Surprise: Not all personal data is protected by the GDPR!
Fredrik Blix
Consultant Strategic Cybersecurity & Associate Professor (Universitetslektor)
We all know that the regulation applies to the processing of personal data (“material scope”, article 2, GDPR). But did you know that this scope is further refined by recitals 13-21 and 27 of the GDPR? As a result, some data - even if it relates to an individual, and even if it is considered “personal data” - is not protected by the GDPR.
Recital 14 reads: “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.”
Think of all personal data, and draw a circle on a piece of paper. Inside that circle you have all personal data. Now draw a smaller circle within the first one to illustrate personal data “which concerns legal persons”. Note that the regulation “does not cover the processing” of the data in your small circle, if you agree with what is explicitly stated by recital 14 of the GDPR.
I hope you are still with me here. I hear no objections, as it is difficult to object - after all, I am still just citing the text of the GDPR.
So we have all agreed that some of what GDPR defines as “personal data” is not covered by the same regulation!
In other words: it IS “personal data” - it is information relating to an identified or identifiable natural person - but it is not protected under the GDPR's provisions, since it is “concerning legal persons”.
Now let us examine recital 14 in detail as it is very often misunderstood. We will interpret it here based on two important principles:
- A subjective teleological analysis of its meaning
- The principle that regulations which may result in sanctions for those who do not comply with them must be possible to understand by reading the text
The first principle puts us in the lawmaker's position. We have to think about what they want to accomplish with the regulation. That is: protecting the human rights and freedoms of people by protecting information relating to them!
The second principle says that we read only what the text says - we cannot make wild guesses outside the semantic content of the text. We have to trust that the lawmaker writes exactly what they mean.
Remember these two principles when we move forward to examine recital 14.
Recital 14 Analysis
- Setting the context - only natural persons: “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.
- Delimiting the scope - not personal data concerning legal persons: “This Regulation does not cover the processing of personal data which concerns legal persons”.
- Articulating the scope delimitation to include “undertakings”: “and in particular undertakings established as legal persons,”.
- Exemplifying, e.g. contact details: “including the name and the form of the legal person and the contact details of the legal person.”
Conclusion
There are many interpretations of recital 14 and its consequences when applying the GDPR in practice. In this article, we have together tried to decompose the recital into its different parts and interpret its semantics by applying a set of important principles.
From this we can conclude that GDPR protection does not apply to personal data when its only purpose is to function as contact details for legal persons (a company, a government agency) or the undertaking (the activities conducted within these legal persons).
What does this mean in practice? Let us try to logically work our way into a conclusion:
- Identify all the methods you can come up with that can be used to get into contact with a company or government agency, or with the activities that take place within these organisations.
- Identify one or two of these methods where you may use “personal data” as part of the contact details.
- Now we can conclude that when the personal data you have identified is used with the purpose of getting into contact with the organization or its activities, it is not covered by GDPR.
Typical business cases, in my mind, are all the email addresses in business-to-business CRM systems, every time we have an email address on an invoice as a reference, etc.
So the test is: this email address of this person, what is its purpose here? Is it to get in contact with the business? Then it is not covered by the GDPR.
Comments are welcome, but be constructive and detailed. If you do not agree, make a clear argument with examples, so that we can all gain a better understanding in the end!
“Work email addresses don’t count as personal data, right?” We’ve heard this a lot recently. The simple answer is that individuals’ work email addresses are personal data. If you are able to identify an individual either directly or indirectly (even in a professional capacity), then GDPR will apply. https://www.cognitivelaw.co.uk/gdpr-issues-do-work-emails-count-as-personal-data/
Cyber Risk & Compliance
4 years ago
Interesting thought. The interpretation in your text seems to be at odds with the core definition of personal data (Article 4 (1)), though. In their Opinion 4/2007, WP29 set out four "building blocks" that can help identify what comprises personal data. The building blocks are as follows: 'any information', 'relating to', 'an identified or identifiable', 'natural person'. Now, given that, the content of personal data includes any sort of information, and it is not limited to information that refers to a narrow interpretation of the individual's private and family life. Additionally, the CJEU established that the concept of private and family life must be widely interpreted (Amann vs Switzerland 2000-02-12). Consequently, personal data includes information about an individual's private life and information regarding any activity undertaken by that individual. My understanding is therefore that this activity may relate to activities in the professional and public sphere as much as in an individual's private life. Conclusively, an individual's contact information at their place of work will be personal data in the same way as their home address or personal phone number and is subject to the Regulation. Despite the above, I find your analysis reasonable and would appreciate perhaps a comment on Recital 14 from the EDPB. It is interesting to know what the regulators were aiming at.
Advisor | Award-winning author | CTO
4 years ago
According to recital 10 of the GDPR, Sweden has the right to extend and specify the concept of personal data. From that perspective it may be of interest that the Svea Court of Appeal has held that the registration number of a sole proprietorship, which contains the personal identity number of the person behind the business, constitutes personal data (judgment of 2004-08-31 in case no. B 4151–04).
Advisor | Award-winning author | CTO
4 years ago
This is how it has been reasoned previously: "Information about legal persons can also, on a case-by-case basis, be considered to 'relate to' natural persons in accordance with the criteria in this document. This may be the case where the name of a legal person derives from the name of a natural person. Another case may be corporate e-mail, which is usually used by a particular employee, or information about a small business (legally speaking more an 'object' than a legal person) that describes the behaviour of its owner. In all these cases, where the criteria 'content', 'purpose' or 'result' mean that the information about the legal person or business is considered to 'relate to' a natural person, the information should be regarded as personal data and the data protection rules should apply." https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_sv.pdf
Manager, Information Security and Privacy Office
4 years ago
I would offer a completely different interpretation of recital 14.

