Poland’s Supreme Administrative Court issued a ruling clarifying whether a phone number constitutes personal data under GDPR, impacting marketing practices and privacy.
Phone Number as Personal Data: A Landmark Ruling
The question of whether a phone number qualifies as personal data has been settled by a landmark ruling from the Supreme Administrative Court (NSA). The President of the Office for Protection of Personal Data (UODO) previously held a different view, but the NSA’s decision offers a more nuanced perspective.
The case stemmed from a complaint about unsolicited marketing calls, specifically an offer for a free hotel stay. Despite a request to remove data and cease contact, the individual received another call the following day.
The Core of the Dispute: Identifying Individuals
The central issue was whether a phone number alone is sufficient to identify an individual and thus trigger GDPR protections. The NSA’s ruling addresses this directly.
Key GDPR Definition and Context
The NSA based its decision on Article 4(1) of GDPR and recital 26, emphasizing that not all information enabling contact automatically identifies a natural person. The court stressed that the potential for indirect identification depends on a data controller’s ability to combine the number with additional information.
According to Ewa Knapińska, a lawyer at LBKP, the ruling confirms the relative and contextual nature of the definition of personal data, considering “reasonably likely methods,” cost, technology, and legality.
Context and Real Identification Possibilities Matter
The NSA determined that “the mere possibility of making a telephone call does not constitute the possibility of identifying the owner of the telephone number.” The court established that the company lacked the means to definitively link the number to a specific individual.
In practice, simply possessing a phone number is insufficient to classify it as personal data; administrators must assess their ability to assign it to a specific person, considering available resources, technologies, and costs.
Practical Implications for Businesses
Ewa Knapińska of LBKP notes that the ruling introduces necessary precision to the discussion, moving away from a binary approach. It clarifies that a phone number doesn’t have a fixed legal status.
The NSA did not declare that a phone number is *never* personal data, but rather that it cannot be assumed automatically – an assessment is required in each specific case.
When Does a Phone Number Fall Under GDPR?
If a phone number is not considered personal data in a given case, GDPR does not apply, eliminating the need for an informational obligation. However, this can change if the number is later linked to additional identifying information.
The situation changes immediately when a number is combined with other information, such as a CRM entry, email address, or contact history.
Marketing and Continued Caution
Companies and marketing departments must remain cautious. The ruling does not legalize cold calling.
Ewa Knapińska emphasizes that the ruling should not be interpreted as consent for unrestricted telemarketing. Obligations under electronic communications regulations still apply, requiring consent for marketing contacts, and violations can result in significant financial penalties – up to 3% of annual revenue.
