Financial institutions are legally obliged under Anti-Money Laundering (AML) legislation to carry out Politically Exposed Persons (PEP) screening where there is a 'reasonable risk' of money laundering and terrorist financing.

The Article 5(1) (e) General Data Protection Regulation (GDPR) principle of “storage limitation” requires that personal data… is kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.  If the purpose for which the information was obtained has ceased and the personal data is no longer required, the data must be deleted or disposed of securely.

As part of their claims processing procedures, health insurance companies may request medical information directly from a patient’s medical practitioner or service provider (hospital) so that medical costs and services can be paid. This is normally done with the consent of the patient who completes the relevant claim form with their Insurer.

When a person is seeking a quotation for an insurance policy, it is part of the contractual process whereby the initial stages are known as “an invitation to treat”. This means that the customer provides relevant information to the insurance company for assessment; based on the information supplied, the insurance company then makes an offer of insurance with the relevant cost of same to the consumer, who in turn either accepts or rejects such offer.

Where images are captured by Street View cameras, there is typically a time delay before images are published on the internet; therefore the image available through Street View is not a 'real time' image. This delay allows for Google to deploy blurring technology to faces and car registration plates.  It is important to note that street views of property or family pets do not constitute personal data and are therefore not subject to data protection law (and consequently not subject to requests for erasure under Article 17 of the GDPR).

There is nothing in the General Data Protection Regulation (GDPR) that prohibits people from taking photos in a public place. Provided you are not harassing anyone, taking photographs of people in public is generally allowed and most likely will qualify for the household exemption under Article 2(2)(c) of the GDPR.

The General Data Protection Regulation (GDPR) requires that appropriate security measures be put in place which take account of the harm that would result from accidental or unlawful processing, including destruction, loss, alteration, unauthorised disclosure of or access to the information. The security measures should ensure ongoing confidentiality, integrity, availability and resilience of the processing systems. This should take account of best practice in available technology and processes and the cost of installation.

If you wish to contact the Data Protection Commission (DPC) in relation to your data protection rights, you can do so by submitting a webform, by sending an email, by post or by telephone.

A data protection notice (also known as “privacy policy”) is an accountability tool that helps a data controller demonstrate that it is compliant with data protection law, in particular in respect of its obligations under the transparency principle (Articles 12 to 14 of the General Data Protection Regulation (GDPR)), and to fulfil the right of data subjects to receive certain information in relation to a data controller’s processing operations.

The Data Protection Commission (DPC) is the national independent authority in Ireland responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected. Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of the General Data Protection Regulation (GDPR), and it also has functions and powers related to other regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive (LED).