<!DOCTYPE html><html lang=en-US class="no-js no-svg"><head><meta charset=UTF-8><meta name=viewport content="width=device-width, initial-scale=1.0"><link rel=profile href=http://gmpg.org/xfn/11><link type=text/css media=all href=https://gdpr.eu/wp-content/cache/autoptimize/css/autoptimize_5b670c3f41f6d1c9d284128a1816dcbc.css rel=stylesheet><title>How does the GDPR affect email? - GDPR.eu</title> <script>(function(d, s, id){ var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) {return;} js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <meta name=robots content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"><link rel=canonical href=https://gdpr.eu/email-encryption/ ><meta property=og:locale content=en_US><meta property=og:type content=article><meta property=og:title content="How does the GDPR affect email? - GDPR.eu"><meta property=og:description content="The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people’s privacy rights. 
In this article, we’ll explain..."><meta property=og:url content=https://gdpr.eu/email-encryption/ ><meta property=og:site_name content=GDPR.eu><meta property=article:section content="GDPR Compliance"><meta property=article:published_time content=2018-07-11T22:29:56+00:00><meta property=article:modified_time content=2023-09-14T15:46:59+00:00><meta property=og:updated_time content=2023-09-14T15:46:59+00:00><meta property=og:image content=https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-email-encryption-IM.jpg><meta property=og:image:secure_url content=https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-email-encryption-IM.jpg><meta property=og:image:width content=1024><meta property=og:image:height content=512><meta name=twitter:card content=summary_large_image><meta name=twitter:description content="The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people’s privacy rights. In this article, we’ll explain..."><meta name=twitter:title content="How does the GDPR affect email? 
- GDPR.eu"><meta name=twitter:image content=https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-email-encryption-IM.jpg> <script type=application/ld+json class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://gdpr.eu/#organization","name":"GDPR.eu","url":"https://gdpr.eu/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https://gdpr.eu/#logo","url":"https://gdpr.eu/wp-content/uploads/2019/02/profile-pic-PH-gdpr.jpg","width":900,"height":900,"caption":"GDPR.eu"},"image":{"@id":"https://gdpr.eu/#logo"}},{"@type":"WebSite","@id":"https://gdpr.eu/#website","url":"https://gdpr.eu/","name":"GDPR.eu","publisher":{"@id":"https://gdpr.eu/#organization"},"potentialAction":{"@type":"SearchAction","target":"https://gdpr.eu/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://gdpr.eu/email-encryption/#primaryimage","url":"https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-email-encryption-IM.jpg","width":1024,"height":512},{"@type":"WebPage","@id":"https://gdpr.eu/email-encryption/#webpage","url":"https://gdpr.eu/email-encryption/","inLanguage":"en-US","name":"How does the GDPR affect email? 
- GDPR.eu","isPartOf":{"@id":"https://gdpr.eu/#website"},"primaryImageOfPage":{"@id":"https://gdpr.eu/email-encryption/#primaryimage"},"datePublished":"2018-07-11T22:29:56+00:00","dateModified":"2023-09-14T15:46:59+00:00"},{"@type":"Article","@id":"https://gdpr.eu/email-encryption/#article","isPartOf":{"@id":"https://gdpr.eu/email-encryption/#webpage"},"author":{"@id":"https://gdpr.eu/#/schema/person/ea6a6cfb7b5ad33e0b774ac2085eb166"},"headline":"How does the GDPR affect email?","datePublished":"2018-07-11T22:29:56+00:00","dateModified":"2023-09-14T15:46:59+00:00","commentCount":0,"mainEntityOfPage":{"@id":"https://gdpr.eu/email-encryption/#webpage"},"publisher":{"@id":"https://gdpr.eu/#organization"},"image":{"@id":"https://gdpr.eu/email-encryption/#primaryimage"},"articleSection":"GDPR Compliance"},{"@type":["Person"],"@id":"https://gdpr.eu/#/schema/person/ea6a6cfb7b5ad33e0b774ac2085eb166","name":"Ben Wolford","image":{"@type":"ImageObject","@id":"https://gdpr.eu/#authorlogo","url":"https://secure.gravatar.com/avatar/41724bffc3c429bc44aff458c88401e5?s=96&d=mm&r=g","caption":"Ben Wolford"},"description":"A journalist by training, Ben has reported and covered stories around the world. He joined <a href=\"https://proton.me?ref=gdpreu\">Proton</a> to help lead the fight for data privacy.","sameAs":[]}]}</script> <link rel=dns-prefetch href=//ws.sharethis.com><link rel=dns-prefetch href=//cdn.jsdelivr.net><link rel=dns-prefetch href=//maxcdn.bootstrapcdn.com><link rel=dns-prefetch href=//fonts.googleapis.com><link rel=dns-prefetch href=//use.fontawesome.com><link rel=dns-prefetch href=//s.w.org><link rel=alternate type=application/rss+xml title="GDPR.eu » Feed" href=https://gdpr.eu/feed/ ><link rel=alternate type=application/rss+xml title="GDPR.eu » Comments Feed" href=https://gdpr.eu/comments/feed/ ><link rel=alternate type=application/rss+xml title="GDPR.eu » How does the GDPR affect email? 
