Does sharing an email address breach GDPR?

Published on : 23 Aug 2021


Email Address GDPR Breach

GDPR is a data protection law established to protect the privacy, confidentiality and integrity of the personal data of individuals in the EU. An email address that identifies a person is personal data (often loosely called personally identifiable information, or PII), so a business that sends or shares it is required to take appropriate measures to protect it. Coming straight to the question of whether sharing an email address may result in a breach: that depends on several factors and conditions.

Firstly, where the email address that is shared is a personal one, such as a personal Gmail address, disclosing it without a lawful basis is a personal data breach. Likewise, if a company email address contains the person's full name, e.g. [email protected], it identifies that person, and sharing it without their consent or another lawful basis is a GDPR breach.

Also, does the person sharing the address have a legitimate reason or permission to share it? If not, it is a data breach. Where a person or business sends a mass email with the recipients in BCC, the risk of a breach is reduced, because the recipients cannot see each other's addresses. But there is always the possibility of human error, such as pasting the list into To or CC instead, so it is best to use a proper mailing program that keeps each recipient's address out of the message everyone else receives.
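To make the BCC point concrete, here is an added example (not code from the original article) that builds a bulk message the way a mailing tool should: the recipient list stays in the SMTP envelope and never reaches the headers that every recipient can read. It also shows the human-error variant and a pre-send check that catches it. All addresses are constructed for the demo.

```python
"""Mass mailing without disclosing the recipient list.

Added example, not from the original article. Builds a bulk message the way
a compliant mailing tool does: every recipient is kept in the SMTP envelope
(the effect of BCC after a mail client strips the header) and out of the
visible To:/Cc: headers, then the bytes that would actually be sent are
checked. All addresses below are constructed for the demo.
"""
from email.message import EmailMessage
from email import message_from_bytes, policy


def build_mass_mailing(sender, recipients, subject, body):
    """Return (raw_message_bytes, envelope_recipients).

    Only the sender appears in the visible To: header. The recipient list is
    returned separately for the SMTP RCPT TO commands and is never written
    into the headers, so nothing can leak even if a Bcc-stripping step is
    skipped (smtplib.send_message() normally deletes Bcc before sending).
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = sender               # visible header carries the sender only
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(recipients))   # de-duplicate, keep order
    return msg.as_bytes(), envelope


def build_leaky_mailing(sender, recipients, subject, body):
    """The human-error variant: the whole list pasted into To:."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def visible_recipients(raw):
    """Addresses any recipient can read from the To:/Cc: headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    seen = set()
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            for addr in header.addresses:
                seen.add(addr.addr_spec.lower())
    return seen


def discloses_third_parties(raw, sender):
    """Pre-send check: True if anyone other than the sender is visible."""
    return bool(visible_recipients(raw) - {sender.lower()})


if __name__ == "__main__":
    SENDER = "newsletter@example.com"                      # constructed
    LIST = ["alice@example.org", "bob@example.net", "alice@example.org"]
    safe, rcpts = build_mass_mailing(SENDER, LIST, "Update", "Hello")
    leaky, _ = build_leaky_mailing(SENDER, LIST, "Update", "Hello")
    print("envelope recipients:", rcpts)
    print("safe message discloses others:", discloses_third_parties(safe, SENDER))
    print("leaky message discloses others:", discloses_third_parties(leaky, SENDER))
```

The check in discloses_third_parties is the kind of guard a mailing program should run before the first RCPT TO: it inspects the serialized message, not the code that built it, so it catches the case where someone later edits the headers by hand.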

Moreover, if a person has signed up for certain services and has consented to processing that requires their email address to be shared, then this is not a data breach. On the contrary, if the address is shared without consent and the person now receives marketing emails, it is a GDPR breach. It is also important to note that the person can contact the company and request erasure of their address from its marketing list; the company must honour that request.

So this brings us to the question: when is a business allowed to share email addresses? The answer is that businesses are not allowed to unless they have explicit permission from the customer, or another lawful basis for that specific sharing. In particular, businesses cannot automatically opt customers in to something they did not originally sign up for.

The other time they are allowed to share email addresses is when it is essential to the service the customer signed up for. For instance, passing an email address to a courier company for delivery notifications is legitimate and is not a GDPR breach. Even then, the company must ensure, typically through a written agreement with the third party, that the third party does not market to the address or use it for any purpose other than the original business need the customer signed up for.

As an organization, if you are still unsure about your current compliance status or would like to ensure that all your business operations and marketing practices are in line with the GDPR, you can approach a consultant like us at VISTA InfoSec for specialized guidance and consultation. VISTA InfoSec is a multinational cybersecurity consulting firm with years of experience in this industry; since 2004 the company has served clients from around the world in their compliance efforts. So, if you have any queries or doubts, or would simply like to consult a compliance expert, drop us a mail at info[@]vistainfosec.com.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF Assessor, CISSP, CISA, CRISC, ISO 27001 LA) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment and compliance services. VISTA InfoSec specializes in information security audit, consulting and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA and PDPB, to name a few. Since 2004 the company has worked with organizations across the globe to address the regulatory and information security challenges in their industries, and has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.