Italy: Privacy Challenges in Marketing Practices: European (Over)Ruling of the Use of Personal Data?*

Last Updated: 4 March 2011

Article by Felix Hofer1,2

1. In order to promote their products and services effectively marketers need extensive information about the subjects they're dealing with or they'd like to target for future business. Technical progress requires such information to be more and more sophisticated: in order to perform a successful campaign it's crucial to know as much as possible and in detail about targeted companies, individuals, categories, industry sectors, shopping habits, consumer profiles, gender, race, age, location, financial capacity and health conditions.

That's the reason why nowadays 'data' has become the most valuable 'raw material' in the modern economy. That is also the reason why marketers' techniques for approaching target subjects have become extremely complex and rely on top level technology.

Marketers' business nowadays involves practices such as behavioral-, contextual-, location- and mobile marketing; it extends way beyond (earlier) traditional media, reaching out to the on-line communities (virtual worlds, social networks, blogs, discussion forums, etc.) and makes use of advanced technological tools – especially in the area of neuromarketing - such as Radio Frequency Identification (RFID), Functional Magnetic Resonance Imaging (fMRI), Steady State Topography (SST), Facial Coding and Galvanic Skin Response3. And yes, cookies are still immensely popular and widely used.

2. Practices that dwell so deep into an individual's personal sphere, do monitor his habits and profile many aspects of his personality, are also capable to cause data subject's annoyance and opposition.

More and more frequently we find reports in the news – both in Europe as well as in other geographic regions around the world - about clashes between aggressive marketing techniques and privacy concerns. Nevertheless I feel that the exact dimension and the real terms of this problem are still not correctly perceived. Any time I mention this issue among my colleagues and friends in the US, I face a rather annoyed reaction, usually accompanied by the objection that the 'sacrifice' of giving up a bit of privacy is largely compensated by the multiple benefits one receives from allowing the processing of personal data. When I try to insist and to make my point, my interlocutor generally labels me as 'one of those consumer protection advocates'.

This personal experience is an illuminating example of a patent misperception of a problem, which – if not correctly assessed - could put marketers into serious trouble.

3. First of all, foreign companies not familiar with the European approach to processing of personal data and with the laws and regulations governing such practice need to realize that on this side of the Atlantic 'privacy' has little to do with consumer protection: the issue at stake (and the interest considered by legislation) is not that of avoiding "harm" to consumers, but that of granting individuals a fundamental right, which benefits from protection at a maximum (i. e. constitutional) level.

The Charter of Fundamental Rights of the European Union4 clearly states (in Article 8 on 'Protection of personal data') that "1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority".

Well ahead of the Treaty of Lisbon many countries, members to the European Union, had in their national Constitutions identical or similar provisions, meant to assure adequate protection to an individual's private sphere5. The reasons for such an approach are to be found in the historical context surrounding World Wars I and II. In other terms, the 'fundamental right reference' puts the guarantees for an individual's personal data in the same league as freedom of speech and First Amendment protection. Therefore no surprise that infringement of some of the most relevant provisions governing the processing of personal data are sanctioned not just by fines, but also under criminal law.

Any time marketers processing personal information do not give adequate consideration to this aspect and its implications, they may easily find themselves exposed to critical situations and to significant risks for their business practices.

There are a few things marketers ought to bear in mind when crossing the Ocean and addressing the EU's plus 550 million consumers market. Without pretending to result exhaustive and just focusing on the very basic aspects the following comments try to summarize some of the most significant legal implications for companies doing business on an international level.

4. The starting point for a correct privacy policy are clearly the principles laid down in the so-called 'Data Protection Directive'6. While recognizing the importance of data-processing systems and of data-flow without excessive obstacles, these principles also claim that handling of an individuals' personal information has to "respect their fundamental rights and freedoms, notably the right to privacy".

Accordingly the Directive requires7 all personal data to be:

  • processed fairly and lawfully,
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes,
  • adequate, relevant and not excessive in relation to the purposes for which they are collected,
  • accurate and, where necessary, kept up to date,
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected, and

Establishes8 that personal data may be processed legitimately only if the data subject has unambiguously given his consent, or processing is necessary:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or
  • for compliance with a legal obligation to which the controller is subject, or
  • in order to protect the vital interests of the data subject, or
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or
  • for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1.

