>>whereas press@ec.europa.eu would not. There have been cases where a role based email like that have been considered being personal details in case of only one person having access to the mailbox. This on the basis that there can be collected information (IP-adresses and such) from other parties (like facebook) that links this address to the sole person operating the mailbox.
It works like if you have a access card to a building, or a anonymous username/password, which then identifies the person holding it, it doesn't matter if no personal details are stored. That there is a single person holding the card or username/password, which can be linked by having the person in question surrender the card or username/password is enough to make it personal details under GDPR. However, it can be permitted to store or publish such information, since it falls under so called "pseudonymized identity" in the same way an address like iloveap...@example.org registred on a public webmail service like Hotmail.com or gmail.com would be considered a "pseudonymized identity". So a "pseudonymized identity" can be permitted to be stored/used in some cases, and prohibited in other cases. It isn't free land just because the mailbox is a role-based one. HOWEVER if the role-based mailbox is accessible by multiple people (for example, if multiple persons has the username/password or if the role-based mailbox is a group-based one which dumps the email into multiple identity-based mailboxes - multi-target forward) then its "free land", free to do whatever you want with it. It’s the same way that the company details of a organization, is not considered being in GDPR, **UNLESS** the company is a sole proprietor, then the company details is considered being in scope for GDPR despite being a organization. _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
