GDPR and our Email Services

GDPR (or General Data Protection Regulation) clearly identifies your email address as Personally Identifiable Information. When operating an email service we do of course have to store your email address in both our clients' sent items and our clients' inboxes. How exactly GDPR is to be applied to this function is not clear, but we should make a concerted effort here to provide some clarification on our position.

What Information we Store

When you send an email to one of our clients, we store your email address, your name (if supplied in the body), the subject of the email, your email body and a range of diagnostic headers that identify the path the email took and the processing along the way. Most of this information is stored at rest in an encrypted state, but during receipt, logfiles will contain your email address and email subject, along with your sending server's IP address, SPF and DKIM data and various technical data regarding the receipt and processing of the message. These logfiles are temporary and exist for 72 hours before being purged.

When our client sends an email, we store the recipient's email address, their name (if supplied), the subject of the email and the email body, along with a range of diagnostic information regarding the delivery. Most of this information is stored at rest in an encrypted state, but during transmission, logfiles will contain your email address and email subject, along with the receiving server's IP address, SPF and DKIM records and various technical data regarding the transmission and ultimate acceptance (or not) of the message. These logfiles are temporary and exist for 72 hours before being purged.

Our Antivirus and Antispam gateways

ANY email passed through these gateways is decoded and stored on disk for a short period whilst it is scanned for content and its attachments are scanned for viruses. ONLY in the case where spam is detected and results in DISCARD, or a virus is detected, will this temporary storage become longer-lived, to allow technicians to inspect the contents if queried. These longer-lived traces are purged automatically after 7 days. Logfiles will store your email address, name (if given), subject and technical data relating to its processing for a period of 30 days before being purged automatically.

Clarification

It should be made clear that we are a data processor for this information in regard to the sending and receiving of emails. Our client is the data manager for the management of the emails stored in their account, and they are responsible for handling data access requests, not only because they have control over this but because without their password we are unable to decrypt the information in order to fulfil this role. That is, from a legal standpoint, if you send an email to our client then you transfer ownership of that email by doing so. Likewise, where our client sends you an email, transfer of ownership occurs upon receipt. Only with such binary clarification can we operate a sensible policy around email transmission and storage.

In Error, Subject Access Requests, and Enquiries

We cannot, and would not, interfere with a client's mailbox without their consent. We worked very hard to ensure our system's encryption is robust in this matter and, as above, all requests regarding email stored in a mailbox MUST be made to the operator of that mailbox. If you have sent something in error and wish to have it removed or deleted, then contact the recipient. If your request is urgent and you are unable to contact the recipient, then raise a ticket at our HelpDesk and we will make a best effort to contact them on your behalf.

The Future

We have no doubt that at some point in the future there will be legal precedent on the legality and compliance of email transmission and storage, but until that date we'll be monitoring the situation and making periodic changes to this policy in line with case law.