GDPR Definition of Natural Persons and Legal Persons

Natural Persons and Legal Persons: A Definition

References to “natural person” occur 133 times times in the GDPR, and “legal person” 22 times.  So what are Natural Persons and Legal Persons and why doesn’t the regulation just refer to “people” or “human beings”?

Let’s take natural persons first.  A natural person is a human being.  From birth (and depending on your nationality, sometimes before birth) a natural person such as you or I has certain rights under law.

The GDPR applies only to natural persons who are living, as specified in Article 27, Article 158 and Article 160.  However, death does not signal a free-for-all on the personal data of the deceased.  Individual nations can and do apply their own regulations here, in particular to give the deceased person’s family, heirs and/or other nominated people rights over the use and protection of the data.  A common case for this would be to access and administer a deceased person’s social media profile.  Bird & Bird have a useful guide to how the personal data of deceased people is protected in various EU countries.

Robots are not covered by the GDPR, however life-like

A legal person is perhaps better described as a non-human legal entity.  Think of a corporation, your national government, the United Nations, European Union or even the European Data Protection Board.  These bodies are treated as being legally distinct from the natural person or persons who comprise the body.

Even the EPDB can’t escape the GDPR

In almost all cases in the GDPR natural and legal persons are interchangeable, with both having similar responsibilities regarding the controlling and processing of the personal data of other natural persons.  However, when it comes to accessing data on natural and legal persons a clear distinction is made: the GDPR “does not cover the processing of personal data which concerns legal persons … including the name … and the contact details of the legal person” – see the Article 14 post for more on this.  This means that, for example, corporations cannot use the GDPR as a cloak to hide their contact details.


Leave a Reply

Your email address will not be published. Required fields are marked *