Who we are
Suggested text: Our website address is: https://cheapaudioplugins.com.
Comments
Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Cookies
What Are Cookies?
Cookies are small data files, typically stored as text files, that websites place on visitors’ computers to store various types of information specific to that visitor—or more accurately, the device they are using, such as a browser or mobile phone.
These files were developed to address a limitation in web technology: web pages are “stateless,” meaning they lack memory and struggle to share information with one another. Cookies serve as a form of memory for web pages.
They enable functionalities such as logging in on one page and remaining logged in while navigating through other pages. Cookies also allow users to set preferences for how a page is displayed, ensuring those settings are remembered during subsequent visits.
Additionally, cookies can track the pages you visit across different sites, which enables advertisers to create a profile of your interests. This information allows them to tailor ads to you when you visit sites that display their advertisements, a practice known as “behavioral advertising.”
Nearly all websites utilize cookies in some capacity, and each page you visit writes cookies to your computer while also receiving them back.
While cookies are highly beneficial—enabling modern websites to function with increasing levels of personalization and interactive features—they can also manipulate your web experience in unexpected ways. This manipulation may benefit you or serve the interests of others, including businesses or organizations you may have never interacted with or even heard of.
Determining whether specific cookies are advantageous for you or another party is not possible just by inspecting them; you must rely on the website to disclose how it uses cookies.
To learn more about the different types of cookies and other tracking technologies, continue exploring.
Types of Cookies
Cookies come in various types and serve different purposes, but they can generally be categorized in several ways.
First Party Cookies
One of the key characteristics of a cookie is its ‘Host’—the domain name of the site that sets the cookie. Only the host domain can access and read the cookie once it has been established.
If the host name matches the domain displayed in the browser’s address bar at the time the cookie is set or retrieved, it is classified as a First Party Cookie.
These cookies are created and accessed solely by the website you are visiting, which means they typically cannot be used to track activity or share data across different sites. However, the website owner can still collect data through these cookies and use it to modify the website’s appearance or content for the user. Additionally, they may use this data outside of their website or even sell it to other organizations, but such practices must be disclosed in the site’s privacy policy.
Most desktop browsers allow users to view a list of cookies that have been set, usually organized by the host domain.
Third Party Cookies
If the host domain of a cookie differs from the one shown in the browser address bar when it is downloaded, it is considered a Third Party Cookie.
These cookies are typically added to a website through scripts or tags integrated into the web page. Sometimes, these scripts provide additional functionalities, such as enabling content sharing on social networks.
For instance, if you visit a site that includes a YouTube video, the website owner has embedded code from YouTube. Consequently, YouTube can set cookies via this code, enabling it to know if you have watched the video or merely visited the page hosting it.
The most common use of Third Party Cookies is in online advertising. By placing their tags on a webpage, advertisers can track a user’s activity across multiple websites, allowing them to build a “behavioral profile.” This profile is then used to target users with ads based on their inferred interests, a practice often viewed as intrusive and a violation of privacy rights. Such concerns have driven the development of new privacy laws, including the EU Cookie Law.
Session Cookies
Session Cookies are temporarily stored in the browser’s memory and are deleted when the browser is closed, although they may persist while navigating away from the originating website.
For example, if you find yourself needing to log in each time you open your browser and revisit a site, that site is likely using a session cookie to store your login information.
Many websites rely on session cookies for essential functions and to ensure pages load quickly and efficiently.
Persistent Cookies
As the name suggests, Persistent Cookies remain on your computer even after you close the browser, allowing them to be accessed upon your next visit.
These cookies are created with an expiry date. Once this date is reached, the cookie is deleted. If no expiry date is set, the cookie defaults to a session cookie.
Typically, the expiry date is calculated from the time the cookie is created, plus a designated duration specified by the developer. There is no strict limit on how far into the future this expiry date can be set; it could potentially be decades away. Furthermore, if you revisit a website that has issued a persistent cookie, it may update the cookie with a new expiry date.
If you log into a website, shut down your computer, and return to find you’re still logged in, it indicates the use of a persistent cookie to remember your session.
Persistent cookies are also utilized to track user behavior as they navigate a site, gathering data to help improve user experience—a practice known as Web Analytics. Since Google provides analytics technology free to website owners, nearly all sites utilize some form of it, although there are also paid alternatives available.
Analytics cookies represent one of the most common types of persistent cookies in use today. Interestingly, persistent cookies can sometimes have a shorter lifespan than session cookies, as they can be programmed to expire shortly after being set, while session cookies remain active until the browser is closed.
Secure Cookies
Secure Cookies are transmitted only via HTTPS, commonly found on the checkout pages of online shopping sites.
This encryption ensures that any data contained within the cookie is protected as it travels between the website and the browser. Cookies used by e-commerce sites to store credit card information or facilitate transactions are typically secure, but other types of cookies can also be designated as secure.
HTTP Only Cookies
When a cookie is marked with the HTTP Only attribute, the browser restricts access to its contents from client-side scripts (like JavaScript).
This feature helps protect the cookie from cross-site scripting (XSS) attacks, where a malicious script attempts to exfiltrate the cookie data to a third-party website.
Online Tracking Technologies
While cookies are the most recognized and prevalent form of web tracking technology, many websites, advertisers, and analytics tools employ various other methods to track users and monitor website performance. Here are some examples of alternative tracking technologies.
Web Beacons and Pixels
Web beacons, also known as pixel tags, are tiny, transparent images (usually 1 pixel by 1 pixel) embedded in websites or emails to track user behavior. They are often used alongside cookies.
These beacons function by sending information back to the web server when the image is requested. For instance, when a browser connects to a site containing a web beacon, it requests the server to download the image. This request can include details such as the user’s IP address, browser type, access time, and any previously set cookies.
Web beacons help websites analyze user navigation and improve content personalization and browsing efficiency. If cookies are disabled, web beacons can still account for anonymous visits but won’t track specific user behavior.
Fingerprinting
Fingerprinting is a tracking method often used in conjunction with web beacons. This technique identifies users based on specific information about their devices, browsers, languages, plugins, and other settings, even when cookies are disabled. The unique combination of these attributes can effectively identify individual users.
Local Storage Objects
Local Storage Objects (LSOs) function similarly to cookies, as they are stored in the user’s browser and can hold information. They can store much of the same data as cookies but differ in several key ways: LSOs do not have expiration dates, store information as key-value pairs, and can accommodate larger data volumes compared to cookies.
Super Cookies
The term “Super Cookie” (or Supercookie) refers to tracking technologies that are not standard HTTP cookies and are stored differently on a user’s device. These cookies are more challenging to detect and remove because they cannot be eliminated through standard privacy settings in most browsers.
Adobe Flash applications, for instance, often utilize local file storage for performance optimization, and these files, known as Local Storage Objects, can also serve tracking purposes, leading to their classification as “supercookies.”
Zombie Cookies
Zombie cookies are technologies designed to recreate regular HTTP cookies after users have deleted them. This practice aims to bypass users’ efforts to manage their privacy, making it widely criticized. In many cases, the use of zombie cookies could violate privacy laws and regulations, although their prevalence is relatively low.
Ultrasound Beacons
Ultrasound Beacons emit inaudible signals from devices such as TVs and smartphones to track users beyond the web. For example, a TV advertisement might send out a low-frequency signal that humans cannot hear, while a smartphone app can detect this signal to confirm that a user has viewed a specific commercial.
These beacons also bridge the physical and digital worlds. For instance, an ultrasonic beacon installed in a store can enable apps to identify if a user has visited the location, allowing for targeted advertising based on their proximity.
The Benefits of Cookies
Cookies serve various purposes that significantly enhance the web experience, primarily revolving around one key concept: personalization.
A prime example of this is the online retailer Amazon. As you browse and shop, Amazon gathers insights into your product preferences and purchasing habits. This information allows the site to suggest items you might like, streamlining your shopping experience in a vast marketplace.
When you log into your Amazon account and remain signed in, the site remembers you upon your return—often greeting you by name. It also retains any items you’ve added to your shopping cart but haven’t yet purchased, making it quicker and easier to check out.
While these features ultimately benefit Amazon by increasing sales, they also enhance the user experience.
In fact, online shopping would be cumbersome without cookies. Without them, logging into a website would require you to reintroduce yourself on every page, which would be incredibly tedious.
Cookies can also personalize websites in various other ways beyond shopping. For instance, they can remember user preferences, such as a larger font size for readability. A news site might recall your interests and promote relevant stories on the homepage, enhancing your engagement.
Additionally, cookies have more subtle yet valuable applications, particularly in the realm of analytics.
Analytics
Websites utilize cookies to gauge the popularity of their various pages and even specific sections within those pages. They track nearly every visitor, monitoring details such as entry points, referral sources, the sequence of pages viewed, links clicked, time spent on each page, and exit points.
Some services can even identify which parts of a page capture users’ attention without requiring clicks. They achieve this by tracking the mouse pointer’s location, as many users tend to hover their cursor near the content they are viewing.
The process of aggregating this data into actionable insights is referred to as “web analytics.” This analysis provides website owners with a clear understanding of user behavior, highlighting which pages are most and least popular and how these patterns evolve over time. Armed with this information, they can refine their sites to align more closely with visitor preferences, ultimately enhancing content and services to better meet user needs.
However, it’s important to note that cookies also raise several privacy concerns that users should be aware of.
Cookies and Online Privacy
While cookies play a vital role in the functioning of the modern internet, their introduction has sparked an ongoing debate regarding their impact on user privacy.
Cookies serve as a means for websites and their owners to store and retrieve information about users and their interactions with the site. This data can be used to customize what users see or to record their activities, such as the pages they visit and the time spent on the site.
Although cookies are integral to enhancing the web experience, their usage raises several privacy concerns.
Storing Personally Identifiable Information
Cookies can store personal data, ranging from names and email addresses to unique user identifiers, which may simply be random strings of letters and numbers. This information may be voluntarily provided by users during registration, login, or through order forms, or it may be uniquely assigned by the website. While this practice can be acceptable if the information is secured and stored temporarily, many times it is not, increasing the risk of interception by malicious software, especially on shared computers.
Tracking User Behavior
The most prevalent privacy concern surrounding cookies is their use for tracking users across different websites, particularly through third-party cookies primarily employed for advertising. This tracking often involves placing invisible tags on web pages that set cookies.
When users visit another site that contains the same tag, it notifies advertisers about the last site the user visited when the cookie was created. By aggregating this data across multiple sites, advertisers can build profiles based on users’ browsing histories, allowing them to serve targeted ads aligned with perceived interests.
In most cases, advertisers target browsers rather than individuals, as they typically do not know who the user is. However, since many people log into the same browser regularly, the results can be highly personalized. If someone else uses your computer without a separate profile, they may see ads intended for you, potentially revealing sensitive information about your browsing habits.
Free Content
Advertising revenue supports much of the free content available online, a fact many users understand and accept. However, there are others who feel this practice occurs without their consent.
Moreover, the companies collecting this data are often not the same ones whose websites users visit. These companies not only collect data but also sell it to other organizations, gathering and aggregating information without the awareness of most users—an aspect that many find objectionable.
The sophistication of tracking and profiling methods is also increasing, with some data linked to real-world identities, such as names and addresses. This escalation heightens privacy risks, particularly if such information is stolen or lost.
Privacy Regulation
In response to these concerns, lawmakers are beginning to implement regulations to control these practices. One notable example is the EU cookie directive, which mandates that websites disclose their cookie usage and obtain user consent.
Although the implementation of this directive is inconsistent, it has begun to raise consumer awareness, potentially creating market pressure for greater transparency and user choice.
The EU is also working towards a harmonized Data Protection Regulation, which may necessitate explicit user consent for the use of third-party cookies.
Do Not Track
A recent initiative is the establishment of a “Do Not Track” (DNT) standard for the internet. This would allow users to signal their browsers not to record their behavior, and websites would be required to honor this request.
However, there is still considerable debate over what DNT actually entails, with various lobby groups advocating for their respective positions.
Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 3- day.
About the EU Cookie Law
The EU Cookie Law, often referred to as the “Cookie Directive,” is governed by Directive 2009/136/EC of the European Parliament and Council. This directive outlines the requirements for obtaining user consent for cookies within the European Union.
Directive 2009/136/EC is an amendment to Directive 2002/58/EC, which addresses data protection and privacy in online and electronic communications. The updated directive became effective on May 25, 2011.
The directive is approximately 26 pages long, but the key section on cookies can be found on page 20:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
In simpler terms, this means that before any data can be stored on or retrieved from a device such as a computer, mobile phone, or tablet, users must provide informed consent. The goal is to enhance user privacy and prevent organizations from collecting data without the user’s knowledge.
The directive also references an earlier EU regulation on data protection, Directive 95/46/EC.
About EU Directives
EU directives, such as the Cookie Directive, are not laws themselves but require EU member states to implement local laws that fulfill the directive’s requirements. If member states fail to enact such laws, the EU has the authority to take legal action against them. For example, in 2012, five EU countries faced legal proceedings for not implementing local cookie laws.
For more details on local regulations, you can refer to resources about cookie laws in the UK and across Europe.
Cookie Laws Across Europe
Each European Union (EU) member state is required to adapt its national legislation to implement the EU Cookie Directive. While all countries are mandated to follow the same directive, they have done so at different times and in varied ways, leading to differences in the specific legal requirements from country to country. This overview highlights how the Cookie Directive has been implemented across Europe.
While we strive to provide up-to-date information, verifying developments in certain countries can be challenging. Contributions to help maintain the accuracy of this information are welcome.
Austria
Austria implemented the directive through its Telecommunications Act, which came into effect in November 2011. The law addressing cookies is detailed in Section 96.3, though there is currently no clear guidance on how to comply.
Belgium
Belgium passed a new law on electronic communications on June 28, 2012, implementing the directive. While the law encourages obtaining explicit consent before setting cookies, implied consent is considered valid. Browser controls are not recognized as a form of consent. The Belgian Data Protection Commission is pushing for clarification on:
- Which tracking technologies require consent
- The type of information that should be provided to users for consent to be valid
- How to manage third-party tracking.
Bulgaria
Bulgaria’s cookie law took effect on December 29, 2011, requiring websites to provide information about cookies and allow users the option to refuse them. The Consumer Protection Commission is responsible for enforcement.
Croatia
Although not yet an EU member at the time, Croatia adopted the EU directive in preparation for its membership. Croatian law requires explicit consent for cookies.
Czech Republic
The law is in effect, but there is currently no specific guidance for website owners on compliance.
Cyprus
No available information.
Denmark
The law came into force in December 2011. Denmark requires that detailed information be provided to site visitors about cookies, and browser-based consent is not valid. However, implied consent is acceptable. The Danish Business Authority is responsible for enforcement, and the Danish Media trade association is working on a self-regulation program for cookie usage.
Estonia
Estonia notified the EU that its Electronic Communications Act complies with the Privacy Directive, though the law itself has not been amended. The law includes a “right to refuse” approach, with the Ministry of Economics overseeing the legislation.
Finland
Finland has implemented the directive, and valid consent can be provided via browser settings.
