CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
authorities, and businesses whose core activities centre around regular or
systematic processing of personal data, are required to employ a data
protection officer (DPO), who is responsible for managing compliance with
the GDPR. Businesses must report any data breaches within 72 hours if they
have an adverse effect on user privacy.
96. The Privacy and Electronic Communications Directive (Directive
2002/58/EC concerning the processing of personal data and the protection
of privacy in the electronic communications sector), adopted on
12 July 2002, states, in recitals 2 and 11:
“(2) This Directive seeks to respect the fundamental rights and observes the
principles recognised in particular by the Charter of fundamental rights of the
European Union. In particular, this Directive seeks to ensure full respect for the rights
set out in Articles 7 and 8 of that Charter.
(11) Like Directive 95/46/EC, this Directive does not address issues of protection of
fundamental rights and freedoms related to activities which are not governed by
Community law. Therefore it does not alter the existing balance between the
individual’s right to privacy and the possibility for Member States to take the
measures referred to in Article 15(1) of this Directive, necessary for the protection of
public security, defence, State security (including the economic well-being of the
State when the activities relate to State security matters) and the enforcement of
criminal law. Consequently, this Directive does not affect the ability of Member
States to carry out lawful interception of electronic communications, or take other
measures, if necessary for any of these purposes and in accordance with the European
Convention for the Protection of Human Rights and Fundamental Freedoms, as
interpreted by the rulings of the European Court of Human Rights. Such measures
must be appropriate, strictly proportionate to the intended purpose and necessary
within a democratic society and should be subject to adequate safeguards in
accordance with the European Convention for the Protection of Human Rights and
Fundamental Freedoms.”
The Directive further provides, in so far as relevant:
Article 1 – Scope and aim
“1. This Directive harmonises the provisions of the Member States required to
ensure an equivalent level of protection of fundamental rights and freedoms, and in
particular the right to privacy, with respect to the processing of personal data in the
electronic communication sector and to ensure the free movement of such data and of
electronic communication equipment and services in the Community.
2. The provisions of this Directive particularise and complement Directive
95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for
protection of the legitimate interests of subscribers who are legal persons.
3. This Directive shall not apply to activities which fall outside the scope of the
Treaty establishing the European Community, such as those covered by Titles V and
VI of the Treaty on European Union, and in any case to activities concerning public
security, defence, State security (including the economic well-being of the State when
the activities relate to State security matters) and the activities of the State in areas of
criminal law.”
27