2002 58 EC

From La Quadrature du Net


DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL
of 12 July 2002
concerning the processing of personal data and the protection of privacy in the electronic communications sector

[highlighting the amendments proposed by the European Commission in its 2007 Reform Proposals dated 13 November 2007]


[as amended]


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular Article 95 thereof,
Having regard to the proposal from the Commission [1],
Having regard to the opinion of the Economic and Social Committee [2],
Having consulted the Committee of the Regions,
Acting in accordance with the procedure laid down in Article 251 of the Treaty [3],
Whereas:
(1) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data [4] requires Member States to ensure the rights and
freedoms of natural persons with regard to the processing of personal data, and in particular their right to privacy, in order to ensure
the free flow of personal data in the Community.
(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in particular by the Charter of
fundamental rights of the European Union. In particular, this Directive seeks to ensure full respect for the rights set out in Articles
(3) Confidentiality of communications is guaranteed in accordance with the international instruments relating to human rights, in
particular the European Convention for the Protection of Human Rights and Fundamental Freedoms, and the constitutions of the
Member States.

(4) Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal
data and the protection of privacy in the telecommunications sector [5] translated the principles set out in Directive 95/46/EC into
specific rules for the telecommunications sector. Directive 97/66/EC has to be adapted to developments in the markets and
technologies for electronic communications services in order to provide an equal level of protection of personal data and privacy
for users of publicly available electronic communications services, regardless of the technologies used. That Directive should
therefore be repealed and replaced by this Directive.

(5) New advanced digital technologies are currently being introduced in public communications networks in the Community, which
give rise to specific requirements concerning the protection of personal data and privacy of the user. The development of the
information society is characterised by the introduction of new electronic communications services. Access to digital mobile
networks has become available and affordable for a large public. These digital networks have large capacities and possibilities for
processing personal data. The successful cross-border development of these services is partly dependent on the confidence of users
that their privacy will not be at risk.
(6) The Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide
range of electronic communications services. Publicly available electronic communications services over the Internet open new
possibilities for users but also new risks for their personal data and privacy.

(7) In the case of public communications networks, specific legal, regulatory and technical provisions should be made in order to
protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the
increasing capacity for automated storage and processing of data relating to subscribers and users.

[1] OJ C 365 E, 19.12.2000, p. 223.
[2] OJ C 123, 25.4.2001, p. 53.
[3] Opinion of the European Parliament of 13 November 2001 [OJ C 140 E, 13.06.2002, p. 132], Council Common Position of 28 January 2002 [OJ C 113 E,
[4] OJ L 281, 23.11.1995, p. 31.
[5] OJ L 24, 30.1.1998, p. 1.
(8) Legal, regulatory and technical provisions adopted by the Member States concerning the protection of personal data, privacy and
the legitimate interest of legal persons, in the electronic communication sector, should be harmonised in order to avoid obstacles to
the internal market for electronic communication in accordance with Article 14 of the Treaty. Harmonisation should be limited to
requirements necessary to guarantee that the promotion and development of new electronic communications services and networks
between Member States are not hindered.
(9) The Member States, providers and users concerned, together with the competent Community bodies, should cooperate in
introducing and developing the relevant technologies where this is necessary to apply the guarantees provided for by this Directive
and taking particular account of the objectives of minimising the processing of personal data and of using anonymous or
pseudonymous data where possible.
(10) In the electronic communications sector, Directive 95/46/EC applies in particular to all matters concerning protection of
fundamental rights and freedoms, which are not specifically covered by the provisions of this Directive, including the obligations
on the controller and the rights of individuals. Directive 95/46/EC applies to non-public communications services.
(11) Like Directive 95/46/EC, this Directive does not address issues of protection of fundamental rights and freedoms related to
activities which are not governed by Community law. Therefore it does not alter the existing balance between the individual's right
to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the
protection of public security, defence, State security (including the economic well-being of the State when the activities relate to
State security matters) and the enforcement of criminal law. Consequently, this Directive does not affect the ability of Member
States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes
and in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by
the rulings of the European Court of Human Rights. Such measures must be appropriate, strictly proportionate to the intended
purpose and necessary within a democratic society and should be subject to adequate safeguards in accordance with the European
Convention for the Protection of Human Rights and Fundamental Freedoms.
(12) Subscribers to a publicly available electronic communications service may be natural or legal persons. By supplementing Directive
well as the legitimate interests of legal persons. This Directive does not entail an obligation for Member States to extend the
application of Directive 95/46/EC to the protection of the legitimate interests of legal persons, which is ensured within the
framework of the applicable Community and national legislation.
(13) The contractual relation between a subscriber and a service provider may entail a periodic or a one-off payment for the service
provided or to be provided. Prepaid cards are also considered as a contract.
(14) Location data may refer to the latitude, longitude and altitude of the user's terminal equipment, to the direction of travel, to the
level of accuracy of the location information, to the identification of the network cell in which the terminal equipment is located at
a certain point in time and to the time the location information was recorded.
(15) A communication may include any naming, numbering or addressing information provided by the sender of a communication or
the user of a connection to carry out the communication. Traffic data may include any translation of this information by the
network over which the communication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia,
consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the
terminal equipment of the sender or recipient, to the network on which the communication originates or terminates, to the
beginning, end or duration of a connection. They may also consist of the format in which the communication is conveyed by the
network.
(16) Information that is part of a broadcasting service provided over a public communications network is intended for a potentially
unlimited audience and does not constitute a communication in the sense of this Directive. However, in cases where the individual
subscriber or user receiving such information can be identified, for example with video-on-demand services, the information
conveyed is covered within the meaning of a communication for the purposes of this Directive.

