UKRUK/69642/2018-3
6 July 2018
If bulk e-mail messages are sent from a work e-mail address (see Officer’s Guideline 3) to more than one person (data subjects) at their private e-mail addresses, it is recommended to use only the “blind copy” function. Disclosure of private e-mail addresses by adding them to the addressee field (“To”) or copying them (“Copy”) and sending the e-mail to other addressees is not admissible under the GDPR.
Example: when an instructor communicates with students in a seminar, the students’ private e-mail addresses are commonly used for sending messages. When sending an e-mail to more than one address, one must ensure that a student does not have access to the addresses of the other students. A similar example could be a group e-mail addressed to participants of a conference, etc.
The guideline does not apply to work communication in which an e-mail is sent to other work e-mail addresses, or to e-mail sent within a cooperating group whose members know each other and normally communicate with each other by e-mail.
Examples where a list with copied recipients is permitted:
The head of an office sends a message from a work e-mail address to all its employees using their work e-mail addresses.
Any work communication when using work e-mail addresses.
When an instructor communicates with a group of students as a part of a project, joint activity, or other situation involving a group of people who know each other.
Justification:
A private e-mail address is personal data. Hence, disclosure of this address by e-mail contravenes the GDPR.