Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Official Journal No. L 201 of 31/07/2002 p. 0037 - 0047
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, in particular Article 95,
Having regard to the proposal of the Commission(1),
Having regard to the opinion of the Economic and Social Committee(2),
After consulting the Committee of the Regions,
Acting in accordance with the procedure laid down in Article 251 of the Treaty(3),
Whereas:
(1) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(4) requires Member States to protect the rights and freedoms of natural persons with regard to the processing of personal data, and in particular to ensure the protection of privacy in order to ensure the free flow of personal data in the Community.
(2) This Directive seeks to respect the fundamental rights and principles expressed, in particular, in the Charter of Fundamental Rights of the European Union. In particular, this Directive seeks to ensure full respect for the rights set out in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
(3) Confidentiality of communications shall be ensured in accordance with international instruments relating to human rights, in particular the European Convention for the Protection of Human Rights and Fundamental Freedoms, and the constitutions of the Member States.
(4) Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector(5) translated the principles set out in Directive 95/46/EC into specific rules for the telecommunications sector. Directive 97/66/EC should be adapted to developments in the markets and technologies for electronic communications services in order to provide an equal level of protection of personal data and privacy for users of publicly available electronic communications services, regardless of the technologies used. Directive 97/66/EC should therefore be repealed and replaced by this Directive.
(5) New advanced digital technologies are currently being introduced in public communications networks in the Community which impose specific requirements with regard to the protection of personal data and user privacy. The development of the information society is characterized by the introduction of new electronic communication services. Access to digital mobile networks has become available and affordable to a wide public. These digital networks have great capacities and possibilities for processing personal data. The successful cross-border development of these services depends in part on the confidence of users that their privacy will be respected.
(6) The Internet is replacing traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services. Widely available electronic communication services over the Internet offer users new opportunities, but also pose new risks to the protection of their personal data and privacy.
(7) Specific legal, regulatory and technical provisions should be adopted for public communications networks in order to protect the fundamental rights and freedoms of natural persons and the legitimate interests of legal persons from, in particular, the ever-increasing possibilities associated with the automated storage and processing of data relating to subscribers and users.
(8) Legal, regulatory and technical provisions adopted by the Member States concerning the protection of personal data, privacy and the legitimate interests of legal persons in the electronic communications sector should be harmonized in order to avoid obstacles to the establishment of the internal market for electronic communications, in accordance with Article 14 of the Treaty. Harmonization should be limited to requirements necessary to ensure that the promotion and development of new electronic communications services and networks between Member States are not hindered.
(9) The Member States, providers and users concerned, as well as the competent Community bodies, should cooperate in introducing and developing the necessary technologies where this is necessary to achieve the safeguards provided by this Directive, taking into account, in particular, the objective of limiting the processing of personal data to the greatest extent possible and of using anonymous or pseudonymous data wherever possible.
(10) In the electronic communications sector, Directive 95/46/EC applies, in particular to all matters concerning protection of fundamental rights and freedoms which are not specifically covered by the provisions of this Directive, including the obligations on the controller and the rights of individuals. Directive 95/46/EC applies to non-public communication services.
(11) Like Directive 95/46/EC, this Directive does not apply to matters relating to the protection of fundamental rights and freedoms related to activities which are not governed by Community law. Accordingly, it does not alter the existing balance between the right of individuals to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, which are necessary for the protection of public security, defense, State security (including the economic well-being of the State when the activity relates to State security) and the enforcement of criminal law. Consequently, this Directive does not affect the possibility for Member States to carry out lawful interception of electronic communications or to adopt other measures when necessary for any of the above purposes, provided that in doing so they respect the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted in the rulings of the European Court of Human Rights. Such measures shall be appropriate for, and strictly proportionate to, the intended purpose and necessary in a democratic society and shall contain adequate safeguards in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms.
(12) Subscribers to a publicly available electronic communications service may be natural or legal persons. This Directive, which complements Directive 95/46/EC, seeks to protect the fundamental rights of natural persons, and in particular their right to privacy, as well as the legitimate interests of legal persons. It does not oblige Member States to extend the scope of Directive 95/46/EC to the protection of the legitimate interests of legal persons, which protection is ensured under existing Community and national law.
