GDPR Learning Hub


Processing of personal data when using e-mail

It is common to process personal data when using e-mail in business. It is therefore good to know the GDPR rules that apply, so as not to violate them inadvertently.

Processing personal data when using e-mail

Processing of personal data when using e-mail in business is very common. It covers everything from potential employees sending in their CVs and customers sending in requests to staff e-mailing each other, and much more.

There are many situations where companies send e-mails containing personal data and thus have to comply with the rules of the GDPR. In addition, an e-mail address in itself may constitute personal data. 


Using e-mail to send out advertisements

It is common for companies to use e-mail as a marketing channel. Businesses can send marketing e-mails to both previous customers and potential new customers. Since this is marketing, there may also be national laws that regulate how companies are allowed to do so. In addition, companies must comply with the rules of the GDPR, because sending such e-mails involves the processing of personal data.

The rules on consent for sending e-mails may differ from one Member State to another

Please note that there may be national laws on marketing that require consent when sending e-mails for marketing purposes. In Sweden, for example, the Marketing Act requires consent in a ‘cold relationship’, that is, where there has been no previous business relationship between the company and the recipient of the e-mail marketing. If, on the other hand, there has been a business relationship in the past, consent is not required, because the processing can then be based on legitimate interest as the legal basis instead. Please note, however, that the company must stop sending e-mails if the person so requests.

Misdelivered messages are a common personal data breach

One of the most common personal data breaches is misdelivered e-mails. This usually happens when someone misspells the recipient’s e-mail address while sending an e-mail containing personal data. To avoid this, it is good to create clear routines for employees. For example, make it part of the data protection culture to always check that the recipient is correctly entered. In addition, keep in mind that many scammers send out e-mails in which they claim to be someone they are not. Therefore, it is also good to always double-check that the recipient is who they claim to be.
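A recipient check of the kind the routine above calls for can also be automated as a pre-send warning. The following is an added example written for this page, not code from the GDPR Learning Hub: it compares each recipient's domain against a list of domains the company already corresponds with, flags domains that are only a couple of edits away from a known one (a likely misspelling or a look-alike), and flags domains never seen before so the sender confirms them. The domain list and the addresses are constructed sample values, and the edit-distance threshold of 2 is an assumption a company would tune.

```python
# Pre-send recipient check: flag likely typos and unfamiliar domains.
# Added example for illustration; all names and addresses are constructed.

# Domains this (hypothetical) company already corresponds with.
KNOWN_DOMAINS = ["example.com", "partner.example"]


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipients(recipients, known_domains=KNOWN_DOMAINS, max_typo_distance=2):
    """Return {address: (status, detail)} for every recipient.

    status is one of:
      "ok"            - domain is on the known list
      "possible-typo" - domain is within max_typo_distance of a known domain
                        (detail names the known domain that was probably meant)
      "unfamiliar"    - domain never seen before; sender should confirm it
      "invalid"       - not a syntactically usable address
    """
    report = {}
    for addr in recipients:
        if addr.count("@") != 1 or addr.endswith("@"):
            report[addr] = ("invalid", None)
            continue
        domain = addr.rsplit("@", 1)[1].lower()
        if domain in known_domains:
            report[addr] = ("ok", domain)
            continue
        near = [d for d in known_domains if edit_distance(domain, d) <= max_typo_distance]
        if near:
            report[addr] = ("possible-typo", near[0])
        else:
            report[addr] = ("unfamiliar", domain)
    return report


def needs_confirmation(report):
    """True if any recipient should be confirmed before the mail is sent."""
    return any(status != "ok" for status, _ in report.values())


if __name__ == "__main__":
    # Constructed outgoing message: one typo, one known partner, one new domain.
    to = ["anna@exampel.com", "bo@partner.example", "c@newvendor.test"]
    for addr, (status, detail) in check_recipients(to).items():
        print(f"{addr}: {status} ({detail})")
    print("confirm before sending:", needs_confirmation(check_recipients(to)))
```

The check is deliberately conservative: an unfamiliar domain is not blocked, only surfaced, because legitimate first contacts are common; the point is to make the sender look at the address once more before personal data leaves the organisation.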

Contracts with data subjects may be the legal basis in certain cases

In some cases, e-mail is used as a means of communication to enter into agreements, for example when a person orders a service on a website and the order is sent to the company’s e-mail address. However, please note that it may be better to store the personal data on a different legal basis if possible.

Regularly clean out the inbox and outbox

The GDPR requires companies to delete or anonymise personal data when it is no longer necessary for the purpose for which it was collected. Much of the personal data contained in e-mails does not need to be stored for very long in relation to the purpose of the processing, for example messages with questions from customers, a request from a data subject to exercise a right under the GDPR, or similar.


Don't forget the outbox

A common mistake that many companies make when deleting emails is simply deleting the non-essential emails from their inbox. In other words, companies often forget to delete emails containing personal data from the outbox, which is just as important.


Have predetermined dates

To ensure that emails containing personal data are cleaned out regularly in accordance with the GDPR, it is good to have predetermined dates. For example, the written instructions may state that all employees must review their inbox and outbox every quarter, semi-annually or annually, in order to delete what is not necessary to continue processing.


Exceptions

If an email contains information that the company needs to defend or contest a legal claim, that email may be saved as long as it is relevant to the case. The processing is then carried out on the basis of the company's legitimate interest in defending or contesting a legal claim.
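The cleaning-out routine described in the preceding sections (sweep both inbox and outbox, on predetermined dates, and keep what is needed to defend or contest a legal claim) can be expressed as a small retention check. The following is an added example written for this page, not code from the GDPR Learning Hub: it runs over a constructed set of messages from both folders, applies a per-category retention period, exempts messages marked as on legal hold, and sends anything without a known category to manual review rather than silently keeping it. The category names and retention periods are assumptions; the page gives no figures, so a company would substitute its own.

```python
# Mailbox retention sweep covering inbox and sent folder, with legal-hold exception.
# Added example for illustration; messages and retention periods are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Message:
    msg_id: str
    folder: str        # "inbox" or "sent" (the outbox must be swept as well)
    received: date     # date the message arrived or was sent
    category: str      # hypothetical label assigned when the mail was handled
    legal_hold: bool = False  # needed to defend or contest a legal claim


# Assumed retention schedule in days per category (not figures from the page).
RETENTION_DAYS = {
    "customer_question": 90,
    "data_subject_request": 365,
    "job_application": 180,
}


def retention_verdict(msg, today):
    """Return True (delete), False (keep) or None (manual review)."""
    if msg.legal_hold:
        return False                      # relevant to a legal claim: keep
    limit = RETENTION_DAYS.get(msg.category)
    if limit is None:
        return None                       # unknown purpose: a person must decide
    return (today - msg.received).days > limit


def retention_sweep(mailbox, today):
    """Split a mailbox into (delete, review, keep) lists of message ids."""
    delete, review, keep = [], [], []
    for msg in mailbox:
        verdict = retention_verdict(msg, today)
        if verdict is None:
            review.append(msg.msg_id)
        elif verdict:
            delete.append(msg.msg_id)
        else:
            keep.append(msg.msg_id)
    return delete, review, keep


def quarterly_review_dates(year):
    """Predetermined sweep dates: first day of each quarter of the given year."""
    return [date(year, m, 1) for m in (1, 4, 7, 10)]


# Constructed sample mailbox covering both folders.
SAMPLE_MAILBOX = [
    Message("m1", "inbox", date(2024, 1, 10), "customer_question"),
    Message("m2", "sent", date(2024, 4, 15), "customer_question"),
    Message("m3", "sent", date(2023, 1, 1), "data_subject_request"),
    Message("m4", "inbox", date(2023, 3, 1), "customer_question", legal_hold=True),
    Message("m5", "inbox", date(2023, 6, 1), "newsletter_signup"),  # no retention rule
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    delete, review, keep = retention_sweep(SAMPLE_MAILBOX, today)
    print("delete:", delete)
    print("review:", review)
    print("keep:  ", keep)
    print("next sweeps:", quarterly_review_dates(2025))
```

Two design choices matter here: the sent folder is treated exactly like the inbox, so the outbox is not forgotten, and a message with no retention rule is escalated instead of being kept by default, since "no rule" usually means "nobody decided", not "keep forever".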

Is it allowed to send payslips by e-mail?

The answer is that it depends on what the payslip contains and whether the e-mail is encrypted. Many payslips contain information about sick leave, which constitutes sensitive personal data under the GDPR. This means, among other things, that the company must handle the sensitive personal data with greater security than ‘ordinary personal data’, for example by not sending it via unencrypted e-mail. In other words, payslips should not be sent by unencrypted e-mail if they contain information about sick leave or other sensitive personal data.

Also, do not send other privacy-sensitive personal data via unencrypted e-mail

There are four groups of privacy-sensitive data, of which sensitive personal data is one. Examples of privacy-sensitive personal data are credit card numbers, social security numbers and details of violations of the law. Companies should not send privacy-sensitive personal data via unencrypted e-mail, as the Swedish supervisory authority has clarified.

Transfers of personal data to third countries by e-mail

The definition of a third country according to the GDPR

A third country is a country outside the EU/EEA, and the rules for transferring personal data there are stricter. If the third country has an adequate level of protection, which only the European Commission can decide, personal data may be transferred there without any additional safeguards, such as EU standard contractual clauses (SCCs).

It is not uncommon for companies to send e-mails containing personal data to a recipient located in a third country. If it is an occasional e-mail, there is normally no problem even without extra safeguards, and this holds even if the country does not have an adequate level of protection. However, the company may need to take extra protective measures if this happens on a regular basis.

Employers who process personal data about employees via e-mail

Consent is not an appropriate legal basis on which to base processing if the power relationship between the two parties is unequal, for example between an employer and an employee. If an employer processes employees’ personal data via e-mail, legitimate interest may be an appropriate basis for the processing instead, or alternatively the performance of the contract with the data subject (that is, the employment contract).

Positive to describe the processing of e-mails in the privacy notice

Companies must inform data subjects how they process personal data, as follows from the principle of lawfulness, fairness and transparency, one of the seven data protection principles. This information usually appears in a privacy notice. It is also good to include how the company processes personal data in its e-mail, for example information about storage and how often mailboxes are cleared out. The privacy notice should also be linked in the company’s e-mail signature, so that recipients of the e-mail are informed about the processing.

More about GDPR

Processing of personal data is common in HR work

Companies need to process personal data in their HR work, covering everything from processing before employment and during employment to after termination of employment. In addition, companies usually process sensitive personal data of their employees, for example information on sick leave and medical certificates. Besides sensitive personal data, companies usually also process personal data that can be subjectively sensitive to privacy, for example assessments of an employee’s work performance. It is important to remember that employees have the same rights as other data subjects under the GDPR. Employers must therefore treat employees’ personal data with the same care as that of their customers.
