Overview Data Protection Conference (DSK): Guidance on e-mail security
Specifically, it deals with the "Measures for the protection of personal data when transmitted by email".
Compared to the statements made at the time of our "Forum Digitalization Law and Industry 4.0" in 2019 on the topic of "E-mails in the age of the GDPR - legally compliant in the company", the new guidance shows fewer fundamental concerns regarding the medium of "e-mail". Rather, it calls for various technical security measures that are either already established or are increasingly being used anyway. However, the question of how the end-to-end encryption required in certain situations can be implemented in practice remains unanswered. The main problem here is that both the sender and the recipient must support a specific system; this is often the case in practice at present.
It is also worth noting that the guidance leaves certain points unaddressed, e.g. whether an order processing agreement should always be concluded with an e-mail provider, and how the fact that e-mails are routed via a large number of external servers during transport should be assessed under data protection law.