(13) The contractual relationship between a subscriber and a service provider may involve periodic or one-time payment for the service provided or to be provided. Prepaid cards are also considered a contract.
(14) Location data may refer to the latitude, longitude and altitude of the user's terminal equipment, the direction of travel, the degree of accuracy of the location data, the identification of the network cell in which the terminal equipment is located at a given time, and the time at which the location data is stored.
(15) A communication may include naming, numbering or addressing data provided by the sender of a communication or by the user of a connection to establish the communication. When these data are transformed by the network over which the communication is transmitted to establish the transmission, they are also included in traffic data. Traffic data may include data relating to the routing, duration, time or volume of a communication, the protocol used, the location of the terminal equipment of the sender or receiver, the network on which the communication begins or ends, the beginning, end or duration of the connection; it may also exist in the format in which a communication is transmitted by the network.
(16) Information from a broadcasting service transmitted over a public communications network is intended for a potentially unlimited audience and does not constitute a communication within the meaning of this Directive. However, in cases where the individual subscriber or user receiving such information can be identified, for example in the case of video-on-demand services, the information conveyed falls within the definition of communication for the purposes of this Directive.
(17) In this Directive, "consent of a user or subscriber", regardless of whether the latter is a natural or legal person, should have the same meaning as "consent of the data subject" as defined and further specified in Directive 95/46/EC. Consent may be given by any means enabling the user to freely give a specific and informed indication of his wishes, including by clicking on a box when visiting an Internet website.
(18) Value-added services may include, for example, advice on the cheapest fare packages, route guidance, traffic information, weather reports, tourist information.
(19) The application of certain requirements relating to the presentation and restriction of calling and connected line identification and the automatic call forwarding of calls from subscriber numbers connected to analogue exchanges should not be made mandatory in specific cases where this proves to be technically impossible and requires a disproportionate economic effort. Given the interest of interested parties to be informed of such cases, Member States should notify them to the Commission.
(20) Service providers should take the necessary measures to ensure the security of their services, if necessary together with the network provider, and should inform subscribers of any particular risks concerning the breach of network security. Such risks may arise in particular for electronic communications services over an open network such as the Internet or analog mobile telephony. It is particularly important for subscribers and users of such services to be fully informed by their service provider of existing security risks that are of such a nature that the service provider cannot remedy them themselves. Service providers offering publicly available electronic communications services over the Internet should inform users and subscribers of measures they can take to protect the security of their communications, for example by using specific types of software or encryption technologies. The requirement to notify subscribers of particular security risks does not relieve a service provider of the obligation to take, at its own expense, appropriate and immediate measures to avoid new unforeseen security risks and restore the usual level of security of the service. The provision of security risk information to the subscriber should be free of charge, apart from any minor costs borne by the subscriber for receiving or collecting the information, for example by downloading an electronic message. Security is assessed in the light of Article 17 of Directive 95/46/EC.
(21) Measures should be taken to prevent unauthorized access to communications in order to protect the confidentiality of communications by means of public communications networks and publicly available electronic communications services, both with regard to the contents themselves and to data relating to those communications. The national legislation of some Member States prohibits only intentional unauthorized access to communications.
(22) The prohibition of storage of communications and the related traffic data by persons other than the users or without their consent is not intended to prohibit any automatic, intermediate and transient storage of this information in so far as this storage is for the sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed. Where this is necessary for making more efficient the onward transmission of publicly accessible information to other recipients of the service upon their request, this Directive shall not prevent such information from being stored for longer periods, provided that, in any event, it is accessible to the public without restriction and that data concerning the individual subscribers or users requesting such information are erased.
(23) Confidentiality of communications must also be ensured in legitimate business dealings. Where necessary and permitted by law, communications may be recorded as evidence of a commercial transaction. Directive 95/46/EC applies to such processing. The parties to the communication should be informed of the recording, its purpose and the duration of storage prior to recording. The stored communication should be deleted as soon as possible, but in any case after the end of the period during which the transaction may be challenged in court.
