< compliance
EU Data Protection Directive 95/46/EC

EU Directive

This directive is designed to protect the privacy and protection of all personal data collected for or about citizens of the European Union.

EU Directive: Compliant and Secure Hosting

Directive 95/46/EC is a regulatory framework, which balances the free movement of personal data and a high level of protection for the privacy of individuals within the European Union (EU). To do so, the Directive sets stringent limitations on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the supervision of any activity linked to the processing of personal data.


EU Data Protection Directive (Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. Directive 95/46/EC encompasses all key elements from Article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life, as well as in the home and in personal correspondence. The Directive is based on the 1980 OECD "Recommendations of the Council Concerning guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data."

These recommendations are founded on seven principles, since enshrined in EU Directive 94/46/EC:

  1. Notice — Data subjects should be given notice when their data is being collected.
  2. Purpose — Data should only be used for the purpose stated and not for any other purposes.
  3. Consent — Data should not be disclosed without the data subject’s consent.
  4. Security — Collected data should be kept secure from any potential abuses.
  5. Disclosure — Data subjects should be informed as to who is collecting their data.
  6. Access — Data subjects should be allowed to access their data and make corrections to any inaccurate data.
  7. Accountability — Data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

To evaluate CenturyLink's alignment with EU Data Directive criteria, customers can refer to CenturyLink's CSA CAIQ version 3.0.1 where the EU Data Directive requirements have been mapped against the CSA CCM's control framework.

Data Directive's Article 29 Working Party

Article 29 of the EU Directive establishes a "Working Party on the Protection of Individuals with regard to the processing of Personal Data." It is generally known as the “Article 29 Working Party," made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission acting in an independent and advisory capacity. The Working Party seeks to harmonize the application of data protection rules throughout the EU, and publishes opinions and recommendations on various data protection topics. It also advises the EU Commission on the adequacy of data protection standards in non-EU countries.

The Working Party negotiated with U.S. representatives about the protection of personal data and the Safe Harbor Principles were the result. According to critics, the Safe Harbor Principles do not provide for an adequate level of protection because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.

In October 2015 the European Court of Justice ruled that the Safe Harbor regime was invalid as a result of an action brought by an Austrian privacy campaigner in relation to the export of subscribers' data by Facebook's European business to Facebook in the USA. The US and European Authorities have been working on a replacement version of the Safe Harbor for 2 years but no agreement has yet been reached. Until a new Safe Harbor is agreed, model contract clauses or binding corporate rules may be used as an alternative method of ensuring that data transferred from the European Economic Area (EEA) to the USA is protected.

The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

EU "Model Contract"

The Council and the European Parliament have given the Commission of the European Community the power to decide, on the basis of Article 26 (4) of directive 95/46/EC, that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2), that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.

A 'model contract' is a general type of contract that includes specific provisions dealing with data protection, and that has been approved either by the EU Commission or by the Data Protection Commissioner. The EU-approved model contracts are in the form of blank templates, which can be filled in with the appropriate details (names of the organizations, types of personal data etc.) The EU's model contracts are available from the EU Commission website.

There are two different types of model contracts:

  • A contract to facilitate a transfer of personal data between a data controller in the EEA, and a data controller outside the EEA
  • A contract to facilitate transfer of personal data between a data controller in the EEA, and an agent or subcontractor — referred to as a 'data processor' — located outside the EEA.

The data controller located in the EEA is referred to in the contracts as a data exporter; the other party, located outside the EEA, is termed a data importer.

CenturyLink is willing to agree to the Model Clauses, subject to a review process conducted by the sales support teams. This review process allows us to vet the services in consideration for compliance, and prepare the Appendix that describes the security controls CenturyLink agrees to have in place.


Data Controller: The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Article 2(d) of the Data Protection Directive.

Being a controller carries with it serious legal responsibilities, so an organization which processes personal data should be quite clear if these responsibilities apply to it. In practice, to find out who controls the contents and use of personal information kept, an organization should ask itself the following questions:

  • Who decides what personal information is going to be kept?
  • Who decides the use and purpose to which the information will be put?
  • Who decides on the means of processing of personal data?

Data Exporter / Importer: The data controller located in the EEA is referred to in the contracts as a data exporter; the other party, located outside the EEA, is termed a data importer.

Data Processor: The natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller. Article 2(e) of the Data Protection Directive. If an organization holds or processes personal data, but does not exercise responsibility for or control over the personal data, then this organization is a "processor." Examples of processors include payroll companies, accountants, and market research companies, and call centers of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.

Personal Data: Any information relating to an identified or identifiable natural person (also referred to as the data subject). For in-house counsel normally familiar with the more US-centric concept of identifying an individual, it is critical to understand that, under the Directive, an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.

Processing: Processing of personal data is any operation or set of operations that is performed on personal data, whether by automatic means or not, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination blocking, erasure, or destruction. In practical terms, this is anything that an organization does with data.

Related Products

Cloud Servers

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.