Personal Data Also Protected in the Professional Context – ECJ C-710/23
With its ruling of April 3, 2025, the European Court of Justice strengthened data protection in the professional context as well (Case C-710/23). The ECJ declared that the personal data of company representatives appearing in the course of business activities also enjoy full data protection.
Fundamentally, the right to informational self-determination applies. This is true not only for the private but also for the professional sphere. The ECJ made clear that the personal data of managing directors and other representatives of a company fall under the General Data Protection Regulation (GDPR). For companies and authorities, this entails increased requirements for data protection, according to the law firm MTR Legal Rechtsanwälte, which also advises on data protection law.
Personal Data Anonymized
The underlying procedure before the ECJ concerned a legal dispute from the Czech Republic. Here, a citizen requested access to contracts regarding the purchase of COVID-19 tests along with accompanying certificates. The documents contained, among other things, names, signatures, and professional contact details of the persons representing the authority. The authority refused disclosure and redacted the names, signatures, and positions in the documents, citing that these are personal data whose protection takes precedence.
The case ultimately reached the ECJ, which was to clarify whether such “professional” information actually constitutes personal data and whether authorities can be obliged under national law to hear the affected persons before disclosure, even though the General Data Protection Regulation (GDPR) does not expressly require this.
Comprehensive Scope of the General Data Protection Regulation (GDPR)
The ECJ first clarified that names, signatures, and professional contact details of natural persons acting for legal entities undoubtedly constitute personal data within the meaning of Art. 4 No. 1 GDPR. The scope of the GDPR is deliberately broad and includes all information relating to an identified or identifiable natural person. The fact that the data arise in a professional context does not change this, the judges in Luxembourg stated.
Anyone designated as authorized to represent in contracts or official documents is identifiable and therefore protected, the ECJ further explained. The disclosure of such data to third parties constitutes a form of data processing within the meaning of Art. 4 No. 2 GDPR, more precisely a ‘disclosure by transmission.’ Consequently, any disclosure requires a legal basis under Art. 6 GDPR.
Data Security and Protection
In an increasingly digitalized working environment, data security in the professional context is becoming ever more important. The General Data Protection Regulation (GDPR) of the European Union and the Federal Data Protection Act (BDSG) form the central basis for the protection of personal data in Germany and all EU member states. Companies and institutions are obliged to exercise the utmost care when processing personal data and to implement appropriate technical and organizational measures to ensure data security.
Key protective measures include, for example, the encryption of emails, the controlled use of cookies on websites, and protection against unauthorized access through modern IT security solutions. Compliance with these requirements is not only a legal obligation but also a crucial factor for the trust of customers, business partners, and employees. The privacy and informational freedom of the affected persons always remain central to data protection.
In Germany, monitoring compliance with data protection laws is the responsibility of the Federal Commissioner for Data Protection and the State Data Protection Officers. They advise companies and public bodies, control the application of the regulations, and can impose fines in case of violations. At the European level, the European Commission oversees the uniform application of the General Data Protection Regulation in all member states. The Court of Justice of the European Union is responsible for interpreting data protection law and ensures legal certainty and uniform standards throughout the EU with its rulings.
Data subjects have extensive rights under the GDPR: they can request information about the processing of their personal data, demand correction or deletion, and complain to the competent supervisory authorities in case of data protection violations. Courts and the Court of Justice of the European Union ensure that these rights are enforced and that the principles of data protection are applied in practice.
The consistent implementation of data security and data protection is not only a legal obligation for companies and institutions but also an important contribution to protecting privacy and strengthening trust in the digital economy of the European Union. Compliance with the General Data Protection Regulation and the Federal Data Protection Act is therefore indispensable for all actors in the professional environment.
Right to Information and Data Protection
In the second step, the CJEU dealt with the question of how this data protection can be reconciled with the public’s right of access to official documents. Article 86 GDPR explicitly grants Member States the discretion to align the fundamental right of access to information with the protection of personal data. Against this background, the CJEU clarified: National legislators or courts may provide that authorities must inform and consult the affected persons before disclosing their data. Such additional procedural obligations are compatible with the GDPR as long as they are proportionate and do not excessively hinder the right of access to documents.
The ruling has far-reaching consequences for data protection practice in other EU Member States as well. First, it makes clear that professional data such as names, signatures, and business contact details are fully subject to data protection and must be protected accordingly. Companies or authorities cannot claim that such data are “neutral company information.” Any processing, whether storage, publication, or disclosure, must be based on a solid legal ground. For example, there may be a legal obligation to publish, e.g., in the imprint or commercial register. If no legal obligation exists, a careful balancing of interests must be conducted to determine whether there is a legitimate interest in publication.
Compatibility of Transparency and Data Protection
Authorities and companies should examine whether the publication of data is necessary or whether an anonymized version, for example by redacting the data, is sufficient to fulfill the purpose of access to information.
The judgment strengthens data protection in the professional context without disproportionately restricting freedom of information. Authorities or companies face the task of justifying every disclosure of personal data, carefully weighing the interests involved, and making this documented. Transparency and data protection must be harmonized through structured procedures.
MTR Legal Attorneys provide comprehensive advice on data protection.
Please feel free to contact us!
