GDPR
The entry into force of the GDPR has transformed the way companies and public bodies process personal data, raising crucial questions about the communication of personal data. With growing concerns about confidentiality and data protection, it is essential to understand how the European legal framework influences data processing practices.
This article focuses specifically on the implications of the GDPR for the communication of personal information, addressing fundamental questions such as: What really is personal data according to the GDPR? How is it defined and concretely implemented through case law? Get ready to explore the subtleties of this essential regulation and to discover the key elements that shape the current legal landscape.
If you wish to call upon a lawyer specialising in personal data law, contact me!
To grasp the issues related to the communication of personal data, it is crucial to fully understand what the notion of “personal data” covers within the framework of the GDPR. According to Article 4, point 1, of this regulation, data is considered personal if it can be associated with an identified or identifiable natural person. In other words, any information that may make it possible to identify a person directly or indirectly, such as a first name, a surname, an address, or an identification number, falls within this definition.
This notion is broadened by case law, which states that the expression “any information” means that all data, whether objective or subjective, may be qualified as personal data provided that it relates to an identifiable person. Thus, elements specific to the physical, cultural or social identity of an individual may also be considered personal data. As case law points out in the ruling of 9 March 2017, Manni (C‑398/15), this information does not lose this qualification, even when its use takes place in a professional context.
It is essential to note that the mere fact that information is communicated in a professional context does not affect its status as personal data. The GDPR aims above all to guarantee the protection and confidentiality of personal information, regardless of its context of use. This fundamentally broad approach ensures that even in a professional world, the rights of individuals are safeguarded.
In summary, understanding the legal definitions surrounding personal data leads us to recognise the soundness of protecting individuals against data processing practices. This leads us to explore further the scope of the notion of processing itself.
To understand the implications of the GDPR on the communication of personal data, it is crucial to consider the notion of “data processing”. Article 4, point 2, of the GDPR defines processing as any operation or set of operations performed on personal data, whether it be collection, recording, storage, modification, use, or even dissemination.
This definition is not exhaustive and underlines the breadth of actions that may be considered processing. Indeed, case law has specified that even a mere consultation of data must be considered processing. It follows that almost all interactions with personal data, in any context, are governed by the GDPR.
The notion of processing becomes all the more relevant when one considers the liability of the actors. The GDPR requires controllers to adopt appropriate technical and organisational measures to protect personal data. This means that it is their responsibility not only to ensure the security of this data, but also to act in continuous compliance with the rights of the data subjects, taking into account the confidentiality of their information.
In addition, as established by case law in the “Google Spain SL and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González” case (C-131/12), the notion of processing also includes the right to be forgotten, allowing individuals to request the deletion of their data in certain circumstances. This illustrates the importance of respecting the rights of individuals when speaking of data processing.
This exploration of the scope of processing prepares us to reflect on the legal requirements that govern the communication of data, in particular within the framework of access to public documents. But before getting there, it is essential to consider how these principles manifest themselves in the daily practice of organisations.
The legal requirements surrounding the communication of data are particularly relevant in the context of access to public documents. Article 6, paragraph 1, points (c) and (e), of the GDPR addresses the lawfulness of data processing by specifying that processing may be justified by a legal obligation to which the controller is subject or by the performance of a task carried out in the public interest.
In this context, it is essential to consider the obligations incumbent on the public authorities responsible for the communication of information. According to Article 86 of the GDPR, certain personal data may be communicated in official documents, provided that this is in accordance with the relevant Union or national legislation.
According to case law, in particular in the case of 9 January 2025, Mousse (C‑394/23), compliance with the GDPR in the communication of data is considered an essential measure for the protection of personal data, taking into account the fundamental rights of individuals.
It is also worth noting that the implementation of the obligations related to the communication of data should not create disproportionate obstacles. As specified in case law, practical difficulties in informing the data subjects may justify appropriate choices when communicating data, as long as these decisions respect the framework established by the GDPR.
In conclusion, the interaction between the requirements of communication of data and the framework of the GDPR constitutes a delicate balance between transparency for the public and the need to protect individual rights. This dynamic invites continuous reflection on the application of data protection principles, especially in situations involving public documents.
To find out more, do not hesitate to consult the ruling of the Court of Justice of the European Union at the following link: https://curia.europa.eu/juris/document/document.jsf?text=&docid=297537&pageIndex=0&doclang=fr&mode=lst&dir=&occ=first&part=1&cid=1737116.
To learn more
Personal data is any information relating to an identified or identifiable natural person, directly or indirectly. This broad definition, set out by the GDPR, conditions the application of the regulation to a processing operation, and its interpretation is clarified by case law.
Yes. The communication of personal data to third parties constitutes a processing operation subject to the GDPR. It requires a legal basis, informing the individuals concerned and respecting their rights. The European framework strictly governs these transfers in order to protect data.
Case law refines the definition of personal data by specifying, on a case-by-case basis, what makes it possible to identify a person. It sheds light on the concrete implementation of the GDPR, in particular regarding indirectly identifying data and the conditions of its communication.
The communication of data must rest on one of the legal bases of the GDPR: consent, legal obligation, legitimate interest, performance of a contract, among others. The choice of basis conditions the lawfulness of the transfer and the safeguards to be put in place.
Before any communication, you must verify the legal basis, inform the data subjects, ensure the security of the transfer and regulate the relationship with the recipient, in particular through a contract when it acts as a processor. These precautions guarantee compliance with the GDPR.
Yes. The GDPR has transformed the way companies and public bodies process and communicate personal data. Administrations must respect the same principles of lawfulness, information and security in the communication of personal data.
Communicating personal data without an appropriate legal basis constitutes a breach of the GDPR, liable to be sanctioned by the CNIL and to engage the liability of the organisation. The transfer of data must always be justified and regulated in order to avoid these risks.
A lawyer specialising in personal data law helps to qualify the data, to determine the legal basis of a communication and to regulate transfers to third parties. This support secures the practices of the organisation with regard to the GDPR and case law.