
TTDSG: Germany’s new data privacy law
Background
Germany is a pioneer in data privacy protection. The country’s state of Hesse enacted the world’s first data protection law in 1970, and other states soon followed its initiative. Then, in 1978, the first German Federal Data Protection Act (BDSG) took effect.
From 2018 to 2021, data protection was governed by a combination of the EU’s General Data Protection Regulation (GDPR), an updated version of BDSG, and the local state laws.
Then, having seen a need to unify the country’s data laws and bring them in line with GDPR, Germany’s parliament introduced a new Data Protection Act in 2021: TTDSG.
The new law was intended to merge different data protection rules into one law.
While most of its provisions deal with cookies, TTDSG has also tightened regulations concerning email data. If you operate a business in Germany, it’s important to make sure you comply with them.
Email and TTDSG
The good news is that if you’re already compliant with GDPR, TTDSG doesn’t require you to do much more, though there are some stipulations regarding accessing email that are worth knowing about.
According to the new law, if a person is not involved in an email/web-based message, then they are forbidden to view it.
Some commenters suggest there are exceptions, though. A German compliance management firm called JOWECON has written about TTDSG and email.
They say that if a company allows its employees to use the corporate email system to send private messages, then, in certain circumstances, the company might be lawfully entitled to access those messages.
For example, if a particular member of staff is absent, or the company has reason to believe an employee’s private messages contain evidence that an offence has been committed, then the company would be allowed to view the messages.
There is another view, though, suggesting that by taking such action this company might be breaking the law. International law firm Herbert Smith Freehills says:
“If employers want to have legally secure access to email communication in company email systems, they have the option on the one hand, to completely prohibit the private use of official devices and infrastructure by employees.” (Herbert Smith Freehills Data notes)
So, there seems to be no consensus yet about whether employers can or cannot access an employee’s private emails without that person’s consent. If and when we gain clarity on this, we’ll update you.
In the meantime, you can help your organisation stay compliant with German laws with our Business Email Retention guide and by storing and accessing emails securely with Cryoserver.