(17) For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person,
should have the same meaning as the data subject's consent as defined and further specified in Directive 95/46/EC. Consent may be
given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking
a box when visiting an Internet website.
(18) Value added services may, for example, consist of advice on least expensive tariff packages, route guidance, traffic information,
weather forecasts and tourist information.
(19) The application of certain requirements relating to presentation and restriction of calling and connected line identification and to
automatic call forwarding to subscriber lines connected to analogue exchanges should not be made mandatory in specific cases
where such application would prove to be technically impossible or would require a disproportionate economic effort. It is
important for interested parties to be informed of such cases and the Member States should therefore notify them to the
Commission.
(20) Service providers should take appropriate measures to safeguard the security of their services, if necessary in conjunction with the
provider of the network, and inform subscribers of any special risks of a breach of the security of the network. Such risks may
especially occur for electronic communications services over an open network such as the Internet or analogue mobile telephony. It
is particularly important for subscribers and users of such services to be fully informed by their service provider of the existing
security risks which lie outside the scope of possible remedies by the service provider. Service providers who offer publicly
available electronic communications services over the Internet should inform users and subscribers of measures they can take to
protect the security of their communications for instance by using specific types of software or encryption technologies. The
requirement to inform subscribers of particular security risks does not discharge a service provider from the obligation to take, at
its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security
level of the service. The provision of information about security risks to the subscriber should be free of charge except for any
nominal costs which the subscriber may incur while receiving or collecting the information, for instance by downloading an
electronic mail message. Security is appraised in the light of Article 17 of Directive 95/46/EC.
(21) Measures should be taken to prevent unauthorised access to communications in order to protect the confidentiality of
communications, including both the contents and any data related to such communications, by means of public communications
networks and publicly available electronic communications services. National legislation in some Member States only prohibits
intentional unauthorised access to communications.

(22) The prohibition of storage of communications and the related traffic data by persons other than the users or without their consent is
not intended to prohibit any automatic, intermediate and transient storage of this information in so far as this takes place for the
sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not
stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period
of storage the confidentiality remains guaranteed. Where this is necessary for making more efficient the onward transmission of
any publicly accessible information to other recipients of the service upon their request, this Directive should not prevent such
information from being further stored, provided that this information would in any case be accessible to the public without
restriction and that any data referring to the individual subscribers or users requesting such information are erased.
(23) Confidentiality of communications should also be ensured in the course of lawful business practice. Where necessary and legally
authorised, communications can be recorded for the purpose of providing evidence of a commercial transaction. Directive
its purpose and the duration of its storage. The recorded communication should be erased as soon as possible and in any case at the
latest by the end of the period during which the transaction can be lawfully challenged.
(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the
private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and
Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal
without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and
may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with
the knowledge of the users concerned.

