Δευτέρα, Δεκεμβρίου 01, 2008

Μικροσκόπιο e-lawyer: Η απόφαση - πλαίσιο των Υπουργών Δικαιοσύνης της ΕΕ για τα προσωπικά δεδομένα στην αστυνομική - δικαστική συνεργασία


Σύμφωνα με το επίσημο δελτίο τύπου του Συμβουλίου υπουργών δικαιοσύνης της ΕΕ, στην τελευταία συνεδρίασή της θεσπίστηκε η Απόφαση - Πλαίσιο για την προστασία των προσωπικών δεδομένων στον τομέα της αστυνομικής και δικαστικής συνεργασίας των κρατών μελών σε ποινικές υποθέσεις (προστασία δεδομένων στον Τρίτο Πυλώνα ΕΕ). Το κείμενο βρίσκεται διαθέσιμο και στα αγγλικά.


Για το γενικότερο νομοθετικό υπόβαθρο αυτής της νομοθεσίας, μπορείτε να διαβάσετε σχετικό κείμενό μου εδώ.

Σχολιάζω ενδιάμεσα με κόκκινο την Απόφαση - Πλαίσιο για την προστασία προσωπικών δεδομένων στο πλαίσιο της αστυνομικής και δικαστικής συνεργασίας των κρατών μελών της ΕΕ σε ποινικές υποθέσεις.


THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on European Union, and in particular Articles 30, 31 and 34 (2)(b)

thereof,


Εδώ είναι το Προοίμιο της Απόφασης - Πλαίσιο. Είναι η πρώτη φορά που θεσμοθετείται νομοθεσία - πλαίσιο στον τρίτο πυλώνα της ΕΕ για την προστασία προσωπικών δεδομένων. Η γνωστή Οδηγία 95/46 αφορά μόνο τον πρώτο πυλώνα (Ενιαία Εσωτερική Αγορά - κοινοτικές ελευθερίες μετακίνησης προσώπων, κεφαλαίων, προϊόντων και υπηρεσιών). Με την απόφαση υλοποιείται η επιταγή της Συνθήκης για θέσπιση προστασίας δεδομένων και στην Κοινή Αστυνομική και Δικαστική Συνεργασία σε Ποινικές Υποθέσεις. (Μέχρι τώρα είχαμε ειδικά καθεστώτα μόνο για τα δεδομενα που επεξεργάζεται η Europol και η Eurojust).


Having regard to the proposal from the Commission,

Having regard to the opinion of the European Parliament,


Whereas:

(1) The European Union has set itself the objective of maintaining and developing the Union

as an area of freedom, security and justice in which a high level of safety is to be provided

by common action among the Member States in the fields of police and judicial

cooperation in criminal matters.


Βρισκόμαστε λοιπόν στην περιοχή οικοδόνησης μιας περιοχής Ελευθερίας, Ασφάλειας και Δικαιοσύνης, έναν τομέα που διαφεύγει των αρμοδιοτήτων της παλιάς Ευρωπαϊκής Οικονομικής Κοινότητας και της σημερινής Ευρωπαϊκής Κοινότητας (κοινοτικό δίκαιο). Η Απόφαση - πλαίσιο αποτελεί ενωσιακό δίκαιο.


(2) Common action in the field of police cooperation under Article 30(1)(b) of the Treaty on

European Union and common action on judicial cooperation in criminal matters under

Article 31(1)(a) of the Treaty on European Union imply a need to process the relevant

information which should be subject to appropriate provisions on the protection of personal

data.


Η ίδια η Συνθήκη επιβάλλει την εφαρμογή "κατάλληλων διατάξεων προστασίας δεδομένων" όσον αφορά την Αστυνομική και Δικαστική Συνεργασία των Κρατών σε Ποινικές Υποθέσεις. Αυτές οι διατάξεις περιέχονται στην παρούσα Απόφαση - Πλαίσιο.



(3) Legislation falling within the scope of Title VI of the Treaty on European Union should

foster police and judicial cooperation in criminal matters with regard to its efficiency as

well as its legitimacy and compliance with fundamental rights, in particular the right to

privacy and to the protection of personal data. Common standards regarding the processing

and protection of personal data processed for the purpose of preventing and combating

crime contribute to the achieving of both aims.


Η Απόφαση μνημονεύει ρητά την υποχρέωση της ΕΕ να σέβεται τα θεμελιώδη δικαιώματα και υπογραμμίζει ιδίως το δικαίωμα της ιδιωτικότητας και της προστασίας των προσωπικών δεδομένων. Το ζήτημα είναι να βρεθούν τα "κοινά πρότυπα" βάσει των οποίων θα πραγματώνονται αυτά τα δικαιώματα στο πλαίσιο της Αστυνομικής και Δικαστικής Συνεργασίας σε ποινικές υποθέσεις. 



(4) The Hague Programme on strengthening freedom, security and justice in the

European Union, adopted by the European Council on 4 November 2004, stressed the need

for an innovative approach to the cross-border exchange of law-enforcement information

under the strict observation of key conditions in the area of data protection and invited the

Commission to submit proposals in this regard by the end of 2005 at the latest. This was

reflected in the Council and Commission Action Plan implementing the Hague Programme

on strengthening freedom, security and justice in the European Union1.



(5) The exchange of personal data within the framework of police and judicial cooperation in

criminal matters, notably under the principle of availability of information as laid down in

the Hague Programme, should be supported by clear rules enhancing mutual trust between

the competent authorities and ensuring that the relevant information is protected in a way

that excludes any discrimination in respect of such cooperation between the Member States

while fully respecting fundamental rights of individuals. Existing instruments at the

European level do not suffice; Directive 95/46/EC of the European Parliament and of the

Council of 24 October 1995 on the protection of individuals with regard to the processing

of personal data and on the free movement of such data does not apply to the processing of

personal data in the course of an activity which falls outside the scope of Community law,

such as those provided for by Title VI of the Treaty on European Union, nor, in any case,

to processing operations concerning public security, defence, state security or the activities

of the State in areas of criminal law.


Αναγνωρίζεται λοιπόν ότι η Οδηγία 95/46 ως κοινοτικό νομοθέτημα δεν εφαμρμόζεται στον τρίτο πυλώνα και γι' αυτό χρειαζόμαστε ένα νέο νομοθέτημα.


(6) This Framework Decision applies only to data gathered or processed by competent

authorities for the purpose of the prevention, investigation, detection or prosecution of

criminal offences or the execution of criminal penalties. This Framework Decision should

leave it to Member States to determine more precisely at national level which other

purposes are to be considered as incompatible with the purpose for which the personal data

were originally collected. In general, further processing for historical, statistical or

scientific purposes should not be considered as incompatible with the original purpose of

the processing.


Η Απόφαση - Πλαίσιο δίνει ορισμένες κατευθύνσεις (όπως οι Οδηγίες του πρώτου πυλώνα) αφήνοντας τα κράτη μέλη ελεύθερα να τις υλοποιήσουν με τα ειδικά εσωτερικά νομοθετικά μέτρα που θα λάβουν. Εδώ όμως αναφέρεται ότι η Απόφαση - Πλαίσιο επιτρέπει στα Κράτη να οριοθετήσουν την "Αρχή του Σκοπού", δηλαδή σε ποια έκταση τα δεδομένα που συλλέγονται για έναν αρχικό σκοπό δεν επιτρέπεται να χρησιμοποιούνται για δευτερεύοντες σκοπούς.



(7) The scope of this Framework Decision is limited to the processing of personal data

transmitted or made available between Member States. No conclusions should be inferred

from this limitation regarding the competence of the Union to adopt acts relating to the

collection and processing of personal data at national level or the expediency for the Union

to do so in the future.


