At the end of 2018, the Data Protection Authority of North Rhine-Westphalia (LfDI NRW) published its position (in German) on the technical and organisational measures required for the transmission of e-mails.
In the opinion of the LfDI NRW, a fundamental distinction must be made between encryption at content level and encryption at transport level for the transmission of e-mails. Content-level encryption encrypts the text of an e-mail and its attachments; according to the authority, the S/MIME and OpenPGP standards are the most suitable for this. Metadata, i.e. the headers such as sender, recipient and subject line, is not covered by content encryption. With transport-level encryption (TLS on the connection), both metadata and content are encrypted on the connection between mail client and server or between different mail servers. Note that this protects the message only while it is in flight on that one connection: each mail server on the path still receives, stores and forwards the message in cleartext, so the two forms of encryption address different risks and complement rather than replace each other.
The LfDI NRW then sets out its positions to be applied 'in the choice of technical and organisational measures': "Communication by e-mail requires at least transport encryption, as offered as standard by the well-known European providers".
LfDI NRW therefore assumes that at least transport encryption must always be implemented, without exception. As mentioned above, no such mandatory encryption obligation results from the GDPR itself, so one could argue that this view goes beyond what the GDPR requires. In its assessment, the authority may be assuming that transport encryption is now the "state of the art" referred to in Art. 32 para 1 GDPR; the reference to the European providers supports this reading. Nevertheless, Art. 32 para 1 GDPR lists further criteria besides "state of the art" that must be taken into account when choosing the measures to be implemented, in particular the risk of varying likelihood and severity for the rights and freedoms of natural persons. Under the GDPR, controllers and processors should therefore still be able to assess on the basis of these criteria whether encryption of the data is absolutely necessary. Unfortunately, the authority's opinion does not address the individual criteria of Art. 32 para 1 GDPR in detail and does not give reasons for its position.
Regarding the type of transport encryption, the LfDI NRW is of the opinion that it should be implemented in accordance with the Technical Guideline "BSI TR-03108 Secure E-Mail Transport" of the German Federal Office for Information Security (BSI). However, deviations may be possible. In practice this means more than merely opportunistic STARTTLS, where a connection that fails to negotiate TLS silently falls back to cleartext: the guideline specifies, among other things, which TLS versions and cipher suites are acceptable and how the identity of the receiving server is to be verified.
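As an added illustration of the hop-by-hop nature of transport encryption described above (this is not code from the LfDI NRW position or from TR-03108), the following Python script reads the Received: headers of a delivered message and reports which SMTP hops were TLS-protected, at which version, and which of those header lines were written by servers one actually operates. The sample message, the host names and the minimum of TLS 1.2 are constructed assumptions for the demonstration, not values taken from the guideline.

```python
"""Audit the transport encryption of a delivered e-mail from its Received: headers.

Added example for the transport-level vs content-level distinction above. It is not
code from the LfDI NRW position or from BSI TR-03108; the message, the host names
and the TLS threshold below are constructed/assumed for the demonstration.
"""
import re
from email import message_from_string

# Postfix/Sendmail-style annotation written by the receiving MTA, e.g.
#   "(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))"
TLS_RE = re.compile(r"using\s+(SSLv[23]|TLSv1(?:\.[0-3])?)\s+with\s+cipher\s+(\S+)")
# "with ESMTPS" / "ESMTPSA" also signals a TLS-protected session; plain "ESMTP" is cleartext
PROTO_RE = re.compile(r"\bwith\s+(ESMTPSA?|ESMTP|SMTPS?|LMTP)\b")
FROM_BY_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)

# Ranking used to decide "below the minimum". TLS 1.2 as the floor is this script's
# assumption; consult the current BSI guideline for the versions it actually permits.
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.0": 2,
                "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
MINIMUM = "TLSv1.2"

# Constructed sample: three hops, the first one an internal cleartext relay.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by imap.example.net (Postfix) with ESMTPS id 4ABC123; Mon, 3 Dec 2018 10:00:03 +0100
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.example.net (Postfix) with ESMTPS id 4ABC122; Mon, 3 Dec 2018 10:00:02 +0100
Received: from app01.sender.example (localhost [127.0.0.1])
    by mail.sender.example (Postfix) with ESMTP id 4ABC121; Mon, 3 Dec 2018 10:00:01 +0100
From: billing@sender.example
To: patient@example.net
Subject: Invoice 2018-1234
Content-Type: text/plain

Hello
"""


def parse_received(value: str) -> dict:
    """Extract sending host, receiving host and TLS details from one Received: value."""
    text = " ".join(value.split())          # unfold header continuation lines
    m = FROM_BY_RE.match(text)
    hop = {"from": m.group(1) if m else "?", "by": m.group(2) if m else "?",
           "tls": None, "cipher": None}
    t = TLS_RE.search(text)
    if t:
        hop["tls"], hop["cipher"] = t.group(1), t.group(2)
    p = PROTO_RE.search(text)
    hop["encrypted"] = hop["tls"] is not None or bool(
        p and p.group(1).startswith(("ESMTPS", "SMTPS")))
    return hop


def transport_hops(raw_message: str) -> list:
    """Return the hops in transit order (oldest first)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Each MTA prepends its own Received: line, so the last header is the first hop.
    return [parse_received(v) for v in reversed(received)]


def weak_hops(hops: list, minimum: str = MINIMUM) -> list:
    """Hops that were cleartext or negotiated a TLS version below `minimum`."""
    floor = VERSION_RANK[minimum]
    findings = []
    for h in hops:
        if not h["encrypted"]:
            findings.append(f'{h["from"]} -> {h["by"]}: cleartext')
        elif h["tls"] is not None and VERSION_RANK.get(h["tls"], -1) < floor:
            findings.append(f'{h["from"]} -> {h["by"]}: {h["tls"]} below {minimum}')
    return findings


def untrusted_hops(hops: list, own_domain: str) -> list:
    """Hops whose Received: line was not written by one of our own servers.

    Only the receiving MTA writes a Received: line, so lines attributed to servers
    we do not operate could have been forged upstream and prove nothing.
    """
    own = own_domain.lower()
    return [f'{h["from"]} -> {h["by"]}' for h in hops
            if not (h["by"].lower() == own or h["by"].lower().endswith("." + own))]


if __name__ == "__main__":
    hops = transport_hops(SAMPLE_MESSAGE)
    for h in hops:
        print(f'{h["from"]:>28} -> {h["by"]:<20} {h["tls"] or "cleartext"} {h["cipher"] or ""}')
    print("weak:", weak_hops(hops))
    print("unverifiable (not written by example.net):", untrusted_hops(hops, "example.net"))
```

For the sample, the internal loopback hop is reported as cleartext and, because it was logged by the sender's server rather than one of ours, also as unverifiable. That is the practical limit of auditing transport encryption after the fact: a recipient can only vouch for the hops its own servers wrote, and the sender's internal relays are outside its view. Whether a cleartext loopback hop matters is a question for the risk assessment under Art. 32 GDPR, not something the script can decide.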
If "particularly sensitive data" are to be transmitted by e-mail, the LfDI NRW understandably demands higher requirements. The authority understands this data as "account transaction data, financing data, health status data, client data from lawyers and tax consultants, employee data". In this case, transport encryption alone may not be sufficient. The authority apparently also refers here to the "special categories of personal data" mentioned in Art. 9 para 1 GDPR.
Finally, it should be pointed out that the LfDI NRW is of the opinion that the subject line of the e-mail should not contain any personal data.
Using TLS with SMTP is pretty much table stakes, but I don't think that control-wise it's all you need to do; if it's got personal data in it you could argue that content should be encrypted - wondering about OpenPGP or S/MIME being state of the art... but layered encryption of the message body, the datastore and the transport together makes sense from a defence-in-depth standpoint.
@QuisUtDeus yeah, Amex once sent me my PAN, expiry date and name in an email to confirm it was the right one - I gleefully used it as an ice breaker in talks for about a year...