France
French law, enforced by the French Data Protection Authority (CNIL), requires explicit consent for cookies. However, first-party analytics cookies are exempt from prior consent under certain conditions, such as clear notification to visitors and the provision of opt-out mechanisms. French law allows for potential criminal sanctions, including imprisonment, for cookie law violations, although such penalties are rarely applied.
Germany
Germany maintains that its existing laws were sufficient to comply with the directive, though draft legislation to further implement the directive was under consideration as of September 2012. Current rules require opt-in consent for cookies that collect personal information, but opt-out is sufficient for others. Germany’s federal system means that enforcement is carried out by data protection authorities in each state.
Greece
The law came into effect on April 10, 2012, transposing the directive into Greek Law 4070/2012. Browser settings are considered valid for consent, but the Greek Data Protection Authority has the power to define the consent process.
Hungary
A new law, effective from July 3, 2011, relaxed Hungary’s previous cookie requirements by removing the necessity for prior consent. The relevant changes are found in Section 155.4 of Act C of 2003 on Electronic Communications.
Ireland
The law is in effect, though there is no official guidance on how to comply.
Italy
Italy requires opt-in consent for cookies, as outlined by the Italian Data Protection Authority (Garante). Users must be informed about cookies in advance and give their consent before they are set. Industry consultations are ongoing to determine the best methods for informing consumers.
Latvia
Latvian law is in effect, but browser-based consent is not sufficient.
Lithuania
Lithuania’s cookie law is in force, requiring explicit consent beyond browser settings.
Luxembourg
Luxembourg has implemented the law, and browser-based consent is considered valid.
Malta
No available information.
The Netherlands
The Netherlands requires explicit consent for cookies, with additional provisions for tracking cookies used in behavioral advertising. From January 2013, site owners are responsible for proving that tracking data is not being processed, making enforcement easier. First-party analytics cookies may be used without prior consent under specific conditions.
Norway
While Norway is not an EU member, it is consulting on cookie laws. An opt-out system is expected, with the encouragement of industry-led self-regulation.
Poland
Poland’s cookie law was passed in November 2012 and came into force in early 2013. It mandates that websites provide clear information about cookies and requires consent before any data is stored or retrieved from a user’s device.
Portugal
Portugal’s Law 46/2012, effective August 30, 2012, mandates prior consent for cookies, making it an opt-in model. The Portuguese Data Protection Authority (CNPD) and the telecom regulator (ICP-ANACOM) are responsible for enforcement. Fines for non-compliance can reach up to €5 million.
Romania
The law has not yet been implemented.
Slovakia
The law is in effect, and consent can be provided through browser settings.
Slovenia
Slovenia has not yet enacted the law, and the EU has initiated legal proceedings against the country.
Spain
Spain’s Data Protection Authority (AEPD) issued guidance on April 29, 2013. Cookie notices must be clearly visible, and implied consent is allowed, though silence or inaction is not valid consent.
Sweden
The law came into force on July 1, 2011. The Post and Telecom Authority (PTS) oversees enforcement. While the law does not prescribe specific methods for obtaining consent, it encourages website owners to find suitable methods.
United Kingdom
The law is in effect. See more information on the UK Cookie Law.
Cookie Law in the UK
Privacy and Electronic Communications Regulations
In the UK, the EU Cookie Directive was implemented through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. These regulations are an amendment to the Privacy and Electronic Communications (EC Directive) Regulations 2003 and came into effect on 26 May 2011, just after the EU deadline.
Key Wording of the UK Regulations
One crucial section of the UK regulations pertains to obtaining user consent for storing or accessing information on their devices:
Confidentiality of Communications
- 6.—(1): No one shall store or access information stored in a user’s or subscriber’s terminal equipment unless the requirements in paragraph (2) are met.
- 6.—(2): The requirements are:
- (a): Clear and comprehensive information must be provided to the user regarding the purpose of storing or accessing information.
- (b): The user must give their consent.
- 6.—(3): If a network is used by the same person to access information on multiple occasions, obtaining consent during the initial use is sufficient for compliance.
- 6.—(3A): Consent can be indicated by the user adjusting their browser settings or using other applications to signal consent.
- 6.—(4): Paragraph (1) does not apply to:
- (a): The technical storage or access necessary for communication over an electronic network.
- (b): Storage or access essential for providing an information society service requested by the user.
In practical terms, this means that a website owner cannot store or access data on a user’s device unless the user has been informed clearly about the purpose of the storage and has given consent. The only exceptions are if the user requests a service that cannot be provided without accessing stored information.
UK Enforcement of the Regulations
The Information Commissioner’s Office (ICO) is responsible for enforcing the cookie regulations in the UK. The ICO has powers to investigate complaints and issue fines of up to £500,000 for serious violations of the law.
However, the ICO has taken a relatively light-touch approach to enforcement. Rather than conducting proactive investigations, it relies on a complaints mechanism. As of Spring 2013, the ICO’s main action has been visually checking websites to ensure they display cookie notifications.
While the ICO can demand that websites update their practices to comply with the law, it has suggested that imposing fines for non-compliance is unlikely. This approach has resulted in many websites either ignoring the regulations or doing the bare minimum to avoid potential legal action.
Some critics argue that this lenient enforcement has weakened online privacy protections, leading to diminished privacy rather than enhancing it as the original directive intended.
Sources of Compliance Guidance for Website Owners
One of the most comprehensive English-language guides to cookie law compliance comes from the UK Information Commissioner’s Office (ICO). The ICO serves as the UK’s Data Protection Authority and is responsible for enforcing the cookie regulations within the UK. While the ICO’s guidance is specifically tailored to UK law, it provides a solid foundation for understanding cookie compliance.
Another significant body offering advice across the EU is the Article 29 Working Party. This group consists of representatives from the data protection authorities of each EU member state. Although their opinions and publications do not carry legal authority, they are considered a key resource for interpreting cookie law and related legislation.
For website owners, one of the most important documents from the Article 29 Working Party is their opinion on the types of cookies that qualify for the “strictly necessary” exemption, which allows certain cookies to be used without requiring user consent.
Cookie Notices and Consent: What You Need to Know
Cookies play a crucial role in the functionality of modern websites, facilitating personalization and social media integration. However, they can also be used in ways that do not benefit visitors. Often, cookies track users across the internet and create detailed profiles that are highly valuable to brands and advertisers for targeted marketing.
This practice is frequently viewed as an invasion of privacy. Since cookies operate quietly in the background, you might not even realize they’re tracking you, nor would you know how to prevent it if desired.
To raise awareness about cookie usage and give users control over their data, the EU implemented privacy legislation in 2011, commonly referred to as the Cookie Law. This law mandates that websites provide clear and comprehensive information regarding their use of cookies, as well as options for users to consent to or decline this use. Websites are legally required to honor your preferences, which may involve blocking unwanted cookies or restricting access to certain site features based on your choices.
Some websites allow you to selectively enable or disable specific types of cookies. However, opting out of certain cookies may limit your ability to fully access or utilize the site’s features.
If you encounter a website that fails to provide adequate information or choices regarding cookie usage, particularly if it is owned by an EU-based company, it could be in violation of the law, and you may take action against the owner.
This website has been created to enhance your understanding of cookies and their application across different sites. You can explore information about your favorite websites, and soon, you will be able to search for specific cookies to learn more about their purposes.
How to File a Complaint About Cookies
Consumers who believe their privacy rights regarding cookies are being violated by a website can file a complaint with their local regulatory authority, typically the Data Protection Authority in their country.
In the UK, this authority is the Information Commissioner’s Office (ICO).
ICO Complaints Tool
The ICO has developed an online tool that allows consumers to report instances of cookie usage without consent.
You can access the tool directly here. The process is anonymous.
Additionally, the ICO provides updated information about cookies on their website, which you can visit here.
Purpose 1: Store and/or Access Information on a Device
Legal Text
Vendors are permitted to:
- Store and access information on devices, including cookies and device identifiers presented to users.
Purpose 2: Select Basic Ads
Legal Text
To facilitate basic ad selection, vendors can:
- Use real-time contextual information to display ads, including details about the content and device, such as device type, capabilities, user agent, URL, and IP address.
- Utilize non-precise geolocation data.
- Control how frequently ads are shown to users.
- Determine the sequence in which ads are presented.
- Prevent ads from being displayed in inappropriate editorial contexts (brand-safe environments).
Vendors cannot:
- Create a personalized ads profile for future ad selection using this information without a separate legal basis for such profiling.
Note: Non-precise means only approximate location data is allowed, with a minimum radius of 500 meters.
Purpose 3: Create a Personalized Ads Profile
Legal Text
To develop a personalized ads profile, vendors can:
- Gather information about users, including their activity, interests, demographic details, and location, to create or modify a user profile for personalized advertising.
- Combine this information with previously collected data from various websites and apps to create or edit a user profile for advertising purposes.
Purpose 4: Select Personalized Ads
Legal Text
To select personalized ads, vendors can:
- Choose personalized ads based on user profiles or historical data, including prior activity, interests, site or app visits, location, or demographic information.
Purpose 5: Create a Personalized Content Profile
Legal Text
To create a personalized content profile, vendors can:
- Collect user information, including activity, interests, site or app visits, demographic details, and location, to create or modify a profile for personalized content.
- Combine this data with previously collected information from various sources to create or edit a user profile for content personalization.
Purpose 6: Select Personalized Content
Legal Text
To select personalized content, vendors can:
- Choose content based on user profiles or historical data, including prior activity, interests, site or app visits, location, or demographic information.
Purpose 7: Measure Ad Performance
Legal Text
To measure ad performance, vendors can:
- Assess whether and how ads were delivered and interacted with by users.
- Provide reports on ad effectiveness and performance.
- Offer insights about users who engaged with ads based on observed interaction data.
- Supply publishers with reports on ads displayed on their platforms.
- Evaluate whether ads are shown in suitable editorial contexts (brand-safe environments).
- Determine the percentage of the ad that was viewable and the duration of that visibility.
- Integrate this information with previously collected data from various sources.
Vendors cannot:
- Apply audience insights derived from panels or similar methods to ad measurement data without a legal basis for market research (Purpose 9).
Purpose 8: Measure Content Performance
Legal Text
To measure content performance, vendors can:
- Assess how content was delivered and engaged with by users.
- Provide measurable reports about users who interacted with the content.
- Combine this information with previously collected data from various sources.
Vendors cannot:
- Measure whether and how ads (including native ads) were delivered and interacted with by users.
- Apply audience insights from panels or similar methods to content performance data without a legal basis for market research (Purpose 9).
Purpose 9: Apply Market Research to Generate Audience Insights
Legal Text
To apply market research for audience insights, vendors can:
- Provide aggregate reports to advertisers about the audiences reached by their ads using panel-based and similar insights.
- Offer aggregate reporting to publishers on the audiences interacting with content and/or ads on their platforms by applying similar insights.
- Link offline data with online users for market research purposes, provided vendors have disclosed the intention to match and combine offline data sources (Feature 1).
- Combine this information with previously collected data from various sources.
Vendors cannot:
- Measure the performance and effectiveness of ads served to specific users without a legal basis for measuring ad performance.
- Assess which content specific users interacted with without a legal basis for measuring content performance.
Purpose 10: Develop and Improve Products
Legal Text
To enhance existing products and develop new ones, vendors can:
- Utilize information to improve current products by adding new features and creating new products.
- Develop new models and algorithms through machine learning.
Vendors cannot:
- Conduct any other data processing activities allowed under different purposes without adhering to this purpose.
Special Purpose 1: Ensure Security, Prevent Fraud, and Debug
Legal Text
To maintain security, prevent fraud, and debug, vendors can:
- Ensure data is transmitted securely.
- Detect and prevent malicious, fraudulent, or illegal activities.
- Ensure the efficient operation of systems, including monitoring and enhancing performance for permitted purposes.
Vendors cannot:
- Conduct any other data processing activities allowed under different purposes for this purpose. Data used for security and fraud prevention may include automatically collected device characteristics, precise geolocation data, and data from actively scanning device characteristics without separate disclosure or opt-in.
Special Purpose 2: Technically Deliver Ads or Content
Legal Text
To deliver information and respond to technical requests, vendors can:
- Use a user’s IP address to deliver ads over the internet.
- Respond to user interactions with ads by directing them to landing pages.
- Use a user’s IP address to deliver content online.
- Respond to user interactions with content by directing them to landing pages.
- Utilize information about device types and capabilities to deliver ads or content appropriately.
Vendors cannot:
- Conduct any other data processing operations permitted under different purposes for this purpose.
Feature 1: Match and Combine Offline Data Sources
Legal Text
Vendors can:
- Combine offline data with online data to support one or more Purposes or Special Purposes.
Feature 2: Link Different Devices
Legal Text
Vendors can:
- Determine that two or more devices belong to the same user or household either deterministically or probabilistically.
- Actively scan device characteristics for identification if users have permitted such scanning (Special Feature 2).
Feature 3: Receive and Use Automatically-Sent Device Characteristics for Identification
Legal Text
Vendors can:
- Create identifiers using automatically collected data from devices, such as IP addresses and user-agent strings.
- Use such identifiers to attempt re-identifying a device.
Vendors cannot:
- Create identifiers from actively scanning devices for specific characteristics, such as installed fonts or screen resolution, without user opt-in.
Special Feature 1: Use Precise Geolocation Data
Legal Text
Vendors can:
- Collect and process precise geolocation data for one or more purposes.
Note: Precise geolocation allows for accurate location data within several meters.
Special Feature 2: Actively Scan Device Characteristics for Identification
Legal Text
Vendors can:
- Create identifiers using data from actively scanning devices for specific characteristics, such as installed fonts or screen resolution.
- Use these identifiers to re-identify a device.
Official Journ al of the E uropean Un ion L 337/11
DIRECTIVES
DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 25 November 2009
amending Directive 2002/22/EC on universal service and users’ rights relating to electronic
communications networks and services, Directive 2002/58/EC concerning the processing of personal
data and the protection of privacy in the electronic communications sector and Regulation (EC)
No 2006/2004 on cooperation between national authorities responsible for the enforcement of
consumer protection laws
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EURO
PEAN UNION,
Having regard to the Treaty establishing the European Commu
nity, and in particular Article 95 thereof,
Having regard to the proposal from the Commission,
Having regard to the opinion of the European Economic and
Social Committee
( 1 ) OJ C 224, 30.8.2008, p. 50.
(1 ),
Having regard to the opinion of the Committee of the Regions
(2 ) OJ C 257, 9.10.2008, p. 51.
( 2),
Having regard to the opinion of the European Data Protection
Supervisor
(3 ) OJ C 181, 18.7.2008, p. 1.
( 3 ),
Acting in accordance with the procedure laid down in Article 251
of the Treaty
(4 ) Opinion of the European Parliament of 24 September 2008 (not yet
published in the Official Journal), Council Common Position of 16 Feb
ruary 2009 (OJ C 103 E, 5.5.2009, p. 40), Position of the European
Parliament of 6 May 2009 and Council Decision of 26 October 2009.
(4 ),
Whereas:
(1) The functioning of the five directives comprising the exist
ing regulatory framework for electronic communications
networks and services (Directive 2002/19/EC of the Euro
pean Parliament and of the Council of 7 March 2002 on
access to, and interconnection of, electronic communica
tions networks and associated facilities (Access Direc
tive)
(5 ) OJ L 108, 24.4.2002, p. 7.