Αυτό το σημείο αποτέλεσε αφορμή για σοβαρές αντιπαραθέσεις: κατά πόσον οι διατάξεις της Απόφασης - Πλαίσιο θα δεσμεύουν τα κράτη και στον τρόπο που μεταχειρίζονται οι αστυνομίες και οι δικαστικές υπηρεσίες τους "εσωτερικά" τα προσωπικά δεδομένα ή κατά πόσον η Απόφαση - Πλαίσιο θα αφορά μόνο τα δεδομένα που "ανταλλάσσονται" μεταξύ κρατών - μελών. Τελικά αποφασίστηκε ότι η Απόφαση - Πλαίσιο δεν έχει εσωτερική εφαρμογή και αφορά μόνο το επίπεδο της συνεργασίας των κρατών μελών. Αυτό έχει σοβαρές επιπτώσεις στην ποιότητα της προστασίας των προσωπικών δεδομένων όμως: άλλα standards έχει η Ελλάδα κι άλλα λ.χ. η Μεγάλη Βρετανία. Πως είναι δυνατόν να θεωρείται ότι βελτιώνουμε την συνεργασία σε ποινικές υποθέσεις όταν άλλος βαθμός ακρίβειας επιβάλλεται από τη νομοθεσία μίας χώρας κι άλλος βαθμός ακρίβειας από την νομοθεσία άλλης χώρας; Είναι ένα θέμα που έχει επισημάνει και ο Ευρωπαίος Επόπτης Προστασίας Δεδομένων. Ωστόσο, ο αντίλογος λέει ότι η Απόφαση - Πλαίσιο ανήκει στον Τρίτο Πυλώνα, όπου δεν έχουμε τόσο στενή επέμβαση των Ευρωπαϊκών νομοθετών στα εσωτερικά των χωρών (μιλάμε για τον τομέα της δημόσιας ασφάλειας, παραδοσιακό πυρήνα της εθνικής κυριαρχίας) όσο στην παραδοσιακή Κοινοτική έννομη τάξη (όπου τα θέματα είναι εμπορικά, εργασιακά και κοινωνικοασφαλιστικά).


(8) In order to facilitate data exchanges within the Union, Member States intend to ensure that

the standard of data protection achieved in national data-processing matches that provided

for in this Framework Decision. With regard to national data processing, this Framework

Decision does not preclude Member States from providing safeguards for the protection of

personal data higher than those established in this Framework Decision.



Αυτή είναι μια σημαντική διάταξη, η οποία δεν υπάρχει με ρητή διατύπωση στην Οδηγία 95/46: τα κράτη μέλη μπορούν να θεσπίζουν αυστηρότερες εγγυήσεις για την προστασία προσωπικών δεδομένων από αστυνομίες και δικαστικές υπηρεσίες. Άρα οι διατάξεις της Απόφασης - Πλαίσιο αποτελούν ένα minimum. Θεωρώ ότι ο αριθμός (8) είναι ουσιαστικά ένα αντιστάθμισμα του αριθμού (7): η Απόφαση δεν εφαρμόζεται "εσωτερικά", αλλά στο εσωτερικό τα κράτη μέλη έχουν ουσιαστικά ως σημείο minimum προστασίας το πρότυπο της Απόφασης.


(9) This Framework Decision should not apply to personal data which a Member State has

obtained within the scope of this Framework Decision and which originated in that

Member State.

(10) The approximation of Member States' laws should not result in any lessening of the data

protection they afford but should, on the contrary, seek to ensure a high level of protection

within the Union.


Και αυτή η σκέψη είναι πολύ σημαντική: τίποτα στην Απόφαση - Πλαίσιο  δεν πρέπει να ερμηνεύεται ως υποσκάπτον το επίπεδο προστασίας προσωπικών δεδομένων που ήδη υπάρχει στα κράτη μέλη.




(11) It is necessary to specify the objectives of data protection within the framework of police

and judicial activities and to lay down rules concerning the lawfulness of processing of

personal data in order to ensure that any information that might be exchanged has been

processed lawfully and in accordance with fundamental principles relating to data quality.

At the same time the legitimate activities of the police, customs, judicial and other

competent authorities should not be jeopardised in any way.


(12) The principle of accuracy of data is to be applied taking account of the nature and purpose

of the processing concerned. For example, in particular in judicial proceedings data are

based on the subjective perception of individuals and in some cases are totally unverifiable.

Consequently, the requirement of accuracy cannot appertain to the accuracy of a statement

but merely to the fact that a specific statement has been made.


Εδώ αναγνωρίζεται ότι η αρχή της ακρίβειας των δεδομένων θα πρέπει να προσαρμοστεί στις ανάγκες της αστυνομικής και δικαστικής πρακτικής: άλλος είναι ο βαθμός ακρίβειας που μπορεί να έχουν δεδομένα που βασίζονται σε καταγραφές πραγματικών περιστατικών κι άλλος ο βαθμός ακρίβειας που μπορεί να έχουν δεδομένα που βασίζονται σε δηλώσεις.



(13) Archiving in a separate data set should be permissible only if the data are no longer

required and used for the prevention, investigation, detection or prosecution of criminal

offences or the execution of criminal penalties. Archiving in a separate data set should also

be permissible if the archived data are stored in a database with other data in such a way

that they can no longer be used for the prevention, investigation, detection or prosecution

of criminal offences or the execution of criminal penalties. The appropriateness of the

archiving period should depend on the purposes of archiving and the legitimate interests of

the data subjects. In the case of archiving for historical purposes a very long period may be

envisaged.



(14) Data may also be erased by destroying the data medium.


(15) As regards inaccurate, incomplete or no longer up-to-date data transmitted or made

available to another Member State and further processed by quasi-judicial authorities,

meaning authorities with powers to make legally binding decisions, its rectification,

erasure or blocking should be carried out in accordance with national law.


(16) Ensuring a high level of protection of the personal data of individuals requires common

provisions to determine the lawfulness and the quality of data processed by competent

authorities in other Member States.


(17) It is appropriate to lay down at the European level the conditions under which competent

authorities of the Member States should be allowed to transmit and make available

personal data received from other Member States to authorities and private parties in

Member States. In many cases the transmission of personal data by the judiciary, police or

customs to private parties is necessary to prosecute crime or to prevent an immediate and

serious threat to public security or to prevent serious harm to the rights of individuals, for

example, by issuing alerts concerning forgeries of securities to banks and credit

institutions, or, in the area of vehicle crime, by communicating personal data to insurance

companies in order to prevent illicit trafficking in stolen motor vehicles or to improve the

conditions for the recovery of stolen motor vehicles from abroad. This is not tantamount to

the transfer of police or judicial tasks to private parties.


(18) The rules in this Framework Decision regarding the transmission of personal data by the

judiciary, police or customs to private parties do not apply to the disclosure of data to

private parties (such as defence lawyers and victims) in the context of criminal

proceedings.


Εδώ υπάρχει ένας σημαντικός ερμηνευτικός κανόνας: οι περιορισμοί ανακοίνωσης δεδομένων σε ιδιώτες δεν επηρεάζουν τις ισχύουσες διατάξεις της ποινικής δικονομίας. Οι δικηγόροι και τα θύματα έχουν τις δυνατότητες που προβλέπει το ποινικό δίκαιο κι αυτά δεν μεταβάλλονται από την Απόφαση - Πλαίσιο. Να μία σημαντική διάταξη που λείπει από την Οδηγία 95/46 (και τον Ν.2472/1997), αν και συνάγεται με λίγη ερμηνευτική βία.



(19) The further processing of personal data received from, or made available by, the competent

authority of another Member State, in particular the further transmission of or making

available such data, should be subject to common rules at European level.


(20) Where personal data may be further processed after the Member State from which the data

were obtained has given its consent, each Member State should be able to determine the

modalities of such consent, including, for example, by means of a general consent for

categories of information or categories of further processing.


(21) Where personal data may be further processed for administrative proceedings, these

proceedings also include activities by regulatory and supervisory bodies.


(22) The legitimate activities of the police, customs, judicial and other competent authorities

may require that data are sent to authorities in third States or international bodies that have

obligations for the prevention, investigation, detection or prosecution of criminal offences

or the execution of criminal penalties.


(23) Where personal data are transferred from a Member State to third States or international

bodies, these data should, in principle, benefit from an adequate level of protection.


