Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Official Journal L 201 of 31/07/2002 p. 0037 – 0047

Directive 2002/58/EC of the European Parliament and of the Council

of 12 July 2002

concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty establishing the European Community, and in particular Article 95 thereof,

Having regard to the proposal from the Commission(1),

Having regard to the opinion of the Economic and Social Committee(2),

After consulting the Committee of the Regions,

Acting in accordance with the procedure laid down in Article 251 of the Treaty(3),

Whereas:

(1) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(4) requires Member States to protect the rights and freedoms of individuals with regard to the processing of personal data, and in particular their right to privacy, in order to ensure the free movement of personal data within the Community.

(2) This Directive seeks to respect fundamental rights and observes the principles recognized in particular by the Charter of Fundamental Rights of the European Union. In particular, it aims to ensure full respect for the rights set out in Articles 7 and 8 of the Charter.

(3) The confidentiality of communications is guaranteed in accordance with international human rights instruments, in particular the European Convention for the Protection of Human Rights and Fundamental Freedoms and the constitutions of the Member States.

(4) Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector(5) translated the principles set out in Directive 95/46/EC into specific rules applicable to the telecommunications sector. Directive 97/66/EC must be adapted to developments in the markets and technologies for electronic communications services in order to guarantee an equal level of protection of personal data and privacy for users of publicly available electronic communications services, regardless of the technologies used. That Directive should therefore be repealed and replaced by this Directive.

(5) New advanced digital technologies are being introduced into the Community’s public communications networks, which place specific demands on the protection of users’ personal data and privacy. The development of the information society is characterized by the introduction of new electronic communications services. Access to digital mobile networks has opened up to a wide public, at affordable conditions. These digital networks offer great capacities and possibilities for processing personal data. The successful cross-border development of these services depends in part on users’ confidence that these services will not infringe on their privacy.

(6) The Internet is overturning traditional business structures by offering a common global infrastructure for the provision of a whole range of electronic communications services. Publicly accessible electronic communications services on the Internet open up new possibilities for users, but also present new dangers for their personal data and privacy.

(7) In the case of public communications networks, specific legislative, regulatory and technical provisions should be adopted to protect the fundamental rights and freedoms of natural persons and the legitimate interests of legal persons, particularly in view of the increased capacity for automated storage and processing of subscriber and user data.

(8) The laws, regulations and technical provisions adopted by the Member States concerning the protection of personal data, privacy and the legitimate interests of legal persons in the electronic communications sector should be harmonized in order to avoid creating obstacles to the internal market for electronic communications in accordance with Article 14 of the Treaty. Harmonization should be limited to the requirements necessary to ensure that the promotion and development of new electronic communications services and networks between Member States is not hindered.

(9) Member States, suppliers and users concerned, as well as the competent Community institutions, should cooperate in the design and development of relevant technologies where this is necessary to implement the safeguards provided for in this Directive, taking particular account of the objectives of minimizing the processing of personal data and using anonymous or pseudonymous data where possible.

(10) In the electronic communications sector, Directive 95/46/EC applies in particular to all aspects of the protection of fundamental rights and freedoms which are not expressly covered by this Directive, including the obligations of the controller of personal data and individual rights. Directive 95/46/EC applies to non-public electronic communications services.

(11) Like Directive 95/46/EC, this Directive does not deal with issues of protection of fundamental rights and freedoms relating to activities which are not governed by Community law. It therefore does not alter the existing balance between the right of individuals to privacy and the possibility for Member States to take measures such as those referred to in Article 15(1) of this Directive, which are necessary for the protection of public security, defence, State security (including the economic well-being of the State in the case of activities connected with State security) and the enforcement of criminal law. Consequently, this Directive is without prejudice to the right of Member States to carry out lawful interception of electronic communications or to adopt other measures if necessary to achieve any of the above aims, in compliance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the European Court of Human Rights in its judgments. Such measures must be appropriate, strictly proportionate to the aim pursued and necessary in a democratic society. They should also be subject to appropriate safeguards, in compliance with the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(12) Subscribers to a publicly accessible electronic communications service may be natural or legal persons. By supplementing Directive 95/46/EC, this Directive aims to protect the fundamental rights of natural persons, and in particular their right to privacy, as well as the legitimate interests of legal persons. This Directive does not impose any obligation on Member States to extend the application of Directive 95/46/EC to the protection of the legitimate interests of legal persons, which is guaranteed under existing Community and national legislation.