5. This initial framework was then completed by the ePrivacy Directive9 (amended and integrated in year 200910), which extends the requirements set by the '95 Directive to "publicly available electronic communications services in public communications networks". This additional Directive clarifies that "Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms"11 and enlightens about the limits of legitimate use of cookies12. Finally, it gives indications as to the collection, use and storage both of 'traffic data' as well as of 'location data'13 and provides for measures specifically aimed at granting data security and confidentiality of communications14.

Under the provisions of this Directive companies making use of cookies were held to: (a) provide targeted subjects with clear in-advance indications about the installation of cookies on user's terminal as well as about their function and purposes, (b) achieve users' consent for placing cookies, and (c) inform them about their possibility to refuse cookies' placement on their terminal and about the browser settings apt to exercise such blocking right15.

6. This earlier 'notice and choice' regime for the use of cookies is now subject to changes introduced by the so-called 'cookie' Directive16, which is due to be implemented by the EU member states no later than by May 25th, 2011.

The amending provisions contain several rather challenging principles and recommendations to providers as well as binding provisions apt to significantly affect marketing practices.

As to the first aspect the amending Directive no. 136 of 2009:

  • claims for proper notice to customers with respect to their rights concerning information contained in subscriber directories (and the purposes of such directories) and for adequate measures in order to safeguard the personal information of (fixed and mobile) end users collected in databases17,
  • reminds that 'traffic data', if "controlled" by providers of security technologies and services, are subject to the requirements of Directive no. 46 of 199518 ,
  • while acknowledging the importance and the unquestionable benefits of "new applications based on devices for data collection and identification" such as Radio Frequency Identification Devices, requires that their use has to result 'acceptable' to the targeted individuals and must ensure individual's fundamental rights, inclusive that to privacy and data protection19,
  • insists20on the fact that all providers of publicly available electronic communications services should immediately report any data breach they become aware of and notify without delay all subscribers and individuals adversely affected by such breach,
  • alerts21 about the risks involved by the use of "software surreptitiously monitoring actions of the user or subverting the operation of the user's terminal equipment to the benefit of a third party (spyware)" and therefore calls for a "a high and equal level of protection of the private sphere of users ... to be ensured, regardless of whether unwanted spying programmes or viruses are inadvertently downloaded via electronic communications networks or are delivered and installed in software distributed on other external data storage media, such as CDs, CD-ROMs or USB keys",
  • informs third parties wishing ".. to store information on the equipment of a user, or to gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses)" that they need to provide users ".. with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access"22, and finally
  • feels23 that "safeguards provided for subscribers against intrusion into their privacy by unsolicited communications for direct marketing purposes by means of electronic mail should also be applicable to SMS, MMS and other kinds of similar applications",

As to the binding provisions the most worrying aspect appears to be the "opt-in" mechanism apparently contained in the amended version of Section 5/324 of the previous Directive no. 58 of 2002. The new wording seems to present marketers with a true nightmare scenario: under the earlier version of the Directive it was possible to place a cookie and then to seek for consent, according to a strict reading of the amended text now placement of a cookie should be allowed only after having obtained targeted subject's (informed) in-advance consent25.

The only exception to this general rule would be permitted when storage of (or access to) personal information:

  1. is performed exclusively in order to carry out the transmission of a communication over an electronic communications network; or
  2. results necessary for providing an information society service specifically requested by the subscriber or user.

It goes without saying that a strictly opt-in oriented requirement for placing cookies would determine simply "devastating" effects not just for the marketing industry, but to websites in general (commercial and non-commercial ones), almost all relying on (and making use of) cookies.

