Email addresses and the scope of the GDPR
On the 25th of May, the General Data Protection Regulation (GDPR) will go into effect. With the instalment of the GDPR, protection of personal data becomes increasingly important. Companies have to take account of more and stricter rules with regard to data protection. However, various questions arise as a result of the instalment of the GDPR. For companies, it may be unclear which data are considered to be personal data and fall underneath the scope of the GDPR. This is the case with email addresses: is an e-mail address considered to be personal data? Are companies that use email addresses subject to the GDPR? These questions will be answered in this article.
In order to answer the question whether or not an email address is considered to be personal data, the term personal data needs to be defined. This term is explained in the GDPR. Based on article 4 sub a GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, particular in reference to an identifier such as a name, an identification number, location data or an online identifier. Personal data refers to natural persons. Therefore, information concerning deceased persons or legal entities is not considered to be personal data.
Now that the definition of personal data is determined, it needs to be assed if an email address is considered to be personal data. Dutch case law indicates that email addresses could possibly be personal data, but that this is not always the case. It depends whether or not a natural person is identified or identifiable based on the email address. The way persons have structured their email addresses has to be taken into account in order to determine whether the email address can be seen as personal data or not. A lot of natural persons structure their email address in such a way that the address has to be considered personal data. This is for example the case when an email address is structured in the following way: email@example.com. This email address exposes the first and last name of the natural person that uses the address. Therefore, this person can be identified based on this email address. Email addresses that are used for business activities could also contain personal data. This is the case when an e-mail address is structured in the following way: firstname.lastname@example.org. From this email address can be derived what the initials of the person using the email address are, what his last name is and where this person works. Therefore, the person using this email address is identifiable based on the email address.
An email address is not considered to be personal data when no natural person can be identified from it. This is the case when for example the following email address is used: email@example.com. This email address does not contain any data from which a natural person can be identified. General email addresses that are used by companies, like firstname.lastname@example.org, are also not considered to be personal data. This email address does not contain any personal information from which a natural person can be identified. Moreover, the email address is not used by a natural person, but by a legal entity. Therefore, it is not considered to be personal data. From Dutch case law can be concluded that email addresses can be personal data, but this is not always the case; it depends of the structure of the email address.
There is a great chance that natural persons can be identified by the email address they are using, which makes email addresses personal data. In order to class email addresses as personal data, it does not matter if the company actually uses the email addresses in order to identify the users. Even if a company does not use the email addresses with the purpose of identification of natural persons, the email addresses from which natural persons can be identified are still considered to be personal data. Not every technical or coincidental connection between a person and data is sufficient in order to appoint the data as personal data. Yet, if the possibility exists that the email addresses can be used in order to identify the users, for example to detect cases of fraud, the email addresses are considered to be personal data. In this, it does not matter whether or not the company intended to use the email addresses for this purpose. The law speaks of personal data when the possibility exists that the data can be used for a purpose that identifies a natural person.
Special personal data
While email addresses are considered to be personal data most of the time, they are not special personal data. Special personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade membership, and genetic or biometric data. This derives from article 9 GDPR. Also, an email address contains less public information than for example a home address. It is more difficult to gain knowledge of someone’s email address than his home address and it depends for a large part on the user of the email address whether or not the email address is made public. Furthermore, discovery of an email address that should have stayed hidden, has less serious consequences than discovery of a home address that should have stayed hidden. It is easier to change an email address than a home address and discovery of an email address could lead to digital contact, while discovery of a home address could lead to personal contact.
Processing of personal data
We have established that email addresses are considered to be personal data most of the time. However, the GDPR only applies to companies that are processing personal data. Processing of personal data exists of every action with regard to personal data. This is further defined in the GDPR. According to article 4 sub 2 GDPR, processing of personal data means any operation which is performed on personal data, whether or not by automatic means. Examples are collection, recording, organising, structuring, storage and use of personal data. When companies perform the aforementioned activities with regard to email addresses, they are processing personal data. In that case, they are subject to the GDPR.
 Kamerstukken II 1979/80, 25 892, 3 (MvT).