When a company is set up, the Trade Register processes a series of data necessary for the registration process to function properly. These include the contact details of the administrator, which in some cases, increasingly common ones, coincide with his personal details. This raises the following question: how is a legal person distinguished from a natural person when data such as the company’s registered office or telephone number are identical to the personal data of the administrator?
Once the company is established, the personal data of the administrator loses its personal character because, under the law regulating the activity of the Trade Register, that data becomes public and can be accessed by any person who has an interest in it and requests an information extract from the ONRC or from other authorized institutions that can issue such data.
However, the personal data of the administrator, although it becomes public, cannot be used other than in relation to his capacity as administrator (to contact the company, to transmit a contract offer, etc.), and cannot be processed for purposes other than this (e.g. to transmit advertisements, to include the address in a database to be sold, etc.).
Therefore, the personal data of the administrator remains “personal” only in those situations where its processing is no longer related to the commercial activity of the company he manages, the administrator assuming that, by participating in the economic life of the company, that data will become public.
Moreover, the Working Party 29, which was actively involved in the creation of the Protection of Individuals with regard to the Processing of Personal Data and was established by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, defines and explains in detail the concept of the Directive and mentions:
“The protection conferred by the provisions of the Directive applies to natural persons, i.e., human beings. The right to the protection of personal data is, in this sense, a personal right which is not restricted to nationals or residents of a particular country. Argument 2 of the Directive makes this explicitly clear and states that: “data processing systems are at the service of the individual” and that they “must, irrespective of the nationality or residence of natural persons, respect their fundamental rights and freedoms”. The concept of the natural person is mentioned in Article 6 of the Universal Declaration of Human Rights, according to which “everyone everywhere has the right to be recognized as a person before the law”. Legislation in the Member States, usually in the field of civil law, emphasizes more clearly the concept of the personal trait of human beings, which is understood as representing the capacity to be subject to legal relationships, starting from birth and ending with death. Personal data are therefore data relating, in principle, to identified or identifiable living persons.”
With regard to legal persons, the Working Party formulates the following:
Given that the definition of personal data refers to individuals, i.e., natural persons, information relating to legal persons is in principle not covered by the Directive and the protection granted by the Directive does not apply to them. However, some provisions of the Privacy Directive 2002/58/EC do extend towards legal persons. Article 1 of the Directive states that “paragraph 2. The provisions of this Directive explain and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they are intended to ensure the protection of the legitimate interests of legal person subscribers”. In consequence, Articles 12 and 13 extend the application of certain provisions on subscriber lists and unsolicited communications to legal persons.
The European Court of Justice has clarified that nothing can prevent Member States from extending the scope of the national legislation by implementing the provisions of the Directive to areas outside its scope, provided that nothing else in Community law prevents this. As a result, Member States such as Italy, Austria and Luxembourg have extended the application of certain provisions of the national law under the Directive (such as the provisions on security measures) to the processing of data relating to legal persons.
As in the case of information on deceased persons, the practical arrangements established by data controllers may also result in data relating to de facto legal persons being subject to data protection provisions. Where the data controller collects data on natural or legal persons separately and includes them in the same dataset, the data processing mechanisms and the control system may be designed to comply with data protection provisions. In fact, it may be easier for the controller to apply the data protection provisions to all types of information contained in its files, rather than trying to separate information relating to individuals from that relating to legal persons.
In view of the above, in the situation where a controller finds contact details on various online platforms owned by private traders, the following considerations are taken into account:
There are some platforms, such as the ONRC, which are obliged by law to publish these personal data. Beyond this, there are other online platforms that provide economic and statistical data about certain companies, which in turn can take the data from the ONRC and enter it into their own database. However, most of the well-known platforms in Romania state in their Terms and Conditions that the processed data are used strictly for statistical and informational purposes, and require users not to take that information and use it for other purposes (advertising, inclusion in a database, etc.). Therefore, these platforms have a legal basis for processing data, as long as they comply with GDPR principles and the data are not used to make a profit from publication on their own platforms, but only to provide the general public with personal data necessary for general information purposes.
In conclusion, any data subject is protected by Regulation 679/2016 on the protection of natural persons, through the principles that govern it (Art. 5 of the Regulation) as well as through the purposes that allow the processing of personal data (Art. 6 of the Regulation). Thus, administrators will be protected by the Regulation whenever their personal data, although made public according to the law, is processed for a purpose other than that which coincides with the activity of the company to which they belong. Any processing of personal data that is not based on one of the purposes provided for in Article 6 of the Regulation constitutes unlawful processing and may be sanctioned by the National Data Processing Supervisory Authority.