(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the
effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such
devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society
services, their use should be allowed on condition that users are provided with clear and precise information in accordance with
Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being
placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device
stored on their terminal equipment. This is particularly important where users other than the original user have access to the
terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and
the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the
same connection and also covering any further use that may be made of those devices during subsequent connections. The methods
for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to
specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used
for a legitimate purpose.
(26) The data relating to subscribers processed within electronic communications networks to establish connections and to transmit
information contain information on the private life of natural persons and concern the right to respect for their correspondence or
concern the legitimate interests of legal persons. Such data may only be stored to the extent that is necessary for the provision of
the service for the purpose of billing and for interconnection payments, and for a limited time. Any further processing of such data
which the provider of the publicly available electronic communications services may want to perform, for the marketing of
electronic communications services or for the provision of value added services, may only be allowed if the subscriber has agreed
to this on the basis of accurate and full information given by the provider of the publicly available electronic communications
services about the types of further processing it intends to perform and about the subscriber's right not to give or to withdraw
his/her consent to such processing. Traffic data used for marketing communications services or for the provision of value added
services should also be erased or made anonymous after the provision of the service. Service providers should always keep
subscribers informed of the types of data they are processing and the purposes and duration for which this is done.
(27) The exact moment of the completion of the transmission of a communication, after which traffic data should be erased except for
billing purposes, may depend on the type of electronic communications service that is provided. For instance for a voice telephony
call the transmission will be completed as soon as either of the users terminates the connection. For electronic mail the
transmission is completed as soon as the addressee collects the message, typically from the server of his service provider.
(28) The obligation to erase traffic data or to make such data anonymous when it is no longer needed for the purpose of the transmission
of a communication does not conflict with such procedures on the Internet as the caching in the domain name system of IP
addresses or the caching of IP addresses to physical address bindings or the use of log-in information to control the right of access
to networks or services.
(29) The service provider may process traffic data relating to subscribers and users where necessary in individual cases in order to
detect technical failure or errors in the transmission of communications. Traffic data necessary for billing purposes may also be
processed by the provider in order to detect and stop fraud consisting of unpaid use of the electronic communications service.

(30) Systems for the provision of electronic communications networks and services should be designed to limit the amount of personal
data necessary to a strict minimum. Any activities related to the provision of the electronic communications service that go beyond
the transmission of a communication and the billing thereof should be based on aggregated, traffic data that cannot be related to
subscribers or users. Where such activities cannot be based on aggregated data, they should be considered as value added services
for which the consent of the subscriber is required.
(31) Whether the consent to be obtained for the processing of personal data with a view to providing a particular value added service
should be that of the user or of the subscriber, will depend on the data to be processed and on the type of service to be provided and
on whether it is technically, procedurally and contractually possible to distinguish the individual using an electronic
communications service from the legal or natural person having subscribed to it.

