The GDPR protects natural persons in the scope of the processing of their personal data and the free movement of such data within the EU. That seems simple enough. Natural persons are living and breathing individual human beings. Processing is processing and personal data is personal data, right?
However, things are not always as easy as they seem with the GDPR. As mentioned in a previous article, the definition of personal data as well as the types of identifiers or personally identifiable information (PII) has broadened significantly and it’s important to understand how personal data and identifiers lead to potential identification (even if methods such as pseudonymization and anonymization are used).
Secondly, processing covers quite a few activities concerning the personal data of natural persons as well.
So, it’s not just important to understand personal data processing principles but also to know what exactly processing is. You process personal data when someone fills in a form on your website, granting you consent to send him/her a newsletter; you process personal data when you receive job applications; you process personal data when simply handing over lists of customers in your capacity as a data controller to a data processor such as your accountant; you process personal data when downloading an Excel file containing them on a USB stick; but you also process personal data if you simply store them. The list is pretty long.
So, it is less easy than it seems, and it is explained in several articles. Yet, it doesn’t stop there. Even a term as simple as natural persons isn’t that easy at all.
Personal data of legal persons and personal data of natural persons: the issue with Recital 14
As you can read in the GDPR articles (Article 2) on the material scope of the GDPR, not all personal data of natural persons fall under the GDPR. Just one example: personal data processed by a natural person in the course of a purely personal or household activity.
Yet, there is more. Many people have a tiny one-person business or are self-employed, and there are different mechanisms, depending on the country, to incorporate their activities in some form of undertaking.
That could be some form of sole proprietorship, for example. Again, the precise name and ‘legal form’ depend on the country. In its recitals (Recital 14) the GDPR says that it only applies to natural persons and does not cover the processing of personal data concerning legal persons, in particular undertakings established as legal persons or legal entities. And this includes the name of the legal person, the form and also the contact details of the legal person.
So, imagine the name of our tiny business wasn’t i-SCOOP but “Founderlastnamexyz Media”. This is the case for many self-employed consultants, lawyers, accountants and so forth (except for the imaginary “media” part). Moreover, many aren’t just self-employed but have one form or another of sole proprietorship, which could also carry their name, or even another form of undertaking with two or three people in the same situation.
Very often self-employed people and really tiny undertakings with specific activities operate from the private address of the owner which then doubles as the address of the undertaking. You start seeing the picture.
It isn’t that hard (in fact, it’s really easy) to start combining personal data and identifiers of people in their capacity as natural persons with data (such as address, being self-employed or having an undertaking and so forth) in the sphere of legal persons. Add to that the fact that also the contact details of the legal person do not fall under the GDPR. What are contact details? Phone. Address. Email. Twitter handle. You can go on. There are quite some identification opportunities here when enriching profiles of natural persons of course.
There is a grey zone. While it might seem logical that (personal) data of legal persons are only used for the purposes in the scope of the legal entity and not for enriching natural person profiles by adding/combining the two types of data, 1) it is done on a relatively important scale, certainly by many online platforms, and 2) the GDPR isn’t too explicit and clear about it.
Uncertainty is never a good thing, especially if you happen to be a data controller running such a platform, or find yourself in a scenario where you think you are acting according to the rules of the GDPR but turn out to be leveraging personal data concerning legal persons in a way that isn’t compliant, violates data subject rights, or worse.
The overlaps of personal data of natural persons and legal persons: advice
So, there are ample tools that automatically add specific information from the legal persons sphere to the natural persons environment. And some of those even make mistakes, as they are automated, and you have no way to get them rectified.
Examples include databases of entrepreneurs and their ventures (some of which enable rectification). Other examples are several so-called influencer marketing tools. In the marketing technology stack you can certainly find more. But it’s not just about tools and platforms (where everything also depends on the scope of processing, the legal bases for processing, the precise scenarios, the usage of automated decision-making including profiling and far more; public and paying databases with data, including personal data, of legal entities in a B2B context never had too many problems, for instance, but there are quite some platforms we know that definitely will, as we’ll cover in a next post).
More important than the tools and platforms are the scenarios. And there are many more such scenarios where one can wonder whether the GDPR applies (natural persons) or not (legal entities); yet that grey zone remains.
Siarhei Varankevich MBA, CIPP/E, corporate trainer and data protection professional helping companies to comply with GDPR, and Olga Zavalniuk, CIPP/US, CIPP/E Candidate, data protection professional, recently shared their views on the issue on LinkedIn, giving two possible scenarios and digging much deeper than we did so far: one of personal data which concerns legal persons in the example of a law firm, and one where an employee acts on behalf of their employing company (legal person). They look at both scenarios and share their views, so it’s an interesting read and, as it’s on LinkedIn, you can ask and debate.
Their advice, awaiting guidelines, is to use the criteria of “purpose”, “content” and “result” in evaluating whether or not GDPR should apply, as an older WP29 (now the European Data Protection Board) opinion mentioned, and they emphasize that Recital 14 alone cannot be used without its corresponding article in the GDPR.
Moreover, they point to the European Parliament’s draft of the GDPR with the earlier quoted sentence that didn’t make the final text but is clear. Their full article on the matter with the graphic we based ourselves upon here.