
Business leaders in the European Union: when your personal data becomes visible… and vulnerable

  • Writer: Admin
  • Dec 13, 2025
  • 11 min read

In the digital age, the shadow cast by business leaders is no longer limited to Excel spreadsheets or financial statements. An online presence, whether institutional or commercial, is now becoming a vector of exposure to real risks – problems that many entrepreneurs never think about… until it’s too late.


In the European Union, as soon as a business owner establishes their company, a set of personal data is entered into common legal databases: name, surname, registered office address (which may be their home address), contact details, and their functions and roles within the company. This data, required by company law, is intended to ensure economic and legal transparency.


But in practice, this data is not confined to official registries alone. It is duplicated on a large scale by private platforms: information aggregators like pappers.com or societe.com, public data search engines, or "data brokers." Unlike state-run public registries, these sites seek to maximize their audience, making this personal information accessible, indexable, and sometimes amplifiable.


Public databases exist for a legal reason: to guarantee the transparency of economic activity. But this same data, when massively replicated and freely accessible, becomes a field of exploration – sometimes exploited – for malicious individuals.


These are very real risks: attacks, kidnappings, violent attempts


The reader might think: "I'm a craftsman, or I run a small business... why should this concern me?"


And yet: the attacks of 2025 show that the threat is not only theoretical.


In France, a series of high-profile criminal cases involving cryptocurrency executives has shocked the public this year. Several leaders have been targeted in kidnapping attempts or violent assaults, sometimes in broad daylight. French authorities have referred around twenty suspects to magistrates for plots to kidnap crypto figures or their relatives, including an attempt on the daughter and grandson of a CEO of a cryptocurrency exchange in Paris (Courthouse News).


An earlier case – that of David Balland, co-founder of a cryptocurrency startup, kidnapped with his partner from their home – illustrates the scale of the danger: abducted, separated, and held for ransom in exchange for cryptocurrency, they were eventually found after a police operation (National Gendarmerie).


In a society where fortunes can be virtual but violence very real, these attacks often have only one declared motivation: money, the expression of a cold, calculated criminal intent targeting what is visible, observable and… accessible.


Thus, long before you become a "major" entrepreneur, your public data can expose you to a world where people assume you have resources – sometimes wrongly, sometimes with tragic consequences.


Why is your public data so dangerous?


The difference between data published in state registries and that disseminated by private aggregators is essential:


  • State legal databases (Trade and Companies Register, business directory) are, however, less indexed by search engines. They are generally only accessible through specific queries from public websites or via professional APIs.


  • Private aggregators, on the other hand, collect this data to make it immediately searchable, regularly updated and accessible via the public web, often optimized to appear at the top of search results.


The fact that this information may include the executive's home address, date of birth, precise role in the company, and even past histories, provides fertile ground for a whole range of abuses – from digital harassment to the most brutal criminal exploitation.


What recourse is available to limit the exposure of your data?



European law – in particular the General Data Protection Regulation (GDPR) – is not an empty shell. Even when data is "public" in a commercial or economic sense, you retain rights as a natural person.


According to Article 17 of the GDPR, you can ask a website to delete personal data that can be used to identify you. The sample letters provided by the CNIL illustrate how to formulate these requests, explicitly citing Articles 12 to 17 of the GDPR and emphasizing that the data allows for your personal identification.


A standard letter typically includes:


  • Article 17.1 of the GDPR, requiring the erasure of data.

  • The precise list of URLs or extracts to be removed.

  • A clear statement that you will assert your rights before the supervisory authority if the request is not complied with within the month stipulated by law.


The CNIL (French Data Protection Authority) reiterates that these requests can be made even if the data comes from public sources: the authority considers it necessary for reusers to comply with the GDPR rules concerning individuals' rights, particularly when there is a risk of a disproportionate infringement of privacy.


Standard letter:


In accordance with Article 17.1 of the General Data Protection Regulation (GDPR), I request that you delete the following personal data concerning me from your files:


[information_to_delete]


I request that this information be removed because:


[reason_for_deletion]


Please also notify the organizations to which you have communicated my data of this erasure request (Article 19 of the GDPR).


Finally, I ask you to inform me of these elements as soon as possible and at the latest within one month of receipt of this letter (Article 12.3 of the GDPR).


If I do not receive a response from you within the given time frame or if the response is incomplete, I will file a complaint with the National Commission for Information Technology and Freedoms (CNIL).


Please accept, Madam/Sir, the expression of my distinguished greetings.



How can we take concrete action?


