GDPR Professional Contact Information

The classification of professional contact information as personal data has evolved over time across different data protection regulations. Let’s examine the situation:

1. Previous situation under older national frameworks

Historically, certain personal data related to identified or identifiable individuals were excluded from the scope of data protection regulations. Examples include:

  • Individuals providing services within a legal entity, where only their name, role or position, and professional contact details (email, postal address, phone, fax) are recorded—essentially, the information found on a business card.
  • Sole proprietors referenced in their capacity as business operators.

As a result, professional contact information was generally exempt from stricter data protection rules, and many data protection authorities confirmed this position in various resolutions and legal opinions.

2. Situation under the GDPR

With the introduction of the General Data Protection Regulation (GDPR), the landscape changed significantly.
The GDPR applies to the processing of personal data by fully or partially automated means, and to non-automated processing of personal data that is intended to be included in a filing system. The GDPR does not specifically mention professional contact information, and because it does not explicitly exclude professional contact details, they are considered personal data under the regulation. Their processing is therefore subject to GDPR provisions.

Legal basis for processing professional contact information

Professional contact data may be processed lawfully if one of the following bases applies (Article 6 GDPR):

  • Consent from the data subject.
  • Necessity for the performance of a contract or pre-contractual measures.
  • Compliance with a legal obligation.
  • Protection of vital interests.
  • Performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests pursued by the data controller, provided these do not override the rights and freedoms of the data subject.

In practice, professional contact data is typically processed on the basis of legitimate interest, as long as:

  • Only the minimum necessary data is processed for professional contact purposes, excluding personal phone numbers or private email addresses, even if occasionally used for work.

Practical implications

Processing professional contact information under GDPR does not require explicit consent, provided it is based on legitimate interest. However, other GDPR obligations still apply, including:

  • Transparency: informing individuals about the processing of their data.
  • Security measures to protect the data.
  • Proper handling and limitation to the purpose for which it is collected.

In conclusion, professional contact information is now treated as personal data under GDPR, but the processing can rely on the legitimate interest of the data controller, without requiring explicit consent, as long as all other GDPR principles are respected.

EPRODAT — Experts in data protection and privacy compliance