DAVID – Archiving e-mail


DAVID – Archiving e-mail

DAVID Archiving e-mail

personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval,

consultation, use, disclosure by transmission, dissemination or making available otherwise, alignment or

combination, blocking, erasure or destruction. All treatment a records manager or an archivist can apply

to e-mails will be classified as “processing”.

E-mails often contain personal data concerning a data object. The e-mail header for instance contains the

sender’s and the recipient’s e-mail address. An e-mail address is often information related to an identified

or identifiable natural person. To be qualified as personal data the e-mail address does not need to lead

immediately to the identification of a natural person. Whether a person is labelled as identifiable is based

on all means available to the responsible of the processing or any other person to do the identification.

For example one often receives an e-mail address when signing up with an Internet Service Provider to

access the Internet. Also private companies that are not functioning as ISP sometimes offer on their

website an e-mail service that provides free e-mail addresses 50 . The end user must fill in a form to make

his personal data available. This allows the e-mail service provider to identify its users. This already

suffices to be qualified as personal data.

Not all e-mail addresses consist of personal data though. An organisation’s general e-mail address, often

shaped similar to info@domainname, does not consist of personal data due to the lack of an identifiable

natural person. The content of the electronic message usually contains additional data that allows the

identification of a natural person next to the e-mail address, such as an automated signature message or a

digital signature, accompanied by a certificate. This certificate allows the e-mail receiver to identify its


When incoming and outgoing e-mails are registered and stored in the electronic mailbox of an employee,

processing in the sense of the Privacy Directive takes place. This implies that some rules need to be lived

up to, rules that the European Member States have transposed into national legislation. In this report we

are discussing the provisions of the Directive, which are considered to be sufficiently clear, precise and

unconditional. They are immediately effective whether transposed or not. The Directive however does

not apply when a natural person processes e-mails containing personal data for personal or domestic

goals. E-mails in the user’s personal mailbox are therefore not subject to this Directive even if they

contain personal data.

2. Who needs to live up to the rules

The body responsible for the processing (the controller) has to supervise the compliance with the rules of

the Directive. The controller is defined as: “the natural or legal person, public authority, agency or any

other body who alone or together with others determines the purposes and means of the processing of

personal data.” It will not always be clear who is responsible for the processing of e-mails in an e-mail

system. It will largely depend on who determines the goal of and the means for the processing. The body


Microsoft’s Hotmail service for instance has become tremendously popular. It allows its users to check their e-

mail from most web browsers (http://www.hotmail.com).


More magazines by this user
Similar magazines