  • What is the General Data Protection Regulation (GDPR)?
    In 2016, the European Commission adopted the new General Data Protection Regulation (GDPR). GDPR strengthens and unifies data protection for all individuals within the European Union (EU) and gives EU citizens and residents back control over their personal data. The GDPR is regarded as the toughest privacy and security law in the world. Although it is a European law, it imposes obligations on organizations anywhere in the world, as long as they target or collect data related to people in the European Union.
  • What does GDPR mean for emails?
    GDPR applies whenever you collect, store, or use the data of people in the European Union. A mailbox contains a great deal of personal data, from names and email addresses to attachments and conversations about people. All of this is covered by GDPR.
  • Key articles for a GDPR email provider
    There are two key articles (in the 261-page GDPR document of 99 Articles) for a GDPR email provider:

    Article 5

    Personal data shall be processed lawfully, fairly and transparently in relation to the data subject.
    The controller shall be responsible for, and be able to demonstrate, GDPR compliance.

    Article 24

    The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
  • What is a GDPR-compliant email service?
    Email addresses, email content and attachments are considered personal data. Hence, a service that stores email addresses, sends emails, receives emails, or manages email accounts on behalf of EU citizens or residents must take steps to process this data lawfully and transparently. Such an email service must also secure the personal data against theft or loss with reasonable and appropriate technical and organizational measures.
  • What technical and organizational measures did Mailfence implement?
    Below is an overview of the technical and organizational measures Mailfence implements in order to provide a GDPR-compliant email service.
    • Technical measures for GDPR compliance
      Technical measures are the controls applied to systems and to every technological aspect of an organization, such as devices, networks and hardware. Protecting these is crucial for the security of personal data and is the best line of defence against a data breach. Here are some technical measures that Mailfence implements:
      • Cybersecurity
        Firewalls, malware scans, antivirus protection, anti-spam, anti-abuse, IP reputation, rate limiters, anti-DDoS, continuous patching and updating of the software in use, and many other technical security measures protect the personal data processed by Mailfence against cyberattacks. More information on how we secure the data can be found here: Secure email.
      • Encryption
        • Emails are sent with SSL/TLS encryption. SSL/TLS is a cryptographic protocol designed to secure data while it is being transmitted.
        • Users can encrypt their emails end-to-end with OpenPGP, the most widely used email encryption standard, which is also used by several other encrypted email providers.
      • Physical security
        Mailfence implements very robust measures and protocols to secure access to the data centre and ensures that all employees are aware of these controls: access badges, security systems and alarms. Visitors must check in at a counter according to a pre-established procedure and are never left unattended.
      • Appropriate disposal
        Paperwork and devices containing personal data are disposed of in such a way that the personal data cannot be retrieved by an unauthorized person, intentionally or unintentionally. Mailfence destroys documents it no longer needs and ensures that digital databases and hardware devices are securely erased and destroyed.
      • Passwords
        Mailfence has a policy of setting very strong passwords and ensures that documents containing sensitive data are password-protected. Mailfence employees use two-factor authentication (2FA) as an additional layer of security, and Mailfence users are given the option to activate 2FA.
      • Access rights
        Mailfence ensures that access to databases containing personal data is granted on a need-to-know basis and that there is no general access for all employees. The same principle applies to all procedures and technical information that may have an impact on the confidentiality and security of data.
    • Organizational measures for GDPR email compliance
      Organizational measures are the internal policies, organizational methods or standards, and controls which Mailfence applies to ensure the security of personal data. They contribute to the protection of personal data throughout the entire processing cycle and ensure we can offer a GDPR-compliant email service. They include:
      • Information Security Policy
        Mailfence’s Information Security Policy includes authority and access control policies, data classification, policies regarding the treatment of our data and operations, security awareness and behaviour training, encryption policies, data backup policies, clear definitions of the responsibilities, rights and duties of personnel, and continuous hardening of our systems against security benchmarks.
      • Business continuity plan
        Mailfence has policies and measures in place to back up corporate data (including personal data) and to ensure that it can be recovered and maintained in the event of an incident. These measures include continuous backup of data, storage in locations separate from our offices and our main data centre, and a Disaster Recovery Plan that is currently being set up.
      • Risk assessments
        Mailfence performs regular risk assessments to identify and treat information security risks within Mailfence and to define the acceptable level of risk as set by Mailfence leadership.
      • Other policies and procedures
        Mailfence has policies and procedures that tell our organization and employees what to do when certain situations arise. These include a clean desk policy, a bring-your-own-device policy, a remote working policy, data breach procedures and Data Subject Rights (DSR) procedures, among others.
      • Awareness and training
        Developing a culture of security and data protection awareness ensures that employees know the legal requirements and what is expected of them. Security and data protection are not achieved by implementing technical solutions alone; the human factor is extremely important. Regular and ongoing training and awareness-raising activities take place at Mailfence. In order to give back, we share some of our expertise in this domain with our users and the outside world by publishing our Email Privacy and Security course.
      • Reviews & audits
        Having policies and procedures is not enough for GDPR email compliance; you have to make sure they are effective. That is why Mailfence works together with security specialists and bug bounty hunters who continuously test and scan our application. This helps us evaluate the effectiveness of our work and correct what is not working.
      • Third parties
        Mailfence has a strong policy of keeping user data in-house. We do not disclose any information to outside parties and do not use Google Analytics trackers. We do not sell, trade or otherwise transfer any personally identifiable information to outside parties except when required by Belgian law (see the paragraph on Surveillance and law enforcement in our Privacy Policy).
      • Mailfence Data Processing Agreement
        To help your organization comply with GDPR, we provide a Data Processing Agreement. You need to ensure that any third parties that handle your customers' data, such as your email provider, subcontractors and cloud services, are compliant. To satisfy this obligation, you need a Data Processing Agreement with every service that processes data, establishing the rights and obligations of each party under the GDPR.
  • Mailfence and GDPR email compliance
    Mailfence is a European secure email service that is fully GDPR-compliant. You can use Mailfence to comply with GDPR email regulations and requirements. If you have any questions or concerns regarding GDPR email compliance, please contact our support.