Is it possible to send emails with addresses without blind copy?
The AEPD states that email addresses are considered personal data. Therefore, their processing must comply with data protection regulations. Consequently, this data may not be used or disclosed without the consent of the person concerned.
Sending or receiving messages requires an e-mail address. As we know, each e-mail address can only be assigned once worldwide, so it belongs exclusively to one user.
In this respect, the GDPR defines personal data as any information about an identified or identifiable natural person. Like a first and last name, an e-mail address is considered personal data for all intents and purposes.
Legal Report 0437/2010
Regarding the consideration of e-mail as personal data, the AEPD stated:
“The first of the issues to be resolved in this case lies in determining whether the e-mail address is personal data.
The e-mail address is formed by a set of signs or words freely chosen generally by its owner, with the only limitation that this address does not coincide with that corresponding to another person. This combination may have meaning in itself or be meaningless, and may even, in principle, coincide with the name of a person other than the holder.
The first of these refers to those cases in which, voluntarily or involuntarily, the e-mail address contains information about its holder, this information being able to refer both to his name and surname and to the company in which he works or his country of residence (whether or not these appear in the name of the domain used).
In this case, in our opinion, there is no doubt that the e-mail address identifies, even directly, the account owner, so that in any case this address must be considered as personal data.
A second case would be the one where, at first sight, the e-mail address does not seem to show data related to the person who owns the account (because, for example, the e-mail account code refers to an abstract denomination or a simple alphanumeric combination without any meaning). In this case, a first examination of this data could lead us to conclude that we are not dealing with personal data.
However, even in this case, the e-mail address will necessarily be referenced to a specific domain, so that the owner can be identified by consulting the server where this domain is managed, without this being considered to involve a disproportionate effort on the part of the person carrying out the identification”.
For all the above reasons, case law has repeatedly stated that the sending of electronic messages must also comply with the obligations regarding the protection of privacy, guaranteeing the confidentiality of the recipients of the messages.
For this purpose, the use of the “blind copy” field must be guaranteed.
In this way, secrecy and confidentiality are guaranteed among the recipients of the e-mails, because their e-mail addresses are not made visible to one another.
Sanction for non-compliance with regulations
A law firm is sanctioned with €6,000 for sending an e-mail without incorporating the recipients in blind copy.
On April 21, 2020, a complaint was filed with the AEPD against a law firm. The firm had sent an e-mail without activating the blind copy option to eight recipients. In this email, they were informed about the blocking status of their bank accounts.
On the one hand, the Spanish authority considers that Article 32 GDPR was violated. However, it opted not to sanction it, limiting itself to issuing the entity a warning to adopt the necessary measures.
On the other hand, the AEPD considers that the failure to use blind copy also implies a breach of the principle of confidentiality. Article 5.1 f) of the GDPR establishes that personal data “shall be processed in such a way as to ensure appropriate security (…), including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures”.
Because it infringes Article 5, the infringement is classified as “very serious”. In extreme cases the penalty could reach 20 million euros or 4% of annual worldwide turnover.
Sanction to a company for exposing, without consent, a personal email to third parties
On December 10, 2021, a complaint was filed before the AEPD against a real estate company for exposing a personal email to third parties without the necessary consent.
In the absence of a blind copy, the complainant’s e-mail address was visible to third parties, leaving his personal data unprotected.
The AEPD considered that the principles of integrity and confidentiality had been violated, in addition to recognizing that the necessary security measures had not been adopted to guarantee the protection of the personal data of its clients.
In light of these sanctioning resolutions, we at Auratech stress the need to inform and train company personnel about the importance of using “blind copy” when sending e-mails.