(5 ), Directive 2002/20/EC of the European Parliament
and of the Council of 7 March 2002 on the authorisation
of electronic communications networks and services
(Authorisation Directive)
(6 ) OJ L 108, 24.4.2002, p. 21.
( 6 ), Directive 2002/21/EC of the
European Parliament and the Council of 7 March 2002 on
a common regulatory framework for electronic communi
cations networks and services (Framework Directive)
( 7 ) OJ L 108, 24.4.2002, p. 33.
( 7 ),
Directive 2002/22/EC (Universal Service Directive)
(8 ) OJ L 108, 24.4.2002, p. 51.
( 8 ) and
Directive 2002/58/EC (Directive on privacy and electronic
communications)
(9 ) OJ L 201, 31.7.2002, p. 37.
( 9 ) (together referred to as ‘the Frame
work Directive and the Specific Directives’)) is subject to
periodic review by the Commission, with a view, in par
ticular, to determining the need for modification in the
light of technological and market developments.
(2) In that regard, the Commission presented its findings in its
Communication to the Council, the European Parliament,
the European Economic and Social Committee and the
Committee of the Regions of 29 June 2006 on the review
of the EU regulatory framework for electronic communi
cations networks and services.
(3) The reform of the EU regulatory framework for electronic
communications networks and services, including the rein
forcement of provisions for end-users with disabilities, rep
resents a key step towards simultaneously achieving a
Single European Information Space and an inclusive infor
mation society. These objectives are included in the strate
gic framework for the development of the information
society as described in the Commission Communication to
the Council, the European Parliament, the European Eco
nomic and Social Committee and the Committee of the
Regions of 1 June 2005 entitled ‘i2010 – A European
Information Society for growth and employment’.
(4) A fundamental requirement of universal service is to pro
vide users on request with a connection to the public com
munications network at a fixed location and at an
affordable price. The requirement is for the provision of
local, national and international telephone calls, facsimile
communications and data services, the provision of which
may be restricted by Member States to the end-user’s
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
primarylocation or residence. There should be no con
straints on the technical means by which this is provided,
allowing for wired or wireless technologies, nor any con
straints on which operators provide part or all of universal
service obligations.
(5) Data connections to the public communications network
at a fixed location should be capable of supporting data
communications at rates sufficient for access to online ser
vices such as those provided via the public Internet. The
speed of Internet access experienced by a given user may
depend on a number of factors, including the provider(s)
of Internet connectivity as well as the given application for
which a connection is being used. The data rate that can be
supported by a connection to the public communications
network depends on the capabilities of the subscriber’s ter
minal equipment as well as the connection. For this rea
son, it is not appropriate to mandate a specific data or bit
rate at Community level. Flexibility is required to allow
Member States to take measures, where necessary, to
ensure that a data connection is capable of supporting sat
isfactory data rates which are sufficient to permit func
tional Internet access, as defined by the Member States,
taking due account of specific circumstances in national
markets, for instance the prevailing bandwidth used by the
majority of subscribers in that Member State, and techno
logical feasibility, provided that these measures seek to
minimise market distortion. Where such measures result in
an unfair burden on a designated undertaking, taking due
account of the costs and revenues as well as the intangible
benefits resulting from the provision of the services con
cerned, this may be included in any net cost calculation of
universal obligations. Alternative financing of underlying
network infrastructure, involving Community funding or
national measures in accordance with Community law,
may also be implemented.
(6) This is without prejudice to the need for the Commission
to conduct a review of the universal service obligations,
which may include the financing of such obligations, in
accordance with Article 15 of Directive 2002/22/EC (Uni
versal Service Directive), and, if appropriate, to present
proposals for reform to meet public interest objectives.
(7) For the sake of clarity and simplicity, this Directive only
deals with amendments to Directives 2002/22/EC (Univer
sal Service Directive) and 2002/58/EC (Directive on pri
vacy and electronic communications).
(8) Without prejudice to Directive 1999/5/EC of the European
Parliament and of the Council of 9 March 1999 on radio
equipment and telecommunications terminal equipment
and the mutual recognition of their conformity
( 1 ) OJ L 91, 7.4.1999, p. 10.
( 1 ), and in
particular the disability requirements laid down in
Article 3(3)(f) thereof, certain aspects of terminal equip
ment, including consumer premises equipment intended
for disabled end-users, whether their special needs are due
to disability or related to ageing, should be brought within
the scope of Directive 2002/22/EC (Universal Service
Directive) in order to facilitate access to networks and the
use of services. Such equipment currently includes receive-
only radio and television terminal equipment as well as
special terminal devices for hearing-impaired end-users.
(9) Member States should introduce measures to promote the
creation of a market for widely available products and ser
vices incorporating facilities for disabled end-users. This
can be achieved, inter alia, by referring to European stan
dards, introducing electronic accessibility (eAccessibility)
requirements for public procurement procedures and calls
for tender relating to the provision of services, and by
implementing legislation upholding the rights of disabled
end-users.
(10) When an undertaking designated to provide universal ser
vice, as identified in Article 4 of Directive 2002/22/EC
(Universal Service Directive), chooses to dispose of a sub
stantial part, viewed in light of its universal service obliga
tion, or all, of its local access network assets in the national
territory to a separate legal entity under different ultimate
ownership, the national regulatory authority should assess
the effects of the transaction in order to ensure the conti
nuity of universal service obligations in all or parts of the
national territory. To this end, the national regulatory
authority which imposed the universal service obligations
should be informed by the undertaking in advance of the
disposal. The assessment of the national regulatory author
ity should not prejudice the completion of the transaction.
(11) Technological developments have led to substantial reduc
tions in the number of public pay telephones. In order to
ensure technological neutrality and continued access by
the public to voice telephony, national regulatory authori
ties should be able to impose obligations on undertakings
to ensure not only that public pay telephones are provided
to meet the reasonable needs of end-users, but also that
alternative public voice telephony access points are pro
vided for that purpose, if appropriate.
(12) Equivalence in disabled end-users’ access to services should
be guaranteed to the level available to other end-users. To
this end, access should be functionally equivalent, such
that disabled end-users benefit from the same usability of
services as other end-users, but by different means.
NE21/733L
Official Journ al of the E uropean Un ion L 337/13
(13) Definitions need to be adjusted so as to conform to the
principle of technology neutrality and to keep pace with
technological development. In particular, conditions for
the provision of a service should be separated from the
actual definitional elements of a publicly available tele
phone service, i.e. an electronic communications service
made available to the public for originating and receiving,
directly or indirectly, national or national and international
calls through a number or numbers in a national or inter
national telephone numbering plan, whether such a service
is based on circuit switching or packet switching technol
ogy. It is the nature of such a service that it is bidirectional,
enabling both the parties to communicate. A service which
does not fulfil all these conditions, such as for example a
‘click-through’ application on a customer service website,
is not a publicly available telephone service. Publicly avail
able telephone services also include means of communica
tion specifically intended for disabled end-users using text
relay or total conversation services.
(14) It is necessary to clarify that the indirect provision of ser
vices could include situations where originating is made via
carrier selection or pre-selection or where a service pro
vider resells or re-brands publicly available telephone ser
vices provided by another undertaking.
(15) As a result of technological and market evolution, net
works are increasingly moving to ‘Internet Protocol’ (IP)
technology, and consumers are increasingly able to choose
between a range of competing voice service providers.
Therefore, Member States should be able to separate uni
versal service obligations concerning the provision of a
connection to the public communications network at a
fixed location from the provision of a publicly available
telephone service. Such separation should not affect the
scope of universal service obligations defined and reviewed
at Community level.
(16) In accordance with the principle of subsidiarity, it is for the
Member States to decide on the basis of objective criteria
which undertakings are designated as universal service pro
viders, where appropriate taking into account the ability
and the willingness of undertakings to accept all or part of
the universal service obligations. This does not preclude
that Member States may include, in the designation pro
cess, specific conditions justified on grounds of efficiency,
including, inter alia, grouping geographical areas or com
ponents or setting minimum periods for the designation.
(17) National regulatory authorities should be able to monitor
the evolution and level of retail tariffs for services that fall
under the scope of universal service obligations, even
where a Member State has not yet designated an undertak
ing to provide universal service. In such a case, the moni
toring should be carried out in such a way that it would
not represent an excessive administrative burden for either
national regulatory authorities or undertakings providing
such service.
(18) Redundant obligations designed to facilitate the transition
from the regulatory framework of 1998 to that of 2002
should be deleted, together with other provisions that
overlap with and duplicate those laid down in Directive
2002/21/EC (Framework Directive).
(19) The requirement to provide a minimum set of leased lines
at retail level, which was necessary to ensure the contin
ued application of provisions of the regulatory framework
of 1998 in the field of leased lines, which was not suffi
ciently competitive at the time the 2002 framework
entered into force, is no longer necessary and should be
repealed.
(20) To continue to impose carrier selection and carrier pre-
selection directly in Community legislation could hamper
technological progress. These remedies should rather be
imposed by national regulatory authorities as a result of
market analysis carried out in accordance with the proce
dures set out in Directive 2002/21/EC (Framework Direc
tive) and through the obligations referred to in Article 12
of Directive 2002/19/EC (Access Directive).
(21) Provisions on contracts should apply not only to consum
ers but also to other end-users, primarily micro enterprises
and small and medium-sized enterprises (SMEs), which
may prefer a contract adapted to consumer needs. To avoid
unnecessary administrative burdens for providers and the
complexity related to the definition of SMEs, the provi
sions on contracts should not apply automatically to those
other end-users, but only where they so request. Member
States should take appropriate measures to promote aware
ness amongst SMEs of this possibility.
(22) As a consequence of technological developments, other
types of identifiers may be used in the future, in addition
to ordinary forms of numbering identification.
(23) Providers of electronic communications services that allow
calls should ensure that their customers are adequately
informed as to whether or not access to emergency ser
vices is provided and of any limitation on service (such as
a limitation on the provision of caller location information
or the routing of emergency calls). Such providers should
also provide their customers with clear and transparent
information in the initial contract and in the event of any
change in the access provision, for example in billing
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
information. This information should include any limita
tions on territorial coverage, on the basis of the planned
technical operating parameters of the service and the avail
able infrastructure. Where the service is not provided over
a switched telephony network, the information should also
include the level of reliability of the access and of caller
location information compared to a service that is pro
vided over a switched telephony network, taking into
account current technology and quality standards, as well
as any quality of service parameters specified under Direc
tive 2002/22/EC (Universal Service Directive).
(24) With respect to terminal equipment, the customer contract
should specify any restrictions imposed by the provider on
the use of the equipment, such as by way of ‘SIM-locking’
mobile devices, if such restrictions are not prohibited
under national legislation, and any charges due on termi
nation of the contract, whether before or on the agreed
expiry date, including any cost imposed in order to retain
the equipment.
(25) Without imposing any obligation on the provider to take
action over and above what is required under Community
law, the customer contract should also specify the type of
action, if any, the provider might take in case of security or
integrity incidents, threats or vulnerabilities.
(26) In order to address public interest issues with respect to the
use of communications services and to encourage protec
tion of the rights and freedoms of others, the relevant
national authorities should be able to produce and have
disseminated, with the aid of providers, public interest
information related to the use of such services. This could
include public interest information regarding copyright
infringement, other unlawful uses and the dissemination of
harmful content, and advice and means of protection
against risks to personal security, which may for example
arise from disclosure of personal information in certain cir
cumstances, as well as risks to privacy and personal data,
and the availability of easy-to-use and configurable soft
ware or software options allowing protection for children
or vulnerable persons. The information could be coordi
nated by way of the cooperation procedure established in
Article 33(3) of Directive 2002/22/EC (Universal Service
Directive). Such public interest information should be
updated whenever necessary and should be presented in
easily comprehensible printed and electronic formats, as
determined by each Member State, and on national public
authority websites. National regulatory authorities should
be able to oblige providers to disseminate this standardised
information to all their customers in a manner deemed
appropriate by the national regulatory authorities. When
required by Member States, the information should also be
included in contracts. Dissemination of such information
should however not impose an excessive burden on under
takings. Member States should require this dissemination
by the means used by undertakings in communications
with subscribers made in the ordinary course of business.
(27) The right of subscribers to withdraw from their contracts
without penalty refers to modifications in contractual con
ditions which are imposed by the providers of electronic
communications networks and/or services.
(28) End-users should be able to decide what content they want
to send and receive, and which services, applications, hard
ware and software they want to use for such purposes,
without prejudice to the need to preserve the integrity and
security of networks and services. A competitive market
will provide users with a wide choice of content, applica
tions and services. National regulatory authorities should
promote users’ ability to access and distribute information
and to run applications and services of their choice, as pro
vided for in Article 8 of Directive 2002/21/EC (Framework
Directive). Given the increasing importance of electronic
communications for consumers and businesses, users
should in any case be fully informed of any limiting con
ditions imposed on the use of electronic communications
services by the service and/or network provider. Such
information should, at the option of the provider, specify
the type of content, application or service concerned, indi
vidual applications or services, or both. Depending on the
technology used and the type of limitation, such limita
tions may require user consent under Directive
2002/58/EC (Directive on privacy and electronic
communications).
(29) Directive 2002/22/EC (Universal Service Directive) neither
mandates nor prohibits conditions imposed by providers,
in accordance with national law, limiting end-users’ access
to and/or use of services and applications, but lays down
an obligation to provide information regarding such con
ditions. Member States wishing to implement measures
regarding end-users’ access to and/or use of services and
applications must respect the fundamental rights of citi
zens, including in relation to privacy and due process, and
any such measures should take full account of policy goals
defined at Community level, such as furthering the devel
opment of the Community information society.
(30) Directive 2002/22/EC (Universal Service Directive) does
not require providers to monitor information transmitted
over their networks or to bring legal proceedings against
their customers on grounds of such information, nor does
it make providers liable for that information. Responsibil
ity for punitive action or criminal prosecution is a matter
for national law, respecting fundamental rights and free
doms, including the right to due process.
NE41/733L
Official Journ al of the E uropean Un ion L 337/15
(31) In the absence of relevant rules of Community law, con
tent, applications and services are deemed lawful or harm
ful in accordance with national substantive and procedural
law. It is a task for the Member States, not for providers of
electronic communications networks or services, to decide,
in accordance with due process, whether content, applica
tions or services are lawful or harmful. The Framework
Directive and the Specific Directives are without prejudice
to Directive 2000/31/EC of the European Parliament and
of the Council of 8 June 2000 on certain legal aspects of
information society services, in particular electronic com
merce, in the Internal Market (Directive on electronic com
merce)
( 1 ) OJ L 178, 17.7.2000, p. 1.
(1 ), which, inter alia, contains a ‘mere conduit’ rule
for intermediary service providers, as defined therein.
