What Does the GDPR Actually Require for Emails?
TL;DR: Art. 32 GDPR requires protective measures for personal data that correspond to the "state of the art" -- this includes email encryption. While transport encryption (TLS) is now considered the minimum standard, the German Data Protection Conference (DSK) recommends end-to-end encryption for sensitive data. Companies that fail to document a risk assessment face fines of up to 10 million euros. With an automated gateway like Conbool SecureMail, GDPR-compliant encryption can be implemented without manual effort.
Email remains the primary means of communication in business. According to Bitkom, German companies send over 300 billion emails daily -- a significant portion of which contains personal data: job applications, customer data, contract information, health data, or financial information. The General Data Protection Regulation (GDPR) sets clear requirements for the protection of this data, yet in practice, many companies face uncertainty: Is email encryption mandatory or merely a recommendation?
The answer lies in the interplay of Art. 32 GDPR, the recommendations of the German Data Protection Conference (DSK), and BSI baseline protection. This article shows you what is legally required, when each encryption level becomes necessary, and how to implement the requirements efficiently in practice.
What Exactly Does Art. 32 GDPR Say About Encryption?
Art. 32 GDPR is the central provision when it comes to technical protective measures. The article requires that controllers and processors, "taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures."
In Art. 32(1)(a), encryption is explicitly named as an appropriate measure. This means: The legislator has deliberately identified encryption as one of the core measures. While it is not unconditionally mandatory in every situation, it is the standard measure expected by the legislator when personal data is transmitted electronically.
The decisive point is the term "state of the art." This dynamic reference means that requirements evolve with technological progress. What was considered sufficient five years ago may be inadequate today. The Federal Office for Information Security (BSI) specifies this term in its baseline protection modules, particularly in module APP.5.3 (General Email Client and Server).
How Does the German Data Protection Conference Position Itself on Email Encryption?
The German Data Protection Conference (DSK) -- the body of independent German data protection supervisory authorities of the federal and state governments -- has commented on email encryption multiple times, drawing a clear line.
Transport Encryption as the Minimum Standard
The DSK states in its guidance document that transport encryption (TLS) represents the minimum requirement for sending emails containing personal data. Specifically, TLS 1.2 or higher is required, and the authorities also recommend proper certificate validation and the use of DANE or MTA-STS.
End-to-End Encryption for High Risk
For emails containing special categories of personal data under Art. 9 GDPR -- such as health data, data on political opinions, religious beliefs, or sexual orientation -- as well as data with high protection requirements, the DSK classifies end-to-end encryption as the state of the art. In these cases, TLS alone is not sufficient.
This position has been reinforced through several DSK resolutions and individual state commissioners. The Hamburg Commissioner for Data Protection, for example, has clarified that professional secrecy holders such as doctors, lawyers, and tax advisors should generally encrypt emails containing client or patient data end-to-end.
When Is Email Encryption Mandatory and When Is It a Recommendation?
The question of obligation versus recommendation cannot be answered universally -- it depends on a risk-based assessment that each company must conduct individually. Art. 32 GDPR requires a weighing of the following factors:
- Type of Data: Are these simple contact details or particularly sensitive categories under Art. 9 GDPR?
- Scope of Processing: Are individual records or bulk data being sent by email?
- Risk to Data Subjects: What consequences would unauthorized access to the data have for the affected individuals?
- Implementation Costs: Are the costs of encryption proportionate to the protection requirements?
In practice, this results in the following orientation:
| Scenario | Encryption Requirement | Rationale |
|---|
| General business communication without personal data | Recommended (TLS) | Good practice, but not required by data protection law |
| Emails with simple personal data (name, address) | TLS mandatory | DSK minimum standard |
| Emails with sensitive business and personnel data | TLS mandatory, E2E recommended | Elevated protection requirements |
| Health data, financial data, data under Art. 9 GDPR | TLS + end-to-end mandatory | DSK position, state of the art |
| Professional secrecy holders (lawyers, doctors, tax advisors) | End-to-end mandatory | Additional professional law requirements |
Important: This risk assessment must be documented. Supervisory authorities expect companies to demonstrate why they chose a particular encryption level. If this documentation is missing, decisions in fine proceedings will be made to the detriment of the company.
TLS vs. S/MIME vs. PGP: What Counts as Sufficient?
Not all encryption is equal. There are fundamental differences between transport encryption and content encryption that are decisive for the GDPR assessment.
Transport Encryption (TLS)
TLS (Transport Layer Security) encrypts the connection between two mail servers. The email itself, however, is stored in plain text on the participating servers. TLS therefore protects against eavesdropping during transport, but not against unauthorized access on the servers themselves.
- Advantages: Easy to implement, no end-user interaction required, high compatibility
- Disadvantages: No protection on the server, no guarantee that the recipient server supports TLS (without DANE/MTA-STS)
- GDPR Assessment: Minimum standard according to DSK
S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME provides true end-to-end encryption. The email is encrypted at the sender's end and can only be decrypted by the intended recipient. S/MIME is based on X.509 certificates issued by a Certificate Authority (CA).