(13) The contractual relationship between a subscriber and a service provider may provide for periodic payment or a one-off payment for the service provided or to be provided. Prepaid cards are also considered as a contract.

(14) “Location data” means the latitude, longitude and altitude of the location of the user’s terminal equipment, the direction of movement, the degree of accuracy of the location information, the identification of the network cell where the terminal equipment is located at any given time, and the time at which the location information was recorded.

(15) A communication can include any information consisting of a name, number or address, provided by the person sending the communication or the person using a connection to make the communication. Traffic data can include any translation of such information carried out by the network over which the communication is transmitted in order to carry out the transmission. Traffic data can include, among other things, data concerning routing, the duration, time or volume of a communication, the reference protocol, the location of the sender’s or recipient’s terminal equipment, the network from which the communication originates or terminates, or the start, end or duration of a connection. They can also represent the format in which the communication was routed through the network.

(16) Information which forms part of a broadcasting service provided over a public communications network is intended for a virtually unlimited number of listeners and/or viewers and does not constitute a communication within the meaning of this Directive. On the other hand, where it is possible to identify the individual subscriber or user receiving the information, as, for example, in the case of the provision of video-on-demand services, the information conveyed falls within the definition of “communication” within the meaning of this Directive.

(17) For the purposes of this Directive, the consent of a user or subscriber, whether a natural or legal person, should have the same meaning as the consent of the data subject as defined and further specified by Directive 95/46/EC. Consent may be given by any appropriate means enabling the user to indicate his or her wishes freely, specifically and in an informed manner, including by ticking a box when visiting a website.

(18) Value-added services may, for example, include advice on the most advantageous fare packages or route guidance, information on traffic conditions, weather forecasts or tourist information.

(19) The application of certain requirements relating to the presentation and restriction of calling and connected line identification and to automatic call forwarding to subscriber lines connected to analog exchanges should not be made mandatory in specific cases where such application would prove technically impossible or would require a disproportionate economic effort. It is important that interested parties are informed of such cases, and Member States should therefore communicate them to the Commission.

(20) Service providers should take appropriate measures to ensure the security of their services, if necessary in conjunction with the network provider, and should inform subscribers of the particular risks associated with a breach of network security. Such risks can affect electronic communications services provided over an open network, such as the Internet or analog mobile telephony. It is particularly important that subscribers and users of these services are fully informed by their service provider of existing security risks against which the latter has no means of action. Service providers offering publicly available electronic communications services over the Internet should inform users and subscribers of the measures they can take to secure their communications, for example by using specific types of software or encryption techniques. A service provider’s obligation to inform subscribers of certain security risks does not exempt it from immediately taking appropriate measures to remedy any new unforeseeable security risk and restore the normal level of security of the service, at its own expense. Subscriber information on security risks should be free of charge, except for nominal charges that a subscriber may incur when receiving or collecting information, for example by downloading an e-mail message. Security is assessed in the light of Article 17 of Directive 95/46/EC.

(21) Measures should be taken to prevent unauthorized access to communications in order to protect the confidentiality of communications by means of public communications networks and publicly available electronic communications services, including their content and any data relating to such communications. The national legislation of some Member States prohibits only intentional unauthorized access to communications.

(22) The prohibition of the storage of communications and related traffic data by persons other than the users or without the users’ consent is not intended to prohibit any automatic, intermediate and transitory storage of such information if such storage takes place for the sole purpose of effecting transmission in the electronic communications network, provided that the information is not stored for a longer period than is necessary for the transmission and management of traffic and that during the storage period the confidentiality of the information remains guaranteed. Insofar as it is necessary for the more efficient transmission of publicly available information to other recipients of the service at their request, this Directive shall not prevent such information from being stored for a longer period, provided that it is accessible to the public in any case and without any restriction and that any data relating to individual subscribers or users requesting it is deleted.

(23) Confidentiality of communications should also be ensured in lawful commercial transactions. If necessary, and subject to legal authorization, communications may be recorded to serve as proof of a commercial transaction. Directive 95/46/EC applies in such cases. Parties to communications should be informed of the recording before it takes place, of the reason(s) for which the communication is being recorded and of the duration of the recording storage. The recorded communication should be deleted as soon as possible and, in any case, on expiry of the legal deadline for appealing against the transaction.

