The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Are Work Email Addresses and Business Contact Information Considered “Personal Data?”
Answer: Yes, in most cases.
Personal data is defined by the GDPR as “any information relating to an identified or identifiable natural person.”1 This broad definition encompasses work email addresses containing the business partner’s name or any business contact information tied to or related to an individual, such as the individual’s name, job title, company, business address, work phone number, etc. In contrast, personal data does not include generic business names, business addresses, generic email addresses or any other general business information, as long as this information has not been linked to an individual. So, for example, “John.Smith@acme.com” would most likely be considered “personal data” governed by the GDPR whereas “email@example.com” would not.
1. GDPR, Article 4.