Does GDPR apply to your personal contacts and address book?


We all use our computers and phones to store and use each others email addresses and phone numbers, but how is that affected by GDPR?

Is your address book in scope?

The test for whether data is in-scope for GDPR is this:

Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.

By that measure, a contact card held on your company computer is within scope as it obviously identifies a living individual.

On what lawful basis are you storing and processing contact data?

Given that is that case, by what lawful means are you holding and processing that contact data? You have six choices under Article 6:

  1. By Consent (which you request and record)
  2. Due to a Contract: to process a contract with an individual
  3. A Legal obligation: in order to comply with the law itself
  4. Vital interests: to protect someone’s life
  5. Public task: an official public interest
  6. Legitimate interests: a ‘balance tested’ judgement between the interests of the organisation, and the interests of the individual

For most people exchanging business cards the reason might be option 6, as you and your firm have a legitimate interest in being able to contact the individual to carry out your day-to-day work.

Knowing your GDPR rights

This doesn’t though escape you from the other obligations of GDPR to give the individuals who are in your address book their rights to:

  • Be informed you have them in your address book, and for what purposes you process their data, and to understand any third parties who might access their data and to know about any transfer of their data outside the EU
  • Are able to request access to the data you hold on them
  • Can request rectifications to the data
  • Can ask for it to be erased
  • Can ask you to restrict the purposes to which their data is processed
  • Can you ask for an electronic copy of the data you hold
  • Can object to you holding their data for some purposes

Emailing everyone in your address book for consent?

One way of complying with GDPR means sending an email to every single person in your address book to either get consent for you to hold and process their data, and to explain how they exercise their rights under GDPR.  Imagine the unimaginable number of emails flying around where we all email each other on GDPR?

Alternatively it seems from looking at GDPR you could use the “legitimate interests” basis to justify holding someones business card details but perhaps we should all make a comment upon exchanging business cards to ask if it is ok to store their details on your electronic devices for day-to-day business purposes. I spoke to the UK ICO on this and they felt that a verbal consent was appropriate, but didn’t opine on how to record that consent and the purposes for which the consent was given.

Going beyond day-to-day contact

And then of course if you were to add their details to a marketing distribution list, you would have gone beyond an assumed consent (for day-to-day business purposes) into an area which under GDPR would really need an extended and explicit consent. It’s reasonable to expect that if I hand you my business card we remain in touch personally, that’s all it’s for. BUT, if you then add my email address to your company marketing list and I begin to receive emails for a new purpose (such as advertising your latest widget), that wouldn’t necessarily be justified by your ‘legitimate interest’ outweighing my rights, and ought to involve my consent for that purpose. (In my opinion)

Exercising your rights

Over-arching all this are the GDPR rights above, even if you just add me to your address book I still need to know how to exercise my GDPR rights. One solution might be for every firm to provide a GDPR request form on their website to cover the above rights, such as asking what data is held on you, or asking for a copy of the data, or making a correction. The difficulty is that large firms will need to know all the places inside their firm that your data might be held, and be able to respond accordingly.  If you work in a large global organisation the IT department may argue they should be able to dip into everyones address books to grab any data to meet a GDPR access request.

In summary

  • Your business address book is in scope for GDPR
  • You need to tread carefully on the purposes you use the address book for
  • Day-to-day contacts are expected, but adding people to a marketing list may need consent
  • Providing a way for someone to exercise their GDPR rights must be part of every firms compliance plan

What are your plans for this scenario? Let me know in the comments.