Will the General Data Protection Regulation make business cards a thing of the past?
It is believed that business cards, seemingly such a 20th-century phenomenon, were first used in China back in the 15th century and had reached Europe by the 17th century. Despite their antiquity, they continue to play an important role in the business world. Cards are still a simple, easy, rapid and inexpensive way for professionals to exchange their contact details. However, even though business cards have endured for over 6 centuries, we raise the question: could their days be numbered from 25 May 2018, when it will be compulsory to comply with the terms of the GDPR?
Curiously, and odd as it may seem to many, the GDPR, unlike the current Spanish data protection regulations (the Personal Data Protection Law and its implementing Regulation), covers the contact information of natural persons providing services in legal entities and the details of individual entrepreneurs (full name, position or post, postal or email address, professional telephone and fax numbers).
What will this mean? Collecting information (such as taking a business card), which at present is not considered personal data processing, will become that very thing from 25 May 2018. Not only will that processing have to be covered by a legal basis, but the data controller, that is, the person who takes the card if he or she does so within the framework of their professional activity, will be required to inform the person handing over the card of all the relevant points contained in article 13 GDPR.
While it is true that the question of the legal basis for processing seems to be resolved by the terms of article 19 of the LOPD bill, which allows this processing on the legal basis of the legitimate interest of the data controller, there is nothing specific regulating the duty to inform.
If the current wording of the draft LOPD bill is retained, it may well be considered that every time we collect data from a data subject through, in this case, business cards, we would be required to inform that person of the personal data processing that we propose to carry out, mentioning all the points contained in article 13 GDPR (the controller's identity and contact details, purpose of the processing, legal basis, retention period, rights and much more). Given the amount of information to be provided, this would make exchanging business cards impractical.
And business cards are not the only problem: the same reasoning can be extrapolated to any data collection carried out by entrepreneurs or professionals. It would entail notifying data subjects of an enormous amount of information which, unless appropriate mechanisms are put in place, will make many relations and practices that until now were notable for their ease and simplicity practically impossible. There is currently talk of information layers, rather like those used for cookies, in order to comply with the duty to inform, but other solutions will probably have to be developed in this regard.
Therefore, it is quite likely that, unless the LOPD draft exempts entrepreneurs and professionals from the duty to inform when processing the data on them, our much appreciated and at times supremely enviable business cards (if in doubt, just ask Patrick Bateman in American Psycho) will be subjected to a viability analysis the like of which has never been seen until now. The development of identification exchange applications could be one way of solving the problem, as cards could be exchanged with the legally required information attached. All imaginative proposals welcome!
Alejandro Padín, counsel of Corporate Department in Madrid.