RGPD

Interpretation of the GDPR on the communication of personal data

The entry into force of the GDPR has transformed the way companies and public bodies process personal data, raising crucial questions about the communication of personal data. With growing concerns related to confidentiality and to the

Contents
Schedule a discussion

Reading time:

7 min

The entry into force of the GDPR has transformed the way companies and public bodies process personal data, raising crucial questions about the communication of personal data. With growing concerns related to confidentiality and to the protection of data, it is essential to understand how the European legal framework influences data processing practices.

This article focuses specifically on the implications of the GDPR regarding the communication of personal information, addressing fundamental questions such as: What really is personal data according to the GDPR? What would its definitions and concrete implementations be through case law ? Get ready to explore the subtleties of this essential regulation and to discover key elements that shape the current legal landscape.

If you wish to call upon a lawyer specialising in personal data law, contact me!

How to define personal data according to the GDPR?

To grasp the issues related to the communication of personal data, it is crucial to fully understand what the notion of “personal data” covers within the framework of the GDPR. According to Article 4, point 1, of this regulation, data is considered personal if it can be associated with an identified or identifiable natural person. In other words, any information that may make it possible to directly or indirectly identify a person, such as for example a first name, a surname, an address, or an identification number, falls within this definition.

This notion is broadened by case law, which states that the expression “any information” means that all data, whether objective or subjective, may be qualified as personal data provided that it relates to an identifiable person. Thus, elements specific to the physical, cultural or social identity of an individual may also be considered personal data. As case law points out in the ruling of 9 March 2017, Manni (C‑398/15), this information does not lose this qualification, even when its use takes place in a professional context.

  • The constituent elements of personal data include: Identifiers such as surnames or first names Identification numbers Email addresses Location data
  • According to the IAB Europe ruling (C‑604/22), the processing of information that allows the identification of a person represents a major legal issue.

It is essential to note that the mere fact that information is communicated in a professional context does not affect its status as personal data. The GDPR aims above all to guarantee the protection and confidentiality of personal information, regardless of its context of use. This fundamentally broad approach ensures that even in a professional world, the rights of individuals are safeguarded.

In summary, understanding the legal definitions surrounding personal data leads us to recognise the soundness of a protection of individuals against data processing practices. This leads us to explore further the scope of the notion of processing itself.

Let’s discuss your needs for 15 min!

What is the scope of the notion of data processing according to the GDPR?

To understand the implications of the GDPR on the communication of personal data, it is crucial to consider the notion of “data processing”. Article 4, point 2, of the GDPR defines processing as any operation or set of operations performed on personal data, whether it be collection, recording, storage, modification, use, or even dissemination.

This definition is not exhaustive and underlines the breadth of actions that may be considered processing. Indeed, case law has specified that even a mere consultation of data must be considered processing. It follows that almost all interactions with personal data, in any context, are governed by the GDPR.

  • The different types of processing include: The collection of information via online forms The storage of data on servers The modification of data in a database The sharing of data between several entities
  • Relying on the ruling of the General Court of the European Union (GCEU) of 29 July 2021, processing may also cover operations of publication of information that is personal in nature, even if these operations form part of a broader analysis. A lawyer specialising in software and database law can support you in bringing your data processing and storage systems into compliance.

The notion of processing becomes all the more relevant when one considers the liability of the actors. The GDPR requires controllers to adopt appropriate technical and organisational measures to protect personal data. This means that it is their responsibility to ensure not only the security of this data, but also to act in continuous compliance with the rights of the data subjects, taking into account the confidentiality of their information.

In addition, as established by case law in the “Google Spain SL and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González” case (C-131/12), the notion of processing also includes the right to be forgotten, allowing individuals to request the deletion of their data in certain circumstances. This illustrates the importance of respecting the rights of individuals when speaking of data processing.

This exploration of the scope of processing prepares us to reflect on the legal requirements that govern the communication of data, in particular within the framework of access to public documents. But before getting there, it is essential to consider how these principles manifest themselves in the daily practice of organisations.

I want reliable legal documents!

What are the legal requirements concerning the communication of data within the framework of access to public documents?

The legal requirements surrounding the communication of data are particularly relevant in the context of access to public documents. Article 6, paragraphs 1, points (c) and (e), of the GDPR addresses the lawfulness of data processing by specifying that the latter may be justified by the legal obligation to which the controller is subject or by the performance of a public interest task.

In this context, it is essential to consider the obligations incumbent on the public authorities responsible for the communication of information. According to Article 86 of the GDPR, certain personal data may be communicated in official documents, provided that this is in accordance with the relevant Union or national legislation.

  • The main requirements can be summarised as follows: Personal data must be processed in a lawful, fair and transparent manner. Controllers must ensure that the data is essential to the performance of the public interest task. An obligation to inform and consult the data subject is imposed before any communication. Member States may introduce specific provisions to guarantee compliance with the GDPR.
  • In addition, the decisions taken by the authorities must be proportionate in order to avoid excessive restrictions on the right of access to public documents.

