Our email archiving software has been rigorously audited and is now certified as being compliant with data subject rights under the EU’s General Data Protection Regulation (GDPR). But what exactly does that mean?
“[..] On the basis of the findings made during the audit, the MailStore Server software, when used correctly, meets the requirements of the applicable German laws, including the requirements set out in the General Data Protection Regulation (GDPR).” This is what is stated in the audit report compiled by independent German data protection experts. In a multi-stage process, the experts analyzed our software in terms of its ability to support the data privacy principles set out explicitly in the EU GDPR. Both the Bundesdatenschutzgesetz (BDSG – German Federal Data Protection Act) and its 2018 revision (BDSG 2018) were included in the analysis. The audit procedure followed the approach set out in the IDW PS 330 auditing standard on the audit of IT-based systems. In addition to a comprehensive application test, the auditors inspected documents and procedural documentation and used a pre-specified test database of emails.
MailStore Supports the Implementation of the Rights of Data Subjects
Conducted at our headquarters in Viersen, the audit examined our software in terms of its ability to guarantee the rights of data subjects as defined in the relevant laws on data privacy. The rights of data subjects as stipulated by the GDPR include the following:
Right of Access (Article 15 GDPR)
Archived emails contain personal data. With MailStore Server, the contents of an email can be fully searched, extracted in a commonly used format, and then made available. This enables companies and organizations to meet their obligation to provide information.
Right to Object (Article 21 GDPR)
When a company processes personal data on the basis of consent, it must be able to demonstrate that the data subject has given that consent, and the data subject must be able to withdraw it at any time. As MailStore Server is an email archiving software, consent and its withdrawal are not managed in the archive itself but are captured in an upstream system. The resulting transaction emails – for example opt-in and opt-out confirmations from email marketing or lead management systems – are reproduced in the email archive, where they serve as evidence of when consent was given or withdrawn.
Right to Erasure (Article 17 GDPR)
For a variety of reasons, individuals have the right to demand that their personal data be deleted (“the right to be forgotten”). When data is deleted, the following requirements must be met:
- Emails must be irretrievably erased
- Statutory retention periods must be safeguarded
- The integrity and consistency of the archive database must be preserved
With the aid of individually configurable retention policies, the software allows you to automate the deletion of emails from the archive once their retention period has expired, which also removes the personal data those emails contain. Note that the right to erasure does not override statutory retention obligations: emails that must still be retained cannot be deleted until the retention period has ended. Furthermore, individual delete requests can be carried out as a manual, logged delete procedure in which the reason for the deletion is recorded, so that the erasure itself remains traceable.
Right to Data Portability (Article 20 GDPR)
Data subjects have the right to receive personal data stored about them in a structured, commonly used and machine-readable format, and to transfer this data to another controller. MailStore Server’s export function in commonly used email formats such as EML, MSG, and PST takes this right to data portability into account.
Data Privacy: a Key Issue Even Before the GDPR
In the context of email management, data privacy was a relevant topic even before the GDPR came into force. While clearly raising awareness among MailStore customers, the EU General Data Protection Regulation has also given rise to a degree of uncertainty. In the past, when we spoke of audit-proof email archiving, we were usually referring to requirements of local fiscal and commercial law. Today, the notion of “legally compliant email archiving” must also be seen in the context of legislation on the processing of personal data. That’s why Roland Latzel, Director of Marketing at MailStore, is delighted at having obtained the certification: “We felt it was important that the quality of our software was endorsed by an independent party. And it means that we can now demonstrate to all our MailStore Server customers and partners that our product is an essential aid, given the increasingly complex compliance requirements governing email processing.”
The official certificate on the audit results for MailStore Server can be requested by our interested customers and partners via firstname.lastname@example.org.
More information on the GDPR and email archiving in general can be found here:
Download MailStore GDPR-Advisory for free
The 4-page Advisory is meant to help you meet legal requirements with the compliance features from MailStore Server.