(24) Terminal equipment of users of electronic communications networks and information stored in such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web taps, hidden identifiers and other similar software can enter the user's terminal without the user's knowledge in order to access information, store hidden information or trace the user's activities and may seriously intrude on the privacy of those users. The use of such software should only be allowed for legitimate purposes with the knowledge of the users concerned.
(25) However, such software, for instance so-called cookies, can be a legitimate and useful tool, for example, for investigating the effectiveness of website design and advertising, and for determining the identity of users engaged in on-line transactions. Where such devices, for example cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information, in accordance with Directive 95/46/EC, about the purposes of cookies or similar devices, which ensures that the user is aware that information is being placed on the terminal equipment he is using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important in situations where other users also have access to the terminal equipment and thus to data stored on that equipment that contains privacy-sensitive information. The information and the right of refusal may be provided once during the same connection for the use of the various software intended to be installed on users' terminal equipment and then also applies to any further use of that software during subsequent connections. The manner in which information is given, a right of refusal is offered or permission is requested shall be as user-friendly as possible. Access to specific content of a website may still be conditional on knowingly accepting a cookie or similar device, if used for a legitimate purpose.
(26) Subscriber data processed in electronic communications networks to establish connections and transfer information contain information about the private lives of natural persons and concern the right to respect for their correspondence or the legitimate interests of legal persons. Such data may be stored only to the extent necessary for providing the service, for billing and for interconnection payments, and only for a limited time. Any further processing of such data that the provider of the publicly available electronic communications service may wish to perform for the purpose of marketing its electronic communications services or for the provision of value-added services is only permissible if the subscriber has consented thereto on the basis of precise and full information from the provider of the publicly available electronic communications service as to the further processing it intends to perform on the data and as to the subscriber's right not to allow such processing or to withdraw consent thereto. Traffic data used for marketing communications services or for the provision of value-added services must also be erased or anonymized after the provision of the service. Service providers must always inform their subscribers of the types of data they process, what they do it for and for how long.
(27) The exact time of the completion of the transmission of a communication, after which traffic data - except for billing purposes - must be erased, may depend on the type of electronic communications service provided. For example, for a voice call the transmission is completed as soon as one of the users terminates the connection, for electronic mail as soon as the addressee collects the message, usually from the server or its service provider.
(28) The obligation to erase or anonymize traffic data when it is no longer needed for the transmission of communications is not incompatible with similar procedures on the Internet, such as caching in the domain name system of IP addresses, caching of IP addresses to physical addresses, or the use of log in information to control the right of access to networks or services.
(29) The service provider may process traffic data relating to subscribers and users where necessary in individual cases in order to detect technical defects or errors in the transmission of communications. Traffic data necessary for billing purposes may also be processed by the provider to detect and stop fraud in the form of non-payment for the use of the electronic communications service.
(30) Systems for electronic communications networks and services should be designed in such a way as to limit personal data to the minimum necessary. Activities related to the provision of electronic communications services beyond the transmission of communications and their billing should be based on aggregated traffic data that cannot be associated with subscribers or users. If these activities cannot be based on aggregated data, they should be classified as value-added services requiring subscriber consent.
(31) Whether consent for the processing of personal data with a view to offering a particular value-added service must be obtained from the user or from the subscriber depends on the data to be processed, the service to be offered, and the technical, procedural and contractual possibility of distinguishing between a person using an electronic communications service and a natural or legal person who is a subscriber.
(32) Where the provider of an electronic communications service or a value added service subcontracts to another entity the processing of personal data necessary for the provision of such services, such subcontracting and the resulting data processing should be carried out in accordance with the rules laid down in Directive 95/46/EC with respect to the controllers and processors of personal data. Where the provision of a value added service requires traffic or location data to be forwarded by an electronic communications service provider to a provider of value added services, the subscribers or users to whom the data relate should also be fully informed of this forwarding before giving their consent for the processing of the data.
