German Data Protection Conference publishes guidance on minimum protection of personal data in e-mail
The German Data Protection Conference (deutsche Datenschutzkonferenz, “DSK”) recently published an orientation guidance on the protection of personal data when using e-mail. In it, the DSK sets out the requirements that the procedures used by data controllers, their processors and public e-mail service providers for sending and receiving e-mail messages must meet during transport.
The protective measures set out in the guidance serve to comply with the requirements of the EU General Data Protection Regulation (hereinafter “GDPR”) – in particular to ensure adequate security for personal data (Art. 5 (1) lit. f GDPR), to implement the principles of Privacy by Design and Privacy by Default (Art. 25 GDPR) and to ensure adequate technical and organisational measures (Art. 32 (1) GDPR). The aim of the protective measures is to reduce the risks involved in processing personal data in connection with e-mail traffic.
However, the guidance is limited to the risks associated with a breach of the confidentiality and integrity of personal data. Furthermore, it only considers risks that arise while the e-mail is in transit, not those that arise once the e-mail is at rest, i.e. has already been received, or while it is being further processed.