(24) The terminal equipment of the user of an electronic communications network, and any information stored on that equipment, is part of the user’s private life, which must be protected under the European Convention for the Protection of Human Rights and Fundamental Freedoms. However, spyware, web bugs, hidden identifiers and similar devices can penetrate the user’s terminal without their knowledge in order to access information, store hidden information or track the user’s activities, and can seriously infringe the user’s privacy. The use of such devices should only be authorized for legitimate purposes, and should be brought to the attention of the user concerned.

(25) However, devices of this type, such as cookies, can be a legitimate and useful tool, for example to evaluate the effectiveness of a site’s design and advertising, as well as to verify the identity of users carrying out on-line transactions. Where devices of the kind referred to above, such as cookies, are intended for legitimate purposes, for example to facilitate the provision of information society services, their use should be permitted on condition that users are given clear and precise information, in accordance with Directive 95/46/EC, about the purpose of cookies or similar devices so that they are aware of the information placed on the terminal equipment they are using. Users should be able to refuse to have a cookie or similar device placed on their terminal equipment. This is particularly important in cases where users other than the original user have access to the terminal equipment and therefore to the sensitive private data stored on it. Information relating to the use of several devices to be installed on the user’s terminal equipment, as well as the right to refuse these devices, may be offered on a one-off basis during a single connection, and also cover future use that may be made of these devices during subsequent connections. Methods of communicating information, offering a right of refusal or seeking consent should be as user-friendly as possible. Access to the content of a specific site may, however, be conditional on the user knowingly accepting the installation of a cookie or similar device, if used for legitimate purposes.

(26) Subscriber data processed in electronic communications networks to establish connections and transmit information contains information about the private lives of individuals and affects the right to secrecy of their correspondence, as well as the legitimate interests of legal entities. This data may only be stored to the extent necessary for the provision of the service, billing and interconnection payments, and for a limited period of time. Any other processing of such data that the provider of the publicly available electronic communications service may wish to carry out for the marketing of electronic communications services or for the provision of value-added services may only be authorized if the subscriber has given his consent on the basis of precise and complete information provided by the provider of the publicly available electronic communications service on the nature of the other processing that he intends to carry out, as well as on the subscriber’s right not to give his consent to such processing or to withdraw his consent. Traffic data used for the marketing of communications services or for the provision of value-added services should also be erased or made anonymous once the services in question have been provided. Service providers should always keep their subscribers informed of the types of data they process, the purposes of such processing and the duration of such processing.

(27) The exact point at which transmission of a communication ends, after which traffic data must be deleted except for billing purposes, may depend on the type of electronic communications service provided. Thus, in the case of a voice telephony call, transmission ceases as soon as either of the users breaks the connection, and in the case of an e-mail, transmission ends as soon as the recipient retrieves the message, usually from his or her service provider’s server.

(28) The obligation to erase or anonymize traffic data when it is no longer required for the purpose of transmitting a communication does not conflict with procedures used on the Internet, such as the caching in the domain name system of IP addresses or of links between an IP address and a physical address, or the use of connection information to control the right of access to networks or services.

(29) Where necessary, and on a case-by-case basis, a service provider may process traffic data relating to subscribers or users in order to detect a technical fault or error in the transmission of communications. Traffic data required for billing purposes may also be processed by a service provider in order to detect and stop fraudulent use of an electronic communications service without payment.

(30) Systems developed for the provision of electronic communications networks and services should be designed to limit the amount of personal data required to a strict minimum. Any activity that is part of the provision of an electronic communications service and goes beyond the simple transmission of a communication or its billing should be based on aggregated traffic data that cannot be attributed to individual subscribers or users. If this activity cannot be based on aggregated data, it should be considered a value-added service, for which the subscriber’s consent is required.

(31) Whether consent is required from the user or the subscriber before personal data can be processed to provide a given value-added service will depend not only on the data to be processed and the type of service to be provided, but also on whether or not it is technically, procedurally and contractually possible to distinguish the individual using an electronic communications service from the natural or legal person who has subscribed to it.

(32) Where the provider of an electronic communications service or value-added service subcontracts the processing of personal data necessary for the provision of such services, such subcontracting and the resulting data processing should fully comply with the requirements of Directive 95/46/EC as regards those responsible for the control and processing of personal data. Where, to enable the provision of a value-added service, traffic or location data are transmitted by an electronic communications service provider to a value-added service provider, the subscribers or users to whom such data relate should also be fully informed of such transmission before consenting or not to the processing of such data.

