EU: Exception for Information about Legal Entities

The EU General Data Protection Regulation (GDPR) does not apply to the processing of personal data concerning legal persons, including the name and form of the legal person and its contact details.

Text of Relevant Provisions

GDPR Recital 14:

"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person."

Analysis of Provisions

The GDPR explicitly excludes the processing of personal data concerning legal persons from its scope of application. This exclusion is stated in Recital 14, which clarifies that the regulation "does not cover the processing of personal data which concerns legal persons".

This exclusion extends to "undertakings established as legal persons", and specifically includes "the name and the form of the legal person and the contact details of the legal person". This means that information such as a company's name, legal structure, and official contact information are not considered personal data under the GDPR.

The rationale behind this exclusion is that the GDPR is designed to protect the fundamental rights and freedoms of natural persons with respect to their personal data. Legal persons, such as corporations or organizations, do not have the same privacy concerns as individuals, and their information is often already public or regulated under different legal frameworks.

Implications

This exception has significant implications for businesses and organizations:

Business-to-business (B2B) communications: Companies can process and use contact information of other businesses without being subject to GDPR requirements for this data.
Corporate databases: Maintaining databases of company information, including names, addresses, and contact details of legal entities, is not subject to GDPR restrictions.
Marketing to businesses: B2B marketing activities using corporate contact information are not regulated by the GDPR, as long as they do not involve personal data of individual employees.
Public registers: Information about legal persons in public registers (e.g., company registries) is not subject to GDPR protections.

However, it's important to note that this exception does not extend to personal data of individuals associated with legal persons. For example:

An employee's work email address (e.g., [email protected]) is still considered personal data and is protected under the GDPR.
Contact information of individual representatives of a company, when identified by name, is still personal data.

Therefore, while the GDPR does not apply to data about legal entities themselves, organizations must still be cautious when processing any data that can be linked to identifiable individuals within those entities.

Jurisdiction Overview

👮🏼 National Security and Law Enforcement Exemption Judicial Proceedings and Court Records Exemption 🏡 Personal and Domestic Use Exemption ™️ Exception for Information about Legal Entities 🔗 Processing in Context of Local Establishment 🎦 Monitoring Data Subjects Within Jurisdiction 🖥️ Automated Means Criterion 🏛️ Government and Public Agency Exemption 📍 Processing by Local Establishment Physical Location/Residency of Data Subject in Jurisdiction 💼 Processing by Entity Registered or Incorporated in Jurisdiction 🗃️ Filing System Criterion 💽 Prospective Filing System Inclusion 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction 🕵🏿 State Secrets Exemption ⚖️ Sectoral Exceptions Regulated by Other Laws