Email distribution list in CC instead of BCC leads to a fine


Data protection breach with email distribution lists

by A. Navidy / J. Baeck

If an open mailing list is used to send emails in a commercial environment, there is a risk that this will be considered a data protection breach by the supervisory authorities and subject to a fine.

In February 2019, Harald von Bose, the State Commissioner for Data Protection in Saxony-Anhalt, imposed several fines on a man from Merseburg. In several cases, the man had sent emails with hundreds of personal email addresses in an open distribution list (CC).

The content of these emails included complaints, statements, slurs and also criminal charges against representatives from business, politics and the press.

According to Mr. von Bose, the content of these emails was legitimate and in principle covered by Article 5 (1) of the Basic Law (freedom of expression), but the handling of up to 1,600 email addresses, which were used almost daily, was not. In the dispute with the supervisory authority, the man from Merseburg had invoked Article 5 (1) of the Basic Law. However, this fundamental right does not justify the use of open email distribution lists.

The processing of personal data (email addresses) cannot be justified, either to the extent of their mere use for sending the emails or by the sender's legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR (expression of opinion). With regard to the publication of the email addresses through the open distribution list, however, the balancing decision is in favor of the data subjects, as this publication interferes with their fundamental right to informational self-determination. This balancing decision is also supported by the so-called reservation of limitations in Art. 5 para. 2 of the Basic Law (GG).

The various fines are likely to be based on Art. 83 para. 1 GDPR, Section 22 para. 2a no. 1 DSG LSA, Section 43 para. 2 BDSG and amount to a total of € 2,628.50.
It cannot be ruled out that further fines will follow, as the man is said to have continued to violate data protection regulations even after the fines were issued.

In the business context, even greater attention should be paid in future to correct addressing when sending external emails. An exception for open email distribution lists exists only in the private sphere: in accordance with Art. 2 para. 2 lit. c) GDPR, the GDPR does not apply to processing "by natural persons for the exercise of exclusively personal or family activities".