(33) The introduction of itemized billing has improved the subscriber’s ability to check the accuracy of the amounts billed by the service provider, but at the same time risks compromising the privacy of users of publicly available electronic communications services. Therefore, in order to protect the privacy of users, Member States should encourage the development, in the field of electronic communications services, of options such as new payment formulas allowing anonymous or strictly private access to publicly available electronic communications services, e.g. calling cards and credit card payment facilities. For the same purpose, Member States may require operators to offer their subscribers another type of itemized bill on which a certain number of digits of the called number have been removed.

(34) With regard to calling line identification, it is necessary to protect the caller’s right to prevent the presentation of the identification of the line from which the call is made, as well as the called party’s right to refuse calls from unidentified lines. In specific cases, it is justified to prevent the presentation of calling line identification from being suppressed. Some subscribers, particularly help lines and similar organizations, have an interest in guaranteeing the anonymity of their callers. With regard to the identification of the connected line, it is necessary to protect the right and legitimate interest of the called party to prevent the presentation of the identification of the line to which the caller is actually connected, particularly in the case of forwarded calls. Providers of publicly available electronic communications services should inform their subscribers of the existence of calling and connected line identification on the network, as well as of all services offered on the basis of calling and connected line identification and of the possibilities offered for the protection of privacy. This will enable subscribers to make an informed choice about the privacy options available to them. The privacy options available for each line do not have to be available as an automatic network service, but can be obtained on request from the provider of the publicly available electronic communications service.

(35) In mobile communications networks, location data indicating the geographical position of the mobile user’s terminal equipment is processed to enable communications transmission. These data are traffic data covered by Article 6 of this Directive. However, mobile digital networks may also have the capacity to process location data that is more precise than is required for the transmission of communications, and which is used for the provision of value-added services such as personalized traffic information and driver guidance services. The processing of such data for the provision of value-added services should only be permitted where subscribers have given their consent. Even then, subscribers should have a simple way of temporarily prohibiting the processing of location data, free of charge.

(36) Member States may provide for a limitation of the user’s or subscriber’s right to privacy with regard to calling line identification where this is necessary to determine the origin of malicious calls and with regard to calling line identification and location data where this is necessary to enable the emergency services to intervene as effectively as possible. For these purposes, Member States may adopt specific measures authorizing electronic communications service providers to make available calling line identification and location data without the prior consent of the user or subscriber concerned.

(37) It is important to protect subscribers from any inconvenience caused by the automatic forwarding of calls by other people. In addition, in such cases, subscribers must be able to stop the transfer of forwarded calls to their terminals simply by sending a request to the provider of the publicly available electronic communications service.

(38) Directories of subscribers to electronic communications services are widely distributed and publicly available. In order to protect the privacy of natural persons and the legitimate interests of legal entities, subscribers must be able to determine whether their personal data should be published in a directory, and if so, which data should be made public. Suppliers of public directories should inform the subscribers who will be included in these directories of the purposes for which they are drawn up and of any particular use which may be made of electronic versions of public directories, in particular by means of search functions integrated into the software, such as reverse search functions which enable users of a directory to find the name and address of a subscriber from a simple telephone number.

(39) The party collecting personal data from subscribers should be responsible for informing them of the purposes for which public directories containing their personal data are drawn up. If such data may be transmitted to one or more third parties, the subscriber should be informed of this possibility and of the recipients or categories of recipients. Such transmission should only be possible if it is guaranteed that the data cannot be used for purposes other than those for which they were collected. If the party who collected the data from the subscriber or any third party to whom it has been transmitted wishes to use it for other purposes, said party or said third party must again obtain the subscriber’s consent.

(40) It is important to protect subscribers against any violation of their privacy by unsolicited communications made for the purposes of direct marketing, in particular by means of automatic calling machines, faxes and e-mails, including short messages (SMS). While these forms of unsolicited commercial communication may be relatively easy and inexpensive to send, they can impose a burden and/or cost on the recipient. Moreover, in some cases their sheer volume can pose a problem for electronic communications networks and terminal equipment. In the case of these forms of unsolicited communications for the purposes of direct marketing, it is justified to require the sender to obtain the recipient’s prior consent before sending them. The single market calls for a harmonized approach in this area, so that companies and users alike can benefit from simple, Community-wide rules.

(41) In the context of an existing customer-supplier relationship, it is reasonable to authorize the company which, in accordance with Directive 95/46/EC, obtained the electronic contact details, and only that company, to use these electronic contact details to offer the customer similar products or services. When electronic contact details are collected, customers should be clearly and distinctly informed of their subsequent use for direct marketing purposes, and given the option of objecting to such use. This option should continue to be offered with every subsequent direct marketing message, free of charge apart from the cost of transmitting the refusal.