1) Setting the context – only natural persons. Here there should be no disagreement. GDPR only applies to natural persons. Natural persons have to be alive, or they would not be natural persons.

2) Delimiting the scope – not personal data concerning legal persons. This is just a refinement of an obvious conclusion arising from the fact that GDPR only applies to natural persons. If it only applies to natural persons it can’t apply to legal persons, as they are mutually exclusive. The date of incorporation, the form, bylaws as well as the financial standing of a legal person clearly is not information about a natural person unless processed in a specific context. There are situations in which the same information can concern both a legal and a natural person, but then the GDPR would apply on the basis that the information does concern a natural person.

3) Articulating the scope of delimitation to include “undertakings”. Here it becomes interesting. Undertaking is a term precisely defined by the CJEU. The case C-74/16 (Congregación de Escuelas Pías Provincia Betania v Ayuntamiento de Getafe) offers us a re-stated definition of “undertaking” as “covers any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed”. This definition tells us that undertakings are simply the organizational form of any economic activity and not the economic activity as such. To provide extra support for this conclusion I would offer you C-41/90 (Höfner and Elser v Macrotron GmbH): “the concept of an undertaking encompasses every entity engaged in an economic activity”. Now let’s consider this sentence from recital 14 with this in mind. As discussed above, it is clear that legal persons are excluded from the protection of the GDPR. Now the sentence reads “… and in particular undertakings established as legal persons…”. Even a standard (non-legal) interpretation would offer that this part is simply a refinement of what came before, the term “legal person”. If you add to that the concept of undertaking as the entity that is engaged in economic activity rather than the economic activity itself, then it is clear that the intent was never to remove the day-to-day activities of a legal person (or undertaking) from the material scope of the GDPR.

4) Exemplifying, e.g. contact details. The only takeaway from this part is that the name, form and contact details of the legal person are excluded from the GDPR. This should be obvious, as we have concluded above that legal persons are not within the material scope of the GDPR. Is the e-mail address of an employee the contact details of the legal person? Obviously not; the contact details of the legal person are the contact details of the legal person itself, i.e. “GDPR LLC, PRIVACY STREET 1, CITY OF ENCRYPTION”.

Now that we have considered the entire recital 14 and reached the complete opposite conclusion, I would argue that my explanation is more coherent with the Charter of Fundamental Rights, concepts defined by EU law, as well as the rest of the regulation itself. And thus, details about individuals engaged in the activities of a legal person (or undertaking) are within the material scope of the GDPR, including e-mail addresses.