Here are the steps that all leaders can follow:


  1. Identify precisely the pages and data to be removed from aggregator sites.


  2. Send a written request (registered mail + email) citing the relevant GDPR articles and the rights being exercised.


  3. Keep all evidence of sending: copies, acknowledgments of receipt, screenshots.


  4. Follow up every week if no response is given within the legal one-month period.


  5. If no action is taken within the allotted time: a complaint can be filed with the CNIL using their official form – which often triggers a more rigorous investigation by the authorities.


  6. Reinforce the process by sending a complaint, if necessary, to the website host and the registrar of the associated domain name. See our guide: Doxxing, defamation, harassment: your rights and actions to defend yourself


At WAAD, we recommend this gradual and determined strategy: requests, follow-ups, then official action. In many cases, this approach leads to the effective removal of data from aggregators.



The counter-arguments of aggregators: understanding their tactics so as not to be misled



In the vast majority of cases, when you exercise your GDPR rights with a data aggregator site, the first response is not a deletion, but a long, complex and deliberately discouraging text.


This response often resembles what lawyers call "legal mush": an accumulation of partial arguments, taken out of context, intended not to inform... but to make you give up.


The arguments almost always come back in the same form:


1. "We exercise freedom of expression and information"


Aggregators frequently invoke freedom of expression or the freedom to inform the public. This argument is partially true, but legally incomplete.


Freedom of expression is never absolute. It must be balanced against:


  • the right to privacy,

  • the right to the protection of personal data,

  • and the principle of proportionality, which is fundamental in European law.


When a website publishes name, surname, home address, functions and professional history, and allows a natural person to be directly identified, the GDPR applies fully, even if the data comes from public sources.


2. "This is public data, so we have the right to use it."


This is the most frequent argument… and one of the most misleading.

Yes, some data is public in its original source (trade register, BODACC, INSEE, etc.). But public does not mean freely usable without limit.


The GDPR is very clear: the reuse of public data for commercial purposes or mass dissemination constitutes the processing of personal data.


This implies:


  • a valid legal basis,

  • a legitimate purpose,

  • and above all respect for the rights of the persons concerned, including the right to object and to erasure.


In other words: the public nature of data does not negate your rights.


3. "We are simply using the data from the state; you should contact them."


This is probably the most fallacious argument — and yet one of the most used.

Aggregators are perfectly aware that:


  • the State has a legal obligation to publish certain information,

  • and that it cannot erase this information on simple request, except through a reform of the law.


By referring you to the administration, they are deliberately conflating two distinct legal realities:


  • The State publishes as part of a legal mission.

  • A private actor is free to choose to reuse, index, enrich, distribute and monetize this data.


This choice entails its own legal responsibility.


Just because the State has to publish does not mean that every private actor has the right to distribute without limit, without impact analysis, and without respecting your GDPR rights.


It is precisely on this point that the CNIL is consistent: the commercial or massive reuse of public data must comply with the GDPR.


4. Why are these responses being sent?


It is important to understand one essential thing: 👉 these answers are standardized.


They are designed to:


  • impress legally,

  • discourage individuals and leaders,

  • save time,

  • filter those who will go all the way... from those who will give up.


In practice, as soon as you stand firm, follow up, explicitly mention the CNIL and demonstrate that the data allows you to be personally identified, deletions occur in the majority of cases.


When the site still refuses: reverse the balance of power (legally)


However, it sometimes happens that some site managers stubbornly refuse any removal, even after reminders and threats of reporting.


Before immediately hiring a lawyer — which can be costly — there is a perfectly legal psychological and legal lever, drawn from practical experience, that few people know about.


TIP: Reverse the roles


Aggregators apply to their users what they refuse to apply to themselves.

In concrete terms:


  • The leaders of these platforms are themselves listed on… aggregators.

  • Their name, surname, functions, and very often their personal or professional address, are accessible on the same sites they operate.


👉 So you can:


  1. Legally retrieve the public information of the person in charge (via pappers, societe.com, RCS).

  2. Write a registered letter that is courteous, factual and strictly legal.

  3. Send it addressed to him by name, at his official address.


The objective is neither threat nor intimidation, but a clear message:


You now understand in concrete terms what the uncontrolled dissemination of personal data means.

In the vast majority of cases, this approach is enough to trigger:


  • an immediate awareness,

  • a quick response

  • and the effective deletion of the data.


⚠️ Essential Disclaimer


This process must absolutely:


  • remain strictly legal,

  • be limited to written correspondence,

  • never involve physical contact,

  • contain no threats, pressure or inappropriate remarks.


This is a legal and symbolic reminder, not a confrontation.



What if nothing changes despite everything?



If the sites refuse to delete the data, or respond with dilatory legal arguments (freedom of expression, public data, right to use publicly available information), do not be discouraged.