(32) Where the provider of an electronic communications service or of a value added service subcontracts the processing of personal
data necessary for the provision of these services to another entity, such subcontracting and subsequent data processing should be
in full compliance with the requirements regarding controllers and processors of personal data as set out in Directive 95/46/EC.
Where the provision of a value added service requires that traffic or location data are forwarded from an electronic
communications service provider to a provider of value added services, the subscribers or users to whom the data are related should
also be fully informed of this forwarding before giving their consent for the processing of the data.
(33) The introduction of itemised bills has improved the possibilities for the subscriber to check the accuracy of the fees charged by the
service provider but, at the same time, it may jeopardise the privacy of the users of publicly available electronic communications
services. Therefore, in order to preserve the privacy of the user, Member States should encourage the development of electronic
communication service options such as alternative payment facilities which allow anonymous or strictly private access to publicly
available electronic communications services, for example calling cards and facilities for payment by credit card. To the same end,
Member States may ask the operators to offer their subscribers a different type of detailed bill in which a certain number of digits
of the called number have been deleted.
(34) It is necessary, as regards calling line identification, to protect the right of the calling party to withhold the presentation of the
identification of the line from which the call is being made and the right of the called party to reject calls from unidentified lines.
There is justification for overriding the elimination of calling line identification presentation in specific cases. Certain subscribers,
in particular help lines and similar organisations, have an interest in guaranteeing the anonymity of their callers. It is necessary, as
regards connected line identification, to protect the right and the legitimate interest of the called party to withhold the presentation
of the identification of the line to which the calling party is actually connected, in particular in the case of forwarded calls. The
providers of publicly available electronic communications services should inform their subscribers of the existence of calling and
connected line identification in the network and of all services which are offered on the basis of calling and connected line
identification as well as the privacy options which are available. This will allow the subscribers to make an informed choice about
the privacy facilities they may want to use. The privacy options which are offered on a per-line basis do not necessarily have to be
available as an automatic network service but may be obtainable through a simple request to the provider of the publicly available
electronic communications service.
(35) In digital mobile networks, location data giving the geographic position of the terminal equipment of the mobile user are processed
to enable the transmission of communications. Such data are traffic data covered by Article 6 of this Directive. However, in
addition, digital mobile networks may have the capacity to process location data which are more precise than is necessary for the
transmission of communications and which are used for the provision of value added services such as services providing
individualised traffic information and guidance to drivers. The processing of such data for value added services should only be
allowed where subscribers have given their consent. Even in cases where subscribers have given their consent, they should have a
simple means to temporarily deny the processing of location data, free of charge.
(36) Member States may restrict the users' and subscribers' rights to privacy with regard to calling line identification where this is
necessary to trace nuisance calls and with regard to calling line identification and location data where this is necessary to allow
emergency services to carry out their tasks as effectively as possible. For these purposes, Member States may adopt specific
provisions to entitle providers of electronic communications services to provide access to calling line identification and location
data without the prior consent of the users or subscribers concerned.
(37) Safeguards should be provided for subscribers against the nuisance which may be caused by automatic call forwarding by others.
Moreover, in such cases, it must be possible for subscribers to stop the forwarded calls being passed on to their terminals by simple
request to the provider of the publicly available electronic communications service.
(38) Directories of subscribers to electronic communications services are widely distributed and public. The right to privacy of natural
persons and the legitimate interest of legal persons require that subscribers are able to determine whether their personal data are
published in a directory and if so, which. Providers of public directories should inform the subscribers to be included in such
directories of the purposes of the directory and of any particular usage which may be made of electronic versions of public
directories especially through search functions embedded in the software, such as reverse search functions enabling users of the
directory to discover the name and address of the subscriber on the basis of a telephone number only.
(39) The obligation to inform subscribers of the purpose(s) of public directories in which their personal data are to be included should
be imposed on the party collecting the data for such inclusion. Where the data may be transmitted to one or more third parties, the
subscriber should be informed of this possibility and of the recipient or the categories of possible recipients. Any transmission
should be subject to the condition that the data may not be used for other purposes than those for which they were collected. If the
party collecting the data from the subscriber or any third party to whom the data have been transmitted wishes to use the data for an
additional purpose, the renewed consent of the subscriber is to be obtained either by the initial party collecting the data or by the
third party to whom the data have been transmitted.
(40) Safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct
marketing purposes in particular by means of automated calling machines, telefaxes, and e-mails, including SMS messages. These
forms of unsolicited commercial communications may on the one hand be relatively easy and cheap to send and on the other may
impose a burden and/or cost on the recipient. Moreover, in some cases their volume may also cause difficulties for electronic
communications networks and terminal equipment. For such forms of unsolicited communications for direct marketing, it is
justified to require that prior explicit consent of the recipients is obtained before such communications are addressed to them. The
single market requires a harmonised approach to ensure simple, Community-wide rules for businesses and users.
(41) Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering
of similar products or services, but only by the same company that has obtained the electronic contact details in accordance with
Directive 95/46/EC. When electronic contact details are obtained, the customer should be informed about their further use for
direct marketing in a clear and distinct manner, and be given the opportunity to refuse such usage. This opportunity should
continue to be offered with each subsequent direct marketing message, free of charge, except for any costs for the transmission of
this refusal.
(42) Other forms of direct marketing that are more costly for the sender and impose no financial costs on subscribers and users, such as
person-to-person voice telephony calls, may justify the maintenance of a system giving subscribers or users the possibility to
indicate that they do not want to receive such calls. Nevertheless, in order not to decrease existing levels of privacy protection,
Member States should be entitled to uphold national systems, only allowing such calls to subscribers and users who have given
their prior consent.
(43) To facilitate effective enforcement of Community rules on unsolicited messages for direct marketing, it is necessary to prohibit the
use of false identities or false return addresses or numbers while sending unsolicited messages for direct marketing purposes.
(44) Certain electronic mail systems allow subscribers to view the sender and subject line of an electronic mail, and also to delete the
message, without having to download the rest of the electronic mail's content or any attachments, thereby reducing costs which
could arise from downloading unsolicited electronic mails or attachments. These arrangements may continue to be useful in certain
cases as an additional tool to the general obligations established in this Directive.
(45) This Directive is without prejudice to the arrangements which Member States make to protect the legitimate interests of legal
persons with regard to unsolicited communications for direct marketing purposes. Where Member States establish an opt-out
register for such communications to legal persons, mostly business users, the provisions of Article 7 of Directive 2000/31/EC of
the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular
electronic commerce, in the internal market (Directive on electronic commerce) [6] are fully applicable.
(46) The functionalities for the provision of electronic communications services may be integrated in the network or in any part of the
terminal equipment of the user, including the software. The protection of the personal data and the privacy of the user of publicly
available electronic communications services should be independent of the configuration of the various components necessary to
provide the service and of the distribution of the necessary functionalities between these components. Directive 95/46/EC covers
any form of processing of personal data regardless of the technology used. The existence of specific rules for electronic
communications services alongside general rules for other components necessary for the provision of such services may not
facilitate the protection of personal data and privacy in a technologically neutral way. It may therefore be necessary to adopt
measures requiring manufacturers of certain types of equipment used for electronic communications services to construct their
product in such a way as to incorporate safeguards to ensure that the personal data and privacy of the user and subscriber are
protected. The adoption of such measures in accordance with Directive 1999/5/EC of the European Parliament and of the Council
of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity [7]
will ensure that the introduction of technical features of electronic communication equipment including software for data protection
purposes is harmonised in order to be compatible with the implementation of the internal market.
[6] OJ L 178, 17.7.2000, p. 1.
(47) Where the rights of the users and subscribers are not respected, national legislation should provide for judicial remedies. Penalties
should be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken
under this Directive.
(48) It is useful, in the field of application of this Directive, to draw on the experience of the Working Party on the Protection of
Individuals with regard to the Processing of Personal Data composed of representatives of the supervisory authorities of the
Member States, set up by Article 29 of Directive 95/46/EC.
(49) To facilitate compliance with the provisions of this Directive, certain specific arrangements are needed for processing of data
already under way on the date that national implementing legislation pursuant to this Directive enters into force,
HAVE ADOPTED THIS DIRECTIVE:
Scope and aim
This Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental
rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic
communication sector and to ensure the free movement of such data and of electronic communication equipment and services in
the Community.

