In the 1990s, protection of personal data was regulated by non-harmonised laws in the Member States. Although based on the same basic principles laid down in the Council of Europe Convention No. 108 on data protection, these laws differed considerably in detail. Because this was considered to influence competition and thus the proper functioning of the EU's internal market, pressure increased for a more harmonised environment. Developments in the ICT field added to the need for a common set of data protection rules, specifying the Council of Europe Convention.
This led to the adoption in 1995 of Directive 95/46/EC. It is the central piece of legislation on the protection of personal data in Europe. The Directive stipulates general rules on the lawfulness of personal data processing and rights of the people whose data are processed (‘data subjects’). The Directive also provides that at least one independent supervisory authority in each Member State shall be responsible for monitoring its implementation.
Two years later, a Directive on privacy and electronic communications was adopted. Updated in 2002 as Directive 2002/58/EC, it regulates areas which were not sufficiently covered by Directive 95/46/EC, such as confidentiality, billing and traffic data, rules on spam, etc.
These two directives created a general and technology-neutral system of data protection in all EU Member States. However, protection at the level of the European institutions and bodies was not guaranteed. To remedy this, Article 286 of the EC Treaty was adopted.
Article 286 of the EC Treaty stipulates that the European institutions and bodies shall protect personal data and provides for the establishment of an independent supervisory authority. It was implemented in Regulation (EC) No 45/2001.

Combining the relevant features of Directives 95/46/EC and 2002/58/EC, Regulation (EC) No 45/2001 regroups the rights of the data subjects and the obligations of those responsible for the processing into one legal instrument. It also establishes the EDPS as an independent supervisory authority with the responsibility to monitor the processing of personal data by the Community institutions and bodies (see also Decision 1247/2002).

In November 2008, the Council of the European Union adopted the Framework Decision on the protection of personal data in the field of police and judicial cooperation in criminal matters. It is the first general data protection instrument in the EU third pillar.

Regulation (EC) No 45/2001

Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.01.2001, p. 1


Decision No 1247/2002/EC

Decision No 1247/2002/EC of 1 July 2002 on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties, OJ L 183, 12.07.2002, p. 1


Directive 95/46/EC

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31


Directive 2002/58/EC

Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.07.2002, p. 37


Directive 2009/136/EC

Directive 2009/136/EC of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ L 337, 18.12.2009, p. 11


Council Framework Decision 2008/977/JHA

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350, 30.12.2008, p. 60


Council of Europe Convention No. 108 on data protection

Convention for the protection of individuals with regard to automatic processing of personal data (ETS No. 108, 28.01.1981)

Other international instruments

OECD Guidelines governing the protection of privacy and transborder flows of personal data (July 2013)


OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (2007)

Privacy and data protection - two separate fundamental rights
Protection of personal data is a right which is separate from, but closely linked to, the right to privacy:
Respect for private life was established in 1950 with the adoption of the European Convention on Human Rights, in the framework of the Council of Europe. In short, the right to privacy may be described as a right which prevents public authorities from taking privacy-invasive measures unless certain conditions have been met.
The right to data protection was introduced in the 1980s as a consequence of technical developments. In short, data protection principles aim to establish conditions under which it is legitimate and lawful to process personal data. Data protection legislation obliges those responsible to respect a set of rules and empowers the people concerned by granting them rights. Finally, it provides for supervision by independent authorities.
