DSK publishes guidance: Protective measures when sending e-mails
In a new guidance document, the German Data Protection Conference (Datenschutzkonferenz, DSK) summarizes what needs to be considered when sending and receiving e-mails and what requirements encryption procedures should meet. The DPA recommends that data controllers, their processors and public e-mail service providers implement the requirements set out in the guidance. Controllers must take reasonable steps to mitigate the risks posed by the transmission of personal data by e-mail.
The protection of personal data when sending e-mails extends both to the personal content of the messages and to the circumstances of the communication, if information about natural persons can be derived from them.
In this respect, controllers using public e-mail service providers must satisfy themselves that the providers offer sufficient guarantees of compliance with the requirements of the GDPR. This can be done primarily by means of suitable configuration settings, insofar as the service provider offers them:
The guidance is available here.