7. With respect to data processing the direct marketing industry needs to consider also some additional aspects.

7.1. Already back in year 2008 the Article 29 Working Party26 had reminded27 Internet companies operating search engines that in its view the provisions of the Data Protection Directive no. 46 of 1995 did "apply to the processing of personal data by search engine providers in many cases, even when their headquarters are outside the EEA" and that multinational search engine providers were subject to the national laws governing the handling of personal information (aside from the case where they had an 'establishment' in a country member to the EU), when a "company makes use of equipment, automated or otherwise on the territory of that Member State, for the purposes of processing personal data (for example, the use of a cookie)" 28. A further confirmation of the Working Party's position may be found in Opinion 1/200929 informing search engines, once more, about its convincement that:

  • "beyond all doubt that the processing of traffic data falls within the scope of the Data Protection Directive",
  • unless a service provider "is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side" (reference is to "additional identifiers such as cookies").

7.2. A few month later the Working Party, while offering its contribution30 to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, took the view that "The technological developments have strengthened the risks for individuals' privacy and data protection and to counterbalance these risks, the principle of 'Privacy by Design' should be introduced in the new framework: privacy and data protection should be integrated into the design of Information and Communication Technologies" 31 and claimed that privacy should 'become embedded in ICT', while additionally stressing that "Under the Lisbon Treaty, data protection has gained significant importance. Not only has the Charter of Fundamental Rights of the European Union become binding but – also Article 16 of the Treaty on the Functioning of the European Union (TFEU) was introduced as a new legal basis for data protection applicable to all processing of personal data, in the private and in the public sector, including the processing in the area of police and judicial cooperation and common foreign and security policy".

7.3. In year 2009 social networks have also come under the Working Party's scrutiny. In an Opinion32 dedicated to sector specific problems the Working Party offered its comments (and guidelines) on how and to which extent social networks are affected by the principles laid down in the Data Protection Directives, on which requirements and obligations social networks are held to comply with33 and on which user rights have to be adequately granted by the platform providers34. A special section of the WP's opinion is dedicated to direct marketing35, recognized as "an essential part of the SNS business model", but also required to "comply with relevant provisions of both Data Protection and ePrivacy Directive".

7.4. To round off the issue it should be mentioned that back in 2010 the Working Party had issued an extensive Opinion36 on the topic of online behavioral advertising (resulting in user tracking mechanisms and profile construction37) and its privacy implications. While the paper does not question the multiple advantages and economic benefits offered by such practice, it does flag serious concern about the possibility of such practice being performed "at the expense of individual's rights to privacy and protection of personal data".

In order to provide harmonized guidance to network providers making use of behavioral targeting the Opinion offers a number of indications, according to which:

  • both, placing of cookies or similar devices on users' terminal equipment as well as obtaining information through such devices may legitimately occur only on 'user's informed consent',
  • current browser settings and op-out systems may not adequately fulfill such consent requirement (especially when bypassing users' choice is possible),
  • network providers should put in place proper in-advance opt-in mechanism "requiring an affirmative action by the subjects indicating their willingness to receive cookies and similar devices and the subsequent monitoring of their surfing behavior for the purpose of serving tailored advertising",
  • consent to cookie placement may imply users' acceptance of its reading and of the monitoring their browsing habits,
  • for keeping users' aware about monitoring being performed providers should: "(i) limit in time the scope of consent, (ii) offer the possibility of revoke it easily, and (iii) create visible tools where the monitoring takes place" 38.

On the premise that behavioral advertising implies the use of 'identifiers' capable of elaborating "very detailed user profiles, which in most cases will be deemed personal data", the Working Party:

  • reminds providers that profiles achieved may easily result subject to the provisions of the Data Protection Directive no. 95/46 and specifically to those relating to adequate in-advance notice about processing purposes, access to and rectification, erasure and retention of data,
  • takes the position that, given the nature and characteristics of such practice, it's essential to targeted individuals having adequate transparency requirements granted.39

7.5. The fact that the European Data Protection Supervisor40 has addressed all the aspects mentioned above on several occasions clearly shows how intense the focus of the EU Institutions is on privacy implications.

In a speech delivered at Future Internet Assembly41 the EDPS highlighted the "privacy implications of ICT and new services: social networks, search engines, RFID tags, browsers, targeted advertising, cloud computing.." and voiced his concern about potential negative structural effects likely to be derived – if not timely and properly addressed – in the context of ".. more complex environments, such as the collection of data through Internet, mobile devices, RFID, etc"42.