Comments Feed" href=https://gdpr.eu/email-encryption/feed/ > <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/gdpr.eu\/wp-includes\/js\/wp-emoji-release.min.js?ver=8c03ada028d9ba4936249699216631ae"}}; !function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return 
s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);</script> <style>img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; }</style><link rel=stylesheet id=simple-share-buttons-adder-font-awesome-css href='//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css?ver=8c03ada028d9ba4936249699216631ae' type=text/css media=all><link rel=stylesheet id=opensans-css href='https://fonts.googleapis.com/css?family=Open+Sans' type=text/css media=all><link rel=stylesheet id=font-awesome-css href=https://use.fontawesome.com/releases/v5.1.1/css/all.css type=text/css media=all> <script 
src="https://gdpr.eu/wp-content/cache/minify/c7035.js"></script> <script id=st_insights_js src='https://ws.sharethis.com/button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare'></script> <link rel=https://api.w.org/ href=https://gdpr.eu/wp-json/ ><link rel=EditURI type=application/rsd+xml title=RSD href=https://gdpr.eu/xmlrpc.php?rsd><link rel=wlwmanifest type=application/wlwmanifest+xml href=https://gdpr.eu/wp-includes/wlwmanifest.xml><link rel=shortlink href='https://gdpr.eu/?p=221'><link rel=alternate type=application/json+oembed href="https://gdpr.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fgdpr.eu%2Femail-encryption%2F"><link rel=alternate type=text/xml+oembed href="https://gdpr.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fgdpr.eu%2Femail-encryption%2F&format=xml"><link rel="shortcut icon" href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon.ico><link rel=apple-touch-icon sizes=57x57 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-57x57.png><link rel=apple-touch-icon sizes=60x60 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-60x60.png><link rel=apple-touch-icon sizes=72x72 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-72x72.png><link rel=apple-touch-icon sizes=76x76 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-76x76.png><link rel=apple-touch-icon sizes=114x114 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-114x114.png><link rel=apple-touch-icon sizes=120x120 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-120x120.png><link rel=apple-touch-icon sizes=144x144 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-144x144.png><link rel=apple-touch-icon sizes=152x152 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-152x152.png><link rel=apple-touch-icon sizes=180x180 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-180x180.png><link rel=icon type=image/png sizes=192x192 
href=https://gdpr.eu/wp-content/themes/gdpr/assets/android-icon-192x192.png><link rel=icon type=image/png sizes=32x32 href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-32x32.png><link rel=icon type=image/png sizes=96x96 href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-96x96.png><link rel=icon type=image/png sizes=16x16 href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-16x16.png><link rel=manifest href=https://gdpr.eu/wp-content/themes/gdpr/assets/manifest.json><meta name=msapplication-TileColor content=#ffffff><meta name=msapplication-TileImage content=https://gdpr.eu/wp-content/themes/gdpr/assets/ms-icon-144x144.png><meta name=theme-color content=#ffffff><style>.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style></head><body class="post-template-default single single-post postid-221 single-format-standard cookies-not-set"><div id=wrapper><header id=header><div id=social><div class="container text-right"> <a target=_blank href="http://www.facebook.com/sharer.php?u=https://gdpr.eu/"><em class="fab fa-facebook"></em> <span>Facebook</span></a> <a target=_blank href="http://twitter.com/share?url=https://gdpr.eu/"><em class="fab fa-twitter"></em> <span>Twitter</span></a></div></div><div id=top><div class=container><div class=pull-right><div class=search-box><form role=search method=get class=search-form action=https://gdpr.eu/ > <input type=search id=search-form-68412209ef0e8 class=textbox placeholder=Search... 
