MBF Knowledge Base

When an email is sent, it may pass through half a dozen systems. Do all of those systems now have to explicitly destroy any latent copies of the events in order to avoid a violation of GDPR? Does this apply even when that data is fundamental to properly tuning and operating those systems and the operators of those systems have no direct explicit relationship with the sender of the email?

Only if these latent copies contain either the subject or body content (e.g. the parts that may contain personal data).  If it is just email address, IP, date/time and other technical data then no, However you would still manage this by setting sensible retention periods on this sort of data.


To minimize your risk and ensure your compliance click here