Guidance regarding e-mail and the GDPR

21 February 2019

It is common in today´s society that your work e-mail contains a lot of personal data and different types of processing. We receive many questions about how to use your e-mail in accordance with the GDPR. In this blog we therefor describe how you can handle your e-mail in a GDPR-smart way!

Processing of personal data

Most e-mails contain personal data, often both in the shape of the e-mail addresses from the sender and the receiver as well as thecontent of the e-mail. When the personal data is stored in, send from or incoming to the mailbox, the personal data regarding the e-mail is being processed. Since e-mailing almost always means that personal data is being processed, your e-mail should be documented in your record of processing activities. Your use of your e-mail has to comply with the other provisions in the GDPR as well.

One of these provisions, an important one, is that all processing of personal data has to be based on a legal basis. You can read more about the legal bases here. Depending on the content of the e-mail and why you are processing the personal data in the e-mail, the legal basis may differ. Here are some examples:

  • You are e-mailing with a customer, with whom you are about to enter into a contract with. In this case, the processing of personal data can be attributed to the contract and the processing can be based on the legal ground contract.
  • You are advertising through e-mail and the e-mails are being sent to your previous customers. Your previous customers might be interested in buying another service or product from you. If you have a valid legitimate interest assessment for the processing, that resulted in your interest weighing heavier than the data subjects’ interest, the legal basis legitimate interest can be used. Read more about legitimate interest here.

The dark side of the e-mail

What makes the e-mail uncertain is that you have no control over the content of incoming e-mails. However, it is often necessary to process personal data in incoming e-mails for your organization to work. For this processing, it is possible to use the legal basis legitimate interest for the private sector. For the public sector, the personal data in incoming e-mails can be processed based on public interest.

These legal bases will probably be useful for the initial processing, when the e-mail is received in the inbox. When you have read the e-mail, you have to decide if the content can be saved and, if it can be saved, what legal basis you will use to keep the content. In addition to this, you have to decide how long the content in the e-mail can and should be saved. If it is possible, you should transfer the information from the e-mail to another system, where it is easier to ensure that you comply with the GDPR.

Information to the data subject

You have a responsibility to inform the data subject when you process their personal data. This include processing in e-mail. If you receive an e-mail, you should inform the sender how you process their personal data. One way to fulfil your obligation is to have a Privacy Policy on your website and a link to this policy in your e-mail signature.

In e-mails, it is common to mention people who are not included in the e-mail conversation. To fulfil your information obligation, it might be required of you to send information to people who are mentioned in the conversation. To determine if you have to send information to everyone, weigh the following: your workload to contact the person and the importance for the data subject to receive the information. Remember that the principle of proportionality (what is reasonable?) is a part of your GDPR-work.

Salary statements in e-mail

Salary statements essentially always contain personal data and is often send through e-mail to employees. In some cases, information about sick leave is in the salary statement. Information about sick leave is a special category of personal data. Special categories of personal data are considered extra sensitive and deserve extra protection according to the GDPR. You can read more about sensitive personal data in Swedish here. If a salary statement contains information about e.g. health, it should be handled with care.

There is no explicit demand in GDPR that forbids e-mails containing salary statements, but to fulfil the safety demands within the regulation it can be a good idea to not choose e-mail as the means of communication for salary statements. The assessment has to be made by the data controller in regard to what level of safety is necessary, based on what personal data that is concerned within respective processing.

In regard to termination of employment

One question that can be of concern is what happens to the e-mails of an employee when that person stops working for the company. To continue processing the personal data within that person’s inbox and sent folder you can base the processing on the legal ground legitimate interest, if your interest of processing the personal data outweigh the person’s interest of not having his or her data processed. This concerns personal data from the former employee and the people he or she had contact with. Here too, it is necessary that you fulfill your information obligation and it is important that you have routines for the handling of former employees’ e-mail.

Multiple processing’s

Bear in mind that it is usually multiple kinds of processing’s within your e-mail. You probably send e-mails to colleagues, customers, members, suppliers and so on. It is therefore not possible to decide only one legal ground for all the processing within your e-mail. We would like to inform you what this means for your organization!

Do you want to know more?

Please contact us via email;, or phone; 046 – 273 17 17. We would love to help you with the handling of personal data!


Josefin Karlström


The content presented in this blog contains general information and is not to be considered as legal advice.
The content presented in this blog contains general information and is not to be considered as legal advice. Please reach out to us if you have any questions.

Related articles

Data processing agreements

Data processing agreements

Data processing agreements (DPA) are an essential part for organisations which transfers or collects personal data...