value name=s> <button type=submit class=button><i class=icon-search></i><span>Search</span></button></form></div></div> <span id=logo> <a href=https://gdpr.eu/ class=gdpr></a> <a target=_blank href=https://ec.europa.eu/programmes/horizon2020/en/ class=horizon></a> <img class=full src=https://gdpr.eu/wp-content/themes/gdpr/images/logo-gdpr-eu.svg alt=GDPR.eu> <img class=short src=https://gdpr.eu/wp-content/themes/gdpr/images/logo-gdpr-eu-notext.svg alt=GDPR.eu> </span></div></div><nav id=nav><div class=container><div id=searchx><div class=search-box><form role=search method=get class=search-form action=https://gdpr.eu/ > <input type=search id=search-form-68412209efe9e class=textbox placeholder=Search... value name=s> <button type=submit class=button><i class=icon-search></i><span>Search</span></button></form></div></div><nav id=mainmenu class=menu-primary-menu-container><ul><li id=menu-item-309 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-309"><a href=https://gdpr.eu/ >Home</a></li><li id=menu-item-351 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-351"><a href=https://gdpr.eu/checklist/ >Checklist</a></li><li id=menu-item-8150 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8150"><a href=https://gdpr.eu/faq/ >FAQ</a></li><li id=menu-item-394 class="menu-item menu-item-type-taxonomy menu-item-object-post_tag menu-item-394"><a href=https://gdpr.eu/tag/gdpr/ >GDPR</a></li><li id=menu-item-350 class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-350"><a href=https://gdpr.eu/category/news-updates/ >News & Updates</a></li></ul></nav></div></nav></header><div id=main><div id=primary class="content-area one-column"><div id=content class=site-content><div class=post-main-box><div class=featured-image style="background-image: url(https://gdpr.eu/wp-content/uploads/2018/11/Blog-GDPR-EU-email-encryption-IM.jpg); "> <em></em><div class=container><div 
class=container><h1>How does the GDPR affect email?</h1> <i></i></div></div></div><div class=container><div class=post-detail-box><div class=container><div class=row><div class="col-xl-8 col-lg-12 single-content"><p><span style="font-weight: 400;">The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people’s privacy rights. In this article, we’ll explain how to ensure GDPR email compliance.</span></p><p><span style="font-weight: 400;">Email users send over <a href=http://www.radicati.com/wp/wp-content/uploads/2015/02/Email-Statistics-Report-2015-2019-Executive-Summary.pdf>122 work-related emails per day on average</a>, and that number is expected to rise. While we may not think of email as subject to the <a href=https://gdpr.eu/ >European Union’s General Data Protection Regulation (GDPR)</a>, your mailbox in fact contains a trove of personal data. From names and email addresses to attachments and conversations about people, all could be covered by the GDPR’s strict new requirements on data protection.</span></p><p><span style="font-weight: 400;">Any organization (companies, charities, even micro-enterprises) that handles the personal information of EU citizens or residents <a href=https://gdpr.eu/companies-outside-of-europe/ >is subject to the GDPR</a>. That includes <a href=https://gdpr.eu/companies-outside-of-europe/ >organizations not in the EU</a> but that offer goods or services to people there. The requirements basically boil down to two things: secure people’s data, and make it easy for people to exercise control over their data. (Our “<a href=https://gdpr.eu/what-is-gdpr/ >What is the GDPR?</a>” article provides an overview.) Those who don’t follow the rules can get hit with <a href=https://gdpr.eu/fines/ >a fine of €20 million or 4 percent of global revenue</a>, whichever is higher, plus compensation for damages. 
