Archer Employee

The European Union (EU) Privacy Directives were enacted for the protection of individuals with regard to the processing of personal data and on the free movement of such data. These directives, which began adoption in 1995, regulate the processing of personal data within the EU.


The following authoritative sources are available as a part of the content library:


Data Protection Act of 1998

The Data Protection Act of 1998 enacted by the European Parliament outlines eight basic principles to protect individuals with regard to the processing, storage, destruction and free movement of personal data. The eight principles are included below from Schedule 1 of the Data Protection Act of 1998. The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. The Act works in two ways. First, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection


The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. Should an individual or organization feel they are being denied access to personal information they are entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office for help. Complaints are usually dealt with informally, but if handling the situation informally is not possible, enforcement action can be taken.


European Union Directive 2002/58/EC

European Union Directive 2002/58/EC on Privacy and Electronic Communications harmonizes through its Articles 6 and 9 the personal data protection rules which are applicable to the processing of traffic and location data generated by the use of electronic communications services. Such data must be erased or made anonymous when no longer needed for the purpose of the transmission, except for the data necessary for billing or interconnection payments.


Subject to consent, certain data may also be processed for marketing purposes and the provision of value added services. Article 15(1) stipulates that member states may provide for restrictions of the scope of (among others) Articles 5, 6 and 9 when such restrictions constitute a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, public security and the prevention, investigation, detection and prosecution of criminal offenses.


European Union Data Protection Directive 95/46/EC

The European Union Data Protection Directive 95/46/EC of 1995 requires that "Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data." The EU privacy directive forbids any transfer of personal data to countries outside the EU that do not guarantee or do not have in place adequate safeguards for such data. The directive requires that EU member states (countries) protect the privacy of personal information that is processed using equipment in the member state, whether the processing is done by government agencies, businesses or other organizations. "Personal data" includes, but is not limited to, name, address, phone numbers, email addresses, ethnicity, religion, gender, sexual orientation, birth dates, employment, and financial account numbers. The responsibility for compliance with the directive rests with the "controller," which is the person, group of people, public authority, agency or other body that determines the purposes and means of processing personal data.



This content is available in English only.



Control standard mappings are not available for this authoritative source.



Licensing Restrictions

The EU Privacy Directives authoritative source content is available with the use of the RSA Archer Policy Program Management, RSA Archer IT Policy Program Management, and/or RSA Archer Authorization and Assessment use cases. No additional license is required.


For More Information

To learn more about the European Union Privacy Directives Authoritative Source Content:


For Additional Support

To learn more about this content, please contact your Account Rep for additional details. For technical support questions, please open a support case.

Version history
Last update: 2021-08-19 05:17 PM