E Mail handling as a Personal Data Process: Does DPDPA apply?

Every organization handles Corporate E Mail process. Just as having a website is one of the Digitization steps taken by all companies, having a corporate e-mail system is another early step in the process of digitization of business.

I would like to raise some issues on the application of DPDPA compliance related to handling of the E Mail system by a company for the industry professionals to debate.

For handling the email requirements, an organization sets up an e-mail server often in the domain name which is also used for its corporate website. For example abc.in is the domain name of the company and @abc.in is the email IDs used by the company.

The @abc.in emails are allocated to the employees such as vijay@abc.in. It is also allocated to certain positions in the company such as dpo@abc.in.

Outward emails are sent by different designations such a hr@abc.in or purchase@abc.in or marketing@abc.in, service@abc.in or support@abc.in etc.

Outsiders send e-mails to these email addresses and also to employees such as vijay@abc.in. E Mails to vijay@abc.in may be personal or business related. It may also contain a CV requesting for job. This could result in accumulation of unstructured personal data in the company’s assets.

Many companies are using and will continue to use “E-Mail Marketing” as a part of its corporate strategy where they will send out e-mails to their prospective customers.

In such cases different compliance issues may arise.

If a Company has to be compliant with DPDPA 2023, it has to therefore develop a policy for handling the e-mail identity of the employees.

We may recall the case of Cavauto S.R.L where the regulator fined the company for accessing the email customercare@cavouto.com in the PC of the Company allocated to the employee under the premise that there was no proper notice to the employees that their personal emails could be accessed even in the company asset and business email.

Can such a situation arise in India under DPDPA 2023?

If so, what compliance measures could mitigate this risk?

Let’s debate. Send your views …to naavi ..or comment below..

Ujvala/FDPPI ‘s service “E Mail DTS” is designed to evaluate the risk mitigation efforts towards meeting the challenge of Personal Data Processing in the E Mail management process.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.