data protection in the european...

Fl

ash

Eur

obar

omet

er 1

47 -

Tay

lor

Nel

son

Sof

res.

Coo

rdin

atio

n –

EO

S G

allu

p E

urop

e

This survey was re

This document does no

Flash Eurobarometer

Data Protection in the European Union
Fieldwork 15 September - 03 October 2003
Publication December 2003

quested by Directorate General “Internal Market” and coDirectorate General Press and Communication

t represent the point of view of the European Commission. The interpretati

contained in it are solely those of the authors.

European Commission

ordinated by

ons and opinions

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 1

PRESENTATION ........................................................................................3 1. Perception of the current legislation ................................................5

1.1 Data controllers’ assessment of the legislation ...........................5

1.1.1 Level of protection offered by the national data protection law ........................................................................................5

1.1.2 The current legislation and the amount of personal information being exchanged.................................................8

1.2 Attitudes towards the requirements of the data protection law. 11 1.3. Views on the implementation of the legislation ....................... 18

2. In-house practices and company experiences with data protection 22

2.1. The usage of privacy enhancing technologies........................... 22 2.2. Transfer of personal data outside the EU / EEA ........................ 25 2.3. The type of personal data transferred to other countries ......... 27 2.4. Type of information made available to data subjects................ 29 2.5 Companies’ experience of access requests and complaints ....... 46

2.5.1 Access requests.................................................................. 46 2.5.2 Reception of complaints ..................................................... 49

3. How data controllers perceive the non-respect of the legislation ... 51

3.1. Reasons why the legislation is not applied correctly ................ 51 3.2. Respondent’s perception of practices in other companies ........ 54

4. The future of the legal framework on data protection..................... 63

4.1. Improvements and simplifications of the implementation of the

legal framework ....................................................................... 63 4.2. Personal databases and the fight against terrorism ................. 66

CONCLUSION..........................................................................................69 ANNEXES TECHNICAL NOTE QUESTIONNAIRES


PRESENTATION

The appearance of the information society through the widespread usage of the Internet, and the development of the European Union into a frontier free Internal Market have led to an increase in the flow of personal information. This free flow of personal information throughout the EU seems essential for the efficient conduct of almost any economic activity on an EU-wide basis. However, the increase of this data traffic within the Internal Market, and on a global level, has brought with it major risks to the privacy of data subjects. The principle of openness and the public’s right of access to documents are not always guaranteed. Added to this, economic activities throughout the EU are not fully benefiting from the advantages of the Internal Market with regard to data transfers, because important divergences between the Member States’ data protection laws remain. The 1995 Data Protection Directive aimed at tackling these problems. Its goal was to harmonise data protection legislation throughout the Member States in order to allow Europe’s companies to fully benefit of the Directive and the Internal Market, and to ensure a strong protection for privacy while facilitating the flow of personal data within the EU. Nevertheless, several problems remain unsolved, due mainly to the late implementation of this directive by certain Member States and differences in the application of the directive at national levels. In this context, the Directorate-General MARKT of the European Commission wished to conduct a survey among persons responsible for data protection issues within companies throughout the European Union, in order to further understand these data controllers’ perceptions and understandings of the current legislation on data protection, as well as the experiences companies based in the EU have faced with regard to this issue. From the 15th of September to the 3rd of October 2003, the EOS Gallup Europe network conducted a survey among 3013 data protection officers or persons responsible for data protection issues within companies employing 20 persons and more throughout all of the 15 European Union Member States. The main objective of this survey is to analyse the data protection awareness and the general perception of data controllers within the European Union. The following topics will be studied:

- The perception of the current legislation - In-house practices and company experiences with data protection - How data controllers perceive the non-respect of the legislation - The future of the legal framework on data protection

This report presents the main results obtained. We will analyse the average results of the 15 European Union Member States, as well as the results of each separate country. A breakdown by company category will also be presented in this report, showing results by sector of activity, size of company and the respondent’s status in the company. Finally, it is important to emphasise the fact that the results of this survey are considered as representative of the European Union and its Member States based

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 4 on a scientifically selected sample. Indeed, the surveyed population reflects the reality of the European Union universe of companies. The methodology used is that of Flash Eurobarometer. The European Commission has defined the targets for this Flash Eurobarometer as all companies – agriculture excluded – employing 20 persons or more, installed in the European Union. The persons who have been interviewed in each company are responsible for data protection issues (Data protection officer, IT manager, Human Resources manager, Marketing manager). During interviews, the interviewer checks the identity of this person, at the same time as he/she controls the accuracy of the enterprise characteristics, namely the number of employed persons and the sectors of activity. Using a highly updated database of lists of companies, a sample has been drawn according to three criteria: the country, the size of the company, and the activity sector. Small countries as well as the larger businesses have been intentionally “over-sampled” in order to get significant results for each of these levels of analysis. However, the total results presented are representative of the total universe examined thanks to, on one hand, the real weight of each company category in each country and, on the other hand, the weight of each country within the European Internal Market. A technical note pertaining to the way the 15 EOS Gallup Europe institutes conducted interviews is included at the end of this report. It provides further details on interviewing methods as well as statistical margins of error.


1. Perception of the current legislation

In this first part, we will analyse respondents’ views on the current data protection legislation in three manners: through the respondents’ assessment of the legislation, their attitude towards the requirements of the legislation and finally, their perception of the implementation of the legislation.

1.1 Data controllers’ assessment of the legislation

1.1.1 Level of protection offered by the national data protection law - A clear majority of respondents throughout the European Union rate the level of protection offered by their respective national data protection laws as ‘medium’ -

FI

DK

IR

Q1. Would you say that the level of protection offered by the (NATIONALITY) Data Protection Law is...?

27%

50%

45%

38%

33%

33%

29%

28%

27%

27%

23%

22%

22%

20%

19%

8%

54%

42%

40%

48%

47%

51%

53%

42%

62%

61%

53%

55%

62%

63%

56%

59%

10%

4%

7%

7%

4%

11%

11%

10%

12%

13%

14%

7%

4%

10%

20%

8%

8%

11%

7%

13%

13%

8%

18%

10%

8%

9%

14%

16%

14%

0% 20% 40% 60% 80% 100%

EU 15

N

L

NL

UK

D

L

EL

I

E

A

F

S

B

P

High M edium Low [DK&NA]

Persons responsible for data protection issues within companies throughout the EU were asked to rate the level of protection offered by their respective national data protection laws. Results show that on average, a majority of respondents in the European Union, with 54%, consider their respective level of protection as ‘medium’. 27% of respondents believe this level of protection is ‘high’, while only 10% indicate that it is low.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 6 Results by country show important disparities between the different Member States. In Finland, a majority of respondents (50%) indicate that the level of protection offered by the Finnish data protection law is high. This rate is 23 percentage points above the European Union average (27%). Furthermore, 42% believe this level is medium, and surprisingly, none of the Finnish respondents indicated that it is low. Luxembourg follows, with a rate of 45% of respondents believing their data protection law offers a high level of protection, while 40% indicate that it is medium. On the contrary, the country with the lowest rate of respondents believing the level of protection is high in their country is Portugal, where a minority of 8% is of this opinion. This rate is 19 percentage points below the European Union average (27%). Portuguese respondents also have the highest rate to believe that their national data protection law offers a low level of protection, at 20%. This rate is 10 percentage points above the EU average (10%). Finally, the country with the highest rate of non-response rates is Ireland with 18%, a rate 10 percentage points above the EU average (8%). This high rate could be an indication of the lack of information on data protection issues in this country.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 7 Breakdown by company category: M

Q1. Would you say that the level of protection offered by the (NATIONALITY) Data Protection Law is...?

27%

15%

27%

29%

31%

46%

26%

24%

35%

28%

28%

24%

23%

54%

64%

56%

49%

53%

45%

55%

56%

51%

53%

55%

59%

57%

10%

10%

10%

9%

6%

10%

11%

7%

10%

9%

8%

16%

8%

8%

8%

11%

7%

4%

9%

9%

8%

9%

5%

13%

7%

9%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction

Industrie / Industry

Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS

Resp. de la prot.des don/ Resp. for data prot. iss.

Resp. IT/ IT manager

Dir. RH/ HR manager

Dir. M arketing/ arketing manager

High Medium Low [DK&NA]

Results by sector of activity show that respondents working in the services sector have the highest rate indicating that the level of protection of the national data protection law is high, at 31%. This rate is 4 percentage points above the EU average (27%). Results from the trade sector (29%) and the industry sector (27%) follow with slightly lower rates. On the contrary, the lowest rate among theses categories is found in the construction sector, where only 15% of respondents have the same opinion. This rate is 12 percentage points below the EU average (27%). As for the size of company, the largest companies have a higher perception of the level of protection in their country than the small and medium sized companies. The rate for the largest companies (46%) is 19 percentage points above the European Union average (27%). Results by the status of respondents in their company show us that persons responsible for data protection issues and IT managers respond with a somewhat higher rate than Human Resources managers or marketing managers, to the fact that that the level of protection is high (respectively 28% against 24% and 23%). We can also note that Marketing managers tend to have a higher rate than the EU average (10%) indicating that the level of protection is low (16%).


1.1.2 The current legislation and the amount of personal information being exchanged

- A majority of respondents believe the existing legislation on data protection is

unsuited to cope with the increasing amount of personal information being exchanged -

IR

FI

Q4. The existing legislation on data protection is … to cope with the increasing amount of personal information being exchanged

9%

7%

7%

5%

5%

4%

4%

3%

3%

39%

27%

27%

34%

41%

46%

42%

59%

39%

38%

32%

26%

68%

58%

30%

42%

40%

33%

29%

30%

30%

32%

33%

29%

36%

44%

35%

43%

23%

24%

42%

45%

14%

19%

15%

9%

11%

8%

13%

5%

15%

11%

21%

21%

5%

16%

27%

8%

6%

13%

22%

20%

12%

9%

7%

3%

7%

3%

10%

10%

3%

5%

0% 20% 40% 60% 80% 100%

EU 15

A

S

DK

L

B

L

NL

UK

F

E

P

N

EL

I

D

Very well suited Rather well suited Rather unsuited Not suited at all [DK&NA]

In order to further analyse the assessments of the data protection law, respondents were asked to indicate how well this legislation is suited to cope with the increasing amount of personal information being exchanged. Results show that a majority of respondents in the European Union believe the existing legislation is unsuited (rather unsuited 40%, or not suited at all 14%), with a total rate of 54%. Results by country show that in only 4 countries out of the 15 Member States does a majority of respondents indicate that the existing legislation on data protection is very well or rather well suited. Among these, Finland has the highest rate, with a total of 69%. This rate is 28 percentage points above the EU average (41%). The Netherlands (63%), Greece (59%) and Belgium (51%) also have a majority of respondents believing the existing legislation is suited.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 9 On the contrary, the lowest rates of respondents who believe the existing legislation is suited to cope with the increasing amount of personal information being exchanged are found in Portugal (28%) and Italy (31%). Portugal’s rate is 10 percentage points below the EU average. Breakdown by company category:

Q4. The existing legislation on data protection is … to cope with the increasing amount of personal information being exchanged

3%

4%

39%

34%

36%

38%

42%

45%

38%

37%

41%

38%

39%

38%

38%

40%

45%

42%

37%

38%

40%

40%

39%

40%

39%

41%

40%

37%

14%

15%

16%

13%

13%

7%

14%

15%

13%

14%

12%

12%

19%

6%

5%

5%

9%

5%

3%

6%

7%

4%

6%

5%

5%

8%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS

Resp. for data prot. issues IT manager

HR manager

M arketing manager

Very well suited Rather well suited Rather unsuited Not suited at all [DK&NA]

Regardless of the sector of activity they work in, a majority of respondents express their belief that the current legislation in their respective countries is unsuited to cope with the increasing amount of personal information being exchanged. Results by size of company show that the largest companies, with over 250 employees, have by far the highest rate of respondents believing the existing legislation is suited, with a total rate of 49%. Results by status in the company do not show any significant differences. We can note that Marketing managers have a somewhat higher rate (19%) indicating that the existing legislation is not suited at all to cope with the increasing amount of personal information being exchanged. This rate is 5 percentage points above the EU average (14%).

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 10 Cross-tabulating: By cross-tabulating two questions∗ we would like to see whether the level of protection corresponds to the ability of the national data protection law to cope with the increasing amount of personal data being exchanged?

Do you think that the existing legislation on data protection is suited or not to cope with the increasing

amount of personal information being exchanged? (Total “very well suited/rather well suited” and “rather unsuited/ not

suited at all”)

Level of the data protection law in the country (EU average)

Suited Unsuited DK/NA

High 53% 43% 4%

Medium 41% 55% 4%

Low 12% 82% 6%

Results show that a majority of respondents who rate their respective national data law as ‘High’ believe that this legislation on data protection is also suited to cope with the increasing amount of personal information being exchanged. We must however note that this population only represents a minority of the persons responsible for data protection issues (27% of the total number of respondents - see graph Q.1 p. 5). Those who indicate that the level of protection of their national data protection law is ‘Medium’, are a majority to answer that this legislation is unsuited to cope with the increasing amount of personal information, with a rate of 55%. We must note that this category of respondents represents a majority of the surveyed population (54% of the total number of respondents). Finally, persons who responded that the level of their national data protection law is ‘Low’, are a vast majority (82%) to admit that this legislation is unsuited to cope with the increasing amount of personal data being exchanged. Furthermore we can add that among this majority, 35% even indicate that the legislation is not at all suited to cope with this issue. This cross-analysis leads us to believe that a (high) level of data protection in a country is a sign of its adaptability to cope with the increasing amount of personal data being exchanged. This is more than ever the case in Finland (which ranked first in the results of question 1 concerning the level of protection of the national data protection law) where, among those who consider that the Finnish data protection law is ‘high’ (50%), 79% express their faith in this data protection law to cope with the ever increasing amount of personal data being exchanged.

∗ Question 1: “Would you say that the level of protection offered by the (NATIONALITY) Data Protection Law is High, Medium or Low?” crossed with Question 4: “In your opinion, do you think that the existing legislation on data protection is suited or not to cope with the increasing amount of personal information being exchanged?”


1.2 Attitudes towards the requirements of the data protection law

- Important disparities between respondents in different countries concerning the

requirements of the data protection law - The persons responsible for data protection issues in their company were asked to indicate their agreement or not with three statements concerning the requirements of the data protection law:

Q2. From your business perspective and in general terms, would you rather agree or rather disagree w ith each of the following requirements of the data

protection law?

91%

37%

34%

8%

58%

64%

5%

0% 20% 40% 60% 80% 100%

a) The requirements of the data protection law are necessary in order to respect a high level

o f protection for consumers and the fundamental rights o f citizens

b) The requirements of the data protection law are too strict in certain respects

c) The requirements of the data protection law are not necessary except for certain sectors o f activity

Rather agree Rather disagree [DK&NA]


“ The requirements of the data protection law are necessary in order to respect a high level of protection for consumers and the fundamental

rights of citizens”: An overwhelming majority of respondents throughout the European Union indicate that they rather agree with the above-mentioned statement, at a rate of 91%. Only 8% of respondents have an opposite opinion. Results by country do not show any significant differences although the rates of agreement in Denmark (84%), Italy (86%) and Germany (88%) are below the 90% mark. Furthermore, Ireland and Spain have the highest rates, with both 97% agreeing with this statement. Q2. a) The requirements of the data protection law are necessary in order to

respect a high level of protection

91%

97%

97%

96%

96%

95%

95%

95%

94%

94%

94%

91%

90%

88%

86%

84%

8%

4%

6% 6% 6%

7% 7% 12%

14% 3% 13%

4%

4%

0% 20% 40% 60% 80% 100%

EU 15

IRL E F

NL A B P

EL L

UK FIN

S D I

DK

Rather agree Rather disagree [ [DK&NA]

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 13 Breakdown by company category:

Q2. a) The requirements of the data protection law are necessary in order to respect a high level of protection

91%

91%

90%

90%

94%

93%

92%

91%

94%

92%

95%

88%

85%

8%

7%

8%

6%

8%

4%

11%

11%

8%

5%

9%

9%

9%

4%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS

Resp. de la prot.des don/ Resp. for data prot. Iss.


Dir. RH/ HR manager

Dir. M arketing/ M arketing manager


The results of the breakdown by company category do not show any significant discrepancies since agreement rates throughout all categories vary between 90% and 94%. An exception can be made for the Human resources managers and the Marketing managers who indicate slightly lower rates of agreement to the fact that requirements of the data protection law are necessary in order to respect a high level of protection, at respectively 88% and 85%.


“ The requirements of the data protection law are too strict in certain

respects”:

- A majority of respondents throughout the EU do not believe that the requirements of the data protection law are too strict -

Q2.b) The requirements of the data protection law are too strict in certain respects

37%

66%

42% 42%

38% 38%

36% 34%

32% 32% 31% 31%

30%

21% 20%

18%

58%

34% 39%

51%

58%

60%

56%

59%

65%

61%

62%

55%

65%

65%

61%

74%

5%

18% 8%

4%

9% 7%

4% 7% 7%

15% 5%

14% 19%

8% 0% 20% 40% 60% 80% 100%

EU 15

I P

NL F

EL E

FIN D L B S

UK IRL DK

A


This statement shows a major assessment of the national data law and represents the opinion of companies on the strictness of the legislation’s requirements. Surprisingly enough, a majority of respondents (58%) think that the requirements of the data protection law are not too strict. This result gives, to some extent, a good indication of how companies acknowledge the requirements that the data protection laws impose on them. Results by country show that Italy has by far the highest rate of agreement, with 66%. This rate is 29 percentage points above the EU average of respondents agreeing (37%). On the opposite side of the graph, respondents in Austria, Denmark and Ireland have the lowest rates of agreement, with respectively 18%, 20% and 21%. Austria’s rate is 19 percentage points below the European Union average (37%). These important differences confirm that although a European Directive created a unique framework on this issue, differences remain concerning the requirements and interpretations, which are applied differently in each country.


M

Q2.b) The requirements of the data protection law are too strict in certain

respects

37%

35% 43%

35% 35%

47%

37% 36%

39%

38% 37% 39%

29%

58%

61%

53%

58%

60%

49%

58%

58%

57%

56%

59%

57%

64%

5%

4% 7% 6%

4% 5% 6% 4%

6% 4% 4%

7%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR Construction

Industrie / Industry Commerce / Trade

Services TAILLE - SIZE

Major 250+ SME Total SME 20-49

SME 50-249 STATUT-STATUS

Resp. de la prot.des don/ Resp. for data prot. Iss. Resp. IT/ IT manager

Dir. RH/ HR manager Dir. Marketing/

arketing manager


Results by sector of activity show that respondents in the industry sector are more numerous than in the other 3 sectors to consider that the requirements of the data protection law are too strict. Could this reflect a specificity related to the industry sector? Results by size of company show that respondents in the largest companies have a higher rate of agreement (47%) with the above-mentioned statement than respondents in the small (36%) and medium sized companies (39%).

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 16 “ The requirements of the data protection law are not necessary except

for certain sectors of activity”:

- Two thirds of respondents disagree with the fact that the requirements of the legislation are not necessary except for certain sectors of activity -

Q2. c) The requirements of the data protection law are not necessary except for

certain sectors of activity

34%

50% 48%

38% 36% 36%

34% 34%

33%

29%

29%

27% 27%

19% 17%

11%

64%

49%

52%

60%

62%

63%

58%

60%

66%

71%

69%

69%

70%

81%

77%

72%

8% 7%

4% 4%

6% 17%

0% 20% 40% 60% 80% 100%

EU 15

EL I

B UK

F P S D L E

FIN A

NL IRL DK


This third statement proposed to respondents provides another evaluation of the requirements of the data protection law. A clear majority of respondents does not believe that the requirements of the data protection law are unnecessary. Again, this positive assessment at the level of the European Union shows that managers and those responsible for data protection issues are not reluctant to this legislation. On the contrary, they seem to give a wide recognition to it. When observing results for the average of the European Union, we can note that a clear majority of respondents rather disagrees with this statement, at 64% against only 34% rather agreeing. We find the same ranking of countries as in the precedent question, which confirms that the differences of national interpretation of this legislation lead to different perceptions of this issue. In Greece, a slight majority of respondents rather agrees with this statement (50% against 49% disagreeing).

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 17 In Italy we can also observe a similarly high rate (48%) of respondents agreeing, although those who disagree represent the majority (52%). As in the previous question, the lowest rate of agreement can be observed among Danish and Irish respondents, with a rate of 11% and 7%. The highest rate of disagreement can be observed in the Netherlands, where 81% of respondents indicate that they disagree with the statement that the requirements of the data protection law are not necessary except for certain sectors of activity. This rate is 17 percentage points above the EU average (64%). Breakdown by company category: Q2. c) The requirements of the data protection law are not necessary except for

certain sectors of activity

34%

39%

34%

38%

31%

27%

35%

36%

31%

36%

32%

38%

22%

64%

59%

64%

60%

68%

72%

63%

62%

67%

62%

65%

61%

74% 5%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS

Resp. de la prot.des données/ Resp. for data prot. Iss.


Dir. RH/ HR manager



The agreement on the necessity of the requirement of the data protection law is fairly identical in the 4 main sectors of activity. Only the companies dealing with services are slightly more numerous (68%) to express their disagreement to the proposed statement. As for the company size, the biggest companies seem to be more aware of the necessity of the requirement of the data protection law, as they express in higher percentages (72%) their disagreement to the proposed statement.


1.3. Views on the implementation of the legislation

- Harmonisation within the EU is not sufficient -

In order to analyse how respondents perceive the implementation of their respective national data protection laws compared to other Member States, they have been asked to indicate their rate of agreement with two statements concerning this issue.

“ There is sufficient harmonisation of Member States’ data protection laws to consider that personal data can be moved freely within the

European Union.” Q3. a) There is sufficient harmonisation of Member States' data protection laws

to consider that personal data can be moved freely w ithin the EU.

38%

61%

54%

49%

48%

47%

41%

39%

37%

34%

33%

30%

30%

29%

28%

14%

44%

31%

38%

33%

42%

32%

40%

43%

43%

57%

42%

36%

40%

16%

57%

33%

19%

8%

9%

18%

10%

21%

19%

19%

21%

9%

25%

34%

30%

55%

15%

52%

0% 20% 40% 60% 80% 100%

EU 15

I

FIN

NL

F

IRL

EL

B

P

L

UK

A

E

S

D

DK

Total d'accord / Total agree Total pas d'accord / Total disagree [NSP&SR] / [DK&NA]

The harmonisation of Member States’ data protection laws seems insufficient for most respondents, to allow a free movement of personal data within the European Union. This is expressed by 44% of them. The overall (EU average) opinion on this issue is, however, divided: there is no clear difference between respondents agreeing (38%) and disagreeing (44%) to the statement proposed. Only a few percentage points separate these two. The overall results are, however, not reflected in the national results, where major differences exist between countries. Here again, the explanation of these discrepancies could be found in the interpretation or application differences of the European Directive at a national level.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 19 Italy has the highest rate of agreement (61%) with the statement that “there is sufficient harmonisation of Member States’ data protection laws to consider that personal data can be moved freely within the European Union”. This rate is 23 percentage points above the EU average (38%). Finland follows with a rate of 54% agreeing. Italy and Finland are the only countries among the EU Member States to have a majority of respondents agreeing with this statement. The lowest rate of agreement with this statement can be observed in Denmark, where only 14% of respondents indicate that they agree that there is sufficient harmonisation among the Member States laws. The highest rates of disagreement are found among respondents in Luxembourg and Germany, with a rate of 57% in both countries. This rate is 13 percentage points above the EU average (44%). Breakdown by company category: Q3. a) There is sufficient harmonisation of Member States' data protection laws to

consider that personal data can be moved freely w ithin the EU.

38%

36%

38%

37%

38%

40%

38%

37%

40%

37%

35%

41%

47%

44%

47%

45%

41%

43%

44%

44%

44%

43%

44%

47%

40%

39%

19%

17%

17%

22%

19%

16%

19%

19%

18%

20%

18%

18%

14%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUSResp. de la prot.des données/

Resp. for data pro t. Iss.


Dir. RH/ HR manager Dir. M arketing/

M arketing manager

Agree Disagree [DK&NA]

Results by sector of activity or size of company do not show any significant differences among the categories. The rates of agreement are almost identical among these. We can note that the rate of disagreement among respondents in the construction sector (47%) is 6 percentage points higher than the rate of those in the trade sector (41%). As for respondents by status in the company, Marketing managers (47%) have a wider belief in the harmonisation of the Member States’ data protection laws than their colleagues in the Human Resources department (41%), IT managers (35%) or persons responsible for data protection issues (37%).


“ The data protection law in [Our Country] is interpreted and applied more rigorously than in other Member States”

- Application and interpretation of the law is perceived differently among

Member States -

Q3. b) The data protection law in [OUR COUNTRY] is interpreted and applied more rigorously than in other Member States

42%

77%

55%

52%

51%

45%

45%

43%

39%

36%

31%

22%

21%

17%

14%

12%

26%

13%

24%

27%

11%

13%

4%

35%

25%

14%

41%

30%

41%

30%

62%

56%

33%

10%

21%

20%

38%

42%

51%

22%

36%

50%

28%

49%

39%

53%

25%

32%

0% 20% 40% 60% 80% 100%

EU 15

FIN

D

F

NL

UK

S

L

B

DK

IRL

A

I

E

EL

P


Where harmonisation appeared to be more divided, the opinions on interpretation and application of the data protection law are more distinct: 42% of persons responsible for data protection issues agree that the legislation on data protection in their respective country is interpreted and applied more rigorously than in other Member States. Only 26% of respondents disagree with this statement. Country results show that Finland has by far the highest rate of respondents who believe that the Finnish data protection law is interpreted and applied more rigorously than elsewhere in the European Union, with a rate of 77%. This rate is 35 percentage points above the EU average (42%). The Finnish results are an indication that the respondents do not see the rigorous interpretation and application as a negative point. It is important to note that the Finnish companies were the ones to believe the most that their data protection law was suited to cope with the increasing amount of personal information being exchanged (Question 4). A majority of respondents in Germany (55%), France (52%) and the Netherlands (51%) also have the same opinion that their respective national data protection laws are applied more rigorously.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 21 We must draw attention to the high non-response rate, which leads us to think that, although this matter of data protection law was initiated at a European level (Directive 1995), the awareness of respondents may not cross national borders. There is certainly knowledge of their respective national data protection laws among data controllers, but there is also a visible lack of knowledge of other Member States’ legislations on data protection. Breakdown by company category: Q3. b) The data protection law in [OUR COUNTRY] is interpreted and

applied more rigorously than in other Member States

42%

37%

41%

42%

44%

54%

41%

40%

46%

41%

45%

40%

39%

26%

32%

27%

23%

25%

22%

26%

26%

26%

23%

28%

27%

44%

33%

31%

33%

36%

30%

23%

33%

34%

29%

36%

27%

33%

16%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS



Dir. RH/ HR manager



The application and interpretation of the data protection law is perceived identically by companies regardless of their sector of activity. One could only note the relatively “hesitant” opinion on this issue from respondents in the construction sector where no clear majority is seen: 37% agree with the statement, against 32% who disagree. Respondents in the services sector have the highest rate of agreement (44%) with the fact that the data protection law in their respective country is interpreted and applied more vigorously than in other Member States. Whereas the size of companies seems to have a clearer correlation on the evaluation of the interpretation and application of the data protection law, results by size of company show that respondents in the largest sized companies (54%) have a significantly higher rate of agreement with the statement than those in medium (46%) and small-sized companies (40%). The rate of non-responses is also far lower among the largest sized companies (23%), at a rate 10 percentage points below the EU average (33%).


2. In-house practices and company experiences with data protection

In this second part, we will analyse how companies deal with the issue of data protection. Five issues will be observed:

- the usage of privacy enhancing technologies - the transfer of personal data outside the EU or the EEA - the type of data transferred to other countries - the type of information made available to data subjects - companies’ experience of access requests and complaints

2.1. The usage of privacy enhancing technologies

- Less than a third of respondents admit using privacy enhancing technologies

in their company –

Q5. Do you use any technology or software products that enhance privacy

protection of databases in your company...?

32%

47%

45%

44%

42%

38%

35%

34%

33%

33%

32%

28%

25%

23%

20%

16%

38%

30%

25%

41%

33%

41%

32%

47%

28%

32%

29%

50%

32%

40%

35%

41%

28%

22%

26%

14%

23%

20%

33%

19%

38%

35%

29%

22%

43%

33%

41%

43%

5%

3%

10%

4%

4%

0% 20% 40% 60% 80% 100%

EU 15

NL

FIN

E

B

D

I

A

DK

L

S

P

EL

IRL

UK

F

Yes No, but I have heard of them No and I have never heard of them [DK&NA]

Respondents were asked whether they use “Privacy Enhancing Technologies” in their company, meaning any kind of technology or software products that enhance privacy protection of databases.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 23 Results show that a clear majority, representing 66% of respondents in the European Union, do not use any such technologies or software products to enhance privacy protection of databases. It is interesting to note that among these respondents, 28% have not even heard of such technology. Results by country show that the Netherlands has the highest rate of respondents indicating the usage of privacy enhancing technologies, with 47%. Finland (45%), Spain (44%) and Belgium (42%) follow with significantly higher rates than the EU average (32%). The highest rates of respondents who indicate not using these technologies are found in France, with a rate of 84%. This rate is 18 percentage points above the EU average (66%). The United Kingdom and Ireland follow with respectively 76% and 73%.


Q5. Do you use any technology or software products that enhance privacy protection of databases in your company...?

32%

23%

35%

29%

36%

41%

32%

29%

41%

30%

40%

30%

37%

38%

44%

38%

40%

35%

36%

38%

40%

34%

38%

42%

33%

34%

28%

34%

25%

31%

27%

19%

29%

30%

23%

31%

18%

33%

27%

2%

2%

3%

2%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUSResp. de la prot.des don/ Resp. for data prot. Iss.Resp. IT/ IT manager


arketing manager

Yes No, but I have heard of them No and I have never heard of them [DK&NA]

The use of Privacy Enhancing Technologies is more widespread in the industry and services sectors, with respectively 35% and 36% of respondents expressing this usage. These technologies prove to be more of need to the biggest companies than the smallest (20-49 employees). In fact, the small-sized companies have a significantly lower rate of respondents who indicate that they use such technologies, at 29%. 12 percentage points separate this category from the two others mentioned above. Results by company status of respondents show that IT managers (40%) and Marketing managers (37%) have higher rates of agreement than Human Resources managers (30%) of the persons responsible for data protection issues (30%). We can also note that the rate of non-responses (18%) is significantly lower than in the other categories, and is 10 percentage points below the EU average (28%). The technologies are certainly more easily understood and used by the IT manager than by the others.


2.2. Transfer of personal data outside the EU / EEA

- Only one in ten respondents indicates that his/her company transfers

personal data outside of the EU/EEA -

Q6. Does your company transfer personal data to countries outside the European Union/ European Economic Area?

10%

15%

13%

13%

12%

12%

11%

10%

10%

8%

8%

7%

7%

6%

6%

4%

90%

85%

87%

86%

88%

88%

88%

90%

89%

92%

92%

93%

93%

93%

94%

94% 3%

0% 20% 40% 60% 80% 100%

EU 15

I

P

B

D

L

A

DK

IRL

F

NL

E

S

UK

EL

FIN

Yes No [DK&NA]

Respondents were asked whether their company transfers personal data to countries outside the European Union or the European Economic Area. Results show that a huge majority of the persons in charge of data protection issues in the EU indicate that their company does not transfer personal data to any country outside of these areas, with 90% against only 10% who indicate that their company does. This result leads us to believe that data transfer is in most cases either a national or an EU concern for companies. Country results do not show any significant discrepancies. Italy has the highest rate of respondents who indicate that their company does transfer personal data outside of the EU/EEA, with 15%. This rate is 5 percentage points above the European Union average (10%). On the opposite side, Finland has the lowest rate of respondents answering ‘Yes’, at only 4%. This rate is 6 percentage points below the European Union average (10%).



10%

16%

10%

8%

20%

9%

9%

12%

9%

12%

8%

17%

90%

98%

84%

90%

92%

80%

90%

91%

88%

91%

88%

92%

82%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS



Dir. RH/ HR manager


Yes No [DK&NA]

When observing the results of the breakdown by company category, we can note several significant disparities between certain categories. The sector of activity reveals that the industry sector is more inclined to transfer personal data to countries outside of the EU/EEA in a significantly higher rate (16%) than in the other categories. This rate is 6 percentage points above the EU average (10%). The lowest rate is found among respondents in the construction sector (2%). The size of the company shows us that respondents in the largest sized companies have the highest rate indicating that such data is transferred outside the EU/EEA, with 20%. The more international perspective of big companies compared to the SME’s may well explain this result.


2.3. The type of personal data transferred to other countries

- Clients’ or consumers’ data for commercial purposes is the type of personal data

that is mostly transferred by companies to other countries - In order to better evaluate the “type of data that the company transfers to other countries, we processed the results of question 7 to represent only the respondents whose company do transfer personal data to other countries. Among companies that do transfer personal data to other countries, a majority of respondents (52%) indicates that this data mostly concerns clients’ or consumers’ data for commercial purposes. 21% of those respondents answer that the type of personal data their company transfers mostly to other countries is human resources data for Human resources purposes. Only 10% indicate that their company mostly transfers data collected in the EU that is meant to be sold or licensed to data controllers in other countries. Finally, 9% of respondents indicated other answers, while 8% did not know or refused to answer.

Q7. Type of personal data transferred to other countries, EU 15 – source Q.7

52%10%

9%8%

21%

Clients' or consumers' data for commercial purposesHuman resources data for HR purposesData collected in the EU that is meant to be sold or licensed to data controllers in other countries [Other] [DK&NA]


Q.7 What type of personal data does your company transfer to other countries, mostly?

21%

18%

19%

20%

24%

35%

20%

20%

20%

21%

21%

26%

16%

52%

59%

60%

56%

39%

53%

52%

51%

53%

56%

51%

44%

44%

10%

10%

6%

14%

11%

12%

7%

8%

6%

10%

32%

9%

8%

8%

9%

10%

9%

9%

11%

6%

10%

15%

8%

8%

14%

3%

9%

13%

8%

8%

8%

8%

9%

11%

5%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager

Human resources data for HR purposes Clients' or consumers' data for commercial purposesData co llected in the EU that is meant to be so ld or licensed to data contro llers in o ther countries

[Other] [DK&NA]

When observing results from breakdown by company category, we can note several important disparities between the different categories. It is important to indicate that the graph above also represents respondents whose companies do transfer data to other countries. Respondents whose companies do not transfer such data abroad have not been represented. Results by sector of activity show us that respondents in the industry sector indicating that their company transfers personal data to other countries mostly transfer data related to commercial purposes (‘client or consumer data’) Results by size of company show us that the largest companies, with 250 employees and more that have by far the highest rate of respondents who indicate that their company transfers personal data to other countries (Q.6) mostly transfer clients’ or consumers’ data for commercial purposes (56%), followed by human resources data (35%).


2.4. Type of information made available to data subjects

- Much information remains unavailable to data subjects –

Respondents were asked to indicate what sort of information is made available to data subjects when personal data is collected. Eight different types of information were presented to the respondents. T

Q9. Could you please indicate whether or not you make each of the following information available to the data subject for each collection of personal data?

48%

46%

38%

37%

37%

31%

15%

10%

28%

27%

33%

40%

37%

32%

57%

66%

20%

23%

24%

19%

21%

28%

13%

11%

4%

4%

5%

4%

6%

10%

15%

13%

0% 20% 40% 60% 80% 100%

The existence of the right to access and the right to rectify the data concerning the data subjects

he purpose of the processing for which the data are intended

The recipients or categories of recipients of the data

The physical or electronic address of a person within theorganisation directly responsible for data protection matters

The identity o f the data contro ller or its representative

The obligation or non-obligation of replying and the possibleconsequences of failure to reply

The indication whether the recipient country provides (or not) anadequate level o f data protection

The possible transfer o f the data to non-EU countries

Yes No It depends [DK&NA]

The availability of each information type is analysed by country and company category in the following pages.


“The existence of the right to access and the right to rectify the data concerning the data subjects”

The information, which is made most available, is “the existence of the right to access and the right to rectify the data concerning the data subjects”, with a relative majority of 48% of respondents among the EU average answering positively to the question.

Q9f) Do you make "The existence of the right to access and the right to rectify the data concerning the data subjects" available to the data subject for each collection

of personal data?

48%

80%

64%

64%

61%

59%

58%

57%

54%

53%

49%

44%

43%

38%

32%

28%

28%

17%

21%

13%

28%

18%

34%

33%

33%

26%

24%

32%

36%

35%

35%

28%

20%

13%

10%

10%

21%

4%

10%

16%

25%

22%

6%

31%

38%

4%

13%

4%

7%

5%

18%

21%

6%

0% 20% 40% 60% 80% 100%

EU 15

I

FIN

P

E

L

A

L

F

S

B

D


EL

NL IR UK DK

Results by country show us that Italy has by far the highest rate (80%) among EU countries indicating that this specific information is made available to data subjects. This rate is 32 percentage points above the European Union average. Greece (64%), Finland (64%) and the Netherlands (61%) follow with rates above the 60 % mark. On the other side of the graph, we can note that companies in Germany are the least to inform data subjects of the existence of the right to access and the right to rectify the data concerning the data subjects. This result is 20 percentage points below the EU average. Belgium (32%) and Denmark (38%) also have very low rates.


Q9f) Do you make "The existence of the right to access and the right to rectify the data concerning the data subjects" available to the data subject for each

collection of personal data?

48%

41%

53%

46%

47%

61%

47%

45%

53%

49%

49%

43%

46%

28%

31%

30%

27%

25%

20%

28%

30%

21%

29%

25%

26%

27%

20%

24%

15%

22%

22%

15%

21%

20%

22%

18%

20%

29%

24%

4%

4%

3%

5%

6%

4%

4%

4%

4%

4%

6%

4%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


Certain important disparities can be noted among the sector and size of the companies concerning this type of information. Among the different sectors, we can note that companies in the industry sector are a majority (53%) to indicate that the existence of the right to access and the right to rectify the data concerning the data subjects is made available to data subjects. Companies in the construction sector on the other hand, have a far lower rate, at 41% indicating that this information is made available. The size of the company shows us that the largest-sized companies have a far higher rate (61%) indicating that this information is made available to data subjects than the smallest-sized companies (45%).


