Data protection


In order to remove potential obstacles to the flow of personal data and to ensure a high level of protection within the EEA, data protection legislation has been harmonized.

The applicable rules are found in the Data Protection Directive (Directive 95/46/EC). The aim of these rules is twofold:

  • To ensure a minimum level of protection of individuals' right to privacy with regard to the processing of personal data
  • To provide for free movement of personal data within the EEA while ensuring an “adequate level of protection”

Protection of individuals

The main provisions in the Directive concern the criteria for lawfully processing personal data. “Processing” covers almost any handling or manipulation of information relating to a specific person. Processing of personal data is allowed where:

  • the data subject has consented
  • processing is necessary for the performance of a contract to which the data subject is a party
  • processing is necessary for the purposes of legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed

The processing of certain special categories of data is prohibited unless certain requirements are satisfied. Those categories include data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade-union membership
  • information relating to health or sex life

Individuals have the right to information about the processing of their personal data, to have access to such data, and to require that information which does not comply with the rules is rectified, blocked or erased. An individual may also, in certain cases, object to the processing of data about them.

Free movement of data

EEA States are prohibited from restricting or prohibiting the flow of personal data between EEA States for reasons related to the protection of individuals' right to privacy since all EEA States are required to ensure the same level of protection.

Personal data may be transferred to third countries only if the country in question can ensure an equivalent level of protection.

National Data Protection Authorities

Each EEA State is required to establish an independent authority responsible for ensuring that the obligations stemming from the data protection rules are complied with.

In the EFTA States, the relevant authorities are:
