Dear Data Protection Inspectorate,
I am contacting you to request your authoritative guidance regarding the use of email as a transmission channel for personal data, including special category data, in the context of document printing and scanning services offered by public institutions, specifically public libraries.
Context:
In many EU Member States, public libraries provide services that allow patrons to print or scan personal documents using solutions provided by third-party service providers. These third-party solutions commonly operate in the following ways:
a) Printing: Users submit documents to be printed by emailing them to a designated email address. This inbox is managed by the third party and processed by their server, which extracts the attachments (and sometimes the email body) and routes the content to the print queue at the library.
b) Scanning: Users scan a document at the library scanner, and the system sends the digital version (typically a PDF) to the user’s email.
In both scenarios, personal data, including potentially special category data under Article 9 of the GDPR, is transmitted via standard email protocols, without additional client-side encryption or secure portal mechanisms.
Given the sensitivity and structure of this processing operation, I would greatly appreciate your guidance on the following specific legal and technical questions:
1) Legality of Email as a Transmission Channel:
In your view, is the use of standard (unencrypted) email by or on behalf of public institutions a legally appropriate and GDPR-compliant method for transmitting personal data, including special category data, under Article 5(1)(f), Article 9, and Article 32 GDPR?
2) Minimum Safeguards:
2.1) What technical and organisational measures (TOMs) would you consider minimally necessary in this context to meet the standard of "appropriate security" under Article 32 GDPR? Specifically:
2.2) Is encryption (at rest and/or in transit) mandatory or strongly recommended?
2.3) Would the use of TLS-based email transmission be considered sufficient?
2.4) Does your authority view the absence of end-to-end encryption as a risk that must be mitigated?
3) Legal Basis and Special Category Conditions:
Assuming special category data is involved (e.g. health, financial, or legal documents):
3.1) What lawful basis under Article 6 and special condition under Article 9 would be appropriate for this type of public service provision?
3.2) Must explicit consent be obtained, or could another ground under Article 9(2) be applicable?
4) Role Distribution and Responsibilities:
4.1) How should the roles and responsibilities under GDPR be assigned in this setup?
4.2) Is the library the controller and the third-party provider the processor, even if the email address to provide the service belongs to the third party?
4.3) During the transmission phase—specifically from the moment the end-user sends the document until it is received by the provider’s server—who holds primary responsibility for ensuring compliance with data protection obligations and safeguarding the data?
4.4) Are there specific contractual clauses or controller–processor agreements you would expect to be in place under Article 28 GDPR?
5) DPIA Requirements:
5.1) Would this type of data flow (involving potentially sensitive documents, use of third parties, and transmission via email) trigger a legal obligation to carry out a Data Protection Impact Assessment under Article 35 GDPR?
5.2) If so, what specific risks should such a DPIA assess and mitigate?
Your expert view will be instrumental in ensuring alignment with national interpretations and enforcement expectations. I would be very grateful for your response and for any existing guidance your authority has published on this matter.
Best regards,
Camilo Botero
Legal Counsel
Princh A/S
m: +45 89 88 67 66
a: Bjørnholms Allé 22, 8260 Viby J, Denmark
w: princh.com
