According to Article 2 (g) of Regulation (EC) No 45/2001, a recipient shall mean "a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients."
Notifications of processing operations have to comprise information on the recipients of the personal data. A recipient can be a third party (with the exception of authorities which in the framework of a particular inquiry receive data - in such cases, they shall only be regarded as a third party).
An illustrative example may be salary payments of officials of the EU institutions and bodies. The salary slip does not only go to the employee, but also to the institution or body where he or she works, and Eurostat receives the data (compiled).
See also: Q&A on Transfer of personal data
Regulation (EC) No 45/2001 regulates the protection of individuals with regard to the processing of personal data by Community institutions and bodies.
The Regulation implements Article 286 of the Treaty establishing the European Communities which requires the application of data protection rules to Community institutions and bodies, as well as the establishment of an independent supervisory authority.
The data protection rules in the Regulation are based on the existing Community rules on data protection which apply to the Member States, in particular the Data Protection Directive 95/46/EC and the E-privacy Directive 2002/58/EC. The Regulation regroups the rights of the data subjects and the obligations of those responsible for the processing into one legal instrument.
It also establishes the European Data Protection Supervisor as an independent supervisory authority with the responsibility of monitoring the processing of personal data by the Community institutions and bodies.
Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes.
The Data Retention Directive (Directive 2006/24/EC) contains an obligation for providers of electronic communications to retain traffic and location data of communications through telephone, e-mail, etc. The retention takes place for the purpose of the investigation, detection and prosecution of serious crime.
See also Council framework Decision 2008/977/JHA.
RFID stands for Radio Frequency IDentification. It is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders.
An RFID tag is an object that can be applied to or incorporated into a product, an animal or a person for the purpose of identification or remote tracking through the use of radio waves.
The EDPS released an opinion on the issue in December 2007, in which he underlines that RFID systems could play a key role in the development of the European information society, but also that the wide acceptance of RFID technologies should be facilitated by the benefits of consistent data protection safeguards.
The right of access is the right for any data subject to obtain from the controller of a processing operation the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her.
This right also allows the data subject to receive communication in an intelligible form of the data undergoing processing and of information regarding the processing.
This right can be exercised without constraint, at any time within three months from the receipt of the request, and is free of charge (Article 13 of Regulation (EC) No 45/2001).
Everyone has the right to know that their personal data are processed and for which purpose. The right to be informed is essential because it determines the exercise of other rights.
The right of information refers to the information which shall be provided to a data subject whether or not the data have been obtained from the data subject.
The information which must be provided relates to the identity of the controller, the purpose(s) of the processing, the recipients, as well as the existence of the right of access to data and the right to rectify the data.
The right of information for the person concerned is limited in some cases, such as for public safety considerations or for the prevention, investigation, identification and prosecution of criminal offences, including the fight against money laundering.
In the context of processing operations within the EC institutions (see Articles 11 and 12 of Regulation (EC) No 45/2001), this right is often fulfilled by a privacy statement.
To exercise the right of rectification, the data subject usually has to write to the controller of the processing operation. By way of illustration, if you need to change your personal address or if you find that information about you is inaccurate, you should exercise your right of rectification by contacting the controller who holds these data.
The right to object has two meanings. First, it is the general right of any data subject to object to the processing of data relating to him or her, except in certain cases such as a specific legal obligation. Where there is a justified objection based on legitimate grounds relating to his or her particular situation, the processing in question may no longer involve those data (see Article 14 sub (a) of Directive 95/46/EC and Article 18 sub (a) of Regulation (EC) No 45/2001).
It also refers to the specific right of any data subject to be informed, free of charge, before personal data are first disclosed to third parties or before they are used on their behalf for the purposes of direct marketing, and to object to such use without justification (see Article 14 sub (b) of Directive 95/46/EC and Article 18 sub (b) of Regulation (EC) No 45/2001).
The right to object can be exercised at the moment of the collection of the data (for instance while completing a form), or at a later stage, by contacting the controller. The right to object is free of charge to the person who exercises it.