Agree completely. Sending data to third party requires a processing agreement yes. Its even enough that a third party has administrative access to the server (and thus potentially have access to data) - then a processing agreement is required.
When the data leaves EU, then its prohibited in many cases as you can't fine a company in for example iran for have disclosed details to a fourth party, thus disclosing to a third-party outside EU is prohibited even with a data processing agreement.
You are also correct that they can't send these files to facebook or Google.
What I wanted to point out, is that when people hear the word "email" they think a large can of GDPR worms is opened, but as long as email is done right, with restricted access and encrypted transfer and for sensitive things - a restriction so email can only be internally sent, all external domains blocked/prohibited, you can even use email to send super sensitive details.
-----Ursprungligt meddelande----- Från: dovecot-bounces@dovecot.org dovecot-bounces@dovecot.org För Marc Roos Skickat: den 6 oktober 2020 23:42 Till: dovecot dovecot@dovecot.org; sebastian sebastian@sebbe.eu Ämne: RE: SV: How to Modify Message and add more Attachments
Thats because in your example the data is sent outside the facility to a
third party (in this case, wetransfer/outlook) And wetransfer/outlook is operated in third countries, which can cause GDPR problems as the legal protection for the data disappears.
That is just a part. We had to sign such agreement between companies in the same country, city even. Data is not even leaving the country. Putting personal data at a third party requires a processing agreement.
The OP were asking about a solution which modifies email which have already been received in a local, secure facility to add the voice mail to locally stored messages. Thats not prohibited.
That has not been questioned, sending that data to google is being questioned.
Imagine if the OP has a SIP server and email server inside the same physical machine. Do you really think it would be prohibited to move a file from "asterisk/vm" to "var/spool/mail/"?
No because it belongs to the expected necessary processing activities of a voip provider. This voip provider cannot just send these files to facebook that is easy to understand. So you can not send these files to google as well. Does not matter if they have some fancy AD processing api.
The security for the data is the same regardless of which format is used.
Obviously