(32) The availability of transparent, up-to-date and comparable
information on offers and services is a key element for
consumers in competitive markets where several provid
ers offer services. End-users and consumers of electronic
communications services should be able to easily compare
the prices of various services offered on the market based
on information published in an easily accessible form. In
order to allow them to make price comparisons easily,
national regulatory authorities should be able to require
from undertakings providing electronic communications
networks and/or services greater transparency as regards
information (including tariffs, consumption patterns and
other relevant statistics) and to ensure that third parties
have the right to use, without charge, publicly available
information published by such undertakings. National
regulatory authorities should also be able to make price
guides available, in particular where the market has not
provided them free of charge or at a reasonable price.
Undertakings should not be entitled to any remuneration
for the use of information where it has already been pub
lished and thus belongs in the public domain. In addition,
end-users and consumers should be adequately informed
of the price and the type of service offered before they pur
chase a service, in particular if a freephone number is sub
ject to additional charges. National regulatory authorities
should be able to require that such information is provided
generally, and, for certain categories of services determined
by them, immediately prior to connecting the call, unless
otherwise provided for by national law. When determin
ing the categories of call requiring pricing information
prior to connection, national regulatory authorities should
take due account of the nature of the service, the pricing
conditions which apply to it and whether it is offered by a
provider who is not a provider of electronic communica
tions services. Without prejudice to Directive 2000/31/EC
(Directive on electronic commerce), undertakings should
also, if required by Member States, provide subscribers
with public interest information produced by the relevant
public authorities regarding, inter alia, the most common
infringements and their legal consequences.
(33) Customers should be informed of their rights with respect
to the use of their personal information in subscriber direc
tories and in particular of the purpose or purposes of such
directories, as well as their right, free of charge, not to be
included in a public subscriber directory, as provided for in
Directive 2002/58/EC (Directive on privacy and electronic
communications). Customers should also be informed of
systems which allow information to be included in the
directory database but which do not disclose such infor
mation to users of directory services.
(34) A competitive market should ensure that end-users enjoy
the quality of service they require, but in particular cases it
may be necessary to ensure that public communications
networks attain minimum quality levels so as to prevent
degradation of service, the blocking of access and the slow
ing of traffic over networks. In order to meet quality of ser
vice requirements, operators may use procedures to
measure and shape traffic on a network link so as to avoid
filling the link to capacity or overfilling the link, which
would result in network congestion and poor perfor
mance. Those procedures should be subject to scrutiny by
the national regulatory authorities, acting in accordance
with the Framework Directive and the Specific Directives
and in particular by addressing discriminatory behaviour,
in order to ensure that they do not restrict competition. If
appropriate, national regulatory authorities may also
impose minimum quality of service requirements on
undertakings providing public communications networks
to ensure that services and applications dependent on the
network are delivered at a minimum quality standard, sub
ject to examination by the Commission. National regula
tory authorities should be empowered to take action to
address degradation of service, including the hindering or
slowing down of traffic, to the detriment of consumers.
However, since inconsistent remedies can impair the func
tioning of the internal market, the Commission should
assess any requirements intended to be set by national
regulatory authorities for possible regulatory intervention
across the Community and, if necessary, issue comments
or recommendations in order to achieve consistent
application.
(35) In future IP networks, where provision of a service may be
separated from provision of the network, Member States
should determine the most appropriate steps to be taken to
ensure the availability of publicly available telephone ser
vices provided using public communications networks and
uninterrupted access to emergency services in the event of
catastrophic network breakdown or in cases of force
majeure, taking into account the priorities of different
types of subscriber and technical limitations.
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
(36) In order to ensure that disabled end-users benefit from
competition and the choice of service providers enjoyed by
the majority of end-users, relevant national authorities
should specify, where appropriate and in light of national
conditions, consumer protection requirements to be met
by undertakings providing publicly available electronic
communications services. Such requirements may include,
in particular, that undertakings ensure that disabled end-
users take advantage of their services on equivalent terms
and conditions, including prices and tariffs, as those offered
to their other end-users, irrespective of any additional costs
incurred by them. Other requirements may relate to whole
sale arrangements between undertakings.
(37) Operator assistance services cover a range of different ser
vices for end-users. The provision of such services should
be left to commercial negotiations between providers of
public communications networks and operator assistance
services, as is the case for any other customer support ser
vice, and it is not necessary to continue to mandate their
provision. The corresponding obligation should therefore
be repealed.
(38) Directory enquiry services should be, and frequently are,
provided under competitive market conditions, pursuant
to Article 5 of Commission Directive 2002/77/EC of
16 September 2002 on competition in the markets for
electronic communications networks and services
( 1 ) OJ L 249, 17.9.2002, p. 21.
( 1 ).
Wholesale measures ensuring the inclusion of end-user
data (both fixed and mobile) in databases should comply
with the safeguards for the protection of personal data,
including Article 12 of Directive 2002/58/EC (Directive on
privacy and electronic communications). The cost-oriented
supply of that data to service providers, with the possibil
ity for Member States to establish a centralised mechanism
for providing comprehensive aggregated information to
directory providers, and the provision of network access
under reasonable and transparent conditions, should be
put in place in order to ensure that end-users benefit fully
from competition, with the ultimate aim of enabling the
removal of retail regulation from these services and the
provision of offers of directory services under reasonable
and transparent conditions.
(39) End-users should be able to call and access the emergency
services using any telephone service capable of originating
voice calls through a number or numbers in national tele
phone numbering plans. Member States that use national
emergency numbers besides ‘112’ may impose on under
takings similar obligations for access to such national
emergency numbers. Emergency authorities should be able
to handle and answer calls to the number ‘112’ at least as
expeditiously and effectively as calls to national
emergency numbers. It is important to increase awareness
of ‘112’ in order to improve the level of protection and
security of citizens travelling in the European Union. To
this end, citizens should be made fully aware, when trav
elling in any Member State, in particular through informa
tion provided in international bus terminals, train stations,
ports or airports and in telephone directories, payphone
kiosks, subscriber and billing material, that ‘112’ can be
used as a single emergency number throughout the Com
munity. This is primarily the responsibility of the Member
States, but the Commission should continue both to sup
port and to supplement initiatives of the Member States to
heighten awareness of ‘112’ and periodically to evaluate
the public’s awareness of it. The obligation to provide caller
location information should be strengthened so as to
increase the protection of citizens. In particular, undertak
ings should make caller location information available to
emergency services as soon as the call reaches that service
independently of the technology used. In order to respond
to technological developments, including those leading to
increasingly accurate caller location information, the Com
mission should be empowered to adopt technical imple
menting measures to ensure effective access to ‘112’
services in the Community for the benefit of citizens. Such
measures should be without prejudice to the organisation
of emergency services of Member States.
(40) Member States should ensure that undertakings providing
end-users with an electronic communications service
designed for originating calls through a number or num
bers in a national telephone numbering plan provide reli
able and accurate access to emergency services, taking into
account national specifications and criteria. Network-
independent undertakings may not have control over net
works and may not be able to ensure that emergency calls
made through their service are routed with the same reli
ability, as they may not be able to guarantee service avail
ability, given that problems related to infrastructure are not
under their control. For network-independent undertak
ings, caller location information may not always be tech
nically feasible. Once internationally-recognised standards
ensuring accurate and reliable routing and connection to
the emergency services are in place, network-independent
undertakings should also fulfil the obligations related to
caller location information at a level comparable to that
required of other undertakings.
(41) Member States should take specific measures to ensure that
emergency services, including ‘112’, are equally accessible
to disabled end-users, in particular deaf, hearing-impaired,
speech-impaired and deaf-blind users. This could involve
the provision of special terminal devices for hearing-
impaired users, text relay services, or other specific
equipment.
NE61/733L
Official Journ al of the E uropean Un ion L 337/17
(42) Development of the international code ‘3883’ (the Euro
pean Telephony Numbering Space (ETNS)) is currently hin
dered by insufficient awareness, overly bureaucratic
procedural requirements and, in consequence, lack of
demand. In order to encourage the development of ETNS,
the Member States to which the International Telecommu
nications Union has assigned the international code ‘3883’
should, following the example of the implementation of
the ‘.eu’ top-level domain, delegate responsibility for its
management, number assignment and promotion to an
existing separate organisation, designated by the Commis
sion on the basis of an open, transparent and non-
discriminatory selection procedure. That organisation
should also have the task of developing proposals for pub
lic service applications using ETNS for common European
services, such as a common number for reporting thefts of
mobile terminals.
(43) Considering the particular aspects related to reporting
missing children and the currently limited availability of
such a service, Member States should not only reserve a
number, but also make every effort to ensure that a service
for reporting missing children is actually available in their
territories under the number ‘116000’, without delay. To
that end, Member States should, if appropriate, inter alia,
organise tendering procedures in order to invite interested
parties to provide that service.
(44) Voice calls remain the most robust and reliable form of
access to emergency services. Other means of contact, such
as text messaging, may be less reliable and may suffer from
lack of immediacy. Member States should, however, if they
deem it appropriate, be free to promote the development
and implementation of other means of access to emer
gency services which are capable of ensuring access equiva
lent to voice calls.
(45) Pursuant to its Decision 2007/116/EC of 15 February
2007 on reserving the national numbering range begin
ning with ‘116’ for harmonised numbers for harmonised
services of social value
( 1 ) OJ L 49, 17.2.2007, p. 30.
( 1 ), the Commission has asked
Member States to reserve numbers in the ‘116’ numbering
range for certain services of social value. The appropriate
provisions of that Decision should be reflected in Directive
2002/22/EC (Universal Service Directive) in order to inte
grate them more firmly into the regulatory framework for
electronic communications networks and services and to
facilitate access by disabled end-users.
(46) A single market implies that end-users are able to access all
numbers included in the national numbering plans of other
Member States and to access services using non-geographic
numbers within the Community, including, among others,
freephone and premium rate numbers. End-users should
also be able to access numbers from the European Tele
phone Numbering Space (ETNS) and Universal Interna
tional Freephone Numbers (UIFN). Cross-border access to
numbering resources and associated services should not be
prevented, except in objectively justified cases, for example
to combat fraud or abuse (e.g. in connection with certain
premium-rate services), when the number is defined as
having a national scope only (e.g. a national short code) or
when it is technically or economically unfeasible. Users
should be fully informed in advance and in a clear manner
of any charges applicable to freephone numbers, such as
international call charges for numbers accessible through
standard international dialling codes.
(47) In order to take full advantage of the competitive environ
ment, consumers should be able to make informed choices
and to change providers when it is in their interests. It is
essential to ensure that they can do so without being hin
dered by legal, technical or practical obstacles, including
contractual conditions, procedures, charges and so on.
This does not preclude the imposition of reasonable mini
mum contractual periods in consumer contracts. Number
portability is a key facilitator of consumer choice and effec
tive competition in competitive markets for electronic
communications and should be implemented with the
minimum delay, so that the number is functionally acti
vated within one working day and the user does not expe
rience a loss of service lasting longer than one working
day. Competent national authorities may prescribe the glo
bal process of the porting of numbers, taking into account
national provisions on contracts and technological devel
opments. Experience in certain Member States has shown
that there is a risk of consumers being switched to another
provider without having given their consent. While that is
a matter that should primarily be addressed by law enforce
ment authorities, Member States should be able to impose
such minimum proportionate measures regarding the
switching process, including appropriate sanctions, as are
necessary to minimise such risks, and to ensure that con
sumers are protected throughout the switching process
without making the process less attractive for them.
(48) Legal ‘must-carry’ obligations may be applied to specified
radio and television broadcast channels and complemen
tary services supplied by a specified media service provider.
Member States should provide a clear justification for the
‘must carry’ obligations in their national law so as to ensure
that such obligations are transparent, proportionate and
properly defined. In that regard, ‘must carry’ rules should
be designed in a way which provides sufficient incentives
for efficient investment in infrastructure. ‘Must carry’ rules
should be periodically reviewed in order to keep them
up-to-date with technological and market evolution and in
order to ensure that they continue to be proportionate to
the objectives to be achieved. Complementary services
include, but are not limited to, services designed to improve
accessibility for end-users with disabilities, such as video
text, subtitling, audio description and sign language.
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
(49) In order to overcome existing shortcomings in terms of
consumer consultation and to appropriately address the
interests of citizens, Member States should put in place an
appropriate consultation mechanism. Such a mechanism
could take the form of a body which would, independently
of the national regulatory authority and service providers,
carry out research into consumer-related issues, such as
consumer behaviour and mechanisms for changing suppli
ers, and which would operate in a transparent manner and
contribute to the existing mechanisms for stakeholder con
sultation. Furthermore, a mechanism could be established
for the purpose of enabling appropriate cooperation on
issues relating to the promotion of lawful content. Any
cooperation procedures agreed pursuant to such a mecha
nism should, however, not allow for the systematic surveil
lance of Internet usage.
(50) Universal service obligations imposed on an undertaking
designated as having universal service obligations should
be notified to the Commission.
(51) Directive 2002/58/EC (Directive on privacy and electronic
communications) provides for the harmonisation of the
provisions of the Member States required to ensure an
equivalent level of protection of fundamental rights and
freedoms, in particular the right to privacy and the right to
confidentiality, with respect to the processing of personal
data in the electronic communications sector, and to
ensure the free movement of such data and of electronic
communications equipment and services in the Commu
nity. Where measures aiming to ensure that terminal equip
ment is constructed so as to safeguard the protection of
personal data and privacy are adopted pursuant to Direc
tive 1999/5/EC or Council Decision 87/95/EEC of
22 December 1986 on standardization in the field of infor
mation technology and telecommunications
( 1 ) OJ L 36, 7.2.1987, p. 31.
( 1), such mea
sures should respect the principle of technology neutrality.
(52) Developments concerning the use of IP addresses should
be followed closely, taking into consideration the work
already done by, among others, the Working Party on the
Protection of Individuals with regard to the Processing of
Personal Data established by Article 29 of Directive
95/46/EC of the European Parliament and of the Council
of 24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free
movement of such data
(2 ) OJ L 281, 23.11.1995, p. 31.
( 2 ), and in the light of such pro
posals as may be appropriate.
(53) The processing of traffic data to the extent strictly neces
sary for the purposes of ensuring network and information
security, i.e. the ability of a network or an information sys
tem to resist, at a given level of confidence, accidental
events or unlawful or malicious actions that compromise
the availability, authenticity, integrity and confidentiality of
stored or transmitted data, and the security of the related
services offered by, or accessible via, these networks and
systems, by providers of security technologies and services
when acting as data controllers is subject to Article 7(f) of
Directive 95/46/EC. This could, for example, include pre
venting unauthorised access to electronic communications
networks and malicious code distribution and stopping
‘denial of service’ attacks and damage to computer and
electronic communication systems.
(54) The liberalisation of electronic communications networks
and services markets and rapid technological development
have combined to boost competition and economic
growth and resulted in a rich diversity of end-user services
accessible via public electronic communications networks.
It is necessary to ensure that consumers and users are
afforded the same level of protection of privacy and per
sonal data, regardless of the technology used to deliver a
particular service.
(55) In line with the objectives of the regulatory framework for
electronic communications networks and services and with
the principles of proportionality and subsidiarity, and for
the purposes of legal certainty and efficiency for European
businesses and national regulatory authorities alike, Direc
tive 2002/58/EC (Directive on privacy and electronic com
munications) focuses on public electronic communications
networks and services, and does not apply to closed user
groups and corporate networks.