“The purpose of the processing for which the data are intended” The information concerning “the purpose of the processing for which the data are intended”, closely follows the first type of information analysed above, with a rate of 46% at the EU average. IR UK

FI

NL

DK

Q9c) Do you make "The purpose of the processing for which the data are intended" available to the data subject for each collection of personal data?

46%

75%

66%

65%

60%

58%

56%

55%

54%

54%

53%

35%

35%

31%

25%

11%

27%

21%

27%

24%

26%

25%

12%

34%

22%

23%

21%

24%

24%

24%

44%

52%

23%

7%

11%

14%

17%

10%

5%

21%

6%

40%

40%

40%

31%

35%

4%

6%

4%

15%

19%

20%

5%

0% 20% 40% 60% 80% 100%

EU 15

I

L

E

EL

N

A

S

L

P

D

F

B


According to the 1995 European Directive, companies, in order to comply with their respective national data protection law, are obliged to make the purpose of the processing for which the data are intended available to all data subjects. Results by country show us that companies in Italy have once again the highest rate (75%) indicating that “the purpose of the processing for which the data are intended” is indeed made available to data subjects. Ireland (66%), Spain (65%) and Greece (60%) also have high rates indicating that they make such information available. On the contrary, Belgium is the country where companies make this information the least available to data subjects, with a rate of 11%. Companies in France follow with a rate of 25%. Other countries where a minority of companies make this information available are Germany (31%), Portugal (35%) and Luxembourg (35%).


Q9c) Do you make "The purpose of the processing for which the data are intended" available to the data subject for each collection of personal data?

46%

39%

48%

45%

48%

62%

45%

44%

51%

48%

44%

41%

48%

27%

27%

29%

28%

25%

16%

28%

29%

23%

28%

28%

23%

25%

23%

30%

21%

22%

24%

20%

24%

24%

23%

21%

24%

32%

26%

4%

5%

2%

4%

3%

3%

4%

4%

4%

3%

5%

4%

1%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


The breakdown by company category shows us that there are once again discrepancies among the sector and size categories of companies. Among the different sectors, companies in the construction sector are the least to indicate the purpose of the processing, for which the data are intended, with a rate of 39%. The size of the company reveals that 62% of the largest sized companies inform data subjects of the purpose of the processing for which the data are intended. This rate is far higher than that of the smallest sized companies (44%). The middle-sized companies, although at a lower rate, are nevertheless a majority (51%) to indicate that they make such information available to data subjects.


“ The recipients or categories of recipients of the data”

Q9d) Do you make "the recipients or categories of recipients of the data" available to the data subject for each collection of personal data?

38%

71%

58%

54%

44%

44%

41%

40%

40%

39%

38%

35%

33%

26%

25%

9%

33%

24%

29%

35%

34%

43%

34%

22%

41%

38%

32%

24%

27%

31%

38%

52%

24%

5%

9%

17%

8%

6%

22%

11%

19%

5%

38%

37%

38%

35%

36%

5%

4%

10%

6%

5%

19%

16%

8%

4%

25%

6%

0% 20% 40% 60% 80% 100%

EU 15

I

EL

L

E

S

N

A

L

P

D

F

B


IR UK

FI

NL

DK

Although at a lower rate, a relative majority of respondents indicates that the information concerning the recipients or categories of recipients of the data is made available to data subjects, at an EU average rate of 38%. Results by country show that companies in Italy are those that make this information the most available to data subjects, with a rate of 71%. Greece (58%) an Ireland (54%) follow with rates equally representing a majority of companies. On the other side of the graph, we can once again observe that Belgium is by far the country where companies make this information the least available to data subjects, since only 9% admit doing so. This rate is 29 percentage points below the European Union average. France (25%) and Germany (26%) also have very low rates compared to the EU average.


Q9d) Do you make "the recipients or categories of recipients of the data" available to the data subject for each collection of personal data?

38%

31%

39%

38%

39%

49%

37%

37%

38%

39%

38%

35%

40%

33%

36%

36%

34%

30%

21%

34%

35%

31%

35%

34%

28%

31%

24%

29%

21%

23%

25%

26%

24%

24%

24%

22%

22%

34%

27%

5%

5%

5%

5%

5%

4%

5%

5%

7%

5%

6%

3%

2%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


The only notable discrepancy can be observed in the size category of companies, where the largest companies (49%) are clearly ahead of the small (37%) and middle-sized companies (38%) when it comes to making the information concerning the recipients of the data available to data subjects.


“ The physical or electronic address of a person within the organisation

directly responsible for data protection matters” EU

Q9b) Do you make "The physical or electronic address of a person within the organisation directly responsible for data protection matters" available to the

data subject for each collection of personal data?

37%

62%

52%

50%

46%

43%

42%

40%

37%

36%

34%

33%

28%

27%

23%

22%

40%

35%

38%

40%

38%

29%

49%

54%

49%

39%

33%

30%

35%

46%

48%

49%

19%

8%

13%

28%

7%

4%

12%

6%

31%

24%

32%

25%

4%

27%

4%

7%

4%

18%

14%

6%

24%

0% 20% 40% 60% 80% 100%

15

I

EL

IRL

UK

L

A

E

NL

S

P

FIN

D

F

DK

B


Only 37% of companies reveal the physical or electronic address of a person within the organisation directly responsible for data protection matters to data subjects when their personal data is collected. Country results show us that only in Italy (62%), Greece (52%) and Ireland (50%) do a majority of companies make such information available. Belgium (22%) and Denmark (23%), on the other hand, are the countries where such information is made the least available throughout the EU Member States.


Q9b) Do you make "The physical or electronic address of a person within the organisation directly responsible for data protection matters" available to the

data subject for each collection of personal data?

37%

29%

40%

37%

39%

47%

37%

35%

42%

38%

38%

34%

42%

40%

45%

41%

42%

36%

35%

40%

42%

34%

42%

39%

36%

32%

19%

21%

16%

17%

21%

16%

19%

18%

20%

17%

17%

28%

17%

4%

6%

2%

5%

5%

2%

4%

4%

4%

3%

6%

3%

9%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


The breakdown by company category shows us that there are disparities between companies by sector and by size. Among the different sectors, companies in the construction sector are the ones to have the lowest rate (29%) indicating that they make the physical or electronic address of a person within the organisation directly responsible for data protection matters available to data subjects when their personal data is collected. Companies in the industry sector have the highest rate, with 40% indicating that they make such information available. The company size shows us that there is an important disparity between the largest and the smallest companies. While 47% of the largest companies indicate that they make this information available to data subjects, only 35% of the smallest companies do the same.


“The identity of the data controller or its representative” Q9a) Do you make "The identity of the data controller or its

representative" available to the data subject for each collection of personal data?

37%

79%

56%

51%

47%

44%

41%

41%

37%

36%

32%

32%

29%

27%

19%

17%

37%

19%

26%

37%

31%

41%

26%

38%

28%

47%

56%

27%

37%

41%

40%

40%

21%

17%

17%

14%

29%

4%

31%

9%

7%

28%

30%

6%

32%

39%

6%

12%

5%

4%

18%

4%

9%

5%

14%

4%

26%

9%

4%

0% 20% 40% 60% 80% 100%

EU 15

I

EL

IRL

UK

NL

L

S

P

A

E

FIN

F

DK

D

B


As seen earlier, the data protection Directive foresees that this type of information is obligatory and must be made available to data subjects. For this information, companies at an EU level seem to be divided as to whether it is made available to respondents or not, with 37% of respondents saying it is made available and the same percentage expressing the opposite. Country results show us that, yet again, companies in Italy are those, which make the identity of the data controller or its representative the most available to data subjects, with a rate of 79%. This rate is 42 percentage points above the EU average. Companies in Greece and Ireland are also a majority to indicate their compliance to this principle. On the contrary, companies in Belgium and Germany are the ones that make this information the least available to data subjects, with respectively 17% and 19%. We can conclude through these results that compliance with the 1995 European Directive is far from being achieved in most of the European Union, since in only three countries out of the European Union do a majority of companies declare to make this information available to data subjects.


Q9a) Do you make "The identity of the data controller or its representative" available to the data subject for each collection of personal data?

37%

33%

45%

34%

34%

50%

36%

35%

40%

38%

35%

36%

35%

37%

37%

33%

38%

38%

29%

37%

38%

33%

37%

38%

31%

40%

21%

23%

17%

21%

22%

18%

21%

20%

22%

19%

20%

26%

21%

6%

7%

5%

7%

6%

4%

6%

7%

5%

6%

7%

7%

4%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


The breakdown by company category shows us that there are once again discrepancies in the sector of activity category and the company size category. Companies in the industry sector have a significantly higher rate indicating their compliance with the obligation to reveal the identity of the data controller or its representative, with a rate of 45% compared to only 33% in the construction sector and 34% in both the trade and services sector. Once again, the largest-sized companies have a somewhat higher rate than the smallest companies (35%) or the middle-sized companies (40%) concerning this information. In fact, a majority (50%) of large companies indicate that they make this information available to data subjects.


“ The obligation or non-obligation of replying and the possible consequences of failure to reply”

IR UK DK

NL FI

Q9e) Do you make "The obligation or non-obligation of replying and the possible consequences of failure to reply" available to the data subject for each collection

of personal data?

31%

56%

42%

41%

37%

37%

37%

33%

33%

28%

27%

26%

26%

22%

22%

20%

32%

37%

41%

42%

29%

25%

34%

50%

29%

41%

29%

38%

32%

22%

38%

34%

28%

7%

14%

22%

36%

15%

6%

4%

24%

22%

7%

35%

45%

36%

39%

10%

4%

14%

13%

15%

11%

35%

7%

23%

28%

7%

11%

4%

7%

0% 20% 40% 60% 80% 100%

EU 15

I

EL

L

L

A

E

N

S

P

D

F

B


When observing the EU average, we can note that only 31% of companies indicate the information concerning the obligation or non-obligation of replying and the possible consequences of failure to reply to data subjects. Country results show us that Italy is the only country where a majority of companies (56%) make this information available to data subjects. Greece and Ireland follow, with respectively 41% and 42%. Countries where respondents indicated the least that this information is made available by their companies are Belgium (20%), France (22%) and Germany (22%).


Q9e) Do you make "The obligation or non-obligation of replying and the possible consequences of failure to reply" available to the data subject for each collection

of personal data?

31%

24%

35%

30%

31%

40%

30%

29%

34%

31%

29%

37%

26%

32%

34%

34%

33%

29%

24%

32%

34%

26%

33%

36%

20%

37%

28%

34%

23%

27%

30%

25%

28%

28%

28%

26%

24%

38%

31%

10%

9%

8%

11%

10%

11%

9%

9%

12%

10%

11%

6%

6%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


When observing the breakdown by company category, we can once again note that both companies in the industry sector (35%) and the largest-sized companies (40%) have somewhat higher rates indicating that they make the information concerning the obligation or the non-obligation of replying and the possible consequences of failure to reply available to data subjects for each collection of personal data. The status of the respondent in the company also shows us that Human Resources managers have a somewhat higher rate (37%) than the other status categories indicating that their company makes such information available to the data subject.


“The indication whether the recipient country provides (or not) an

adequate level of data protection” IR FI

UK

NL DK

Q9h) Do you make "The indication whether the recipient country provides (or not) an adequate level of data protection" available to the data subject for each


15%

41%

29%

27%

25%

22%

17%

17%

16%

15%

14%

13%

12%

9%

8%

7%

57%

39%

46%

39%

37%

73%

59%

27%

62%

54%

67%

54%

45%

46%

35%

80%

13%

15%

18%

12%

12%

10%

18%

30%

8%

7%

22%

15%

5%

25%

16%

26%

13%

47%

5%

12%

26%

22%

42%

55%

13%

0% 20% 40% 60% 80% 100%

EU 15

L

L

P

A

I

EL

N

F

B

D

S

E


When observing the average result for the European Union, we can note that a majority of companies (57%) does not indicate to the data subject whether the recipient country provides (or not) an adequate level of data protection. Results by country show us that only Luxembourg has a relative majority (41%) of companies providing such information to data subjects. In all other countries, only a minority of companies make this information available. The countries where this information is made the least available are Spain (7%), Denmark (8%) and Sweden (9%).


Q9h) Do you make "The indication whether the recipient country provides (or not) an adequate level of data protection" available to the data subject for each


15%

10%

16%

12%

16%

20%

14%

13%

19%

13%

18%

18%

13%

57%

62%

57%

60%

54%

55%

57%

60%

47%

58%

57%

54%

60%

13%

15%

12%

10%

15%

12%

13%

13%

14%

13%

10%

15%

17%

15%

14%

15%

18%

15%

13%

16%

14%

20%

17%

15%

11%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager


In all company categories, only a minority of respondents answer that their company makes the indication available to the data subject whether the recipient country of the collected personal data provides (or not) an adequate level of data protection. Among sectors of activity, we can note that companies in the industry sector and the services sector make this information somewhat more available (both at 16%) while those in the industry and construction sector have lower rates.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 44 “ The possible transfer of the data to non-EU countries” IR

NL

EL

DK

UK

Q9g) Do you make "The possible transfer of the data to non-EU countries" available to the data subject for each collection of personal data?

10%

22%

20%

15%

14%

13%

12%

12%

11%

10%

10%

9%

8%

8%

7%

6%

66%

59%

59%

60%

50%

61%

62%

61%

40%

50%

79%

71%

69%

39%

59%

84%

11%

7%

9%

13%

20%

18%

6%

19%

22%

10%

17%

13%

19%

19%

17%

27%

13%

6%

10%

48%

37%

4%

43%

16%

8%

0% 20% 40% 60% 80% 100%

EU 15

L

I

A

L

P

S

F

B

FIN

D

E


For this final information category, we can note that a strong majority of companies (66%) among the European Union do not make the information concerning the possible transfer of the data to non-EU countries available to data subjects. Country results show us that in all Member States, only a minority of companies supply such information to data subjects. We can however note that companies in Ireland and in Italy have somewhat higher rates, with respectively 22% and 20%. The countries where this information is made the least available to data subjects are Spain (6%), Germany (7%), Finland (8%), Belgium (8%) and France (9%). We can also observe abnormally high rates of respondents who did not know or who refused to answer, namely in Denmark (48%), Finland (43%) and Sweden (37%). This leads us to assume that the awareness on such an issue of data protection is very low in these three countries.


Q9g) Do you make "The possible transfer of the data to non-EU countries" available to the data subject for each collection of personal data?

10%

5%

14%

9%

10%

22%

10%

9%

13%

11%

10%

9%

13%

66%

75%

63%

68%

63%

59%

66%

68%

61%

67%

65%

63%

62%

11%

7%

12%

9%

14%

8%

11%

11%

13%

9%

14%

14%

12%

13%

13%

11%

14%

13%

11%

13%

13%

13%

13%

11%

13%

14%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS

Resp. de la prot.des don/ Resp. for data prot. Iss.Resp. IT/ IT manager

Dir. RH/ HR manager



The breakdown by company category for this final information type concerning the possible transfer of the data to non-EU countries reveals only one notable discrepancy among the different categories, namely the rate for the largest-sized companies. Indeed, companies employing 250 persons and over have a significantly higher rate of respondents answering that their company makes such information available to data subjects, with 22% against only 9% for the smallest-sized companies.


2.5 Companies’ experience of access requests and complaints

2.5.1 Access requests

- A relative majority of respondents indicate that their company received less than ten access requests during the year 2002 -

In order to analyse the experiences of companies with access requests by data subjects, respondents throughout the European Union were asked how many access requests their company had received during 2002.

Q.11 Approximate number of access requests received by your company during the year 2002?

49%

6%

23%

1%5%2%

14%

M oins de 10 / Less than 10 Entre 10 et 50 / Between 10 and 50

Entre 51 et 100 / Between 51 and 100 Entre 101 et 500 / Between 101 and 500

Plus de 500 / M ore than 500 [Jamais reçu de demande] / [Never received any request]

[NSP&SR] / [DK&NA]

Results for the average of the European Union show us that almost half of the respondents (49%) indicate that their company has received less than 10 access requests during 2002. 14% indicate that their company has received between 10 and 50 requests. Only 8% of respondents indicate that their company has received 51 or more access requests in 2002. On average, one in four companies of the EU indicate that they did not receive any access requests during the year 2002.


Q11. Could you indicate the approximate number of access requests received by your company during the year 2002?

49%

62%

61%

57%

57%

53%

53%

51%

49%

44%

44%

40%

38%

38%

30%

24%

14%

5%

8%

11%

12%

15%

20%

22%

10%

7%

22%

12%

12%

10%

8%

12%

5%

4%

9%

4%

4%

4%

3%

3%

3%

6%

23%

25%

22%

17%

18%

9%

7%

17%

33%

36%

16%

31%

33%

30%

47%

58%

6%

6%

5%

11%

5%

19%

8%

4%

10%

5%

10%

7%

18%

9%

1%3%

4%

5% 4%

3%

3%

4%

0% 20% 40% 60% 80% 100%

EU 15

S

UK

NL

F

B

D

IRL

EL

DK

P

L

E

FIN

A

I

Less than 10 Between 10 and 50 Between 51 and 100

Between 101 and 500 M ore than 500 [Never received any request]

[DK&NA]

When observing the highest rate of access requests received by country, we can note that Germany has the highest rate (85%) of respondents in this country indicating that their company received access request during the year 2002. Portugal and Ireland follow with both 79% having received access requests in 2002. The countries where companies have the lowest rate of access requests in 2002 are Italy and Austria with respectively 41% and 44%. Results by country further show us that in most of the Member States, a majority of companies received less than 10 access requests during the year 2002. This is especially the case for companies in Sweden (62%) and in the United Kingdom (61%).

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 48 Breakdown by company category: R R R D

Q11. Approximate number of access requests received by your company during the year 2002?

49%

46%

49%

49%

49%

49%

49%

51%

43%

14%

17%

15%

13%

13%

15%

14%

14%

12%

14%

11%

17%

18%

5%

4%

4%

6%

6%

5%

4%

8%

4%

6%

5%

6%

3%

4%

3%

3%

4%

3%

3%

4%

23%

25%

27%

22%

20%

14%

23%

25%

20%

25%

20%

20%

21%

6%

5%

6%

7%

7%

12%

6%

5%

8%

5%

10%

4%

5%

49%

53%

46%

46%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS

esp. de la prot.des don/esp. for data prot. Iss.

esp. IT/ IT manager

ir. RH/ HR manager


M oins de 10 / Less than 10 Entre 10 et 50 / Between 10 and 50 Entre 51 et 100 / Between 51 and 100 Entre 101 et 500 / Between 101 and 500

Plus de 500 / M ore than 500 [Jamais reçu de demande] / [Never received any request][NSP&SR] / [DK&NA]

Results for the different categories of companies do not show any significant discrepancies. The number of access requests received by companies is identical regardless of their size or the sector of activity. We can merely note that in the trade sector, the rate of respondents indicating that their company received less than 10 access requests in 2002 (53%), is somewhat higher than in all other categories, and is 4 percentage points above the European Union average (49%). The status in the company shows us that while persons responsible for data protection issues (49%), IT managers (49%) and Human Resources managers (51%) indicate similar rates of access requests as the EU average (49%), Marketing managers tend to have a lower rate, with 43% indicating that less than 10 access requests were received by their company during 2002.


2.5.2 Reception of complaints

- The vast majority of companies has not received any complaints from people

whose data is being currently processed -

Q12. Has your company received complaints from people whose data is being currently processed?

4%

7%

6%

4%

4%

4%

3%

3%

3%

96%

91%

94%

95%

92%

95%

94%

97%

94%

97%

97%

95%

99%

92%

99%

97%

3%

4%

3%

3%

3%

7%

0% 20% 40% 60% 80% 100%

EU 15

NL

UK

D

P

B

IRL

E

S

A

F

L

I

FIN

EL

DK

Yes No [DK&NA]

In order to analyse whether companies deal with complaints from data subjects, respondents were asked whether their company has received complaints from people whose data is being currently processed. Results for the average of the European Union show that 95% of respondents indicate that their company has not received any complaints from people whose data is being currently processed. Only 4% answered that their company has received such complaints. Results by country show us that the rate of respondents who indicate that their company has received such complaints is only somewhat higher than the EU average in the Netherlands and the United Kingdom, with respectively 7% and 6%. There are no significant disparities between the rates in the different countries.



4%

3%

6%

10%

3%

3%

5%

3%

3%

8%

96%

98%

97%

96%

93%

87%

96%

97%

94%

96%

95%

98%

90%

3%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249

STATUT-STATUS



Dir. RH/ HR manager


Yes No [DK&NA]

The only significant result we can observe among the different company categories is that of the largest sized companies. The rate of respondents in this category (10%) indicating that their company has received complaints from people whose data is being currently processed, is significantly higher than the EU average (4%), with a difference of 6 percentage points.


3. How data controllers perceive the non-respect of the legislation

In this third part, we will analyse the way respondents explain the best the non-respect of the data protection law and how it is applied in other companies.

3.1. Reasons why the legislation is not applied correctly

- A lack of knowledge of the data protection law best explains why certain data

controllers do not fully respect this legislation - Q8. In your opinion, what could explain the best the fact that some data

controllers do not fully respect the provisions and requirements of the [NATIONALITY] data protection law… ?

39%

62%

56%

52%

47%

46%

46%

46%

38%

37%

34%

34%

33%

31%

29%

22%

28%

11%

13%

16%

26%

18%

21%

29%

26%

33%

28%

50%

28%

32%

42%

43%

17%

13%

19%

14%

16%

19%

9%

10%

17%

15%

25%

6%

24%

25%

10%

10%

9%

4%

5%

12%

8%

9%

6%

7%

12%

6%

8%

11%

9%

12%

7%

20%

3%

3%

3%

4%

5%

7%

5%

3%

6%

15%

4%

7%

8%

5%

5%

10%

4%

0% 20% 40% 60% 80% 100%

EU 15

S

IRL

UK

FIN

E

DK

NL

B

D

L

EL

F

I

A

P

Lack of knowledge of the legislationToo limit. contr. by the [NAT.] data protect. auth., risk being caught lowAdapt. o f the comp. to the new requir. o f the data protect. law is time consum.Lack of flexibility o f the law [Other] [DK&NA]

Respondents were asked what explained best why some data controllers do not fully respect the data protection law in their respective countries. When looking at results for the European Union average, we can note that a relative majority of respondents (39%) believes it is the lack of knowledge of the legislation that can best explain why certain data controllers do not respect the data protection law.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 52 28% of respondents explain that this disrespect is due to the too limited control by the respective national data protection authorities in each country, and for this reason, the lack of being caught is low. Some (17%) believe it is due to the fact that the adaptation of the company to the new requirements of the data protection law is very time consuming. Only a few (9%) of respondents indicate that it can be explained by the lack of flexibility of the law. The lack of information is more spread in Sweden where 62% of respondents cited it as the main reason for not fully respecting the data protection law. This rate is 23 percentage points above the European Union average (39%). Ireland (56%) and the United Kingdom (52%) also have a majority of respondents indicating this same reason. The rate of those who believe it is due to a too limited control by the national data protection authority is the highest in Greece (50%), where a majority seems to think this way. Greece’s rate is 22 percentage points above the EU average (28%). Rates in Portugal (43%) and Austria (42%) also have high levels of similar opinions. The rate of respondents who indicate that the adaptation of the company to the new requirements of the data protection law is very time consuming, are highest in Luxembourg (25%), Italy (25%) and France (24%).


Q8. In your opinion, what could explain the best the fact that some data controllers do not fully respect the provisions and requirements of the

[NATIONALITY] data protection law… ?

39%

35%

36%

41%

42%

38%

39%

40%

37%

39%

41%

39%

31%

28%

30%

31%

25%

26%

26%

28%

28%

27%

27%

28%

28%

33%

17%

17%

18%

17%

17%

22%

17%

16%

19%

16%

17%

19%

17%

9%

9%

9%

11%

8%

7%

9%

9%

11%

10%

7%

9%

12%

5%

8%

4%

5%

5%

4%

5%

5%

4%

5%

6%

5%

6%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



arketing manager

Lack of knowledge of the legislationToo limited contro l by the [NAT.] data protection authority, risk of being caught is very lowAdaptation of the company to the new requirements of the data pro tection law is time consumingLack o f flexibility o f the law

[Other] [DK&NA]

When observing results by company category, there are only few notable differences. Although respondents in all sectors mostly indicate the lack of knowledge of the legislation, we can nevertheless say that these rates are higher in the Services (42%) and Trade sector (41%) than in the Industry (36%) and Construction sector (35%). The only notable result by size of company is found among the largest sized companies. 22% of respondents in this category believe that data controllers do not fully respect the data protection law because the adaptation of the company to the new requirements of this legislation is time consuming. This rate is 5 percentage points above the European Union average (17%). The status in the company shows us that persons responsible for data protection issues (39%), IT managers (41%) and Human resources managers (39%) have similar rates compared to the European Union average (39%), indicating that the lack of knowledge best explains that some data controllers do not fully respect the legislation. This is not the case for Marketing managers, who seem to have a better knowledge level of the data protection law as they express a rather lower rate than the EU average, with a difference of 8 percentage points (31%). On the other hand, these same Marketing managers indicate a higher rate (33%) believing the disrespect of the legislation is due to a too limited control by the national data protection authorities, and that that the risk of being caught is low. This rate is 5 percentage points above the EU average.


3.2. Respondent’s perception of practices in other companies

Respondents were asked to give their opinion on several propositions concerning the situation in most of the companies in their country with regard to the application of the data protection law. The aim being to better understand the companies’ practices in complying with requirements of the data protection law, propositions have been ranked by the respondents’ rate of agreement.

Q10. For each of the following propositions, please tell me whether or not you think they correspond to the situation in most of the companies

in your country...

67%

51%

36%

34%

16%

30%

38%

44%

12%

17%

22%

18%

5%

4%

4%

0% 20% 40% 60% 80% 100%

Companies receive fewcomplaints so they do notregard full compliance with

the law as a priority

Responding to requests fromindividuals wanting to access

their data invo lves animportant effort for

companies

Companies inform datasubjects o f the purposes of

the processing beforecollecting their personal data

When data no longer servesthe purpose of the co llection,

data is deleted



“ Companies receive few complaints so they do not regard full

compliance with the law as a priority”:

- For most respondents, companies do not respect the data protection law fully

because they receive few complaints -

Q.10 c) Companies receive few complaints so they do not regard full compliance w ith the law as a priority

67%

82%

81%

76%

76%

74%

73%

69%

64%

64%

60%

60%

58%

58%

58%

47%

15%

12%

9%

21%

13%

18%

16%

10%

15%

20%

22%

27%

18%

21%

21%

25%

12%

4%

8%

3%

7%

17%

16%

3%

11%

23%

8%

9%

18%

5%

4%

15%

12%

13%

4%

6%

4%

4%

10%

13%

3%

8%

0% 20% 40% 60% 80% 100%

EU 15

N

E

I

L

A

D

B

L

EL

F

S

P

Yes No It depends [DK/NA]

FI

NL

IR DK

UK

A clear majority (67%) of respondents throughout the European Union believe that companies do not regard full compliance with the data protection law as a priority, as they receive few complaints relating to it. Country results show us that Finland (82%) and Spain (81%) have the highest rates of respondents agreeing with this proposition. Finland’s rate is 15 percentage points above the EU average. On the contrary, Portugal has the lowest rate (47%), which is 20 percentage points below the EU average. The rate in this country is the only one among the 15 Member States to not represent a majority of companies agreeing with this statement. In all other Member States a majority of companies seem to not regard full compliance with the data protection law as a priority due to the low number of complaints.


Q.10 c) Companies receive few complaints so they do not regard full compliance w ith the law as a priority

67%

72%

67%

69%

65%

65%

67%

68%

66%

67%

72%

61%

66%

15%

12%

17%

13%

17%

17%

15%

15%

17%

16%

12%

17%

16%

12%

13%

11%

11%

14%

15%

12%

12%

13%

11%

12%

15%

14%

5%

4%

5%

7%

5%

3%

5%

5%

5%

6%

4%

4%

6%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR -SECTOR

construction

industrie/ industry

commerce / trade

services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20 - 49

SM E 50 - 249

STATUT - STATUSResp. de la prot. des données/

Resp. for data prot.iss. Resp. IT / IT manager

Dir. RH / HR manager Dir. M arketing/

M arketing manager


The breakdown by company category does not show any major discrepancies among the different categories for this statement. The only notable difference is found among the different sectors of activity where companies in the construction sector (72%) have a slightly higher rate than companies in other sectors, namely those in the services sector (65%).


“Responding to requests from individuals wanting to access their data

involves an important effort for companies”:

- Half of the respondents agree that it represents an important effort for companies to respond to access requests -

IR DK FI

Q.10 d) Responding to requests from individuals wanting to access their data involves an important effort for companies

51%

76%

60%

59%

56%

56%

56%

51%

48%

48%

46%

46%

45%

44%

42%

30%

30%

15%

27%

37%

35%

22%

29%

26%

30%

32%

40%

39%

38%

26%

44%

58%

16%

7%

8%

21%

14%

22%

7%

4%

12%

11%

29%

7%

7%

3%

11%

7%

19%

3%

5%

5%

6%

6%

12%

3%

0% 20% 40% 60% 80% 100%

EU 15

L

UK

I

EL

F

L

P

B

S

NL

A

D

E

N


Although most of companies receive few (or even none) access requests (page 46, question 11), they still believe that responding to requests from individuals wanting to access their data involves an important effort: A majority (51%) of respondents throughout the EU admit that responding to requests from individuals wanting to access their data involves an important effort for companies. There are significant differences by country to this practice: Ireland has by far the highest rate of respondents who agree with the proposition (76%). This rate is 25 percentage points above the European Union average (51%). The United Kingdom follows, with 60% of respondents agreeing. On the contrary, Finland has the lowest rate (30%) of respondents agreeing access requests involve an important effort for companies.


Q.10 d) Responding to requests from individuals wanting to access their data involves an important effort for companies

51%

49%

53%

50%

49%

48%

51%

51%

49%

50%

54%

46%

51%

30%

28%

32%

31%

30%

29%

31%

29%

35%

32%

29%

30%

24%

16%

21%

13%

14%

20%

21%

16%

17%

12%

15%

15%

21%

25%

3%

4%

3%

3%

3%

3%

3%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR -SECTOR

construction

industrie/ industry

commerce / trade

services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20 - 49

SM E 50 - 249




M arketing manager


There are no distinctive discrepancies found among results of the breakdown by company category. Only Human Resources managers have a slightly lower rate (46%) than the EU average believing that responding to requests from individuals wanting to access their data involves an important effort for companies, while as the IT managers are a clear majority (54%) to agree with this statement.


“Companies do not think that most controllers inform data subjects of the purposes of the processing before collecting their personal data”

- Companies do not inform data subjects of the purposes of the processing before

collecting their personal data - FI IR

Q.10 a) Companies inform data subjects of the purposes of the processing before collecting their personal data

36%

52%

47%

46%

42%

42%

38%

37%

37%

35%

35%

34%

30%

29%

28%

21%

38%

34%

30%

45%

35%

32%

51%

33%

52%

47%

51%

33%

41%

42%

45%

36%

22%

11%

8%

22%

17%

8%

21%

6%

10%

28%

26%

26%

24%

42%

4%

12%

9%

3%

9%

3%

4%

3%

12%

9%

0% 20% 40% 60% 80% 100%

EU 15

EL

S

I

N

UK

A

B

L

DK

E

D

L

NL

P

F


Although it seems as an important requirement, only one third of companies inform data subjects of the purposes of the processing before collecting their personal data. Average results for the 15 EU Member States show us that only 36% of respondents agree with this proposition, while a representative majority equalling 38% of respondents disagrees. Country results show important discrepancies among the EU member States concerning this proposition. In Greece, a majority of 52% of companies inform data subjects of the purposes of processing before collecting personal data, followed by Sweden and Italy with respectively 47% and 46%. On the contrary, countries where companies inform data subjects the least are France (21%), Portugal (28%), the Netherlands (29% and Luxembourg (30%). In the case of France, we must however note that a relative majority of respondents (42%) indicated that it depends on the situation whether companies inform data subjects of the purposes of the processing or not.


Q.10 Companies inform data subjects of the purposes of the processing before collecting their personal data

36%

37%

35%

37%

34%

39%

35%

35%

36%

35%

34%

39%

44%

38%

35%

43%

36%

36%

30%

38%

39%

37%

39%

38%

34%

39%

22%

24%

17%

21%

26%

27%

22%

21%

23%

22%

25%

23%

14%

4%

4%

5%

6%

3%

4%

4%

4%

5%

5%

4%

4%

4%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR -SECTOR

construction

industrie/ industry

commerce / trade

services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20 - 49

SM E 50 - 249




M arketing manager


There are no major disparities to be found among the results of the breakdown by company. Results for the sectors of activity show almost identical rates among companies agreeing with the fact that they inform data subjects of the purposes of the processing before collecting their personal data. The only difference is found among respondents of companies in the industry sector who are a relative majority (43%) to indicate that their company does not inform data subjects of these purposes.


“Companies do not think that when data no longer serves the purpose of the collection, data is deleted by most controllers”

- Almost half of the companies do not believe that most companies delete data

when it no longer serves the purpose of the collection - IR

DK FI

Q.10 b) When data no longer serves the purpose of the collection, data is deleted.

34%

48%

45%

44%

43%

37%

37%

33%

31%

31%

30%

29%

29%

28%

25%

24%

44%

37%

40%

35%

32%

52%

53%

39%

57%

61%

40%

50%

58%

32%

58%

59%

18%

7%

18%

25%

6%

4%

26%

7%

20%

15%

9%

38%

14%

11%

3%

6%

10%

3%

6%

9%

5%

6%

1%

4%

0%

2%

0%

6%

0% 20% 40% 60% 80% 100%

EU 15

UK

S

EL

L

E

L

D

I

P

B

A

F

NL

N


A relative majority of respondents throughout the European Union (44%) indicate that their companies do not delete data. Countries, where rates of agreement with this statement are the highest are the United Kingdom (48%), Sweden (45%), Greece (44%) and Luxembourg (43%), where a relative majority of companies indicate that when data no longer serves the purpose of the collection, it is deleted.


Q.10 b) When data no longer serves the purpose of the collection, data is deleted.

34%

35%

33%

37%

33%

29%

35%

35%

33%

35%

29%

40%

34%

44%

45%

46%

43%

42%

45%

44%

44%

43%

42%

51%

38%

50%

18%

18%

16%

16%

21%

23%

18%

17%

21%

18%

19%

19%

14%

3%

2%

4%

4%

3%

3%

4%

4%

3%

4%

2%

2%

4%

0% 20% 40% 60% 80% 100%

EU 15

SECTEUR -SECTOR

construction

industrie/ industry

commerce / trade

services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20 - 49

SM E 50 - 249




M arketing manager


The breakdown by company category shows several discrepancies by size of company and by status in the company: In the size category, we can note that the largest companies (29%) are less numerous to delete data when it no longer serves the purpose of the collection than the small (35%) or middle sized companies (35%). The status in the company shows us that Human Resource managers (40%) tend to agree more with this statement than other respondents, namely the IT managers (29%). 11 percentage points separate these two groups of respondents.


4. The future of the legal framework on data protection

In this final chapter, we will analyse which actions respondents would favour the most in order to improve and simplify the implementation of the legal framework on data protection. Furthermore, we will see whether respondents tolerate intrusions into personal databases by national or international authorities in order to help the fight against international terrorism.

4.1. Improvements and simplifications of the implementation of the legal framework

- Further clarifications on the European Directive and national laws are requested

by most respondents -

Q13. Please indicate which of the following actions you would most favour to improve and simplify the implementation of the legal framework on data protection? Firstly? &

Secondly?

45%

55%55%

47%47%46%

44%39%

38%37%

37%36%

32%28%25%

24%

37%

43%30%

38%45%

26%46%

30%43%

44%18%33%

40%47%

29%17%

35%

34%39%

27%35%

55%25%

25%35%

44%40%

34%44%

32%27%

44%

35%

31%33%

35%41%

32%41%

45%36%

27%19%

48%35%

39%33%

30%

33%

34%29%

41%30%19%

31%49%

43%32%

32%30%

43%44%

24%52%

5%

4%

5%19%

4%

18%8%

EU 15

ID

IRLEL

FINUK

L

FNLDK

E

BPS

A

Further clarification on the practical application of some of the key definitions and concepts of the European Directive and national laws

Aim at a better balance between the right to data protection and the freedom of expression and information

M ore uniformity between the national laws as regards the information to be provided to data subjects

Data protection legislation specific to each sector o f activity

M ore harmonised rules on security measures

[Other: specify]

[DK&NA]

Respondents were asked to indicate their most favoured actions in order to improve and simplify the implementation of the legal framework on data protection. Among a list of 5 actions, respondents were asked to choose their first and second choice. In order to analyse which actions are the most favoured we have totalised the first and second choices allowing us to observe which actions are most favoured. The action most favoured in order to improve and simplify the implementation of the legal framework on data protection is a further clarification on the practical

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 64 application of some of the key definitions and concepts of the European Directive and national laws. This action is chosen by 45% of the respondents. All other actions seem to have almost identical rates.:

- 37% of respondents cite “the aim at a better balance between the right to data protection and the freedom of expression and information”.

- 35% would like to see more uniformity between the national laws - 35% indicate a preference for data protection legislation specific to each

sector of activity. Finally, 33% indicate there should be more harmonised rules on security measures.

When analysing the results by country for each action separately, we can note that Italy and Germany have the highest rate of respondents who cite “further clarification on the practical application of some of the key definitions and concepts of the European Directive and national laws” as the most favoured action in order to simplify and improve the implementation of the legal framework on data protection. Aiming at a better balance between the right to data protection and the freedom of expression and information has the highest preference rate in Portugal (47%) and the United Kingdom (46%). A high rate of respondents in Finland (55%) would like to see more uniformity between the national laws as regards the information to be provided to data subjects. This rate is 20 percentage points above the European Union average (35%). A demand for data protection legislation specific to each sector of activity has a high rate of preference in Spain (48%) and Luxembourg (45%). The need for more harmonised rules on security measures is expressed by a significant rate of respondents in Austria (52%) and in Luxembourg (49%).


Q13. Please indicate which of the following actions you would most favour to improve and simplify the implementation of the legal framework on data protection? Firstly? &

Secondly?

