Diese Seite auf Deutsch anzeigen?

Email Archiving to Ensure Compliance With the GDPR and Other Privacy Laws

At the latest since the EU’s General Data Protection Regulation (GDPR) came into force, the subject of data privacy has been a key focus of attention for the business world. We explain how a professional email archiving solution can help you achieve these objectives.

What You Need to Know About the GDPR

Alongside national regulations on storing business-relevant data, the EU’s GDPR, in particular, sets out specific requirements governing how and in what circumstances critical data – in this case, personal data – may be processed. The GDPR came into force in the EU on 25 May, 2018 with the aim of harmonizing the laws on data privacy across the countries of the EU. In the past, the national laws in the individual EU countries had given rise to major discrepancies in privacy legislation, and the GDPR aimed both to standardize and to simplify existing processes. The regulations affect not only all companies within the Union, but also many non-EU companies that collect or process the data of EU citizens.

What Does the GDPR Regulate?
The GDPR harmonizes data privacy laws in Europe, placing an emphasis on the protection of personal data. In different areas, therefore, companies must ensure that personal data is handled in a manner that complies with the terms of the GDPR, and this applies equally to any emails containing personal data.

Is Implementation of the GDPR Mandatory?
Yes, it is. Not only are all European companies obliged to implement the GDPR, but also non-EU companies that do business with companies based in Europe. It should also be noted that the GDPR not only applies to the B2B sector but is also mandatory in the B2C sector.

Is There a Risk of Sanctions if the GDPR Is Violated?
Yes, there is. Breaches can attract fines of up to EUR 20 million or 4 percent of a company’s total global turnover of the preceding financial year, whichever is higher.

Archiving Emails Can Help a Company Comply With the GDPR

The process of complying with the GDPR constitutes a corporate-wide challenge involving numerous processes and procedures. Email archiving tools can help a business meet several core requirements of the EU regulation. When used appropriately, our software, MailStore Server, can help you comply with the following GDPR Articles, for example:

Right of Access (Art. 15 GDPR)

A powerful search function in our archiving solution allows any email and file attachment relating e.g. to a specific customer or employee to be located quickly and then extracted and made available in a common format. Companies are thus in a position to provide third parties with information whenever called upon to do so.

Right to Erasure (Art. 17 GDPR)

Individuals are entitled to request that their personal data be deleted (“the right to be forgotten”). The following requirements must be met in this case:

  • Emails must be irretrievably erased
  • Statutory retention periods must be observed
  • Database conformity must be guaranteed

By means of retention policies that can be configured on an individual basis, the software allows you to automate the process of deleting emails from the archive, i.e. including all and any stored personal data on a particular data subject. Furthermore, delete requests and legal tests relating to rights of erasure can be recorded by specifying the reason for the deletion as part of a manual delete procedure that is logged accordingly.

Right to Data Portability (Art. 20 GDPR)

Data subjects are entitled to receive personal data stored on them in a structured, commonly used and machine-readable format, and to transfer this data to another controller. MailStore Server complies with the right to data portability by providing an export function that supports all common email formats (EML, MSG, PST).

Right to Object (Art. 21 GDPR)

When a company processes personal data, it must demonstrate that it has obtained the consent of the data subject to do so. The data subject must also be able to withdraw this consent. As MailStore Server is an email archiving tool, any consent and the withdrawal of such consent expressed by email will be captured in an upstream system such as an online shop, email marketing system, and the like. Resulting transaction mails – for example opt-ins of email marketing systems or lead management systems – are all reproduced in the email archive.

Achieving GDPR Compliance With MailStore Server

MailStore Server has been inspected by an independent IT auditor and is officially GDPR-certified. This certification is proof positive that, when used appropriately, the software meets all the criteria for personal-data processing set out in the GDPR.

Interested customers and partners can ask to see the official certification of the audit results for MailStore Server by contacting [email protected].

Please Note

Compliance with the GDPR’s data privacy regulations should be seen as an enterprise-wide challenge that includes not only purely technical measures, but also organizational regulations in all areas of business. Professional GDPR-certified email archiving is just one small component of the raft of measures required to comply with the GDPR.

MailStore Server can support you by providing the following functions and features:

  • Archiving integrity maintained through journaling
    Emails are archived before they are even delivered to a mailbox.
  • Archiving remains faithful to the original
    The emails in the archive match the original in every respect.
  • Tamper-proof storage
    All archived data are protected from manipulation thanks to an encryption process.
  • Tamper-proof exporting
    Archived emails can be exported from the archive using tamper-proof, standard file formats.
  • Retention policies
    Retention policies can be applied to stipulate how long certain emails are archived.
  • Legal hold
    Irrespective of any retention policies, certain emails are prevented from being deleted.
  • Logging
    An integrated auditing function ensures that any changes are recorded in a log.
  • Auditor access
    External auditors can be granted access to the archive.


Become One of Over 100,000 Success Stories

With more than 80,000 customers, MailStore Server is one of the world’s leading email archiving solutions. MailStore is used by both small and mid-sized enterprises across all sectors of industry, as well as by numerous public authorities and educational institutions.

Logo Audible
Logo - Fraunhofer ILT
Logo - Valve
Logo - UniCredit
Logo - Guardian Credit Union
Logo - Brussel Parlament
Logo - San Diego Bloodbank
Logo - Losteria
Logo - HF Group
Logo - PGA Australia
Ready to Optimize Your Email Archiving?

Get started today with our free 30-day trial and see the benefits for yourself.

  • Supports up to 2,000 users out-of-the-box
  • GDPR-certified
  • Compatible with Microsoft 365
  • Simple to set-up with modest system requirements
  • Starting from $ 259.00 (plus VAT), incl. 1 year Update & Support Service
Productbox - MailStore Server

Audit Compliance and Privacy – Are Retention Policies and Data Protection Compatible?

In many countries around the world, national legislation includes rules on the retention of business-critical email data that are important for taxation and the filing of companies’ annual financial statements. Besides invoices, these can include supply contracts or just general correspondence with customers, all of which need to be stored safely for many years.

The problem: Is the Obligation to Retain Certain Emails Compatible With Data Privacy Rules if Emails Containing Business-Critical Data Also Harbor Personal Data?

The “principles relating to processing of personal data” as set out in Article 5 of the GDPR require, among other things, that processing is “adequate, relevant and limited to what is necessary in relation to the purposes for which the data are being processed (‘data minimization’)” and, further, that these data are stored “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. For many entrepreneurs, Article 5 of the GDPR is irreconcilable with the retention obligations imposed by the legislator.

The Solution: Individually Definable Retention Policies

The apparent conflict between retention obligations and data privacy necessitates a detailed inspection of the retention policies in question because the criteria for audit-compliance can be fulfilled only within the context of the defined retention periods. Since data do not need to be retained indefinitely, retention obligations and data privacy rules can be met in equal measure by using software with the appropriate functionality.

In MailStore Server, administrators can use individual retention policies to define how long different types of email are archived, i.e. whether and when emails should be automatically deleted from the archive, thus complying with both the GDPR and the various retention periods stipulated by law.