The Danish Data Protection Authority has issued guidance on the transmission of personal data via text messages (SMS).

Key takeaways:

  • Sending personal data by SMS is risky as it entails transmission in clear text, over networks over which the data controller has no control.
  • When conducting its risk assessment, the data controller should take into consideration the likelihood of spoofing or interception.
  • Transmitting sensitive or confidential information by SMS constitutes high risk to the data subjects’ rights and freedoms and should not be done.
  • Confidential information is not regulated in GDPR but required special measures. It includes: information on income and assets, employment, education and employment conditions; information on internal family relationships.
  • SMS is useful for reminders and short service messages. Do not include specific medical treatments or addresses.
  • To comply with the GDPR duty of data minimization, data controllers should remove all sensitive and confidential elements from the SMS text. Alternatively, they should use services with encryption in transit but preferably also of content.

Details from the Danish Data Protection Authority.