Εδώ τίθεται το ακανθώδες ζήτημα της αποστολής προσωπικών δεδομένων που αφορούν ποινικές υποθέσεις σε τρίτα κράτη (λ.χ. ΗΠΑ) ή σε διεθνείς οργανισμούς. Η αναφορά μάλλον γενική: θα πρέπει να τυγχάνουν "ικανοποιητικού επιπέδου προστασίας".


(24) Where personal data are transferred from a Member State to third States or international

bodies, such transfer should, in principle, take place only after the Member State from

which the data were obtained has given its consent to the transfer. Each Member State

should be able to determine the modalities of such consent, including, for example, by

means of a general consent for categories of information or for specified third States.


Ο βασικός κανόνας για την αποστολή προσωπικών δεδομένων σε τρίτες χώρες ή οργανισμούς είναι η συγκατάθεση. Θα πρέπει όμως να προσδιορίζονται οι "περιστάσεις" της συγκατάθεσης, δηλαδή κατά πόσον ήταν ατομική ή γενική και τι ποσοστό πληροφορία δόθηκε στους ενδιαφερόμενους πριν παράσχουν την συγκατάθεσή τους.


(25) The interests of efficient law enforcement cooperation require that where the nature of a

threat to the public security of a Member State or a third State is so immediate as to render

it impossible to obtain prior consent in good time, the competent authority should be able

to transfer the relevant personal data to the third State concerned without such prior

consent. The same could apply where other essential interests of a Member State of equal

importance are at stake, for example where the critical infrastructure of a Member State

could be the subject of an immediate and serious threat or where a Member State's

financial system could be seriously disrupted.


Μετά την καθιέρωση του κανόνα της "συγκατάθεσης", το ζητούμενο είναι πόσο υψηλά είναι τα standards των εξαιρέσεων που επιτρέπουν επεξεργασία δεδομένων χωρίς συγκατάθεση. Εδώ η Απόφαση μιλάει για την φύση της απειλής στην δημόσια ασφάλεια του κράτους μέλους ή  τ ρ ί τ ο υ  κ ρ ά τ ο υ ς. Ένα δεύτερο κριτήριο που συνέχεται με το πρώτο είναι ο χρόνος: αν πιέζει υπέρμετρα σε σχέση με τη λήψη της συγκατάθεσης, τα δεδομένα αποστέλλονται χωρίς χρονοτριβές. 


(26) It may be necessary to inform data subjects regarding the processing of their data, in

particular where there has been particularly serious encroachment on their rights as a result

of secret data collection measures, in order to ensure that data subjects can have effective

legal protection.




(27) Member States should ensure that the data subject is informed that the personal data could

be or are being collected, processed or transmitted to another Member State for the purpose

of prevention, investigation, detection, and prosecution of criminal offences or the

execution of criminal penalties. The modalities of the right of the data subject to be

informed and the exceptions thereto should be determined by national law. This may take a

general form, for example, through the law or through the publication of a list of the

processing operations.


Η ενημέρωση του προσώπου για την τύχη των δεδομένων του αποτελεί θεμελιώδη συνιστώσα στο δίκαιο των προσωπικών δεδομένων. Η Απόφαση αναγνωρίζει ότι αυτή η ενημέρωση μπορεί να προκύπτει από το ίδιο το κείμενο του νόμου ή από μια δημοσιευμένη λίστα επεξεργασιών δεδομένων.


(28) In order to ensure the protection of personal data without jeopardising the interests of

criminal investigations, it is necessary to define the rights of the data subject.


(29) Some Member States have provided for the right of access of the data subject in criminal

matters through a system where the national supervisory authority, in place of the data

subject, has access to all the personal data related to the data subject without any restriction

and may also rectify, erase or update inaccurate data. In such a case of indirect access, the

national law of those Member States may provide that the national supervisory authority

will inform the data subject only that all the necessary verifications have taken place.

However, those Member States also provide for possibilities of direct access for the data

subject in specific cases, such as access to judicial records, in order to obtain copies of own

criminal records or of documents relating to own hearings by the police services.


(30) It is appropriate to establish common rules on confidentiality and security of processing, on

liability and penalties for unlawful use by competent authorities and on judicial remedies

available to the data subject. It is, however, for each Member State to determine the nature

of its tort rules and of the penalties applicable to violations of domestic data protection

provisions.


(31) This Framework Decision allows the principle of public access to official documents to be

taken into account when implementing the principles set out in this Framework Decision.


Εδώ υπάρχει μια πολύ σημαντική οδηγία προς τον εθνικό νομοθέτη: τα κράτη πρέπει να λάβουν υπόψη όταν νομοθετήσουν την προστασία δεδομένων στον αστυνομικό τομέα ότι πρέπει να την συγκεράσουν με την αρχή της πρόσβασης στα δημόσια έγγραφα. Έτσι, από τη νομοθεσία για την προστασία προσωπικών δεδομένων, εισάγονται εμμέσως και εκ του αντιστρόφου τα δικαιώματα για πρόσβαση στα δημόσια έγγραφα. Δικαιώματα που  καταπατούνται από τον Δημόσιο Τομέα στη χώρα μας μέχρι να πεις "διαφάνεια".



(32) When necessary to protect personal data in relation to processing which by scale or by type

holds specific risks for fundamental rights and freedoms, for example processing by means

of new technologies, mechanisms or procedures, it is appropriate to ensure that the

competent national supervisory authorities are consulted prior to the establishment of filing

systems aimed at the processing of these data.


Σημαντικός κανόνας που απηχεί διάταξη της Σύστασης του 1987 του Συμβουλίου της Ευρώπης: όταν οι αστυνομίες εισάγουν νέες τεχνικές παρακολούθησης (λ.χ. κάμερες), πρέπει να έχουν προηγούμενη έγκριση από την Αρχή Προστασίας Προσωπικών Δεδομένων.




(33) The establishment in Member States of supervisory authorities, exercising their functions

with complete independence, is an essential component of the protection of personal data

processed within the framework of police and judicial cooperation between the

Member States.


Κι αυτός ο κανόνας απηχεί διάταξη της Σύστασης 1987. Στην Ελλάδα όμως, με τον Ν.3625/2007, αφαιρέθηκαν από την Αρχή Προστασίας Προσωπικών Δεδομένων οι αρμοδιότητές της ως προς την αστυνομία και τις δικαστικές υπηρεσίες. Τώρα, με την Απόφαση - Πλαίσιο, η ελληνική αυτή πρωτοτυπία θα πρέπει να καταργηθεί. Ευτυχώς που έχουμε και την Ευρωπαϊκή Ενωση να μας προστατεύει από τις νομοθετικές πρωτοτυπίες...



(34) The supervisory authorities already established in Member States under

Directive 95/46/EC should also be able to assume responsibility for the tasks to be

performed by the national supervisory authorities to be established under this

Framework Decision.


Η ίδια λοιπόν Ανεξάρτητη Αρχή που είναι αρμόδια για τα προσωπικά δεδομένα, θα πρέπει να αναγνωριστεί ως αρμόδια και για τις διατάξεις που προβλέπονται από την Απόφαση - Πλαίσιο. 


(35) Such supervisory authorities should have the necessary means to perform their duties,

including powers of investigation and intervention, particularly in cases of complaints from

individuals, or powers to engage in legal proceedings. These supervisory authorities should

help to ensure transparency of processing in the Member States within whose jurisdiction

they fall. However, their powers should not interfere with specific rules set out for criminal

proceedings or the independence of the judiciary.


Εδώ μνημονεύεται και η αρχή της διάκρισης των λειτουργιών: οι ανεξάρτητες αρχές δεν θα πρέπει να υπεισέρχονται στην περιοχή της ποινικής διαδικασίας ή να παρεμβαίνουν στο έργο της δικαιοσύνης. Αυτό όμως δεν σημαίνει πλήρη αποψίλωση των αρμοδιοτήτων των Ανεξάρτητων Αρχών στον τομέα της αστυνομίας και της δικαιοσύνης, αλλά σαφή διαχωρισμό αρμοδιοτήτων και σαφή τήρηση του ελεγκτικού ρόλου κάθε οργάνου. Το σίγουρο είναι ότι η ορθή διαχείριση των προσωπικών δεδομένων δεν μπορεί να ανατίθεται στο ίδιο πρόσωπο που προβαίνει στην επεξεργασία των δεδομένων, διότι η σύγχυση αρμοδιοτητων καταστρατηγεί τον προστατευτικό σκοπό του ευρωπαίου νομοθέτη.


