In its paper published on 30 June 2020, the Data Protection Authority (“DPA”) expressed the view that the data of management board members representing a legal person are protected by the GDPR as the data of natural persons who are identifiable by using data disclosed in the National Court Register.
Thus, according to the DPA, personal data controllers (e.g. contractors entering into an agreement with a legal person represented by a board member) are obliged to comply with the information obligation under Article 13 or Article 14 of the GDPR toward board members representing the legal person. This information obligation should also be fulfilled with respect to proxies of legal persons and employees who are contact persons for a legal person.
How does this look in practice?
In practice, when concluding agreements with legal persons since as early as 25 May 2018, many entities on the market have been informing persons representing these entities (management board members, proxies) and contact persons specified in the agreement by placing an appropriate information clause in the form of an annex to these agreements. Thus, the DPA’s position does not appear surprising at first sight.
What do the GDPR regulations say?
Nevertheless, according to some specialists, the DPA’s view appears controversial. They point to the wording of Recital (14) of the GDPR, according to which “the Regulation does not apply to the processing of personal data relating to legal persons, in particular to companies that are legal persons, including data on the company and legal form and contact details of the legal person” and argue that GDPR provisions do not apply to data required to identify a legal person in business transactions. However, the DPA emphasises that, in its view, the data of management board members do not fall within the notion of data of a legal person referred to in the recital.
Therefore, entities that, when implementing the GDPR, decided not to fulfil the information obligation towards management board members representing legal persons, and that do not wish to expose themselves to possible objections from the supervisory authority, should consider changing their practice in this respect and drawing up an information clause to be attached to their agreements.
When does the information obligation not need to be fulfilled?
It is worth remembering, as the DPA also indicates, that the data controller will not be obliged to fulfil the information obligation if one of the prerequisites releasing it from this obligation is met.
These conditions are indicated in Articles 13 and 14 of the GDPR. One of them is that the data subject already has information on the processing of his or her data. However, the DPA does not explain in what specific situations the controller could benefit from this exemption. These provisions require the controller to provide the data subject with detailed information on the processing of his or her personal data, for example on recipients to whom the data are transferred and the duration of the data storage period. It would, therefore, be insufficient for the controller to consider that a board member already has information on how his or her data are processed merely because he or she knows that the data have been transferred to the controller in connection with the conclusion of an agreement. Indeed, a board member does not have detailed information related to the processing of his or her data (e.g. recipient of the data, storage period, possible transfer of data outside the EEA). It appears that the use of such an exemption could be justified in the case of permanent cooperation between entities. However, in practice, this would entail difficulties for the controller, who would have to ensure, for example, that there is no change in the management of the contractor, which would entail the need to fulfil the information obligation towards the new management board member when concluding a subsequent agreement.