DSK: Mini­mum pro­tec­tion of per­so­nal data when recei­ving and sen­ding e‑mails

The Ger­man Data Pro­tec­tion Con­fe­rence (DSK) has issued a Gui­dance on mea­su­res for the pro­tec­tion of per­so­nal data during trans­mis­si­on by e‑mail published (dated March 13, 2020). It explains Pro­tec­ti­ve mea­su­res within the mea­ning of Art. 5(1)(f), 25 and 32 of the GDPR, which data con­trol­lers, but also pro­ces­sors and “public email ser­vice pro­vi­ders” have to com­ply with at the Sen­ding e‑mails in tran­sit have to fulfill.

The infor­ma­ti­on is sub­ject to devia­ting requi­re­ments depen­ding on the risks of the indi­vi­du­al case and only con­cerns trans­port encryp­ti­on, not the pro­tec­tion of data at rest. To this ext­ent, howe­ver, they are to be under­s­tood as obli­ga­to­ry.

In sum­ma­ry, the DSK is of the opi­ni­on that

  • Trans­port encryp­ti­on repres­ents a mini­mum stan­dard. Anyo­ne who recei­ves (coll­ects, i.e., e.g., via a prompt on a web­site or as part of an agree­ment) e‑mails spe­ci­fi­cal­ly must the­r­e­fo­re crea­te the pre­re­qui­si­te for trans­port encryp­ti­on (at a mini­mum, the estab­lish­ment of TLS con­nec­tions accor­ding to the tech­ni­cal gui­de­line TR-02102 – 2 “Cryp­to­gra­phic Pro­ce­du­res: Use of Trans­port Lay­er Secu­ri­ty (TLS)” of the Ger­man Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI)):

    The use of trans­port encryp­ti­on pro­vi­des basic pro­tec­tion and repres­ents a mini­mum mea­su­re for mee­ting legal requi­re­ments. In pro­ce­s­sing situa­tions with nor­mal risks, trans­port encryp­ti­on alre­a­dy achie­ves suf­fi­ci­ent risk reduction.

  • Respon­si­ble par­ties who spe­ci­fi­cal­ly recei­ve e‑mails “should” also DKIM signa­tures check, i.e. a spe­ci­fic digi­tal signa­tu­re that can be inclu­ded in e‑mails; a public key of the sender’s domain can be used to check whe­ther the e‑mail actual­ly ori­gi­na­tes from a spe­ci­fic domain.
  • At par­ti­cu­lar risks cer­tain, hig­her requi­re­ments apply.
  • Bem Sen­ding e‑mails respon­si­ble per­sons should take part in the TR 03108 – 1 (“Secu­re e‑mail trans­port”) and must ensu­re man­da­to­ry trans­port encryp­ti­on. In the case of high risks, respon­si­ble par­ties must “regu­lar­ly” per­form end-to-end encryp­ti­on and qua­li­fi­ed trans­port encryption.
  • Who gives a Pro­fes­sio­nal sec­re­cy to § 203 StGB must ensu­re that only aut­ho­ri­zed par­ties can decrypt the messages.
  • Public e‑mail ser­vice pro­vi­ders must com­ply with the requi­re­ments of Tech­ni­cal Gui­de­line TR 03108 – 1 of the Ger­man Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI).

The ori­en­ta­ti­on gui­de con­ta­ins more detail­ed infor­ma­ti­on on the indi­vi­du­al points and procedures.




Rela­ted articles