(36) Article 47 of the Treaty on European Union stipulates that nothing in it is to affect the

Treaties establishing the European Communities or the subsequent Treaties and Acts

modifying or supplementing them. Accordingly, this Framework Decision does not affect

the protection of personal data under Community law, in particular as provided for in

Directive 95/46/EC, in Regulation (EC) No 45/2001 of the European Parliament and of the

Council of 18 December 2000 on the protection of individuals with regard to the

processing of personal data by the Community institutions and bodies and on the free

movement of such dataand in Directive 2002/58/EC of the European Parliament and of

the Council of 12 July 2002 concerning the processing of personal data and the protection

of privacy in the electronic communications sector (Directive on privacy and electronic

communications).


Με αυτή τη διατύπωση καθίσταται σαφές ότι η Απόφαση δεν τροποποιεί το θεσμικό πλαίσιο της προστασίας προσωπικών δεδομένων που έχει ήδη θεσμοθετηθεί στον πρώτο πυλώνα της ΕΕ.



(37) This Framework Decision is without prejudice to the rules pertaining to illicit access to

data laid down in Council Framework Decision 2005/222/JHA of 24 February 2005 on

attacks against information systems1.


(38) This Framework Decision is without prejudice to existing obligations and commitments

incumbent upon Member States or upon the Union by virtue of bilateral and/or multilateral

agreements with third States. Future agreements should comply with the rules on

exchanges with third States.


(39) Several acts, adopted on the basis of Title VI of the Treaty on European Union, contain

specific provisions on the protection of personal data exchanged or otherwise processed

pursuant to those acts. In some cases these provisions constitute a complete and coherent

set of rules covering all relevant aspects of data protection (principles of data quality, rules

on data security, regulation of the rights and safeguards of data subjects, organisation of

supervision and liability) and they regulate these matters in more detail than this

Framework Decision. The relevant set of data protection provisions of those acts, in

particular those governing the functioning of Europol, Eurojust, the Schengen Information

System (SIS) and the Customs Information System (CIS), as well as those introducing

direct access for the authorities of Member States to certain data systems of other Member

States, should not be affected by this Framework Decision. The same applies in respect of

the data protection provisions governing the automated transfer between Member States of

DNA profiles, dactyloscopic data and national vehicle registration data pursuant to the

Council Decision 2008/…/JHA of ....on the stepping up of cross-border cooperation,

particularly in combating terrorism and cross-border crime.



(40) In other cases the provisions on data protection in acts, adopted on the basis of Title VI of

the Treaty on European Union, are more limited in scope. They often set specific

conditions for the Member State receiving information containing personal data from other

Member States as to the purposes for which it can use those data, but refer for other aspects

of data protection to the Council of Europe Convention for the Protection of Individuals

with regard to Automatic Processing of Personal Data of 28 January 1981 or to national

law. To the extent that the provisions of those acts imposing conditions on receiving

Member States as to the use or further transfer of personal data are more restrictive than

those contained in the corresponding provisions of this Framework Decision, the former

provisions should remain unaffected. However, for all other aspects the rules set out in this

Framework Decision should be applied.


Με βάση αυτή τη ρήτρα, στις ειδικές περιοχές του Schengen, του Customs Information System, της Europol και της Eurojust, οι αυστηρότεροι κανόνες προστασίας δεδομένων που προβλέπονται από αυτά τα καθεστώτα κατισχύουν. Σε όλες τις υπόλοιπες περιστάσεις, κατισχύουν οι κανόνες της Απόφασης - Πλαίσιο.



(41) This Framework Decision does not affect the Council of Europe Convention for the

Protection of Individuals with regard to Automatic Processing of Personal Data, the

Additional Protocol to that Convention of 8 November 2001 or the Council of Europe

conventions on judicial cooperation in criminal matters.



Ερμηνευτική, αλλά χρήσιμη ρήτρα: η Απόφαση Πλαίσιο δεν καταργεί την Ευρωπαϊκή Σύμβαση για την προστασία προσωπικών δεδομένων, το Πρόσθετο Πρωτόκολλό της και τις συμβάσεις του Συμβουλίου της Ευρώπης για ποινικές υποθέσεις. Ισορροπία ανάμεσα σε ΕΕ και Συμβούλιο Ευρώπης.




(42) Since the objective of this Framework Decision, namely the determination of common

rules for the protection of personal data processed in the framework of police and judicial

cooperation in criminal matters, cannot be sufficiently achieved by the Member States, and

can therefore, by reason of the scale and effects of the action, be better achieved at the

Union level, the Union may adopt measures in accordance with the principle of

subsidiarity as set out in Article 5 of the Treaty establishing the European Community and

referred to in Article 2 of the Treaty on European Union. In accordance with the principle

of proportionality as set out in Article 5 of the Treaty establishing the European

Community, this Framework Decision does not go beyond what is necessary to achieve

that objective.


(43) The United Kingdom is taking part in this Framework Decision, in accordance with

Article 5 of the Protocol integrating the Schengen acquis into the framework of the

European Union annexed to the Treaty on European Union and to the Treaty establishing

the European Community, and Article 8(2) of Council Decision 2000/365/EC of

29 May 2000 concerning the request of the United Kingdom of Great Britain and

Northern Ireland to take part in some of the provisions of the Schengen acquis.


Η γνωστή - άγνωστη σχέση του Ηνωμένου Βασιλείου με το κεκτημένο Schengen...


(44) Ireland is taking part in this Framework Decision in accordance with Article 5

of the Protocol integrating the Schengen acquis into the framework of the

European Union annexed to the Treaty on European Union and to the Treaty establishing

the European Community, and Article 6(2) of Council Decision 2002/192/EC of

28 February 2002 concerning Ireland's request to take part in some of the provisions of the

Schengen acquis1.


(45) As regards Iceland and Norway, this Framework Decision constitutes a development of

provisions of the Schengen acquis within the meaning of the Agreement concluded by the

Council of the European Union and the Republic of Iceland and the Kingdom of Norway

concerning the association of those two States with the implementation, application and

development of the Schengen acquis2, which fall within the area referred to in Article 1,

points H and I of Council Decision 1999/437/EC of 17 May 1999 on certain arrangements

for the application of that Agreement3.


(46) As regards Switzerland, this Framework Decision constitutes a development of the

provisions of the Schengen acquis within the meaning of the Agreement concluded

between the European Union, the European Community and the Swiss Confederation

concerning the association of the Swiss Confederation with the implementation,

application and development of the Schengen acquis1, which fall within the area referred to

in Article 1, point H and I of Council Decision 1999/437/EC of 17 May 1999 read in

conjunction with Article 3 of Council Decision 2008/149/ECof 28 January 2008 on the

conclusion of that Agreement on behalf of the European Union.


(47) As regards Liechtenstein, this Framework Decision constitutes a development of the

provisions of the Schengen acquis within the meaning of the Protocol signed between the

European Union, the European Community, the Swiss Confederation and the Principality

of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement

between the European Union, the European Community and the Swiss Confederation on

the Swiss Confederation's association with the implementation, application and

development of the Schengen acquis, which fall within the area referred to in Article 1,

point H and I of Decision 1999/437/EC read in conjunction with Article 3 of Council

Decision 2008/262/EC of 28 February 2008 on the signature of that Protocol on behalf of

the European Union3.


(48) This Framework Decision respects the fundamental rights and observes the principles

recognised in particular by the Charter of Fundamental Rights of the European Union.


