Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995, OJ 1995 L 281, p. 31), as amended by Regulation (EC)
No 1882/2003 of the European Parliament and of the Council of 29 September
2003, OJ 2003 L 284, p. 1
Article 3
1. This Directive shall apply to the processing of personal
data wholly or partly by automatic means, and to the processing
otherwise than by automatic means of personal data which form part
of a filing system or are intended to form part of a filing system.
2. This Directive shall not apply to the processing of personal
data:
– in the course of an activity which falls outside the scope
of Community law, such as those provided for by Titles V and VI of
the Treaty on European Union and in any case to processing
operations concerning public security, defence, State security
(including the economic well-being of the State when the processing
operation relates to State security matters) and the activities of
the State in areas of criminal law,
…
Article 13 (1)
Member States may adopt legislative measures to restrict the scope
of the obligations and rights provided for in Articles 6(1), 10,
11(1), 12 and 21 when such a restriction constitutes a necessary
[measure] to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of
criminal offences, or of breaches of ethics for regulated
professions;
(e) an important economic or financial interest of a Member
State or of the European Union, including monetary, budgetary and
taxation matters;
(f) a monitoring, inspection or regulatory function connected,
even occasionally, with the exercise of official authority in cases
referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and
freedoms of others.
Article 25
1. The Member States shall provide that
the transfer to a third country of personal data which are undergoing processing
or are intended for processing after transfer may take place only if, without
prejudice to compliance with the national provisions adopted pursuant to
the other provisions of this Directive, the third country in question ensures
an adequate level of protection.
2. The adequacy of
the level of protection afforded by a third country shall be assessed in the
light of all the circumstances surrounding a data transfer operation or set of
data transfer operations; particular consideration shall be given to the nature
of the data, the purpose and duration of the proposed processing operation or
operations, the country of origin and country of final destination, the rules
of law, both general and sectoral, in force in the third country in question
and the professional rules and security measures which are complied with in
that country.
3. The Member
States and the Commission shall inform each other of cases where they consider
that a third country does not ensure an adequate level of protection within the
meaning of paragraph 2.
4. Where the
Commission finds, under the procedure provided for in Article 31(2), that a
third country does not ensure an adequate level of protection within the
meaning of paragraph 2 of this Article, Member States shall take the measures
necessary to prevent any transfer of data of the same type to the third country
in question.
5. At the
appropriate time, the Commission shall enter into negotiations with a view to
remedying the situation resulting from the finding made pursuant to paragraph
4.
6. The Commission
may find, in accordance with the procedure referred to in Article 31(2), that a
third country ensures an adequate level of protection within the meaning of
paragraph 2 of this Article, by reason of its domestic law or of the
international commitments it has entered into, particularly upon conclusion of
the negotiations referred to in paragraph 5, for the protection of the private
lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s
decision.
|