Per the German DSK (the Conference of Independent German Federal and State Data Protection Supervisory Authorities), emails need to be encrypted in order to meet the minimum requirements of Article 32 of the General Data Protection Regulation (GDPR).

This means:
  • TLS (transport layer encryption) at minimum
  • Additional measures like end-to-end encryption and qualified transport encryption if sensitive data is being sent
  • Controllers must implement a policy that enables all employees who use e-mail communication and similar media to determine which safeguards need to be taken for each medium and class of communication or transmitted personal data.
  • They must regularly monitor compliance with this policy.
  • They must notify recipients so that they can adapt to the technical conditions and implement any technical precautions they may need to take for their part.

Read the full advisory.