45%

45%

43%

44%

48%

53%

45%

44%

48%

43%

45%

51%

56%

37%

38%

37%

41%

35%

37%

37%

38%

35%

39%

32%

40%

31%

35%

39%

33%

32%

37%

34%

35%

36%

32%

35%

33%

38%

38%

35%

33%

34%

33%

40%

30%

36%

35%

39%

37%

36%

26%

34%

33%

29%

39%

36%

29%

36%

33%

33%

34%

31%

38%

35%

37%

4%

3%

4%

3%

4%

3%

3%

3%

3%

3%

4%

3%

EU 15

SECTEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



M arketing manager

Further clarification on the practical application of some of the key definitions and concepts of the European Directive and national laws

Aim at a better balance between the right to data protection and the freedom of expression and information

M ore uniformity between the national laws as regards the information to be provided to data subjects

Data protection legislation specific to each sector o f activity

M ore harmonised rules on security measures

[Other: specify]

[DK&NA]

Results by sector of activity and company size do not show any significant differences compared to the European Union average as to the actions respondents most favour to improve and simplify the implementation of the legal framework on data protection. Few observations can nevertheless be made. In the industry sector, 39% of respondents express a better interest in more harmonised rules on security measures, compared to the other sectors. Respondents in large companies have a far higher need (53%) than smaller companies for further clarification on the practical application of some of the key definitions and concepts of the European Directive and national laws.


4.2. Personal databases and the fight against terrorism

- A proportionate intrusion in personal databases in order to help the fight against

terrorism is accepted by a vast majority - FI

DK

IR

Q14. Some consider that the fight against international terrorism makes it necessary to tolerate intrusions by national or international authorities in personal databases. Yourself, would you accept the intrusion in personal

databases in that case?

10%

22%

18%

17%

17%

15%

14%

9%

9%

7%

7%

5%

5%

4%

3%

27%

25%

33%

33%

29%

32%

31%

45%

27%

23%

14%

24%

29%

20%

16%

20%

43%

18%

37%

28%

36%

37%

32%

31%

49%

46%

47%

43%

50%

52%

24%

47%

18%

29%

12%

21%

18%

16%

20%

13%

14%

21%

31%

28%

15%

25%

57%

31%

5%

3%

3%

0% 20% 40% 60% 80% 100%

EU 15

S

UK

N

I

L

NL

D

E

A

P

L

F

EL

B

Yes, in all cases

Yes, but only in a proportionate and necessary manner in order to track only those clearly suspected of terrorist activitiesYes, but only if the intrusion takes place with the supervision of a judge or a similar guarantees in the M ember States

No, fundamental rights and freedoms of individuals should prevent these databases from being intruded

[DK&NA]

Results for the European Union show that 80% of respondents indicate that they would tolerate the intrusion into personal databases if it were to help the fight against terrorism. However, a relative majority (43%) among this population specifies that such intrusions would only be tolerated if they would take place with the supervision of a judge or similar guarantees in the Member States. We can note that only 18% of respondents would not accept such intrusions in any case for the sake of fundamental rights and freedoms of individuals. When observing results by country, we can note that the United Kingdom has the highest rate of respondents indicating that they would tolerate intrusions into personal databases (88%), with a difference of 8 percentage points compared to the EU average (80%). The Netherlands and Luxembourg follow, with respectively 85% and 84%. Greece has by far the lowest rate of respondents indicating that they would tolerate such intrusions, with only 43%. This rate is 37 percentage points below

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 67 the European Union average. Indeed, a clear majority in this country (57%) believes intrusions into personal databases should not be tolerated for any reasons in order to respect the fundamental rights and freedoms of individuals. Breakdown by company category: SEC

Q14. Some consider that the fight against international terrorism makes it necessary to tolerate intrusions by national or international authorities in personal databases. Yourself, would you accept the intrusion in personal databases in that

case?

10%

10%

11%

12%

10%

5%

11%

12%

8%

12%

6%

11%

13%

27%

33%

26%

26%

26%

29%

27%

27%

27%

27%

21%

35%

24%

43%

41%

42%

41%

46%

48%

43%

43%

43%

42%

47%

40%

44%

18%

14%

21%

21%

16%

18%

18%

18%

20%

17%

24%

14%

18%

0% 20% 40% 60% 80% 100%

EU 15

TEUR - SECTOR

Construction


Commerce / Trade

Services

TAILLE - SIZE

M ajor 250+

SM E Total

SM E 20-49

SM E 50-249



M arketing manager

Yes, in all cases

Yes, but only in a proportionate and necessary manner in order to track only those clearly suspected of terrorist activities

Yes, but only if the intrusion takes place with the supervision of a judge or a similar guarantees in the M ember StatesNo, fundamental rights and freedoms of individuals should prevent these databases from being intruded

[DK&NA]

Results by sector of activity and size of company show only insignificant discrepancies. However, we can note that large companies are much less willing than small companies to accept intrusion into personal databases in all cases (5% against 12%), and stress the fact that these intrusions can only be done under specific conditions, namely under the supervision of a judge or a similar guarantees in the Member States (48% against 43%). When observing results for the status in the company, we can note that IT managers are significantly less tolerant to any kind of intrusions into personal databases, with 24% indicating that they would not tolerate such intrusions. This rate is 6 percentage points above the EU average (18%).


CONCLUSION

This survey has allowed us to analyze data controller’s perceptions and opinions on the current data protection laws in the European Union, as well as their opinions and expectations on future implementation of a legal framework for data protection. In general, the main finding was that among the Member States of the European Union, there are differences in the implementation and the application of the data protection law. The way the different national laws are appreciated and respected vary significantly between countries. The perception of the level of protection of the current legislation is seen as ‘Medium’ among Member States. However, in Finland, a majority of respondents seems to consider the national data protection legislation as having a high level of protection. When asked how adapted the existing national legislation on data protection is to cope with the increasing amount of personal information being exchanged, (mostly due to the expansion of Internet usage), respondents among Member States react differently. In Finland, persons responsible for data protection issues seem very confident in their national legislation. This is also the case in the Netherlands and Greece. However, respondents in Portugal, Sweden, Austria, Italy and Spain, believe their national data protection laws are not adapted enough to cope with this issue. When observing results by size of company, we can note that the largest companies seem far more confident than the smallest companies in the level of protection of the national data protection law and its capability to cope with the increasing amount of data being exchanged. An overwhelming majority of companies established in the EU regard data protection requirements positively. Indeed, a vast majority of respondents rather agree that data protection requirements are necessary in order to respect a high level of protection for consumers and the fundamental rights of citizens. Furthermore, they do not believe that the requirements of the data protection law are too strict in certain respects. An exception can be made for respondents in Italy who are a vast majority to believe that the requirements are in fact too strict. Finally, respondents in the European Union do not believe that the requirements of the data protection law are unnecessary regardless of the sector of activity. Here again, we can note an exception for Italy and Greece where respondents seem divided on this issue. Concerning the views on the implementation of the European Data Protection Directive, respondents in the Member States seem divided. Although, at an EU average, a relative majority of companies do not believe that there is sufficient harmonization of Member States data protection laws to consider that personal data can be moved freely within the EU, respondents in Italy and Finland are a majority to agree that there is sufficient harmonization, while those in Germany and Luxembourg are on the contrary a majority to disagree. Once again, these results show the difference in the implementation of the Data protection Directive among the different Member States. As to the interpretation and application of national data protection laws, companies believe that it is done more rigorously in their country than in other Member States. This is especially the case for a vast majority of companies in Finland.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 70 This survey has also allowed us to analyze the experience of companies with regard to the protection of personal data. We can observe that the usage of privacy enhancing technologies is not at all widespread among the Member States of the EU. Only one third of respondents admitted using such technologies. Results also show that a vast majority of companies does not transfer personal data to other countries. Among companies that do transfer personal data abroad, the majority of data transferred concerns client’s or consumer’s data for commercial purposes. As for the types of information made available to data subjects, here again we can note the differences in the implementation of the European Directive on data protection and the compliance of the data protection law, since response rates vary significantly between Member States. Furthermore, the reasons given for a lack of compliance by data controllers of the Data protection law vary among Member States. Although a majority of respondents in the EU countries indicate the lack of knowledge of the legislation as the main reason for the non-compliance by data controllers of the data protection law (namely Sweden, Ireland, the United Kingdom Finland, Spain, Denmark, and the Netherlands), certain respondents in other Member States explain it with the fact that there is a too limited control by the national data protection authorities, and that the risk of being caught is very low. This is namely the case for respondents in Greece, Portugal and Austria. Finally, an important proportion of respondents in Luxembourg, Italy and France also bring forth the fact that the adaptation of the company to new requirements of the data protection law is time consuming, and for this reason, the legislation is not fully respected by data controllers. Finally, the perception of most respondents is that it is because they receive few complaints that companies do not regard full compliance with the law as a priority. This is especially the case for a vast majority of respondents in Finland and Spain. Concerning actions that should be taken in the future in order to improve and simplify the implementation of the legal framework on data protection throughout the Member States, respondents seem divided by the different actions that should be taken. However, the need for further clarification on the practical application of some of the key definitions and concepts of the European Directive and national laws seems to be the most favoured action to improve and simplify the implementation of the legal framework on data protection Finally, a vast majority of respondents would accept intrusion in personal databases in order to help the fight against terrorism. However, a large proportion of respondents would tolerate such intrusions as long as they take place with the supervision of a judge or similar guarantees in the Member States. Results by company size have shown us that perceptions and applications of the data protection law are different among large and small companies. The biggest companies, with over 250 employees, seem more exposed to the issues of data protection than medium or small sized companies. This is most probably due to their wider exposure to international business, and therefore the awareness of the Data protection legislation and the necessity of a harmonized implementation of the Data protection Directive on an EU-wide basis.

EOS Gallup Europe - FLASH EB N°147 «Data protection in the European Union » - Report p. 71 Although the Directive has achieved its goal of ensuring the free movement of personal data throughout the European Union, while guaranteeing the protection of citizens’ privacy, the main difficulty that remains is the general perception among data controllers that important divergences remain between the Member States’ laws and the ways that they are applied in practice. This is likely to have an impact on the smooth functioning of the Internal Market and should therefore be carefully assess.

ANNEXES

BASE Elevé / High Moyen / Medium Faible / Low [NSP&SR] / [DK&NA]

UE 15 3013 27% 54% 10% 8%

BELGIQUE 200 19% 56% 10% 16%DANMARK 200 33% 51% 4% 13%DEUTSCHLAND 300 29% 53% 11% 8%ELLAS 100 27% 62% 10% 0%ESPANA 300 23% 53% 13% 10%FRANCE 300 22% 62% 7% 9%IRELAND 100 28% 42% 11% 18%ITALIA 300 27% 61% 12% 0%LUXEMBOURG 100 45% 40% 4% 11%NEDERLAND 210 38% 48% 7% 7%OSTERREICH 200 22% 55% 14% 8%PORTUGAL 100 8% 59% 20% 14%FINLAND 102 50% 42% 0% 8%SWEDEN 200 20% 63% 4% 14%UNITED KINGDOM 300 33% 47% 7% 13%

Secteur / SectorConstruction 375 15% 64% 13% 8%industrie / Industry 892 27% 56% 10% 8%Commerce / Trade 701 29% 49% 10% 11%Services 1045 31% 53% 9% 7%Taille / Size250 + 156 46% 45% 6% 4%SME Total 2857 26% 55% 10% 9%SME 20-49 2180 24% 56% 11% 9%SME 50-249 677 35% 51% 7% 7%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 28% 53% 10% 9%

Resp. IT / IT manager 684 28% 55% 9% 9%Dir. RH / HR manager 413 24% 59% 8% 9%Dir. Marketing / Marketing manager 178 23% 57% 16% 5%

Q1. Diriez-vous que le niveau de protection offert par la Loi (NATIONALITE) de Protection des Données est…?

Q1. Would you say that the level of protection offered by the (NATIONALITY) Data Protection Law is…?

BASEPlutôt d’accord /

Rather agreePlutôt pas d’accord

/ Rather disagree[NSP&SR] /

[DK&NA]

UE 15 3013 91% 8% 1%

BELGIQUE 200 95% 4% 1%DANMARK 200 84% 3% 13%DEUTSCHLAND 300 88% 12% 0%ELLAS 100 94% 6% 0%ESPANA 300 97% 3% 1%FRANCE 300 96% 2% 1%IRELAND 100 97% 1% 1%ITALIA 300 86% 14% 0%LUXEMBOURG 100 94% 6% 0%NEDERLAND 210 96% 3% 1%OSTERREICH 200 95% 3% 2%PORTUGAL 100 95% 2% 4%FINLAND 102 91% 7% 2%SWEDEN 200 90% 7% 4%UNITED KINGDOM 300 94% 6% 1%SECTEUR -SECTOR constr 375 91% 9% 0%industrie 892 90% 9% 1%trade 701 90% 9% 1%services 1045 94% 5% 1%TAILLE - SIZE250 et + 156 93% 7% 0%SME Tot 2857 92% 8% 1%20 à 49 2180 91% 8% 1%50 à 249 677 94% 6% 1% STATUT - FONCTION Resp, de la pr 1737 92% 8% 1%Responsable in 684 95% 4% 1%Directeur d 413 88% 11% 1%Directeur d 178 85% 11% 4%

Q2. From your business perspective and in general terms, would you rather agree or rather disagree with each of the following requirements of the data protection law?

a) The requirements of the data protection law are necessary in order to respect a high level of protection for consumers and the fundamental rights of citizens

Q2. D'après votre expérience commerciale et de façon générale, seriez-vous plutôt d'accord ou plutôt pas d'accord avec chacune des propositions suivantes ?

a) Les exigences de la Loi de Protection des Données sont nécessaires afin de respecter un niveau élevé de protection des consommateurs ainsi que les droits fondamentaux des citoyens




[DK&NA]

UE 15 3013 37% 58% 5%

BELGIQUE 200 31% 62% 7%DANMARK 200 20% 61% 19%DEUTSCHLAND 300 32% 65% 4%ELLAS 100 38% 60% 2%ESPANA 300 36% 56% 9%FRANCE 300 38% 58% 4%IRELAND 100 21% 65% 14%ITALIA 300 66% 34% 0%LUXEMBOURG 100 32% 61% 7%NEDERLAND 210 42% 51% 8%OSTERREICH 200 18% 74% 8%PORTUGAL 100 42% 39% 18%FINLAND 102 34% 59% 7%SWEDEN 200 31% 55% 15%UNITED KINGDOM 300 30% 65% 5%

Secteur / SectorConstruction 375 35% 61% 4%industrie / Industry 892 43% 53% 4%Commerce / Trade 701 35% 58% 7%Services 1045 35% 60% 6%Taille / Size250 + 156 47% 49% 4%SME Total 2857 37% 58% 5%SME 20-49 2180 36% 58% 6%SME 50-249 677 39% 57% 4%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 38% 56% 6%

Resp. IT / IT manager 684 37% 59% 4%Dir. RH / HR manager 413 39% 57% 4%Dir. Marketing / Marketing manager 178 29% 64% 7%

b) Les exigences de la Loi de Protection des Données sont trop strictes à certains égards

b) The requirements of the data protection law are too strict in certain respects






[DK&NA]

UE 15 3013 34% 64% 2%




c) The requirements of the data protection law are not necessary except for certain sectors of activity


c) Les exigences de la Loi de Protection des Données ne sont pas nécessaires sauf pour certains secteurs d'activités


BASETout à fait d’accord

/ Totally agreePlutôt d’accord /


/ Rather disagree

Pas du tout d’accord / Totally

disagree[NSP&SR] /

[DK&NA]d'accord /

agreepas d'accord /

disagree

UE 15 3013 6% 32% 32% 12% 19% 38% 44%

BELGIQUE 200 2% 36% 28% 15% 19% 39% 43%DANMARK 200 2% 12% 19% 15% 52% 14% 33%DEUTSCHLAND 300 4% 24% 46% 11% 15% 28% 57%ELLAS 100 6% 35% 28% 12% 19% 41% 40%ESPANA 300 3% 27% 28% 13% 30% 30% 40%FRANCE 300 6% 42% 25% 17% 10% 48% 42%IRELAND 100 5% 42% 25% 7% 21% 47% 32%ITALIA 300 9% 52% 27% 4% 8% 61% 31%LUXEMBOURG 100 8% 26% 40% 16% 9% 34% 57%NEDERLAND 210 9% 40% 24% 9% 18% 49% 33%OSTERREICH 200 10% 20% 20% 15% 34% 30% 36%PORTUGAL 100 10% 27% 25% 17% 21% 37% 43%FINLAND 102 11% 43% 22% 15% 9% 54% 38%SWEDEN 200 10% 20% 4% 12% 55% 29% 16%UNITED KINGDOM 300 8% 25% 25% 17% 25% 33% 42%

Secteur / SectorConstruction 375 5% 31% 37% 11% 17% 36% 47%industrie / Industry 892 6% 32% 32% 13% 17% 38% 45%Commerce / Trade 701 5% 32% 29% 12% 22% 37% 41%Services 1045 7% 31% 31% 13% 19% 38% 43%Taille / Size250 + 156 7% 33% 32% 12% 16% 40% 44%SME Total 2857 6% 32% 31% 12% 19% 38% 44%SME 20-49 2180 5% 32% 31% 13% 19% 37% 44%SME 50-249 677 8% 32% 32% 11% 18% 40% 43%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 5% 32% 30% 14%

20% 37% 44%Resp. IT / IT manager 684 6% 30% 36% 11% 18% 35% 47%Dir. RH / HR manager 413 10% 32% 32% 8% 18% 41% 40%Dir. Marketing / Marketing manager 178 8% 39% 30% 9%

14% 47% 39%

a) Il y a une harmonisation suffisante de la Loi de Protection des Données des Etats Membres pour considérer que les données personnelles peuvent circuler librement au sein de l'UE

a) There is sufficient harmonisation of Member States' data protection laws to consider that personal data can be moved freely within the European Union

Q3. Pour chacune des propositions suivantes, dites-moi si vous êtes tout à fait d'accord, plutôt d'accord, plutôt pas d'accord ou pas du tout d'accord avec elles ?

Q3. For each of the following propositions, please tell me if you totally agree, rather agree, rather disagree or totally disagree with it?

BASETout à fait d’accord

/ Totally agreePlutôt d’accord /


/ Rather disagree

Pas du tout d’accord / Totally

disagree[NSP&SR] /

[DK&NA]d'accord /

agreepas d'accord /

disagree

UE 15 3013 14% 28% 20% 5% 33% 42% 26%




16% 39% 44%

b) The data protection law in [OUR COUNTRY] is interpreted and applied more rigorously than in other Member States

Q3. For each of the following propositions, please tell me if you totally agree, rather agree, rather disagree or totally disagree with it?

b) La Loi de Protection des Données en [NOTRE PAYS] est interprétée et appliquée de façon plus rigoureuse que dans les autres Etats Membres

Q3. Pour chacune des propositions suivantes, dites-moi si vous êtes tout à fait d'accord, plutôt d'accord, plutôt pas d'accord ou pas du tout d'accord avec elles ?

