Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector
OJ L 24, 30.1.1998, p. 1–8 (ES, DA, DE, EL, EN, FR, IT, NL, PT, FI, SV)
DIRECTIVE 97/66/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular Article 100a thereof,
Having regard to the proposal from the Commission (1),
Having regard to the opinion of the Economic and Social Committee (2),
Acting in accordance with the procedure laid down in Article 189b of the Treaty (3), in the light of the joint text approved by the Conciliation Committee on 6 November 1997,
(1) Whereas Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (4) requires Member States to ensure the rights and freedoms of natural persons with regard to the processing of personal data, and in particular their right to privacy, in order to ensure the free flow of personal data in the Community;
(2) Whereas confidentiality of communications is guaranteed in accordance with the international instruments relating to human rights (in particular the European Convention for the Protection of Human Rights and Fundamental Freedoms) and the constitutions of the Member States;
(3) Whereas currently in the Community new advanced digital technologies are introduced in public telecommunications networks, which give rise to specific requirements concerning the protection of personal data and privacy of the user; whereas the development of the information society is characterised by the introduction of new telecommunications services; whereas the successful cross-border development of these services, such as video-on-demand, interactive television, is partly dependent on the confidence of the users that their privacy will not be at risk;
(4) Whereas this is the case, in particular, with the introduction of the Integrated Services Digital Network (ISDN) and digital mobile networks;
(5) Whereas the Council, in its Resolution of 30 June 1988 on the development of the common market for telecommunications services and equipment up to 1992 (5), called for steps to be taken to protect personal data, in order to create an appropriate environment for the future development of telecommunications in the Community; whereas the Council re-emphasised the importance of the protection of personal data and privacy in its Resolution of 18 July 1989 on the strengthening of the coordination for the introduction of the Integrated Services Digital Network (ISDN) in the European Community up to 1992 (6);
(6) Whereas the European Parliament has underlined the importance of the protection of personal data and privacy in the telecommunications networks, in particular with regard to the introduction of the Integrated Services Digital Network (ISDN);
(7) Whereas, in the case of public telecommunications networks, specific legal, regulatory, and technical provisions must be made in order to protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the increasing risk connected with automated storage and processing of data relating to subscribers and users;
(8) Whereas legal, regulatory, and technical provisions adopted by the Member States concerning the protection of personal data, privacy and the legitimate interest of legal persons, in the telecommunications sector, must be harmonised in order to avoid obstacles to the internal market for telecommunications in conformity with the objective set out in Article 7a of the Treaty; whereas the harmonisation is limited to requirements that are necessary to guarantee that the promotion and development of new telecommunications services and networks between Member States will not be hindered;
(9) Whereas the Member States, providers and users concerned, together with the competent Community bodies, should cooperate in introducing and developing the relevant technologies where this is necessary to apply the guarantees provided for by the provisions of this Directive.
(10) Whereas these new services include interactive television and video on demand;
(11) Whereas, in the telecommunications sector, in particular for all matters concerning protection of fundamental rights and freedoms, which are not specifically covered by the provisions of this Directive, including the obligations on the controller and the rights of individuals, Directive 95/46/EC applies; whereas Directive 95/46/EC applies to non-publicly available telecommunications services;
(12) Whereas this Directive, similarly to what is provided for by Article 3 of Directive 95/46/EC, does not address issues of protection of fundamental rights and freedoms related to activities which are not governed by Community law; whereas it is for Member States to take such measures as they consider necessary for the protection of public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the enforcement of criminal law; whereas this Directive shall not affect the ability of Member States to carry out lawful interception of telecommunications, for any of these purposes;
(13) Whereas subscribers of a publicly available telecommunications service may be natural or legal persons; whereas the provisions of this Directive are aimed to protect, by supplementing Directive 95/46/EC, the fundamental rights of natural persons and particularly their right to privacy, as well as the legitimate interests of legal persons; whereas these provisions may in no case entail an obligation for Member States to extend the application of Directive 95/46/EC to the protection of the legitimate interests of legal persons; whereas this protection is ensured within the framework of the applicable Community and national legislation;
(14) Whereas the application of certain requirements relating to presentation and restriction of calling and connected line identification and to automatic call forwarding to subscriber lines connected to analogue exchanges must not be made mandatory in specific cases where such application would prove to be technically impossible or would require a disproportionate economic effort; whereas it is important for interested parties to be informed of such cases and the Member States should therefore notify them to the Commission;
(15) Whereas service providers must take appropriate measures to safeguard the security of their services, if necessary in conjunction with the provider of the network, and inform subscribers of any special risks of a breach of the security of the network; whereas security is appraised in the light of the provision of Article 17 of Directive 95/46/EC;
(16) Whereas measures must be taken to prevent the unauthorised access to communications in order to protect the confidentiality of communications by means of public telecommunications networks and publicly available telecommunications services; whereas national legislation in some Member States only prohibits intentional unauthorized access to communications;
(17) Whereas the data relating to subscribers processed to establish calls contain information on the private life of natural persons and concern the right to respect for their correspondence or concern the legitimate interests of legal persons; whereas such data may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time; whereas any further processing which the provider of the publicly available telecommunications services may want to perform for the marketing of its own telecommunications services may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the provider of the publicly available telecommunications services about the types of further processing he intends to perform;
(18) Whereas the introduction of itemized bills has improved the possibilities for the subscriber to verify the correctness of the fees charged by the service provider; whereas, at the same time, it may jeopardise the privacy of the users of publicly available telecommunications services; whereas therefore, in order to preserve the privacy of the user, Member States must encourage the development of telecommunications service options such as alternative payment facilities which allow anonymous or strictly private access to publicly available telecommunications services, for example calling cards and facilities for payment by credit card; whereas, alternatively, Member States may, for the same purpose, require the deletion of a certain number of digits from the called numbers mentioned in itemized bills;
(19) Whereas it is necessary, as regards calling line identification, to protect the right of the calling party to withhold the presentation of the identification of the line from which the call is being made and the right of the called party to reject calls from unidentified lines; whereas it is justified to override the elimination of calling line identification presentation in specific cases; whereas certain subscribers, in particular helplines and similar organizations, have an interest in guaranteeing the anonymity of their callers; whereas it is necessary, as regards connected line identification, to protect the right and the legitimate interest of the called party to withhold the presentation of the identification of the line to which the calling party is actually connected, in particular in the case of forwarded calls; whereas the providers of publicly available telecommunications services must inform their subscribers of the existence of calling and connected line identification in the network and of all services which are offered on the basis of calling and connected line identification and about the privacy options which are available; whereas this will allow the subscribers to make an informed choice about the privacy facilities they may want to use; whereas the privacy options which are offered on a per-line basis do not necessarily have to be available as an automatic network service but may be obtainable through a simple request to the provider of the publicly available telecommunications service;
(20) Whereas safeguards must be provided for subscribers against the nuisance which may be caused by automatic call forwarding by others; whereas, in such cases, it must be possible for subscribers to stop the forwarded calls being passed on to their terminals by simple request to the provider of the publicly available telecommunications service;
(21) Whereas directories are widely distributed and publicly available; whereas the right to privacy of natural persons and the legitimate interest of legal persons require that subscribers are able to determine the extent to which their personal data are published in a directory; whereas Member States may limit this possibility to subscribers who are natural persons;
(22) Whereas safeguards must be provided for subscribers against intrusion into their privacy by means of unsolicited calls and telefaxes; whereas Member States may limit such safeguards to subscribers who are natural persons;
(23) Whereas it is necessary to ensure that the introduction of technical features of telecommunications equipment for data protection purposes is harmonised in order to be compatible with the implementation of the internal market;
(24) Whereas in particular, similarly to what is provided for by Article 13 of Directive 95/46/EC, Member States can restrict the scope of subscribers' obligations and rights in certain circumstances, for example by ensuring that the provider of a publicly available telecommunications service may override the elimination of the presentation of calling line identification in conformity with national legislation for the purpose of prevention or detection of criminal offences or State security;
(25) Whereas where the rights of the users and subscribers are not respected, national legislation must provide for judicial remedy; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive;
