Email and personal data under GDPR

Is an email address personal data?

Most organisations process some form of personal data and routinely use email for communications. An email address that can be linked to a natural person (most work addresses and any name-based personal address) is itself personal data under Article 4(1) GDPR, and the body of an email frequently carries more. Depending on the nature of that data, the General Data Protection Regulation (GDPR) requires appropriate technical and organisational measures to protect the rights and freedoms of the individuals concerned. This overview explains the position under the GDPR when using email to handle personal data and how Morling Consulting can help you meet your obligations in practice when sending personal data by email.


Sending special category data by email

Handling sensitive personal data (special categories of personal data), such as data on health, political opinions or religious affiliation, demands heightened caution and protection. Where such data are communicated, the safeguards must be commensurate with the risk. For example, rather than attaching the data to the email itself, access can be placed behind strong authentication such as BankID or an equivalent login, with the email carrying only a notification and a link.

The UK data protection regulator (the ICO) reviewed a case involving an organisation supporting people living with HIV that sent an email to its members without using the blind carbon copy ("BCC") function. Every recipient could see all other recipients, and several of the addresses identified specific individuals by name. Because the mailing itself concerned HIV support, anyone on the list could infer the health status of the other identifiable recipients, which is special category data. The organisation should have used BCC for that distribution.

While BCC was central to that example, you should assess whether to use BCC whenever you send to multiple recipients. What counts as "many" will vary, but you must consider what information is exposed to the other recipients if BCC is not used: not only the addresses themselves, but what membership of the list implies about each person.


Support with GDPR compliance when sending personal data by email

Morling Consulting are GDPR specialists and provide tailored solutions for organisations that process personal data. Our lawyers support you end-to-end — from advisory through to implementation of safeguards. We assist with:

  • Advice on the GDPR and email communications.
  • Implementation of technical and organisational measures.
  • Review of procedures and policies.
  • Support in managing personal data breaches.
  • Staff training on the GDPR.

Contact us if you have questions about whether your email practices meet GDPR requirements, or any other questions on personal data processing. We work across Europe to help you establish secure, compliant handling of personal data.

Common questions on email and personal data

Can personal data be sent by email at all?

There is no blanket prohibition on emailing personal data, but the GDPR requires that personal data are protected appropriately. Organisations must therefore adopt suitable technical and organisational measures that reduce the risk of unauthorised access and of messages reaching the wrong person. In practice such measures include:

  • Encryption of email content.
  • Two-factor authentication for email accounts.
  • Disabling auto-complete in the recipient field.
  • Use of secure platforms to access sensitive information.
  • Internal training on the GDPR and secure email use.
  • Review procedures (for example, dual control) before sending personal data.
  • Policies for handling email and personal data that are updated regularly.

What happens if personal data are sent to the wrong recipient?

Sending personal data to the wrong recipient (for example because auto-complete selected a similar name) is a personal data breach. The controller must document the incident, assess the risk to the individuals affected and, unless the breach is unlikely to result in a risk to them, notify the competent supervisory authority within 72 hours of becoming aware of it. Where the risk to individuals is high, they must also be informed. Morling Consulting can support you with documenting and, where required, reporting such incidents correctly.

When should BCC be used?

If you email multiple recipients and the address fields could reveal sensitive information (for example, a health condition inferred from membership of a particular group), use BCC so that no recipient can see the others. Pay special attention to this when you:

  • Handle sensitive personal data.
  • Send newsletters or information emails to larger groups.
  • Communicate with individuals in vulnerable situations.
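As an added example (not code from Morling Consulting or from the regulator's case), the following Python shows the failure mode from the HIV support mailing described above beside the corrected distribution pattern, together with a pre-send check of the kind the dual-control step in the measures list calls for. The member addresses, the list mailbox and the threshold of one visible recipient are constructed assumptions; the check refuses to send when more addresses than that would be exposed in the To or Cc headers.

```python
"""Bulk mailing without exposing the recipient list (added example).

Assumed/constructed: addresses under example.org and a threshold of one
visible recipient. Not code from Morling Consulting or the regulator.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample distribution list for a support group. The addresses
# are name-based, so the address alone identifies the person.
MEMBERS = [
    "anna.lindqvist@example.org",
    "j.persson@example.org",
    "karl.eriksson@example.org",
]


def build_naive(sender, recipients, subject, body):
    """The failure mode: every member is placed in the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_distribution(sender, list_address, recipients, subject, body):
    """Corrected pattern: members are envelope (RCPT TO) recipients only.

    The headers carry nothing but the sender and a generic list address.
    No Bcc header is set at all: some mail paths leave a Bcc header on the
    wire, so keeping the addresses out of the message entirely is safer."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_address  # assumed no-reply mailbox for the list
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses every recipient can see in the delivered message."""
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Bcc", []))
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def precheck(msg, max_visible=1):
    """Pre-send control. Returns (ok, visible_addresses); ok is False when
    more than max_visible addresses would be revealed to other recipients."""
    visible = visible_recipients(msg)
    return len(visible) <= max_visible, visible


def send(smtp, msg, envelope_recipients, max_visible=1):
    """Send only if the pre-check passes; smtp is a connected smtplib.SMTP.
    to_addrs overrides the header-derived recipient list, so members are
    delivered to without appearing in the message they receive."""
    ok, visible = precheck(msg, max_visible)
    if not ok:
        raise ValueError(
            f"refusing to send: {len(visible)} addresses exposed in headers")
    return smtp.send_message(msg, to_addrs=envelope_recipients)


if __name__ == "__main__":
    sender = "coordinator@support-group.example.org"
    naive, _ = build_naive(sender, MEMBERS, "Meeting", "See you Thursday.")
    print("naive:", precheck(naive))
    safe, rcpt = build_distribution(
        sender, "members-noreply@support-group.example.org",
        MEMBERS, "Meeting", "See you Thursday.")
    print("distribution:", precheck(safe), "envelope recipients:", len(rcpt))
```

The same check can be run by a second person as part of a dual-control step, or wired into an outbound mail gateway, since it inspects only the message headers and needs no knowledge of the content.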

Must personal data be encrypted when sent by email?

Not necessarily: it depends on the type of personal data and the risk to the individuals. Where sensitive data or large volumes of personal data are processed, however, encryption is an effective way of meeting GDPR requirements. Bear in mind that transport encryption between mail servers (TLS) protects a message only in transit, not in the sender's and recipient's mailboxes, so for sensitive content consider end-to-end encryption or sending a link to a secure platform behind strong authentication rather than the data itself. Morling Consulting can help you perform a risk-based assessment.

What counts as sensitive personal data?

Sensitive personal data (special categories under Article 9 GDPR) include, for example, data on health, political opinions, religious beliefs, trade union membership, sexual orientation or ethnic origin. These data are subject to stronger protections and may only be processed under specific conditions. Extra care is needed in email communications both for sensitive personal data and for other data that are particularly risk-exposed, such as financial details or data on children. Technical controls and internal procedures must be scaled to the sensitivity of the data.

How can Morling Consulting help?

Morling Consulting provides practical support and legal expertise: advice on GDPR-secure email communications, review of existing procedures and policies, design of tailored security solutions, staff training and support with incident management. Typical assistance includes:

  • Review of which personal data are sent by email and the related risks.
  • Support in identifying effective measures such as encryption and complementary solutions.
  • Development of internal guidance for staff handling personal data.
  • Help to establish a process for detecting and reporting personal data breaches.

Contact us

If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85