According to case law, in particular in the case of 9 January 2025, Mousse (C‑394/23), compliance with the GDPR in the communication of data is considered an essential measure for the protection of personal data, taking into account the fundamental rights of individuals.

It is then notable that the implementation of the obligations related to the communication of data should not create disproportionate obstacles. As specified in case law, practical difficulties in informing the data subjects may justify appropriate choices when communicating data, as long as these decisions respect the framework established by the GDPR.

In conclusion, the interaction between the requirements of communication of data and the framework of the GDPR constitutes a delicate balance between transparency for the public and the need to protect individual rights. This dynamic invites continuous reflection on the application of data protection principles, especially in situations involving public documents.

To find out more, do not hesitate to consult the ruling of the Court of Justice of the European Union at the following link: https://curia.europa.eu/juris/document/document.jsf?text=&docid=297537&pageIndex=0&doclang=fr&mode=lst&dir=&occ=first&part=1&cid=1737116.

To learn more

What is personal data according to the GDPR?

Personal data is any information relating to an identified or identifiable natural person, directly or indirectly. This broad definition, set out by the GDPR, conditions the application of the regulation to a processing operation, and its interpretation is clarified by case law.

Does the GDPR govern the communication of personal data?

Yes. The communication of personal data to third parties constitutes a processing operation subject to the GDPR. It requires a legal basis, the information of individuals and respect for their rights. The European framework strictly governs these transfers in order to protect data.

How does case law clarify the notion of personal data?

Case law refines the definition of personal data by specifying, on a case-by-case basis, what makes it possible to identify a person. It sheds light on the concrete implementation of the GDPR, in particular regarding indirectly identifying data and the conditions of its communication.

On what legal basis can personal data be communicated?

The communication of data must rest on one of the legal bases of the GDPR: consent, legal obligation, legitimate interest, performance of a contract, among others. The choice of basis conditions the lawfulness of the transfer and the safeguards to be put in place.

What precautions before communicating data to a third party?

Before any communication, you must verify the legal basis, inform the data subjects, ensure the security of the transfer and frame the recipient, in particular through a contract when it acts as a processor. These precautions guarantee compliance with the GDPR.

Are public bodies concerned by these rules?

Yes. The GDPR has transformed the way companies and public bodies process and communicate personal data. Administrations must respect the same principles of lawfulness, information and security in the communication of personal data.

What is the risk of communicating data without a legal basis?

Communicating personal data without an appropriate legal basis constitutes a breach of the GDPR, liable to be sanctioned by the CNIL and to engage the liability of the organisation. The transfer of data must always be justified and framed in order to avoid these risks.

Is a lawyer useful to secure the communication of data?

A lawyer specialising in personal data law helps to qualify the data, to determine the legal basis of a communication and to frame transfers to third parties. This support secures the practices of the organisation with regard to the GDPR and case law.

Still have questions?

Our team is available!

Have a question?

Vos informations restent strictement confidentielles.
Thank you! We will get back to you shortly. If you'd like to speed things up, schedule a time with me directly here:
Schedule a 15-minute call
Oops! Something went wrong while submitting the form.
Homme en costume bleu foncé avec cravate et pochette blanche, bras croisés, regardant vers l'avant.

Ressources

Aller plus loin

00
article(s) affiché(s) sur
00

10 min

The 5 Little-Known Legal Obligations of Commercial Agents in France
Here are the five legal obligations that commercial agents must absolutely know and comply with in France.

6 min

The buzz around AI-generated Ghibli-style images: what lessons can we learn?
With the advent of new technologies, artificial intelligence has taken a monumental step forward in artistic creation. The emergence of DALL·E 3, integrated into OpenAI's ChatGPT platform, has not only captivated a broad audience with its ability to generate images of a qualit

7 min

AI ACT - Implementation
The AI Act is the very first legal framework addressing the risks of AI and enabling Europe to play a leading role on the global stage.

12 min

Offshore software development: the essential contractual clauses to secure your international project
The globalisation of the IT sector has considerably reshaped the software development landscape, with increasing reliance on service providers located abroad. This approach, commonly referred to as offshore development, offers undeniable economic and technical advantages, but

7 min

GDPR DPO: duties, responsibilities and real cost for a business
Since the General Data Protection Regulation (GDPR) came into force in May 2018, the role of Data Protection Officer (DPO) has established itself as a central pillar of digital compliance. Yet many directors of micro-businesses, SMEs and sta

3 min

The Digital Sector Targeted by the DGCCRF in 2023
In 2023, more than ever, the digital sector is at the heart of the DGCCRF's concerns.
Prendre rendez-vous
Book an appointment