29.05.2026 Personal data protection

Electronic Mail Under the GDPR Microscope. The Polish DPA Warns Against Violations


E-mail as One of the Main Sources of GDPR Breaches

For years, electronic mail has been the primary communication tool in organizations, in both the private and the public sector. Its widespread use, however, also makes it an increasingly frequent source of serious personal data protection breaches. 

According to analyses and communications published by the President of the Personal Data Protection Office (PUODO), the Polish data protection authority, a significant proportion of the GDPR breaches reported to it concern data processed via electronic mail. 

PUODO points out that organizations still underestimate the risks associated with e-mails – both at the technical and organizational levels. As a result, even routine correspondence may lead to a breach of the confidentiality, integrity, or availability of personal data. 

Most Common Breaches: Account Hacking and Lack of Message Security

Analyses published by PUODO indicate that the most common GDPR breaches related to electronic mail concern two fundamental problems. The first involves unauthorized access to corporate e-mail accounts, often resulting from successful phishing attacks, the use of weak passwords, or the absence of additional security mechanisms. 

The second category concerns e-mails containing personal data sent without adequate safeguards, particularly in the form of unencrypted attachments. In such cases, a breach may occur not only as a result of an external attack, but also when a message is delivered to the wrong recipient or its content is read by someone not authorized to see it. 


E-mail Inbox as an Archive? PUODO Issues a Warning

Experts in personal data protection have observed a troubling trend of treating e-mail inboxes as the default repository for documents. In practice, this means that contracts, customer data, HR documentation, or financial information are stored in mailboxes for years. 

PUODO clearly emphasizes that electronic mail is not intended for the long-term storage of personal data. Organizations often fail to analyze where their mail servers are physically located, what level of security they provide, or whether they comply with GDPR requirements concerning data processing, including transfers of data outside the EU. 

E-mail Data Retention and Article 5 GDPR

One of the key obligations imposed on data controllers under the GDPR is the implementation and application of a data retention policy. This also applies to information sent and stored via electronic mail.

According to Article 5(1) GDPR, personal data must be:

  • collected only for specified, explicit and legitimate purposes (purpose limitation, Art. 5(1)(b)),  
  • kept no longer than is necessary for those purposes (storage limitation, Art. 5(1)(e)).  

The absence of clearly defined e-mail retention rules, or failure to comply with them, leads to a breach of the storage limitation principle, which may result in administrative liability, including financial penalties.

Two Main Risk Areas According to PUODO

PUODO identifies two principal categories of threats related to e-mails:

1. Unauthorized Access to Mailboxes

Breaches most commonly occur as a result of: 

  • phishing,  
  • the use of simple or repetitive passwords,  
  • the absence of multi-factor authentication (MFA),  
  • insufficient incident response procedures.  

2. Lack of Protection for Transmitted Data

Sending personal data in unencrypted attachments means that – as experts vividly describe it – an e-mail resembles a postcard whose contents may be accessible to third parties at various stages of transmission.

Human Errors Still a Serious Problem

Frequent GDPR breaches also result from user errors such as: 

  • mistakes in e-mail addresses,  
  • uncritical use of auto-complete functions,  
  • sending messages to multiple recipients without using the BCC field,  
  • attaching incorrect files.  

Each of these errors may lead to unauthorized disclosure of personal data. Under Article 33 GDPR such a breach must be notified to PUODO within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned, and under Article 34 GDPR the affected individuals must also be informed where the breach is likely to result in a high risk to their rights and freedoms. 

PUODO Recommendations: How to Reduce the Risk of Breaches 

In response to the growing number of incidents, PUODO recommends implementing a range of technical and organizational measures, including: 

  • encrypting attachments and entire messages,  
  • applying the “two-channel” principle when sharing passwords, i.e. sending the password for an encrypted attachment by a different route (for example by telephone or text message) than the message that carries the attachment,  
  • implementing multi-factor authentication (MFA),  
  • conducting regular GDPR and cybersecurity training for employees,  
  • introducing a so-called “mindfulness ritual,” meaning mandatory verification of the recipient, content, and attachments before sending an e-mail.  
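The recipient, content and attachment verification that PUODO calls a “mindfulness ritual” can be partly automated as a pre-send check that catches the mechanical slips listed under “Human Errors” above: a mistyped or auto-completed address, several unrelated external parties in To/Cc instead of Bcc, a plain spreadsheet attached, and the attachment's password travelling in the same message. The Python example below is added here to illustrate such a check; it is not code from PUODO or from the original article. The sender domain, the list of known correspondent domains, the edit-distance threshold, the file-extension heuristic for “unencrypted” attachments and the two sample messages are assumptions constructed for the example.

```python
"""Pre-send checks for the human-error class of e-mail breaches.

Added example (not PUODO's or the article's code). The domains, thresholds
and sample messages below are assumptions constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses

SENDER_DOMAIN = "example.com"            # assumption: the organization's own domain
KNOWN_DOMAINS = {                         # assumption: domains written to regularly
    "example.com", "gmail.com", "partner-one.example", "partner-two.example",
}
TYPO_DISTANCE = 2                         # assumption: edits that still count as a look-alike
PLAIN_DOC_SUFFIXES = (".xls", ".xlsx", ".doc", ".docx", ".csv", ".txt")  # heuristic only
SECRET_WORDS = re.compile(r"\b(password|passwd|hasło|haslo)\b", re.IGNORECASE)

# Constructed sample that repeats several mistakes from the text: a mistyped
# domain, unrelated external parties in To/Cc, a plain spreadsheet attachment
# and the attachment's password in the same message.
SAMPLE_MESSAGE = """\
From: hr@example.com
To: anna.k@example.com, jan.n@partner-one.example, ewa.m@partner-two.example
Cc: piotr.w@gmial.com
Subject: Payroll list Q1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the payroll list attached. Password: Wiosna2026!
--b1
Content-Type: application/octet-stream; name="payroll_Q1.xls"
Content-Disposition: attachment; filename="payroll_Q1.xls"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed sample that passes every check: one internal recipient, no attachment.
CLEAN_MESSAGE = """\
From: hr@example.com
To: anna.k@example.com
Subject: Meeting tomorrow
Content-Type: text/plain

See you at 10:00.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def precheck(raw: str) -> list[str]:
    """Return a list of 'CODE: explanation' findings; an empty list means no finding."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    domains = [addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers) if "@" in addr]

    # 1. Mistyped or auto-completed addresses: an unknown domain that is a few
    #    edits away from a known one is the classic typo; a completely new
    #    domain is at least worth a conscious confirmation.
    for dom in sorted(set(domains) - KNOWN_DOMAINS):
        near = min(KNOWN_DOMAINS, key=lambda known: levenshtein(dom, known))
        if levenshtein(dom, near) <= TYPO_DISTANCE:
            findings.append(f"TYPO_DOMAIN: {dom} looks like {near}; confirm the recipient")
        else:
            findings.append(f"NEW_DOMAIN: {dom} has not been written to before; confirm the recipient")

    # 2. Several external organizations in To/Cc see each other's addresses.
    external = {d for d in domains if d != SENDER_DOMAIN}
    if len(external) >= 2:
        findings.append(f"USE_BCC: {len(external)} external domains in To/Cc; move them to Bcc")

    # 3. Attachments: flag file types that are normally sent unencrypted.
    #    (Extension-based, so a heuristic: it cannot prove a file is encrypted.)
    attachments = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    for name in attachments:
        if name.lower().endswith(PLAIN_DOC_SUFFIXES):
            findings.append(f"UNENCRYPTED_ATTACHMENT: {name}; encrypt before sending")

    # 4. Two-channel rule: the password must not travel with the data it protects.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if attachments and SECRET_WORDS.search(text):
        findings.append("PASSWORD_IN_BODY: send the password over a separate channel")
    return findings


if __name__ == "__main__":
    for finding in precheck(SAMPLE_MESSAGE):
        print(finding)
```

A check like this belongs in the mail client or the outbound gateway, run just before the message leaves. Findings should be shown to the sender rather than silently blocking delivery: the tool can notice that three external domains share a Cc line or that a spreadsheet is going out unprotected, but only the sender knows whether the recipient and the file are the right ones, which is the part of the ritual that stays with the human.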

Summary

Electronic mail should not be treated as a secure archive for personal data. As PUODO clearly emphasizes, effective data protection in the context of e-mails requires a combination of technology, procedures, and employee awareness. 

The absence of appropriate safeguards, policies, and controls means that even an apparently harmless e-mail may become the source of a serious GDPR violation, exposing an organization to financial penalties and loss of trust. 

Frequently Asked Questions (FAQ)

Does every mistake in an e-mail address constitute a GDPR breach? 

Are private e-mail accounts at work compliant with the GDPR? 

Does the GDPR require encryption of all e-mails?

How long may e-mails containing personal data be retained? 

Must every e-mail-related breach be reported to PUODO?


Violetta Matusiak Data Protection Inspector

A graduate of Law from Kozminski University. Since 2011, she has been specializing in data protection and information security.

She has completed numerous trainings and courses in the areas of data protection, information security, ISO standards, and compliance. She has worked with many companies across various industries, including public sector entities and international capital groups. She is currently a postgraduate student in Artificial Intelligence Law.


TGC Corporate Lawyers

ul. Wronia 10
00-840 Warszawa
Polska

Office reception:  +48 22 295 33 00

contact@tgc.eu

NIP: 525-22-71-480, KRS: 0000167447,
REGON: 01551820200000. Sąd Rejonowy dla
m.st. Warszawy, XII Wydział Gospodarczy