BASE Tout à fait adaptée / Very well suited

Plutôt bien adaptée / Rather well suited

Plutôt mal adaptée / Rather unsuited

Pas du tout adaptée / Not suited at all

[NSP&SR] / [DK&NA]

UE 15 3013 2% 39% 40% 14% 6%

BELGIQUE 200 5% 46% 32% 8% 9%DANMARK 200 7% 34% 30% 9% 20%DEUTSCHLAND 300 1% 42% 45% 8% 5%ELLAS 100 1% 58% 24% 16% 1%ESPANA 300 2% 32% 35% 21% 10%FRANCE 300 3% 38% 44% 11% 3%IRELAND 100 5% 41% 30% 11% 12%ITALIA 300 1% 30% 42% 27% 1%LUXEMBOURG 100 4% 42% 33% 13% 7%NEDERLAND 210 4% 59% 29% 5% 3%OSTERREICH 200 9% 27% 33% 19% 13%PORTUGAL 100 2% 26% 43% 21% 10%FINLAND 102 1% 68% 23% 5% 3%SWEDEN 200 7% 27% 29% 15% 22%UNITED KINGDOM 300 3% 39% 36% 15% 7%

Secteur / SectorConstruction 375 2% 34% 45% 15% 5%industrie / Industry 892 2% 36% 42% 16% 5%Commerce / Trade 701 3% 38% 37% 13% 9%Services 1045 2% 42% 38% 13% 5%Taille / Size250 + 156 4% 45% 40% 7% 3%SME Total 2857 2% 38% 40% 14% 6%SME 20-49 2180 2% 37% 39% 15% 7%SME 50-249 677 2% 41% 40% 13% 4%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 2% 38% 39% 14%

6%Resp. IT / IT manager 684 2% 39% 41% 12% 5%Dir. RH / HR manager 413 2% 38% 40% 12% 8%Dir. Marketing / Marketing manager 178 1% 38% 37% 19%

5%

Q4. Selon vous, pensez-vous que la législation existante sur la protection des données est adaptée ou non à faire face à la quantité grandissante d'échanges d'informations personnelles, par exemple transférées via Internet?

Q4. In your opinion, do you think that the existing legislation on data protection is suited or not to cope with the increasing amount of personal information being exchanged, for example transferred over the Internet?

BASE Oui / Yes

Non, mais j’en ai entendu parler / No, but I have heard of

them

Non et je n’en ai jamais entendu parler / No and I

have never heard of them

[NSP&SR] / [DK&NA]

UE 15 3013 32% 38% 28% 2%




Q5. Do you use any technology or software products that enhance privacy protection of databases in your company (for example, cookie killers or anonymisation software), also called 'Privacy Enhancing Technologies'?

Q5. Utilisez-vous des technologies ou des logiciels, aussi appelés 'technologies de renforcement de la protection de la vie privée', assurant la protection des bases de données de votre entreprise lorsqu'elles contiennent des informations sur la vie

privée (par exemple, les tueurs de cookies ou les logiciels assurant l'anonymat)?

BASE Oui / Yes Non / No[NSP&SR] /

[DK&NA]

UE 15 3013 10% 90% 0%




Q6. Votre entreprise transfère-t-elle des données personnelles vers des pays hors Union européenne/Espace Economique européen?


BASE

Données sur le personnel pour les besoins de gestion

des ressources

humaines / Human resources data for Human resources

purposes

Données sur les clients ou les

consommateurs pour

un usage commercial / Clients’ or

consumers’ data for commercial purposes

Données recueillies au sein de l’Union européenne pourêtre vendues ou

louées à des contrôleurs de données dans d’autres pays

/ Data collected in the European Union that is meant to be

sold or licensed to data

controllers in other countries

[Autre: spécifiez] / [Other specify]

[L’entreprise ne transfère pas de données

personnelles vers

d’autre pays] / - [The company

does not transfer

personal data to other

countries][NSP&SR] /

[DK&NA]

UE 15 3013 5% 12% 2% 2% 77% 2%

BELGIQUE 200 3% 9% 0% 6% 82% 0%DANMARK 200 11% 9% 0% 1% 79% 0%DEUTSCHLAND 300 6% 16% 3% 3% 69% 3%ELLAS 100 5% 7% 3% 1% 84% 0%ESPANA 300 2% 4% 0% 1% 92% 1%FRANCE 300 7% 12% 1% 2% 76% 1%IRELAND 100 5% 28% 3% 0% 63% 0%ITALIA 300 3% 18% 7% 3% 70% 0%LUXEMBOURG 100 14% 14% 0% 0% 71% 1%NEDERLAND 210 9% 9% 0% 1% 80% 2%OSTERREICH 200 3% 13% 1% 0% 68% 16%PORTUGAL 100 5% 9% 3% 0% 83% 1%FINLAND 102 3% 7% 1% 1% 88% 0%SWEDEN 200 6% 5% 0% 1% 82% 7%UNITED KINGDOM 300 3% 8% 2% 1% 85% 1%

Secteur / SectorConstruction 375 2% 8% 0% 1% 87% 2%industrie / Industry 892 6% 18% 3% 2% 70% 1%Commerce / Trade 701 4% 11% 1% 2% 80% 2%Services 1045 6% 9% 3% 2% 76% 3%Taille / Size250 + 156 14% 21% 1% 1% 60% 3%SME Total 2857 5% 12% 2% 2% 77% 2%SME 20-49 2180 4% 11% 3% 2% 78% 2%SME 50-249 677 5% 13% 2% 3% 75% 2%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 4% 12% 2% 1%

79% 2%Resp. IT / IT manager 684 5% 13% 2% 3% 75% 3%Dir. RH / HR manager 413 7% 11% 3% 4% 75% 1%Dir. Marketing / Marketing manager 178 6% 16% 11% 3%

65% 0%

Q7. What type of personal data does your company transfer to other countries, mostly?

Q7. Quel type de données personnelles votre entreprise transfère-t-elle principalement à d'autres pays ?

BASE

Un manque de connaissance de la législation / Lack of knowledge of the

legislation

L’adaptation de l’entreprise aux

nouvelles exigences de la Loi de Protection des Données demande beaucoup de temps / - Adaptation of the company to the new requirements of the

data protection law is time consuming

Un contrôle trop limité par l’autorité

publique [NATIONALITE]

responsable de la protection des

données, le risque d’être pris en

défaut est faible / Too limited control

by the [NATIONALITY] data protection authority, risk of being caught

is very low

Un manque de flexibilité de la loi

/ Lack of flexibility of the

law

[Autre: spécifiez] /

[Other: specify][NSP&SR] /

[DK&NA]

UE 15 3013 39% 17% 28% 9% 2% 5%

BELGIQUE 200 38% 17% 26% 12% 1% 7%DANMARK 200 46% 9% 21% 6% 3% 15%DEUTSCHLAND 300 37% 15% 33% 6% 2% 8%ELLAS 100 34% 6% 50% 11% 0% 0%ESPANA 300 46% 19% 18% 9% 3% 6%FRANCE 300 33% 24% 28% 9% 1% 5%IRELAND 100 56% 19% 13% 5% 2% 5%ITALIA 300 31% 25% 32% 12% 1% 0%LUXEMBOURG 100 34% 25% 28% 8% 1% 5%NEDERLAND 210 46% 10% 29% 7% 4% 4%OSTERREICH 200 29% 10% 42% 7% 2% 10%PORTUGAL 100 22% 10% 43% 20% 1% 4%FINLAND 102 47% 16% 26% 8% 1% 2%SWEDEN 200 62% 13% 11% 4% 3% 7%UNITED KINGDOM 300 52% 14% 16% 12% 2% 3%

Secteur / SectorConstruction 375 35% 17% 30% 9% 2% 8%industrie / Industry 892 36% 18% 31% 9% 2% 4%Commerce / Trade 701 41% 17% 25% 11% 1% 5%Services 1045 42% 17% 26% 8% 2% 5%Taille / Size250 + 156 38% 22% 26% 7% 2% 4%SME Total 2857 39% 17% 28% 9% 2% 5%SME 20-49 2180 40% 16% 28% 9% 2% 5%SME 50-249 677 37% 19% 27% 11% 2% 4%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 39% 16% 27% 10%

2% 5%Resp. IT / IT manager 684 41% 17% 28% 7% 1% 6%Dir. RH / HR manager 413 39% 19% 28% 9% 0% 5%Dir. Marketing / Marketing manager 178 31% 17% 33% 12%

2% 6%

Q8. Selon vous, quelle est la meilleure explication du fait que certains contrôleurs de données ne respectent pas entièrement les clauses et les exigences de la Loi de Protection des Données [NATIONALITE] concernant les transferts de données ?

Q8. In your opinion what could explain the best the fact that some data controllers do not fully respect the provisions and requirements of the [NATIONALITY] data protection law as regards data transfers?

BASE Oui / Yes Non / NoCa dépend / It

depends[NSP&SR] /

[DK&NA]

UE 15 3013 37% 37% 21% 6%




a) L'identité du contrôleur de données ou de son représentant

a) The identity of the data controller or its representative


Q9. Pour chaque recueil de données personnelles, pourriez-vous indiquer si oui ou non, vous rendez disponibles les informations suivantes à la personne concernée ?


depends[NSP&SR] /

[DK&NA]

UE 15 3013 37% 40% 19% 4%




b) L'adresse physique ou électronique d'une personne au sein de l'organisation directement responsable des questions liées à la protection des données

b) The physical or electronic address of a person within the organisation directly responsible for data protection matters




depends[NSP&SR] /

[DK&NA]

UE 15 3013 46% 27% 23% 4%




c) L'objectif du traitement des données personnelles recueillies

c) The purpose of the processing for which the data are intended




depends[NSP&SR] /

[DK&NA]

UE 15 3013 38% 33% 24% 5%




d) Les destinataires ou les catégories de destinataires des données

d) The recipients or categories of recipients of the data




depends[NSP&SR] /

[DK&NA]

UE 15 3013 31% 32% 28% 10%




e) L'obligation ou la non-obligation de répondre et les conséquences possibles de non-réponse



e) The obligation or non-obligation of replying and the possible consequences of failure to reply


depends[NSP&SR] /

[DK&NA]

UE 15 3013 48% 28% 20% 4%





f) L'existence du droit d'accéder et du droit de rectifier les données relatives aux personnes concernées

f) The existence of the right to access and the right to rectify the data concerning the data subjects



depends[NSP&SR] /

[DK&NA]

UE 15 3013 10% 66% 11% 13%




g) Le transfert éventuel des données à des pays hors de l'Union européenne


g) The possible transfer of the data to non-EU countries



depends[NSP&SR] /

[DK&NA]

UE 15 3013 15% 57% 13% 15%




h) Une information indiquant si le pays destinataire fournit (ou non) un niveau adéquat de protection des données

h) The indication whether the recipient country provides (or not) an adequate level of data protection




depends[NSP&SR] /

[DK&NA]

UE 15 3013 36% 38% 22% 4%




a) Les entreprises informent les personnes concernées des objectifs du traitement des données personnelles avant leur collecte

a) Companies inform data subjects of the purposes of the processing before collecting their personal data

Q10. Pour chacune des propositions suivantes, dites-moi si vous pensez oui ou non qu'elles correspondent à la situation de la plupart des entreprises de votre pays...

Q10. For each of the following propositions, please tell me whether or not you think they correspond to the situation in most of the companies in your country...


depends[NSP&SR] /

[DK&NA]

UE 15 3013 34% 44% 18% 4%




b) Quand les données ne sont plus utiles à l'objectif de la collecte, elles sont effacées

b) When data no longer serves the purpose of the collection, data is deleted




depends[NSP&SR] /

[DK&NA]

UE 15 3013 67% 16% 12% 5%


SECTEUR -SECTOR constr 375 72% 12% 13% 4%industrie 892 67% 17% 11% 5%trade 701 69% 13% 11% 7%services 1045 65% 17% 14% 5%TAILLE - SIZE250 et + 156 65% 17% 15% 3%SME Tot 2857 68% 15% 12% 5%20 à 49 2180 68% 15% 12% 5%50 à 249 677 66% 17% 13% 5% STATUT - FONCTION Resp, de la pr 1737 67% 16% 11% 6%Responsable in 684 72% 13% 12% 4%Directeur d 413 62% 17% 15% 6%Directeur d 178 66% 16% 14% 4%

c) Les entreprises reçoivent peu de plaintes et ne considèrent pas dès lors la conformité totale à la loi comme une priorité

c) Companies receive few complaints so they do not regard full compliance with the law as a priority




depends[NSP&SR] /

[DK&NA]

UE 15 3013 51% 30% 17% 3%




d) Responding to requests from individuals wanting to access their data involves an important effort for companies


d) Répondre à des demandes d'individus souhaitant accéder à leurs données implique un effort important pour les entreprises


BASEMoins de 10 / Less

than 10Entre 10 et 50 /

Between 10 and 50Entre 51 et 100 /

Between 51 and 100

Entre 101 et 500 / Between 101 and

500Plus de 500 /

More than 500

[Jamais reçu de demande]

/ [Never received any

request][NSP&SR] /

[DK&NA]

UE 15 3013 49% 14% 5% 2% 1% 23% 6%




2% 21% 5%

Q11. Pourriez-vous indiquer le nombre approximatif de demandes d'accès reçues par votre entreprise en 2002?

Q11. Could you indicate the approximate number of access requests received by your company during the year 2002?

BASE Oui / Yes Non / No[NSP&SR] /

[DK&NA]

UE 15 3013 4% 96% 1%





Q12. Votre entreprise a-t-elle reçu des plaintes de personnes dont les données sont actuellement traitées ?

BASE

Explication supplémentaire sur

l’application pratique de certains

concepts et définitions clés de

la Directive européenne et des lois nationales / -

Further clarification on the practical

application of some of

the key definitions and concepts of the European Directive

and national laws

Viser un meilleur équilibre entre le

droit à la protection des données

et la liberté d’expression et

d’information / - Aim at a better balance

between the right to data protection and

the freedom of expression and

information

Plus d’uniformité entre les lois

nationales concernant

l’information à fournir aux personnes

concernées / More uniformity between the national laws as

regards the information

to be provided to data subjects

Plus d’harmonisation des règles sur les mesures de sécurité / More

harmonised rules on security measures

Une législation de protection des données spécifique à

chaque secteur

d’activité / Data protection legislation

specific to each sector of activity


[Other specify]

[NSP&SR] / [DK&NA]

UE 15 3013 27% 20% 16% 15% 19% 1% 3%




15% 0% 0%

Q13. Parmi les actions suivantes, pourriez-vous indiquer laquelle vous préféreriez le plus pour améliorer et simplifier la mise en place du cadre légal sur la protection des données? Premièrement ?

Q13. Please indicate which of the following actions you would most favour to improve and simplify the implementation of the legal framework on data protection? Firstly?

BASE








and national laws







information










chaque secteur




[Other specify]

[NSP&SR] / [DK&NA]

UE 15 3013 19% 18% 20% 19% 17% 1% 7%




19% 0% 3%

Q13. Parmi les actions suivantes. pourriez-vous indiquer laquelle vous préféreriez le plus pour améliorer et simplifier la mise en place du cadre légal sur la protection des données? Deuxièmement?

Q13. Please indicate which of the following actions you would most favour to improve and simplify the implementation of the legal framework on data protection? Secondly?

BASE








and national laws







information










chaque secteur




[Other specify]

[NSP&SR] / [DK&NA]

UE 15 3013 45% 37% 35% 33% 35% 1% 3%




34% 0% 0%

Q13. Parmi les actions suivantes, pourriez-vous indiquer laquelle vous préféreriez le plus pour améliorer et simplifier la mise en place du cadre légal sur la protection des données? Premièrement ? Deuxièmement?

Q13. Please indicate which of the following actions you would most favour to improve and simplify the implementation of the legal framework on data protection? Firstly? Secondly?

BASE

Oui, dans tous les cas / Yes, in all

cases

Oui, mais seulement d’une manière

proportionnée et nécessaire

afin de traquer uniquement ceux

clairement suspectés d’activités

terroristes / - Yes, but only in a

proportionate and necessary manner

in order to track only those

clearly suspected of terrorist activities

Oui, mais seulement si l’intrusion se fait sous la supervision

d’un jugeou de garanties

similaires dans les Etats membres / - Yes, but only if the

intrusion takes place with the

supervision of a judge or a similar guarantees in the

Member States

Non, les libertés et droits

fondamentaux des individus

devraient empêcher

l’intrusion dans ces bases de

données / - No, fundamental

rights and freedoms of individuals

should prevent these databases

from being intruded

[NSP&SR] / [DK&NA]

UE 15 3013 10% 27% 43% 18% 2%

BELGIQUE 200 2% 20% 47% 31% 1%DANMARK 200 15% 32% 37% 16% 1%DEUTSCHLAND 300 9% 27% 49% 14% 2%ELLAS 100 3% 16% 24% 57% 0%ESPANA 300 7% 23% 46% 21% 3%FRANCE 300 4% 20% 52% 25% 0%IRELAND 100 14% 31% 32% 20% 3%ITALIA 300 17% 29% 36% 18% 0%LUXEMBOURG 100 5% 29% 50% 15% 2%NEDERLAND 210 9% 45% 31% 13% 2%OSTERREICH 200 7% 14% 47% 31% 2%PORTUGAL 100 5% 24% 43% 28% 1%FINLAND 102 17% 33% 28% 21% 1%SWEDEN 200 22% 25% 18% 29% 5%UNITED KINGDOM 300 18% 33% 37% 12% 1%

Secteur / SectorConstruction 375 10% 33% 41% 14% 1%industrie / Industry 892 11% 26% 42% 21% 1%Commerce / Trade 701 12% 26% 41% 21% 2%Services 1045 10% 26% 46% 16% 2%Taille / Size250 + 156 5% 29% 48% 18% 1%SME Total 2857 11% 27% 43% 18% 2%SME 20-49 2180 12% 27% 43% 18% 1%SME 50-249 677 8% 27% 43% 20% 3%Statut / StatusResp. de la prot.des don / Resp. for data prot. iss. 1737 12% 27% 42% 17%

2%Resp. IT / IT manager 684 6% 21% 47% 24% 1%Dir. RH / HR manager 413 11% 35% 40% 14% 1%Dir. Marketing / Marketing manager 178 13% 24% 44% 18%

0%

Q14. Certains considèrent que la lutte contre le terrorisme inter., rend nécessaire la tolérance des intrusions par des autorités nationales ou internationales dans les bases de données personnelles. Vous-même, accepteriez-vous dans ce cas l'intrusion dans des bases de données personnelles ?

Q14. Some consider that the fight against international terrorism makes it necessary to tolerate intrusions by national or international authorities in personal databases. Yourself, would you accept the intrusion in personal databases in that case?

TECHNICAL NOTE

Détails du sondage Survey details Ce sondage téléphonique FLASH EUROBAROMETRE 147: PROTECTION DES DONNEES a été réalisé pour la Direction Générale MARCHE INTERIEUR de la Commission Européenne.

This telephone Survey FLASH EUROBAROMETER 147: DATA PROTECTION has been conducted on behalf of the DG MARKT of the European Commission.

Il s'agit d'un FLASH EUROBAROMETRE CIBLES SPECIFIQUES « ENTERPRISE », géré et organisé par la Direction Générale PRESS, Unité B/1.

It is a SPECIFIC TARGETS “BUSINESSES” FLASH EUROBAROMETER SURVEY, organized and managed by the Directorate General PRESS, Unit B/1.

