Answer given by Ms Jourová on behalf of the Commission
21.2.2018
As recalled by the Honourable Member, the definition of personal data in Article 4(1) of the General Data Protection Regulation (GDPR)[1] is broad as it encompasses any information relating to an identified or identifiable natural person. To determine whether an e-mail address constitutes personal data it must be assessed whether the e-mail address relates to a natural person, either identified or identifiable, notably in view of all the means reasonably likely to be used by the controller or by another person to identify the natural person.[2]
Where an e-mail address uses direct identifiers of an individual (e.g. johnsmith@gmail.com), it is personal data falling within the scope of GDPR. In the absence of direct identifiers, an e-mail address may also constitute personal data when combined with other data (e.g. an address or date of birth) it relates to an individual.
Recital 14 of the GDPR clarifies that the regulation does not apply to the processing of personal data which concerns legal persons, including the name and the form of the legal person and the contact details of the legal person. An e-mail address of a legal person such as ikeacontact@ikea.com would not fall within the scope of the regulation. However, personal data of employees of the legal person, including their professional e-mail addresses, would fall within the scope of the regulation (e.g. johnsmith@ikea.sk).
The processing by a company of an e-mail address such as flower234@gmail.com which can, with other data in its possession, be related to a natural person falls under the GDPR and such e-mail address can only be disclosed to third parties in accordance with data protection rules. The ePrivacy Directive sets forth additional rules for sending marketing material to e-mail addresses.[3]
- [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
- [2] Recital 26 of the GDPR; Article 29 Working Party Opinion 04/2007 on the concept of personal data, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
- [3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37‐47, as amended by Directive 2009/136/EC of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ L 337, 18.12.2009, p. 11-36.