What is personal data under the GDPR?

Bernat López

Dec 16, 2025

    If you work with lead capture, marketing or sales, it is very likely that you have thought something like this:

    “If it’s on the internet and anyone can see it… can’t I use it?”

    The short answer is: it depends. And the reason is simple: the GDPR does not focus on whether a piece of data is “public” or “private”, but on whether that data identifies (or can identify) a person.

    Let’s make it concrete with real examples, without jargon and without beating around the bush.

    First: what does the GDPR mean by “personal data”?

    Personal data is any information that relates to an identified or identifiable natural person.

    The important part is “identifiable”. The data doesn’t have to be a “DNI” or “passport” number. If you can reach a specific person with that data, directly or indirectly, the GDPR comes into play.

    Easy (and very common) examples

    • Name and surname
    • Email (yes, even if it’s professional)
    • Phone number
    • Instagram username, if it allows someone to be identified
    • Profile picture, when it relates to a person
    • IP address (in many contexts)
    • Location data

    And be careful: a piece of data can be personal even if it does not identify anyone on its own, as long as it allows someone to be identified when combined with other data.

    So, what does it mean for a piece of data to be “public”?

    The fact that it is accessible to the public (for example, published on a website or on a social network) does not eliminate its nature as personal data.

    “Public” describes where the data is, not what it is or how it can be used.

    Think of this as a quick analogy:

    • The fact that a house has an open door does not make that house “just anyone’s”.
    • The fact that an email is visible on the internet does not mean that email comes with “no rules”.

    Professional data: is it also personal data?

    Yes, many times. This point is one of the most misunderstood.

    An email of the [email protected] type is usually linked to a specific person (name + surname or first name + job title). That makes it, in practice, personal data.

    Even when the email is more generic (for example [email protected]), it depends on the context: if there is an identifiable person behind it or if the use of the data ends up affecting someone specific, it may fall within the scope of the GDPR.

    Rule of thumb

    If you can end up saying “this information is from this person”, treat it as personal data.

    What about company data? Does the GDPR apply?

    The GDPR protects individuals, not companies as such. But in the real world, a lot of “company” data is attached to people:

    • A corporate website with a “Contact: Laura Gómez”
    • An Instagram profile of a freelancer
    • An email from a salesperson with a name and surname

    As soon as the data is associated with an identifiable person, it is no longer “just a company”.

    The big mistake: “if it’s public, I can use it”

    This is the classic mistake that causes problems (and complaints) in recruitment.

    The fact that a piece of data is public may influence some decisions (for example, the legal basis used or the reasonable expectation of the data subject), but it is not a free pass.

    With personal data, even if it is public, there are principles that always matter:

    • Purpose: be clear about what you use it for
    • Minimization: use only what is necessary
    • Transparency: don’t be evasive about who you are and why you are making contact
    • Respect for rights: for example, handling the right to object

    Quick checklist: is this personal data?

    If in doubt, ask yourself these questions:

    • Does this data refer to a real person?
    • Does it allow someone to be identified directly or indirectly?
    • Can it be combined with other data to identify someone?
    • Can my use of the data affect a specific person?

    If you answered “yes” to one or more, treat it as personal data.

    Why should you care about understanding this if you do recruitment?

    Because most legal “scares” do not come from using technology, but from using data without any basic criteria.

    In recruitment, the risk is not usually “using an email”, but:

    • using more data than necessary,
    • contacting people without transparency,
    • not handling the right to object properly,
    • or not being able to justify the legal basis for the processing.

    Closing: a useful idea to avoid making mistakes

    Under the GDPR, “personal data” does not mean “secret data”. It means “data that connects to a person”.

    And from there, what matters is not only where you got it from, but how you use it, for what purpose, and what safeguards you apply.

    This article is informational and does not constitute personalized legal advice.
