Do you know what type of organisation you are doing business with?
Most organisations deal with a large variety of suppliers and customers. Details of these suppliers and customers are often held in basic systems like spreadsheets or simple databases, although, more and more bespoke Customer Relationship Management (CRM) systems are being implemented.
A recent fine issued by the Norwegian Data Inspectorate (NOK 300,000, c. €30,000) reiterates that not all customers and suppliers are the same: sole traders require special treatment.
Not all organisations are the same
A registered company, though a legal person, is not a living person. This means that financial information and credit checks relating to a registered company are not personal data. Generic mailbox addresses (an info@ address, for example) are also not personal data. However, employee-specific email addresses, e.g., those of the form firstname.lastname@ the company's domain, are, as they identify an individual.
A sole trader is different from a registered company, as the commercial activities are deemed to be inextricably linked to the individual undertaking them. This is the case even if the sole trader employs other people. Therefore, any financial information, credit checks and other details relating to the sole trader (website addresses, telephone numbers, etc.) are all deemed personal data. Info@soletraderbusiness.com would likewise still be personal data, because no distinction is drawn between the individual and the business they run. The challenge here is that it may not be immediately obvious that the information being processed relates to a sole trader and thus needs to be treated as personal data.
General obligations under GDPR and ePrivacy
Under data protection laws, Data Controllers have obligations to process personal data properly. Under GDPR (Art 4(1)), personal data is defined as
“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Any processing of personal data under the GDPR requires a lawful basis. Furthermore, electronic marketing to individuals under ePrivacy laws generally requires consent. Where there is an existing relationship with an individual client or consumer, a company may engage in marketing that offers similar products or services, but must also provide an opt-out for such marketing.
|Type:|Financial Information|Generic email|Telephone number, website, address|
|---|---|---|---|
|Registered Company|Non-Personal Data|Non-Personal Data|Non-Personal Data|
|Sole Trader|Personal Data|Personal Data|Personal Data|
The case in Norway
This case revolved around the fact that a company, Odin Flissenter AS (an import company), ran a credit check on an organisation with which it was doing business. However, this organisation was not a registered company but a sole trader, and therefore the information the company was accessing was in fact personal data.
The Norwegian Data Inspectorate deemed the processing not to have had an adequate lawful basis and therefore breached the rights, under data protection law, of the individual acting as a sole trader. This error was deemed serious enough to warrant a fine of almost €30,000.
What to take away from this case?
Not all organisations with which you may be doing business are equal. You must take steps to identify individuals and sole traders and treat their data in a manner that meets your obligations as a Controller under data protection laws. This means:
- Training your staff to ensure they understand that not all data is treated in the same way;
- When engaging with a new client or supplier, verify their organisational status from the outset;
- Record this data within your CRM (or other record management systems).
Where a sole trader is identified:
- Ensure you have a lawful basis for processing their data;
- Where you have received their data from a third party, ensure you comply with Article 14 of the GDPR where applicable, and notify them of how their data was obtained and what it will be used for;
- Review your standard procedures to ensure their personal data is handled correctly;
- Ensure their data is safe and secure and that you can demonstrate the measures you have taken in this regard;
- Ensure you comply with the regulations in relation to electronic marketing being sent to individuals. This usually requires consent and always requires providing an opt-out;
- Have a process to review their data on a regular basis to ensure it is up-to-date and accurate;
- Provide them with the necessary information in privacy notices setting out how and why their data will be processed, as well as reminding them of their rights.
There are quite a number of items to address, but if you require assistance reviewing your records or establishing processes to handle such data correctly, our advisors would be happy to work with you. We can also provide staff training as needed.