Germany: Guidance regarding encryption requirements for the process of receiving and sending emails containing personal data
Description
Guidance regarding encryption requirements for the process of receiving and sending emails containing personal data
The German Data Protection Conference (DSK) issued requirements based on Art. 5 par. 1 lit. f, Art. 25 and Art. 32 par. 1 DS-GVO regarding the process of receiving and sending emails. Controllers, processors, recipients and public e-mail service providers are required to ensure transport encryption for normal risks when sending and receiving emails in accordance with the guidelines of the German Federal Office for Information Security (BSI). Furthermore, qualified encryption or end-to-end encryption has to be installed for emails containing confidential personal data. Finally, for such critical emails containing confidential personal data, the DSK recommends a qualified check of the PGP or S/MIME signatures.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
other service provider
Implementation Level
national
Government Branch
executive
Government Body
data protection authority
Key regulatory dimensions
Regulated subjects
The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type
Private organisation
Economic activity
other service provider
Category
All
Policy change by business practice
The detailed activities within the scope of this policy or regulatory change.
email: data processing
Regulatory tool
Sanctions
Determined by existing law or regulation
Regulated subjects
1
algorithm: encryption: creation: production
Regulatory tool
Technical standard adherence
Sanctions
Determined by existing law or regulation
Regulated subjects
1