(33) The introduction of itemized billing offers subscribers better possibilities to verify the accuracy of the amounts charged by the service provider, but may at the same time threaten the privacy of the users of publicly available electronic communications services. Therefore, in order to safeguard the privacy of users, Member States should encourage the development of electronic communications services to which are attached options such as alternative payment facilities guaranteeing anonymous or strictly personal access to publicly available electronic communications services, for example telephone cards and credit card payment options. For the same purpose, Member States may require service providers to offer their subscribers a different type of itemized bill in which some digits of the called number are omitted.
(34) With regard to calling line identification, it is necessary to protect the right of the calling party to withhold the presentation of calling line identification and the right of the called party to reject unidentified calls. Overriding the elimination of calling line identification in specific cases is justified. Certain subscribers, such as helplines and similar entities, have an interest in ensuring the anonymity of callers. It is necessary, as far as calling line identification is concerned, to protect the right and legitimate interests of the called party to block the presentation of the identification of the number with which the caller is connected, in particular in the case of forwarded calls. The providers of publicly available electronic communications services must inform their subscribers of the existence of calling and connected line identification in the network, as well as of all services offered on the basis of calling and connected line identification, and of the privacy options available. Users can then make an informed choice as to which privacy protection options they wish to use. The privacy options offered on a per-line basis need not necessarily be available as an automatic network service, but must be obtainable upon ordinary request to the provider of the publicly available electronic communications service.
(35) In digital mobile networks, location data relating to the geographical position of the mobile user's terminal equipment are processed to enable the transmission of communications. Such data are traffic data, which are addressed in Article 6 of this Directive. In addition, however, digital mobile networks may have the ability to process location data that are more precise than necessary for the transmission of communications and are used for the provision of value-added services, such as services providing individualized traffic information and driver guidance services. The processing of such data for value-added services should be allowed only when subscribers have given their consent. Even when subscribers have given their consent, they should have a simple method to temporarily disable the processing of location data free of charge.
(36) Member States may restrict the rights of users and subscribers to privacy regarding calling line identification where it is necessary to trace nuisance calls and regarding calling line identification and location data where it is necessary to allow emergency services to perform their functions as effectively as possible. For these purposes, Member States may adopt specific provisions authorizing providers of electronic communications services to provide access to calling line identification and location data without the prior consent of the users or subscribers concerned.
(37) Safeguards should be provided for subscribers against the nuisance that may be caused by automatic call forwarding by others, and in such cases subscribers should be able to ensure, by simple request to the provider of the publicly available electronic communications service, the blocking of forwarded calls to their terminal equipment.
(38) Directories of subscribers to electronic communications services are widely distributed and publicly available. The right to privacy of natural persons and the legitimate interests of legal persons means that subscribers should be able to determine themselves whether their personal data are included in a directory and, if so, which ones. Providers of public directories should inform subscribers to be included in such directories of the purposes of the directory and of any particular use that can be made of electronic versions of public directories, in particular through search functions included in the software, such as reverse search functions that allow users to find the name and address of a subscriber on the basis of the telephone number only.
(39) The obligation to inform subscribers of the purposes of public directories in which their personal data will be included rests with the party collecting the data for inclusion. If the data may be transmitted to one or more third parties, the subscriber should be informed of this possibility and of the recipient or categories of possible recipients. Any transmission must be conditional on the data not being used for purposes other than those for which it was collected. If the party collecting the subscriber's data or a third party to whom the data have been transmitted wishes to use the data for a different purpose, the consent of the subscriber must again be obtained, either by the party originally collecting the data or by the third party to whom the data have been transmitted.
(40) Safeguards should be provided to subscribers against invasion of their privacy by unsolicited communications for the purposes of direct marketing, in particular by means of automated calling machines, faxes and e-mails, including SMS messages. The transmission of such unsolicited commercial communications can be relatively easy and inexpensive and, on the other hand, impose a burden and/or cost on the recipient. Sometimes the volume of such communications may also create difficulties for electronic communications networks and terminal equipment. With regard to such unsolicited communications for direct marketing, it is justified that recipients must first give their explicit consent before such communications are addressed to them. The internal market requires a harmonized approach to provide simple, Community-wide rules for businesses and users.
