In a recent Position, the Bulgarian Commission for Personal Data Protection (“BCPDP“) has elaborated on whether an e-mail and a mobile phone number fall within the concept of “personal data”. The analysis was carried out at the request of the Ombudsman of the Republic of Bulgaria in connection to some proposed amendments to the Bulgarian Road Act. However, the Position adopted by the CPDP is general and not only in the context of the bill under discussion.
By its official Position, the regulator stipulated that an e-mail and a mobile phone number are, in principle, covered by the concept of personal data. The BCPDP’s reasoning is based on the argument that it is possible to individualize a specific person directly or indirectly through these categories of data. Yet, the BCDPD does not provide any criteria if that would always be the case and respectively, will the application of the General Data Protection Regulation (the “GDPR”) be always mandatory.
However, a careful review of the Position points to the conclusion that an e-mail address is to be considered personal data if it allows the identification of the individual. As an example, the BCPDP confirms that an e-mail address that contains names (e.g. firstname.lastname@example.org) is personal data. It should be therefore concluded that the processing of e-mails which do not allow identification of the person will not fall within the scope of the GDPR.
The BCPDP does not provide such a differentiation with respect to the processing of mobile phone numbers. It could therefore be wrongfully concluded that telephone numbers are always personal data. Of course, that would be contrary to the GDPR. The latter requires that the data allow identification of the individual, considering all objective factors, such as the cost and amount of time required for identification, the technologies available at the time of data processing and technological developments. It is therefore unreasonable to assume a person can be identified solely based on an available phone number in the absence of any other data (unless we have access to the database of the respective mobile operator).
Of course, the assessment of whether the information constitutes personal data should be carried out through a comprehensive analysis of all relevant facts and circumstances. The collection of additional information to the already available telephone number or e-mail address will logically facilitate the individualization of the person, hence the GDPR will most likely always apply in such cases.
For further information contact:
Mileslava Bogdanova – Misheva, Senior Associate