
My initial reading of the GDPR doesn't seem to cover cases of consent with regards to inbound e-mails. If I run a corporate e-mail server and store all incoming e-mails on it, I'm storing private data of data subjects (natural persons).

Am I in breach of GDPR if I don't get consent from the data subjects to do so?

I mean, that seems insane, but the definitions for data controller/processor are so broad it is hard to tell where the boundaries are.

Any insight would be appreciated.

Some supporting documentation: The regulation: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

Easier to digest white paper: http://cdn2.hubspot.net/hubfs/659257/uk_site/resources/white-paper/white-paper-gdpr-en-uk.pdf

  • GDPR is so new that it isn't in effect, can you please provide any supporting documentation on why you might be in violation? – rook Apr 13 '17 at 00:56

1 Answer


You need to process personally identifiable information (PII) stored in e-mails so that you can run an e-mail server for your company. This means you have a legitimate interest in processing PII, and as long as you don't use the collected personal information for any reason other than e-mail communication, you do not have to obtain explicit consent.

Since you have a legitimate interest, you are not required to obtain consent.

You would need consent if, on top of processing the e-mail, you wanted to use the information in a way that is not required for processing e-mails, e.g. sending the e-mail addresses to a 3rd party for their marketing purposes. This is of course a bit extreme, but it is more or less the kind of situation GDPR is trying to prevent.

Of course, even if you have the e-mail server just for sending and receiving e-mails and no consent is needed, there might be some further obligations under GDPR, such as that you are expected to take all the necessary precautions to secure access to the e-mail server, but that is something you need to do anyway.

  • thank you. In our case, we have software that calculates a relationship graph and might identify e-mail senders that would be subsequently contacted by our company (but not using our software). I guess in that case the more stringent rules for outbound e-mail marketing would apply anyways – Jochen Bedersdorfer Apr 19 '17 at 19:28
  • IANAL but I would tend to agree with your conclusion. Even under the existing Data Protection Directive, a use-case like this, in my opinion, calls for a balancing test. This article might provide more insight: https://www.insideprivacy.com/international/european-union/european-data-protection-regulators-clarify-the-scope-of-the-balancing-test-required-for-reliance-on/ – Tomas Honzak Apr 21 '17 at 13:45
  • Well I hope we provided that for you, Tomas ;) The use case I was inquiring about, though, is broader in that it would also affect Google Mail and other companies that do 'light' processing (thread detection, language detection, etc. etc.) while storing the e-mail at the same time. It would have widespread consequences if that is seen as 'processing' with regards to the law – Jochen Bedersdorfer Apr 22 '17 at 16:32