Specific situations

• Author: David Zetoony
• Profession: Is a partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
• Pages: 153-160

153

specIfIc

sItUAtIons

Q.156 WHAt ARe tHe MAIn ReQUIReMents

tHAt tHe GDpR IMposes WHen A

coMpAny coLLects GeneRAL BUsIness

contAct InfoRMAtIon?

As is discussed in Q 19, business contact information is considered “per-

sonal data” under the GDPR and, as a result, is governed by the regula-

tion when it is kept in a ling system or in a structured form.

The following are the main requirements within the GDPR that apply

to a company that collects business contact information:

1. Permissible Purpose. As is discussed in Q 30, there are six permis-

sible purposes for the collection and processing of information.

Most companies rely either upon a business contact’s consent or

their company’s legitimate interest in maintaining business contact

information. If your company relies upon the latter, it is important

to consider whether you have a “legitimate interest” in each type of

data collected about a contact. For example, you may have a stron-

ger business interest in keeping information about how to contact

them (e.g., their e-mail address) than you do in keeping information

about their health (e.g., notes concerning recent medical conditions

or treatments).

2. Data Minimization. The GDPR permits you to retain personal

data for “no longer than is necessary for the purposes for which

the personal data are processed.”282 As a result, if you no longer

need business contact information you should consider deleting or

removing it. For example, if you collected the name and contact

282. GDPR, Article 5(1)(e).