SV: SV: How to Modify Message and add more Attachments

Sebastian Nielsen sebastian at sebbe.eu
Wed Oct 7 00:54:15 EEST 2020


Agree completely.
Sending data to third party requires a processing agreement yes. Its even
enough that a third party has administrative access to the server (and thus
potentially have access to data) - then a processing agreement is required.

When the data leaves EU, then its prohibited in many cases as you can't fine
a company in for example iran for have disclosed details to a fourth party,
thus disclosing to a third-party outside EU is prohibited even with a data
processing agreement.

You are also correct that they can't send these files to facebook or Google.


What I wanted to point out, is that when people hear the word "email" they
think a large can of GDPR worms is opened, but as long as email is done
right, with restricted access and encrypted transfer and for sensitive
things - a restriction so email can only be internally sent, all external
domains blocked/prohibited, you can even use email to send super sensitive
details.


-----Ursprungligt meddelande-----
Från: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> För Marc
Roos
Skickat: den 6 oktober 2020 23:42
Till: dovecot <dovecot at dovecot.org>; sebastian <sebastian at sebbe.eu>
Ämne: RE: SV: How to Modify Message and add more Attachments

 >
 >Thats because in your example the data is sent outside the facility to a
third party (in this case, wetransfer/outlook) And wetransfer/outlook is
operated in third countries, which can cause GDPR problems as the legal
protection for the data disappears.
 >

That is just a part. We had to sign such agreement between companies in the
same country, city even. Data is not even leaving the country. 
Putting personal data at a third party requires a processing agreement.

 >The OP were asking about a solution which modifies email which have
already been received in a local, secure facility to add the voice mail to
locally stored messages.
 >Thats not prohibited.

That has not been questioned, sending that data to google is being
questioned.

 >Imagine if the OP has a SIP server and email server inside the same
physical machine. Do you really think it would be prohibited to move a file
from "asterisk/vm" to "var/spool/mail/"?

No because it belongs to the expected necessary processing activities of a
voip provider. This voip provider cannot just send these files to facebook
that is easy to understand. So you can not send these files to google as
well. Does not matter if they have some fancy AD processing api.

 >The security for the data is the same regardless of which format is used.

Obviously


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5715 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://dovecot.org/pipermail/dovecot/attachments/20201006/21f46433/attachment-0001.p7s>


More information about the dovecot mailing list