Personal data: professionals are increasingly protected!

Eight years after the entry into force of the RGPD, French news reaffirms that the protection of personal data also applies to professionals and managers of companies. Indeed, a recent decision concerning a dentist wishing to delete her Google My Business file and a decree allowing company managers to hide some of their personal data illustrate this same trend: the protection of personal data also applies to the professional sphere.

‍

These developments invite us to rethink the legal foundations for the processing of these “professional” data, the particular nature of which lies in the close link with economic activity. How to reconcile economic transparency and the protection of the personal data of economic actors?

‍

1. Jurisprudential approach: legitimate interest is not enough (always) to justify the processing of a professional's personal data

‍

In May 2025, the Chambéry Court of Appeal condemned Google for refusing to delete the Google My Business form of a health professional who exercised her right to have it erased (2nd bedroom, May 22, 2025 — no. 22/01814). As a reminder, a Google My Business form automatically references professionals in the Google search engine and displays various information relating to these professionals — name, address, telephone number, hours... Internet users can also publish reviews concerning these professionals, without prior verification by the professional or Google. These Google My Business sheets are thus created without the consent of professionals who are invited to identify themselves with Google in order to complete, update the information on their listing and respond to comments by subscribing to this paid service.

‍

In this case, a dental surgeon noted the presence negative reviews under her Google My Business form, which she could not respond to in accordance with her ethical obligations. She had therefore sent a request to delete her file to Google, which refused to delete her file. The health professional then referred the matter to the French courts, which considered the processing of the data to be unlawful and ordered the deletion of the form under penalty, condemning Google. The company then appealed this decision and the judges of the Chambéry Court of Appeal confirmed the first-instance decision. This decision is in line with the case law of the CJEU since 2017 and reminded again In April 2025 affirming that information that identifies a natural person, even in a professional context, is personal data and needs to be processed in accordance with the GDPR.

‍

What can we learn from this new decision?

‍

• Google cannot take advantage of its legitimate interest to automatically create Google My Business listings. Before the courts, Google has put forward its legitimate interest in providing search engine users with information about professionals. However, as noted by the magistrates of the Chambéry Court of Appeal, the The real objective pursued by Google is purely commercial since professionals are encouraged to create a paid account in order to directly manage their Google My Business listing and in particular to be able to respond to negative reviews. The judges demonstrate the obvious imbalance between Google's potential legitimate interest and the rights of professionals who have no effective control over the opinions posted concerning them. The test to balance the rights of individuals and the legitimate interest of the data controller, as recalled by the CNIL And the EDPS in its guidelines, therefore plays against Google. The processing of professionals' personal data is therefore unlawful since it is based on an inadequate legal basis.

‍

• The consent of professionals could be considered as a legal basis in some cases. Google, and more generally any platform processing personal data relating to professionals without their action, should consider a legal basis other than their legitimate interest. The consent of professionals could thus be the most appropriate legal basis, although complex to implement in practice. Then, for professionals who would agree to subscribe to Google's paid service, the legal basis for processing their data could be the execution of the contract between them and Google.

‍

• The particular case of sheets and opinions concerning health professionals. These professionals must be extra careful since they cannot respond to or comment on online reviews due to medical confidentiality and their ethical obligations. In addition, the publication of reviews in this context may indirectly involve the collection of sensitive data relating to the health of Internet users. One solution could consist in creating specific sheets for health professionals, excluding the possibility for Internet users to leave opinions.

‍

This decision confirms a clear trend that is in line with European case law: the GDPR also protects professionals and their personal data must be processed under an adequate legal basis. It encourages platforms to rethink their legal bases and to potentially audit the data processing of professionals to ensure their compliance.

‍

2. Regulatory approach: a decree makes it possible to hide data relating to the personal residence of managers

‍

On 22 August 2025, the legislator adopted a edict passed almost unnoticed, the scope and effects of which for managers are nevertheless considerable. Company managers can now ask the hiding of information relating to their personal home listed in the Trade and Companies Register.

‍

Before that date, public access to the personal addresses of managers was easy, exposing some of them to real security risks. Several cases, including That of the co-founder of Ledger and his wife, victims of a kidnapping in January 2025, illustrated these excesses. Faced with these threats, many leaders formulated requests for deletion or correction as provided for by the RGPD with the registrars and courts in order to obtain the removal of their personal address from documents and public databases. However, these steps have often proved to be unsuccessful, as it was not possible to demonstrate legitimate reasons for this request for deletion.

‍

Thus, the objective of this decree is to simplify these procedures, reduce the risks of aggression, harassment and/or cyberattack for company managers, while guaranteeing the continuity of access to the necessary information for the competent institutions and authorities. In practice, some personal data must always be transmitted as part of corporate formalities in order to: Guarantee the transparency of business life And the security of economic exchanges. However, all this information is no longer intended to be freely accessible to the public.

‍

Now, during business formalities carried out via the INPI one-stop shop, managers can ask for confidentiality information relating to their personal home. It is also possible for them to change the privacy settings or to request the hiding of this data for companies already registered. Hiding does not mean erasing data: the information remains accessible to the authorized authorities (e.g.: Tracfin, customs administration, notaries, URSSAF, etc.) for the accomplishment of their legal missions, in particular in the fight against the abuse of power.

‍

Note that this new system differs from the classical rights recognized by the RGPD (deletion, correction) since it is a autonomous, absolute law and without an obligation to state reasons, the exercise of which is however subject to the payment of a fee.

‍

This new device recalls the confidentiality feature already proposed by the French Association for Internet Naming in Cooperation (AFNIC), allowing domain name holders to hide their identification data in public databases. The information thus remains accessible to agencies, registrars and competent authorities, but is hidden from the general public.

These two recent developments illustrate the search for a lasting balance between the requirements of economic transparency and the protection of professionals' personal data, which are now fully integrated into the scope of the GDPR.

‍

The message is clear for businesses and platforms whose activity is based on professional data processing to this data does fall under the RGPD, it is therefore necessary to:

• check the legal basis of the treatment (and, if it is based onlegitimate interest, ensure that a genuine balancing test has been carried out);

• anticipate the exercise of rights by professionals (erasing, rectifying, hiding) and setting up adapted internal procedures ;

• guarantee clear and complete information of the persons concerned, in accordance with the transparency requirements of articles 13 and 14 of the GDPR

‍

For any questions or support needs, do not hesitate to contact our IT/Data team!

‍

‍

Clémentine Beaussier, partner lawyer at Squair