(42) There are other forms of direct marketing which are more onerous for the sender and impose no financial burden on the subscriber or user, such as personal telephone calls, and which could justify the establishment of a system enabling subscribers and users to indicate that they do not wish to receive such calls. In order not to lower existing levels of privacy protection, Member States should nevertheless be allowed to maintain national systems and only authorize calls to subscribers or users who have given their prior consent.

(43) To facilitate the effective implementation of Community rules on unsolicited direct marketing messages, it is important to prohibit the sending of unsolicited direct marketing messages under a false identity, a false reply address or a false number.

(44) Some e-mail systems allow subscribers to view the sender’s name and the subject of an e-mail message, as well as to delete the message without having to download the rest of the contents of the message or any attachments, thus reducing the cost of downloading an unsolicited e-mail or attachment. In some cases, such arrangements may continue to prove useful as a complementary tool to the general requirements set out in this Directive.

(45) This Directive is without prejudice to the provisions which the Member States adopt to protect the legitimate interests of legal persons with regard to unsolicited communications for the purposes of direct marketing. Where Member States establish an opt-out register for the communications in question addressed to legal entities, primarily professional users, the provisions of Article 7 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce)(6) apply in full.

(46) Functionalities enabling the provision of electronic communications services may be integrated into the network or into any element of the user’s terminal equipment, including software. The protection of the personal data and privacy of the user of publicly available electronic communications services should be independent of the configuration of the different elements necessary for the provision of the service and the distribution of the required functionalities between these elements. Directive 95/46/EC applies to all forms of personal data processing, whatever the technology used. The existence of rules specific to electronic communications services alongside general rules applying to other elements necessary for the provision of these services may not facilitate the protection of personal data and privacy in a technologically neutral way. It may therefore be necessary to adopt measures requiring manufacturers of certain types of equipment used for electronic communications services to incorporate safeguards in their products to ensure the protection of personal data and the privacy of users and subscribers. The adoption of such measures in accordance with Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity(7) will ensure that the introduction of certain technical features of electronic communications equipment, including software, to ensure data protection is harmonized to be compatible with the implementation of the internal market.

(47) Where the rights of users and subscribers are not respected, national legislation should provide for judicial remedies. Penalties should be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken pursuant to this Directive.

(48) It is useful, within the scope of this Directive, to draw on the experience gained by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, composed of representatives of the supervisory authorities designated by each Member State, set up by Article 29 of Directive 95/46/EC.

(49) In order to facilitate compliance with this Directive, certain specific provisions are necessary for the processing of data in progress on the date of entry into force of the national provisions transposing this Directive into the domestic law of the Member States,

HAVE ADOPTED THIS DIRECTIVE:

Article 1

Scope and purpose

1. This Directive harmonizes the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector and the free movement of such data and of electronic communications equipment and services within the Community.

2. The provisions of this Directive shall specify and supplement Directive 95/46/EC for the purposes set out in paragraph 1. They also provide for the protection of the legitimate interests of subscribers who are legal entities.

3. This Directive shall not apply to activities which do not fall within the scope of the Treaty establishing the European Community, such as those referred to in Titles V and VI of the Treaty on European Union, and, in any event, to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security) or the activities of the State in areas of criminal law.

Article 2

Definitions

Unless otherwise specified, the definitions set out in Directive 95/46/EC and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)(8) shall apply for the purposes of this Directive.

The following definitions also apply:

a) “user”: any natural person using a publicly available electronic communications service for private or business purposes without necessarily being a subscriber to that service;

b) “traffic data”: all data processed for the purpose of routing a communication via an electronic communications network or for billing purposes;

c) “location data”: any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a publicly available electronic communications service;

d) “communication”: any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include information that is conveyed as part of a broadcasting service to the public via an electronic communications network, except to the extent that a link can be established between the information and the identifiable subscriber or user receiving it;

e) “call”: a connection established by means of a publicly available telephone service enabling two-way communication in real time;

f) the “consent” of a user or subscriber corresponds to the “consent of the data subject” in Directive 95/46/EC;

g) “value-added service”: any service which requires the processing of traffic or location data, excluding data which is not essential for the transmission of a communication or its billing;

h) “electronic mail”: any message in the form of text, voice, sound or image sent via a public communications network which may be stored on the network or in the recipient’s terminal equipment until retrieved by the recipient.

