I suspect in practice they are going to DTRT and only enforce against
violations of the spirit.
On 05/25/2018 10:14, Rolf E. Sonneveld wrote:
Hi, Paul,
On 25-05-18 11:46, Paul Smith wrote:
I've been going through some GDPR stuff. Amongst other things, we
provide SMTP relay services to some customers, so are a 'Data
Processor' under GDPR. In itself, that's OK as our own operations are
GDPR compliant.
But, how it interacts with email, it all seems to get very horrible.
I suspect the *intention* is OK, but I'm struggling with the actual
regulations.
If someone sends a message from the UK to someone in the USA, by
definition, we must send that email outside of the EU. When we send
the email, we are sending personal data (eg usually the name/email
address of the sender never mind the content which could be anything
(outside our control)). That causes issues for GDPR.
When we send the outgoing message to another mail server, that other
server's operator is also a Data Processor. According to Article 28
of GDPR, we have to get prior approval of the Data Controller before
using them, and a responsibility to check that they are GDPR
compliant. Obviously that isn't going to happen in any feasible way...
Then there's the question about whether Internet connectivity/Wifi
hotspot providers are also Data Processors as they potentially have
access to the message data (including personal data) and could be
classed as 'processing' it.
Also, if a user is on holiday in the USA and downloads email to their
phone or in an Internet cafe, we are 'sending it outside the EU', so
again, GDPR has issues.
I thought it was all OK, but one of our customers asked us to sign a
contract for GDPR which prevents us from sending data outside of the
UK and from sending it to any other companies without prior written
permission. I've pointed out the problems to them, but wondered if
anyone else had come across this.
Yes, dealing with exactly the same kind of problem(s). One of my
customers asks me to sign for the fact that mail is encrypted when
handling it. However, using standard MTA software, messages that are
in the queue waiting to get delivered, are unencrypted. Am I forced to
use disk encryption?
/rolf
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop