Ignorance and fear are poor advisors. Most of the time they obscure what is essential. In recent weeks the GDPR (the new General Data Protection Regulation of the European Union, which comes into force on May 25, 2018) has stirred up a whole lot of dust.

Certainly, the GDPR will change a lot in data protection law. Unfortunately, there is also a lot of confusion about what the GDPR actually means for email archiving. And unfortunately, market participants (as they did at the end of 2016 with the introduction of the GoBD) are exploiting the ignorance of many to market products and services with half-truths.

Gunpowder and smoke bombs

When the GDPR or even GDPR-compliant products are discussed, attention increasingly turns to e‑mail archiving solutions such as Benno MailArchiv. If one believes the ubiquitous statements, it must be possible from 25 May 2018 to delete e‑mails from the mail archive. After all, the GDPR defines the so‑called “right to be forgotten”. And according to it, it is indeed absolutely necessary that mails can be deleted. After all, that is what the law intends.

In fact, Article 17 of the GDPR defines the “right to erasure”, colloquially also called the “right to be forgotten”. It states there:

“The data subject has the right to request the controller to have the personal data concerned deleted without delay, and the controller is obliged to delete personal data without delay, provided one of the following reasons applies: […]”

There are several reasons why deletion is necessary under certain circumstances.

That seems clear enough! The GDPR defines the right to be forgotten. And with that, data (in the case of email archiving, the emails of those affected) must be deleted. Period.

That's certainly how most contemporaries see it. But is it really that simple?

Clarity instead of nebulous information

We repeatedly receive inquiries from concerned customers and prospects asking whether Benno MailArchiv is GDPR-compliant, how emails can be deleted in Benno MailArchiv, and so on.

The whole situation has considerable implications. To get real clarity here, we took up the topic together with the data protection experts and TÜV-certified data protection officers of DSO Datenschutz Osnabrück GmbH. Some interesting things came out of it:

GDPR vs. GoBD

If one were to delete e‑mails from the mail archive, that could be correct and necessary with regard to the GDPR. However, this would then inevitably constitute a violation of the GoBD. The archive would be damaged in its overall consistency by the deletion.

Email archiving according to the old data protection law (BDSG, valid until 24.05.2018)

In the case of deletion requests, it is sufficient under the old (and currently still valid) data protection law to set a filter in Benno MailArchiv that excludes emails with affected content from the search. No user can find emails that have been blocked in this way by a filter that is set up in Benno MailArchiv and applies system-wide. Access is permanently blocked, although the affected emails continue to be archived. The overall consistency of the archive remains unaffected.

Email archiving according to the new data protection law (GDPR, valid from 25.05.2018)

Whether the aforementioned possibility of blocking emails will be sufficient in the future (i.e. after GDPR) is currently unclear. For example, the experts from DSO Datenschutz Osnabrück GmbH told us that even the German state data protection authorities are currently unable to provide any binding information on this matter due to the unclear situation. All statements that can be obtained from these bodies are still private opinions of the employees of the authorities, but not official statements.

To that extent, it is currently at least conceivable that a deletion function in Benno MailArchiv could become necessary. However, the requirement is still unclear.

It could also be that X-ing (i.e. replacing relevant data with XXX or ***) is sufficient to meet the requirements of the GDPR. However, it could also be that only actual deletion is sufficient. The state data protection authorities themselves apparently do not yet know the exact details and therefore have not yet provided any binding information on this matter.

Effects of the GoBD on email archiving

Intervening in the email archive by deleting or altering data (as described above) could be required under the GDPR. However, the tax authorities could in turn regard this as a GoBD violation. From the point of view of the GoBD, the email archive would then be compromised.

Whether and how the GDPR and the GoBD are to be reconciled here, or what the relevant legal situation looks like, is obviously unclear as of today. According to our current knowledge, no binding information is available.

Delete or not delete? That is the question here.

If you are faced with the question of deleting a specific email, decide for yourself how you want to proceed in this matter. LWsystems, as the manufacturer of Benno MailArchiv, explicitly makes no recommendation at this time.

In relation to Benno MailArchiv, this means that we will of course offer a GDPR-compliant deletion function, should the GDPR actually enforce the deletion of emails and this be compatible with the GoBD. Regardless of this, the possibility of blocking certain emails through blacklisting will of course remain, just like previous deletion options that can be used in special individual cases.

The problem of contradictory or non‑harmonised legal bases does not, in our assessment, arise only with the GDPR. With the GDPR and its possible consequences, yet another “latest” pig is being driven through the village (as the German saying goes), stirring up an indescribable amount of dust, while the practical implementation has not yet been sufficiently clarified.

[Update 11/22/2018]

The question of how the GoBD and the GDPR, i.e. the topics of “record retention obligation” (GoBD) and “deleting emails” (GDPR), can be reconciled repeatedly leads to discussions with customers and prospects.

Even the data protection officers of large companies and corporations hold differing views on this in part, as we have found in conversations with customers and prospects: while some hold the view that the permanent archiving (or “non-deletion”) of e‑mails with personal data is covered by the GoBD and that the GoBD takes precedence over the GDPR, others take the position that there is no legal basis for the permanent archiving of e‑mails with personal data, and that deletion is therefore possible and must be carried out.

According to the information available to us, however, it is apparently still not legally clarified whether the GoBD can or must be interpreted in the sense of a “legitimate interest in retention” such that nothing is deleted or whether the opposite is the case, and whether emails containing personal data may or must be deleted.

We will continue to follow this topic and keep you informed about it. Of course, we will adapt Benno MailArchiv to the legal framework as necessary. At present, it seems that the question of deleting emails has not yet been conclusively clarified.

Effects of the GDPR on Benno MailArchiv

If the legal situation requires changes or new features in Benno MailArchiv to continue to ensure conformity with the GoBD and/or the GDPR, we will of course implement these adjustments in an appropriate manner. Customers with a valid software maintenance subscription are on the safe side because they can update their installation to the latest Benno MailArchiv version at any time. Thus, all possible adjustments and extensions will be available to them immediately.

None of the statements made here constitute legal advice, as we are neither authorized nor professionally qualified to provide legal advice under professional law.