(41) Within the context of an existing customer relationship, it is reasonable to allow the use of electronic data for offering similar products or services, but only by the undertaking which has obtained such data, in accordance with Directive 95/46/EC. Where electronic data are obtained, the customer should be clearly and separately informed about their use for direct marketing and given the opportunity to prohibit such use. That opportunity should continue to be given to the customer free of charge, excluding any costs for communicating his prohibition, with each subsequent direct marketing message.
(42) Other forms of direct marketing which are more costly for the sender and impose no financial costs on subscribers and users, such as person-to-person voice telephony calls, may justify the maintenance of a system allowing subscribers or users to indicate that they do not wish to receive such calls. Nevertheless, in order to avoid compromising the current level of privacy protection, Member States should have the right to maintain national systems under which such calls may only be made to subscribers and users who have given their prior consent.
(43) In order to make the Community rules on unsolicited communications for direct marketing more effective, the use of false identities or false return addresses or numbers when sending unsolicited communications for direct marketing should be prohibited.
(44) A number of electronic mail systems allow subscribers to view and delete the sender and subject matter of their electronic mail without having to download the rest of the content of the electronic mail or attachments, thereby reducing the costs that could result from downloading unsolicited electronic mail or attachments. These modalities may remain useful in certain cases as a complementary tool to the general obligations established by this Directive.
(45) This Directive is without prejudice to arrangements made by Member States to protect the legitimate interests of legal persons with respect to unsolicited communications for direct marketing purposes. Where Member States establish an opt-out register for such communications to legal persons, primarily business users, the provisions of Article 7 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce)(6) are fully applicable.
(46) The functions for the provision of electronic communications services may be integrated in the network or in (part of) the user's terminal equipment, including software. The protection of the personal data and privacy of the user of publicly available electronic communications services should be independent of the configuration of the various components necessary for the provision of the service and of the way in which the necessary functions are distributed between those components. Directive 95/46/EC covers all forms of processing of personal data, regardless of the technology used. The existence of specific rules for electronic communications services alongside general rules for other components necessary for the provision of such services may hamper the protection of personal data and privacy in a technologically neutral way. It may therefore be necessary to adopt measures to require manufacturers of certain types of electronic communications services equipment to construct their products in such a way as to incorporate safeguards that ensure that the personal data and privacy of the user and subscriber are protected. The adoption of such measures in accordance with Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity(7) will ensure that the introduction of technical characteristics of electronic communication equipment, including software, for the purpose of data security is done in a harmonized way, so as to be compatible with the implementation of the internal market.
(47) Where the rights of users and subscribers are not respected, national legislation should provide for judicial remedies. Penalties should be provided for all persons, whether governed by public or private law, who fail to comply with national measures taken under this Directive.
(48) It is appropriate for the scope of this Directive to draw on the experience of the Working Party on the Protection of Individuals with regard to the Processing of Personal Data composed of representatives of the supervisory authorities of the Member States set up by Article 29 of Directive 95/46/EC.
(49) In order to facilitate compliance with the provisions of this Directive, certain specific arrangements are required for the processing of data already under way on the date on which the national implementing provisions adopted pursuant to this Directive enter into force,
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Scope and objective
1. This Directive harmonizes Member States' regulations necessary to ensure an equivalent level of protection of fundamental rights and freedoms - in particular the right to privacy - with respect to the processing of personal data in the electronic communications sector and to ensure the free movement of such data and of electronic communications equipment and services in the Community.
2. For the purposes of paragraph 1, the provisions of this Directive specify and complement Directive 95/46/EC. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.
3. This Directive shall not apply to activities which are not covered by the EC Treaty, such as those referred to in Titles V and VI of the Treaty on European Union, and in any case to activities related to public security, defense, State security (including the economic well-being of the State when the activity is related to State security) and the activities of the State in the area of criminal law.
Article 2
Definitions
Unless otherwise provided, the definitions in Directive 95/46/EC of the European Parliament and of the Council and Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)(8) shall apply.