This Framework Decision seeks to ensure full respect for the rights to privacy and the

protection of personal data reflected in Articles 7 and 8 of the Charter,


HAS ADOPTED THIS FRAMEWORK DECISION:


Article 1


Purpose and scope


1. The purpose of this Framework Decision is to ensure a high level of protection of the

fundamental rights and freedoms of natural persons, and in particular their right to privacy,

with respect to the processing of personal data in the framework of police and judicial

cooperation in criminal matters, provided for by Title VI of the Treaty on European Union,

while guaranteeing a high level of public safety.


2. In accordance with this Framework Decision, Member States shall protect the fundamental

rights and freedoms of natural persons, and in particular their right to privacy when, for the

purpose of the prevention, investigation, detection or prosecution of criminal offences or

the execution of criminal penalties, personal data:


(a) are or have been transmitted or made available between Member States;


(b) are or have been transmitted or made available by Member States to authorities or to

information systems established on the basis of Title VI of the Treaty on European

Union; or


(c) are or have been transmitted or made available to the competent authorities of the

Member States by authorities or information systems established on the basis of the

Treaty on European Union or the Treaty establishing the European Community.


Άρα, δεν εφαρμόζεται σε εξ αρχής εσωτερικά προσωπικά δεδομένα που τηρούν οι αστυνομίες και οι δικαστικές υπηρεσίες, αλλά πρέπει  να έχουν τύχει -ή να επίκειται για αυτά-  κάποιας μορφής διάδοση στο πλαίσιο της συνεργασίας κρατών μελών ΕΕ σε ποινικές υποθέσεις. Για τα "εσωτερικά προσωπικά δεδομένα", εξακολουθούν να ισχύουν οι εθνικές νομοθεσίες και η Ευρωπαϊκή Σύμβαση για την προστασία προσωπικών δεδομένων του 1981.



3. This Framework Decision shall apply to the processing of personal data wholly or partly

by automatic means, and to the processing otherwise than by automatic means, of personal

data which form part of a filing system or are intended to form part of a filing system.


4. This Framework Decision is without prejudice to essential national security interests and

specific intelligence activities in the field of national security.


Επομένως, δεν εφαρμόζονται οι διατάξεις στις Εθνικές Υπηρεσίες Πληροφοριών.



5. This Framework Decision shall not preclude Member States from providing, for the

protection of personal data collected or processed at national level, higher safeguards than

those established in this Framework Decision.


'Αρα, οι εθνικές νομοθεσίες μπορούν να είναι καλύτερες από την Απόφαση - Πλαίσιο.



Article 2


Definitions


For the purposes of this Framework Decision:


(a) "personal data" mean any information relating to an identified or identifiable natural

person ("data subject"); an identifiable person is one who can be identified, directly or

indirectly, in particular by reference to an identification number or to one or more factors

specific to his physical, physiological, mental, economic, cultural or social identity;



(b) "processing of personal data" and "processing" mean any operation or set of operations

which is performed upon personal data, whether or not by automatic means, such as

collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation,

use, disclosure by transmission, dissemination or otherwise making available, alignment or

combination, blocking, erasure or destruction;


(c) "blocking" means the marking of stored personal data with the aim of limiting their

processing in future;


(d) "personal data filing system" and "filing system" mean any structured set of personal data

which are accessible according to specific criteria, whether centralised, decentralised or

dispersed on a functional or geographical basis;


(e) "processor" means any body which processes personal data on behalf of the controller;


(f) "recipient" means any body to which data are disclosed;


(g) "the data subject's consent" means any freely given specific and informed indication of his

wishes by which the data subject signifies his agreement to personal data relating to him

being processed;


Όλα τα παραπάνω είναι αντιγραφές των ορισμών της Οδηγίας 95/46: διατηρούνται οι ίδιες έννοιες για τα προσωπικά δεδομένα, την επεξεργασία δεδομένων, το αρχείο προσωπικών δεδομένων κλπ.




(h) "competent authorities" mean agencies or bodies established by legal acts adopted by the

Council pursuant to Title VI of the Treaty on European Union, as well as police, customs,

judicial and other competent authorities of the Member States that are authorised by

national law to process personal data within the scope of this Framework Decision;



(i) "controller" means the natural or legal person, public authority, agency or any other body

which alone or jointly with others determines the purposes and means of the processing of

personal data;


(j) "referencing" means the marking of stored personal data without the aim of limiting their

processing in future;


(k) "to make anonymous" means to modify personal data in such a way that details of personal

or material circumstances can no longer or only with disproportionate investment of time,

cost and labour be attributed to an identified or identifiable natural person.



Article 3


Principles of lawfulness, proportionality and purpose


1. Personal data may be collected by the competent authorities only for specified, explicit and

legitimate purposes in the framework of their tasks and may be processed only for the

same purpose for which data were collected. Processing of the data shall be lawful and

adequate, relevant and not excessive in relation to the purposes for which they are

collected.


2. Further processing for another purpose shall be permitted insofar as:


(a) it is not incompatible with the purposes for which the data were collected;


(b) the competent authorities are authorised to process such data for such other purpose in accordance with the applicable legal provisions; and


(c) processing is necessary and proportionate to that other purpose.



Η αρχή του δεσμευτικά καθορισμένου σκοπού της επεξεργασίας γνωρίζει μια πολύ σημαντική προσαρμογή στις ανάγκες της αστυνομικής και δικαστικής δράσης σε ποινικές υποθέσεις. Τα δεδομένα μπορούν να επαναχρησιμοποιηθούν για σκοπούς διαφορετικούς από αυτούς της συλλογής τους. Τίθεται όμως το αυστηρό κριτήριο: ο δευτερεύων σκοπός δεν πρέπει να είναι ασύμβατος με τον αρχικό, το επιτρέπει ο νόμος και η περαιτέρω επεξεργασία είναι αναγκαία και κατάλληλη για την εξυπηρέτηση του άλλου σκοπού. 



The competent authorities may also further process the transmitted personal data for historical,

statistical or scientific purposes, provided that Member States provide appropriate safeguards, such as making the data anonymous.





Article 4


Rectification, erasure and blocking


1. Personal data shall be rectified if inaccurate and, where this is possible and necessary,

completed or updated.


2. Personal data shall be erased or made anonymous when they are no longer required for the

purposes for which they were lawfully collected or are lawfully further processed.

Archiving of those data in a separate data set for an appropriate period in accordance with

national law shall not be affected by this provision.


3. Personal data shall be blocked instead of erased if there are reasonable grounds to believe

that erasure could affect the legitimate interests of the data subject. Blocked data shall be

processed only for the purpose which prevented their erasure.


Εδώ εισάγεται η αρχή της "δέσμευσης" έναντι της αρχής της διαγραφής των δεδομένων που δεν είναι πλέον αναγκαία. Τα δεδομένα διατηρούνται σε μια μορφή περιορισμένης προσβασιμότητας και περιορισμένης χρήσης για την περίπτωση που ενδέχεται να χρειαστεί η επανεπεξεργασίας τους. Πρέπει να υπάρχει όμως έννομο συμφέρον του υποκειμένου των δεδομένων.



4. When the personal data are contained in a judicial decision or record related to the issuance

of a judicial decision, the rectification, erasure or blocking shall be carried out in accordance with national rules on judicial proceedings.




Article 5

Establishment of time-limits for erasure and review


Appropriate time-limits shall be established for the erasure of personal data or for a periodic review of the need for the storage of the data. Procedural measures shall ensure that these time-limits are observed.


Πολύ σημαντική διάταξη που δεν έχουμε στο εσωτερικό δίκαιο -για την αστυνομία. Δεν είναι δυνατόν τα δεδομένα να τηρούνται σε φακέλους επ' άπειρον. Θα πρέπει να διαγράφονται μετά την παρέλευση χρονικού σιαστήματος.





Article 6

Processing of special categories of data


The processing of personal data revealing racial or ethnic origin, political opinions, religious or

philosophical beliefs or trade-union membership and the processing of data concerning health or

sex life shall be permitted only when this is strictly necessary and when the national law provides adequate safeguards.