</span></p><p><span style="font-weight: 400;">While most of the focus regarding GDPR email requirements has centered around email marketing and spam, there are other aspects, such as email encryption and email safety, that are equally important for GDPR compliance. Below we’ll explain what the GDPR actually says and what it means for email.</span></p><p><span style="font-weight: 400;">Keep in mind that nothing you read here is a good substitute for legal advice. We recommend consulting with an attorney to understand how the GDPR applies to your specific situation.</span></p><h1><span style="font-weight: 400;">GDPR encryption and security</span></h1><h3><span style="font-weight: 400;">What the GDPR says:</span></h3><p><span style="font-weight: 400;">If you collect, store, or use the data of people in the EU, then the GDPR applies to you. And that means you may have an obligation to change the way your organization operates in some fundamental ways. </span></p><p><span style="font-weight: 400;">The GDPR requires “data protection by design and by default,” meaning organizations must always consider the data protection implications of any new or existing products or services. <a href=https://gdpr.eu/article-5-how-to-process-personal-data/ >Article 5</a> of the GDPR lists the principles of data protection you must adhere to, including the adoption of appropriate technical measures to secure data. Encryption and pseudonymization are cited in the law as examples of technical measures you can use to minimize the potential damage in the event of a data breach.</span></p><h3><span style="font-weight: 400;">What it means for email:</span></h3><p><span style="font-weight: 400;">When it comes to email, encryption is the most feasible option. As little as five years ago, that would not have been true. 
But email encryption technology has developed rapidly, and several companies now offer <a href="https://proton.me/support/what-is-encryption?ref=gdpreu">end-to-end encrypted email service</a>. Cloud-based, secure email is now a convenient and practical option. (Disclosure: GDPR.eu is run by <a href="https://proton.me/mail?ref=gdpreu">Proton Mail, the world’s largest encrypted email service</a>, and funded in part by the European Union’s Horizon 2020 Framework Programme.) </span></p><p><span style="font-weight: 400;">While encryption is not required, it is up to every organization to develop a documented rationale for adopting the most appropriate data security practices. </span></p><h1><span style="font-weight: 400;">Email retention under GDPR</span></h1><h3><span style="font-weight: 400;">What the GDPR says:</span></h3><p><span style="font-weight: 400;">Data erasure is a large part of the GDPR. It is one of the six data protection principles: Article 5(e) states that personal data can be stored for “no longer than is necessary for the purposes for which the personal data are processed.” Data erasure is also one of the personal rights protected by the GDPR in <a href=https://gdpr.eu/article-17-right-to-be-forgotten/ >Article 17</a>, the famous “<a href=https://gdpr.eu/right-to-be-forgotten/ >right to be forgotten</a>.” “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” There are some exceptions to this latter requirement, such as the public interest. But generally speaking, you have an obligation to erase personal data you no longer need.</span></p><h3><span style="font-weight: 400;">What it means for email:</span></h3><p><span style="font-weight: 400;">Many of us never delete emails. There are plenty of good reasons: We may need to refer to them someday as a record of our activities or even for possible litigation. 
But the more data you keep, the greater your liability if there’s a data breach. Moreover, the erasure of unneeded personal data is now required under European law. Because of the GDPR, you should periodically review your organization’s email retention policy with the goal of reducing the amount of data your employees store in their mailboxes. The regulation requires you to be able to show that you have a policy in place that balances your legitimate business interests against your data protection obligations under the GDPR.</span></p><p><span style="font-weight: 400;">From a technical standpoint, email data erasure can be quite simple and often it can be automated. Proton Mail and some other email services have an expiring email option that allows you to set messages for deletion after a designated length of time. Whatever email retention strategy your organization decides, it’s going to require some getting used to but will significantly lower your GDPR exposure.</span></p><h1><span style="font-weight: 400;">Email marketing and spam</span></h1><h3><span style="font-weight: 400;">What the GDPR says:</span></h3><p><span style="font-weight: 400;">Among the other data protection principles in <a href=https://gdpr.eu/article-5-how-to-process-personal-data/ >Article 5</a> are “lawfulness, fairness, and transparency.” This means you can only use people’s data if it’s allowed under one of six legal justifications, it must be fair to the data subject, and it must be based on transparent and unambiguous communication with the data subject. (The “data subject,” by the way, is the identifiable person the data is about.)</span></p><p><span style="font-weight: 400;">There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in <a href=https://gdpr.eu/article-6-how-to-process-personal-data-legally/ >Article 6</a>. 