Article 3

Services concerned

1. This Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community.

2. Articles 8, 10 and 11 apply to subscriber lines connected to digital exchanges and, where this is technically possible and does not require a disproportionate economic effort, to subscriber lines connected to analog exchanges.

3. Where it is technically impossible to comply with the requirements of Articles 8, 10 and 11 or where this would require a disproportionate economic effort, Member States shall inform the Commission.

Article 4

Security

1. The provider of a publicly available electronic communications service shall take appropriate technical and organizational measures to ensure the security of its services, where necessary in conjunction with the provider of the public communications network as regards network security. Given the latest technical possibilities and the cost of their implementation, these measures shall ensure a level of security appropriate to the existing risk.

2. Where there is a specific risk of a breach of network security, the provider of a publicly available electronic communications service shall inform subscribers of that risk and, if the measures that can be taken by the provider of the service do not enable the risk to be averted, of any possible means of remedying it, including an indication of the likely cost.

Article 5

Confidentiality of communications

1. Member States shall ensure, through national legislation, the confidentiality of communications by means of a public communications network and publicly available electronic communications services, as well as the confidentiality of related traffic data. In particular, they shall prohibit anyone other than users from listening to, intercepting or storing communications and related traffic data, or subjecting them to any other means of interception or surveillance, without the consent of the users concerned, except where that person is legally authorized to do so, in accordance with Article 15(1). This paragraph does not prevent the technical storage necessary for the routing of a communication, without prejudice to the principle of confidentiality.

2. Paragraph 1 shall not affect the legally authorized recording of communications and related traffic data, when carried out in the context of lawful business practice, in order to provide evidence of a commercial transaction or any other commercial communication.

3. Member States shall ensure that the use of electronic communications networks to store information or to access information stored in the terminal equipment of a subscriber or user is permitted only on condition that the subscriber or user is provided, in compliance with Directive 95/46/EC, with clear and comprehensive information, inter alia, on the purposes of the processing, and that the subscriber or user has the right to refuse such processing by the data controller. This provision does not prevent technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication via an electronic communications network, or as strictly necessary for the provision of an information society service expressly requested by the subscriber or user.

Article 6

Traffic data

1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when they are no longer required for the transmission of a communication, without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).

2. Traffic data required for subscriber invoicing and interconnection payments may be processed. Such processing is permitted only until the end of the period during which the invoice can be legally contested or legal action taken to obtain payment.

3. In order to market its electronic communications services or to provide value-added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for the provision or marketing of those services, provided that the subscriber or user to whom the data relate has given his consent. Users or subscribers may withdraw their consent to the processing of traffic data at any time.

4. The service provider must inform the subscriber or user of the types of traffic data processed and the duration of such processing for the purposes referred to in paragraph 2 and, before obtaining their consent, for the purposes referred to in paragraph 3.

5. The processing of traffic data carried out in accordance with the provisions of paragraphs 1, 2, 3 and 4 must be restricted to persons acting under the authority of providers of public communications networks and publicly available electronic communications services who are responsible for billing or traffic management, responding to customer requests, detecting fraud and marketing electronic communications services or providing a value-added service; such processing must be limited to what is necessary for such activities.

6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for the competent bodies to have traffic data communicated to them in accordance with the legislation in force for the purpose of settling disputes, in particular concerning interconnection or billing.

Article 7

Detailed billing

1. Subscribers have the right to receive non-itemized invoices.

2. Member States shall apply national provisions in order to reconcile the rights of subscribers receiving itemized bills with the right to privacy of calling users and called subscribers, for example by ensuring that such users and subscribers have sufficient additional privacy-enhancing arrangements for communications or payments.

Article 8

Presentation and restriction of calling and connected line identification

1. Where presentation of calling line identification is offered, the service provider must provide the calling user with a simple means, free of charge, of preventing the presentation of calling line identification on a call-by-call basis. The calling subscriber must have this option for each line.

2. In cases where presentation of calling line identification is offered, the service provider must offer the called subscriber, by a simple means and free of charge for reasonable use of this function, the possibility of preventing presentation of calling line identification for incoming calls.

3. In cases where presentation of calling line identification is offered and where calling line identification is presented before the call is established, the service provider must offer the called subscriber, by a simple means, the possibility of refusing incoming calls when the calling user or subscriber has prevented the presentation of calling line identification.

4. Where presentation of the connected line identification is offered, the service provider must offer the called subscriber, by a simple means and free of charge, the possibility of preventing the presentation of the connected line identification to the calling user.