In addition, the following terms are used in this Directive:
(a) "user" means a natural person who uses a publicly available electronic communications service for private or business purposes without necessarily subscribing to that service;
(b) "traffic data" means data processed for the transmission of communications over an electronic communications network or for billing purposes;
(c) "location data" means data processed in an electronic communications network that indicates the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
(d) "communication" means information exchanged or transmitted between a finite number of parties by means of a publicly available electronic communications service. This does not include information transmitted over an electronic communications network by means of a broadcasting service, except where the information can be related to the identifiable subscriber or user receiving the information;
(e) "call" means a connection established by means of a publicly available telephone service that allows two-way communication in real time;
(f) "consent" of a user or subscriber means consent of the data subject within the meaning of Directive 95/46/EC;
(g) "value-added service" means a service that requires the processing of traffic data or location data other than traffic data, beyond what is necessary for the transmission of a communication or its billing;
(h) "e-mail" means a text, voice, sound or image message sent over a public communications network that may be stored in the network or in the recipient's terminal equipment until retrieved by the recipient.
Article 3
Services involved
1. This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services over public communications networks in the Community.
2. Articles 8, 10 and 11 shall apply to subscriber lines connected to digital exchanges and, where technically feasible and not requiring disproportionate economic resources, to subscriber lines connected to analogue exchanges.
3. Cases in which it is technically infeasible or requires disproportionate economic resources to comply with the requirements of Articles 8, 10 and 11 shall be notified by the Member States to the Commission.
Article 4
Security
1. The provider of a publicly available electronic communications service shall take appropriate technical and organizational measures to safeguard the security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. These measures shall ensure a level of security appropriate to the risk presented, taking into account the state of the art and the cost of their implementation.
2. Where there is a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service shall inform subscribers of that risk and, if the risk necessitates measures other than those which the service provider is obliged to take, of the means, if any, to counter that risk, including an indication of the expected costs.
Article 5
Confidentiality of communications
1. Member States shall ensure through national legislation the confidentiality of communications and the related traffic data by means of public communications networks and publicly available electronic communications services. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so, in accordance with Article 15(1). This paragraph shall not prevent the technical storage necessary for the transmission of information, without prejudice to the principle of confidentiality.
2. Paragraph 1 shall not affect the recording of communications and related traffic data authorized by law, when carried out in the lawful course of business for the purpose of proving a commercial transaction or any other business communication.
3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or, where strictly necessary, the provision of an information society service explicitly requested by the subscriber or user.
Article 6
Traffic data
1. Traffic data relating to subscribers and users processed and stored by the provider of a public electronic communications network or service shall, when no longer needed for the purpose of the transmission of communications, be erased or made anonymous, without prejudice to paragraphs 2, 3 and 5 as well as Article 15(1).
2. Traffic data necessary for the purpose of subscriber billing and interconnection payments may be processed. Such processing is permitted only until the end of the period during which the bill may be challenged in court or payment enforced.
3. The provider of a publicly available electronic communications service may process, for the purpose of marketing electronic communications services or for the provision of value added services, the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his consent. Users or subscribers may withdraw their consent to the processing of traffic data at any time.
4. The service provider must inform the subscriber or user of the types of traffic data being processed and the duration of the processing for the purposes referred to in paragraph 2 and, prior to obtaining his consent, for the purposes referred to in paragraph 3.
5. Processing of traffic data in accordance with paragraphs 1 to 4 may only be carried out by persons acting under the authority of the providers of the public communications networks or services for billing or traffic management, handling of customer enquiries, fraud detection and marketing of the provider's electronic communications services or the provision of value-added services, and shall be limited to what is necessary to carry out those activities.
6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for the competent bodies to be notified of traffic data in accordance with applicable legislation with a view to settling disputes, in particular interconnection and billing disputes.
Article 7
Itemized billing
1. Subscribers have the right to receive non-itemized bills.
2. Member States shall apply national provisions in order to reconcile the rights of subscribers receiving itemized bills with the right to privacy of calling users and called subscribers, for example by ensuring that sufficient alternative privacy-enhancing means of communication or payment are available to such users and subscribers.
Article 8
Display and restriction of calling and called number identification
1. Where presentation of calling line identification is offered as a service, the service provider must offer the calling user the possibility, in a simple manner and free of charge, of preventing the presentation of the calling line identification for each individual call. This possibility must be available to the calling subscriber for each individual line.