The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically:</span></p><ul><li style="list-style-type: none"><ul><li style="font-weight: 400;"><span style="font-weight: 400;">Consent must be “freely given, specific, informed and unambiguous.”</span></li></ul></li></ul><ul><li style="list-style-type: none"><ul><li style="font-weight: 400;"><span style="font-weight: 400;">Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”</span></li></ul></li></ul><ul><li style="list-style-type: none"><ul><li style="font-weight: 400;"><span style="font-weight: 400;">Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.</span></li></ul></li></ul><ul><li style="list-style-type: none"><ul><li style="font-weight: 400;"><span style="font-weight: 400;">Children under 13 can only give consent with permission from their parent.</span></li></ul></li></ul><ul><li style="font-weight: 400;"><span style="font-weight: 400;">You need to keep documentary evidence of consent.</span></li></ul><p><span style="font-weight: 400;">The sixth legal basis is to have a “legitimate interest” to process the person’s data. Although the term is vague and could apply to a broad range of situations, you may have a hard time relying on this basis because the “fundamental rights and freedoms of the data subject” can often override your legitimate interest. Moreover, it remains to be seen how regulators and the courts will interpret this basis. 
You probably don’t want to be a test case.</span></p><p><span style="font-weight: 400;">The other four lawful bases are less common, but it’s a good idea to review <a href=https://gdpr.eu/article-6-how-to-process-personal-data-legally/ >Article 6</a> to make sure they don’t apply to you. The bottom line is that you should be very careful about using someone’s data unless you’re sure the person wants it used that way.<br> </span></p><p>However, the ePrivacy Directive, specifically <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN">Article 13</a>, presents organizations with another way to use a person’s data for marketing purposes that stems from the contractual basis of the GDPR. In the context of a sale of a good or service, an organization, “may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner,” according to Article 13, part 2. Essentially this means that an organization can lawfully send you marketing emails about the service they provide you as long as they inform you that you can opt-out at any time and there is the option to unsubscribe in every communication.</p><h3><span style="font-weight: 400;">What this means for email:</span></h3><p><span style="font-weight: 400;">After the GDPR passed, some people said it would be “the end of email marketing” or “the end of spam.” But it will be neither. Spam has always been outlawed or against the terms of use of most email providers. Those who send unsolicited or malicious mass emails will probably continue to send them. Did your spam folder dry up after May 25, 2018, when the GDPR took effect?</span></p><p><span style="font-weight: 400;">As for email marketing, the GDPR does not ban email marketing by any means. The GDPR did not set out to be anti-business, just pro-consumer. 
A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to ask for an affirmative opt-in to be able to send communications. And you must also make it easy for people to change their mind and opt out. A marketing email violates the GDPR only if it does not present the option to unsubscribe, is sent to someone who never signed up for it, or advertises a service unrelated to one the recipient uses.<br> </span></p><h1><span style="font-weight: 400;">Organizational email security</span></h1><h3><span style="font-weight: 400;">What the GDPR says:</span></h3><p><span style="font-weight: 400;">There’s one more email aspect of the GDPR, and that’s email security. <a href=https://gdpr.eu/article-5-how-to-process-personal-data/ >Article 5</a>(f) says you must protect personal data “against accidental loss, destruction or damage, using appropriate technical or organizational measures.” </span></p><h3><span style="font-weight: 400;">What this means for email:</span></h3><p><span style="font-weight: 400;">Email encryption is a technical measure. Organizational measures have to do with internal policies, <a href=https://gdpr.eu/data-protection-officer/ >management</a>, and training. Ninety-one percent of cyber attacks begin with a phishing email, in which hackers attempt to gain access to an account or device using deception or malware. Links and attachments from unknown senders should never be clicked or downloaded. Once an attacker gains access to one account or device, it’s often easy to access others, meaning a mistake by one employee could compromise vast amounts of data. 
