Electronic Mail Under the GDPR Microscope.
The Polish DPA Warns Against Violations
For years, electronic mail has been the primary communication tool in organizations -both in the private and public sectors. However, its widespread use also means that it is increasingly becoming a source of serious personal data protection breaches.
According to analyses and communications published by the Polish Personal Data Protection Office (PUODO), a significant proportion of reported GDPR breach incidents concern data processed via electronic mail.
PUODO points out that organizations still underestimate the risks associated with e-mails – both at the technical and organizational levels. As a result, even routine correspondence may lead to a breach of the confidentiality, integrity, or availability of personal data.
Electronic Mail Under the GDPR Microscope.
Most Common Breaches: Account Hacking and Lack of Message Security
Analyses published by PUODO indicate that the most common GDPR breaches related to electronic mail concern two fundamental problems. The first involves unauthorized access to corporate e-mail accounts, often resulting from successful phishing attacks, the use of weak passwords, or the absence of additional security mechanisms.
The second category concerns e-mails containing personal data sent without adequate safeguards, particularly in the form of unencrypted attachments. In such cases, a breach may occur not only as a result of an external attack, but also through accidental interception of correspondence or unauthorized access to its content.
Electronic Mail Under the GDPR Microscope.
E-mail Inbox as an Archive? PUODO Issues a Warning
Experts in personal data protection have observed a troubling trend of treating e-mail inboxes as the default repository for documents. In practice, this means that contracts, customer data, HR documentation, or financial information are stored in mailboxes for years.
PUODO clearly emphasizes that electronic mail is not intended for the long-term storage of personal data. Organizations often fail to analyze where their mail servers are physically located, what level of security they provide, or whether they comply with GDPR requirements concerning data processing, including transfers of data outside the EU.
Electronic Mail Under the GDPR Microscope.
E-mail Data Retention and Article 5 GDPR
One of the key obligations imposed on data controllers under the GDPR is the implementation and application of a data retention policy. This also applies to information sent and stored via electronic mail.
Electronic Mail Under the GDPR Microscope.
According to Article 5 GDPR, personal data should be:
- processed solely for a clearly defined purpose,
- stored no longer than necessary to achieve that purpose.
The absence of clearly defined e-mail retention rules, or failure to comply with them, leads to a breach of the storage limitation principle, which may result in administrative liability, including financial penalties.
Electronic Mail Under the GDPR Microscope.
Two Main Risk Areas According to PUODO
PUODO identifies two principal categories of threats related to e-mails:
Electronic Mail Under the GDPR Microscope.
Human Errors Still a Serious Problem
Frequent GDPR breaches also result from user errors such as:
- mistakes in e-mail addresses,
- uncritical use of auto-complete functions,
- sending messages to multiple recipients without using the BCC field,
- attaching incorrect files.
Each of these errors may lead to unauthorized disclosure of personal data, which may require notification to PUODO and, in some cases, also notification of the affected individuals.
Electronic Mail Under the GDPR Microscope.
PUODO Recommendations: How to Reduce the Risk of Breaches
In response to the growing number of incidents, PUODO recommends implementing a range of technical and organizational measures, including:
Electronic Mail Under the GDPR Microscope.
Summary
Electronic mail should not be treated as a secure archive for personal data. As PUODO clearly emphasizes, effective data protection in the context of e-mails requires a combination of technology, procedures, and employee awareness.
The absence of appropriate safeguards, policies, and controls means that even an apparently harmless e-mail may become the source of a serious GDPR violation, exposing an organization to financial penalties and loss of trust.
Frequently Asked Questions (FAQ)
No. A breach occurs when personal data is disclosed to an unauthorized person. The scale of the breach depends, among other things, on the type of data involved and the level of risk to the affected individuals.
As a rule, no. Processing personal data through private e-mail accounts may violate the GDPR if the controller has no control over the security and location of the data.
The GDPR does not specify particular technologies, but it does require the application of appropriate technical measures. When transmitting sensitive data, encryption is effectively the standard expected by supervisory authorities.
Only for as long as necessary to fulfill the purpose of processing. Once that purpose has been achieved, the e-mails should be deleted or anonymized in accordance with the retention policy. It should also be remembered that the adopted purpose must be genuine and comply with the necessity principle.
Not always. Notification is required when the breach may result in a risk to the rights or freedoms of natural persons, which must always be assessed individually on a case-by-case basis.
