
- D -

Data controller 

Under Regulation (EC) 45/2001, the data controller is the institution or body that determines the purposes and means of the processing of personal data. In particular, the controller has the duties of ensuring the quality of data and, in the case of the EU institutions and bodies, of notifying the processing operation to the data protection officer (DPO). In addition, the data controller is also responsible for the security measures protecting the data.

The controller is also the entity that receives requests from data subjects to exercise their rights.

The controller must co-operate with the DPO, and may consult him or her for an opinion on any data protection related question.

See also: Q&A on Controller

Data minimization 

The principle of “data minimization” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

The data minimization principle derives from Article 6.1(b) and (c) of Directive 95/46/EC and Article 4.1(b) and (c) of Regulation (EC) No 45/2001, which provide that personal data must be "collected for specified, explicit and legitimate purposes" and must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed".

Data mining

Data mining is the process of analysing data from different perspectives and summarising it into useful new information. Data mining software is one of a number of tools for interrogating data. It allows users to analyse data from many different dimensions or angles, categorise it, and summarise the relationships identified. Technically, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery. Obviously, for data mining to be effective it is necessary to analyse large amounts of previously collected data.

Data protection authority 

A data protection authority is an independent body which is in charge of:

  • monitoring the processing of personal data within its jurisdiction (country, region or international organization);
  • providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data;
  • hearing complaints lodged by citizens with regard to the protection of their data protection rights.

According to Article 28 of Directive 95/46/EC, each Member State shall establish in its territory at least one data protection authority, which shall be endowed with investigative powers (such as access to data, collection of information, etc.), effective powers of intervention (power to order the erasure of data, to impose a ban on a processing, etc.), and the power to start legal proceedings when data protection law has been violated.

National data protection authorities have been established in almost all European countries, as well as in many other countries worldwide.

List of data protection authorities

Data protection coordinator 

In addition to the data protection officer foreseen by Regulation (EC) No 45/2001, some EU institutions have appointed a data protection coordinator in order to coordinate all data protection aspects in the relevant DG, Departments or Units.

► List of data protection coordinators

Data Protection Directive 95/46/EC 

Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as "Data Protection Directive") is the centrepiece legislation at EU level in the field of data protection.

The Directive is a framework law, meaning that it is implemented in EU Member States through national laws.

It aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when the processing is lawful. The guidelines mainly relate to:

The Directive also sets out principles for the transfer of personal data to third countries and provides for the establishment of data protection authorities in each EU Member State.

Data Protection Day 

The Member States of the Council of Europe and the European institutions celebrate Data Protection Day each year on 28 January.

This date marks the anniversary of the Council of Europe's Convention 108, the first legally binding international instrument related to data protection.

The EDPS usually takes part in the celebration of the event by setting up an information stand in the main EU institutions.

Data protection officer 

Each Community institution and body shall, in order to comply with Regulation (EC) 45/2001, have a data protection officer (DPO). The DPO shall ensure the internal application of the Regulation and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations.

The DPO shall also keep a register of processing operations that have been notified by the controllers of the institution or body where he or she works.

List of data protection officers

Data quality 

Data quality refers to a set of principles laid down in Article 6 of Directive 95/46/EC and Article 4 of Regulation (EC) No 45/2001. Data quality means that personal data must be:

  • processed fairly and lawfully;
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing for historical, statistical or scientific purposes shall not be considered incompatible provided that appropriate safeguards have been provided by the controller;
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  • accurate and where necessary kept up to date; and
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they were collected or further processed. If data are stored for longer periods for historical, statistical or scientific use, they should be kept either in anonymous form only or, if not possible, only with the identity of the data subjects encrypted.

Data retention

See: Retention

Data security 

According to Article 22 of Regulation (EC) No 45/2001, the data controller shall implement appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risks represented by the processing and the nature of the personal data to be protected.

Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of processing.

Data subject 

The data subject is the person whose personal data are collected, held or processed.

Data transfer 

Data transfer refers to the transmission / communication of data to a recipient in whatever way.

Transfers of personal data within or between Community institutions or bodies or to recipients in EU countries are subject to certain conditions according to Articles 7 and 8 of Regulation (EC) No 45/2001. For instance, such transfer should be necessary for the legitimate performance of the public tasks involved.

Transfers are subject to specific safeguards when the recipient is located in a country outside the EU / European Economic Area (EEA) according to Articles 25-26 of Directive 95/46/EC and Article 9 of Regulation (EC) No 45/2001. See for instance the conditions for the transfer of PNR data or relating to the Safe Harbour scheme.