If you cannot show regulators that you have implemented the proper technical and organizational measures, then you could be on the hook for huge EU fines and compensation to data subjects.</span></p><p><span style="font-weight: 400;">To avoid liability, it’s important to educate your team about email safety. Basic steps like requiring two-factor authentication can go a long way toward protecting data and complying with the GDPR.</span></p><div class=rp4wp-related-posts><h3>Related Posts</h3><ul><li><div class=rp4wp-related-post-content> <a href=https://gdpr.eu/article-20-right-to-data-portability/ >Art. 20 GDPR - Right to data portability</a></div></li><li><div class=rp4wp-related-post-content> <a href=https://gdpr.eu/article-10-personal-data-relating-to-criminal-convictions-and-offences/ >Art. 10 GDPR - Processing of personal data relating to criminal convictions and offences</a></div></li><li><div class=rp4wp-related-post-content> <a href=https://gdpr.eu/article-6-how-to-process-personal-data-legally/ >Art. 
6 GDPR - Lawfulness of processing</a></div></li></ul></div><div class=post-share><div id=ssba-modern-2 class="ssba ssbp-wrap left ssbp--theme-4"><div style=text-align:left><span class=ssba-share-text>Share on:</span><ul class=ssbp-list><li class=ssbp-li--facebook><a data-site class="ssba_facebook_share ssbp-facebook ssbp-btn" href="http://www.facebook.com/sharer.php?u=https://gdpr.eu/email-encryption/" target=_blank ><div title=Facebook class=ssbp-text>Facebook</div></a></li><li class=ssbp-li--google><a data-site class="ssba_google_share ssbp-google ssbp-btn" href="https://plus.google.com/share?url=https://gdpr.eu/email-encryption/" target="_blank" ><div title=Google+ class=ssbp-text>Google+</div></a></li><li class=ssbp-li--twitter><a data-site class="ssba_twitter_share ssbp-twitter ssbp-btn" href="http://twitter.com/share?url=https://gdpr.eu/email-encryption/&text=How%20does%20the%20GDPR%20affect%20email%3F%20" target="_blank" ><div title=Twitter class=ssbp-text>Twitter</div></a></li><li class=ssbp-li--linkedin><a data-site=linkedin class="ssba_linkedin_share ssba_share_link ssbp-linkedin ssbp-btn" href="http://www.linkedin.com/shareArticle?mini=true&url=https://gdpr.eu/email-encryption/" target="_blank" ><div title=Linkedin class=ssbp-text>Linkedin</div></a></li></ul></div></div></div></div><div class="col-lg-4 d-none d-xl-block"><div id=sidebar><section class=yellow><h5>Forms and Templates</h5><ul><li><a href=/data-processing-agreement/ ><i class="far fa-file-alt"></i> Data Processing Agreement</a></li><li><a href=/right-to-erasure-request-form/ ><i class="far fa-file-alt"></i> Right to Erasure Request Form</a></li><li><a href=/privacy-notice/ ><i class="far fa-file-alt"></i> Privacy Policy</a></li></ul></section></div></div></div></div></div><div class=post-author-details-box> <span class=author-intials><img src=https://gdpr.eu/wp-content/uploads/2019/01/ben.gif style=' height: 100%; max-width: initial !important;'></span><div class=post-author-details><h6>Ben 
Wolford</h6> <span>Editor in Chief, GDPR EU</span><p>A journalist by training, Ben has reported and covered stories around the world. He joined <a href="https://proton.me?ref=gdpreu">Proton</a> to help lead the fight for data privacy.</p></div></div></div></div></div></div></div><footer id=footer><div class=container><div class=post-author-details-box><div class=post-author-details><h6>About GDPR.EU</h6><p> </p><p>GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union. This is not an official EU Commission or Government resource. The official europa.eu webpage concerning the GDPR is <a href=https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en target=_blank rel="noopener noreferrer">available from the European Commission (opens in a new tab)</a>. Nothing found in this portal constitutes legal advice.</p></div></div><div class=footer-top><div class=row><div class=col-sm-3> <br><h5>Getting Started</h5><br><div class=menu-deep-footer-column-1-container><ul class=fmenu><li id=menu-item-9315 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9315"><a href=https://gdpr.eu/what-is-gdpr/ >What is GDPR?