The abuse rule is gone:
GDPR applies retroactively to your e-mail
Many people have an established habit of saving e-mails that might be “good to have”. Does that sound like you? Me too. With the entry into force of the new data protection legislation, everyone with this habit has been forced to let go of redundant e-mail. It is no longer possible to save e-mail to the same extent as before 25 May 2018.
All emails are covered
Emails usually contain personal information such as name and contact information, which means that you most likely process and have processed personal information for a long time as soon as you have sent and received e-mail.
As the new rules require that all personal data processing has a clear purpose and a legal basis, all e-mail communication is affected, both the communication before and after 25 May 2018.
Inevitable handling of personal data
In order to process personal data at all, you need support in the Data Protection Regulation, a so-called legal basis. Unfortunately, if there is no other reason than that it can be “good to have”, you have to press the Delete button and empty the trash. What could another reason be, then? Below we list some legal bases for the processing of personal data.
- If you are an authority, you receive and process e-mails with the support of the public interest.
- Incoming e-mail is unknown, so you receive and process it on the basis of a balance of interests (legitimate interest).
- You have, or must enter into, an agreement with the person you are in e-mail contact with.
The right to information
Anyone who sends an e-mail to you or your organization is automatically covered by the organization’s processing of personal data.
That person thus has the same right to information as the organization’s other data subjects.
Email is for communication, not storage
Once you have received and saved the e-mail with the support of a legal basis, you must decide how long and where you should store the communication.
E-mail is not an appropriate place to manage personal data when the processing is clearly long-term.
For long-term processing, the data should be transferred to a case or document management system and the e-mail with the personal data deleted.
Another aspect to take into account is the type of personal data in question. Sensitive and privacy-sensitive information must be deleted from the e-mail as soon as possible and transferred to a case or document management system.
Name and postal address do not in most cases constitute privacy-sensitive information. However, the person may have a special need to protect their identity. In these cases, you should be careful about how you handle the data.
No one mentioned, nothing forgotten…
The saying goes: “no one mentioned, no one forgotten”, but if a third person is nevertheless mentioned in an e-mail, that person may need to be informed about it.
If no identifiable information about a third person is mentioned, however, you do not have to worry about forgetting to do something. Professional title and company name are in most cases harmless information and often go a long way.
If you still need to name someone and give their contact information to someone, or if you receive information about a third person, it may be that you need to inform them that you are disclosing or processing information about them.
However, this is an assessment that you must make based on the circumstances of each individual case. Weigh whether the effort needed to get hold of the person is reasonable in relation to that person being informed.
Usual e-mail correspondence between colleagues is fine
According to the Swedish Data Inspectorate, it is OK for colleagues to send each other information about a third person without informing that person, provided that the personal information is not of a sensitive nature.
The Data Inspectorate sees it as “disproportionate” to require that the third person be specifically informed about personal data in “usual e-mail correspondence between colleagues or in other everyday messages”.
A hot topic of discussion prior to the implementation of the European Data Protection Regulation (GDPR) was email marketing. How is it really? Can a company send newsletters and advertisements to private individuals via e-mail?
What does the law say?
The Marketing Act does not allow advertising to be sent via e-mail to just anyone, at any time and in any way. The law instead prescribes specific situations where it is allowed, usually called opt-in and soft opt-in, as well as what an advertisement sent via e-mail should look like.
Soft opt-in situation – This situation does not require consent but is based on the company having received the natural person’s e-mail address in connection with a sale to the person in question.
If the person has objected or objects to the use of their e-mail address to receive marketing, the right of the company to market via e-mail disappears. In addition, marketing may only refer to the company’s own products, which must be closely related to the first purchased product.
Opt-in situation – This situation means that a company may send advertising via e-mail to a natural person (private individuals and sole proprietors) only if the latter has agreed to it in advance.
Formal requirements – Irrespective of the above situations, the e-mail must always contain a valid address to which the recipient can turn with a request that the marketing should cease.
Note that this requirement also applies when a company sends marketing to legal persons (this includes personal addresses at the workplace, e.g. firstname.lastname@example.org). It is also important that the e-mail addresses to which the marketing is sent are not visible to all recipients.