The provisions of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1.
Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.
This Directive shall not apply to activities which fall outside the scope of the Treaty establishing the European Community, such as
those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security,
defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the
activities of the State in areas of criminal law.
Definitions
Save as otherwise provided, the definitions in Directive 95/46/EC and in Directive 2002/21/EC of the European Parliament and of the
Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework
Directive) [8] shall apply.
The following definitions shall also apply:
(a) "user" means any natural person using a publicly available electronic communications service, for private or business purposes,
without necessarily having subscribed to this service;
(b) "traffic data" means any data processed for the purpose of the conveyance of a communication on an electronic communications
network or for the billing thereof;
(c) "location data" means any data processed in an electronic communications network, indicating the geographic position of the
terminal equipment of a user of a publicly available electronic communications service;
(d) "communication" means any information exchanged or conveyed between a finite number of parties by means of a publicly
available electronic communications service. This does not include any information conveyed as part of a broadcasting service to
the public over an electronic communications network except to the extent that the information can be related to the identifiable
subscriber or user receiving the information;
(e) "call" means a connection established by means of a publicly available telephone service allowing two-way communication;
(f) "consent" by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC;
(g) "value added service" means any service which requires the processing of traffic data or location data other than traffic data beyond
what is necessary for the transmission of a communication or the billing thereof;
(h) "electronic mail" means any text, voice, sound or image message sent over a public communications network which can be stored
in the network or in the recipient's terminal equipment until it is collected by the recipient.

