With the General Data Protection Regulation now officially in place, personal information of citizens throughout Europe and beyond is subject to extensive protections. Because of ambiguous language in the Definitions and Recitals of the GDPR, however, it remains unclear in certain situations whose data is protected. Specifically, while it is clear from the GDPR’s definition of “personal data” that the regulations protect “any information relating to an identified or identifiable natural person,” the regulation does not distinguish between data belonging to a “natural person” as opposed to a “legal person” when the two are intertwined.
The GDPR seeks to protect personal information taking a more holistic approach to defining the boundaries of its reach as compared to the compartmentalized concepts of the previous Data Protection Directive. At its core, the GDPR enumerates rights of natural persons who are present within the European Union (EU), whether or not their data is in fact in the EU. The word “citizen” does not appear in the language of the regulation, which would indicate a reluctance to simply identify rights of EU citizens as opposed to the rights of all people within the boundaries of the EU. Practically speaking, the GDPR protects the rights of anyone within its territorial reach while at the same time applying to any entity using or accessing this personal data, no matter where the data exists. Trying to decipher what this means can be confusing without a more thorough analysis of the regulation and its accompanying commentary.
Some frequently asked questions regarding applicability of the GDPR include the following:
If the citizen resides in the EU but not if the citizen resides elsewhere at the time the data was collected or transferred.
Recital 22 states “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” Article 3(2) states “this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to... the offering of goods or services…” to data subjects in the EU or the monitoring of behavior when that behavior takes place in the EU. This language indicates that the location of the processing does not determine whether GDPR applies, if other factors have triggered the regulation’s applicability.
If the personal data of the EU citizen is not collected or processed as a result of the offering of goods and services within the EU, the GDPR would not apply.
The aforementioned language suggests that if a data controller or processor is not established in the EU and does not target data subjects in the EU, then it does not have to comply with the GDPR when processing data even if that data belongs to an EU citizen. Therefore, when EU citizens avail themselves of goods and services targeted to people outside the EU, they do so without the protections of the GDPR.
The GDPR applies to natural persons regardless of their citizenship status as long as they are within the territorial boundaries of the EU and are the subject of the offering of goods and services within the EU.
Recital 2 states “rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
Recital 14 of the GDPR states that the protection afforded by the GDPR applies to “natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.” Recital 26 further reiterates that “the principles of data protection should apply to any information concerning an identified or identifiable natural person.” The GDPR defines “an identifiable natural person” as “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Recital 14 specifically states that the GDPR does not cover “the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.” Thus, the GDPR protects the personal data of identifiable human beings (“natural persons”) and excludes data related to non-human legal entities (“legal persons”).
Under these guidelines, a customer filling out a form using his own private contact information (for example, John Doe; email@example.com; 123 Main Street, London, UK) would fall within the GDPR’s protections as this information relates to an identifiable natural person. A business that processes data in Europe would need to take the necessary steps under the GDPR to protect this data. In contrast, a customer filling out a form on behalf of a legal entity, rather than for himself (for example, John Doe LLC, johndoeLLC@email.com, 123 Main Street London, UK) would, on its face, seem to be expressly excluded from protection by Recital 14 since it relates to the legal entity John Doe LLC. The ambiguity of the regulation lies in this situation because, in practice, this information is clearly John Doe’s (a living person) name and home address. It is therefore “information that relates to an identifiable natural person” and should fall within the definition of personal data that must be protected under the GDPR.
Where a legal entity’s information identifies a natural person, the question becomes: how will the GDPR treat that data? Is “John Doe LLC” considered the data of a legal entity (and therefore excluded from GDPR protection) or is it the personal data of a natural person that must be protected?
The European Commission shed light on this issue on February 21, 2018, when answering a written question from an EU Parliament member, Richard Sulik, who asked whether email addresses are considered personal data if they are not accompanied by other data. He also asked if a work email address is considered personal data since it can be used to identify a specific person. The commission replied:
“Where an e-mail address uses direct identifiers of an individual (e.g. firstname.lastname@example.org), it is personal data falling within the scope of GDPR. In the absence of direct identifiers, an e-mail address may also constitute personal data when combined with other data (e.g. an address or date of birth) it relates to an individual. Recital 14 of the GDPR clarifies that the regulation does not apply to the processing of personal data which concerns legal persons, including the name and the form of the legal person and the contact details of the legal person. An e-mail address of a legal person such as email@example.com would not fall within the scope of the regulation. However, personal data of employees of the legal person, including their professional e-mail addresses, would fall within the scope of the regulation (e.g. firstname.lastname@example.org). The processing by a company of an e-mail address such as email@example.com which can, with other data in its possession, be related to a natural person falls under the GDPR and such e-mail address can only be disclosed to third parties in accordance with data protection rules.”
A 2017 Judgement of the EU Court of Justice aligns with the commission’s guidance to Sulik. Regarding the case of Camera di Commercio v. Salvatore Manni, the court ruled that a sole director’s name, listed on his company’s register, is considered “personal data.” The court stated that “[i]t is apparent from the Court’s case-law that the fact that that information was provided as part of a professional activity does not mean that it cannot be characterised as personal data…”
Thus, for European regulators and courts, it appears that the crux of whether data belongs to a “natural person” or to a “legal person” is whether that information, either on its own or in conjunction with other data, can be used to identify a human being. For businesses seeking to comply with the GDPR, the safest approach may be to treat any information that can be used to identify an actual human being as “personal data” regardless of whether that information also relates to a legal entity.
If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:
 Directive 95/46/EC set guidelines for member states to follow and interpret as they saw fit.
 Controllers or processors
 GDPR Art. 4 (1).
 Case C-398/15: Judgment of the Court (Second Chamber) of 9 March 2017 (request for a preliminary ruling from the Corte suprema di cassazione — Italy) — Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni