Commentary to Recital 14 of GDPR on which personal data concerning legal persons is exempted from GDPR protection


When it enters into force on 25 May 2018, the GDPR will provide a broad spectrum of protections to individuals whose personal data is collected and processed by businesses in the EU and abroad. 

On its face, the GDPR is limited in its scope to personal data of natural persons (Art. 1(1)). Recital 14 reiterates this:

The protection afforded by this Regulation should apply to natural persons ... in relation to the processing of their personal data

But this provision of Recital 14 is followed by an exception that the processing of personal data pertaining to legal persons is not covered by the law:

... This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person. 

Please note that the Recital does not contain an exhaustive list of such data, but rather provides examples.

Information that concerns legal persons may at the same time be personal data of a natural person, and vice versa. They overlap. So where do we draw the line between personal data that should be protected under the GDPR, and personal data which shouldn’t?

We attempted to illustrate this dilemma in the following diagram, where Section 1 represents “personal data which concerns legal persons” that is protected by the GDPR, and in Section 2 lies “personal data which concerns legal persons” that is exempted from GDPR protection by Recital 14.

Let us consider 2 different scenarios:

Scenario 1:

The company name contains the name of the natural person(s), e.g. Law Office of Mary Johnson, Esq. This scenario also covers cases in which the address of the legal person is the same as that of the natural person (when a business is registered at the home address).

In our opinion, this is a clear example of “personal data which concerns legal persons” as described in Recital 14. This conclusion is further supported by the European Parliament’s draft of the GDPR (Recital 12 in the old version), as it contains an additional sentence with the clarification which was not included in the final text of the Regulation:

...With regard to the processing of data which concern legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.

As such, we can conclude that this data belongs in Section 2 of the diagram and is not protected by the Regulation.

Scenario 2:

A data controller collects information from a webform on his website. The controller assumes that when a client’s employee fills out the webform to make a purchase of a product or service on behalf of his company, the employee’s information constitutes “personal data which concerns legal persons”, and is not protected by the GDPR in accordance with Recital 14.

However, we disagree. Instead, we think that this personal data belongs in Section 1 of the diagram, and is covered by the Regulation. 

It would have been instrumental in this case to use Art29WP Opinion 4/2007 on the concept of personal data, since it contains relevant examples on pages 23-24:

Information about legal persons may also be considered as "relating to" natural persons on their own merits, in accordance with the criteria set out in this document. This may be the case where the name of the legal person derives from that of a natural person. Another case may be that of corporate email, which is normally used by a certain employee, or that of information about a small business (legally speaking an "object" rather than a legal person), which may describe the behaviour of its owner. In all these cases, where the criteria of "content", "purpose" or "result" allow the information about a legal person or business to be considered as "relating" to a natural person, it should be viewed as personal data, and the data protection rules should apply.

But unfortunately, the Working Party in its 2007 opinion was focusing on whether certain information can be considered personal data or not. Recital 14, on the contrary, does not argue that some information relating to legal persons is not personal data. Instead, it clearly states that name, form and contact details may include personal data, but this data is not protected by the GDPR.

Nevertheless, we believe that the criteria of “content”, “purpose” and “result” can be used not just to classify information as personal data, but also to determine whether personal information relates to a legal person so closely that GDPR protection should apply. In the case of the webform, the purpose of the field “Your name” is clearly to collect personal data from the client’s employee. The content requirement is also met, and the result criterion is fulfilled when the person’s contact information is used for direct marketing.

Additionally, an employee of the company is not necessarily the same as the legal person in relation to that company. As such, the assumption that any employee’s information is not protected by the GDPR is far-fetched and unreasonable, and the controller is interpreting Recital 14 too broadly.


It is also worth mentioning that Recital 14 alone cannot be used without a corresponding article in the Regulation. According to the Commission Manual on Legislative Drafting:

recitals set out the reasons for the contents of the enacting terms (i.e. the articles) of an act… The recitals should state concisely the reasons for the main provisions of the enacting terms of the act. Accordingly: ... (c) The recitals must relate to the substantive provisions, and the order in which they appear should correspond as far as possible to that of the provisions for which they give the reasons…

In our case, none of the GDPR articles, including Art. 2, reiterates the exception mentioned in Recital 14.

Considering all of the above, we believe that further guidance from Art29WP is necessary to avoid incorrect interpretation of Recital 14 and the creation of possible loopholes. A good starting point is to use the criteria of “purpose”, “content” and “result” in evaluating whether or not the GDPR should apply.

----------------------

Authors:

Siarhei Varankevich MBA, CIPP/E - corporate trainer and data protection professional helping companies in Belarus, Russia and Ukraine to comply with GDPR. 

Olga Zavalniuk, CIPP/US, CIPP/E Candidate, data protection professional.


Licence: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0). You are free to:

  • Share — copy and redistribute the material in any medium or format
  • Adapt — remix, transform, and build upon the material
  • for any purpose, even commercially.

Under the following terms:

  • Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  • ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

Dave Dickson

International Privacy Advocate and Cybersecurity Consultant (Available for immediate consulting engagements)

6 years ago

An interesting discussion on this point and ICANN is here. https://www.dhirubhai.net/feed/update/urn:li:activity:6421298832063164416

Marine Baudriller

Competence & Collaboration for Results

6 years ago

Great article, thank you! I've just had a look at https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en, as suggested above by Madog Williams and the current position from the EU seems to be very clear: in the section examples of personal data we find "an email address such as [email protected]", whereas "an email address such as [email protected]" is given as an example of data that is not "personal data". So it seems that, in this context, the purpose etc. of processing such data has no bearing on whether or not the GDPR applies, although such factors will no doubt be relevant to issues of legitimate and conflicting interests as well as consent.

Pim Hulsbosch

Partner @ Endymion Amsterdam

6 years ago

"In our case, none of the GDPR articles, including Art.2, reiterate the exception mentioned in the Recital 14." What about art 4, sub 18, definition of 'enterprise'? What do you think is the relation with this article?

Steve Cook

Global Solutions Executive and Deal-Maker | Delivering Huge Revenue Growth

7 years ago

We have to be practical and I'll give an example: my work email signature contains my name, place of work; indeed my work email address incorporates my name. I'd argue that, as an employee, I should either (a) allow this limited subset of personal information to be classified as my employer's corporate information (related to a "legal person"), or (b) demand that my employer provide me with an anonymized email moniker and that I be allowed to send work email without any personal information in my signature. Failing this, anyone doing business with my employer could receive a business email from me that includes GDPR-protected personal data. Surely that can't be helpful?

Madog Williams

Senior Salesforce Consultant, Business Analyst | Salesforce Implementation, Audit & analysis.

7 years ago

Maybe WP29 will provide some more definitions in Article 4 as the new website from the EU Commission has changed 'natural person' to 'identified or identifiable living individual' in an answer to what is personal data. They also have some examples of non-personal data. https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/reform/what-personal-data-0_en Hope this is of help.