2. Where presentation of calling line identification is offered as a service, the service provider shall offer the called subscriber the possibility, in a simple manner and, in case of reasonable use of this facility, free of charge, of preventing the presentation of calling line identification of incoming calls.
3. Where the presentation of calling number identification is offered as a service and such identification is displayed prior to connection being established, the service provider must provide the called subscriber with the ability to easily reject incoming calls where the presentation of calling number identification has been prevented by the calling user or subscriber.
4. Where the presentation of called number identification is offered as a service, the service provider must offer the called subscriber the possibility to prevent, in a simple and free way, the transmission of the called number identification to the calling user.
5. Paragraph 1 shall also apply to calls from the Community to third countries. Paragraphs 2, 3 and 4 shall also apply to incoming calls from third countries.
6. Member States shall ensure that where presentation of calling and/or connected line identification is offered as a service, the providers of publicly available electronic communications services inform the public of these services and of the options set out in paragraphs 1, 2, 3 and 4.
Article 9
Location data other than traffic data
1. Where location data other than traffic data relating to users or subscribers of electronic communications networks or services may be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data that will be processed, of the purposes and duration of such processing, and whether the data will be transmitted to a third party for the purpose of providing the value added service. Users or subscribers may withdraw their consent to the processing of location data other than traffic data at any time.
2. Where the users or subscribers have consented to the processing of location data other than traffic data, the user or subscriber shall retain the ability to temporarily refuse the processing of such data for any connection to the network or for any transmission of communications, in a simple and free of charge manner.
3. Processing of location data other than traffic data in accordance with paragraphs 1 and 2 must be restricted to persons acting under the authority of the provider of the public electronic communications network or publicly available electronic communications service or the third party providing the value-added service, and must be limited to what is necessary for the provision of the value-added service.
Article 10
Exceptions
Member States shall ensure that there are transparent procedures defining how the provider of a public communications network and/or a publicly available electronic communications service may override the following service elements:
(a) the elimination of the presentation of calling line identification, on a temporary basis, upon request of a subscriber seeking to trace malicious or nuisance calls. In this case, the calling subscriber identification data shall be stored and made available by the provider of a public communications network and/or a publicly available electronic communications service in accordance with national legislation;
(b) the elimination of the display of calling line identification and the temporary denial or absence of consent of the subscriber or user regarding the processing of location data on a per-line basis, for organizations handling emergency calls and recognized as such by a Member State, including law enforcement agencies and ambulance and fire departments, for the purpose of responding to such calls.
Article 11
Automatic call forwarding
Member States shall ensure that any subscriber may, free of charge and in a simple manner, stop automatic call forwarding by a third party to the subscriber's terminal.
Article 12
Subscriber lists
1. Member States shall ensure that subscribers are informed, free of charge and before they are included in the directory, about the purpose(s) of printed or electronic directories of subscribers available to the public or obtainable through directory enquiry services, in which their personal data may be included and of any further usage possibilities based on search functions embedded in electronic versions of the directory.
2. Member States shall ensure that subscribers are given the opportunity to determine for themselves whether personal data are included in a public directory, and if so which, to the extent that such data are relevant for the purposes of the directory as determined by the provider of the directory, and to verify, correct or withdraw such data. Not being included in a public subscriber list or the verification, correction or deletion of personal data from such lists shall not entail any cost.
3. Member States may require that the separate consent of subscribers must also be obtained for purposes of a public directory other than the search for contact details of a person on the basis of that person's name and, where appropriate, a minimum of other identifying information.
4. Paragraphs 1 and 2 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to their entry in public directories are sufficiently protected.
Article 13
Unwanted communication
1. The use of automated calling systems without human intervention (automatic calling machines), fax or e-mail for the purpose of direct marketing may be permitted only with respect to subscribers who have given their prior consent.
2. Notwithstanding paragraph 1, where a natural or legal person obtains from its customers electronic contact details for electronic mail in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, a natural or legal person may use such electronic contact details for direct marketing of its own similar products or services provided that customers are clearly and explicitly given the opportunity to object, free of charge and in a convenient manner, to the use of such electronic contact details at the time of their collection and, in the event that the customer has not initially objected to such use, with each message.
