Personal data in company records

[baltpeter]

Usually, our company records don't contain any personal data as legal entities don't fall under the GDPR (Recital 14). However, in some cases, it would make sense to include personal data in a record, for example if a company name or DPO email contains a natural person's name. Until now, we've had a policy to forbid this without any exceptions.

Our governing association's general assembly on September 15, 2021, has adopted a resolution to change this policy:

We believe that as a data protection non-profit, we have a legitimate interest in helping our users exercise their fundamental right to data protection by providing them with our company database, even if that requires the processing of personal data on rare occasions. Thus, from now on, we allow the inclusion of personal data in company records given the following conditions are met:

• Personal data can only be included in a record if absolutely necessary to achieve our goal of helping users exercise their right to privacy.

  For example, if a company lists both a generic [email protected] as well as a personal [email protected] email for the DPO, no processing of personal data is necessary and we will use the generic email. If however no generic email address is available, it is okay to include one containing a person's name in the record.
  Similarly, if a company name contains a person's name (like Jane Doe Marketing Consultancy, Ltd.), it is okay to create a record with this exact name.

• Personal data can be included in a company record if it is more “data protection-specific” than generic non-personal data.

  For example, if there are a generic [email protected] and a personal [email protected] email for the DPO, it is okay to include the personal email in the record.

• Company records can only include personal data acquired from public sources. The exact URLs to those source have to be included in the record.

  Thus, if you found out about the [email protected] email from a private email conversation with the company, it could not be included in a record unless there is also a public source for it. Similarly, if the email is only listed on a privacy policy printout in an offline store but not available online, it can also not be included. Including data from public privacy polices or company registers is okay, though.

Even though not legally required, to ensure we are respecting the data protection rights of people working for companies listed in our company database as well, we are voluntarily offering an extended right to object. They can contact us to object to the processing of their data in our company database, even without providing reasons arising from their particular situation. In the case of people working for a company, we will always accept those requests and remove their data from the database. In the case of people owning a company, we reserve the right to refuse those requests but only if we believe there to be an outweighing public interest in the publication. For more details, see our privacy policy (datenanfragen/website#676).