For those who are curious, I’ll give a bit of a primer on the EU privacy directives:
(Directive 95/46/EC on the protection of personal data)
The EU drafted the original law which was then handed off to the original member states (countries) for them to draft their own laws in compliance and implement the requirements of the EU directive.
I’m dealing directly with the Spanish implementation which you can read here in English if you want a headache: https://www.agpd.es/upload/Ley Orgánica 15-99_ingles.pdf
Each business which deals with any type of personal data has to register with the Data Protection Agency and detail their data stores and the type of data that each data store can contain. So, normally you might have the following data stores
You have to specify the type of data contained in each data store and the level of security required with each data store.
The registration is required and it doesn’t matter whether you use computers or have exclusively paper-based files.
Personal data is any data related to an individual. Address, phone number, e-mail address, name, birthdate, and any transactional information (invoices, visits, e-mails, etc.). Also included is any financial information.
All information needs to be under lock and key (whether digital or paper-based) and can only be accessed by employees who have authorization and used for the purpose for which it was collected. Backups also have to be under lock and key and permission has to be granted also for info provided to 3rd parties.
So, for practical matters, when you receive and record somebody’s address or telephone number or e-mail, you have to tell them how you plan to use that information:
“We’re going to incorporate your information in our client files and use your imformatiopn to do whatever it is that you’ve contracted/asked us to do. We’re also going to include your information in our publicity data store which may be used to market you our services or for publicity”
The person is informed that they can delete their personal information when they feel like it (usually in writing)
Examples of violations:
A hotel chain which receives a resume from someone looking for a job and passes it from one hotel of their chain to another (which has vacant posts) and calls up the job seeker to offer them a job is in violation.
A business that hasn’t told their clients that they may receive publicity via mail or e-mail and then sends out Christmas cards is in violation.
E-mails sent to the wrong address with personal data are in violation.
E-mail with addresses of other people in the CC field are in violation.
Fines range from 600€ to 600,000€
You can see how convoluted it gets…