(26) Whereas it is useful in the field of application of this Directive to draw on the experience of the Working Party on the protection of individuals with regard to the processing of personal data composed of representatives of the supervisory authorities of the Member States, set up by Article 29 of Directive 95/46/EC;
(27) Whereas, given the technological developments and the attendant evolution of the services on offer, it will be necessary technically to specify the categories of data listed in the Annex to this Directive for the application of Article 6 of this Directive with the assistance of the Committee composed of representatives of the Member States set up in Article 31 of Directive 95/46/EC in order to ensure a coherent application of the requirements set out in this Directive regardless of changes in technology; whereas this procedure applies solely to specifications necessary to adapt the Annex to new technological developments, taking into consideration changes in market and consumer demand; whereas the Commission must duly inform the European Parliament of its intention to apply this procedure and whereas, otherwise, the procedure laid down in Article 100a of the Treaty shall apply;
(28) Whereas, to facilitate compliance with the provisions of this Directive, certain specific arrangements are needed for processing of data already under way on the date that national implementing legislation pursuant to this Directive enters into force,
HAVE ADOPTED THIS DIRECTIVE:
Article 1 Object and scope
1. This Directive provides for the harmonisation of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector and to ensure the free movement of such data and of telecommunications equipment and services in the Community.
2. The provisions of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for protection of legitimate interests of subscribers who are legal persons.
3. This Directive shall not apply to the activities which fall outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.
Article 2 Definitions
In addition to the definitions given in Directive 95/46/EC, for the purposes of this Directive:
(a) 'subscriber` shall mean any natural or legal person who or which is party to a contract with the provider of publicly available telecommunications services for the supply of such services;
(b) 'user` shall mean any natural person using a publicly available telecommunications service, for private or business purposes, without necessarily having subscribed to this service;
(c) 'public telecommunications network` shall mean transmission systems and, where applicable, switching equipment and other resources which permit the conveyance of signals between defined termination points by wire, by radio, by optical or by other electromagnetic means, which are used, in whole or in part, for the provision of publicly available telecommunications services;
(d) 'telecommunications service` shall mean services whose provision consists wholly or partly in the transmission and routing of signals on telecommunications networks, with the exception of radio- and television broadcasting.
Article 3 Services concerned
1. This Directive shall apply to the processing of personal data in connection with the provision of publicly available telecommunications services in public telecommunications networks in the Community, in particular via the Integrated Services Digital Network (ISDN) and public digital mobile networks.
2. Articles 8, 9 and 10 shall apply to subscriber lines connected to digital exchanges and, where technically possible and if it does not require a disproportionate economic effort, to subscriber lines connected to analogue exchanges.
3. Cases where it would be technically impossible or require a disproportionate investment to fulfil the requirements of Articles 8, 9 and 10 shall be notified to the Commission by the Member States.
Article 4 Security
1. The provider of a publicly available telecommunications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public telecommunications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available telecommunications service must inform the subscribers concerning such risk and any possible remedies, including the costs involved.
Article 5 Confidentiality of the communications
1. Member States shall ensure via national regulations the confidentiality of communications by means of a public telecommunications network and publicly available telecommunications services. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, by others than users, without the consent of the users concerned, except when legally authorised, in accordance with Article 14 (1).
2. Paragraph 1 shall not affect any legally authorised recording of communications in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.
Article 6 Traffic and billing data
1. Traffic data relating to subscribers and users processed to establish calls and stored by the provider of a public telecommunications network and/or publicly available telecommunications service must be erased or made anonymous upon termination of the call without prejudice to the provisions of paragraphs 2, 3 and 4.
2. For the purpose of subscriber billing and interconnection payments, data indicated in the Annex may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment may be pursued.
3. For the purpose of marketing its own telecommunications services, the provider of a publicly available telecommunications service may process the data referred to in paragraph 2, if the subscriber has given his consent.
4. Processing of traffic and billing data must be restricted to persons acting under the authority of providers of the public telecommunications networks and/or publicly available telecommunications services handling billing or traffic management, customer enquiries, fraud detection and marketing the provider's own telecommunications services and it must be restricted to what is necessary for the purposes of such activities.
