
What are your GDPR and data privacy obligations when exchanging business cards?

We all exchange business cards on a regular basis. It is encouraged and expected in work-related settings, not least at the outset of most meetings and during networking events. Indeed, no doubt many of the readers of this article will have collected and shared various IGAL members’ cards at mid-term and AGM conferences. The purpose of sharing business cards is, put in simplest terms, to facilitate the development of relationships, most frequently in a business setting. In essence, a data subject passes his/her personal data to another with the intention that s/he will use the data to contact them.


With the heightened scrutiny surrounding data privacy, particularly in light of the General Data Protection Regulations (“GDPR”), this begs the question: what data privacy obligations, if any, arise when someone passes you their business card and thereby their personal data? For example, might it be said that your legal obligations extend to providing the data subject with a GDPR-compliant privacy notice setting out (amongst other things) what you will do with his/her personal data and your legitimate interest(s) in doing so? Although this may seem a little onerous and unrealistic, is it technically what you and your employees ought to be doing?

You will be relieved to learn that the GDPR is not quite so draconian as to require you to carry around a bundle of privacy notices at all times on the off chance that someone provides you with his/her business card. The fact that the exchange takes place in a business context is relevant here. When providing a third party with your business card, it is reasonable to expect that s/he will use your details to make contact. This could be for a specific purpose, such as a particular matter or transaction, or for direct marketing. In a business-to-business scenario there is no need to obtain consent prior to making contact; rather, a data controller may rely on their legitimate interests to send correspondence.

Notwithstanding this, those of you with an appreciation of the GDPR may still wonder whether a data controller is nevertheless obliged, according to the letter of the law, to provide a full-length privacy notice or, at the very least, make the information available to the data subject in another format. Although on a strict interpretation this may be the case, in the UK, the Information Commissioner’s Office (the UK’s Data Privacy Regulator) has provided guidance on privacy notices which suggests that to do so would be unwarranted. The Information Commissioner instead prescribes that privacy notices should be provided in a way that is proportionate in all the circumstances.


In making an assessment as to what is proportionate in all the circumstances, the key is to ask yourself whether and to what extent you are being fair and transparent about your capture and use of personal data. Where it is not feasible to physically provide privacy information, which would normally be the case in a social networking environment, you should still ask the data subject questions on exchange of cards. For example you could ask, “we run a mailing list for clients and business associate contacts, would you like to be included on the list?” Being fair and transparent under the GDPR is about ensuring you are explicit and transparent. By way of another practical example, you should provide a fair collection statement on seminar feedback forms setting out your intended use of data collected on the form.


Once contact is finally made with the data subject, in order to ensure compliance with the lawfulness, fairness and transparency data protection principle, a data controller should indicate where its privacy notice/policy is available and provide a relevant link. The data controller should also remind the data subject of their right to opt out of direct marketing, and should refrain from sending them irrelevant marketing materials or sharing their data with third parties unless it is lawful to do so.


This is not intended to be a definitive statement of English law and for advice on data protection issues under English law, including GDPR, contact:

Jamie Laidler at Greenwoods GRM LLP

Tel: +44 20 7242 0631


London | Cambridge | Peterborough