</a></li><li id=menu-item-9316 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9316"><a href=https://gdpr.eu/fines/ >What are the GDPR Fines?</a></li><li id=menu-item-9317 class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9317"><a href=https://gdpr.eu/checklist/ >GDPR Compliance Checklist</a></li></ul></div></div><div class=col-sm-3> <br><h5>Templates</h5><br><div class=menu-deep-footer-column-2-container><ul class=fmenu><li id=menu-item-9318 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9318"><a href=https://gdpr.eu/data-processing-agreement/ >Data Processing Agreement</a></li><li id=menu-item-9319 class="menu-item menu-item-type-post_type menu-item-object-post 
menu-item-9319"><a href=https://gdpr.eu/right-to-erasure-request-form/ >Right to Erasure Request Form</a></li><li id=menu-item-9320 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9320"><a href=https://gdpr.eu/privacy-notice/ >Writing a GDPR-compliant privacy notice</a></li></ul></div></div><div class=col-sm-3> <br><h5>Technical Review</h5><br><div class=menu-deep-footer-column-3-container><ul class=fmenu><li id=menu-item-9321 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9321"><a href=https://gdpr.eu/data-protection-officer/ >Data Protection Office Guide</a></li><li id=menu-item-9322 class="menu-item menu-item-type-post_type menu-item-object-post current-menu-item menu-item-9322"><a href=https://gdpr.eu/email-encryption/ aria-current=page>GDPR and Email</a></li><li id=menu-item-9323 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9323"><a href=https://gdpr.eu/companies-outside-of-europe/ >Does GDPR apply outside of the EU</a></li></ul></div></div><div class=col-sm-3> <br><h5>About Us</h5><br><p>GDPR.eu is co-funded by the <a href=https://ec.europa.eu/programmes/horizon2020/en/ >Horizon 2020</a> Framework Programme of the European Union <strong>and operated by Proton AG</strong>.</p></div></div></div><div class=formz><p> </p><p><strong>GDPR Forms and Templates</strong></p><p> <a href=/data-processing-agreement/ ><i class="far fa-file-alt"></i> <strong>Data Processing Agreement</strong> <i class="fa fa-chevron-right"></i></a> <a href=/right-to-erasure-request-form/ ><i class="far fa-file-alt"></i> <strong>Right to Erasure Request Form</strong> <i class="fa fa-chevron-right"></i></a> <a href=/privacy-notice/ ><i class="far fa-file-alt"></i> <strong>Privacy Policy</strong> <i class="fa fa-chevron-right"></i></a></p></div><p> </p><p class=copyright>© 2025 Proton AG. 
All Rights Reserved.</p><p class=text-center> <br> <a href=https://gdpr.eu/terms-and-conditions/ >Terms and Conditions</a> <a href=https://gdpr.eu/privacy-policy/ >Privacy Policy</a></p></div></footer></div><div id=compliance_a style=display:none;> <a href=# class="close fa fa-times"></a> <img src=https://gdpr.eu/wp-content/themes/gdpr/images/gdpr_graphic.svg alt="GDPR Graphic"><p>GDPR compliance is easier with <strong>encrypted email</strong></p> <span><a target=_blank href="https://proton.me/business/gdpr?ref=gdpreu">Learn more <i class="fa fa-chevron-right"></i></a></span></div><style id=simple-share-buttons-adder-ssba-inline-css>.ssba { } .ssba img { width: 35px !important; padding: 6px; border: 0; box-shadow: none !important; display: inline !important; vertical-align: middle; box-sizing: unset; } #ssba-classic-2 .ssbp-text { display: none!important; } .ssba .fb-save { padding: 6px; } .ssbp-list li a {height: 25px!important; width: 25px!important; background-color: #0072ff!important; } .ssbp-list li a:hover {background-color: #0072ff!important; } .ssbp-list li a::before {line-height: 25px!important;; font-size: 16px;color: #fff!important;} .ssbp-list li a:hover::before {color: #fff!important;} .ssbp-list li { margin-left: 8px!important; } .ssba-share-text { font-size: 16px; font-weight: normal; font-family: inherit; } @font-face { font-family: 'ssbp'; src:url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.eot?xj3ol1'); src:url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.eot?#iefixxj3ol1') format('embedded-opentype'), url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.woff?xj3ol1') format('woff'), url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.ttf?xj3ol1') format('truetype'), url('https://gdpr.eu/wp-content/plugins/simple-share-buttons-adder/fonts/ssbp.svg?xj3ol1#ssbp') format('svg'); font-weight: normal; font-style: normal; /* Better Font 
