Personalized contact details for employees of business partners – a problem under data protection law?

The following example is chosen for easier handling. Laura Müller is an employee of a business partner of our company and her email address is Laura.Müller@musterfirma.de. The business partner has now sent this e-mail address to our company, as Laura Müller is our contact person and is responsible for the specific cooperation between the companies. Without their e-mail address, this collaboration would be impossible or very difficult.

Contrary to popular belief, company-related, but personalized contact data are also personal data and are subject to data protection regulations. The e-mail address can therefore be clearly assigned to the employee Laura Müller and therefore also a personal date.

This classification means that our company cannot simply use this e-mail address as it sees fit, but only to the extent that the General Data Protection Regulation provides a legal basis for this. This applies even if our business partner has submitted the personalized contact details in order to process the business relationship.

At first glance, one could come up with the idea of ​​using the e-mail address to fulfill the contract according to Art. 6 Para. 1 lit. b GDPR. Finally, in the example described here, there is a contract between our company and the business partner and the processing is also necessary for the fulfillment of this contractual relationship.

But here a careful look into the law is necessary. According to Art. 6 Para. 1 lit. b GDPR, personal data may only be processed if this is necessary for the performance of a contract to which the data subject is a party.

In our example, Laura Müller is not a party to the contract. Rather, the basic contract has been concluded between two companies. Laura Müller is only involved here because of her employment relationship with our business partner.

As a result, the use of the email address cannot result in the fulfillment of a contract according to Art. 6 Para. 1 lit. b GDPR.

Even if Art. 6 Para. 1 lit. b GDPR is not relevant, the use of the e-mail address does not have to be prevented. The General Data Protection Regulation provides a number of possible legal bases in Art. 6, Paragraph 1, which stand alongside one another without priority and can be examined for their applicability.

In principle, Laura Müller could therefore also be asked for her consent and the use of the e-mail address based on the consent in accordance with Art. 6 Para. 1 lit. a GDPR are supported. However, this procedure is not recommended for reasons of practicality. In addition to the high administrative effort, the fact that the declaration of consent can be freely revoked at any time speaks against this approach.

Legal basis of the legitimate interest according to Art. 6 Para. 1 lit. f GDPR

The best solution to this data protection problem lies in the legal basis of the legitimate interest according to Art. 6 Para. 1 lit. f GDPR. The above considerations on the fulfillment of the contract can also be used for the reason. The economic reasons for the cooperation between two companies also have a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR.

In contrast, the rights and freedoms of Laura Müller are usually not to be seen as predominant. For example, the e-mail address can be assigned to the operational sphere, despite personal reference, and the effects on the right to informational self-determination are to be viewed as rather minor.

However, the legal basis of the legitimate interest means that only a generalized rule case is taken into account in the weighing of interests. It can be the case that in individual cases, due to special circumstances, Art. 6 Paragraph 1 lit. f GDPR is not applicable or only applicable after a careful individual examination.

As has been shown, even at first glance, complex issues can be fed into a data protection-compliant and practicable solution and the use of personalized e-mail addresses will also remain possible in the future.

Would you like our support as an external data protection officer or data protection consultant? We’re here to help. Contact us by phone on +49 (0) 8505 91927-0 or using our contact form.