3. Member States shall take appropriate measures to ensure that, free of charge to the subscriber, unsolicited communications for the purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive such communications, the choice between these options to be determined by national legislation.
4. In any case, it shall be prohibited to send electronic mail for the purpose of direct marketing that masks or conceals the identity of the sender on whose behalf the communication is made or without providing a valid address to which the recipient may send a request to terminate such communication.
5. Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national law, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.
Article 14
Technical characteristics and standardization
1. In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
2. Where provisions of this Directive can be applied only by requiring specific technical characteristics of electronic communications networks, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services(9).
3. Where necessary, measures may be adopted to ensure that terminal equipment is constructed in a manner consistent with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardization in the field of information technology and telecommunications(10).
Article 15
Application of certain provisions of Directive 95/46/EC
1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Articles 5 and 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, reasonable and proportionate measure within a democratic society to safeguard national security, i.e. State security, defence, public security, or the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures to retain data for a limited period of time for the reasons set out in this paragraph. All measures referred to in this paragraph shall comply with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.
2. The provisions of Chapter III of Directive 95/46/EC on judicial remedies, liability and penalties shall apply to the national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.
3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.
Article 16
Transitional provisions
1. Article 12 shall not apply to editions of directories already produced or marketed in paper or off-line electronic form before the date of entry into force of the national provisions adopted pursuant to this Directive.
2. Where the personal data of subscribers to public fixed or mobile voice telephony services have been included in a public subscriber directory in accordance with Directive 95/46/EC and Article 11 of Directive 97/66/EC prior to the entry into force of national provisions adopted pursuant to this Directive, the personal data of such subscribers may continue to be included in that printed or electronic public directory, including reverse search versions, unless subscribers indicate, after having received complete information about purposes and options in accordance with Article 12 of this Directive, that they do not want them to be included.
Article 17
Transposition into domestic law
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive before 31 October 2003. They shall forthwith inform the Commission thereof.
When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.
2. Member States shall communicate to the Commission the text of the provisions of national law which they adopt in the field covered by this Directive and of any subsequent amendments to those provisions.
Article 18
Review
The Commission shall submit to the European Parliament and the Council, not later than three years after the date referred to in Article 17(1), a report on its implementation and its impact on operators and consumers, in particular as regards the provisions on unsolicited communications, taking into account the international environment. For this purpose, the Commission may request information from Member States, which shall be supplied without undue delay. Where appropriate, the Commission shall submit proposals to amend this Directive, taking into account the results of this report, changes in the sector and any other proposal it may deem necessary in order to improve the effectiveness of this Directive.
Article 19
Repeal
Directive 97/66/EC is repealed from the date referred to in Article 17(1).
References to the repealed Directive 97/66/EC shall be construed as references to this Directive.
Article 20
Entry into force
This Directive shall enter into force on the day of its publication in the Official Journal of the European Communities.
Article 21
Addressees
This Directive is addressed to the Member States.
Done at Brussels, July 12, 2002.
For the European Parliament
The President
P. Cox
For the Council
The President
T. Pedersen
(1) OJ C 365 E, 19.12.2000, p. 223.
(2) OJ C 123, 25.4.2001, p. 53.
(3) Opinion of the European Parliament of 13 November 2001 (not yet published in the Official Journal), Council Common Position of 28 January 2002 (OJ C 113 E, 14.5.2002, p. 39) and Decision of the European Parliament of 30 May 2002 (not yet published in the Official Journal). Council Decision of 25 June 2002.
(4) OJ L 281, 23.11.1995, p. 31.
(5) OJ L 24, 30.1.1998, p. 1.
(6) OJ L 178, 17.7.2000, p. 1.
(7) OJ L 91, 7.4.1999, p. 10.
(8) OJ L 108, 24.4.2002, p. 33.
(9) OJ L 204, 21.7.1998, p. 37. Directive as last amended by Directive 98/48/EC (OJ L 217, 5.8.1998, p. 18).
(10) OJ L 36, 7.2.1987, p. 31. Decision as last amended by the 1994 Act of Accession.
Official Source: https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng
