This is a repost of the original article published on LinkedIn on July 21, 2018. https://www.linkedin.com/pulse/gdpr-disclosing-professional-personal-data-duty-maciej-gawronski/
When an institution (a firm, a public body…) discloses data of their staff (board members, employees, proxies, subcontractors…) to another institution, it is questionable if information duty from article 13 or 14 of the EU General Data Protection Regulation (GDPR) applies.
Such data, in particular professional contact data (name, position, email, phone number) have dual nature. As long as there are used to communicate with the disclosing institution for the intended purpose of the disclosure, they are “personal” data of that institution. However, when you use them for other purposes (direct marketing even addressed to that institution, offering financial services to an individual, etc) they are being used as “regular” personal data.
Data Protection Working Party at the Polish Ministry of Digitalisation works on a reasonable interpretation of the situation and applicable law (taking into consideration recital 14 of the GDPR This Regulation does not cover the processing of personal data which concerns legal persons…). But until the situation is clear, the simplest way to deal with it might be to include the following clause in an agreement or even in general terms and conditions:
Disclosing Staff’s Professional Data
The Party informs members of their staff about disclosing such members professional data to the other Party to the extent required to release the receiving Party from information duty resulting from Article 14 of the GDPR.
There may be more variations of transferring the information duty. One may ask, if such declaration accounts for sufficient demonstration of compliance in the meaning of Article 5.2 and 24.1 of the GPDR. You may question if such “disclosed” employee would know contact details of a receiving party data protection officer. But we need to apply some basic common sense. If your employer tells you who received your data, you can check their website for their DPO contact details, and where to look for them and what rights you have, you should know from a data protection training you should receive from your employer.
Of course this is not an ideal solution. The ideal solution is to confirm that no information duty applies as long as “professional” personal data are concerned, disclosure is by an authorised party for a professional purpose and the use does not extend beyond that professional purpose.