Article 7

Automated individual decisions


A decision which produces an adverse legal effect for the data subject or significantly affects him

and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to the data subject shall be permitted only if authorised by a law which also lays down measures to safeguard the data subject's legitimate interests.


Aυτή η διάταξη απέχει σημαντικά από το σχετικό κεκτημένο του άρθρου 15 της Οδηγίας 95/46. Ενώ το κοινοτικό δίκαιο λέει ότι το πρόσωπο έχει δικαίωμα ένστασης σε αποφάσεις που λαμβάνονται με πλήρως αυτοματοποιημένη επεξεργασία δεδομένων του, η Απόφαση - πλαίσιο λέει ότι τα κράτη μέλη "θα θεσπίσουν διαδικασίες που να εγγυώνται τα έννομα συμφέροντα" των προσώπων. Δηλαδή αοριστίες που απέχουν σημαντικά από το κοινοτικό κεκτημένο. Κανονικά θα έπρεπε να υπάρχει κι εδώ απευθείας δικαίωμα ένστασης σε αυτοματοποιημένες αποφάσεις.




Article 8


Verification of quality of data that are transmitted or made available


1. The competent authorities shall take all reasonable steps to provide that personal data

which are inaccurate, incomplete or no longer up to date are not transmitted or made

available. To that end, the competent authorities shall, as far as practicable, verify the

quality of personal data before they are transmitted or made available. As far as possible,

in all transmissions of data, available information shall be added which enables the

receiving Member State to assess the degree of accuracy, completeness, up-to-dateness and

reliability. If personal data were transmitted without request the receiving authority shall

verify without delay whether these data are necessary for the purpose for which they were

transmitted.


Εξαιρετικά σημαντικός κανόνας: τα δεδομένα που μεταδίδονται πρέπει να συνοδεύονται από ενδείξεις για την εγκυρότητά τους και την τελευταία επικαιροποίηση.



2. If it emerges that incorrect data have been transmitted or data have been unlawfully

transmitted, the recipient must be notified without delay. The data must be rectified,

erased, or blocked without delay in accordance with Article 4.


Εδώ είναι ο δούρειος ίππος: η Απόφαση επιτρέπει κατ' ουσίαν την παράνομη μετάδοση προσωπικών δεδομένων, αλλά υποχρεώνει τις αρμόδιες αρχές να επισημαίνουν ότι αυτό έγινε παράνομα. Κατ' αποτέλεσμα, μπορούν "σαν κύριοι" να μεταδίδουν παράνομα προσωπικά δεδομένα! Απαράδεκτο.



Article 9


Time-limits


1. Upon transmission or making available of the data, the transmitting authority may in line

with the national law and in accordance with Articles 4 and 5, indicate the time-limits for

the retention of data, upon the expiry of which the recipient must erase or block the data or

review whether or not they are still needed. This obligation shall not apply if, at the time of

the expiry of these time-limits, the data are required for a current investigation, prosecution

of criminal offences or enforcement of criminal penalties.


Αυτο σημαίνει όμως ότι η εθνική νομοθεσία θα πρέπει να προβλέπει χρονικά διαστήματα επιτρεπόμενης επεξεργασίας δεδομένων. Κανόνας που σήμερα δεν ισχύει για την αστυνομία. Συνεπώς, καλοδεχούμενη η διάταξη της Απόφασης - Πλαίσιο, αλλά πως να εφαρμοστεί αφού το Προοίμιο λέει ότι οι διατάξεις δεν αφορούν τα "εσωτερικά προσωπικά δεδομενα";




2. Where the transmitting authority has not indicated a time-limit in accordance with

paragraph 1, the time-limits referred to in Articles 4 and 5 for the retention of data

provided for under the national law of the receiving Member State shall apply.


Κι εδώ υπάρχει δούρειος ίππος: αν η αποστέλλουσα κρατική υπηρεσία δεν έχει γνωστοποιήσει χρονική διάρκεια επιτρεπόμενης επεξεργασίας, εφαρμόζονται οι διατάξεις του κράτους - αποδέκτη. Δηλαδή αν η Ελλάδα στείλει στην Μ.Βρετανία, θα εφαρμοστούν οι διατάξεις της δεύτερης, επειδή εμείς ΔΕΝ ΕΧΟΥΜΕ time-limit διάταξη!!!



Article 10


Logging and documentation


1. All transmissions of personal data are to be logged or documented for the purposes of

verification of the lawfulness of the data processing, self-monitoring and ensuring proper

data integrity and security.


Ανεκτίμητης σημασίας κανόνας: τίποτε δεν αποστέλλεται αν δεν έχει προηγηθεί πρωτοκόλληση και καταγραφή των στοιχείων της αποστολής! Τέρμα δηλαδή στις off the record επικοινωνίες και διαβιβάσεις προσωπικών δεδομένων.



2. Logs or documentation prepared under paragraph 1 shall be communicated on request to

the competent supervisory authority for the control of data protection. The competent

supervisory authority shall use this information only for the control of data protection and

for ensuring proper data processing as well as data integrity and security.


Η τήρηση της διάταξης αυτής ανατίθεται στην Αρχή Προστασίας Προσωπικών Δεδομένων (competent supervisory authority for the control of data protection). Άρα, θα πρέπει να καταργηθούν οι διατάξεις του Ν.3625/2007 που εξαιρούν το πεδίο αρμοδιοτήτων της Αρχής από την αστυνομία και τις εισαγγελίες.




Article 11


Processing of personal data received from or made available by another Member State


Personal data received from or made available by the competent authority of another Member State may, in accordance with the requirements of Article 3(2), be further processed only for the

following purposes other than those for which they were transmitted or made available:


(a) the prevention, investigation, detection or prosecution of criminal offences or the execution

of criminal penalties other than those for which they were transmitted or made available;


(b) other judicial and administrative proceedings directly related to the prevention,

investigation, detection or prosecution of criminal offences or the execution of criminal

penalties;


(c) the prevention of an immediate and serious threat to public security; or



Αυτές οι τρεις κατηγορίες απόκλισης από την αρχή του δεσμευτικά καθορισμένου σκοπού επιτρέπονται χωρίς την συγκατάθεση του υποκειμένου των δεδομένων.



(d) any other purpose only with the prior consent of the transmitting Member State or with the

consent of the data subject, given in accordance with national law.


Εδώ όμως ανοίγει ένα διάπλατο παράθυρο για γενική μεταβολή του σκοπού με βάση τη συγκατάθεση!




The competent authorities may also further process the transmitted personal data for historical,

statistical or scientific purposes, provided that Member States provide appropriate safeguards, such as, for example, making the data anonymous.




Article 12


Compliance with national processing restrictions


1. Where, under the law of the transmitting Member State, specific processing restrictions

apply in specific circumstances to data exchanges between competent authorities within

that Member State, the transmitting authority shall inform the recipient of such restrictions.

The recipient shall ensure that these processing restrictions are met.


2. When applying paragraph 1, Member States shall not apply restrictions regarding data

transmissions to other Member States or to agencies or bodies established pursuant to

Title VI of the Treaty on European Union other than those applicable to similar national

data transmissions.



Article 13


Transfer to competent authorities in third States or to international bodies


1. Member States shall provide that personal data transmitted or made available by the

competent authority of another Member State may be transferred to third States or

international bodies only if:


(a) it is necessary for the prevention, investigation, detection or prosecution of criminal

offences or the execution of criminal penalties;


(b) the receiving authority in the third State or receiving international body is responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;


(c) the Member State from which the data were obtained has given its consent to transfer

in compliance with its national law; and


(d) the third State or international body concerned ensures an adequate level of protection for the intended data processing.


2. Transfer without prior consent in accordance with paragraph 1(c) shall be permitted only if

transfer of the data is essential for the prevention of an immediate and serious threat to

public security of a Member State or a third State or to essential interests of a Member

State and the prior consent cannot be obtained in good time. The authority responsible for

giving consent shall be informed without delay.