(56) Technological progress allows the development of new
applications based on devices for data collection and iden
tification, which could be contactless devices using radio
frequencies. For example, Radio Frequency Identification
Devices (RFIDs) use radio frequencies to capture data from
uniquely identified tags which can then be transferred over
existing communications networks. The wide use of such
technologies can bring considerable economic and social
benefit and thus make a powerful contribution to the inter
nal market, if their use is acceptable to citizens. To achieve
this aim, it is necessary to ensure that all fundamental
rights of individuals, including the right to privacy and data
protection, are safeguarded. When such devices are con
nected to publicly available electronic communications
networks or make use of electronic communications ser
vices as a basic infrastructure, the relevant provisions of
Directive 2002/58/EC (Directive on privacy and electronic
communications), including those on security, traffic and
location data and on confidentiality, should apply.
(57) The provider of a publicly available electronic communi
cations service should take appropriate technical and
organisational measures to ensure the security of its ser
vices. Without prejudice to Directive 95/46/EC, such mea
sures should ensure that personal data can be accessed
only by authorised personnel for legally authorised pur
poses, and that the personal data stored or transmitted, as
NE81/733L
Official Journ al of the E uropean Un ion L 337/19
well as the network and services,are protected. Moreover,
a security policy with respect to the processing of personal
data should be established in order to identify vulnerabili
ties in the system, and monitoring and preventive, correc
tive and mitigating action should be regularly carried out.
(58) The competent national authorities should promote the
interests of citizens by, inter alia, contributing to ensuring
a high level of protection of personal data and privacy. To
this end, competent national authorities should have the
necessary means to perform their duties, including com
prehensive and reliable data about security incidents that
have led to the personal data of individuals being compro
mised. They should monitor measures taken and dissemi
nate best practices among providers of publicly available
electronic communications services. Providers should
therefore maintain an inventory of personal data breaches
to enable further analysis and evaluation by the competent
national authorities.
(59) Community law imposes duties on data controllers regard
ing the processing of personal data, including an obliga
tion to implement appropriate technical and organisational
protection measures against, for example, loss of data. The
data breach notification requirements contained in Direc
tive 2002/58/EC (Directive on privacy and electronic com
munications) provide a structure for notifying the
competent authorities and individuals concerned when
personal data has nevertheless been compromised. Those
notification requirements are limited to security breaches
which occur in the electronic communications sector.
However, the notification of security breaches reflects the
general interest of citizens in being informed of security
failures which could result in their personal data being lost
or otherwise compromised, as well as of available or advis
able precautions that they could take in order to minimise
the possible economic loss or social harm that could result
from such failures. The interest of users in being notified is
clearly not limited to the electronic communications sec
tor, and therefore explicit, mandatory notification require
ments applicable to all sectors should be introduced at
Community level as a matter of priority. Pending a review
to be carried out by the Commission of all relevant Com
munity legislation in this field, the Commission, in consul
tation with the European Data Protection Supervisor,
should take appropriate steps without delay to encourage
the application throughout the Community of the prin
ciples embodied in the data breach notification rules con
tained in Directive 2002/58/EC (Directive on privacy and
electronic communications), regardless of the sector, or the
type, of data concerned.
(60) Competent national authorities should monitor measures
taken and disseminate best practices among providers of
publicly available electronic communications services.
(61) A personal data breach may, if not addressed in an adequate
and timely manner, result in substantial economic loss and
social harm, including identity fraud, to the subscriber or
individual concerned. Therefore, as soon as the provider of
publicly available electronic communications services
becomes aware that such a breach has occurred, it should
notify the breach to the competent national authority. The
subscribers or individuals whose data and privacy could be
adversely affected by the breach should be notified with
out delay in order to allow them to take the necessary pre
cautions. A breach should be considered as adversely
affecting the data or privacy of a subscriber or individual
where it could result in, for example, identity theft or fraud,
physical harm, significant humiliation or damage to repu
tation in connection with the provision of publicly avail
able communications services in the Community. The
notification should include information about measures
taken by the provider to address the breach, as well as rec
ommendations for the subscriber or individual concerned.
(62) When implementing measures transposing Directive
2002/58/EC (Directive on privacy and electronic commu
nications), the authorities and courts of the Member States
should not only interpret their national law in a manner
consistent with that Directive, but should also ensure that
they do not rely on an interpretation of it which would
conflict with fundamental rights or general principles of
Community law, such as the principle of proportionality.
(63) Provision should be made for the adoption of technical
implementing measures concerning the circumstances, for
mat and procedures applicable to information and notifi
cation requirements in order to achieve an adequate level
of privacy protection and security of personal data trans
mitted or processed in connection with the use of elec
tronic communications networks in the internal market.
(64) In setting detailed rules concerning the format and proce
dures applicable to the notification of personal data
breaches, due consideration should be given to the circum
stances of the breach, including whether or not personal
data had been protected by appropriate technical protec
tion measures, effectively limiting the likelihood of iden
tity fraud or other forms of misuse. Moreover, such rules
and procedures should take into account the legitimate
interests of law enforcement authorities in cases where
early disclosure could unnecessarily hamper the investiga
tion of the circumstances of a breach.
(65) Software that surreptitiously monitors the actions of the
user or subverts the operation of the user’s terminal equip
ment to the benefit of a third party (spyware) poses a seri
ous threat to the privacy of users, as do viruses. A high and
equal level of protection of the private sphere of users
needs to be ensured, regardless of whether unwanted
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
spying programmes or viruses are inadvertently down
loaded via electronic communications networks or are
delivered and installed in software distributed on other
external data storage media, such as CDs, CD-ROMs or
USB keys. Member States should encourage the provision
of information to end-users about available precautions,
and should encourage them to take the necessary steps to
protect their terminal equipment against viruses and
spyware.
(66) Third parties may wish to store information on the equip
ment of a user, or gain access to information already
stored, for a number of purposes, ranging from the legiti
mate (such as certain types of cookies) to those involving
unwarranted intrusion into the private sphere (such as spy
ware or viruses). It is therefore of paramount importance
that users be provided with clear and comprehensive infor
mation when engaging in any activity which could result
in such storage or gaining of access. The methods of pro
viding information and offering the right to refuse should
be as user-friendly as possible. Exceptions to the obligation
to provide information and offer the right to refuse should
be limited to those situations where the technical storage
or access is strictly necessary for the legitimate purpose of
enabling the use of a specific service explicitly requested by
the subscriber or user. Where it is technically possible and
effective, in accordance with the relevant provisions of
Directive 95/46/EC, the user’s consent to processing may
be expressed by using the appropriate settings of a browser
or other application. The enforcement of these require
ments should be made more effective by way of enhanced
powers granted to the relevant national authorities.
(67) Safeguards provided for subscribers against intrusion into
their privacy by unsolicited communications for direct
marketing purposes by means of electronic mail should
also be applicable to SMS, MMS and other kinds of similar
applications.
(68) Electronic communications service providers make sub
stantial investments in order to combat unsolicited com
mercial communications (spam). They are also in a better
position than end-users in that they possess the knowledge
and resources necessary to detect and identify spammers.
E-mail service providers and other service providers should
therefore be able to initiate legal action against spammers,
and thus defend the interests of their customers, as part of
their own legitimate business interests.
(69) The need to ensure an adequate level of protection of pri
vacy and personal data transmitted and processed in con
nection with the use of electronic communications
networks in the Community calls for effective implemen
tation and enforcement powers in order to provide
adequate incentives for compliance. Competent national
authorities and, where appropriate, other relevant national
bodies should have sufficient powers and resources to
investigate cases of non-compliance effectively, including
powers to obtain any relevant information they might
need, to decide on complaints and to impose sanctions in
cases of non-compliance.
(70) The implementation and enforcement of the provisions of
this Directive often require cooperation between the
national regulatory authorities of two or more Member
States, for example in combating cross-border spam and
spyware. In order to ensure smooth and rapid cooperation
in such cases, procedures relating for example to the quan
tity and format of information exchanged between authori
ties, or deadlines to be complied with, should be defined by
the relevant national authorities, subject to examination by
the Commission. Such procedures will also allow the
resulting obligations of market actors to be harmonised,
contributing to the creation of a level playing field in the
Community.
(71) Cross-border cooperation and enforcement should be rein
forced in line with existing Community cross-border
enforcement mechanisms, such as that laid down in Regu
lation (EC) No 2006/2004 (the Regulation on consumer
protection cooperation)
( 1 ) OJ L 364, 9.12.2004, p. 1.
( 1 ), by way of an amendment to
that Regulation.
(72) The measures necessary for the implementation of Direc
tives 2002/22/EC (Universal Service Directive)
and 2002/58/EC (Directive on privacy and electronic com
munications) should be adopted in accordance with Coun
cil Decision 1999/468/EC of 28 June 1999 laying down
the procedures for the exercise of implementing powers
conferred on the Commission
(2 ) OJ L 184, 17.7.1999, p. 23.
(2 ).
(73) In particular, the Commission should be empowered to
adopt implementing measures on effective access to ‘112’
services, as well as to adapt the Annexes to technical
progress or changes in market demand. It should also be
empowered to adopt implementing measures concerning
information and notification requirements and security of
processing. Since those measures are of general scope and
are designed to amend non-essential elements of Directives
2002/22/EC (Universal Service Directive) and 2002/58/EC
(Directive on privacy and electronic communications) by
supplementing them with new non-essential elements,
they must be adopted in accordance with the regulatory
procedure with scrutiny provided for in Article 5a of Deci
sion 1999/468/EC. Given that the conduct of the regula
tory procedure with scrutiny within the normal time limits
could, in certain exceptional situations, impede the timely
adoption of implementing measures, the European Parlia
ment, the Council and the Commission should act speed
ily in order to ensure the timely adoption of those
measures.
NE02/733L
Official Journ al of the E uropean Un ion L 337/21
(74) When adopting implementing measures on security of
processing, the Commission should consult all relevant
European authorities and organisations (the European Net
work and Information Security Agency (ENISA), the Euro
pean Data Protection Supervisor and the Working Party on
the Protection of Individuals with regard to the Processing
of Personal Data established by Article 29 of Directive
95/46/EC), as well as all other relevant stakeholders, par
ticularly in order to be informed of the best available tech
nical and economic means of improving the
implementation of Directive 2002/58/EC (Directive on pri
vacy and electronic communications).
(75) Directives 2002/22/EC (Universal Service Directive)
and 2002/58/EC (Directive on privacy and electronic com
munications) should therefore be amended accordingly.
(76) In accordance with point 34 of the Interinstitutional Agree
ment on better law-making
( 1 ) OJ C 321, 31.12.2003, p. 1.
(1 ), Member States are encour
aged to draw up, for themselves and in the interests of the
Community, their own tables illustrating, as far as possible,
the correlation between Directives 2002/22/EC (Universal
Service Directive) and 2002/58/EC (Directive on privacy
and electronic communications) and the transposition
measures, and to make them public,
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Amendments to Directive 2002/22/EC (Universal Service
Directive)
Directive 2002/22/EC (Universal Service Directive) is hereby
amended as follows:
1) Article 1 shall be replaced by the following:
‘Article 1
Subject-matter and scope
- Within the framework of Directive 2002/21/EC
(Framework Directive), this Directive concerns the provision
of electronic communications networks and services to end-
users. The aim is to ensure the availability throughout the
Community of good-quality publicly available services
through effective competition and choice and to deal with
circumstances in which the needs of end-users are not satis
factorily met by the market. The Directive also includes pro
visions concerning certain aspects of terminal equipment,
including provisions intended to facilitate access for disabled
end-users. - This Directive establishes the rights of end-users and
the corresponding obligations of undertakings providing
publicly available electronic communications networks
and services. With regard to ensuring provision of universal
service within an environment of open and competitive mar
kets, this Directive defines the minimum set of services of
specified quality to which all end-users have access, at an
affordable price in the light of specific national conditions,
without distorting competition. This Directive also sets out
obligations with regard to the provision of certain mandatory
services. - This Directive neither mandates nor prohibits condi
tions, imposed by providers of publicly available electronic
communications and services, limiting end-users’ access to,
and/or use of, services and applications, where allowed under
national law and in conformity with Community law, but
lays down an obligation to provide information regarding
such conditions. National measures regarding end-users’
access to, or use of, services and applications through elec
tronic communications networks shall respect the funda
mental rights and freedoms of natural persons, including in
relation to privacy and due process, as defined in Article 6 of
the European Convention for the Protection of Human Rights
and Fundamental Freedoms. - The provisions of this Directive concerning end-users’
rights shall apply without prejudice to Community rules on
consumer protection, in particular Directives 93/13/EEC
and 97/7/EC, and national rules in conformity with Commu
nity law.’;
2) Article 2 shall be amended as follows:
(a) point (b) shall be deleted;
(b) points (c) and (d) shall be replaced by the following:
‘(c) “publicly available telephone service” means a ser
vice made available to the public for originating and
receiving, directly or indirectly, national or national
and international calls through a number or num
bers in a national or international telephone num
bering plan;
(d) “geographic number” means a number from the
national telephone numbering plan where part of
its digit structure contains geographic significance
used for routing calls to the physical location of the
network termination point (NTP);’;
(c) point (e) shall be deleted;
(d) point (f) shall be replaced by the following:
‘(f) “non-geographic number” means a number from
the national telephone numbering plan that is not a
geographic number. It includes, inter alia, mobile,
freephone and premium rate numbers.’;
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
3) Article 4 shall be replaced by the following:
‘Article 4
Provision of access at a fixed location and provision of
telephone services - Member States shall ensure that all reasonable requests
for connection at a fixed location to a public communica
tions network are met by at least one undertaking. - The connection provided shall be capable of support
ing voice, facsimile and data communications at data rates
that are sufficient to permit functional Internet access, taking
into account prevailing technologies used by the majority of
subscribers and technological feasibility. - Member States shall ensure that all reasonable requests
for the provision of a publicly available telephone service
over the network connection referred to in paragraph 1 that
allows for originating and receiving national and interna
tional calls are met by at least one undertaking.’;
4) Article 5(2) shall be replaced by the following:
‘2. The directories referred to in paragraph 1 shall com
prise, subject to the provisions of Article 12 of Directive
2002/58/EC of the European Parliament and of the Council
of 12 July 2002 concerning the processing of personal data
and the protection of privacy in the electronic communica
tions sector (Directive on privacy and electronic communi
cations) , all subscribers of publicly available telephone
services.
