Law Enforcement Directive (LED)

In force · Law Enforcement Directive · Adopted: 27 April 2016 · Applies from: 6 May 2018

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

Directive (EU) 2016/680 lays down rules on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security. It harmonises key data-protection principles, data subject rights and oversight in the law-enforcement sector across the EU, while facilitating lawful information exchange between authorities. It also sets conditions for transfers of personal data to third countries and international organisations for law-enforcement purposes.

Who is affected?

It applies primarily to Member States’ competent authorities (e.g., police, prosecutors and other bodies with law-enforcement tasks) when processing personal data for law-enforcement purposes. It protects individuals whose personal data are processed by those authorities and involves supervisory authorities and courts in oversight and remedies.

Scope

Processing of personal data by competent authorities for law-enforcement purposes (criminal offences and public security threats), including domestic processing and cross-border exchanges, and transfers to third countries/international organisations.

Key Points

  • Sets law-enforcement-specific data protection principles (lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality and accountability).
  • Requires appropriate technical and organisational measures, including security of processing and logging/recording in certain systems.
  • Provides data subject rights (information, access, rectification, erasure/restriction) with possible restrictions where necessary and proportionate for law-enforcement objectives.
  • Imposes obligations on controllers/processors, including data protection by design and by default, documentation, and (where applicable) data protection impact assessments and designation of a data protection officer.
  • Establishes independent supervision by national data protection authorities and effective judicial remedies and compensation.
  • Regulates transfers to third countries and international organisations, including conditions and safeguards for onward transfers.

Key Deadlines

  • — Deadline for Member States to transpose Directive (EU) 2016/680 into national law

Frequently Asked Questions

Who must comply with the Law Enforcement Directive (LED)?

The LED applies to competent authorities in EU Member States, such as police, prosecutors, and other bodies with law-enforcement responsibilities, when they process personal data for law-enforcement purposes.

What types of data processing fall under the scope of the LED?

The LED covers the processing of personal data by competent authorities for preventing, investigating, detecting, or prosecuting criminal offences, executing criminal penalties, and safeguarding against threats to public security.

What are the key data protection principles established by the LED?

The LED sets out principles including lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability, specifically tailored for law enforcement activities.

What rights do individuals have under the LED?

Individuals have rights to information, access, rectification, and erasure or restriction of their personal data, though these rights may be restricted where necessary and proportionate for law-enforcement objectives.

What are the main obligations for controllers and processors under the LED?

Controllers and processors must implement appropriate technical and organisational measures, ensure security of processing, maintain documentation, apply data protection by design and by default, and, where applicable, appoint a data protection officer and conduct data protection impact assessments.

How does the LED regulate transfers of personal data to third countries or international organisations?

Transfers are permitted only under specific conditions and safeguards, ensuring adequate protection of personal data, and onward transfers are also subject to strict requirements.

What are the penalties for non-compliance with the LED?

Penalties for non-compliance are determined by national law but may include administrative sanctions, judicial remedies, and compensation for individuals whose rights are infringed.

How does the LED interact with the General Data Protection Regulation (GDPR)?

The LED is separate from the GDPR and applies specifically to law enforcement data processing, whereas the GDPR covers general personal data processing in the private and public sectors outside law enforcement.

What steps should competent authorities take to comply with the LED?

Authorities should review and update data protection policies, implement technical and organisational safeguards, ensure staff are trained, maintain records of processing, and cooperate with supervisory authorities.

Who oversees compliance with the LED at the national level?

National data protection authorities are responsible for supervising compliance with the LED, providing guidance, handling complaints, and enforcing the directive.

Key Terms

Competent Authority
A public body or entity with official responsibility for law enforcement tasks, such as police, prosecutors, or customs authorities.
Data Subject
An individual whose personal data is processed by competent authorities for law-enforcement purposes.
Controller
The entity (usually a competent authority) that determines the purposes and means of processing personal data under the LED.
Processor
A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Data Protection by Design and by Default
An obligation to integrate data protection measures into processing activities and systems from the outset and ensure only necessary data are processed.
Data Protection Impact Assessment (DPIA)
A process to assess and mitigate risks to data subjects’ rights and freedoms when processing operations are likely to result in high risks.
Supervisory Authority
An independent public authority established by a Member State to oversee the application of the LED and protect individuals’ data protection rights.
Third Country
A country outside the European Union to which personal data may be transferred under specific conditions and safeguards.
Onward Transfer
The subsequent transfer of personal data from a third country or international organisation to another third country or organisation.
Restriction of Rights
A limitation on data subject rights (such as access or erasure) permitted under the LED when necessary and proportionate for law-enforcement objectives.