Ignorance and fear are bad advisors. They usually cloud the view of what's essential. In recent weeks, the GDPR (the new General Data Protection Regulation of the European Union, which came into effect on May 25, 2018) has stirred up a lot of dust.

Certainly, the GDPR will change a lot in data protection law. Unfortunately, there is also a lot of confusion about what the GDPR actually means for email archiving. And unfortunately, market participants (as they did at the end of 2016 with the introduction of the GoBD) exploit the ignorance of many to market products and services with half-truths.

Gunpowder and smoke bombs

Whenever the GDPR or even "GDPR-compliant" products are mentioned, email archiving solutions such as Benno MailArchiv increasingly come into focus as well. If you believe the statements that are appearing everywhere, it should be possible to delete emails from the mail archive as of May 25, 2018. After all, the GDPR defines the so-called "right to be forgotten", so it is supposedly essential that emails can be deleted, since this is now provided for by law.

In fact, Article 17 of the GDPR defines the "right to erasure", also known as the "right to be forgotten". It states:

“The person concerned has the right to demand that the responsible person immediately deletes the personal data concerning them, and the person responsible is obliged to immediately delete personal data if one of the following reasons applies: […]”

There are several reasons why deletion is necessary under certain circumstances.

That seems clear enough! The GDPR defines the right to be forgotten. And with that, data (in the case of email archiving, the emails of those affected) must be deleted. Period.

That's certainly how most contemporaries see it. But is it really that simple?

Clarity instead of nebulous information

We continue to receive inquiries from concerned customers and interested parties as to whether Benno MailArchiv is GDPR-compliant, how to delete emails in Benno MailArchiv, and so on.

The entire situation has a considerable impact. To get real clarity here, we have examined the topic together with the data protection experts and TÜV-tested data protection officers of DSO Datenschutz Osnabrück GmbH. Interesting findings have emerged:

GDPR vs. GoBD

If emails were deleted from the email archive, this could be correct and necessary in relation to the GDPR. However, this would then inevitably be a violation of the GoBD. The archive would be damaged in its overall consistency by the deletion.

Email archiving according to the old data protection law (BDSG, valid until 24.05.2018)

In the case of deletion requests, it is sufficient under the old (and currently still valid) data protection law to set a filter in Benno MailArchiv that excludes emails with the affected content from the search. Such a filter applies throughout the system, and no user can find the emails it blocks. Access is permanently blocked, although the affected emails continue to be archived. The overall consistency of the archive remains unaffected.

Email archiving according to the new data protection law (GDPR, valid from 25.05.2018)

Whether the aforementioned possibility of blocking emails will be sufficient in the future (i.e. after GDPR) is currently unclear. For example, the experts from DSO Datenschutz Osnabrück GmbH told us that even the German state data protection authorities are currently unable to provide any binding information on this matter due to the unclear situation. All statements that can be obtained from these bodies are still private opinions of the employees of the authorities, but not official statements.

To that extent, it is currently at least conceivable that a deletion function in Benno MailArchiv could become necessary. However, the requirement is still unclear.

It could also be that X-ing (i.e. replacing relevant data with XXX or ***) is sufficient to meet the requirements of the GDPR. However, it could also be that only actual deletion is sufficient. The state data protection authorities themselves apparently do not yet know the exact details and therefore have not yet provided any binding information on this matter.

Effects of the GoBD on email archiving

If you delete or otherwise manipulate data in the email archive (as described above), this could be required under the GDPR. However, the financial administration could in turn see a GoBD violation in it. From the point of view of the GoBD, the email archive would then be compromised.

Whether and how the GDPR and the GoBD are to be reconciled here, or what the relevant legal situation looks like, is obviously unclear as of today. According to our current knowledge, no binding information is available.

Delete or not delete? That is the question here.

If you are affected by the question of a specific mail deletion, you decide for yourself how you want to proceed in this matter. LWsystems as the manufacturer of Benno MailArchiv expressly gives no recommendation on this matter for the time being.

In relation to Benno MailArchiv, this means that we will of course offer a GDPR-compliant deletion function, should the GDPR actually enforce the deletion of emails and this be compatible with the GoBD. Regardless of this, the possibility of blocking certain emails through blacklisting will of course remain, just like previous deletion options that can be used in special individual cases.

The problem of conflicting or irreconcilable legal bases is not, in our estimation, limited to the GDPR. As far as the GDPR and its possible consequences are concerned, once again a "current" issue is being hyped, stirring up a lot of dust, while the practical implementation has not yet been sufficiently clarified.

[Update 11/22/2018]

The question of how the GoBD and the GDPR, or the topics of 'retention obligation' (GoBD) and 'deletion of emails' (GDPR), can be brought into line leads to repeated discussions with customers and interested parties.

Even the data protection officers of large companies and corporations sometimes hold different positions on this, as we have found in discussions with customers and interested parties: while some hold the view that the permanent archiving (or 'non-deletion') of emails with personal content is covered by the GoBD or that the GoBD takes precedence over the GDPR, others assume that there is no legal basis for the permanent archiving of emails with personal content, and therefore deletion must be possible and carried out.

However, according to the information available to us, it has apparently not yet been legally clarified whether the GoBD can or must be interpreted in the sense of a "legitimate interest in retention", so that emails are not deleted, or whether the opposite is the case and emails with personal content may or must be deleted.

We will continue to follow this topic and keep you informed. Of course, we will adapt Benno MailArchiv to the legal framework as necessary. At present, it seems that the question of deleting emails has not yet been conclusively clarified.

Effects of the GDPR on Benno MailArchiv

If the legal situation requires changes or innovations in Benno MailArchiv to continue to ensure conformity with the GoBD and/or the GDPR, we will of course implement these adjustments in an appropriate manner. Customers with a valid software maintenance subscription are on the safe side because they can update their installation to the latest Benno MailArchiv version at any time. Thus, all possible adjustments and extensions will be available to them immediately.

None of the statements made here constitute legal advice, as we are neither authorized nor professionally qualified to provide legal advice under professional law.