Fax not (any longer) compliant with data protection?

19 May 2021

As soon as personal data are processed, the GDPR must also be observed when sending faxes. According to Art. 4, Para. 1 of the GDPR [1], the term “personal data” refers to all data that allow conclusions to be drawn about the person and their identification.

Do fax templates with differentiated personalisation fall under the GDPR?

In everyday business, a fax number is usually not directly assigned to a person. This means that the person cannot be identified via the fax number. However, if identification can happen via other data belonging to the data set, the fax number is also considered personal data.

An e-mail address is always considered personal data. As a rule, it contains the name of the person in the alias of the e-mail. Even with seemingly general e-mail addresses, such as “Sales” or “Info”, caution is advised, as these are often assigned to a person in the data record of the database.

Differentiated personalisation on the fax template means that no personal data within the meaning of the GDPR is used, i.e., first name and surname do not appear in the salutation, address field or anywhere else on the fax template. If no personal data is used at all, the sending of fax templates does not violate data protection under the GDPR.

Changes in the technical environment

Until now, exclusive “end to end” telephone lines were used when sending fax messages. Because of technical changes in the telephone networks, these exclusive lines are no longer used; instead, the data is transported in packets over networks based on internet technology. As a result, access by third parties is possible. In addition, it can no longer be assumed that there is a real fax machine at the receiving end of the fax transmission. Systems are often used that automatically convert incoming fax messages into an e-mail and forward them to certain unencrypted e-mail mailboxes.

Therefore, the level of data protection of a fax is seen to be at the level of an unencrypted e-mail and is usually not suitable for the transmission of personal data (finding of the Bremen data protection commissioner [2]).

These changes could have far-reaching consequences – especially for doctors, hospitals and public authorities, but also for companies that have sent corresponding data by fax as a matter of course up to now.

Digitisation as a solution?

It remains to be seen whether this situation will lead to a return to the postal letter or a digitalisation push. In any case, end-to-end encrypted e-mails are a practicable solution, especially when it comes to sensitive personal data. Since e-mails are generally regarded as a gateway for spam, malware and phishing, including targeted attacks, it is advisable to install reliable security software.

IKARUS mail.security scans all incoming and outgoing e-mails before they are transferred to the network and offers maximum data security and user-friendliness. An additional plus: software development, data processing, analysis and support are carried out in Austria in strict compliance with the European GDPR.
