Every time a message arrives at a mail server it is full of data covered by the GDPR. Not only the contents of the message, but even the IP of the connecting server; or all the IPs in the headers; or DNS names etc... with that being said, how can anybody processing email properly handle that information?
IT Service providers are classified as “data processors” under GDPR, this carries less responsibility than “data controllers”. Data processors are responsible for ensuring sufficient guarantees to the data controller to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR.
In other words data processors are responsible for keeping the data secure, and to not share the data with anyone else without the data controller’s agreement.
You are not responsible for ensuring consent, nor do you control the content of the email, the controller is responsible for that. For most email services the data controller is the individual who sent it, as they control what happens to it on the server.
To minimize your risk and ensure your compliance click here