5. Paragraph 1 shall also apply to calls from the Community to third countries. Paragraphs 2, 3 and 4 also apply to incoming calls from third countries.

6. Member States shall ensure that, where presentation of calling and/or connected line identification is offered, providers of publicly available electronic communications services inform the public of this fact and of the possibilities provided for in paragraphs 1, 2, 3 and 4.

Article 9

Location data other than traffic data

1. Where location data, other than traffic data, relating to users or subscribers of public communications networks or publicly available electronic communications services may be processed, they shall only be processed after they have been rendered anonymous or with the consent of the users or subscribers, to the extent and for the duration necessary for the provision of a value-added service. The service provider must inform users or subscribers, before obtaining their consent, of the type of location data other than traffic data that will be processed, the purposes and duration of such processing, and whether or not the data will be transmitted to a third party for the purpose of providing the value-added service. Users or subscribers may withdraw their consent to the processing of location data other than traffic data at any time.

2. Where users or subscribers have given their consent to the processing of location data other than traffic data, they must retain the possibility of temporarily prohibiting the processing of such data for each connection to the network or for each communication transmission, by a simple means and free of charge.

3. The processing of location data other than traffic data in accordance with paragraphs 1 and 2 must be restricted to persons acting under the authority of the provider of the public communications network or publicly available electronic communications service or of the third party providing the value-added service, and must be limited to what is necessary to ensure the provision of the value-added service.

Article 10

Exemptions

Member States shall ensure that transparent procedures govern the means by which the provider of a public communications network or a publicly available electronic communications service may override:

a) the elimination of the presentation of calling line identification, on a temporary basis, when a subscriber requests the identification of malicious or nuisance calls; in this case, in accordance with domestic law, the data allowing the identification of the calling subscriber will be retained and made available by the provider of a public communications network and/or a publicly available electronic communications service;

b) the elimination of the presentation of calling line identification and the temporary prohibition or lack of consent of a subscriber or user with regard to the processing of location data, on a per-line basis, for organizations in charge of handling emergency calls and recognized as such by a Member State, including police, ambulance and fire departments, for the purpose of responding to such calls.

Article 11

Call forwarding

Member States shall ensure that any subscriber has the possibility, by a simple means and free of charge, of stopping the automatic forwarding of calls by a third party to his terminal.

Article 12

Subscriber directories

1. Member States shall ensure that subscribers are informed, free of charge and prior to registration, of the purposes of printed or electronic directories of subscribers available to the public or consultable via directory enquiry services, in which their personal data may be included, and of any other possibility of use based on search functions integrated into electronic versions of directories.

2. Member States shall ensure that subscribers are given the opportunity to decide whether and which of their personal data should be included in a public directory, insofar as such data are relevant to the function of the directory in question as established by the directory provider. They also ensure that subscribers can check, correct or delete this data. Non-inclusion in a public subscriber directory, verification, correction or deletion of personal data in such a directory is free of charge.

3. Member States may require that the consent of subscribers also be required for any public directory purpose other than the simple search for a person’s contact details on the basis of his name and, if necessary, a limited number of other parameters.

4. Paragraphs 1 and 2 apply to subscribers who are natural persons. Member States shall also ensure, within the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons are sufficiently protected as regards their entry in public directories.

Article 13

Unsolicited communications

1. The use of automated calling systems without human intervention (automatic calling machines), fax machines or electronic mail for the purposes of direct marketing may only be authorized if it is aimed at subscribers who have given their prior consent.

2. Notwithstanding paragraph 1, where, in compliance with Directive 95/46/EC, a natural or legal person has, in the context of the sale of a product or service, obtained directly from its customers their electronic contact details with a view to sending them electronic mail, that natural or legal person may use these electronic contact details for the purposes of direct marketing of similar products or services that it provides, provided that those customers are clearly and expressly given the option of objecting, free of charge and in a simple manner, to such use of the electronic contact details when they are collected and at the time of each message, in the event that they have not refused such use from the outset.

3. Member States shall take appropriate measures to ensure that, at no cost to the subscriber, unsolicited communications for the purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not authorized either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive such communications, the choice between these two solutions being governed by national legislation.

4. In all cases, it is forbidden to send electronic messages for the purposes of direct marketing by disguising or concealing the identity of the sender in whose name the communication is made, or without indicating a valid address to which the recipient may send a request that such communications cease.