5. Paragraphs 1, 2, 3 and 4 shall apply without prejudice to the possibility for competent authorities to be informed of billing or traffic data in conformity with applicable legislation in view of settling disputes, in particular interconnection or billing disputes.
Article 7 Itemized billing
1. Subscribers shall have the right to receive non-itemized bills.
2. Member States shall apply national provisions in order to reconcile the rights of subscribers receiving itemised bills with the right to privacy of calling users and called subscribers, for example by ensuring that sufficient alternative modalities for communications or payments are available to such users and subscribers.
Article 8 Presentation and restriction of calling and connected line identification
1. Where presentation of calling-line identification is offered, the calling user must have the possibility via a simple means, free of charge, to eliminate the presentation of the calling-line identification on a per-call basis. The calling subscriber must have this possibility on a per-line basis.
2. Where presentation of calling-line identification is offered, the called subscriber must have the possibility via a simple means, free of charge for reasonable use of this function, to prevent the presentation of the calling line identification of incoming calls.
3. Where presentation of calling line identification is offered and where the calling line identification is presented prior to the call being established, the called subscriber must have the possibility via a simple means to reject incoming calls where the presentation of the calling line identification has been eliminated by the calling user or subscriber.
4. Where presentation of connected line identification is offered, the called subscriber must have the possibility via a simple means, free of charge, to eliminate the presentation of the connected line identification to the calling user.
5. The provisions set out in paragraph 1 shall also apply with regard to calls to third countries originating in the Community; the provisions set out in paragraphs 2, 3 and 4 shall also apply to incoming calls originating in third countries.
6. Member States shall ensure that where presentation of calling and/or connected line identification is offered, the providers of publicly available telecommunications services inform the public thereof and of the possibilities set out in paragraphs 1, 2, 3 and 4.
Article 9 Exceptions
Member States shall ensure that there are transparent procedures governing the way in which a provider of a public telecommunications network and/or a publicly available telecommunications service may override the elimination of the presentation of calling line identification:
(a) on a temporary basis, upon application of a subscriber requesting the tracing of malicious or nuisance calls; in this case, in accordance with national law, the data containing the identification of the calling subscriber will be stored and be made available by the provider of a public telecommunications network and/or publicly available telecommunications service;
(b) on a per-line basis for organisations dealing with emergency calls and recognized as such by a Member State, including law enforcement agencies, ambulance services and fire brigades, for the purpose of answering such calls.
Article 10 Automatic call forwarding
Member States shall ensure that any subscriber is provided, free of charge and via a simple means, with the possibility to stop automatic call forwarding by a third party to the subscriber's terminal.
Article 11 Directories of subscribers
1. Personal data contained in printed or electronic directories of subscribers available to the public or obtainable through directory enquiry services should be limited to what is necessary to identify a particular subscriber, unless the subscriber has given his unambiguous consent to the publication of additional personal data. The subscriber shall be entitled, free of charge, to be omitted from a printed or electronic directory at his or her request, to indicate that his or her personal data may not be used for the purpose of direct marketing, to have his or her address omitted in part and not to have a reference revealing his or her sex, where this is applicable linguistically.
2. Notwithstanding paragraph 1, Member States may allow operators to require a payment from subscribers wishing to ensure that their particulars are not entered in a directory, provided that the sum involved does not act as a disincentive to the exercise of this right, and that, taking account of the quality requirements of the public directory in the light of the universal service, it is limited to the actual costs incurred by the operator for the adaptation and updating of the list of subscribers not to be included in the public directory.
3. The rights conferred by paragraph 1 shall apply to subscribers who are natural persons. Member States shall also guarantee, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to their entry in public directories are sufficiently protected.
Article 12 Unsolicited calls
1. The use of automated calling systems without human intervention (automatic calling machine) or facsimile machines (fax) for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.
2. Member States shall take appropriate measures to ensure that, free of charge, unsolicited calls for purposes of direct marketing, by means other than those referred to in paragraph 1, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these calls, the choice between these options to be determined by national legislation.
