The Law Enforcement Directive (LED) differs from the General Data Protection Regulation (GDPR) in that the LED is a directive that was transposed into Irish law by way of the Data Protection Act 2018 under Part 5; note also that Part 6 of the Data Protection Act 2018 provides for enforcement of both the LED and the GDPR.

“Processing” under Article 4 (2) of the GDPR means doing something with an individual’s personal data, such as collecting, recording, disclosing, altering, consulting with or simply storing the personal data. A data controller who processes personal data must only process the required data for the specific purpose of fulfilling the objectives for which the data was initially gathered and processed.

The General Data Protection Regulation (GDPR) provides extra protection for certain categories of personal data, called “special category data”, under Article 9 of the GDPR. Special category data refers to data which reveals:

Under the Law Enforcement Directive (LED), a competent authority may be a public or private body with powers to prevent, investigate, detect or prosecute (PDIP) criminal matters.

Images of individuals constitute “personal data” under the General Data Protection Regulation (GDPR). The capturing of a person's image and its subsequent use constitutes processing of personal data within the meaning of the GDPR. As with any processing of personal data, the recording of identifiable images of persons must have a legal basis under the data protection legislative frameworks. Individuals have a right to have their personal data processed in a manner that complies with data protection law. 

If you carry out processing activities with personal data partly or wholly by automated means, or if you otherwise deal with personal data which form (or are intended to form) part of a filing system, and you carry out these processing activities in the context of an establishment of your business within the European Economic Area (EEA), you, as data controller, are subject to the General Data Protection Regulation (GDPR) regardless of whether the processing takes place in the EEA or not.

Direct marketing involves a person being targeted by an organisation (marketer) attempting to promote a product or service, or attempting to get the person to request additional information about a product or service. Types of direct marketing may include emails, texts, fax messages, telephone calls or mail. 

In the examination of any data protection complaint we cannot assume that either party is right. We must examine all the facts of the case before reaching a conclusion. Accordingly, until the matter is concluded, any incidents of infringements are alleged infringements. Once the matter is concluded the outcome will state whether, based on our findings of fact, that the incident occurred or not. 

“Personal data” under Article 4(1) of the General Data Protection Regulation (GDPR) is defined as:

Providing personal details to a debt collection agency (data processor) to pursue a debt on behalf of a business or organisation (data controller) does not generally give rise to any data protection concerns. This is covered under the lawful basis of Article 6 (1) (b) of the GDPR “…processing is necessary for the performance of a contract to which the data subject is party”.