Is it possible to create data subject to the GDPR without any involvement by the person in question?

Say I email a colleague, in a professional capacity:

I have been thinking about offering John Smith, who currently works at Big Corp, a job

John Smith has had no involvement with my organisation. As far as I know, he has no idea I even exist.

Is this data now subject to the GDPR? Specifically, does John Smith now have a right of access to this information? Or even, did I need his consent to send this email?

That said, though there are plenty of separate compliance issues raised by the question, most are easily soluble. But everything is contextual. To illustrate the analytical technique used, let us reuse the example given in another answer [EDIT: apologies, on reflection I meant the clarifying comment I think was placed by the OP], the email about head-hunting John Smith without Mr Smith’s prior knowledge.

The legal-analytical starting point for all GDPR compliance is Article 30 [Disclaimer: the writer constructively is a part-owner of gdpr360. For explanation of link choice please see profile], as structurally expanded as necessary to satisfy data subject rights exercise, etc [given that such a metadata artifact is mandatory, from a commercial perspective it makes sense to formalize and reuse it to support all GDPR compliance]. I would record such activities as bundled in with (or separately as an “internal discussion” subprocess) those parts of the recruitment “super-process” whose legal basis is legitimate interests.

Extending it slightly for general interest, if Mr Smith were to be in the EU and the controller is not, the extra-EU transfer hurdle also must be overcome. In this particular case, absent Binding Corporate Rules [itself logically an expanded variant of the Article 30 artifact], the intuitively simplest approach would be to satisfy all the conditions set out in the “wash-up” final paragraph of Article 49(1). This seems likely, providing the final “safeguard” condition is satisfied – say (in US cases) Privacy Shield registration. (Notification is discussed below.)

For avoidance of doubt none of the derogations available within the GDPR is a universal palliative, despite all the snake-oil that’s been sold over the last couple of years. Everything is context-sensitive. If you have a new scenario that doesn’t comfortably fit into the analyses previously embedded into your Article 30 metadata artifact, then by definition you have a new process to analyze and record.

Notification is a separate issue. Mr Smith clearly did not supply his info directly, so it’s equally clearly an Article 14 rather than Article 13 scenario. The controller therefore technically would have one month to notify. That said, I note the GDPR, as with EU law generally, is not “tick-box” compliance but focuses on outcomes and proportionality. I therefore would regard any technical breach of Notification requirements, in zero-aggravation contexts such as the example, as extremely low financial risk in terms of either fines or compensation. GDPR is rooted in events of 15-20 years ago impacting international comity, and is drafted very widely in order to avoid emasculation-by-loophole (primarily by Member States, but also by multinational controllers), but the John Smith scenario is not one of the policy targets and so neither Supervisors nor data subjects nor Courts seem likely to be troubled by it, unless aggravated by data breach or whatever else is going on.