi določbami v treh letih od tega dneva.

Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative. The same shall apply to the authorities established for Community institutions and bodies.

Z odstopanjem od prejšnjega pododstavka lahko države članice določijo, da se obdelava podatkov, ki so že vsebovani v ročnih zbirkah na dan začetka veljavnosti nacionalnih predpisov, sprejetih za izvajanje te direktive, uskladi s členi 6, 7 in 8 te direktive v 12 letih od dneva njenega sprejetja. Vendar države članice priznajo posamezniku, na katerega se nanašajo osebni podatki, na njegovo zahtevo in predvsem ob uresničevanju njegove pravice do dostopa pravico, da doseže popravek, izbris ali blokiranje podatkov, ki so nepopolni, netočni ali shranjeni na način, ki je nezdružljiv z zakonitimi nameni, ki jih zasleduje upravljavec.

3. The Working Party shall take decisions by a simple majority of the representatives of the supervisory authorities.

3. Z odstopanjem od odstavka 2 lahko države članice določijo, ob upoštevanju ustreznih zaščitnih ukrepov, da podatkov, ki se hranijo zgolj zaradi zgodovinskih raziskav, ni treba uskladiti s členi 6, 7 in 8 te direktive.

4. The Working Party shall elect its chairman. The chairman's term of office shall be two years. His appointment shall be renewable.

4. Države članice predložijo Komisiji besedila temeljnih predpisov nacionalne zakonodaje, sprejetih na področju, ki ga ureja ta direktiva.

5. The Working Party's secretariat shall be provided by the Commission.

Člen 33

6. The Working Party shall adopt its own rules of procedure.

Komisija redno poroča Svetu in Evropskemu parlamentu o izvajanju te direktive, z začetkom najpozneje tri leta po dnevu iz člena 32(1), pri čemer k svojemu poročilu po potrebi priloži ustrezne predloge sprememb. Poročilo se objavi.

7. The Working Party shall consider items placed on its agenda by its chairman, either on his own initiative or at the request of a representative of the supervisory authorities or at the Commission's request.

Komisija predvsem preverja uporabo te direktive pri obdelavi zvočnih in slikovnih podatkov v zvezi s fizičnimi osebami ter predloži vse ustrezne predloge, ki se izkažejo za potrebne, ob upoštevanju razvoja informacijske tehnologije in glede na stanje tehnologije v informacijski družbi.

Člen 34

Article 30

Ta direktiva je naslovljena na države članice.

1. The Working Party shall:

(a) examine any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures;

V Luxembourgu, 24. oktobra 1995

(b) give the Commission an opinion on the level of protection in the Community and in third countries;

Za Evropski parlament

(c) advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms;

Predsednik

(d) give an opinion on codes of conduct drawn up at Community level.

K. Hänsch

2. If the Working Party finds that divergences likely to affect the equivalence of protection for persons with regard to the processing of personal data in the Community are arising between the laws or practices of Member States, it shall inform the Commission accordingly.

Za Svet

3. The Working Party may, on its own initiative, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community.

Predsednik

4. The Working Party's opinions and recommendations shall be forwarded to the Commission and to the committee referred to in Article 31.

L. Atienza serna

5. The Commission shall inform the Working Party of the action it has taken in response to its opinions and recommendations. It shall do so in a report which shall also be forwarded to the European Parliament and the Council. The report shall be made public.

[1] UL C 277, 5.11.1990, str. 3, in UL C 311, 27.11.1992, str. 30.

6. The Working Party shall draw up an annual report on the situation regarding the protection of natural persons with regard to the processing of personal data in the Community and in third countries, which it shall transmit to the Commission, the European Parliament and the Council. The report shall be made public.

[2] UL C 159, 17.6.1991, str. 38.

[3] Mnenje Evropskega parlamenta z dne 11. marca 1992 (UL C 94, 13.4.1992, str. 198), potrjeno dne 2. decembra 1993 (UL C 342, 20.12.1993, str. 30); Skupno stališče Sveta z dne 20. februarja 1995 (UL C 93, 13.4.1995, str. 1) in Sklep Evropskega parlamenta z dne 15. junija 1995 (UL C 166, 3.7.1995).

CHAPTER VII COMMUNITY IMPLEMENTING MEASURES

[4] UL L 197, 18.7.1987, str. 33.

--------------------------------------------------

Article 31

The Committee

1. The Commission shall be assisted by a committee composed of the representatives of the Member States and chaired by the representative of the Commission.

2. The representative of the Commission shall submit to the committee a draft of the measures to be taken. The committee shall deliver its opinion on the draft within a time limit which the chairman may lay down according to the urgency of the matter.

The opinion shall be delivered by the majority laid down in Article 148 (2) of the Treaty. The votes of the representatives of the Member States within the committee shall be weighted in the manner set out in that Article. The chairman shall not vote.

The Commission shall adopt measures which shall apply immediately. However, if these measures are not in accordance with the opinion of the committee, they shall be communicated by the Commission to the Council forthwith. It that event:

- the Commission shall defer application of the measures which it has decided for a period of three months from the date of communication,

- the Council, acting by a qualified majority, may take a different decision within the time limit referred to in the first indent.

FINAL PROVISIONS

Article 32

1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive at the latest at the end of a period of three years from the date of its adoption.

When Member States adopt these measures, they shall contain a reference to this Directive or be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by the Member States.

2. Member States shall ensure that processing already under way on the date the national provisions adopted pursuant to this Directive enter into force, is brought into conformity with these provisions within three years of this date.

By way of derogation from the preceding subparagraph, Member States may provide that the processing of data already held in manual filing systems on the date of entry into force of the national provisions adopted in implementation of this Directive shall be brought into conformity with Articles 6, 7 and 8 of this Directive within 12 years of the date on which it is adopted. Member States shall, however, grant the data subject the right to obtain, at his request and in particular at the time of exercising his right of access, the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued by the controller.

3. By way of derogation from paragraph 2, Member States may provide, subject to suitable safeguards, that data kept for the sole purpose of historical research need not be brought into conformity with Articles 6, 7 and 8 of this Directive.

4. Member States shall communicate to the Commission the text of the provisions of domestic law which they adopt in the field covered by this Directive.

Article 33

The Commission shall report to the Council and the European Parliament at regular intervals, starting not later than three years after the date referred to in Article 32 (1), on the implementation of this Directive, attaching to its report, if necessary, suitable proposals for amendments. The report shall be made public.

The Commission shall examine, in particular, the application of this Directive to the data processing of sound and image data relating to natural persons and shall submit any appropriate proposals which prove to be necessary, taking account of developments in information technology and in the light of the state of progress in the information society.

Article 34

This Directive is addressed to the Member States.

Done at Luxembourg, 24 October 1995.

For the European Parliament

The President

K. HAENSCH

For the Council

The President

L. ATIENZA SERNA

(1) OJ No C 277, 5. 11. 1990, p. 3 and OJ No C 311, 27. 11. 1992, p. 30.

(2) OJ No C 159, 17. 6. 1991, p 38.

(3) Opinion of the European Parliament of 11 March 1992 (OJ No C 94, 13. 4. 1992, p. 198), confirmed on 2 December 1993 (OJ No C 342, 20. 12. 1993, p. 30); Council common position of 20 February 1995 (OJ No C 93, 13. 4. 1995, p. 1) and Decision of the European Parliament of 15 June 1995 (OJ No C 166, 3. 7. 1995).

(1) OJ No L 197, 18. 7. 1987, p. 33.