The German Data Protection Conference (DSK) has published guidance on measures for the protection of personal data during transmission by e‑mail (dated March 13, 2020). It explains the protective measures within the meaning of Art. 5(1)(f), 25 and 32 GDPR that data controllers, but also processors and “public e‑mail service providers”, have to comply with when sending e‑mails.
The guidance allows for deviating requirements depending on the risks of the individual case and covers only transport encryption, not the protection of data at rest. Within that scope, however, its requirements are to be understood as obligatory.
In summary, the DSK takes the view that:
- Transport encryption is a minimum standard. Anyone who specifically receives e‑mails (i.e. collects them, e.g. via a prompt on a website or as part of an agreement) must therefore create the prerequisites for transport encryption, at a minimum the establishment of TLS connections according to technical guideline TR-02102-2 “Cryptographic Procedures: Use of Transport Layer Security (TLS)” of the German Federal Office for Information Security (BSI):
The use of transport encryption provides basic protection and represents a minimum measure for meeting legal requirements. In processing situations with normal risks, transport encryption already achieves sufficient risk reduction.
- Controllers who specifically receive e‑mails “should” also check DKIM signatures, i.e. a specific digital signature that can be included in e‑mails; the public key of the sender’s domain can be used to check whether the e‑mail actually originates from that domain.
- Where particular risks exist, certain higher requirements apply.
- When sending e‑mails, controllers should follow TR-03108-1 (“Secure E‑Mail Transport”) and must ensure mandatory transport encryption. In the case of high risks, controllers must “regularly” use end-to-end encryption and qualified transport encryption.
- Anyone who is subject to a professional secrecy obligation under § 203 StGB must ensure that only authorized parties can decrypt the messages.
- Public e‑mail service providers must comply with the requirements of technical guideline TR-03108-1 of the German Federal Office for Information Security (BSI).
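The list above distinguishes opportunistic from mandatory transport encryption: a mandatory policy refuses to hand the message over in cleartext when the next hop does not offer TLS, instead of silently falling back. The following Python client illustrates that sender-side behaviour with the standard library's `smtplib` and `ssl`. It is an added example, not code from the DSK guidance or from BSI; the relay name `mail.example.net`, the addresses and the message are constructed, and pinning the floor at TLS 1.2 is this example's reading of the BSI recommendation, not a quotation of TR-02102-2.

```python
import smtplib
import ssl


def mandatory_tls_context() -> ssl.SSLContext:
    """Client-side TLS context for the SMTP connection.

    Certificate validation and hostname checking stay on (the defaults of
    create_default_context); the version floor is raised to TLS 1.2, which
    is the oldest version this example accepts (assumption based on TR-02102-2).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_with_mandatory_tls(host: str, port: int, sender: str,
                            recipients: list, message: bytes) -> None:
    """Deliver a message only if this hop can be upgraded to TLS.

    An opportunistic client would fall back to cleartext when STARTTLS is
    not advertised; here that case is an error and nothing is transmitted.
    """
    ctx = mandatory_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(
                f"{host}:{port} does not offer STARTTLS; refusing cleartext delivery")
        # Fails with ssl.SSLError if the certificate does not validate or the
        # server cannot negotiate at least TLS 1.2.
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-issue EHLO after the upgrade, as RFC 3207 expects
        smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    # Constructed relay and message for illustration only.
    msg = (b"From: alice@example.com\r\nTo: bob@example.org\r\n"
           b"Subject: test\r\n\r\nhello\r\n")
    send_with_mandatory_tls("mail.example.net", 587, "alice@example.com",
                            ["bob@example.org"], msg)
```

The decisive line is the `has_extn("starttls")` check: it turns the absence of TLS on the receiving side into a delivery failure that can be logged and acted on, which is what "mandatory" means in practice for the sending controller.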
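The DKIM point above says only that a public key of the sender's domain is used to check the signature; what a verifier actually works on is a canonicalized copy of the message. The Python below, an added example and not code from the DSK guidance or any DKIM library, implements the non-cryptographic part of a verifier per RFC 6376: it parses the `DKIM-Signature` tags, applies "relaxed" canonicalization to body and headers, recomputes and compares the body hash (`bh=`), derives the DNS name of the TXT record that holds the public key (`selector._domainkey.domain`), and assembles the exact bytes that the RSA-SHA256 signature in `b=` covers. The final RSA check against the key fetched from DNS is not performed here; in production a maintained library such as dkimpy does it. The sample message, the domain `example.com`, the selector `sel2024` and the `b=` value are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace,
    drop trailing whitespace on each line, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def relaxed_header(name: str, value: str) -> str:
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def split_message(raw: str):
    """Split a raw message into [name, value] header pairs (folded lines kept) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body


def parse_tags(sig_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature field; whitespace inside values is folding."""
    tags = {}
    for item in sig_value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def select_headers(headers, names):
    """Pick the signed headers in h= order, each time taking the lowest unused instance."""
    pool, out = list(headers), []
    for name in names:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].strip().lower() == name.lower():
                out.append(relaxed_header(*pool.pop(i)))
                break
    return out


def check_dkim(raw: str) -> dict:
    """Everything a verifier does before the RSA step: locate the signature,
    recompute the body hash and assemble the bytes the b= signature covers."""
    headers, body = split_message(raw)
    sig = next((h for h in headers if h[0].strip().lower() == "dkim-signature"), None)
    if sig is None:
        return {"present": False}
    tags = parse_tags(sig[1])
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    # The signature covers the DKIM-Signature field itself with an emptied b= value.
    sig_without_b = re.sub(r"(^\s*|;\s*)b=[^;]*", r"\1b=", sig[1])
    signed = select_headers(headers, tags["h"].split(":"))
    signed.append(relaxed_header("DKIM-Signature", sig_without_b).rstrip("\r\n"))
    return {
        "present": True,
        "domain": tags["d"],
        "selector": tags["s"],
        "key_record_name": f"{tags['s']}._domainkey.{tags['d']}",  # TXT record with the public key
        "body_hash_ok": bh == tags.get("bh"),
        "signature_input": "".join(signed).encode(),
        "signature": base64.b64decode(tags.get("b", "")),
    }


# Constructed sample: example.com, selector sel2024 and the b= value are illustrative,
# not a real signature; bh= is filled in so the message is internally consistent.
SAMPLE_BODY = "Hello  Bob,\r\n\r\nsee you.   \r\n\r\n"


def build_sample(body: str) -> str:
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    return ("From: Alice <alice@example.com>\r\n"
            "To: Bob <bob@example.org>\r\n"
            "Subject: Hello\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            f" s=sel2024; h=from:to:subject; bh={bh};\r\n"
            " b=cGxhY2Vob2xkZXI=\r\n"
            "\r\n" + body)


SAMPLE = build_sample(SAMPLE_BODY)

if __name__ == "__main__":
    print(check_dkim(SAMPLE))
    print(check_dkim(SAMPLE.replace("see you.", "see you!"))["body_hash_ok"])
```

Relaxed canonicalization is why a message whose whitespace was rewritten by an intermediate MTA still verifies, while a changed character in the body makes `body_hash_ok` false before any key lookup happens; the `key_record_name` and `signature_input` values are exactly what the RSA step then needs.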
The orientation guide contains more detailed information on the individual points and procedures.