Does GDPR apply to your personal contacts and address book?

Bill GDPR 11 Comments

We all use our computers and phones to store and use each other's email addresses and phone numbers, but how is that affected by GDPR?

Is your address book in scope?

The test for whether data is in-scope for GDPR is this:

Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.

By that measure, a contact card held on your company computer is within scope as it obviously identifies a living individual.

On what lawful basis are you storing and processing contact data?

Given that is the case, on what lawful basis are you holding and processing that contact data? You have six choices under Article 6:

  1. By Consent (which you request and record)
  2. Due to a Contract: to process a contract with an individual
  3. A Legal obligation: in order to comply with the law itself
  4. Vital interests: to protect someone’s life
  5. Public task: an official public interest
  6. Legitimate interests: a ‘balance tested’ judgement between the interests of the organisation, and the interests of the individual

For most people exchanging business cards the reason might be option 6, as you and your firm have a legitimate interest in being able to contact the individual to carry out your day-to-day work.

Knowing your GDPR rights

This does not, though, relieve you of the other obligations of GDPR. The individuals in your address book keep their rights to:

  • Be informed that you have them in your address book and for what purposes you process their data, to know which third parties might access their data, and to know about any transfer of their data outside the EU
  • Request access to the data you hold on them
  • Request rectification of the data
  • Ask for it to be erased
  • Ask you to restrict the purposes for which their data is processed
  • Ask for an electronic copy of the data you hold
  • Object to you holding their data for some purposes

Emailing everyone in your address book for consent?

One way of complying with GDPR is to send an email to every single person in your address book, both to get consent for you to hold and process their data and to explain how they can exercise their rights under GDPR. Imagine the unimaginable number of emails flying around if we all emailed each other about GDPR.

Alternatively, it seems from looking at GDPR that you could use the “legitimate interests” basis to justify holding someone's business card details, but perhaps we should all make a point, upon exchanging business cards, of asking whether it is OK to store their details on our electronic devices for day-to-day business purposes. I spoke to the UK ICO on this and they felt that verbal consent was appropriate, but didn't opine on how to record that consent and the purposes for which the consent was given.

Going beyond day-to-day contact

And then, of course, if you were to add their details to a marketing distribution list, you would have gone beyond an assumed consent (for day-to-day business purposes) into an area which, under GDPR, would really need an extended and explicit consent. It's reasonable to expect that if I hand you my business card we remain in touch personally; that's all it's for. BUT, if you then add my email address to your company marketing list and I begin to receive emails for a new purpose (such as advertising your latest widget), that wouldn't necessarily be justified by your ‘legitimate interest’ outweighing my rights, and ought to involve my consent for that purpose. (In my opinion)

Exercising your rights

Over-arching all this are the GDPR rights listed above: even if you just add me to your address book, I still need to know how to exercise my GDPR rights. One solution might be for every firm to provide a GDPR request form on their website covering the above rights, such as asking what data is held on you, asking for a copy of the data, or making a correction. The difficulty is that large firms will need to know all the places inside the firm where your data might be held, and be able to respond accordingly. If you work in a large global organisation, the IT department may argue that they should be able to dip into everyone's address books to grab any data needed to meet a GDPR access request.

In summary

  • Your business address book is in scope for GDPR
  • You need to tread carefully on the purposes you use the address book for
  • Day-to-day contacts are expected, but adding people to a marketing list may need consent
  • Providing a way for someone to exercise their GDPR rights must be part of every firm's compliance plan

What are your plans for this scenario? Let me know in the comments.

Comments 11

  1. Artists build up lists of people interested in their work, sending out mailings about a new exhibition or a news update. Does this count as marketing or can I assume that expressing an interest in my work implies consent to receive emails?

    1. Post

      You need to get their consent and make clear to them what they should expect to receive. They also need to know how to exercise their rights under GDPR, same as everyone else. Bill

  2. Bill
    Thanks for this helpful article.
    My wife is a dog trainer and maintains records of our existing and past customers. Records include names and addresses, telephone numbers and email addresses. The records are provided by the customers and only used in relation to current business or in response to an email from them. She uses the records for no other purpose, such as marketing. Since this is normal day-to-day business contact, is she required to comply with GDPR?
    Many thanks

  3. If an address book is within scope of GDPR, does that mean that it falls under the right to transparency and therefore the individuals (all of them) should be notified that their data is being held and given an opportunity to update or delete it? This would be especially true for contacts that only apply irregularly or in an extended network.

    1. Post

      My own belief is that your privacy policy should say that their details will be used in the course of day to day business, and also that their data may be used on computers and personal devices where you cannot guarantee privacy. Tell them you will use best practices to secure their data. I would not email everyone in my address book, as the ‘legitimate interest’ justification makes sense here – you usually have their details because you and they need to be in touch with each other.

  4. Does GDPR apply to non-business personal contacts, i.e. does it apply to friends and family in my smartphone? If yes, it seems a sorry state of affairs to have to ask your Mum if you can store their contact and birthday details. In this same scope we have family who are blocked, but in order to block them their details have to be on the phone. Does this mean under GDPR that they can force you to effectively unblock them by removing their details? If there is a difference, then when is a family member/friend not an actual friend, e.g. FB friends?

  5. The issue I have with email on personal devices is cross-copying data to other apps. These other apps can include WhatsApp, which can in theory get at all your contacts, e.g. when installing WhatsApp/Facebook you get prompted to allow the app to access your contacts. Wham! Clients' contact details are now in a WhatsApp and Facebook account on a personal device/personal Facebook account. Further, a user of a personal device can then create a group in, say, WhatsApp and include those contacts, hence giving out mobile numbers to other people.
    If you have a company phone the IT department can block WhatsApp and the company is GDPR safe. Am I wrong in this?

    1. Your thoughts make sense – data leakage is a practical issue. If your phone is subject to some sort of corporate lock down then perhaps this can be controlled. If it’s a personal device, the scenario you mention above is entirely feasible. Sounds like GDPR training for staff might be needed to at least cover your firm legally for any breaches.