These counter-arguments are often formulated to avoid deletion, but they do not take into account the fact that GDPR rules require a case-by-case analysis, particularly when there is a disproportionate risk of exposure of natural persons.


At this stage, it is often necessary to:


  • Consult a lawyer specializing in data protection.

  • Prepare a complaint with legal assistance.

  • Formally notify the reluctant entity.


Determination and rigor are your best allies when facing platforms that seek to minimize their legal obligations.


One last practical tip for sole proprietorships



If you are a sole trader (without legal separation between person and company), you have an additional option: with INSEE, you can request the anonymization of your personal data linked to your SIREN/SIRET, which prevents its dissemination on certain public registers.


Even if you are not a sole proprietor, a reasoned request for anonymization may sometimes be accepted – provided that you justify concrete risks to your safety or privacy.


Protect your data to protect your life


In a world where access to information is instantaneous, the personal data of leaders is no longer just a set of lines in a legal database: it has become a piece of the global public puzzle. This opens the door to abuses – from online harassment to violent crimes.


At the heart of this reality, it is essential that every business leader does not passively endure the exposure of their information, but learns to exercise their rights, to act legally and to protect themselves concretely.


You are not alone. Tools exist, laws protect you, and authorities – such as the CNIL – can intervene when your rights are denied or ignored.

Digital technology opens up immense opportunities… but also risks that we can no longer afford to ignore.




LEGAL ANNEX – LEGAL FRAMEWORK FOR THE PROTECTION OF BUSINESS LEADERS' DATA (EU / FRANCE)


This appendix aims to provide readers with legal information on their actual rights, the applicable texts and the legal levers that can be used against data aggregation sites.


1. The fundamental principle: public data remains personal data



Article 4 – Definition of personal data: Personal data means any information relating to an identified or identifiable natural person, directly or indirectly.

So:


  • name and surname of a manager,

  • address (personal or professional),

  • function within a company,

  • history of activities,

  • capital links,


➡️ are legally personal data, even when they come from public records.


2. The reuse of public data is a processing activity subject to the GDPR


Aggregator sites (pappers, societe.com, etc.) carry out data processing within the meaning of the GDPR.


Article 4 §2 GDPR – Processing: Any operation applied to personal data: collection, recording, organisation, dissemination, making available, indexing.

The mere fact of:


  • copying data,

  • indexing it on Google,

  • making it accessible via a public interface,

  • or exploiting it to generate traffic,


➡️ constitutes processing separate from that carried out by the State.


👉 The argument “we are only using public data” is legally inadmissible on its own.


3. The obligations of data aggregators


All data controllers must comply with the following principles:


Article 5 GDPR – Fundamental Principles


The data must be:


  • processed lawfully, fairly and transparently,

  • adequate, relevant and limited to what is necessary (minimization),

  • protected against disproportionate infringements of privacy.


The mass dissemination of personal addresses or data allowing direct identification may constitute a violation of the principle of proportionality, particularly when it exposes people to concrete risks (harassment, threats, physical harm).


4. The right to erasure (Article 17 GDPR)


The business owner can exercise their right to erasure, particularly when:


Article 17 §1 c): The data subject objects to the processing and there are no overriding legitimate grounds justifying the processing.
Article 17 §1 d): The data have been unlawfully processed.

The CNIL reminds us that the public origin of the data does not preclude the exercise of this right when the dissemination infringes on privacy in a disproportionate manner.


5. The right to object (Article 21 GDPR)


Even if the deletion is contested, the manager can invoke:


Article 21 GDPR – Right to object: The data subject may object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her.

👉 Risks to personal safety, harassment or invasion of privacy constitute recognized legitimate grounds.


6. Freedom of expression: a clear limit set by European law


Aggregators often invoke freedom of expression (Article 85 GDPR). However:


  • This freedom must be balanced against fundamental rights.

  • It does not justify mass distribution,

  • nor generalized indexing,

  • nor the absence of an effective opposition mechanism.


European case law is consistent: 👉 the freedom to inform does not automatically take precedence over the protection of personal data.


7. Official position of the CNIL (France)


The CNIL specifies that the commercial reuse of data from public sources:


  • must comply with the principles of the GDPR,

  • must allow for the effective exercise of rights,

  • and may be limited or prohibited when it creates a disproportionate infringement on privacy.


The CNIL explicitly encourages the individuals concerned to:


  • exercise their rights directly with the websites,

  • preserve the evidence,

  • then file a complaint if no satisfactory response is provided within the legal timeframe of one month.


8. Legal deadlines and response obligations


Article 12 §3 GDPR: The data controller has a maximum period of 30 days to respond to a GDPR request.

Failure to respond, or an incomplete or dilatory response, constitutes an offence liable to administrative sanction.