( * ) OJ L 201, 31.7.2002, p. 37.’;
5) the title of Article 6 and Article 6(1) shall be replaced by the
following:
‘Public pay telephones and other publics voice tele
phony access points - Member States shall ensure that national regulatory
authorities may impose obligations on undertakings in order
to ensure that public pay telephones or other public voice
telephony access points are provided to meet the reasonable
needs of end-users in terms of the geographical coverage, the
number of telephones or other access points, accessibility to
disabled end-users and the quality of services.’;
6) Article 7 shall be replaced by the following:
‘Article 7
Measures for disabled end-users - Unless requirements have been specified under Chap
ter IV which achieve the equivalent effect, Member States
shall take specific measures to ensure that access to, and
affordability of, the services identified in Article 4(3) and
Article 5 for disabled end-users is equivalent to the level
enjoyed by other end-users. Member States may oblige
national regulatory authorities to assess the general need and
the specific requirements, including the extent and concrete
form of such specific measures for disabled end-users. - Member States may take specific measures, in the light
of national conditions, to ensure that disabled end-users can
also take advantage of the choice of undertakings and service
providers available to the majority of end-users. - In taking the measures referred to in paragraphs 1
and 2, Member States shall encourage compliance with the
relevant standards or specifications published in accordance
with Articles 17 and 18 of Directive 2002/21/EC (Frame
work Directive).’;
7) in Article 8, the following paragraph shall be added:
‘3. When an undertaking designated in accordance with
paragraph 1 intends to dispose of a substantial part or all of
its local access network assets to a separate legal entity under
different ownership, it shall inform in advance the national
regulatory authority in a timely manner, in order to allow
that authority to assess the effect of the intended transaction
on the provision of access at a fixed location and of tele
phone services pursuant to Article 4. The national regulatory
authority may impose, amend or withdraw specific obliga
tions in accordance with Article 6(2) of Directive 2002/20/EC
(Authorisation Directive).’;
8) Article 9(1) and (2) shall be replaced by the following:
‘1. National regulatory authorities shall monitor the evo
lution and level of retail tariffs of the services identified in
Articles 4 to 7 as falling under the universal service obliga
tions and either provided by designated undertakings or
available on the market, if no undertakings are designated in
relation to those services, in particular in relation to national
consumer prices and income. - Member States may, in the light of national conditions,
require that designated undertakings provide to consumers
tariff options or packages which depart from those provided
under normal commercial conditions, in particular to ensure
that those on low incomes or with special social needs are
not prevented from accessing the network referred to in
Article 4(1) or from using the services identified in
Article 4(3) and Articles 5, 6 and 7 as falling under the uni
versal service obligations and provided by designated
undertakings.’;
NE22/733L
)*(
Official Journ al of the E uropean Un ion L 337/23
9) Article 11(4) shall be replaced by the following:
‘4. National regulatory authorities shall be able to set per
formance targets for undertakings with universal service obli
gations. In so doing, national regulatory authorities shall take
account of views of interested parties, in particular as referred
to in Article 33.’;
10) the title of Chapter III shall be replaced by the following:
‘REGULATORY CONTROLS ON UNDERTAKINGS WITH
SIGNIFICANT MARKET POWER IN SPECIFIC RETAIL MAR
KETS’;
11) Article 16 shall be deleted;
12) Article 17 shall be amended as follows:
(a) paragraph 1 shall be replaced by the following:
‘1. Member States shall ensure that national regula
tory authorities impose appropriate regulatory obliga
tions on undertakings identified as having significant
market power on a given retail market in accordance
with Article 14 of Directive 2002/21/EC (Framework
Directive) where:
(a) as a result of a market analysis carried out in accor
dance with Article 16 of Directive 2002/21/EC
(Framework Directive), a national regulatory
authority determines that a given retail market iden
tified in accordance with Article 15 of that Direc
tive is not effectively competitive; and
(b) the national regulatory authority concludes that
obligations imposed under Articles 9 to 13 of Direc
tive 2002/19/EC (Access Directive) would not result
in the achievement of the objectives set out in
Article 8 of Directive 2002/21/EC (Framework
Directive).’;
(b) paragraph 3 shall be deleted;
13) Articles 18 and 19 shall be deleted;
14) Articles 20 to 23 shall be replaced by the following:
‘Article 20
Contracts - Member States shall ensure that, when subscribing to
services providing connection to a public communications
network and/or publicly available electronic communications
services, consumers, and other end-users so requesting, have
a right to a contract with an undertaking or undertakings
providing such connection and/or services. The contract shall
specify in a clear, comprehensive and easily accessible form
at least:
(a) the identity and address of the undertaking;
(b) the services provided, including in particular,
— whether or not access to emergency services and
caller location information is being provided, and
any limitations on the provision of emergency ser
vices under Article 26,
— information on any other conditions limiting access
to and/or use of services and applications, where
such conditions are permitted under national law in
accordance with Community law,
— the minimum service quality levels offered, namely
the time for the initial connection and, where appro
priate, other quality of service parameters, as defined
by the national regulatory authorities,
— information on any procedures put in place by the
undertaking to measure and shape traffic so as to
avoid filling or overfilling a network link, and infor
mation on how those procedures could impact on
service quality,
— the types of maintenance service offered and cus
tomer support services provided, as well as the
means of contacting these services,
— any restrictions imposed by the provider on the use
of terminal equipment supplied;
(c) where an obligation exists under Article 25, the sub
scriber’s options as to whether or not to include his or
her personal data in a directory, and the data concerned;
(d) details of prices and tariffs, the means by which up-to-
date information on all applicable tariffs and mainte
nance charges may be obtained, payment methods
offered and any differences in costs due to payment
method;
(e) the duration of the contract and the conditions for
renewal and termination of services and of the contract,
including:
— any minimum usage or duration required to benefit
from promotional terms,
— any charges related to portability of numbers and
other identifiers,
— any charges due on termination of the contract,
including any cost recovery with respect to termi
nal equipment,
(f) any compensation and the refund arrangements which
apply if contracted service quality levels are not met;
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
(g) the means of initiating procedures for the settlement of
disputes in accordance with Article 34;
(h) the type of action that might be taken by the undertak
ing in reaction to security or integrity incidents or threats
and vulnerabilities.
Member States may also require that the contract include any
information which may be provided by the relevant public
authorities for this purpose on the use of electronic commu
nications networks and services to engage in unlawful activi
ties or to disseminate harmful content, and on the means of
protection against risks to personal security, privacy and per
sonal data, referred to in Article 21(4) and relevant to the ser
vice provided. - Member States shall ensure that subscribers have a right
to withdraw from their contract without penalty upon notice
of modification to the contractual conditions proposed by
the undertakings providing electronic communications net
works and/or services. Subscribers shall be given adequate
notice, not shorter than one month, of any such modifica
tion, and shall be informed at the same time of their right to
withdraw, without penalty, from their contract if they do not
accept the new conditions. Member States shall ensure that
national regulatory authorities are able to specify the format
of such notifications.
Article 21
Transparency and publication of information - Member States shall ensure that national regulatory
authorities are able to oblige undertakings providing public
electronic communications networks and/or publicly avail
able electronic communications services to publish transpar
ent, comparable, adequate and up-to-date information on
applicable prices and tariffs, on any charges due on termina
tion of a contract and on standard terms and conditions in
respect of access to, and use of, services provided by them to
end-users and consumers in accordance with Annex II. Such
information shall be published in a clear, comprehensive and
easily accessible form. National regulatory authorities may
specify additional requirements regarding the form in which
such information is to be published. - National regulatory authorities shall encourage the pro
vision of comparable information to enable end-users and
consumers to make an independent evaluation of the cost of
alternative usage patterns, for instance by means of interac
tive guides or similar techniques. Where such facilities are not
available on the market free of charge or at a reasonable
price, Member States shall ensure that national regulatory
authorities are able to make such guides or techniques avail
able themselves or through third party procurement. Third
parties shall have a right to use, free of charge, the informa
tion published by undertakings providing electronic commu
nications networks and/or publicly available electronic
communications services for the purposes of selling or mak
ing available such interactive guides or similar techniques. - Member States shall ensure that national regulatory
authorities are able to oblige undertakings providing public
electronic communications networks and/or publicly avail
able electronic communications services to inter alia:
(a) provide applicable tariff information to subscribers
regarding any number or service subject to particular
pricing conditions; with respect to individual categories
of services, national regulatory authorities may require
such information to be provided immediately prior to
connecting the call;
(b) inform subscribers of any change to access to emergency
services or caller location information in the service to
which they have subscribed;
(c) inform subscribers of any change to conditions limiting
access to and/or use of services and applications, where
such conditions are permitted under national law in
accordance with Community law;
(d) provide information on any procedures put in place by
the provider to measure and shape traffic so as to avoid
filling or overfilling a network link, and on how those
procedures could impact on service quality;
(e) inform subscribers of their right to determine whether or
not to include their personal data in a directory, and of
the types of data concerned, in accordance with
Article 12 of Directive 2002/58/EC (Directive on privacy
and electronic communications); and
(f) regularly inform disabled subscribers of details of prod
ucts and services designed for them.
If deemed appropriate, national regulatory authorities may
promote self- or co-regulatory measures prior to imposing
any obligation. - Member States may require that the undertakings
referred to in paragraph 3 distribute public interest informa
tion free of charge to existing and new subscribers, where
appropriate, by the same means as those ordinarily used by
them in their communications with subscribers. In such a
case, that information shall be provided by the relevant pub
lic authorities in a standardised format and shall, inter alia,
cover the following topics:
(a) the most common uses of electronic communications
services to engage in unlawful activities or to dissemi
nate harmful content, particularly where it may preju
dice respect for the rights and freedoms of others,
including infringements of copyright and related rights,
and their legal consequences; and
NE42/733L
Official Journ al of the E uropean Un ion L 337/25
(b) the means of protection against risks to personal secu
rity, privacy and personal data when using electronic
communications services.
Article 22
Quality of service - Member States shall ensure that national regulatory
authorities are, after taking account of the views of interested
parties, able to require undertakings that provide publicly
available electronic communications networks and/or ser
vices to publish comparable, adequate and up-to-date infor
mation for end-users on the quality of their services and on
measures taken to ensure equivalence in access for disabled
end-users. That information shall, on request, be supplied to
the national regulatory authority in advance of its
publication. - National regulatory authorities may specify, inter alia,
the quality of service parameters to be measured and the con
tent, form and manner of the information to be published,
including possible quality certification mechanisms, in order
to ensure that end-users, including disabled end-users, have
access to comprehensive, comparable, reliable and user-
friendly information. Where appropriate, the parameters,
definitions and measurement methods set out in Annex III
may be used. - In order to prevent the degradation of service and the
hindering or slowing down of traffic over networks, Member
States shall ensure that national regulatory authorities are
able to set minimum quality of service requirements on an
undertaking or undertakings providing public communica
tions networks.
National regulatory authorities shall provide the Commis
sion, in good time before setting any such requirements, with
a summary of the grounds for action, the envisaged require
ments and the proposed course of action. This information
shall also be made available to the Body of European Regu
lators for Electronic Communications (BEREC). The Commis
sion may, having examined such information, make
comments or recommendations thereupon, in particular to
ensure that the envisaged requirements do not adversely
affect the functioning of the internal market. National regu
latory authorities shall take the utmost account of the Com
mission’s comments or recommendations when deciding on
the requirements.
Article 23
Availability of services
Member States shall take all necessary measures to ensure the
fullest possible availability of publicly available telephone ser
vices provided over public communications networks in the
event of catastrophic network breakdown or in cases of force
majeure. Member States shall ensure that undertakings
providing publicly available telephone services take all nec
essary measures to ensure uninterrupted access to emergency
services.’;
15) the following Article shall be inserted:
‘Article 23a
Ensuring equivalence in access and choice for disabled
end-users - Member States shall enable relevant national authori
ties to specify, where appropriate, requirements to be met by
undertakings providing publicly available electronic commu
nication services to ensure that disabled end-users:
(a) have access to electronic communications services
equivalent to that enjoyed by the majority of end-users;
and
(b) benefit from the choice of undertakings and services
available to the majority of end-users. - In order to be able to adopt and implement specific
arrangements for disabled end-users, Member States shall
encourage the availability of terminal equipment offering the
necessary services and functions.’;
16) Article 25 shall be amended as follows:
(a) the title shall be replaced by the following:
‘Telephone directory enquiry services’;
(b) paragraph 1 shall be replaced by the following:
‘1. Member States shall ensure that subscribers to
publicly available telephone services have the right to
have an entry in the publicly available directory referred
to in Article 5(1)(a) and to have their information made
available to providers of directory enquiry services
and/or directories in accordance with paragraph 2.’;
(c) paragraphs 3, 4 and 5 shall be replaced by the following:
‘3. Member States shall ensure that all end-users pro
vided with a publicly available telephone service can
access directory enquiry services. National regulatory
authorities shall be able to impose obligations and con
ditions on undertakings that control access of end-users
for the provision of directory enquiry services in
accordance with the provisions of Article 5 of
Directive 2002/19/EC (Access Directive). Such obliga
tions and conditions shall be objective, equitable, non-
discriminatory and transparent.
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009 - Member States shall not maintain any regulatory
restrictions which prevent end-users in one Member
State from accessing directly the directory enquiry ser
vice in another Member State by voice call or SMS, and
shall take measures to ensure such access in accordance
with Article 28. - Paragraphs 1 to 4 shall apply subject to the require
ments of Community legislation on the protection of
personal data and privacy and, in particular, Article 12
of Directive 2002/58/EC (Directive on privacy and elec
tronic communications).’;
17) Articles 26 and 27 shall be replaced by the following:
‘Article 26
Emergency services and the single European emergency
call number - Member States shall ensure that all end-users of the ser
vice referred to in paragraph 2, including users of public pay
telephones, are able to call the emergency services free of
charge and without having to use any means of payment, by
using the single European emergency call number “112” and
any national emergency call number specified by Member
States. - Member States, in consultation with national regula
tory authorities, emergency services and providers, shall
ensure that undertakings providing end-users with an elec
tronic communications service for originating national calls
to a number or numbers in a national telephone numbering
plan provide access to emergency services. - Member States shall ensure that calls to the single Euro
pean emergency call number “112” are appropriately
answered and handled in the manner best suited to the
national organisation of emergency systems. Such calls shall
be answered and handled at least as expeditiously and effec
tively as calls to the national emergency number or numbers,
where these continue to be in use. - Member States shall ensure that access for disabled end-
users to emergency services is equivalent to that enjoyed by
other end-users. Measures taken to ensure that disabled end-
users are able to access emergency services whilst travelling
in other Member States shall be based to the greatest extent
possible on European standards or specifications published in
accordance with the provisions of Article 17 of Directive
2002/21/EC (Framework Directive), and they shall not pre
vent Member States from adopting additional requirements
in order to pursue the objectives set out in this Article. - Member States shall ensure that undertakings con
cerned make caller location information available free of
charge to the authority handling emergency calls as soon as
the call reaches that authority. This shall apply to all calls to
the single European emergency call number “112”. Member
States may extend this obligation to cover calls to national
emergency numbers. Competent regulatory authorities shall
lay down criteria for the accuracy and reliability of the caller
location information provided. - Member States shall ensure that citizens are adequately
informed about the existence and use of the single European
emergency call number “112”, in particular through initia
tives specifically targeting persons travelling between Mem
ber States. - In order to ensure effective access to “112” services in
the Member States, the Commission, having consulted
BEREC, may adopt technical implementing measures. How
ever, these technical implementing measures shall be adopted
without prejudice to, and shall have no impact on, the organi
sation of emergency services, which remains of the exclusive
competence of Member States.
Those measures, designed to amend non-essential elements
of this Directive by supplementing it, shall be adopted in
accordance with the regulatory procedure with scrutiny
referred to in Article 37(2).