5. Paragraphs 1 and 3 apply to subscribers who are natural persons. Member States shall also ensure, within the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons are sufficiently protected with regard to unsolicited communications.

Article 14

Technical specifications and standardization

1. When implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no requirements relating to specific technical characteristics are imposed on terminals or other electronic communications equipment if they would impede the placing of equipment on the market and the free movement of such equipment within and between Member States.

2. Where provisions of this Directive can be implemented only by imposing specific technical characteristics on electronic communications networks, Member States shall inform the Commission in accordance with the procedures laid down in Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services(9).

3. Where necessary, measures may be adopted to ensure that terminal equipment is constructed in a manner compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardization in the field of information technology and telecommunications(10).

Article 15

Application of certain provisions of Directive 95/46/EC

1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Articles 5 and 6, Article 8(1), (2), (3) and (4) and Article 9 of this Directive where such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society, to safeguard national security – i.e. State security – defence and public safety, or to ensure the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communications system, as provided for in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period where this is justified on one of the grounds set out in this paragraph. All measures referred to in this paragraph shall be taken in compliance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.

2. The provisions of Chapter III of Directive 95/46/EC on judicial remedies, liability and sanctions shall apply to the national provisions adopted pursuant to this Directive and to the individual rights resulting from this Directive.

3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data, set up by Article 29 of Directive 95/46/EC, shall also perform the tasks referred to in Article 30 of that Directive as regards matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.

Article 16

Transitional provisions

1. Article 12 shall not apply to editions of directories which have already been produced or marketed in paper or off-line electronic form before the entry into force of the national provisions adopted pursuant to this Directive.

2. If personal data relating to subscribers to fixed or mobile public voice telephony services have been included in a public subscriber directory in accordance with the provisions of Directive 95/46/EC and Article 11 of Directive 97/66/EC before the entry into force of the provisions of national law adopted by the Member States to comply with this Directive, the personal data of such subscribers may continue to appear in such public directory in its paper or electronic version, including versions with reverse search functions, unless such subscribers, after having been fully informed of their rights and of the purposes for which the directory is established, in accordance with Article 12 of this Directive, object.

Article 17

Transposition

1. Member States shall bring into force the provisions necessary to comply with this Directive by 31 October 2003. They shall immediately inform the Commission.

When Member States adopt these provisions, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The details of this reference are decided by the Member States.

2. Member States shall communicate to the Commission the text of the provisions of national law which they adopt in the field covered by this Directive and of any subsequent amendments to those provisions.

Article 18

Review

No later than three years after the date referred to in Article 17(1), the Commission shall submit a report to the European Parliament and the Council on the application of this Directive and its impact on economic operators and consumers, in particular as regards the provisions on unsolicited communications, taking into account the international environment. To this end, the Commission may request information from the Member States, which must be supplied without undue delay. Where appropriate, the Commission shall submit proposals to amend this Directive, taking into account the conclusions of the above report, any changes in the sector and any other proposals it may deem necessary in order to improve the effectiveness of this Directive.

Article 19

Repeal

Directive 97/66/EC is repealed with effect from the date referred to in Article 17(1).

References to the repealed Directive shall be construed as references to this Directive.

Article 20

Entry into force

This Directive shall enter into force on the day of its publication in the Official Journal of the European Communities.

Article 21

Recipients

This Directive is addressed to the Member States.

Brussels, 12 July 2002.

For the European Parliament

The Chairman

P. Cox

For the Council

The Chairman

T. Pedersen

(1) OJ C 365 E, 19.12.2000, p. 223.

(2) OJ C 123, 25.4.2001, p. 53.

(3) Opinion of the European Parliament of November 13, 2001 (not yet published in the Official Journal), Council Common Position of January 28, 2002 (OJ C 113 E, 14.5.2002, p. 39) and Decision of the European Parliament of May 30, 2002 (not yet published in the Official Journal). Council decision of June 25, 2002.

(4) OJ L 281, 23.11.1995, p. 31.

(5) OJ L 24, 30.1.1998, p. 1.

(6) OJ L 178, 17.7.2000, p. 1.

(7) OJ L 91, 7.4.1999, p. 10.

(8) OJ L 108, 24.4.2002, p. 33.

(9) OJ L 204, 21.7.1998, p. 37. Directive amended by Directive 98/48/EC (OJ L 217, 5.8.1998, p. 18).

(10) OJ L 36, 7.2.1987, p. 31. Decision last amended by the 1994 Act of Accession.