On the 25th of May, the General Data Protection Regulation (GDPR) will go into effect. With the introduction of the GDPR, protection of personal data becomes increasingly important. Companies have to take account of more and stricter rules with regard to data protection. However, various questions arise as a result of the introduction of the GDPR. For companies, it may be unclear which data are considered to be personal data and fall within the scope of the GDPR. This is the case with email addresses: is an email address considered to be personal data? Are companies that use email addresses subject to the GDPR? These questions will be answered in this article.
Personal data
In order to answer the question whether or not an email address is considered to be personal data, the term personal data needs to be defined. This term is explained in the GDPR. Based on article XNUMX sub a GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Personal data refers to natural persons. Therefore, information concerning deceased persons or legal entities is not considered to be personal data.
Email addresses
Now that the definition of personal data is determined, it needs to be assessed whether an email address is considered to be personal data. Dutch case law indicates that email addresses could possibly be personal data, but that this is not always the case. It depends on whether or not a natural person is identified or identifiable based on the email address.[XNUMX] The way persons have structured their email addresses has to be taken into account in order to determine whether the email address can be seen as personal data or not. A lot of natural persons structure their email address in such a way that the address has to be considered personal data. This is for example the case when an email address is structured in the following way: [email protected]. This email address displays the first and last name of the natural person who uses the address. Therefore, this person can be identified based on this email address. Email addresses that are used for business activities can also contain personal data. This is the case when an email address is structured in the following way: [email protected]. From this email address it can be derived what the initials of the person using the email address are, what his last name is and where this person works. Therefore, the person using this email address is identifiable based on the email address.
An email address is not considered to be personal data when no natural person can be identified from it. This is the case when, for example, the following email address is used: [email protected]. This email address does not contain any data from which a natural person can be identified. General email addresses that are used by companies, such as [email protected], are also not considered to be personal data. This email address does not contain any personal information from which a natural person can be identified. Moreover, the email address is not used by a natural person, but by a legal entity. Therefore, it is not considered to be personal data. From Dutch case law it can be concluded that email addresses can be personal data, but this is not always the case; it depends on the structure of the email address.
There is a great chance that natural persons can be identified by the email address they are using, which makes email addresses personal data. In order to classify email addresses as personal data, it does not matter whether the company actually uses the email addresses to identify the users. Even if a company does not use the email addresses with the purpose of identifying natural persons, the email addresses from which natural persons can be identified are still considered to be personal data. Not every technical or coincidental connection between a person and data is sufficient to designate the data as personal data. Yet, if the possibility exists that the email addresses can be used to identify the users, for example to detect cases of fraud, the email addresses are considered to be personal data. In this, it does not matter whether or not the company intended to use the email addresses for this purpose. The law speaks of personal data when the possibility exists that the data can be used for a purpose that identifies a natural person.[XNUMX]
Special personal data
While email addresses are considered to be personal data most of the time, they are not special personal data. Special personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade membership, and genetic or biometric data. This derives from article XNUMX GDPR. Also, an email address contains less public information than, for example, a home address. It is more difficult to gain knowledge of someone's email address than of his home address, and it depends for a large part on the user of the email address whether or not the email address is made public. Furthermore, discovery of an email address that should have stayed hidden has less serious consequences than discovery of a home address that should have stayed hidden. It is easier to change an email address than a home address, and discovery of an email address could lead to digital contact, while discovery of a home address could lead to personal contact.[XNUMX]
Processing personal data
We have established that email addresses are considered to be personal data most of the time. However, the GDPR only applies to companies that are processing personal data. Processing of personal data consists of every action with regard to personal data. This is further defined in the GDPR. According to article XNUMX sub XNUMX GDPR, processing of personal data means any operation which is performed on personal data, whether or not by automatic means. Examples are collection, recording, organising, structuring, storage and use of personal data. When companies perform the aforementioned activities with regard to email addresses, they are processing personal data. In that case, they are subject to the GDPR.
ECLI:NL:GHAM:2002:AE5514.
 Kamerstukken II XNUMX/XNUMX, XNUMX XNUMX, XNUMX (MvT).
ECLI:NL:GHAM:2002:AE5514.