At first glance, the spam folder in an e-mail client does not look like a data privacy risk. However, if e-mails that were meant to be deleted are inadvertently marked as spam, they may be manually checked by the e-mail provider, resulting in a data protection breach.

Everything you need to know about the privacy risk of marking e-mails as spam can be found here.

What happens when an e-mail is marked as spam?

It happens often enough that users mark an e-mail as spam instead of deleting it. On the surface, the e-mail has merely been moved to the spam folder. However, some e-mail providers continue to process the e-mail in question. If it contains confidential or personal data, this can develop into a data protection problem.

Some e-mail providers simply store a hash value of the e-mail when it is marked as spam. This is meant to help improve the spam filter, for example when e-mails with the same fingerprint are marked more frequently. In such cases, no third party reads the e-mail itself and the data it contains is safe.
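
The fingerprint approach described above, as an added example that is not part of the original page and not any provider's actual implementation. The class name, the report threshold, the normalization step and the sample messages are assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter
from email import message_from_string
from email.policy import default

class SpamFingerprintStore:
    """Hypothetical provider-side store: keeps digests and counts, never content."""

    def __init__(self, threshold=3):  # threshold is an assumed value
        self.threshold = threshold
        self.reports = Counter()  # digest -> number of spam reports

    @staticmethod
    def fingerprint(raw_message):
        msg = message_from_string(raw_message, policy=default)
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        # Hash subject and body only; per-recipient headers (To, Date) are
        # left out so the same mailing yields the same digest for every user.
        canonical = re.sub(r"\s+", " ", f"{msg['Subject'] or ''} {text}").strip().lower()
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def report_spam(self, raw_message):
        digest = self.fingerprint(raw_message)
        self.reports[digest] += 1
        return digest

    def is_known_spam(self, raw_message):
        return self.reports[self.fingerprint(raw_message)] >= self.threshold

# Constructed sample messages (not real mail).
SPAM_A = "From: promo@example.test\nTo: alice@example.test\nSubject: You won\n\nClaim your   prize now\n"
SPAM_B = "From: promo@example.test\nTo: bob@example.test\nSubject: you won\n\nClaim your prize\nnow\n"
CONFIDENTIAL = "From: hr@example.test\nTo: alice@example.test\nSubject: Payroll\n\nSalary details attached\n"

def demo():
    store = SpamFingerprintStore(threshold=3)
    for message in (SPAM_A, SPAM_B, SPAM_A):  # three users report the same mailing
        store.report_spam(message)
    store.report_spam(CONFIDENTIAL)  # one accidental report of a confidential mail
    return store

if __name__ == "__main__":
    store = demo()
    print("mailing flagged:", store.is_known_spam(SPAM_B))
    print("accidental report flagged:", store.is_known_spam(CONFIDENTIAL))
    print("stored records:", dict(store.reports))
```

The store ends up holding two digests with their report counts; the accidentally reported message leaves a single digest behind and stays below the threshold.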

Other providers check each e-mail against predefined criteria to decide whether it is spam. In cases where the provider from which the e-mail originates is deemed trustworthy, general information about the mail (time, sender and type of content) can be forwarded to that provider (a so-called feedback loop).

With some e-mail providers, the user can also consent to additional spam protection. In this case, the e-mail provider may also use the content of the e-mail to train spam detection. This may involve both automated and manual processing of the e-mail.

What can you do?

If e-mails are accidentally marked as spam, this can have serious consequences under data protection law, depending on the provider and the content of the e-mail. Such consequences must be prevented.

The reason for the incorrect marking could be that the buttons for deleting and marking as spam are too close to each other, look too similar or are misleading. If employees are not made aware of this issue, a mishap can quickly occur.

Despite everything, spam filters are useful and important, so doing without them is not a viable solution. However, the company should investigate how the selected e-mail provider handles spam and whether it should change providers if necessary. In addition, most incidents can be prevented by providing employees with appropriate training on data protection and awareness. Only end-to-end encryption offers complete privacy. It is not without reason that communication via e-mail is compared with communication via postcards.

Would you like advice on data protection and data security in your company? Our team of experts will be happy to help you! We also offer training on data protection and awareness. Feel free to contact us!
