The General Data Protection Regulation (GDPR) provides extra protection for certain categories of personal data, called “special category data”, under Article 9 of the GDPR. Special category data refers to data which reveals:

Under the Law Enforcement Directive (LED), a competent authority may be a public or private body with powers to prevent, investigate, detect or prosecute (PDIP) criminal matters.

Images of individuals constitute “personal data” under the General Data Protection Regulation (GDPR). The capturing of a person's image and its subsequent use constitutes processing of personal data within the meaning of the GDPR. As with any processing of personal data, the recording of identifiable images of persons must have a legal basis under the data protection legislative frameworks. Individuals have a right to have their personal data processed in a manner that complies with data protection law. 

If you carry out processing activities with personal data partly or wholly by automated means, or if you otherwise deal with personal data which form (or are intended to form) part of a filing system, and you carry out these processing activities in the context of an establishment of your business within the European Economic Area (EEA), you, as data controller, are subject to the General Data Protection Regulation (GDPR) regardless of whether the processing takes place in the EEA or not.

Direct marketing involves a person being targeted by an organisation (marketer) attempting to promote a product or service, or attempting to get the person to request additional information about a product or service. Types of direct marketing may include emails, texts, fax messages, telephone calls or mail. 

In the examination of any data protection complaint we cannot assume that either party is right. We must examine all the facts of the case before reaching a conclusion. Accordingly, until the matter is concluded, any incidents of infringements are alleged infringements. Once the matter is concluded the outcome will state whether, based on our findings of fact, that the incident occurred or not. 

“Personal data” under Article 4(1) of the General Data Protection Regulation (GDPR) is defined as:

Providing personal details to a debt collection agency (data processor) to pursue a debt on behalf of a business or organisation (data controller) does not generally give rise to any data protection concerns. This is covered under the lawful basis of Article 6 (1) (b) of the GDPR “…processing is necessary for the performance of a contract to which the data subject is party”. 

A subject access request (SAR) is a request made to a data controller by an individual for a copy of their personal data (as opposed to original documents) which that data controller holds on that individual. Under Article 15 of the General Data Protection Regulation (GDPR) you have a right to obtain a copy of any information relating to you which is kept on computer or in a structured manual filing system or intended for such a system, by any entity or organisation. Making a subject access request allows an individual see what information an entity or company holds on them.