- Advantages: End-to-end encryption, digital signature, natively supported in Outlook and Apple Mail
- Disadvantages: Complex certificate management, all communication partners need certificates
- GDPR Assessment: Meets the state of the art for sensitive data
PGP (Pretty Good Privacy)
PGP also provides end-to-end encryption but uses a decentralized "Web of Trust" or keyservers for key distribution instead of a central CA. PGP is particularly prevalent in the open-source community and among technically savvy users.
- Advantages: End-to-end encryption, decentralized, no CA dependency
- Disadvantages: Complex key management, low adoption in enterprises, no native Outlook support
- GDPR Assessment: Meets the state of the art, but less commonly deployed in practice
The recommendation of the BSI baseline protection is clear: For protecting emails with high protection requirements, a combination of TLS transport encryption and S/MIME or PGP content encryption should be used. This is exactly the principle that the Conbool SecureMail Gateway implements automatically.
What Penalties Are Imposed for Inadequate Data Protection?
The GDPR provides for substantial fines in Art. 83. Violations of Art. 32 -- i.e., inadequate technical protective measures -- can be punished with fines of up to 10 million euros or 2 percent of global annual revenue, whichever amount is higher.
In practice, supervisory authorities have already imposed fines multiple times due to inadequate email security:
- The State Commissioner for Data Protection and Freedom of Information of Baden-Wuerttemberg has repeatedly warned companies that sent personal data by email without TLS encryption.
- The Berlin Commissioner for Data Protection has explicitly highlighted cases in her annual report where health data was transmitted unencrypted by email.
- At the European level, the Irish Data Protection Commission has imposed fines in the double-digit millions when technical protective measures were deemed insufficient.
In addition to fines, compensation claims by affected individuals under Art. 82 GDPR and significant reputational damage are also at risk. Especially for companies falling under the NIS2 Directive, the requirements tighten further: NIS2 requires the use of cryptography and encryption in Section 30 para. 2 no. 8 BSIG. Read more about this in our article on NIS2 and email encryption obligations.
How Does Conbool SecureMail Simplify GDPR Compliance?
The biggest challenge with email encryption is not the technology itself, but its practical implementation in everyday business. Manual encryption processes regularly fail due to employee acceptance: certificates must be requested, keys exchanged, and updates applied. The Conbool SecureMail Gateway solves this problem through complete automation.
Automatic Encryption Based on Rules
In the SecureMail dashboard, you define policies that determine which emails are protected with which encryption level. The gateway analyzes every outgoing email and automatically applies the appropriate encryption -- whether TLS, S/MIME, or PGP. Employees neither need to manage certificates nor make decisions.
Central Certificate Management
The gateway handles the entire certificate lifecycle management: automatic requesting, renewal, distribution, and revocation of S/MIME certificates. This prevents security gaps caused by expired or missing certificates.
Secure Communication Without Recipient Infrastructure
Not every communication partner has their own encryption infrastructure. For these cases, SecureMail offers a secure web portal for external communication. Recipients without S/MIME or PGP receive a notification and can retrieve the encrypted message through a protected browser interface. This ensures GDPR-compliant communication even with external partners, authorities, or customers.
Comprehensive Logging
For the accountability obligation under Art. 5(2) GDPR, the SecureMail Gateway documents every encryption operation in an audit-proof manner. During an inspection by the supervisory authority, you can demonstrate at any time that your email communication meets the requirements.
Learn more in our article on digital sovereignty and automated email encryption about why a German gateway product provides additional legal security compared to US cloud solutions.
Frequently Asked Questions
Is email encryption generally mandatory under the GDPR?
Art. 32 GDPR explicitly names encryption as an appropriate protective measure. Whether it is mandatory in a specific case depends on the risk assessment. Transport encryption (TLS) is considered the minimum standard for all emails containing personal data according to the DSK position. For sensitive data under Art. 9 GDPR, end-to-end encryption is to be regarded as the state of the art.
Is TLS encryption sufficient to be GDPR-compliant?
TLS is the minimum standard but is not sufficient in all cases. For emails containing particularly sensitive data -- such as health data, financial data, or data from professional secrecy holders -- the DSK additionally requires end-to-end encryption via S/MIME or PGP. A documented risk assessment is decisive.
What happens if my communication partner does not support encryption?
This is not a reason to forgo encryption. Solutions like the Conbool SecureMail Gateway provide a secure web portal for such cases, through which recipients without their own encryption infrastructure can securely retrieve emails. This ensures GDPR compliance even in external communication.
How do I correctly document the risk assessment under Art. 32 GDPR?
Document the protection requirements, chosen technical measures, and the rationale for your decision for each data category. Use the DSK guidance documents and BSI baseline protection as reference frameworks. An automated gateway like SecureMail supports you through audit-proof logging of all encryption operations.
Conclusion: Act Now -- Before the Supervisory Authority Acts
GDPR-compliant email encryption is not an optional nice-to-have, but a legal requirement whose non-compliance can have severe consequences. The good news: With modern gateway solutions, implementation can be fully automated -- without training effort for employees and without restrictions in daily workflows.
Want to know how Conbool SecureMail secures your email communication in a GDPR-compliant manner?
Contact us for a personal consultation. Also learn how the NIS2 Directive tightens email security requirements and why digital sovereignty in email encryption is a strategic advantage.