OJ L 91, 7.4.1999, p. 10.
OJ L 108, 24.4.2002, p. 33.

Services concerned
This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic
communications services in public communications networks in the Community, including public communications networks
supporting data collection and identification devices.

Security of processing


The provider of a publicly available electronic communications service must take appropriate technical and organisational
measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network
with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall
ensure a level of security appropriate to the risk presented.
In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic
communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the
measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.

3.
In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or
access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available
communications services in the Community, the provider of publicly available electronic communications services shall, without
undue delay, notify the subscriber concerned and the national regulatory authority of such a breach. The notification to the
subscriber shall at least describe the nature of the breach and recommend measures to mitigate its possible negative effects. The
notification to the national regulatory authority shall, in addition, describe the consequences of and the measures taken by the
provider to address the breach.
4.
In order to ensure consistency in implementation of the measures referred to in paragraphs 1, 2 and 3, the Commission may,
following consultation with the European Electronic Communications Market Authority (hereinafter referred to as “the
Authority”), and the European Data Protection Supervisor, adopt technical implementing measures concerning inter alia the
circumstances, format and procedures applicable to information and notification requirements referred to in this Article.
Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance
with this regulatory procedure with scrutiny referred to in Article 14a(2). On imperative grounds of urgency, the Commission
may use the urgency procedure referred to in Article 14a(3).


Confidentiality of the communications
Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications
network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit
listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons
other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article
prejudice to the principle of confidentiality.
Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the
course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business
communication.
Member States shall ensure that the storing of information or gaining access to information already stored,
in the terminal equipment of a subscriber or user is only allowed on condition that the
subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter
and is offered the right to refuse such processing by the data controller. This shall not
prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over
an electronic communications network, or as strictly necessary in order to provide an information society service explicitly
requested by the subscriber or user.

Traffic data
Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly
available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the
transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).
Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is
permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.
For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a
publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the
duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her consent. Users
or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.

The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such
processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.
Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of
providers of the public communications networks and publicly available electronic communications services handling billing or
traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added
service, and must be restricted to what is necessary for the purposes of such activities.
Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent bodies to be informed of traffic data in
conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.
Itemised billing
Subscribers shall have the right to receive non-itemised bills.
Member States shall apply national provisions in order to reconcile the rights of subscribers receiving itemised bills with the right
to privacy of calling users and called subscribers, for example by ensuring that sufficient alternative privacy enhancing methods of
communications or payments are available to such users and subscribers.
Presentation and restriction of calling and connected line identification
Where presentation of calling line identification is offered, the service provider must offer the calling user the possibility, using a
simple means and free of charge, of preventing the presentation of the calling line identification on a per-call basis. The calling
subscriber must have this possibility on a per-line basis.
Where presentation of calling line identification is offered, the service provider must offer the called subscriber the possibility,
using a simple means and free of charge for reasonable use of this function, of preventing the presentation of the calling line
identification of incoming calls.
Where presentation of calling line identification is offered and where the calling line identification is presented prior to the call
being established, the service provider must offer the called subscriber the possibility, using a simple means, of rejecting incoming
calls where the presentation of the calling line identification has been prevented by the calling user or subscriber.
Where presentation of connected line identification is offered, the service provider must offer the called subscriber the possibility,
using a simple means and free of charge, of preventing the presentation of the connected line identification to the calling user.

Paragraph 1 shall also apply with regard to calls to third countries originating in the Community. Paragraphs 2, 3 and 4 shall also
apply to incoming calls originating in third countries.
Member States shall ensure that where presentation of calling and/or connected line identification is offered, the providers of
publicly available electronic communications services inform the public thereof and of the possibilities set out in paragraphs 1, 2, 3
and 4.
Location data other than traffic data
Where location data other than traffic data, relating to users or subscribers of public communications networks or publicly
available electronic communications services, can be processed, such data may only be processed when they are made anonymous,
or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added
service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data
other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be
transmitted to a third party for the purpose of providing the value added service. Users or subscribers shall be given the possibility
to withdraw their consent for the processing of location data other than traffic data at any time.
Where consent of the users or subscribers has been obtained for the processing of location data other than traffic data, the user or
subscriber must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of
such data for each connection to the network or for each transmission of a communication.
Processing of location data other than traffic data in accordance with paragraphs 1 and 2 must be restricted to persons acting under
the authority of the provider of the public communications network or publicly available communications service or of the third
party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added
service.
Exceptions
Member States shall ensure that there are transparent procedures governing the way in which a provider of a public communications
network and/or a publicly available electronic communications service may override:
(a) the elimination of the presentation of calling line identification, on a temporary basis, upon application of a subscriber requesting
the tracing of malicious or nuisance calls. In this case, in accordance with national law, the data containing the identification of the
calling subscriber will be stored and be made available by the provider of a public communications network and/or publicly
available electronic communications service;

(b) the elimination of the presentation of calling line identification and the temporary denial or absence of consent of a subscriber or
user for the processing of location data, on a per-line basis for organisations dealing with emergency calls and recognised as such
by a Member State, including law enforcement agencies, ambulance services and fire brigades, for the purpose of responding to
such calls.
Automatic call forwarding
Member States shall ensure that any subscriber has the possibility, using a simple means and free of charge, of stopping automatic call
forwarding by a third party to the subscriber's terminal.
Directories of subscribers
Member States shall ensure that subscribers are informed, free of charge and before they are included in the directory, about the
purpose(s) of a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry
services, in which their personal data can be included and of any further usage possibilities based on search functions embedded in
electronic versions of the directory.
Member States shall ensure that subscribers are given the opportunity to determine whether their personal data are included in a
public directory, and if so, which, to the extent that such data are relevant for the purpose of the directory as determined by the
provider of the directory, and to verify, correct or withdraw such data. Not being included in a public subscriber directory,
verifying, correcting or withdrawing personal data from it shall be free of charge.
Member States may require that for any purpose of a public directory other than the search of contact details of persons on the
basis of their name and, where necessary, a minimum of other identifiers, additional consent be asked of the subscribers.

Paragraphs 1 and 2 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of
Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with
regard to their entry in public directories are sufficiently protected.
Unsolicited communications
The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or
electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior
consent.
Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for
electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal
person may use these electronic contact details for direct marketing of its own similar products or services provided that customers
clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact
details when they are collected and on the occasion of each message in case the customer has not initially refused such use.
Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct
marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers
concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be
determined by national legislation.
In any event, the practice of sending electronic mail for purposes of direct marketing disguising or concealing the identity of the
sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such
communications cease, shall be prohibited.
Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of
Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with
regard to unsolicited communications are sufficiently protected.

6.
Without prejudice to any administrative remedy for which provision may be made, inter alia under Article 15(a)(2), Member States
shall ensure that any individual or legal person having a legitimate interest in combating infringements of national provisions
adopted pursuant to this Article, including an electronic communications service provider protecting its legitimate business
interests or the interests of their customers, may take legal action against such infringements before the courts.

Technical features and standardisation
In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory
requirements for specific technical features are imposed on terminal or other electronic communication equipment which could
impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Where provisions of this Directive can be implemented only by requiring specific technical features in electronic communications
networks, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the
European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of
technical standards and regulations and of rules on information society services [9].
Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the
right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision
87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications [10].

