What the GDPR Actually Requires
The General Data Protection Regulation (GDPR) came into force in May 2018. It gives EU residents several important rights regarding their personal data:
- Right to access — you can request all data a company holds about you
- Right to erasure — you can request deletion of your personal data
- Right to portability — you can export your data in a machine-readable format
- Right to object — you can object to certain types of data processing
- Data minimisation — companies should only collect data necessary for their stated purpose
What Email Providers Collect Beyond Your Emails
The content of your emails is only part of what providers store. Most major providers also collect:
- IP addresses at login and message sending
- Device information (OS, browser, screen resolution)
- Geographic location data
- Message metadata (who you email, when, how often)
- Read receipts and engagement data
- Linked account activity across other services
Under the GDPR, all of this is personal data requiring a lawful basis for processing. Most providers use "legitimate interests" or your consent — buried in terms and conditions — as that legal basis.
US Companies and GDPR: The Ongoing Conflict
US email providers like Google and Microsoft have historically struggled with GDPR compliance. The core problem: US law (including the CLOUD Act and FISA) requires these companies to provide data to US authorities on request. This conflicts with GDPR's requirement that EU citizens' data not be transferred to countries without adequate protection.
After years of legal battles, the EU-US Data Privacy Framework (2023) provides a new basis for data transfers. But privacy advocates argue it doesn't resolve the fundamental conflict between US surveillance law and EU privacy rights.
The safest solution is simple: use an email provider based in the EU, subject only to EU law, with no US corporate parent.
What "GDPR Compliant" Really Means for Email
A provider claiming "GDPR compliance" is stating that they meet the minimum legal requirements. This is a low bar. Compliance means:
- They have a lawful basis for every type of data processing
- They honour data subject requests within the required timeframes
- They have appointed a Data Protection Officer (for larger organisations)
- They notify authorities of data breaches within 72 hours
It does not mean they collect as little data as possible. It does not mean your emails are private. A provider can be fully GDPR-compliant while still reading every email you send and building a detailed profile of your behaviour.
What True Privacy Looks Like Under the GDPR
The best privacy-respecting email providers go far beyond GDPR minimum requirements. They apply the principle of privacy by design — building systems where collecting private data is technically impossible, not just policy-prohibited.
When your email is end-to-end encrypted with zero-knowledge architecture, GDPR data subject requests become almost trivially simple: there is no readable content to disclose. The provider can only hand over encrypted blobs that are meaningless without the user's key.
enemail is built on this principle. We are based in Austria — firmly within EU jurisdiction — and our systems are designed so that personal data is minimised at the architectural level, not just by policy. Our email infrastructure runs on dedicated servers provided by Evolushost, located in Frankfurt, Berlin and Vienna, ensuring your data never physically leaves the EU.
Privacy that goes beyond the law
GDPR is the floor, not the ceiling. enemail is built so that compliance is the easy part — because we don't have your data to hand over.