This document is an excerpt from the EUR-Lex website

Data protection in the electronic communications sector

SUMMARY

Information is exchanged through public electronic communication services such as the internet and mobile and landline telephony and via their accompanying networks. These services and networks require specific rules and safeguards to ensure the users’ right to privacy and confidentiality.

WHAT DOES THE DIRECTIVE DO?

It sets out rules to ensure security in the processing of personal data, the notification of personal data breaches, and confidentiality of communications. It also bans unsolicited communications where the user has not given their consent.

KEY POINTS

Providers of electronic communication services must secure their services by at least:

  • ensuring personal data are accessed by authorised persons only;
  • protecting personal data from being destroyed, lost or accidentally altered and from other unlawful or unauthorised forms of processing;
  • ensuring the implementation of a security policy on the processing of personal data.

The service provider must inform the national authority of any personal data breach within 24 hours. If the personal data or privacy of a user is likely to be harmed, that user must also be informed unless specifically identified technological measures have been taken to protect the data.

EU countries must ensure the confidentiality of communications made over public networks. In particular, they must:

  • prohibit the listening, tapping, storage or any type of surveillance or interception of communications and traffic data without the consent of users, except if the person is legally authorised and in compliance with specific requirements;
  • guarantee that the storing of information or the access to information stored on a user’s personal equipment is only permitted if the user has been clearly and fully informed, among other things, of the purpose and has been given the right of refusal.

When traffic data are no longer required for communication or billing, they must be erased or made anonymous. However, service providers may process these data for marketing purposes for as long as the users concerned give their consent. This consent may be withdrawn at any time.

User consent is also required in a number of other situations, including:

  • before unsolicited communications (spam) can be sent to them. This also applies to short message services (SMSs) and other electronic messaging systems;
  • before information (cookies) is stored on their computers or devices or before access to that information is obtained; the user must be given clear and full information, among other things, on the purpose of the storage or access;
  • before telephone numbers, e-mail addresses or postal addresses can appear in public directories.

EU countries are required to have a system of penalties including legal sanctions for infringements of the directive.

The scope of the rights and obligations can only be restricted by national legislative measures when such restrictions are necessary and proportionate to safeguard specific public interests, such as to allow criminal investigations or to safeguard national security, defence or public security.

WHEN DOES THIS DIRECTIVE APPLY?

From .

BACKGROUND

This directive is one of five which together form the telecoms package, a legislative framework governing the electronic communications sector. The other directives cover the general framework, access and interconnection, authorisation and licensing and universal service.

The package was amended in 2009 by two directives on better law-making and citizens’ rights as well as by a regulation establishing the Body of European Regulators for Electronic Communications.

For more information, see the European Commission’s ePrivacy directive website.

Following the COVID-19 outbreak and introducing measures to cope with the impact of the crisis, the European Commission adopted: Commission Recommendation (EU) 2020/518 of on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data

ACT

Directive 2002/58/EC of the European Parliament and of the Council of concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