Article 27
European telephone access codes - Member States shall ensure that the “00” code is the
standard international access code. Special arrangements for
making calls between locations adjacent to one another
across borders between Member States may be established or
continued. End-users in the locations concerned shall be fully
informed of such arrangements. - A legal entity, established within the Community and
designated by the Commission, shall have sole responsibility
for the management, including number assignment, and pro
motion of the European Telephony Numbering Space
(ETNS). The Commission shall adopt the necessary imple
menting rules. - Member States shall ensure that all undertakings that
provide publicly available telephone services allowing inter
national calls handle all calls to and from the ETNS at rates
similar to those applied for calls to and from other Member
States.’;
18) the following Article shall be inserted:
‘Article 27a
Harmonised numbers for harmonised services of social
value, including the missing children hotline number - Member States shall promote the specific numbers in
the numbering range beginning with “116” identified by
Commission Decision 2007/116/EC of15 February 2007
NE62/733L
Official Journ al of the E uropean Un ion L 337/27
on reserving the national numbering range beginning with
“116” for harmonised numbers for harmonised services of
social value . They shall encourage the provision within
their territory of the services for which such numbers are
reserved. - Member States shall ensure that disabled end-users are
able to access services provided under the “116” numbering
range to the greatest extent possible. Measures taken to facili
tate disabled end-users’ access to such services whilst travel
ling in other Member States shall be based on compliance
with relevant standards or specifications published in accor
dance with Article 17 of Directive 2002/21/EC (Framework
Directive). - Member States shall ensure that citizens are adequately
informed of the existence and use of services provided under
the “116” numbering range, in particular through initiatives
specifically targeting persons travelling between Member
States. - Member States shall, in addition to measures of general
applicability to all numbers in the “116” numbering range
taken pursuant to paragraphs 1, 2, and 3, make every effort
to ensure that citizens have access to a service operating a
hotline to report cases of missing children. The hotline shall
be available on the number “116000”. - In order to ensure the effective implementation of the
“116” numbering range, in particular the missing children
hotline number “116000”, in the Member States, including
access for disabled end-users when travelling in other Mem
ber States, the Commission, having consulted BEREC, may
adopt technical implementing measures. However, these
technical implementing measures shall be adopted without
prejudice to, and shall have no impact on, the organisation
of these services, which remains of the exclusive competence
of Member States.
Those measures, designed to amend non-essential elements
of this Directive by supplementing it, shall be adopted in
accordance with the regulatory procedure with scrutiny
referred to in Article 37(2).
( * ) OJ L 49, 17.2.2007, p. 30.’;
19) Article 28 shall be replaced by the following:
‘Article 28
Access to numbers and services - Member States shall ensure that, where technically and
economically feasible, and except where a called subscriber
has chosen for commercial reasons to limit access by calling
parties located in specific geographical areas, relevant
national authorities take all necessary steps to ensure that
end-users are able to:
(a) access and use services using non-geographic numbers
within the Community; and
(b) access all numbers provided in the Community, regard
less of the technology and devices used by the operator,
including those in the national numbering plans of
Member States, those from the ETNS and Universal
International Freephone Numbers (UIFN). - Member States shall ensure that the relevant authori
ties are able to require undertakings providing public com
munications networks and/or publicly available electronic
communications services to block, on a case-by-case basis,
access to numbers or services where this is justified by rea
sons of fraud or misuse and to require that in such cases pro
viders of electronic communications services withhold
relevant interconnection or other service revenues.’;
20) Article 29 shall be amended as follows:
(a) paragraph 1 shall be replaced by the following:
‘1. Without prejudice to Article 10(2), Member States
shall ensure that national regulatory authorities are able
to require all undertakings that provide publicly avail
able telephone services and/or access to public commu
nications networks to make available all or part of the
additional facilities listed in Part B of Annex I, subject to
technical feasibility and economic viability, as well as all
or part of the additional facilities listed in Part A of
Annex I.’;
(b) paragraph 3 shall be deleted;
21) Article 30 shall be replaced by the following:
‘Article 30
Facilitating change of provider - Member States shall ensure that all subscribers with
numbers from the national telephone numbering plan who
so request can retain their number(s) independently of the
undertaking providing the service in accordance with the
provisions of Part C of Annex I. - National regulatory authorities shall ensure that pric
ing between operators and/or service providers related to the
provision of number portability is cost-oriented, and that
direct charges to subscribers, if any, do not act as a disincen
tive for subscribers against changing service provider. - National regulatory authorities shall not impose retail
tariffs for the porting of numbers in a manner that would dis
tort competition, such as by setting specific or common retail
tariffs.
NE9002.21.81
)*(
Official Journ al of the E uropean Un ion 18.12.2009 - Porting of numbers and their subsequent activation
shall be carried out within the shortest possible time. In any
case, subscribers who have concluded an agreement to port
a number to a new undertaking shall have that number acti
vated within one working day.
Without prejudice to the first subparagraph, competent
national authorities may establish the global process of port
ing of numbers, taking into account national provisions on
contracts, technical feasibility and the need to maintain con
tinuity of service to the subscriber. In any event, loss of ser
vice during the process of porting shall not exceed one
working day. Competent national authorities shall also take
into account, where necessary, measures ensuring that sub
scribers are protected throughout the switching process and
are not switched to another provider against their will.
Member States shall ensure that appropriate sanctions on
undertakings are provided for, including an obligation to
compensate subscribers in case of delay in porting or abuse
of porting by them or on their behalf. - Member States shall ensure that contracts concluded
between consumers and undertakings providing electronic
communications services do not mandate an initial commit
ment period that exceeds 24 months. Member States shall
also ensure that undertakings offer users the possibility to
subscribe to a contract with a maximum duration of 12
months. - Without prejudice to any minimum contractual period,
Member States shall ensure that conditions and procedures
for contract termination do not act as a disincentive against
changing service provider.’;
22) Article 31(1) shall be replaced by the following:
‘1. Member States may impose reasonable “must carry”
obligations, for the transmission of specified radio and tele
vision broadcast channels and complementary services, par
ticularly accessibility services to enable appropriate access for
disabled end-users, on undertakings under their jurisdiction
providing electronic communications networks used for the
distribution of radio or television broadcast channels to the
public where a significant number of end-users of such net
works use them as their principal means to receive radio and
television broadcast channels. Such obligations shall only be
imposed where they are necessary to meet general interest
objectives as clearly defined by each Member State and shall
be proportionate and transparent.
The obligations referred to in the first subparagraph shall be
reviewed by the Member States at the latest within one year
of 25 May 2011, except where Member States have carried
out such a review within the previous two years.
Member States shall review “must carry” obligations on a
regular basis.’;
23) Article 33 shall be amended as follows:
(a) paragraph 1 shall be replaced by the following:
‘1. Member States shall ensure as far as appropriate
that national regulatory authorities take account of the
views of end-users, consumers (including, in particular,
disabled consumers), manufacturers and undertakings
that provide electronic communications networks
and/or services on issues related to all end-user and con
sumer rights concerning publicly available electronic
communications services, in particular where they have
a significant impact on the market.
In particular, Member States shall ensure that national
regulatory authorities establish a consultation mecha
nism ensuring that in their decisions on issues related to
end-user and consumer rights concerning publicly avail
able electronic communications services, due consider
ation is given to consumer interests in electronic
communications.’;
(b) the following paragraph shall be added:
‘3. Without prejudice to national rules in conformity
with Community law promoting cultural and media
policy objectives, such as cultural and linguistic diversity
and media pluralism, national regulatory authorities and
other relevant authorities may promote cooperation
between undertakings providing electronic communica
tions networks and/or services and sectors interested in
the promotion of lawful content in electronic commu
nication networks and services. That cooperation may
also include coordination of the public interest informa
tion to be provided pursuant to Article 21(4) and the
second subparagraph of Article 20(1).’;
24) Article 34(1) shall be replaced by the following:
‘1. Member States shall ensure that transparent, non-
discriminatory, simple and inexpensive out-of-court proce
dures are available for dealing with unresolved disputes
between consumers and undertakings providing electronic
communications networks and/or services arising under this
Directive and relating to the contractual conditions and/or
performance of contracts concerning the supply of those net
works and/or services. Member States shall adopt measures
to ensure that such procedures enable disputes to be settled
fairly and promptly and may, where warranted, adopt a sys
tem of reimbursement and/or compensation. Such proce
dures shall enable disputes to be settled impartially and shall
not deprive the consumer of the legal protection afforded by
national law. Member States may extend these obligations to
cover disputes involving other end-users.’;
NE82/733L
Official Journ al of the E uropean Un ion L 337/29
25) Article 35 shall be replaced by the following:
‘Article 35
Adaptation of annexes
Measures designed to amend non-essential elements of this
Directive and necessary to adapt Annexes I, II, III, and VI to
technological developments or changes in market demand
shall be adopted by the Commission in accordance with the
regulatory procedure with scrutiny referred to in
Article 37(2).’;
26) Article 36(2) shall be replaced by the following:
‘2. National regulatory authorities shall notify to the Com
mission the universal service obligations imposed upon
undertakings designated as having universal service obliga
tions. Any changes affecting these obligations or of the
undertakings affected under the provisions of this Directive
shall be notified to the Commission without delay.’;
27) Article 37 shall be replaced by the following:
‘Article 37
Committee procedure - The Commission shall be assisted by the Communica
tions Committee set up under Article 22 of Directive
2002/21/EC (Framework Directive). - Where reference is made to this paragraph, Article 5a(1)
to (4) and Article 7 of Decision 1999/468/EC shall apply,
having regard to the provisions of Article 8 thereof.’;
28) Annexes I, II, III shall be replaced by the text appearing in
Annex I to this Directive, and Annex VI shall be replaced by
the text appearing in Annex II to this Directive;
29) Annex VII shall be deleted.
Article 2
Amendments to Directive 2002/58/EC (Directive on
privacy and electronic communications)
Directive 2002/58/EC (Directive on privacy and electronic com
munications) is hereby amended as follows:
1) Article 1(1) shall be replaced by the following:
‘1. This Directive provides for the harmonisation of the
national provisions required to ensure an equivalent level of
protection of fundamental rights and freedoms, and in par
ticular the right to privacy and confidentiality, with respect to
the processing of personal data in the electronic communi
cation sector and to ensure the free movement of such data
and of electronic communication equipment and services in
the Community.’;
2) Article 2 shall be amended as follows:
(a) point (c) shall be replaced by the following:
‘(c) “location data” means any data processed in an elec
tronic communications network or by an electronic
communications service, indicating the geographic
position of the terminal equipment of a user of a
publicly available electronic communications
service;’;
(b) point (e) shall be deleted;
(c) the following point shall be added:
‘(h) “personal data breach” means a breach of security
leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access
to, personal data transmitted, stored or otherwise
processed in connection with the provision of a
publicly available electronic communications ser
vice in the Community.’;
3) Article 3 shall be replaced by the following:
‘Article 3
Services concerned
This Directive shall apply to the processing of personal data
in connection with the provision of publicly available elec
tronic communications services in public communications
networks in the Community, including public communica
tions networks supporting data collection and identification
devices.’;
4) Article 4 shall be amended as follows:
(a) the title shall be replaced by the following:
‘Security of processing’;
(b) the following paragraph shall be inserted:
‘1a. Without prejudice to Directive 95/46/EC, the
measures referred to in paragraph 1 shall at least:
— ensure that personal data can be accessed only by
authorised personnel for legally authorised
purposes,
— protect personal data stored or transmitted against
accidental or unlawful destruction, accidental loss
or alteration, and unauthorised or unlawful storage,
processing, access or disclosure, and,
NE9002.21.81
Official Journ al of the E uropean Un ion 18.12.2009
— ensure the implementation of a security policy with
respect to the processing of personal data,
Relevant national authorities shall be able to audit the
measures taken by providers of publicly available elec
tronic communication services and to issue recommen
dations about best practices concerning the level of
security which those measures should achieve.’;
(c) the following paragraphs shall be added:
‘3. In the case of a personal data breach, the provider
of publicly available electronic communications services
shall, without undue delay, notify the personal data
breach to the competent national authority.
When the personal data breach is likely to adversely
affect the personal data or privacy of a subscriber or
individual, the provider shall also notify the subscriber
or individual of the breach without undue delay.
Notification of a personal data breach to a subscriber or
individual concerned shall not be required if the provider
has demonstrated to the satisfaction of the competent
authority that it has implemented appropriate techno
logical protection measures, and that those measures
were applied to the data concerned by the security
breach. Such technological protection measures shall
render the data unintelligible to any person who is not
authorised to access it.
Without prejudice to the provider’s obligation to notify
subscribers and individuals concerned, if the provider
has not already notified the subscriber or individual of
the personal data breach, the competent national author
ity, having considered the likely adverse effects of the
breach, may require it to do so.
The notification to the subscriber or individual shall at
least describe the nature of the personal data breach and
the contact points where more information can be
obtained, and shall recommend measures to mitigate the
possible adverse effects of the personal data breach. The
notification to the competent national authority shall, in
addition, describe the consequences of, and the measures
proposed or taken by the provider to address, the per
sonal data breach. - Subject to any technical implementing measures
adopted under paragraph 5, the competent national
authorities may adopt guidelines and, where necessary,
issue instructions concerning the circumstances in which
providers are required to notify personal data breaches,
the format of such notification and the manner in which
the notification is to be made. They shall also be able to
audit whether providers have complied with their noti
fication obligations under this paragraph, and shall
impose appropriate sanctions in the event of a failure to
do so.
Providers shall maintain an inventory of personal data
breaches comprising the facts surrounding the breach,
its effects and the remedial action taken which shall be
sufficient to enable the competent national authorities to
verify compliance with the provisions of paragraph 3.
The inventory shall only include the information neces
sary for this purpose. - In order to ensure consistency in implementation
of the measures referred to in paragraphs 2, 3 and 4, the
Commission may, following consultation with the Euro
pean Network and Information Security Agency
(ENISA), the Working Party on the Protection of Indi
viduals with regard to the Processing of Personal Data
established by Article 29 of Directive 95/46/EC and the
European Data Protection Supervisor, adopt technical
implementing measures concerning the circumstances,
format and procedures applicable to the information
and notification requirements referred to in this Article.
When adopting such measures, the Commission shall
involve all relevant stakeholders particularly in order to
be informed of the best available technical and economic
means of implementation of this Article.