Les interviews ont été réalisées entre le 15 septembre et le 03 octobre 2003 par les Instituts EOS GALLUP EUROPE dont la liste suit :

The interviews were conducted between the 15th of September and the 3rd of October 2003 by these EOS GALLUP EUROPE Institutes:

Belgique B TNS DIMARSO - BRUXELLES (Interviews : 16/09/2003 – 26/09/2003) Belgium Danemark DK TNS GALLUP - KOBENHAVN (Interviews : 16/09/2003 – 26/09/2003) Denmark Allemagne D TNS EMNID - BIELEFELD (Interviews : 15/09/2003 – 01/10/2003) Germany Grèce EL TNS ICAP - ATHENS (Interviews : 15/09/2003 – 26/09/2003) Greece Espagne E TNS DEMOSCOPIA - MADRID (Interviews : 16/09/2003 – 24/09/2003) Spain France F TNS SOFRES - MONTROUGE (Interviews : 15/09/2003 – 26/09/2003) France Irlande IRL IRISH MKTG SURVEYS - DUBLIN (Interviews : 15/09/2003 – 03/10/2003) Ireland Italie I DOXA - MILANO (Interviews : 15/09/2003 – 22/09/2003) Italy Luxembourg L TNS ILReS - LUXEMBOURG (Interviews : 15/09/2003 – 02/10/2003) Luxemburg Pays-Bas NL TNS NIPO - AMSTERDAM (Interviews : 16/09/2003 – 01/10/2003) Netherlands Autriche A ÖSTERREICHISCHES

GALLUP-VIENNA (Interviews : 18/09/2003 – 25/09/2003) Austria

Portugal P TNS EUROTESTE - LISBOA (Interviews : 15/09/2003 – 26/09/2003) Portugal Finlande FIN TNS SUOMEN GALLUP - ESPOO (Interviews : 16/09/2003 – 18/09/2003) Finland Suède S TNS SVENSKA GALLUP -

STOCKHOLM (Interviews : 15/09/2003 – 29/09/2003) Sweden

Royaume Uni UK ICM - LONDON (Interviews : 15/09/2003 – 30/09/2003) United Kingdom

Représentativité des résultats Representativeness of the results Les cibles de ce Flash ont été définies par la Commission Européenne comme : toutes les entreprises - agriculture exceptée - qui emploient au moins 20 personnes et sont installées dans l'Union Européenne.

The targets for this Flash have been defined by the European Commission as : all companies – agriculture excluded - employing 20 persons or more, installed in the European Union.

Dun & Bradstreet a préparé les listes des entreprises qualifiées pour répondre en tirant un échantillon de leurs bases de données européennes. Ce tirage a été réalisé selon trois critères : le pays (15 niveaux), la taille des entreprises (3 niveaux : 20-49, 50-249 et 250 emplois et plus), et le secteur d'activités (4 niveaux : Construction, Industries, Services et Commerce/Distribution).

Dun & Bradstreet prepared the lists of companies which were qualified to be interviewed, by drawing a sample from their European data-bases. This sampling has been made according to three criteria : the country (15 levels), the size of the company (3 levels : 20-49, 50-249 and 250 employees or more), and the activity sector (4 levels : Construction, Industry, Services and Trade).

Dans chacune des 180 cellules définies par ces critères, le tirage a été réalisé au hasard.

Within each of the 180 cells defined by these criteria, the sampling has been made at random.

La répartition de l'échantillon total entre les cellules de la grille d'échantillonnage s'est faite d'une manière non proportionnelle à la distribution des entreprises du Marché Intérieur Européen : les petits pays ainsi que les grandes entreprises ont été « sur-échantillonnées » de manière à obtenir une base statistique suffisante pour chaque niveau d'analyse, à savoir :

The total sample has been distributed between these sampling "cells" in a way which does not follow the actual distribution of businesses within the European Internal Market : the small countries as well as the larger businesses have been intentionally « over-sampled » in order to get significant results for each level of analysis, i.e. :

- les 15 pays membres - the 15 Member States - les trois catégories de tailles d'entreprises - the 3 sizes of business categories - les quatre secteurs d'activités. - the 4 activity sectors. Bien sûr au moment du traitement des données chaque cellule de la grille d'échantillonnage a été repondérée de manière à reprendre son poids exact dans l'ensemble du Marché Intérieur Européen. De cette manière les résultats « totaux » ne sont pas biaisés par une éventuelle sur- ou sous-représentation des composantes de l'univers analysé.

Of course, during the data processing, each cell in the cross distribution of the sample has been re-weighted down or up to its real weight within the European Internal Market. Thus, the total results presented are not affected by over- and under-samplings, and they are representative of the total universe examined.

Dans chaque entreprise la personne interrogée est responsable de la protection des données, (responsable de la protection des données, responsable informatique, directeur des ressources humaines, directeur du marketing. C'est l'interviewer qui s'assure de l'identité de ce dirigeant, en même temps qu'il contrôle l'exactitude des caractéristiques renseignées par Dun & Bradstreet, à savoir : le nombre de personnes employées et le secteur d'activités.

The person interviewed in each company is responsible for data protection issues (data protection officer, IT manager, Human Resources manager, Marketing Manager). The interviewer checks the identity of this person, at the same time that he/she controls the accuracy of the enterprises characteristics, as delivered by Dun & Bradstreet, namely : the number of employed persons and the activity sector.

TNS Sofres SA – Coordination EOS Gallup Europe FLASH EB 147 (09/2003)

Tailles des échantillons Sizes of the samples Les tailles d'échantillon vont de 100 à 300 entreprises selon les pays.

The sample sizes range from 100 up to 300 businesses, depending on the countries.

Ci-dessous nous présentons le nombre exact d'interviews réalisées dans chaque pays, et les conséquences de leur re- pondération lors du traitement des données de manière à obtenir des résultats représentatifs à chaque niveau de l'analyse.

Hereafter are presented the exact number of interviews conducted in each country, and the consequences of re-weighting this sample during the data-processing, in order to get representative results at each level of analysis.

Chaque tableau descriptif se lit de la manière suivante :

Each of these sample description tables gives : 1. Dans la première colonne sont renseignées les fréquences absolues et relatives des interviews effectivement réalisées.

1. In the first column one gets the absolute and relative frequencies of the interviews as they have been conducted.

2. Dans la deuxième colonne sont renseignées les fréquences après redressement, selon les tailles d'entreprises et les secteurs d'activité. Ceci est fait au sein de chaque pays individuel, et la structure entre pays ne change pas du tout. C'est ce redressement qui est utilisé pour présenter tous les résultats pays par pays, par exemple dans les "Volumes A" (voir ci-dessous).

2. In the second column one gets the weighted sample, according to size and sector of activity. This is done for each country and the interview frequencies remains unchanged. This "redressed" sample is used to present all results at the national level (i.e.: the country breakdown presented in the "Volumes A", as described later).

3. Dans la troisième colonne sont renseignées les fréquences après la pondération faite pour corriger la sur- représentation accordée aux petits pays. On peut constater les changements de structure considérables intervenus sur le critère "pays". La structure selon les tailles d'entreprises et les secteurs d'activités ne restent pas inchangés (dans la mesure où les profils de tailles et de secteurs ne sont pas strictement identiques dans tous les pays), mais les changements sont marginaux. C'est cette pondération qui est utilisée pour présenter les résultats du total du Marché Intérieur Européen (Colonne Total des "Volumes A", et l'ensemble des "Volumes B").

3. In the third column one gets the structure of the sample when the over-sampling of the small countries has been removed. Now one will notice that the interviews frequencies in each country changed considerably, but that the "Sizes" as well as the "Sectors" structures are only marginally affected (because the sizes and sectors of the businesses are not identically distributed in each country). This "weighted" sample is used to present all the results at the European Union level (i.e.: the Total column of the "Volumes A", and all the results presented in the "Volumes B".).

Interviews Sample Sample CONDUCTED REDRESSED WEIGHTED EU15 TOTAL EU 15 3013 100% 3013 100% 3013 100% BELGIQUE 200 6,6% 200 6,6% 63 2,1% DANMARK 200 6,7% 200 6,7% 40 1,3% DEUTSCHLAND 300 10,0% 300 10,0% 952 31,6% ELLAS 100 3,3% 100 3,3% 41 1,4% ESPANA 300 10,0% 300 10,0% 285 9,4% FINLAND 102 3,3% 102 3,3% 31 1,0% FRANCE 300 10,0% 300 10,0% 380 12,6% IRELAND 100 3,3% 100 3,3% 23 0,8% ITALIA 300 10,0% 300 10,0% 378 12,5% LUXEMBOURG 100 3,3% 100 3,3% 6 0,2% NEDERLAND 210 6,9% 210 6,9% 136 4,5% ÖSTERREICH 200 6,6% 200 6,6% 73 2,4% PORTUGAL 100 3,3% 100 3,3% 95 3,2% SWEDEN 200 6,6% 200 6,6% 59 2,0% UNITED KINGDOM 300 10,0% 300 10,0% 452 15,0%

SECTEUR D’ACTIVITE - ACTIVITY SECTOR Industries - Industry 956 31,7% 907 30,1% 892 29,6% Construction 387 12,8% 377 12,5% 375 12,4% Commerce - Trade 775 25,7% 777 25,8% 701 23,3% Services 895 29,7% 952 31,6% 1045 34,7%

Taille (Emploi) – Size (employment) PME de 20-49 emplois / SME with 20-49 employees 1912 63,5% 2145 71,2% 2180 72,4% PME de 50-249 emplois / SME with 50-249 employees 666 22,1% 711 23,6% 677 22,5% 250 emplois et plus / 250 employees and more 435 14,4% 157 5,2% 156 5,1%


Tableaux de résultats Tables of results * VOLUME A : PAYS PAR PAYS * VOLUME A : COUNTRY BY COUNTRY Le VOLUME A présente les résultats de l'Union Européenne analysés Pays par Pays. Chaque tableau est complété du TOTAL MARGINAL PONDERE, comme expliqué ci-dessus.

The VOLUME A presents the results analysed Country by Country. Each table is completed by the MARGINAL WEIGHTED TOTAL (as explained above).

* VOLUME B : DESCRIPTIFS DES ENTREPRISES * VOLUME B : CHARACTERISTICS OF THE ENTERPRISES

Le VOLUME B présente les résultats de l'Union Européenne (15 Etats Membres), analysés pour quelques caractéristiques essentielles des entreprises considérées :

The VOLUME B presents the results for the European Union (15 Member States) analyzed for some important characteristics of the selected enterprises :

- Catégories de Taille et de Secteur d'activité - Size & Sectors categories * VOLUME C : DESCRIPTIFS DES ENTREPRISES * VOLUME C : CHARACTERISTICS OF THE

ENTERPRISES Idem Volume B, mais pays par pays Same as Volume B, but country by country

Valeur statistique des résultats Statistical significance of the results Les résultats d'un sondage ne sont jamais valables que dans les limites d'une marge statistique d'échantillonnage. Cette marge est plus ou moins grande, et dépend de trois choses :

The results in a survey are valid only between the limits of a statistical margin caused by the sampling process. This margin varies with three factors:

1. La taille de l'échantillon (ou de la partie d'échantillon que l'on analyse) : plus le nombre de répondants est grand, plus la marge statistique est petite ;

1. The sample size (or the size of the analyzed part in the sample) : the greater the number of respondents, the smaller the statistical margin ;

2. Le résultat lui-même : plus le résultat est proche de 50%, plus la marge statistique est grande ;

2. The result in itself: the more the result approaches 50%, the wider the statistical margin will be ;

3. Le degré de certitude que l'on exige : plus on est sévère, plus la marge statistique est grande.

3. The desired degree of confidence: the more "strict" we are, the wider the statistical margin will be.

A titre d'exemple, prenons un cas imaginaire : As an example, examine this illustrative case: 1. 500 personnes ont répondu à une question ; 1. One question has been answered by 500 people; 2. Le résultat analysé est de 50 % environ ; 2. The analyzed result is around 50% ; 3. On choisit un degré de certitude de 95 % (c'est le niveau le plus utilisé par les statisticiens, et c'est celui adopté pour la table ci-dessus) ;

3. We choose a significance level of 95 % (it is the level most often used by the statisticians, and it is the one chosen for the table here above) ;

Dans ce cas illustratif la marge statistique est de : (+/- 4.4%) autour des 50% observés. Et en conclusion : le résultat pour la population totale se situe entre 45.6% et 54.4%.

In this illustrative case the statistical margin is : (+/- 4.4%) around the observed 50%. And as a conclusion: the result for the whole population lies between 45.6% 54.4 %.

Nous reproduisons ci-dessous les marges statistiques calculées pour différents échantillons et différents résultats observés, au degré de certitude de 95%.

Below we reproduce the statistical margins computed for various observed results, on various sample sizes, at the 95% significance level.

MARGES STATISTIQUES D'ECHANTILLONAGE STATISTICAL MARGINS DUE TO THE SAMPLING PROCESS (AU NIVEAU DE CONFIANCE DE 95 %) (AT THE 95 % LEVEL OF CONFIDENCE) Différentes tailles d'échantillon sont en lignes ; Various sample sizes are in rows; Différents résultats observés sont en colonnes : Various observed results are in columns:

5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 55% 60% 65% 70% 75% 80% 85% 90% 95% n=50 6.0 8.3 9.9 11.1 12.0 12.7 13.2 13.6 13.8 13.9 13.8 13.6 13.2 12.7 12.0 11.1 9.9 8.3 6.0 n=50 n=75 4.9 6.8 8.1 9.1 9.8 10.4 10.8 11.1 11.3 11.3 11.3 11.1 10.8 10.4 9.8 9.1 8.1 6.8 4.9 n=75 n=100 4.3 5.9 7.0 7.8 8.5 8.9 9.3 9.6 9.8 9.8 9.8 9.6 9.3 8.9 8.5 7.8 7.0 5.9 4.3 n=100 n=150 3.5 4.8 5.7 6.4 6.9 7.3 7.6 7.8 8.0 8.0 8.0 7.8 7.6 7.3 6.9 6.4 5.7 4.8 3.5 n=150 n=200 3.0 4.2 4.9 5.5 6.0 6.4 6.6 6.8 6.9 6.9 6.9 6.8 6.6 6.4 6.0 5.5 4.9 4.2 3.0 n=200 n=250 2.7 3.7 4.4 5.0 5.4 5.7 5.9 6.1 6.2 6.2 6.2 6.1 5.9 5.7 5.4 5.0 4.4 3.7 2.7 n=250 n=300 2.5 3.4 4.0 4.5 4.9 5.2 5.4 5.5 5.6 5.7 5.6 5.5 5.4 5.2 4.9 4.5 4.0 3.4 2.5 n=300 n=400 2.1 2.9 3.5 3.9 4.2 4.5 4.7 4.8 4.9 4.9 4.9 4.8 4.7 4.5 4.2 3.9 3.5 2.9 2.1 n=400 n=500 1.9 2.6 3.1 3.5 3.8 4.0 4.2 4.3 4.4 4.4 4.4 4.3 4.2 4.0 3.8 3.5 3.1 2.6 1.9 n=500 n=600 1.7 2.4 2.9 3.2 3.5 3.7 3.8 3.9 4.0 4.0 4.0 3.9 3.8 3.7 3.5 3.2 2.9 2.4 1.7 n=600 n=700 1.6 2.2 2.7 3.0 3.2 3.4 3.5 3.6 3.7 3.7 3.7 3.6 3.5 3.4 3.2 3.0 2.7 2.2 1.6 n=700 n=800 1.5 2.1 2.5 2.8 3.0 3.2 3.3 3.4 3.5 3.5 3.5 3.4 3.3 3.2 3.0 2.8 2.5 2.1 1.5 n=800 n=900 1.4 2.0 2.3 2.6 2.8 3.0 3.1 3.2 3.3 3.3 3.3 3.2 3.1 3.0 2.8 2.6 2.3 2.0 1.4 n=900 n=1000 1.4 1.9 2.2 2.5 2.7 2.8 3.0 3.0 3.1 3.1 3.1 3.0 3.0 2.8 2.7 2.5 2.2 1.9 1.4 n=1000 n=1500 1.1 1.5 1.8 2.0 2.2 2.3 2.4 2.5 2.5 2.5 2.5 2.5 2.4 2.3 2.2 2.0 1.8 1.5 1.1 n=1500 n=2000 1.0 1.3 1.6 1.8 1.9 2.1 2.1 2.2 2.2 2.2 2.2 2.2 2.1 2.1 1.9 1.8 1.6 1.3 1.0 n=2000 n=2500 0.9 1.2 1.4 1.6 1.7 1.8 1.9 2.0 2.0 2.0 2.0 2.0 1.9 1.8 1.7 1.6 1.4 1.2 0.9 n=2500 n=3000 0.8 1.1 1.3 1.4 1.5 1.6 1.7 1.8 1.8 1.8 1.8 1.8 1.7 1.6 1.5 1.4 1.3 1.1 0.8 n=3000 n=5000 0.6 0.8 1.0 1.1 1.2 1.3 1.4 1.4 1.4 1.4 1.4 1.4 1.4 1.3 1.2 1.1 1.0 0.8 0.6 n=5000 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 55% 60% 65% 70% 75% 80% 85% 90% 95%


QUESTIONNAIRES

C O N F I D E N T I E L

Ref: 5013LVTL00 C O N F I D E N T I A L

Ref: 5013LVTL00

FLASH EUROBAROMETRE No. 147 « Protection des Données » - septembre 2003 Version française 19.08.2003

FLASH EUROBAROMETER No. 147 « Data Protection » - September 2003 English version 19.08.2003 page 1/11

INFORMATIONS A PREPARER AVANT L’INTERVIEW (a) REGION NUTS : ........................................................... (CODER SELON LOCALITE D&B) (b) CODE SIC ou NACE : ................................................... (SELON D&B) (c) NOMBRE DE TRAVAILLEURS :.................................. (SELON D&B) Bonjour, je m’appelle [nom de l’enquêteur] et je désirerais parler à la personne responsable de la protection des données au sein de votre entreprise, c’est-à-dire la personne responsable de la gestion de toute base de données contenant des informations personnelles sur les clients, les fournisseurs ou les employés. [CIBLES ACCEPTABLES: Responsable de la protection des données ou responsable des questions liées à la protection des données, Responsable informatique, Directeur des ressources humaines, Directeur du marketing] Tout d’abord, j’ai besoin de quelques informations concernant votre entreprise. D1. Quel est votre titre et quelles sont vos responsabilités dans l’entreprise ?

[PRECISEZ]…

[ENSUITE COCHEZ SEULEMENT UNE DES RESPONSABILITES PRINCIPALES REPRISES CI-DESSOUS – UN SEUL CHOIX POSSIBLE]

- Responsable de la protection des données ou responsable

des questions liées à la protection des données........................ 1 - Responsable informatique........................................................... 2 - Directeur des ressources humaines ............................................ 3 - Directeur du marketing ................................................................ 4 [Autre]....................................................................................5

[Autre] = [STOP INTERVIEW – L’INTERVIEW N’EST PAS VALABLE SI LA PERSONNE CONTACTEE NE SE CONSIDERE PAS RESPONSABLE DES QUESTIONS LIEES A LA PROTECTION DES DONNEES AU SEIN DE L’ENTREPRISE]

INFORMATION TO BE PREPARED BEFORE INTERVIEW (a) NUTS REGION: .......................................... (CODE ACCORDING TO D&B LOCALITY) (b) SIC or NACE CODE:................................... (ACCORDING TO D&B) (c) COMPANY SIZE : ........................................ (ACCORDING D&B)

Good morning, my name is [name of interviewer] and I would like to speak to the person in charge of data protection issues within your company. By this I mean the person in charge of the handling of any databases containing personal information on customers, suppliers or employees. [TARGET ACCEPTED: Data protection officer or responsible for data protection issues, IT manager, Human Resources Manager, Marketing Manager]

First of all I need some information on your company. D1. What exactly is your title and your responsibility in the company? [SPECIFY]… [THEN CODE THE MAIN RESPONSABILITIES BELOW – ONE CODE ONLY] - Data protection officer or responsible for data protection issues .1 - IT manager ...................................................................................2 - Human Resources Manager ........................................................3 - Marketing Manager ......................................................................4

- [Other]................................................................................... 5 [Other] = [STOP INTERVIEW – INTERVIEW NOT VALID IF THE PERSON IN CHARGE DOES NOT CONSIDER HIMSELF AS RESPONSIBLE FOR DATA PROTECTION ISSUES WITHIN THE COMPANY]



Ref: 5013LVTL00



D2. Combien de personnes sont employées au sein de votre entreprise en

[NOTRE PAYS]? N= [ ] [ ] [ ] [ ] [ ] personnes employées

[SI MOINS DE 20 PERSONNES EMPLOYEES STOP INTERVIEW – L’INTERVIEW N’EST PAS VALABLE]

[SI NSP/SR STOP INTERVIEW- L’INTERVIEW N’EST PAS VALABLE]

D3. Votre entreprise est-elle principalement une entreprise :… ?

[LIRE- UNE SEULE REPONSE POSSIBLE]

- de construction ou de travaux publics ......................................... 1 - d’exploitation minière, d’extraction .............................................. 2 - de production et de fabrication de biens...................................... 3 - de commerce et de distribution (en gros ou en détail) ................ 4 - de transports (de biens ou personnes) ....................................... 5 - de services financiers (banques, assurance, courtage) .............. 6 - de services commerciaux ............................................................ 7 - de services aux consommateurs ................................................. 8 - d’autres services.......................................................................... 9 - administration .............................................................................10 - (aucun de ces cas) [PRECISEZ… VERIFIEZ LES

EXCLUSIONS!!]………………………………………………….…..11 [-Agriculture STOP INTERVIEW- L’INTERVIEW N’EST PAS VALABLE] [- NSP/SR STOP INTERVIEW - L’INTERVIEW N’EST PAS VALABLE]

D2. How many people are in regular employment within your company in

[OUR COUNTRY] ? N= [ ] [ ] [ ] [ ] [ ] people employed

[IF LESS THAN 20 PEOPLE EMPLOYED STOP INTERVIEW –INTERVIEW NOT VALID/]

[IF DK/NA STOP INTERVIEW- INTERVIEW NOT VALID] D3. Is your company mainly involved in…

[READ OUT – ONLY ONE ANSWER] - construction or civil engineering.................................................. 1 - mining, extractive industry........................................................... 2 - production and manufacturing of goods...................................... 3 - trade and distribution (wholesale or retail) .................................. 4 - transport (of goods or people) .................................................... 5 - financial services (banking, insurance, brokerage) ..................... 6 - business services ........................................................................ 7 - personal services ........................................................................ 8 - other services .............................................................................. 9 - administration............................................................................ 10 - (none of those cases) [SPECIFY… CHECK EXCLUSIONS!!] ... 11 [-Agriculture STOP INTERVIEW - INTERVIEW NOT VALID] [- DK/NA STOP INTERVIEW - INTERVIEW NOT VALID]



Ref: 5013LVTL00



D4. Votre entreprise est: ... - une entreprise indépendante.................................................................... 1 - la société-mère d’un groupe multinational................................................ 2 - une filiale d’un groupe multinational dont le siège principal est située

au sein de l’Union européenne ................................................................ 3 - une filiale d’un groupe multinational dont le siège principal est située

hors de l’Union européenne .................................................................... 4 - [NSP/SR] [STOP INTERVIEW – L’INTERVIEW N’EST PAS VALABLE]5

D4. Your company is:…

- an independent company ............................................................ 1 - the mother company of a multinational group ............................. 2 - a subsidiary of a multinational group with headquarters

in the EU ..................................................................................... 3 - a subsidiary of a multinational group with headquarters

outside of the EU ........................................................................ 4 - [DK/NA] [STOP INTERVIEW – INTERVIEW NOT VALID]......... 5



Ref: 5013LVTL00



Q1. Diriez-vous que le niveau de protection offert par la Loi

(NATIONALITE) de Protection des Données est…?

[LIRE – UNE SEULE REPONSE]

- Elevé............................................................................................ 1 - Moyen ......................................................................................... 2 - Faible ........................................................................................... 3 - [NSP/SR] ..................................................................................... 4

Q2. D’après votre expérience commerciale et de façon générale, seriez-

vous plutôt d’accord ou plutôt pas d’accord avec chacune des propositions suivantes ?

- Plutôt d’accord............................................................................. 1 - Plutôt pas d’accord ...................................................................... 2 - [NSP/SR] ..................................................................................... 3

[LIRE – UNE REPONSE PAR ITEM]

Les exigences de la Loi de Protection des Données…

a) Sont nécessaires afin de respecter un niveau élevé de protection des consommateurs ainsi que les droits fondamentaux des citoyens

b) Sont trop strictes à certains égards c) Ne sont pas nécessaires sauf pour certains secteurs d’activités

Q1. Would you say that the level of protection offered by the

(NATIONALITY) Data Protection Law is…?

[READ OUT – ONE ANSWER ONLY]

- High ............................................................................................ 1 - Medium ....................................................................................... 2 - Low ............................................................................................. 3 - [DK/NA] ....................................................................................... 4

Q2. From your business perspective and in general terms, would you

rather agree or rather disagree with each of the following requirements of the data protection law?

- Rather agree ............................................................................... 1 - Rather disagree........................................................................... 2 - [DK/NA] ....................................................................................... 3

[READ OUT – ONE ANSWER PER ITEM]

The requirements of the data protection law…

a) Are necessary in order to respect a high level of protection for

consumers and the fundamental rights of citizens b) Are too strict in certain respects c) Are not necessary except for certain sectors of activity



Ref: 5013LVTL00



Q3. Pour chacune des propositions suivantes, dites-moi si vous êtes tout à fait d’accord, plutôt d’accord, plutôt pas d’accord ou pas du tout d’accord avec elles ?

- Tout à fait d’accord ...................................................................... 1 - Plutôt d’accord............................................................................. 2 - Plutôt pas d’accord ...................................................................... 3 - Pas du tout d’accord.................................................................... 4 - [NSP/SR] ..................................................................................... 5


a) Il y a une harmonisation suffisante de la Loi de Protection des Données

des Etats Membres pour considérer que les données personnelles peuvent circuler librement au sein de l’Union Européenne

b) La Loi de Protection des Données en [NOTRE PAYS] est interprétée et

appliquée de façon plus rigoureuse que dans les autres Etats Membres

Q4. Selon vous, pensez-vous que la législation existante sur la protection

des données est adaptée ou non à faire face à la quantité grandissante d’échanges d’informations personnelles, par exemple transférées via Internet?


- Tout à fait adaptée....................................................................... 1 - Plutôt bien adaptée...................................................................... 2 - Plutôt mal adaptée....................................................................... 3 - Pas du tout adaptée .................................................................... 4 - [NSP/SR] ..................................................................................... 5

Q3. For each of the following propositions, please tell me if you totally

agree, rather agree, rather disagree or totally disagree with it?

- Totally agree................................................................................ 1 - Rather agree ............................................................................... 2 - Rather disagree........................................................................... 3 - Totally disagree........................................................................... 4 - [DK/NA] ....................................................................................... 5

[READ OUT – ONE ANSWER PER ITEM] a) There is sufficient harmonisation of Member States’ data

protection laws to consider that personal data can be moved freely within the European Union

b) The data protection law in [OUR COUNTRY] is interpreted and

applied more rigorously than in other Member States

Q4. In your opinion, do you think that the existing legislation on data

protection is suited or not to cope with the increasing amount of personal information being exchanged, for example transferred over the Internet?


- Very well suited ........................................................................... 1 - Rather well suited........................................................................ 2 - Rather unsuited........................................................................... 3 - Not suited at all ........................................................................... 4 - [DK/NA] ....................................................................................... 5



Ref: 5013LVTL00



Q5. Utilisez-vous des technologies ou des logiciels, aussi appelés

‘technologies de renforcement de la protection de la vie privée’, assurant la protection des bases de données de votre entreprise lorsqu’elles contiennent des informations sur la vie privée (par exemple, les tueurs de cookies ou les logiciels assurant l’anonymat)?


- Oui .................................................................................................. 1 - Non, mais j’en ai entendu parler ..................................................... 2 - Non et je n’en ai jamais entendu parler .......................................... 3 - [NSP/SR]......................................................................................... 4

Q6. Votre entreprise transfère-t-elle des données personnelles vers des pays

hors Union européenne/Espace Economique européen?

[LIRE – UNE SEULE REPONSE] - Oui .................................................................................................. 1 - Non ................................................................................................. 2 - [NSP/SR]......................................................................................... 3

Q5. Do you use any technology or software products that enhance privacy

protection of databases in your company (for example, cookie killers or anonymisation software), also called ‘Privacy Enhancing Technologies’?


- Yes ................................................................................................. 1 - No, but I have heard of them.......................................................... 2 - No and I have never heard of them................................................ 3 - [DK/NA]........................................................................................... 4



- Yes ................................................................................................. 1 - No ................................................................................................... 2 - [DK/NA]........................................................................................... 3



Ref: 5013LVTL00



Q7. Quel type de données personnelles votre entreprise transfère-t-elle

principalement à d’autres pays ?


- Données sur le personnel pour les besoins de gestion des ressources humaines .............................................................. 1

- Données sur les clients ou les consommateurs pour un usage commercial ..................................................................... 2

- Données recueillies au sein de l’Union européenne pour être vendues ou louées à des contrôleurs de données dans d’autres pays ................................................................................. 3

- [Autre: spécifiez] ............................................................................. 4 - [L’entreprise ne transfère pas de données personnelles vers

d’autre pays] ................................................................................... 5 - [NSP/SR]......................................................................................... 6

Q8. Selon vous, quelle est la meilleure explication du fait que certains

contrôleurs de données ne respectent pas entièrement les clauses et les exigences de la Loi de Protection des Données [NATIONALITE] concernant les transferts de données ?

[LIRE – UNE SEULE REPONSE] - Un manque de connaissance de la législation ......................................... 1 - L’adaptation de l’entreprise aux nouvelles exigences de la Loi

de Protection des Données demande beaucoup de temps.................... 2 - Un contrôle trop limité par l’autorité publique [NATIONALITE]

responsable de la protection des données, le risque d’être pris en défaut est faible ....................................................................................... 3

- Un manque de flexibilité de la loi ............................................................. 4 - [Autre: spécifiez]..................................................................................... 5 - [NSP/SR] .................................................................................................. 6

Q7. What type of personal data does your company transfer to other

countries, mostly?


- Human resources data for human resources purposes................. 1 - Clients’ or consumers’ data for commercial purposes ................... 2 - Data collected in the European Union that is meant to be sold or

licensed to data controllers in other countries ............................... 3 - [Other specify] ................................................................................ 4 - [The company does not transfer personal data to other countries]5 - [DK/NA]........................................................................................... 6

Q8. In your opinion, what could explain the best the fact that some data

controllers do not fully respect the provisions and requirements of the [NATIONALITY] data protection law as regards data transfers?

[READ OUT – ONE ANSWER ONLY] - Lack of knowledge of the legislation ........................................................ 1 - Adaptation of the company to the new requirements of the data

protection law is time consuming............................................................. 2 - Too limited control by the [NATIONALITY] data protection authority,

risk of being caught is very low................................................................ 3 - Lack of flexibility of the law ...................................................................... 4 - [Other: specify]....................................................................................... 5 - [DK/NA] .................................................................................................... 6



Ref: 5013LVTL00



Q9. Pour chaque recueil de données personnelles, pourriez-vous indiquer si

oui ou non, vous rendez disponibles les informations suivantes à la personne concernée ?

- Oui .................................................................................................. 1 - Non ................................................................................................. 2 - Ca dépend ...................................................................................... 3 - [NSP/SR]......................................................................................... 4


a) L’identité du contrôleur de données ou de son représentant b) L’adresse physique ou électronique d’une personne au sein de

l’organisation directement responsable des questions liées à la protection des données

c) L’objectif du traitement des données personnelles recueillies d) Les destinataires ou les catégories de destinataires des données e) L’obligation ou la non-obligation de répondre et les conséquences

possibles de non-réponse f) L’existence du droit d’accéder et du droit de rectifier les données

relatives aux personnes concernées g) Le transfert éventuel des données à des pays hors de l’Union

européenne h) Une information indiquant si le pays destinataire fournit (ou non) un

niveau adéquat de protection des données

Q9. Could you please indicate whether or not you make each of the following

information available to the data subject for each collection of personal data?

- Yes ................................................................................................. 1 - No ................................................................................................... 2 - It depends....................................................................................... 3 - [DK/NA]........................................................................................... 4


a) The identity of the data controller or its representative b) The physical or electronic address of a person within the organisation

directly responsible for data protection matters c) The purpose of the processing for which the data are intended d) The recipients or categories of recipients of the data e) The obligation or non-obligation of replying and the possible

consequences of failure to reply f) The existence of the right to access and the right to rectify the data

concerning the data subjects g) The possible transfer of the data to non-EU countries h) The indication whether the recipient country provides (or not) an

adequate level of data protection



Ref: 5013LVTL00



Q10. Pour chacune des propositions suivantes, dites-moi si vous pensez oui ou non qu’elles correspondent à la situation de la plupart des entreprises de votre pays…

- Oui .................................................................................................. 1 - Non ................................................................................................. 2 - Ca dépend ...................................................................................... 3 - [NSP/SR]......................................................................................... 4


a) Les entreprises informent les personnes concernées des objectifs du traitement des données personnelles avant leur collecte

b) Quand les données ne sont plus utiles à l’objectif de la collecte, elles sont effacées

c) Les entreprises reçoivent peu de plaintes et ne considèrent pas dès lors la conformité totale à la loi comme une priorité

d) Répondre à des demandes d’individus souhaitant accéder à leurs données implique un effort important pour les entreprises

Q11. Pourriez-vous indiquer le nombre approximatif de demandes d’accès

reçues par votre entreprise en 2002?

[LIRE – UNE SEULE REPONSE] - Moins de 10 .................................................................................... 1 - Entre 10 et 50 ................................................................................. 2 - Entre 51 et 100 ............................................................................... 3 - Entre 101 et 500 ............................................................................. 4 - Plus de 500 ..................................................................................... 5 - [Jamais reçu de demande] ............................................................. 6 - [NSP/SR]......................................................................................... 7

Q10. For each of the following propositions, please tell me whether or not you

think they correspond to the situation in most of the companies in your country…

- Yes ................................................................................................. 1 - No ................................................................................................... 2 - It depends....................................................................................... 3 - [DK/NA]........................................................................................... 4


a) Companies inform data subjects of the purposes of the processing before collecting their personal data

b) When data no longer serves the purpose of the collection, data is deleted

c) Companies receive few complaints so they do not regard full compliance with the law as a priority

d) Responding to requests from individuals wanting to access their data involves an important effort for companies

Q11. Could you indicate the approximate number of access requests received

by your company during the year 2002?


- Less than 10 ................................................................................... 1 - Between 10 and 50......................................................................... 2 - Between 51 and 100 ...................................................................... 3 - Between 101 and 500 .................................................................... 4 - More than 500 ................................................................................ 5 - [Never received any request] ......................................................... 6 - [DK/NA]........................................................................................... 7



Ref: 5013LVTL00



Q12. Votre entreprise a-t-elle reçu des plaintes de personnes dont les

données sont actuellement traitées ?

[LIRE – UNE SEULE REPONSE] - Oui .................................................................................................. 1 - Non ................................................................................................. 2 - [NSP/SR]......................................................................................... 3

Q13. Parmi les actions suivantes, pourriez-vous indiquer laquelle vous

préféreriez le plus pour améliorer et simplifier la mise en place du cadre légal sur la protection des données? Premièrement ? Deuxièmement?

a) Premièrement ..............................................................1 2 3 4 5 6 7 b) Deuxièmement.............................................................1 2 3 4 5 6 7

[LIRE – ROTATION – UNE REPONSE POUR « PREMIEREMENT » ET UNE

REPONSE POUR « DEUXIEMENT » ATTENDUES] - Explication supplémentaire sur l’application pratique de certains

concepts et définitions clés de la Directive européenne et des lois nationales. ............................................................................................... 1

- Viser un meilleur équilibre entre le droit à la protection des données et la liberté d’expression et d’information. ............................................... 2 - Plus d’uniformité entre les lois nationales concernant l’information à

fournir aux personnes concernées........................................................... 3 - Plus d’harmonisation des règles sur les mesures de sécurité ................. 4 - Une législation de protection des données spécifique à chaque

secteur d’activité ...................................................................................... 5 - [Autre: spécifiez] ....................................................................................... 6 - [NSP/SR] .................................................................................................. 7

Q12. Has your company received complaints from people whose data is being

currently processed?


- Yes ................................................................................................. 1 - No ................................................................................................... 2 - [DK/NA]........................................................................................... 3

Q13. Please indicate which of the following actions you would most favour to

improve and simplify the implementation of the legal framework on data protection? Firstly? Secondly?

a) Firstly ........................................................................... 1 2 3 4 5 6 7 b) Secondly...................................................................... 1 2 3 4 5 6 7

[READ OUT – ROTATE – ONE ANSWER FOR « FIRSTLY » AND

ONE ANSWER FOR « SECONDLY » EXPECTED]

- Further clarification on the practical application of some of the key definitions and concepts of the European Directive and national laws ............................................................................................ 1

- Aim at a better balance between the right to data protection and the freedom of expression and information ............................................ 2

- More uniformity between the national laws as regards the information to be provided to data subjects................................................................ 3

- More harmonised rules on security measures ........................................ 4 - Data protection legislation specific to each sector of activity................... 5 - [Other specify] .......................................................................................... 6 - [DK/NA] .................................................................................................... 7



Ref: 5013LVTL00



Q14. Certains considèrent que la lutte contre le terrorisme international, rend

nécessaire la tolérance des intrusions par des autorités nationales ou internationales dans les bases de données personnelles. Vous-même, accepteriez-vous dans ce cas l’intrusion dans des bases de données personnelles ?


- Oui, dans tous les cas .............................................................................. 1 - Oui, mais seulement d’une manière proportionnée et nécessaire

afin de traquer uniquement ceux clairement suspectés d’activités terroristes ................................................................................ 2

- Oui, mais seulement si l’intrusion se fait sous la supervision d’un juge ou de garanties similaires dans les Etats membres................................. 3

- Non, les libertés et droits fondamentaux des individus devraient empêcher l’intrusion dans ces bases de données ................................................... 4

- [NSP/SR] .................................................................................................. 5

[FIN DE L’INTERVIEW – REMERCIER LE REPONDANT]

Q14. Some consider that the fight against international terrorism makes it

necessary to tolerate intrusions by national or international authorities in personal databases. Yourself, would you accept the intrusion in personal databases in that case?

[READ OUT – ONE ANSWER ONLY] - Yes, in all cases ....................................................................................... 1 - Yes, but only in a proportionate and necessary manner in order to

track only those clearly suspected of terrorist activities .......................... 2 - Yes, but only if the intrusion takes place with the supervision of a

judge or a similar guarantees in the Member States ............................... 3 - No, fundamental rights and freedoms of individuals should prevent

these databases from being intruded ...................................................... 4 - [DK/NA] .................................................................................................... 5

[END OF INTERVIEW – THANK INTERVIEWEE]

data protection in the european...

Documents