Is sending unencrypted emails or invoices allowed?

14. April 2018

GDPR Art 32, 82, 83 – State of the art according to the GDPR – End-to-end encryption of e-mails – Saving the invoices on a personalized website makes sense – Fine and lawsuit for damages

Many companies email invoices or other confidential information to their customers. Documents or PDF invoices are often sent as attachments, sometimes signed, but often unsigned.

Data-protection-conscious employees rightly ask how sending by e-mail is to be assessed from a data protection point of view, and in particular whether encrypted transmission is required.

The General Data Protection Regulation (GDPR) does not prescribe specific technical measures for the confidentiality of a transmission. Art. 32 GDPR stipulates that when data is processed, measures must be taken to ensure the security of processing. The GDPR uses the term “state of the art” to describe the data security measures to be taken, without defining it more precisely.

In any case, the encryption of e-mails falls under the term “state of the art” and is therefore necessary in order not to contravene the security requirements of the GDPR. The GDPR also leaves open the question of what strength of encryption must be used in order to correspond to the “state of the art”.

Client-based end-to-end encryption of e-mails allows an e-mail to be encrypted over the entire transmission path. Since this form of encryption is still not used sufficiently by many companies and authorities, the choice usually falls on server-based encryption.

Server-based encryption

In fact, all modern e-mail servers offer server-to-server encryption (if it is enabled). Technically, a mail server negotiates with its counterpart whether the counterpart accepts encryption; the mail is transmitted in plain text only if the other party does not accept encryption. For the traffic between the user and his mail server, all mail programs offer both encrypted and unencrypted transmission options.

Furthermore, practically all mail servers offer an encrypted connection from the mail client (e.g. Outlook) to the mail server. If both sender and recipient use this encryption option and the server-to-server connection (including all intermediate servers) is encrypted, then the requirements of the GDPR are met in any case.

Failure to use encryption at any of these steps breaches confidentiality and may constitute a GDPR data breach; whether it does depends on the type of data and the type of transmission path. Responsibility for such a data breach lies with the sender. The sender can avoid this responsibility only if the data subjects (who are not necessarily the recipient) expressly agree to the insecure transmission of their data.

It is also advisable to point out to the user, for example as an e-mail attachment, that he should retrieve his e-mails over an encrypted connection. However, such a notice is not required by law.

Where the receiving server does not support encryption, one of the following should apply:
a) documents or invoices are not sent by e-mail (if such an e-mail falls into the wrong hands, a customer could complain of a lack of security of processing under Art. 32 GDPR), or
b) the recipient is informed that he is using an insecure mail server, and his consent is obtained that he still wants the mail to be delivered, or
c) end-to-end encryption is used (the recipient must provide a public key for this).
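As an added example (not from the original article), the following Python snippet shows what the server-side negotiation described above amounts to in practice: a receiving mail server announces in its EHLO reply whether it accepts STARTTLS, and a sender that reads this reply can apply options a) to c) from the list instead of silently falling back to plain text. The EHLO replies and host names are constructed; the live check at the end uses the standard smtplib module and needs network access.

```python
import smtplib
from typing import Optional, Set

# Constructed EHLO replies (no real servers). The first line is the greeting;
# every further line advertises one SMTP extension, STARTTLS among them.
EHLO_WITH_STARTTLS = """250-mail.example.invalid Hello
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 SMTPUTF8"""

# A legacy server that will only accept plain-text delivery.
EHLO_WITHOUT_STARTTLS = """250-legacy.example.invalid Hello
250-SIZE 10240000
250 8BITMIME"""


def ehlo_extensions(ehlo_reply: str) -> Set[str]:
    """Return the upper-cased extension keywords a server advertised in its EHLO reply."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:                 # skip the greeting line
        body = line[4:] if line.startswith("250") else line  # drop the "250-" / "250 " prefix
        parts = body.split()                                 # keyword, then optional parameters
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def delivery_decision(extensions: Set[str], recipient_consented: bool = False,
                      recipient_public_key: Optional[str] = None) -> str:
    """Map the receiving server's capabilities to options a) to c) from the text.

    A server that advertises STARTTLS can be reached over an encrypted hop.
    If it does not, the sender must not quietly fall back to plain text."""
    if "STARTTLS" in extensions:
        return "send-over-tls"
    if recipient_public_key is not None:       # option c): end-to-end encryption
        return "send-end-to-end-encrypted"
    if recipient_consented:                    # option b): informed consent
        return "send-plaintext-with-consent"
    return "do-not-send"                       # option a): deliver another way


def receiving_server_offers_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (needs network): does the recipient's mail server advertise STARTTLS?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")
```

Note that an advertised STARTTLS is only an offer: if the TLS handshake then fails, treat the server as not supporting encryption rather than continuing in plain text.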

In the medium term, it is advisable for companies that regularly exchange documents to forego mail delivery and store documents or invoices on a personalized website.

Penalties for breach of security

Failure to comply with the obligation to take measures to ensure the security of processing can be fined by the supervisory authority with up to EUR 10 million or 2% of the previous year’s total worldwide annual turnover (Article 83(4) GDPR). In addition, those affected can file a claim for damages with the civil court for material and immaterial damage (Article 82 GDPR).