Those measures, designed to amend non-essential ele
ments of this Directive by supplementing it, shall be
adopted in accordance with the regulatory procedure
with scrutiny referred to in Article 14a(2).’;
5) Article 5(3) shall be replaced by the following:
‘3. Member States shall ensure that the storing of infor
mation, or the gaining of access to information already
stored, in the terminal equipment of a subscriber or user is
only allowed on condition that the subscriber or user con
cerned has given his or her consent, having been provided
with clear and comprehensive information, in accordance
with Directive 95/46/EC, inter alia, about the purposes of the
processing. This shall not prevent any technical storage or
access for the sole purpose of carrying out the transmission
of a communication over an electronic communications net
work, or as strictly necessary in order for the provider of an
information society service explicitly requested by the sub
scriber or user to provide the service.’;
6) Article 6(3) shall be replaced by the following:
‘3. For the purpose of marketing electronic communica
tions services or for the provision of value added services, the
provider of a publicly available electronic communications
service may process the data referred to in paragraph 1 to the
extent and for the duration necessary for such services or
NE03/733L
Official Journ al of the E uropean Un ion L 337/31
marketing, if the subscriber or user to whom the data relate
has given his or her prior consent. Users or subscribers shall
be given the possibility to withdraw their consent for the pro
cessing of traffic data at any time.’;
7) Article 13 shall be replaced by the following:
‘Article 13
Unsolicited communications - The use of automated calling and communication sys
tems without human intervention (automatic calling
machines), facsimile machines (fax) or electronic mail for the
purposes of direct marketing may be allowed only in respect
of subscribers or users who have given their prior consent. - Notwithstanding paragraph 1, where a natural or legal
person obtains from its customers their electronic contact
details for electronic mail, in the context of the sale of a prod
uct or a service, in accordance with Directive 95/46/EC, the
same natural or legal person may use these electronic con
tact details for direct marketing of its own similar products
or services provided that customers clearly and distinctly are
given the opportunity to object, free of charge and in an easy
manner, to such use of electronic contact details at the time
of their collection and on the occasion of each message in
case the customer has not initially refused such use. - Member States shall take appropriate measures to
ensure that unsolicited communications for the purposes of
direct marketing, in cases other than those referred to in
paragraphs 1 and 2, are not allowed either without the con
sent of the subscribers or users concerned or in respect of
subscribers or users who do not wish to receive these com
munications, the choice between these options to be deter
mined by national legislation, taking into account that both
options must be free of charge for the subscriber or user. - In any event, the practice of sending electronic mail for
the purposes of direct marketing which disguise or conceal
the identity of the sender on whose behalf the communica
tion is made, which contravene Article 6 of Directive
2000/31/EC, which do not have a valid address to which the
recipient may send a request that such communications cease
or which encourage recipients to visit websites that contra
vene that Article shall be prohibited. - Paragraphs 1 and 3 shall apply to subscribers who are
natural persons. Member States shall also ensure, in the
framework of Community law and applicable national legis
lation, that the legitimate interests of subscribers other than
natural persons with regard to unsolicited communications
are sufficiently protected. - Without prejudice to any administrative remedy for
which provision may be made, inter alia, under
Article 15a(2), Member States shall ensure that any natural or
legal person adversely affected by infringements of national
provisions adopted pursuant to this Article and therefore
having a legitimate interest in the cessation or prohibition of
such infringements, including an electronic communications
service provider protecting its legitimate business interests,
may bring legal proceedings in respect of such infringements.
Member States may also lay down specific rules on penalties
applicable to providers of electronic communications ser
vices which by their negligence contribute to infringements
of national provisions adopted pursuant to this Article.’;
8) the following Article shall be inserted:
‘Article 14a
Committee procedure - The Commission shall be assisted by the Communica
tions Committee established by Article 22 of Directive
2002/21/EC (Framework Directive). - Where reference is made to this paragraph, Article 5a(1)
to (4) and Article 7 of Decision 1999/468/EC shall apply,
having regard to the provisions of Article 8 thereof. - Where reference is made to this paragraph,
Article 5a(1), (2), (4) and (6) and Article 7 of Decision
1999/468/EC shall apply, having regard to the provisions of
Article 8 thereof.’;
9) in Article 15, the following paragraph shall be inserted:
‘1b. Providers shall establish internal procedures for
responding to requests for access to users’ personal data
based on national provisions adopted pursuant to para
graph 1. They shall provide the competent national author
ity, on demand, with information about those procedures,
the number of requests received, the legal justification
invoked and their response.’;
10) the following Article shall be inserted:
‘Article 15a
Implementation and enforcement - Member States shall lay down the rules on penalties,
including criminal sanctions where appropriate, applicable to
infringements of the national provisions adopted pursuant to
this Directive and shall take all measures necessary to ensure
that they are implemented. The penalties provided for must
be effective, proportionate and dissuasive and may be applied
to cover the period of any breach, even where the breach has
subsequently been rectified. The Member States shall notify
those provisions to the Commission by 25 May 2011, and
shall notify it without delay of any subsequent amendment
affecting them.
NE9002.21.81
L 337/32 EN Official Journ al of the E uropean Un ion 18.12.2009 - Without prejudice to any judicial remedy which might
be available, Member States shall ensure that the competent
national authority and, where relevant, other national bodies
have the power to order the cessation of the infringements
referred to in paragraph 1. - Member States shall ensure that the competent national
authority and, where relevant, other national bodies have the
necessary investigative powers and resources, including the
power to obtain any relevant information they might need to
monitor and enforce national provisions adopted pursuant to
this Directive. - The relevant national regulatory authorities may adopt
measures to ensure effective cross-border cooperation in the
enforcement of the national laws adopted pursuant to this
Directive and to create harmonised conditions for the provi
sion of services involving cross-border data flows.
The national regulatory authorities shall provide the Com
mission, in good time before adopting any such measures,
with a summary of the grounds for action, the envisaged
measures and the proposed course of action. The Commis
sion may, having examined such information and consulted
ENISA and the Working Party on the Protection of Individu
als with regard to the Processing of Personal Data established
by Article 29 of Directive 95/46/EC, make comments or rec
ommendations thereupon, in particular to ensure that the
envisaged measures do not adversely affect the functioning of
the internal market. National regulatory authorities shall take
the utmost account of the Commission’s comments or rec
ommendations when deciding on the measures.’.
Article 3
Amendment to Regulation (EC) No 2006/2004
In the Annex to Regulation (EC) No 2006/2004 (the Regulation
on consumer protection cooperation), the following point shall
be added:
‘17. Directive 2002/58/EC of the European Parliament and of the
Council of 12 July 2002 concerning the processing of per
sonal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic
communications): Article 13 (OJ L 201, 31.7.2002, p. 37).’.
Article 4
Transposition - Member States shall adopt and publish by 25 May 2011 the
laws, regulations and administrative provisions necessary to com
ply with this Directive. They shall forthwith communicate to the
Commission the text of those measures.
When Member States adopt those measures, they shall contain a
reference to this Directive or be accompanied by such a reference
on the occasion of their official publication. The methods of mak
ing such reference shall be laid down by the Member States. - Member States shall communicate to the Commission the
text of the main provisions of national law which they adopt in
the field covered by this Directive.
Article 5
Entry into force
This Directive shall enter into force on the day following its pub
lication in the Official Journal of the European Union.
Article 6
Addressees
This Directive is addressed to the Member States.
Done at Strasbourg, 25 November 2009.
For the European Parliament
The President
J. BUZEK
For the Council
The President
Å. TORSTENSSON
Official Journ al of the E uropean Un ion L 337/33
ANNEX I
‘ANNEX I
DESCRIPTION OF FACILITIES AND SERVICES REFERRED TO IN ARTICLE 10 (CONTROL OF
EXPENDITURE), ARTICLE 29 (ADDITIONAL FACILITIES) AND ARTICLE 30 (FACILITATING CHANGE
OF PROVIDER)
Part A: Facilities and services referred to in Article 10
(a) Itemised billing
Member States are to ensure that national regulatory authorities, subject to the requirements of relevant legislation on
the protection of personal data and privacy, may lay down the basic level of itemised bills which are to be provided by
undertakings to subscribers free of charge in order that they can:
(i) allow verification and control of the charges incurred in using the public communications network at a fixed loca
tion and/or related publicly available telephone services; and
(ii) adequately monitor their usage and expenditure and thereby exercise a reasonable degree of control over their bills.
Where appropriate, additional levels of detail may be offered to subscribers at reasonable tariffs or at no charge.
Calls which are free of charge to the calling subscriber, including calls to helplines, are not to be identified in the calling
subscriber’s itemised bill.
(b) Selective barring for outgoing calls or premium SMS or MMS, or, where technically feasible, other kinds of similar applications,
free of charge
i.e. the facility whereby the subscriber can, on request to the designated undertaking that provides telephone services,
bar outgoing calls or premium SMS or MMS or other kinds of similar applications of defined types or to defined types
of numbers free of charge.
(c) Pre-payment systems
Member States are to ensure that national regulatory authorities may require designated undertakings to provide means
for consumers to pay for access to the public communications network and use of publicly available telephone services
on pre-paid terms.
(d) Phased payment of connection fees
Member States are to ensure that national regulatory authorities may require designated undertakings to allow con
sumers to pay for connection to the public communications network on the basis of payments phased over time.
(e) Non-payment of bills
Member States are to authorise specified measures, which are to be proportionate, non-discriminatory and published,
to cover non-payment of telephone bills issued by undertakings. These measures are to ensure that due warning of any
consequent service interruption or disconnection is given to the subscriber beforehand. Except in cases of fraud, per
sistent late payment or non-payment, these measures are to ensure, as far as is technically feasible that any service inter
ruption is confined to the service concerned. Disconnection for non-payment of bills should take place only after due
warning is given to the subscriber. Member States may allow a period of limited service prior to complete disconnec
tion, during which only calls that do not incur a charge to the subscriber (e.g. ‘112’ calls) are permitted.
NE9002.21.81
(f) Tariff advice
i.e. the facility whereby subscribers may request the undertaking to provide information regarding alternative lower-
cost tariffs, if available.
(g) Cost control
i.e. the facility whereby undertakings offer other means, if determined to be appropriate by national regulatory authori
ties, to control the costs of publicly available telephone services, including free-of-charge alerts to consumers in case of
abnormal or excessive consumption patterns.
Part Facilities referred to in Article 29
(a) Tone dialling or DTMF (dual-tone multi-frequency operation)
i.e. the public communications network and/or publicly available telephone services supports the use of DTMF tones as
defined in ETSI ETR 207 for end-to-end signalling throughout the network both within a Member State and between
Member States.
(b) Calling-line identification
i.e. the calling party’s number is presented to the called party prior to the call being established.
This facility should be provided in accordance with relevant legislation on protection of personal data and privacy, in
particular Directive 2002/58/EC (Directive on privacy and electronic communications).
To the extent technically feasible, operators should provide data and signals to facilitate the offering of calling-line iden
tity and tone dialling across Member State boundaries.
Part Implementation of the number portability provisions referred to in Article 30
The requirement that all subscribers with numbers from the national numbering plan, who so request can retain their num
ber(s) independently of the undertaking providing the service shall apply:
(a) in the case of geographic numbers, at a specific location; and
(b) in the case of non-geographic numbers, at any location.
This Part does not apply to the porting of numbers between networks providing services at a fixed location and mobile
networks.
ANNEX II
INFORMATION TO BE PUBLISHED IN ACCORDANCE WITH ARTICLE 21
(TRANSPARENCY AND PUBLICATION OF INFORMATION)
The national regulatory authority has a responsibility to ensure that the information in this Annex is published, in accor
dance with Article 21. It is for the national regulatory authority to decide which information is to be published by the under
takings providing public communications networks and/or publicly available telephone services and which information is
to be published by the national regulatory authority itself, so as to ensure that consumers are able to make informed choices. - Name(s) and address(es) of undertaking(s)
i.e. names and head office addresses of undertakings providing public communications networks and/or publicly avail
able telephone services. - Description of services offered
2.1. Scope of services offered
9002.21.81noinUnaeporuEehtfolanruoJlaiciffONE43/733L
:C
:B
18.12.2009 EN Official Journ al of the E uropean Un ion L 337/35
2.2. Standard tariffs indicating the services provided and the content of each tariff element (e.g. charges for access, all types
of usage charges, maintenance charges), and including details of standard discounts applied and special and targeted
tariff schemes and any additional charges, as well as costs with respect to terminal equipment.
2.3. Compensation/refund policy, including specific details of any compensation/refund schemes offered.
2.4. Types of maintenance service offered.
2.5. Standard contract conditions, including any minimum contractual period, termination of the contract and procedures
and direct charges related to the portability of numbers and other identifiers, if relevant. - Dispute settlement mechanisms, including those developed by the undertaking.
- Information about rights as regards universal service, including, where appropriate, the facilities and services men
tioned in Annex I.
ANNEX III
QUALITY OF SERVICE PARAMETERS
Quality-of-Service Parameters, Definitions and Measurement Methods referred to in Articles 11 and 22
For undertakings providing access to a public communications network
PARAMETER
(Note 1) DEFINITION MEASUREMENT METHOD
Supply time for initial connection ETSI EG 202 057 ETSI EG 202 057
Fault rate per access line ETSI EG 202 057 ETSI EG 202 057
Fault repair time ETSI EG 202 057 ETSI EG 202 057
For undertakings providing a publicly available telephone service
Call set up time
(Note 2)
ETSI EG 202 057 ETSI EG 202 057
Response times for directory enquiry
services
ETSI EG 202 057 ETSI EG 202 057
Proportion of coin and card operated
public pay-telephones in working
order
ETSI EG 202 057 ETSI EG 202 057
Bill correctness complaints ETSI EG 202 057 ETSI EG 202 057
Unsuccessful call ratio
(Note 2)
ETSI EG 202 057 ETSI EG 202 057
Version number of ETSI EG 202 057-1 is 1.3.1 (July 2008)
Note 1
Parameters should allow for performance to be analysed at a regional level (i.e. no less than level 2 in the Nomenclature of
Territorial Units for Statistics (NUTS) established by Eurostat).
Note 2
Member States may decide not to require up-to-date information concerning the performance for these two parameters to
be kept if evidence is available to show that performance in these two areas is satisfactory.’
L 337/36 EN Official Journ al of the E uropean Un ion 18.12.2009
ANNEX II
‘ANNEX VI
INTEROPERABILITY OF DIGITAL CONSUMER EQUIPMENT REFERRED TO IN ARTICLE 24 - Common scrambling algorithm and free-to-air reception
All consumer equipment intended for the reception of conventional digital television signals (i.e. broadcasting via ter
restrial, cable or satellite transmission which is primarily intended for fixed reception, such as DVB-T, DVB-C or DVB-S),
for sale or rent or otherwise made available in the Community, capable of descrambling digital television signals, is to
possess the capability to:
— allow the descrambling of such signals according to a common European scrambling algorithm as administered by
a recognised European standards organisation, currently ETSI,
— display signals that have been transmitted in the clear provided that, in the event that such equipment is rented, the
renter is in compliance with the relevant rental agreement. - Interoperability for analogue and digital television sets
Any analogue television set with an integral screen of visible diagonal greater than 42 cm which is put on the market for
sale or rent in the Community is to be fitted with at least one open interface socket, as standardised by a recognised
European standards organisation, e.g. as given in the Cenelec EN 50 049-1:1997 standard, permitting simple connec
tion of peripherals, especially additional decoders and digital receivers.
Any digital television set with an integral screen of visible diagonal greater than 30 cm which is put on the market for
sale or rent in the Community is to be fitted with at least one open interface socket (either standardised by, or conform
ing to a standard adopted by, a recognised European standards organisation, or conforming to an industry-wide speci
fication) e.g. the DVB common interface connector, permitting simple connection of peripherals, and able to pass all the
elements of a digital television signal, including information relating to interactive and conditionally accessed services.’
Embedded content from other websites
Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Who we share your data with
Suggested text: If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where your data is sent
Suggested text: Visitor comments may be checked through an automated spam detection service.
