GDPR lays down rights for private individuals, which means that a legal person (e.g. a company) living/based in Europe basically have no rights to claim according to EU law.
However, I have seen terms and conditions agreements between companies (that is, both parties are companies) where one or the other guarantees the other GDPR rights.
From a pure business standpoint, I don’t understand why a company would do that, since that would entail that the company making the guarantee puts itself at a greater risk for penalty fees.
I’m wondering why a company would take on responsibility for protecting another company’s “personal” data like that. Is it because of trust from the other company’s employees or customers? Or is it just a sort of hedge clause to make sure the company making the guarantee never would break the rules of GDPR?
I would love to hear any thoughts or insights on this.
Thank you!
I don’t think one company can guarantee GDPR rights. EU GDPR is the most robust privacy laws in the world and mainly affects those who live in the EU. It sets new standard for data collection, storage and usage among company that operates in europe. It gives people new rights to access and control their data in the internet. It also requires companies to explain clearly how your data is stored and used and make sure to get your consent before collecting it. And in addition also give users the right to be forgotten or the right to delete their information online. Under GDPR those rights are guaranteed. EU regulators enforce GDPR.
I understand that companies are not entitled to GDPR rights at the same level as private individuals.
However, there’s always the possibility that a company can guarantee the other party GDPR rights, by contract, as if the other party were a data subject (like a private individual is according to GDPR). A party can almost always commit to rules or legislation it otherwise wouldn’t have to according to freedom of contract.
My question is (and it might be unnatural to presuppose a question like this) why a company would commit to comply with GDPR rules also in regard for companies as well as private individuals, even though they don’t have to.
My question was related to a business-to-business relation.
haraldlk - this does not make any sense for a company to agree to process, protect, use, etc. the other company’s “personal information” according to GDPR
First question would be what constitutes personal data of a company? GDPR does not provide the answer.
Secondly, historically and legally companies were created by individuals as go-to-market fiction vehicles so that those individuals can hide inside that fiction vehicle. What is inside the vehicle is private but what is outside is public. It is an interface through which a company communicates with the market. For that purpose of communication which by definition is based on trust we have public registers of companies where a lot of their data can be reviewed by anyone. You do not have similar official open data registers of individuals in Europe. That is why company’s data is not protected by privacy regulations and individual data is.
A contract to protect company’s data according to GDPR would not make any sense and would be unenforceable. A company cannot offer data protection if that data is in public domain.