Do legal persons have a right to data protection?

Do legal persons have a right to data protection?

There are many occasions in which companies hide behind data protection to avoid providing certain information. Is this always the case?

In this article we will examine whether and under what circumstances legal persons can invoke data protection law.

Do legal persons have a right to data protection?

Despite the fact that the General Data Protection Regulation (GDPR) clearly states in several of its articles that the right to data protection applies only to the data of natural persons, companies sometimes continue to invoke these grounds.

Last May, the Supreme Court definitively settled the debate on this practice by ruling on an appeal in cassation against the decision of the High Court of Justice of Catalonia (TSJC).

The High Court of Justice of Catalonia issued a ruling upholding the position taken by a private nursing home for the elderly. 

This residence had refused to provide a journalist with information about sanctions imposed by the Generalitat due to various irregularities, despite the fact that the Comissió de Garantia del Dret d’Accés a la Informació Pública de Catalunya declared the journalist’s right to access the data.

The High Court of Justice of Catalonia interpreted that “her identification, i.e. her name, that of the establishment she owns and her geographical location” must be excluded from the transparency response. In other words, any data with which the organisation can be identified, arguing that “The protection of personal data relating to the commission of administrative offences that do not entail a public reprimand is placed on the same level as data relating to ideology, trade union membership, religion, beliefs, racial origin, health and sex life, and the commission of general offences”.

The Supreme Court established that the limit to the right of access to public information in relation to administrative sanctions that do not entail a public reprimand to the offender can only be applicable to sanctioned natural persons, thus excluding legal persons. 

Similarly, by declaring that companies are not subject to data protection, it sent the transparency case back to the original chamber to assess the case on the basis of freedom of information circumventing data protection.

This confirms that companies, institutions or foundations are not subject to data protection.

In conclusion, it is argued that the decision of the TSJC errs in considering companies as holders of the right to data protection, without any legal basis to support this assertion. 

The Chamber decides to exclude access to information related to an administrative offence committed by a legal person, which results in a corresponding restriction of the right of access to public information and affects the current legal regulation. 

Furthermore, the importance and public interest of the requested information is not adequately assessed.

What information may companies not provide on data protection grounds?

Legal entities may invoke the right to data protection if they refer to the data of natural persons. This data protection applies to both customers and employees of a company or organisation, which means that work e-mail addresses containing the first name or surname of the employee or the telephone numbers of the employee’s employer must not be disclosed either. 

What about sole proprietorships? 

Sole proprietorships can be considered as the big exception to the regulation, as they will be subject to the application of personal data protection when there is a possible identification of a natural person.

Therefore, we can conclude that legal persons do not have the right to data protection as long as there are no data that allow the identification of natural persons. In Let’s Law by RSM we can provide you with our vast experience in the digital law field. So do not hesitate and contact us for any doubt that you might have.