Article 14a
Committee
1.
The Commission shall be assisted by the Communications Committee set up by Article 22 of Directive 2002/21/EC (Framework
Directive).
2.
Where reference is made to this paragraph, Articles 5a(1) to (4) and 7 of Decision 1999/468/EC shall apply, having regard to the
provision [sic] of Article 8 thereof.
3.
Where reference is made to this paragraph, Article 5a(1), (2), (4) and (6), and Article 7 of Decision 1999/468/EC shall apply,
having regard to the provisions of Article 8 thereof.

OJ L 204, 21.7.1998, p. 37. Directive as amended by Directive 98/48/EC (OJ L 217, 5.8.1998, p. 18).
OJ L 36, 7.2.1987, p. 31. Decision as last amended by the 1994 Act of Accession.

Application of certain provisions of Directive 95/46/EC
Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6,
Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and
proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and
the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic
communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt
legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All
the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those
referred to in Article 6(1) and (2) of the Treaty on European Union.
communications services or of public communications networks [OJ L 105, 13.4.2006, p. 54] to be retained for the purposes
referred to in Article 1(1) of that Directive.
The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national
provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of
Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this
Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications
sector.

Article 15a
Implementation and Enforcement
1.
Member States shall lay down the rules on penalties applicable to infringements of the national provisions adopted pursuant to this
Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective,
proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the <time limit for
implementation of the amending act> at the latest and shall notify it without delay of any subsequent amendment affecting them.
2.
Without prejudice to any judicial remedy which might be available, Member States shall ensure that the national regulatory
authority has the power to order the cessation of the infringements referred to in paragraph 1.
3.
Member States shall ensure that national regulatory authorities have all the investigative powers and resources necessary, including
the possibility to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to
this Directive.

4.
In order to ensure effective cross-border co-operation in the enforcement of the national laws adopted pursuant to this Directive
and to create harmonised conditions for the provision of services involving cross-border data flows, the Commission may adopt
technical implementing measures, following consultation with the Authority and the relevant regulatory authorities.
The measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with
the regulatory procedure with scrutiny referred to in Article 14a(2). On imperative grounds of urgency, the Commission may use
the urgency procedure referred to in Article 14a(3).

Transitional arrangements

Article 12 shall not apply to editions of directories already produced or placed on the market in printed or off-line electronic form
before the national provisions adopted pursuant to this Directive enter into force.
Where the personal data of subscribers to fixed or mobile public voice telephony services have been included in a public subscriber
directory in conformity with the provisions of Directive 95/46/EC and of Article 11 of Directive 97/66/EC before the national
provisions adopted in pursuance of this Directive enter into force, the personal data of such subscribers may remain included in this
public directory in its printed or electronic versions, including versions with reverse search functions, unless subscribers indicate
otherwise, after having received complete information about purposes and options in accordance with Article 12 of this Directive.
Transposition
Before 31 October 2003 Member States shall bring into force the provisions necessary to comply with this Directive. They shall
forthwith inform the Commission thereof.
When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference
on the occasion of their official publication. The methods of making such reference shall be laid down by the Member States.
Member States shall communicate to the Commission the text of the provisions of national law which they adopt in the field
governed by this Directive and of any subsequent amendments to those provisions.
Review
The Commission shall submit to the European Parliament and the Council, not later than three years after the date referred to in Article
provisions on unsolicited communications, taking into account the international environment. For this purpose, the Commission may
request information from the Member States, which shall be supplied without undue delay. Where appropriate, the Commission shall
submit proposals to amend this Directive, taking account of the results of that report, any changes in the sector and any other proposal it
may deem necessary in order to improve the effectiveness of this Directive.
Repeal
Directive 97/66/EC is hereby repealed with effect from the date referred to in Article 17(1).
References made to the repealed Directive shall be construed as being made to this Directive.
Entry into force
This Directive shall enter into force on the day of its publication in the Official Journal of the European Communities.
Addressees
This Directive is addressed to the Member States.