3. By way of derogation from paragraph 1(d), personal data may be transferred if:


(a) the national law of the Member State transferring the data so provides because of:


(i) legitimate specific interests of the data subject; or


(ii) legitimate prevailing interests, especially important public interests; or


(b) the third State or receiving international body provides safeguards which are deemed

adequate by the Member State concerned according to its national law.


4. The adequacy of the level of protection referred to in paragraph 1(d) shall be assessed in

the light of all the circumstances surrounding a data transfer operation or a set of data

transfer operations. Particular consideration shall be given to the nature of the data, the

purpose and duration of the proposed processing operation or operations, the State of

origin and the State or international body of final destination of the data, the rules of law,

both general and sectoral, in force in the third State or international body in question and

the professional rules and security measures which apply.


Αυτή θα είναι η νομική βάση για μετάδοση δεδομένων απο κράτη της ΕΕ προς κράτη εκτός ΕΕ, όπως λ.χ. οι ΗΠΑ. Απομένει να εκτιμηθεί κατά πόσον το επίπεδο προστασίας δεδομένων στις ΗΠΑ είναι επαρκές με "ευρωπαϊκούς" όρους, στο επίπεδο της αστυνομικής και δικαστικής πρακτικής.




Article 14

Transmission to private parties in Member States


1. Member States shall provide that personal data received from or made available by the

competent authority of another Member State may be transmitted to private parties only if:


(a) the competent authority of the Member State from which the data were obtained has consented to transmission in compliance with its national law;


(b) no legitimate specific interests of the data subject prevent transmission; and


(c) in particular cases transfer is essential for the competent authority transmitting the

data to a private party for:


(i) the performance of a task lawfully assigned to it;


(ii) the prevention, investigation, detection or prosecution of criminal offences or

the execution of criminal penalties;


(iii) the prevention of an immediate and serious threat to public security; or


(iv) the prevention of serious harm to the rights of individuals.


2. The competent authority transmitting the data to a private party shall inform the latter of

the purposes for which the data may exclusively be used.



Επιτρέπεται και η μετάδοση προσωπικών δεδομένων σε ιδιώτες. Αυτοί οι κανόνες ωστόσο δεν τροποποιούν τους ισχύοντες κανόνες ποινικής δικονομίας για τους δικηγόρους και τα θύματα, όπως αναφέρεται στο Προοίμιο της Απόφασης.



Article 15


Information on request of the competent authority


The recipient shall, on request, inform the competent authority which transmitted or made available the personal data about their processing.



Article 16


Information for the data subject


1. Member States shall ensure that the data subject is informed regarding the collection or

processing of personal data by their competent authorities, in accordance with national law.


Αυτή η διάταξη επιβάλλει επίσης την κατάργηση των διατάξεων του Ν.3625/2007 περί μη ερφαρμογής της προστασίας δεδομένων σε δικαστικές και αστυνομικές αρχές. Τα υποκείμενα πρέπει να ενημερώνονται ότι οι αστυνομίες συλλέγουν κι επεξεργάζονται προσωπικά τους δεδομένα!



2. When personal data have been transmitted or made available between Member States, each

Member State may, in accordance with the provisions of its national law referred to in

paragraph 1, ask that the other Member State does not inform the data subject. In such case

the latter Member state shall not inform the data subject without the prior consent of the

other Member State.


Εδώ υπάρχει και η εξαίρεση, η οποία όμως αφήνει εντελώς έξω τις ανεξάρτητες αρχές. Αυτή η διάταξη θα πρέπει να τροποποιηθεί, βάζοντας ρητά την αρμοδιότητα της προηγούμενης άδειας εκ μέρους της ανεξάρτητης αρχής.


Article 17


Right of access


1. Every data subject shall have the right to obtain, following requests made at reasonable

intervals, without constraint and without excessive delay or expense:


(a) at least a confirmation from the controller or from the national supervisory authority

as to whether or not data relating to him have been transmitted or made available and

information on the recipients or categories of recipients to whom the data have been

disclosed and communication of the data undergoing processing; or


(b) at least a confirmation from the national supervisory authority that all necessary

verifications have taken place.


2. The Member States may adopt legislative measures restricting access to information

pursuant to paragraph 1(a), where such a restriction, with due regard for the legitimate

interests of the person concerned, constitutes a necessary and proportional measure:


(a) to avoid obstructing official or legal inquiries, investigations or procedures;


(b) to avoid prejudicing the prevention, detection, investigation and prosecution of

criminal offences or for the execution of criminal penalties;


(c) to protect public security;


(d) to protect national security;


(e) to protect the data subject or the rights and freedoms of others.


3. Any refusal or restriction of access shall be set out in writing to the data subject.

At the same time, the factual or legal reasons on which the decision is based shall also

be communicated to him. The latter communication may be omitted where a reason under

paragraph 2(a) to (e) exists. In all of these cases the data subject shall be advised that he

may appeal to the competent national supervisory authority, a judicial authority or to a

court.


Ιδιαίτερα σημαντική διάταξη, για το δικαίωμα πρόσβασης του υποκειμένου στα δεδομένα που το αφορούν. Ένα δικαίωμα το οποίο αποστέρησε επίσης ο Ν.3625/2007.




Article 18


Right to rectification, erasure or blocking


1. The data subject shall have the right to expect the controller to fulfil its duties in

accordance with Articles 4, 8 and 9 concerning the rectification, erasure or blocking of

personal data which arise from this Framework Decision. Member States shall lay down

whether the data subject may assert this right directly against the controller or through the

intermediary of the competent national supervisory authority. If the controller refuses

rectification, erasure or blocking, the refusal must be communicated in writing to the data

subject who must be informed of the possibilities provided for in national law for lodging a

complaint or seeking judicial remedy. Upon examination of the complaint or judicial

remedy, the data subject shall be informed whether the controller acted properly or not.

Member States may also provide that the data subject shall be informed by the competent

national supervisory authority that a review has taken place.


2. If the accuracy of an item of personal data is contested by the data subject and its accuracy

or inaccuracy cannot be ascertained, referencing of that item of data may take place.


Το δικαίωμα διόρθωσης, διαγραφής ή δέσμευσης των δεδομένων αποτελεί επίσης ένα θεμελιώδες στοιχείο αυτοπροστασίας των προσωπικών δεδομένων καθενός. Κι αυτό τσεκουρώθηκε από τον Ν.3625/2007 και τώρα είναι ευκαιρία να επανέλθει. Αναρωτιέμαι βέβαια κατά πόσον αυτές οι διατάξεις είναι δυνατόν να εφαρμόζονται μόνο στα "ανταλλασσόμενα" προσωπικά δεδομένα και όχι στα "εσωτερικά" προσωπικά δεδομένα. Σκέψη, η οποία επαναφέρει το μέγα ζήτημα της εσωτερικής εφαρμογής των διατάξεων της απόφασης, όπως ζητά ο Ευρωπαίος Επόπτης Προστασίας Δεδομένων.



Article 19


Right to compensation


1. Any person who has suffered damage as a result of an unlawful processing operation or of

any act incompatible with the national provisions adopted pursuant to this Framework

Decision shall be entitled to receive compensation for the damage suffered from the

controller or other authority competent under national law.


2. Where a competent authority of a Member State has transmitted personal data, the

recipient cannot, in the context of its liability vis-à-vis the injured party in accordance with

national law, cite in its defence that the data transmitted were inaccurate. If the recipient

pays compensation for damage caused by the use of incorrectly transmitted data, the

transmitting competent authority shall refund to the recipient the amount paid in damages,

taking into account any fault that may lie with the recipient.


Σημαντική πρόβλεψη για το δικαίωμα αποζημίωσης των προσώπων που θίγονται τα προσωπικά τους δεδομένα από παράβαση των διατάξεων της απόφασης.


Article 20


Judicial remedies


Without prejudice to any administrative remedy for which provision may be made prior to referral

to the judicial authority, the data subject shall have the right to a judicial remedy for any breach of

the rights guaranteed to him by the applicable national law.



