GDPR-compliant email service

Why businesses need end-to-end encryption for legal compliance and how Tuta Mail can help.

Screenshot: Tuta Mail notice "Your message is sent with quantum-safe encryption".

The European GDPR requires companies to secure emails containing personal data of people in the EU. But do businesses need end-to-end encryption for email? While the regulation does not say so explicitly, encryption is the best tool your organization has to achieve GDPR compliance. Let's explain!


Risk assessment

Companies across Europe are uncertain whether it is secure enough to protect emails with TLS alone (transport encryption between mail servers) or whether end-to-end encryption must be used, at least when sensitive personal data is being sent.

The question that could decide over millions in GDPR fines is: Does the GDPR require businesses to encrypt emails end-to-end?

First things first, encryption is not an obligatory requirement under the GDPR. But - and this BUT is huge - encryption is named repeatedly in the regulation as an appropriate safeguard (Article 32(1)(a), Article 34(3)(a) and Recital 83). In addition, when doing a GDPR risk assessment properly, every business will come to the conclusion that end-to-end encryption is a must, at least for emails containing sensitive information.

This is underpinned by developments in several European countries and by decisions of the data protection authorities in Denmark and Germany.

Denmark is the first EU country to state officially that, because of the GDPR, companies must protect sensitive personal data in emails with proper end-to-end encryption.

Tue Goldschmieding, Partner at the Danish law firm Gorissen Federspiel, explains:

Though the Danish Data Protection Agency does not explicitly require end-to-end encryption when sending emails containing special categories of data, the recommendation is very firm and should be interpreted as a de facto requirement.

While the Danish regulators do not say that companies must use end-to-end encryption, they effectively say that any company must reach this exact conclusion in its own risk assessment. Regulators in other European countries may be even less explicit, but companies must keep in mind that the Danish interpretation of the requirement for end-to-end encryption is based on the same legislation that applies to all EU member states: the GDPR. In addition, German schools may no longer use Microsoft Office when the data is stored in the US, because of GDPR data protection requirements.

These developments in Denmark and Germany point in the direction that every company must have the ability to encrypt emails containing sensitive personal data end-to-end.

How email encryption helps your business achieve compliance

Better safe than sorry.

Given fines of up to 4% of annual worldwide turnover (or 20 million euros, whichever is higher), companies are on the safe side when they send all emails containing personal data end-to-end encrypted.

Only end-to-end encryption protects email content on every server it passes through, which is exactly what a GDPR risk assessment asks for.

The European General Data Protection Regulation (GDPR) (German: Datenschutz-Grundverordnung, DSGVO) highlights encryption as an appropriate technical measure to protect personal data. The regulation states that if breached data was protected by measures such as encryption, which render it unintelligible to any person not authorised to access it, the breach does not have to be communicated to the affected persons (Article 34(3)(a)). End-to-end encryption is the form of email encryption that achieves this, because the content stays unintelligible on every server the message passes through.

By encrypting your emails end-to-end, your business implements the appropriate technical measure the GDPR asks for and limits the damage a breach or data loss can do, within the EU and beyond.

Even if end-to-end encryption is not (yet) a legal requirement for businesses in your country, you can show your expertise in data protection to partners, customers, and employees by choosing an encrypted email provider like Tuta Mail. This builds trust and respect, and can give your company a competitive advantage as best security practices help you build an excellent brand image.

Which businesses need email security

For some professions, handling a lot of personal information via email has become standard practice. Business emails contain a lot of personal data, particularly when your customers are private citizens, and these emails oftentimes contain very sensitive data.

Every business handles personal information via emails at some point: HR information about applicants or employees, Curriculum Vitaes (CVs) or payroll letters sent via email, and personal information about customers such as birthday congratulations are only a few examples.

Professionals such as headhunters and HR services, financial consultants, educators, attorneys and lawyers, medical professionals and physicians, non-profits like the Committee for Justice, as well as journalists researching people and their private lives must take extra steps to protect their email communication with and about their customers and partners. End-to-end encrypted emails are the best tool they have to communicate confidentially in their respective business context.

The GDPR is only one reason why businesses need email encryption. Check out all the reasons and secure your business emails.

What Tuta Mail does to guarantee GDPR compliance in business emails

Tuta Mail offers a very easy way to encrypt any email end-to-end to any recipient with quantum-resistant encryption algorithms. With Tuta Mail’s built-in encryption, no plugin or complicated encryption software is needed.

Check out this YouTube video to learn how quickly you can encrypt and password-protect any email in Tuta Mail.

Unlike other email providers, Tuta Mail does not have access to your data or your encryption keys. On top of that, Tuta Mail comes with a flexible and fair pricing plan that suits every business.

Screenshot: Tuta Mail, the GDPR-compliant email client, encrypts emails easily.

Tuta Mail protects all your business emails in five ways to guarantee GDPR-compliance:

  1. The entire mailbox is end-to-end encrypted. Emails, calendars, contacts (address book) - all data in Tuta is encrypted end-to-end with quantum-safe encryption. The encrypted data can only be accessed by your company. All data is stored encrypted on our own servers in highly secured, ISO 27001-certified data centers located in Germany.

  2. Tuta Mail automatically encrypts all emails among your employees end-to-end. This makes it very easy for you to share personal information, e.g. about applicants or customers, internally via email.

  3. Tuta Mail enables you to send end-to-end encrypted emails to outside users by sharing a password with the recipient over a separate channel; the recipient uses it to open the message.

  4. A Data Processing Agreement (DPA, Article 28 GDPR) with legally binding data protection guarantees helps your company demonstrate its compliance with the GDPR.

  5. Tuta and all of its servers are located in Germany, making sure that all your data stays within the legal scope of the GDPR.

Tuta Mail offers an extensive business package

Tuta Mail is a secure email service that lets you access your encrypted mailbox at any time via webmail, via our Android and iOS apps, or via our desktop clients for Windows, macOS and Linux.

You can quickly set up Tuta Mail for your organization as we have automated lots of steps during the setup process. Check out all the details in our FAQ.

With its built-in end-to-end encryption, Tuta Mail enables you to make use of the advantages of the cloud (accessibility, cost efficiency, fast scalability, easy backup) while protecting from its disadvantages (security issues). You and your business are in full control of your data, and you have full data ownership.

Tuta Mail for business enables you to:

  • Create an unlimited number of email accounts for all employees with your own domain(s) and make use of ample storage.

  • Create shared mailboxes for teams such as HR, support, or sales that multiple employees can access from their personal mailbox.

  • Create as many alias email addresses as you need as these are unlimited with your own domain.

  • Manage email accounts with administrators (reset passwords, disable accounts, etc.).

  • Add local administrators such as project managers, department chiefs etc.

  • Place a login on your website where your employees as well as external partners receiving encrypted, password-protected emails can log into their encrypted mailboxes.

  • Use your own branding (logo & colors) within your company’s mailboxes.

  • Make unlimited use of our smart search feature that enables you to search your encrypted emails and contacts securely.

  • Access your mailbox and calendar when offline.

  • Create folders and subfolders and use smart filters to sort incoming emails automatically.

  • Secure all employee email accounts with two-factor authentication; U2F security keys are also supported, even on mobile devices.

GDPR compliance requires businesses to safeguard personal data, including data in transit.

To sum this up: Tuta Mail takes your email security to the next level with its quantum-safe end-to-end encryption while saving your business money. You save time and money by hosting all your business emails encrypted on Tuta's secure servers based in Germany - no need for a plugin or complicated encryption software. And don't just take our word for it. Businesses such as the youth welfare service "Jugendhilfe Bockenem" with its 170 employees chose Tuta Mail to become fully GDPR-compliant.

Secure your business emails now!


GDPR email FAQ

What is a GDPR-compliant email service?

A GDPR-compliant email service must secure all data according to the requirements of the EU General Data Protection Regulation and offer a data processing agreement (DPA). The best choice for businesses is an email provider that offers end-to-end encryption with quantum-safe protocols and is located in the European Union for the best data protection.

Is an email address personal data under GDPR?

Yes, email addresses are personal data, just like physical addresses. They can be used to identify a person and therefore count as personal data protected by the European GDPR (the US term "personally identifiable information", PII, is often used interchangeably).

Here are some examples of personal data:

  • Email addresses
  • Physical addresses
  • Names
  • Birthdays
  • Social Security numbers (SSN)

Particularly, if you collect email addresses of people living in the European Union, you and your business must take special care to protect this personal data.

What does GDPR mean for emails?

GDPR for emails refers to two things:

First, businesses collecting email addresses, for instance for marketing purposes. These email addresses must be protected according to GDPR legal requirements, and people must consent to receiving marketing emails; double opt-in is the established way to obtain and document that consent.

Second, businesses sending emails containing sensitive personal information such as payroll statements, CVs, or other personal information. These emails must be protected with end-to-end encryption to be in full compliance with the GDPR.

Why is standard TLS encryption not secure enough?

Today, most emails are protected in transit with so-called TLS encryption (STARTTLS between mail servers). This transport encryption does not encrypt the content of the email itself; it only encrypts the connection between two servers, and the message inside that connection is still the plain, unencrypted text.

TLS encryption is therefore not safe enough to protect emails with sensitive personal information. An email typically passes through several servers on its way, and each server terminates the TLS connection, handles and stores the message in cleartext, and then opens a new TLS connection to the next hop (if the next hop supports TLS at all; otherwise the message travels in plaintext). Every one of those servers, and anyone who breaches it, can read the content. Only end-to-end encryption protects sensitive data within emails against data loss and data breaches on the servers in between. Thus end-to-end encryption is the measure that protects the content of your business emails, not just the connections they travel over.
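To make the hop-by-hop nature of TLS concrete, here is an added example (not Tuta Mail's code, and not part of the original page) that audits the Received: trace headers of an email. Every relay prepends one Received: header, and the "with ESMTPS" or "with ESMTPSA" keyword (RFC 3848) or a TLS version recorded in a comment tells you whether that particular hop used STARTTLS. The message, hostnames and addresses below are constructed for the example using documentation IP ranges.

```python
"""Audit the Received: chain of an email to see which SMTP hops used TLS.

Transport encryption protects one hop at a time: every relay terminates the
TLS session and holds the message in cleartext before forwarding it. Each
relay also prepends a Received: header, so the chain can be reconstructed and
checked hop by hop. Note two limits: a TLS hop still means the relay itself
read the cleartext, and Received: headers are written by the relays, so a
hostile relay can forge them. They are evidence, not proof.
"""
import re
from email import message_from_string

# Constructed sample message (not a real capture): four hops, the second one
# plain ESMTP without STARTTLS. Hosts use documentation ranges (RFC 5737).
SAMPLE_MESSAGE = """\
Received: from mx2.example-relay.test (203.0.113.8) by mail.recipient.test
\t(203.0.113.20) with Microsoft SMTP Server (version=TLS1_2,
\tcipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7633.21;
\tTue, 4 Jun 2024 10:12:04 +0000
Received: from mx1.example-relay.test (mx1.example-relay.test [203.0.113.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx2.example-relay.test (Postfix) with ESMTPS id 9A1F3;
\tTue, 4 Jun 2024 10:12:03 +0000 (UTC)
Received: from smtp.sender.test (smtp.sender.test [198.51.100.4])
\tby mx1.example-relay.test (Postfix) with ESMTP id 4C7D2;
\tTue, 4 Jun 2024 10:12:01 +0000 (UTC)
Received: from [192.0.2.10] (client.sender.test [192.0.2.10])
\tby smtp.sender.test (Postfix) with ESMTPSA id 1B2C3;
\tTue, 4 Jun 2024 10:12:00 +0000 (UTC)
From: hr@sender.test
To: applicant@recipient.test
Subject: Your employment contract

Dear applicant, please find your contract attached ...
"""

_COMMENT = re.compile(r"\([^()]*\)")
# Matches TLS versions as MTAs write them in comments: TLSv1.3, TLS1_2, TLS1.3
_TLS_VERSION = re.compile(r"\bTLSv?1[._]\d")


def _strip_comments(value: str) -> str:
    """Remove (possibly nested) RFC 5322 comments such as '(Postfix)'."""
    while _COMMENT.search(value):
        value = _COMMENT.sub("", value)
    return value


def parse_received(value: str) -> dict:
    """Break one Received: header into from/by/protocol plus a TLS verdict."""
    flat = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    bare = _strip_comments(flat)                    # keep only the clauses
    src = re.search(r"\bfrom\s+(\S+)", bare)
    dst = re.search(r"\bby\s+(\S+)", bare)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare)
    protocol = proto.group(1).upper() if proto else ""
    # RFC 3848: the 'S' in ESMTPS / ESMTPSA / LMTPS means STARTTLS was used.
    # Some MTAs (e.g. Exchange) only record TLS inside a comment, so check
    # the unstripped header for a TLS version string as well.
    tls = protocol.endswith(("S", "SA")) or bool(_TLS_VERSION.search(flat))
    return {
        "from": src.group(1) if src else "?",
        "by": dst.group(1) if dst else "?",
        "protocol": protocol,
        "tls": tls,
    }


def audit_hops(raw_message: str) -> list[dict]:
    """Return the SMTP hops in chronological order, each with a TLS flag."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    # Each relay prepends its header, so the list is newest-first; reverse it.
    return [parse_received(h) for h in reversed(headers)]


def cleartext_hops(raw_message: str) -> list[str]:
    """Hops whose Received: header shows no TLS, i.e. plaintext on the wire."""
    return [f"{h['from']} -> {h['by']}"
            for h in audit_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        mark = "TLS  " if hop["tls"] else "PLAIN"
        print(f"[{mark}] {hop['from']} -> {hop['by']} ({hop['protocol'] or 'unknown'})")
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

Running it on the constructed message reports the hop from smtp.sender.test to mx1.example-relay.test as plaintext while the other three used TLS. The point of the exercise is what the audit cannot tell you: even on the three TLS hops, the relay at each end held the contract in cleartext, and the sender had no way to know in advance whether every hop would negotiate TLS. End-to-end encryption removes both problems because the relays only ever see ciphertext.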