Dear Jaroslaw,

On 24.07.23 at 19:02, Jaroslaw Rafa via Postfix-users wrote:
On 24.07.2023 at 17:05:40, Paul Menzel via Postfix-users writes:
(Also from the legal perspective,
without being a lawyer, I’d say that actually all German (European)
companies are required to only transmit messages over a verified TLS
connection.)

Never heard of such a requirement in any EU law.

Article 32 of the GDPR [1] says:

Taking into account the state of the art, the costs of implementation
and the nature, scope, context and purposes of processing as well as
the risk of varying likelihood and severity for the rights and
freedoms of natural persons, the controller and the processor shall
implement appropriate technical and organisational measures to ensure
a level of security appropriate to the risk, including inter alia as
appropriate:

a)  the pseudonymisation and encryption of personal data;
b)  the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services;
c)  the ability to restore the availability and access to personal
data in a timely manner in the event of a physical or technical
incident;
d)  a process for regularly testing, assessing and evaluating the
effectiveness of technical and organisational measures for ensuring
the security of the processing.

(The German translation is “Stand der Technik”.)

I claim that using mandatory and verified TLS encryption is state of the art, and has basically no cost of implementation thanks to Let’s Encrypt, so it is required especially for confidentiality.


Kind regards,

Paul


[1]: https://gdpr-info.eu/art-32-gdpr/
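As an added illustration (not part of the original thread) of what "mandatory and verified TLS" means in Postfix terms, here is a main.cf fragment contrasting the opportunistic default with a verified outbound policy. The CA bundle path, the policy-map path, the certificate paths and the destination domains are placeholders to adjust for your own system.

```ini
# --- Outbound (Postfix acting as SMTP client) ---

# Default in most distributions: opportunistic TLS. Encrypts when the peer
# offers STARTTLS, otherwise falls back to plaintext, and never checks the
# certificate. Protects against passive eavesdropping only.
# smtp_tls_security_level = may

# Opportunistic DANE: where the destination publishes DNSSEC-signed TLSA
# records, TLS becomes mandatory and the certificate is verified against
# them; destinations without TLSA records are handled as with "may".
# Needs a local validating resolver (e.g. unbound on 127.0.0.1).
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Per-destination override for domains known to present a valid certificate.
# Setting "verify" or "secure" globally instead would bounce mail to every
# destination with a self-signed or mismatched certificate.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#
# Example contents of /etc/postfix/tls_policy (placeholder domains; run
# "postmap /etc/postfix/tls_policy" after editing):
#   example.net   secure match=.example.net:example.net
#   example.com   verify
#   legacy.test   encrypt

# CA bundle used by "verify"/"secure" (Debian/Ubuntu location; adjust per OS).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Log the protocol/cipher and the verification result of each connection.
smtp_tls_loglevel = 1

# --- Inbound (Postfix acting as SMTP server on the public MX) ---

# Must stay opportunistic: RFC 3207 forbids a publicly referenced MX from
# requiring STARTTLS. "encrypt" belongs only on the submission port or a
# private relay where every client is known to support TLS.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.org/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.org/privkey.pem
```

The practical consequence for the legal argument above is that a sender can only enforce verification for destinations that publish TLSA records or are listed in the policy map; inbound, a public MX cannot refuse plaintext without violating the SMTP standard.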
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org