8. To conclude this excursus on privacy regulations in Europe a few comments on some critical aspects foreign companies should bear in mind when directing their business and promotional strategies towards Europe.

8.1. Up till now in the context of the discussion about the opt-in requirement for cookies it seems to have gone somehow unnoticed that the new text of Section 5/3 of the ePrivacy Directive43 refers to 'information' about users, which is clearly a different – and much broader - definition than that of 'personal data'. Section 5/3 therefore seems to result in a sort of 'general provision' meant to cover (and protect) an area of users' private sphere extending beyond the context of the rights and guarantees typically reserved to an individual's personal data.

8.2. There is an additional aspect which deserves proper attention: user monitoring and profiling essentially do originate from information collected by placing cookies or similar devices on an end-users' terminal. This means that 'processing' of data is performed (at least partially) in the place where user's technical equipment is located. From such premise derive necessarily several interesting – and highly worrying – effects and consequences as to jurisdiction and applicable law.

8.3. Advertisers usually display their commercial campaigns on their own websites and have mechanisms in place allowing click-through analysis. Based on elaborating information about surfing behavior, they then frequently perform in 'profiling' and determining interest groups, segments or sector specific information (those fond of country music, teenagers aged between X and Y loving a certain product or service, minors being already parents of children, etc.). Under European privacy regulations advertisers, by elaborating and categorizing information in such a way, easily may found themselves considered as 'data controllers' (as such subject to a range of provisions contained in the EU Directive no. 95/46). They'll be better off by knowing exactly which requirements and prescriptions they should comply with, especially when profiling results on 'categorizing' with respect to sensitive personal data.

Network providers or online publishers will also be held as 'data controllers' any time they perform in elaborating on their platforms the personal information collected from third parties.

8.4. One should also bear in mind that the EU Directive no. 95/46 establishes a basic principle according to which personal data legitimately collected for certain purposes may not destined to 'secondary uses'. Ad networks typically tend to perform multiple services among companies part to the group. In addition, frequently such networks come up with new services or application for which information collected in the context of behavioral advertising is immensely valuable. Unfortunately, in most cases sharing such information – and integrating and adapting it – for new services or application without fulfillment of the in-advance notice and consent requirements will result in an illicit practice.

The same goes for excessive data storage: data retention over the period and the purposes covered by the initial (legitimate) collection is not allowed.


* This paper was prepared as a handout to the audience the Advertising Law & Public Policy Conference 2011 organized by the Association of National Advertisers - ANA in Washington DC, on March 15th & 16th, 2011.

1. Felix Hofer is a named and founding partner of the Italian law firm Studio Legale Associato Hofer Lösch Torricelli, in Firenze (50132), via Giambologna 2/rosso; he may be reached through the following contact details: Phone +39.055.5535166, Fax +39.055.578230 – e-mail: (personal) or (firm e-mail).

2. Member for Italy of the Global Advertising Lawyers Alliance (GALA),

3. To tell it right, most of the technology has been around and tested for decades; what's changed is their use in the area of marketing and the quality both, of the technical devices as well as of the software applications used to the purpose.

4. In its current version the Treaty of Lisbon entered into force on 1 December 2009.

5. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed on January 28th, 1981 in Strasbourg by the member States of the Council of Europe already anticipated - and addressed – some of the issues currently in discussion.

6. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.

7. See Section no. 6/1 of the Directive.

8. See Section no. 7 of the Directive.

9. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

10. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009.

11. So Recital 24 of the Premises of Directive no. 58 of 2002, where it's also stated that "So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned".

12. According to Recital 25 "... such devices, for instance so-called 'cookies', can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose".

13. See Sections nos. 6 and 9 of Directive no. 58 of 2002.

14. See Sections nos. 4 and 5 of Directive no. 58 of 2002.

15. Section 5/3 of the ePrivacy Directive no. 58 of 2002 rules that "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

16. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

17. So Recitals nos. 33 and 38. According to Recital 59 all data controllers should implement ".. appropriate technical and organisational protection measures against, for example, loss of data".

18. Implying an obligation of "preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems" (Recital 53).

19. Additionally, "when such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), including those on security, traffic and location data and on confidentiality, should apply" (Recital 56).

20. See Recital 61.

21. So Recital 65

22. See Recital 66, also recommending that "The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application".

23. So Recital 67.

24. Article 5(3) shall be replaced by the following: "3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

25. Where 'informed consent' means that users have also to be provided with comprehensive and easy to understand information about all the purposes which collected data will be processed for. Subsequently, if a purpose changes for whatever reason, an additional consent will have to be sought.

26. An independent EU Advisory Body (set up by Directive 95/46/EC) for providing expert opinion from member state level to the EU Commission on questions of data protection, promoting harmonized application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities, advising the EU Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy.

27. So Opinion 1/2008 – WP 148 - on data protection issues related to search engines adopted on April 4th, 2008.

28. In previous Opinion 4/2007 - WP 136 - of 20th June 2007 (on the concept of 'personal data') it had already made clear that an individual's search history, IP addresses and cookies had to be considered as "data relating to an identifiable person" any time identification is possible by relying on reasonable means likely to be used.

29. WP 159, issued on February 10th, 2009 with respect to the draft text of Directive no. 136/2009.

30. WP 168 of December 1st, 2009.

31. Where "the application of such principle would emphasize the need to implement privacy enhancing technologies (PETs), 'privacy by default' settings and the necessary tools to enable users to better protect their personal data (e.g., access controls, encryption). It should be a crucial requirement for products and services provided to third parties and individual customers (e g. WiFi-Routers, social networks and search engines). In turn, it would give DPAs more powers to enforce the effective implementation of such measures" (see page 13, point no. 48).

32. Opinion 5/2009 – WP 163 - on on-line social networking, adopted on 12 June 2009.

33. E. g. as to indications about providers' identity, information about purposes and ways of data uses, warnings about privacy risks related to data posting, availability of privacy-friendly default settings, copyright and minors' protection, respect of other data subjects' rights, handling of abandoned accounts.

34. Among them inclusive an easy-to-use complaint handling procedure and user's possibility of adopting pseudonyms.

35. Section 3.7, which addresses contextual, segmented and behavioral marketing. I restrain from reporting extensively on the legal issues referring to social networks as this was dealt with in a paper prepared for the ANA Advertising Law & Public Policy Conference 2010; the paper is available on my law firm's website (at the URL:, in the "News" Section.

36. Opinion 2/2010 - WP 171 – adopted on June 22nd, 2010.

37. The Working Party describing such practices offers the following as its definition of 'profiling mechanism': "Whereas contextual advertising and segmented advertising use 'snap shots' of what data subjects view or do on a particular web site or known characteristics of the users, behavioural advertising potentially gives advertisers a very detailed picture of a data subject's online life, with many of the websites and specific pages they have viewed, how long they viewed certain articles or items, in which order, etc.", see Introduction, Section no. 2 of the Opinion no. 2/2010.

38. See Executive Summary on page 3 of Opinion no. 2/2010.

39. The Working Party makes the assumption that "in the context of behavioural advertising users may not know or understand the technology that supports behavioural advertising or even that such types of advertising are being targeted at them" and therefore holds that "it is therefore of paramount importance to ensure that sufficient and effective information is provided in a way that will reach internet users. Only if data subjects are informed, will they be in a position to exercise their choices" (so Opinion no. 2/2010, page 17, Section 4.2.

40. The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. It does so by: monitoring the EU administration's processing of personal data, advising on policies and legislation that affect privacy, and co-operating with similar authorities to ensure consistent data protection.

41. In Ghent, on December 16th, 2010.

42. The views of the EDPS are also explained in a recent article "Data protection in the information society", authored by the Chair of the Institution, Mr. Peter J. Hustinx, and published in the collection "Massificatie in het privaatrecht", Essays marking the bicentenary of the society Iustitia et Amicitia, Deventer, 2010, pp. 77-91. In addition I'd suggest checking the Opinion issued by the EDPS on January 14th, 2011. All documents may be accessed on the EDPS website at the URL:

43. Directive no. 58 of 2002, as amended by Directive no. 136 of 2009.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Mondaq Advice Centre (MACs)
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.