Rendering =========== */ -webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; }</style>
<!-- Review: the inline <style> above and the two inline <script> blocks below (the cnArgs config and the Main.boot call) cannot be allowed by a strict Content-Security-Policy without 'unsafe-inline' or per-response nonces/hashes. Moving them to external files, or emitting a nonce on each, would let script-src/style-src drop 'unsafe-inline'. -->
<script>var cnArgs = {"ajaxurl":"https:\/\/gdpr.eu\/wp-admin\/admin-ajax.php","hideEffect":"fade","onScroll":"no","onScrollOffset":"100","cookieName":"cookie_notice_accepted","cookieValue":"true","cookieTime":"2592000","cookiePath":"\/","cookieDomain":"","redirection":"1","cache":"1","refuse":"yes","revoke_cookies":"0","revoke_cookies_opt":"automatic","secure":"1"};</script>
<script src="https://gdpr.eu/wp-content/cache/minify/6fdea.js"></script>
<script>Main.boot( [] );</script>
<!-- Review: third-party script from cdn.jsdelivr.net with no integrity (SRI) or crossorigin attribute, and pinned only to a major version ("js-cookie@2"), so the served bytes can change under the same URL. A compromised or mis-served CDN file would run with this origin's privileges. Pin an exact version, add integrity="sha384-<hash of the pinned file>" crossorigin="anonymous", or self-host the file alongside the other first-party bundles. -->
<script src=https://cdn.jsdelivr.net/npm/js-cookie@2/src/js.cookie.min.js></script>
<!-- Review: the accept, refuse and revoke controls in the cookie notice are <a href=#> links acting as buttons; use <button type="button"> so they get native keyboard activation and are not announced as links. role="banner" is the site-header landmark; a consent notice fits role="region" (it already has aria-label) or a native <dialog>. The "Privacy policy" link uses target=_blank without rel="noopener noreferrer". cnArgs sets "secure":"1", so the consent cookie is presumably flagged Secure; it also sets "revoke_cookies":"0", so confirm the refuse path actually suppresses non-essential cookies rather than only recording the choice. -->
<div id=cookie-notice role=banner class="cn-bottom bootstrap" style="color: #fff; background-color: #000;" aria-label="Cookie Notice"><div class=cookie-notice-container><span id=cn-notice-text>We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.</span><a href=# id=cn-accept-cookie data-cookie-set=accept class="cn-set-cookie cn-button bootstrap button">Ok</a><a href=# id=cn-refuse-cookie data-cookie-set=refuse class="cn-set-cookie cn-button bootstrap button">No</a><a href=https://gdpr.eu/privacy-policy/ target=_blank id=cn-more-info class="cn-more-info cn-button bootstrap button">Privacy policy</a></div><div class=cookie-notice-revoke-container><a href=# class="cn-revoke-cookie cn-button bootstrap button">Revoke cookies</a></div></div>
<script defer src=https://gdpr.eu/wp-content/cache/autoptimize/js/autoptimize_5dd90da4735596921829dacc461fe36f.js></script></body></html>
<!-- Review: the cache-plugin footer comment below discloses server-side details to every visitor (database query counts and timing, serving host and timestamp). It is low-risk information but unnecessary; disable the plugin's debug/footer comment in production. -->
<!-- Performance optimized by W3 Total Cache. Learn more: https://www.w3-edge.com/products/ Page Caching using disk: enhanced Minified using disk Database Caching 53/68 queries in 0.210 seconds using disk Served from: gdpr.eu @ 2025-06-05 06:50:18 by W3 Total Cache -->