3. The rights conferred by paragraphs 1 and 2 shall apply to subscribers who are natural persons. Member States shall also guarantee, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to unsolicited calls are sufficiently protected.
Article 13 Technical features and standardisation
1. In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory requirements for specific technical features are imposed on terminal or other telecommunications equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
2. Where provisions of this Directive can be implemented only by requiring specific technical features, Member States shall inform the Commission according to the procedures provided for by Directive 83/189/EEC (7) which lays down a procedure for the provision of information in the field of technical standards and regulations.
3. Where required, the Commission will ensure the drawing up of common European standards for the implementation of specific technical features, in accordance with Community legislation on the approximation of the laws of the Member States concerning telecommunications terminal equipment, including the mutual recognition of their conformity, and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and telecommunications (8).
Article 14 Extension of the scope of application of certain provisions of Directive 95/46/EC
1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 5, 6 and Article 8(1), (2), (3) and (4), when such restriction constitutes a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the telecommunications system, as referred to in Article 13(1) of Directive 95/46/EC.
2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.
3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established according to Article 29 of Directive 95/46/EC shall carry out the tasks laid down in Article 30 of the abovementioned Directive also with regard to the protection of fundamental rights and freedoms and of legitimate interests in the telecommunications sector, which is the subject of this Directive.
4. The Commission, assisted by the Committee established by Article 31 of Directive 95/46/EC, shall technically specify the Annex according to the procedure mentioned in this Article. The aforesaid Committee shall be convened specifically for the subjects covered by this Directive.
Article 15 Implementation of the Directive
1. Member States shall bring into force the laws, regulations and administrative provisions necessary for them to comply with this Directive not later than 24 October 1998.
By way of derogation from the first subparagraph, Member States shall bring into force the laws, regulations and administrative provisions necessary for them to comply with Article 5 of this Directive not later than 24 October 2000.
When Member States adopt these measures, they shall contain a reference to this Directive or shall be accompanied by such a reference at the time of their official publication. The procedure for such reference shall be adopted by Member States.
2. By way of derogation from Article 6(3), consent is not required with respect to processing already under way on the date the national provisions adopted pursuant to this Directive enter into force. In those cases the subscribers shall be informed of this processing and if they do not express their dissent within a period to be determined by the Member State, they shall be deemed to have given their consent.
3. Article 11 shall not apply to editions of directories which have been published before the national provisions adopted pursuant to this Directive enter into force.
4. Member States shall communicate to the Commission the text of the provisions of national law which they adopt in the field governed by this Directive.
Article 16 Addressees
This Directive is addressed to the Member States.
Done at Brussels, 15 December 1997.
For the European Parliament
J. M. GIL-ROBLES
For the Council
(1) OJ C 200, 22.7.1994, p. 4.
(2) OJ C 159, 17.6.1991, p. 38.
(3) Opinion of the European Parliament of 11 March 1992 (OJ C 94, 13.4.1992, p. 198). Council Common Position of 12 September 1996 (OJ C 315, 24.10.1996, p. 30) and Decision of the European Parliament of 16 January 1997 (OJ C 33, 3.2.1997, p. 78). Decision of the European Parliament of 20 November 1997 (OJ C 371, 8.12.1997). Council Decision of 1 December 1997.
(4) OJ L 281, 23.11.1995, p. 31.
(5) OJ C 257, 4.10.1988, p. 1.
(6) OJ C 196, 1.8.1989, p. 4.
(7) OJ L 109, 26.4.1983, p. 8. Directive as last amended by Directive 94/10/EC (OJ L 100, 19.4.1994, p. 30).
(8) OJ L 36, 7.2.1987, p. 31. Decision as last amended by the 1994 Act of Accession.
List of data
For the purpose referred to in Article 6(2) the following data may be processed:
Data containing the:
- number or identification of the subscriber station,
- address of the subscriber and the type of station,
- total number of units to be charged for the accounting period,
- called subscriber number,
- type, starting time and duration of the calls made and/or the data volume transmitted,
- date of the call/service,
- other information concerning payments such as advance payment, payments by instalments, disconnection and reminders.