Social data protection – data protection in the job center
Is it permitted under data protection law to send documents or files as PDF attachments in a plain e-mail to the authorized representative?
The clear answer is no. But why?
Documents and files that contain personal data are subject to the provisions of the GDPR as regards the transfer process. The integrity and confidentiality of the data must be maintained. The measures selected must correspond to the risk posed by the transmitted messages, so that the data protection principles can be guaranteed. In this assessment, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, must be taken into account in each individual case.
The controller responsible for the personal data must therefore select the protective measure that takes into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. This can take the form of encryption; although the GDPR explicitly names encryption as an example of a protective measure, it is not mandatory, and protection can also be achieved by other means. Encryption is nevertheless to be regarded as a sensible safeguard; both end-to-end encryption and transport encryption are possible, and each reduces the risks to the confidentiality of the transmitted messages for its respective purpose. Both procedures should therefore be taken into account when weighing the necessary measures.
The Federal Commissioner for Data Protection and Freedom of Information already clarified this in his 2019 activity report and also reprimanded it accordingly.
(BfDI, 28th activity report (TB) 2019, point 8.3 – unencrypted e-mail dispatch?)
“Consent of data subjects to the unencrypted sending of e-mails cannot release controllers from their obligation to take suitable technical and organizational measures to protect personal data from unauthorized disclosure, […]
The GDPR provides consent as a possible legal basis for data processing in compliance with data protection regulations. According to Art. 6 Para. 1 GDPR, this can only refer to the admissibility of the processing of personal data, but not to the controller's legal obligation to comply with the necessary technical and organizational measures. It would be a violation of the rule of law under Article 20 (3) of the Basic Law if public bodies were allowed to waive compliance with legal obligations on the basis of a “voluntary” decision by the person concerned.”
Encryption is, of course, one option.
Alternatively, one could keep documents and files in a separate download area and grant the authorized persons, here the legal representatives, temporary access. It goes without saying that the cloud service's own IT security must also be ensured.
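To illustrate what "temporary access" to a download area can mean in practice, here is an added example (not code from the original article or from the author's firm): a download link that is bound to one file and one recipient, expires after a fixed time, and is protected against tampering by an HMAC. The base URL, the secret, the file identifier and the recipient address are all constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret (assumption). In a real deployment this comes
# from a secrets store and is never committed to source control.
SERVER_SECRET = b"example-secret-do-not-reuse"


def _signature(secret: bytes, file_id: str, recipient: str, expires: int) -> str:
    """HMAC-SHA256 over the fields the link must bind together:
    which file, for whom, and until when."""
    msg = f"{file_id}|{recipient}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_download_link(base_url: str, file_id: str, recipient: str,
                       valid_for_seconds: int, *, secret: bytes = SERVER_SECRET,
                       now: Optional[int] = None) -> str:
    """Issue a link for one file and one recipient that is valid until 'exp'.
    'now' can be injected for deterministic tests."""
    issued_at = int(time.time()) if now is None else now
    expires = issued_at + valid_for_seconds
    sig = _signature(secret, file_id, recipient, expires)
    query = urlencode({"file": file_id, "to": recipient, "exp": expires, "sig": sig})
    return f"{base_url}?{query}"


def verify_download_link(link: str, *, secret: bytes = SERVER_SECRET,
                         now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects malformed, tampered and expired links.
    The signature is checked before the expiry so that a tampered 'exp'
    value cannot extend the validity period."""
    params = parse_qs(urlparse(link).query)
    try:
        file_id = params["file"][0]
        recipient = params["to"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    expected = _signature(secret, file_id, recipient, expires)
    # Constant-time comparison avoids leaking the signature through timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    current = int(time.time()) if now is None else now
    if current >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a file released to one representative for one hour.
    link = make_download_link("https://portal.example/download",
                              "file-42", "lawyer@example.org", 3600)
    print(link)
    print(verify_download_link(link))
```

The server still has to authenticate the representative when the link is used and log each download; the signed link only limits what can be fetched, by whom, and for how long, which is the "temporary access" the paragraph above refers to.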
Henning Koch is a lawyer at the Marburg office, a specialist lawyer for IT law and for labor law, and a certified (including for public authorities) data protection officer at the business law firm Ruhmann Peters Altmeyer PartG mbB, as well as managing director of RPA Datenschutz + Compliance GmbH.