GDPR

Are the contact details of a company's director also personal data?

Joris Deene
9 months ago
313 views
4 minutes reading time

The Court of Justice of the European Union has on April 3, 2025 (C-710/23) rendered an important judgment on the processing of personal datas in official documents. This ruling clarifies when data of persons acting on behalf of legal entities are considered personal data and under what conditions they may be released. Consider, for example, the name, signature or e-mail address of the directors of a company.

The facts of the case

The case involved a dispute between a citizen (L.H.) and the Czech Ministry of Health. L.H. requested information from the ministry about the individuals who had signed contracts for the purchase of COVID-19 screening tests and the corresponding certificates.

The ministry provided some of the requested documentation, but rendered certain information illegible, including names, signatures, positions and sometimes e-mail addresses and telephone numbers of the natural persons who had signed these documents on behalf of legal entities. The ministry did this to protect personal data in accordance with the General Data Protection Regulation (GDPR).

The preliminary questions

The case eventually ended up before the Czech Republic's highest administrative court, which referred two key questions to the Court of Justice:

  1. Do the first name, last name, signature and contact information of a person representing a legal entity constitute "personal data" within the meaning of the AVG, even if this data is only used to identify who may act on behalf of the legal entity?
  2. May national law (including settled case law) impose additional conditions beyond the AVG, such as the obligation to inform and consult data subjects in advance before their data is disclosed to third parties?

The Court's ruling

Personal data of representatives

On the first question, the Court ruled unequivocally that the name, signature and contact details of a natural person representing a legal entity do constitute personal data within the meaning of Article 4(1) and (2) of the AVG.

The Court emphasized that the concept of "personal data" must be interpreted broadly and potentially encompasses all types of information relating to an identified or identifiable natural person. The circumstance that this data is used exclusively to identify who may act on behalf of a legal entity is irrelevant to this qualification.

The Court also made clear that recital 14 of the AVG, which states that the regulation does not cover data on legal persons, does not change this interpretation. This recital refers to data of the legal entity itself (such as the company name, CBE number, registered office address, info@bedrijf.be email address), not to the data of natural persons acting on behalf of legal entities.

National supplementary requirements

On the second question, the Court ruled that Article 6(1)(c) and (e) of the AVG, read in conjunction with Article 86, does not preclude national case law that requires data controllers to inform and consult data subjects before providing their data.

Such an obligation may even contribute to lawful, fair and transparent processing by giving data subjects the opportunity to express their views.

However, there is an important nuance: the application of this obligation must not be impossible or require disproportionate effort. Nor should it disproportionately restrict the public's right of access to official documents.

Practical implications

This ruling has important implications for government agencies as well as businesses and individuals:

  1. For government agencies: When issuing official documents, they must treat the names, signatures and contact information of individuals acting on behalf of legal entities as personal data. They must, in principle, inform and consult data subjects before issue, unless this is impossible or disproportionately difficult.
  2. For companies and their representatives: Natural persons who sign contracts on behalf of companies are entitled to protection of their personal data, even when acting in a professional capacity.
  3. For the broader public: The right of access to official documents remains, but must be balanced against the right to data protection. An automatic refusal to provide information simply because it is difficult to consult data subjects is not permitted.

Conclusion

This ruling confirms that the AVG requires a balanced approach between two important interests: transparency in government actions and protection of personal data. National rules can provide additional protection for data subjects, but this protection should not go so far as to disproportionately restrict the right of access to information.

For organizations that receive or submit information requests, it is crucial to understand and respect this balance.

Do you have questions about how this ruling affects your situation? Our specialized lawyers are ready to advise you on all aspects of data protection and access to government information.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics