GDPR and contact data

The GDPR governs processing of personal data in the EU. Purely private address books fall under its household exemption; business use of contacts does not.

Names, phone numbers, email addresses, birthdays, and notes about people are all personal data under Regulation (EU) 2016/679 — the GDPR. So a contact database is, on its face, exactly the kind of thing the regulation governs. Whether the rules apply to yours hinges on one provision: Article 2(2)(c) excludes processing "by a natural person in the course of a purely personal or household activity." Your private address book, the family birthday list, notes on friends — the regulation deliberately stays out of that sphere, and Recital 18 even names correspondence, address-keeping, and private social networking as examples.

The exemption ends where professional or commercial purpose begins, and courts read it narrowly. The CJEU held as early as Lindqvist (2003, decided under the predecessor directive) that publishing personal data to the open web leaves the personal sphere. A freelancer's contact list used for client acquisition, a founder's networking database, conference leads in a spreadsheet — all of that is ordinary processing, requiring a lawful basis (commonly legitimate interest under Article 6(1)(f)), transparency toward the people concerned, and respect for their access and erasure rights.

Most real address books are honestly somewhere in between — your dentist, your investor, and your sister in one list. This article is general information about how the regulation is structured, not legal advice; for a real compliance question, ask a data-protection professional.

The household exemption — and its edges

Article 2(2)(c) is generous at its core and sharp at its edges. Clearly inside: contacts kept for friendship, family, and private life, however detailed your notes. Clearly outside: anything serving a business, even a side hustle. The edges that catch people: making contact data public (a website, an open social profile) defeats the exemption per the Lindqvist line of cases; CCTV that films the public street fell outside it in Ryneš (2014), showing how literally "purely" is read; and one database used for both spheres can't claim the exemption for its business half. Important asymmetry: the exemption frees you as a private individual, but a company whose app processes your address book remains fully bound by the GDPR for what it does with that data.

When your contact list makes you a controller

Cross into professional territory and you become a "controller" with concrete duties. You need a lawful basis — for ordinary business contacts that's typically a legitimate-interest assessment, since consent is rarely practical for a contact list. You owe transparency: people whose data you collected from them are informed under Article 13, and data obtained from elsewhere triggers Article 14 within a month — the duty the Bisnode enforcement case made expensive to ignore. You must honor rights: access (what do you have on me?), rectification, erasure, and objection. And you're responsible for your processors — the CRM vendor, the cloud, the mail tool all need Article 28 terms. For a solo professional none of this is exotic; it mostly means keeping contacts for defensible purposes, in trustworthy tools, and deleting when asked.

Privacy by architecture, not by paperwork

Article 25's "data protection by design and by default" reads as aspiration in most products and as architecture in a few. A local-first personal CRM is the architectural version: Endearist keeps your contact data on your device by default, performs no enrichment or scraping (no third-party dossiers ever enter your records), and offers sync only in end-to-end encrypted form with an EU-hosted cloud option — so the people in your address book are never exposed to a server that can read about them, and questions like international data transfers shrink dramatically. For purely private use under the household exemption this isn't legally required; it's simply how a tool behaves when it treats your friends' data as a liability to minimize rather than an asset to exploit. None of this paragraph is legal advice — it's product architecture described accurately.

Frequently asked questions

Does the GDPR apply to my private address book?
Generally no. Article 2(2)(c) exempts processing by a natural person for purely personal or household activities, and Recital 18 explicitly mentions address-keeping. Friends' numbers, family birthdays, and private notes are outside the regulation's scope. The exemption falls away when a professional or commercial purpose enters — using the same list for client work, for example — or when you publish the data. This is general information, not legal advice.

Can I keep business contacts without their consent?
Usually yes — consent is only one of six lawful bases, and for routine business contacts the typical basis is legitimate interest under Article 6(1)(f): someone who hands you a card or emails you professionally reasonably expects to be stored and contacted. You still owe transparency, must stop when they object, and must delete on valid request. What legitimate interest does not cover is harvesting strangers at scale. Not legal advice — specifics depend on context.

Does it matter where my contact app stores its data?
Yes, twice over. Legally: a vendor processing EU users' contacts is bound by the GDPR, and storage outside the EU brings transfer rules (Chapter V) into play — EU hosting or on-device storage keeps that simple. Practically: server-side plaintext means a breach, an acquisition, or a policy change exposes everyone in your address book, who never chose that app. Local-first storage and end-to-end encryption shrink both the legal surface and the blast radius.

Last updated: 2026-06-10