Article 21


Confidentiality of processing


1. Any person who has access to personal data which fall within the scope of this Framework

Decision may process such data only if that person is a members of, or acts on instructions

of, the competent authority, unless he is required to do so by law.


2. Persons working for a competent authority of a Member State shall be bound by all the

data protection rules which apply to the competent authority in question.


Article 22


Security of processing


1. Member States shall provide that the competent authorities must implement appropriate

technical and organisational measures to protect personal data against accidental or

unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in

particular where the processing involves the transmission over a network or the making

available by granting direct automated access, and against all other unlawful forms of

processing, taking into account in particular the risks represented by the processing and the

nature of the data to be protected. Having regard to the state of the art and the cost of their

implementation, such measures shall ensure a level of security appropriate to the risks

represented by the processing and the nature of the data to be protected.


2. In respect of automated data processing each Member State shall implement measures

designed to:


(a) deny unauthorised persons access to data processing equipment used for processing

personal data (equipment access control);


(b) prevent the unauthorised reading, copying, modification or removal of data media

(data media control);


(c) prevent the unauthorised input of data and the unauthorised inspection, modification

or deletion of stored personal data (storage control);


(d) prevent the use of automated data processing systems by unauthorised persons using

data communication equipment (user control);


(e) ensure that persons authorised to use an automated data-processing system only have

access to the data covered by their access authorisation (data access control);


(f) ensure that it is possible to verify and establish to which bodies personal data have

been or may be transmitted or made available using data communication equipment

(communication control);


(g) ensure that it is subsequently possible to verify and establish which personal data

have been input into automated data processing systems and when and by whom the

data were input (input control);


(h) prevent the unauthorised reading, copying, modification or deletion of personal data

during transfers of personal data or during transportation of data media

(transport control);


(i) ensure that installed systems may, in case of interruption, be restored (recovery);


(j) ensure that the functions of the system perform, that the appearance of faults in the

functions is reported (reliability) and that stored data cannot be corrupted by means

of a malfunctioning of the system (integrity).


3. Member States shall provide that processors may be designated only if they guarantee that

they observe the requisite technical and organisational measures under paragraph 1 and

comply with the instructions under Article 21. The competent authority shall monitor the

processor in those respects.


4. Personal data may be processed by a processor only on the basis of a legal act or a written

contract.


Article 23

Prior consultation


Member States shall ensure that the competent national supervisory authorities are consulted prior to the processing of personal data which will form part of a new filing system to be created where:


(a) special categories of data referred to in Article 6 are to be processed; or


(b) the type of processing, in particular using new technologies, mechanism or procedures,

holds otherwise specific risks for the fundamental rights and freedoms, and in particular

the privacy, of the data subject.


Εδώ επιβεβαιώνεται ο σημαντικός ελεγκτικός ρόλος των Ανεξάρτητων Αρχών Προστασίας Προσωπικών Δεδομένων, τις οποίες πρέπει να συμβουλεύονται οι αστυνομικές και δικαστικές αρχές στο πλαίσιο της συνεργασίας των κρατών μελών. Δεν συνιστά λοιπόν η διαδικασία της συνεννόησης "επέμβαση" στην ανεξαρτησία της Δικαιοσύνης!


Article 24


Penalties


Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Framework Decision and shall in particular lay down effective, proportionate and dissuasive penalties to be imposed in case of infringements of the provisions adopted pursuant to this Framework Decision.


Article 25

Νational supervisory authorities


1. Each Member State shall provide that one or more public authorities are responsible for

advising and monitoring the application within its territory of the provisions adopted by the

Member States pursuant to this Framework Decision. These authorities shall act with

complete independence in exercising the functions entrusted to them.


2. Each authority shall in particular be endowed with:


(a) investigative powers, such as powers of access to data forming the subject-matter of

processing operations and powers to collect all the information necessary for the

performance of its supervisory duties;


(b) effective powers of intervention, such as, for example, that of delivering opinions

before processing operations are carried out, and ensuring appropriate publication of

such opinions, of ordering the blocking, erasure or destruction of data, of imposing a

temporary or definitive ban on processing, of warning or admonishing the controller,

or that of referring the matter to national parliaments or other political institutions;


(c) the power to engage in legal proceedings where the national provisions adopted

pursuant to this Framework Decision have been infringed or to bring this

infringement to the attention of the judicial authorities. Decisions by the supervisory

authority which give rise to complaints may be appealed against through the courts.


3. Each supervisory authority shall hear claims lodged by any person concerning the

protection of his rights and freedoms in regard to the processing of personal data. The

person concerned shall be informed of the outcome of the claim.


4. Member States shall provide that the members and staff of the supervisory authority are

bound by the data protection provisions applicable to the competent authority in question

and, even after their employment has ended, are to be subject to a duty of professional

secrecy with regard to confidential information to which they have access.


Αυτό το άρθρο είναι αντίστοιχο με το άρθρο 28  της Οδηγίας 95/46 που υποχρεώνει τα κράτη της ΕΕ να έχουν Αρχή Προστασίας Προσωπικών Δεδομένων. Σε αυτήν την Αρχή ανατίθενται τώρα και τα  ελεγκτικά καθήκοντα που προβλέπονται από την Απόφαση Πλαίσιο.




Article 26


Relationship to Agreements with third States


This Framework Decision is without prejudice to any obligations and commitments incumbent upon Member States or upon the Union by virtue of bilateral and/or multilateral agreements with third States existing at the time of adoption of this Framework Decision.


In the application of these agreements, the transfer to a third State of personal data obtained from

another Member State, shall be carried out while respecting Article 13(1)(c) or (2), as appropriate.


Article 27


Evaluation


1. Member States shall report to the Commission by …. on the national measures they have

taken to ensure full compliance with this Framework Decision, and particularly with regard

to those provisions that already have to be complied with when data is collected. The

Commission shall examine in particular the implications of those provisions for the scope

of this Framework Decision as laid down in Article 1(2).


2. The Commission shall report to the European Parliament and the Council within one year

on the outcome of the evaluation referred to in paragraph 1, and shall accompany its report

with any appropriate proposals for amendments to this Framework Decision.



Article 28

Relationship to previously adopted acts of the Union

Where in acts, adopted under Title VI of the Treaty on European Union prior to the date of entry

into force of this Framework Decision and regulating the exchange of personal data between

Member States or the access of designated authorities of Member States to information systems

established pursuant to the Treaty establishing the European Community, specific conditions have been introduced as to the use of such data by the receiving Member State, these conditions shall take precedence over the provisions of this Framework Decision on the use of data received from or made available by another Member State.


Article 29


Implementation


1. Member States shall take the necessary measures to comply with the provisions of this

Framework Decision before ......*.

2. By the same date Member States shall transmit to the General Secretariat of the Council

and to the Commission the text of the provisions transposing into their national law the

obligations imposed on them under this Framework Decision, as well as information on the

supervisory authorities referred to in Article 25. On the basis of a report established using

this information by the Commission, the Council shall, before …**, assess the extent to

which Member States have complied with the provisions of this Framework Decision.

OJ: Please insert date two years after the adoption of this Framework Decision.

** OJ: Please insert date three years after the adoption of this Framework Decision.


Επομένως, η ΕΕ μας δίνει 2 χρόνια για να ενσωματώσουμε την Απόφαση - Πλαίσιο στο εσωτερικό δίκαιο, εισάγοντας ειδική νομοθεσία για την προστασία προσωπικών δεδομένων στο πλαίσιο της αστυνομικής / δικαστικής συνεργασίας κρατών ΕΕ σε ποινικές υποθέσεις.


Θα προλάβουμε σε 2 χρόνια;




Article 30


Entry into force


This Framework Decision shall enter into force on the twentieth day following that of its

publication in the Official Journal of the European Union.


Done at Brussels,


For the Council


The President

Δεν υπάρχουν σχόλια:

Καταδίκη για εξύβριση στο Instagram

“Fuck you rapist bastard”, έγραψε κάποιος ως σχόλιο στο Instagram κάτω από τη φωτογραφία ενός γνωστού μπλόγκερ της Ισλανδίας, την ημέρα πο...