Whereas a few years ago a fax was still considered a relatively secure method for transmitting even sensitive personal data, this situation has changed fundamentally.
The core of the problem is “the other side”: Senders can never be sure what technology is being used on the receiving end.
The traditional fax machine has meanwhile been superseded. A few may still exist, but most receiving devices today are photocopiers with a fax function or fax servers. These convert incoming faxes into e-mails and forward them to e-mail inboxes.
But the “fax machine” could also be a fax service, such as a cloud fax service: a virtual fax server that also converts incoming faxes into e-mails and forwards them. Whether and, if so, how the e-mails are encrypted in the process cannot be determined by the sending office. Nor can the sender technically “force” encryption. Nor can the sender determine whether the cloud services used are “European clouds” operated in compliance with the GDPR.
Due to these imponderables, a fax has the same level of security with regard to the protection goal of confidentiality as an unencrypted e-mail, which is rightly regarded as the digital equivalent of a postcard that can be openly viewed.
Fax services generally do not contain any security measures to ensure the confidentiality of the data. They are therefore generally not suitable for the transmission of personal data. The Bremen administration expects to have replaced all fax machines with more secure technologies by the end of 2022. Until then, its employees are required to refrain from using fax technology for the transmission of personal data.
For the transmission of special categories of personal data pursuant to Article 9, para. 1 of the GDPR, the use of fax services does not appear to be permitted.
ARNECKE SIBETH DABELSTEIN is happy to assist in finding the right way to cope with this issue that has recently been taken up in Bremen. To find out more, contact our expert Thomas Hertl.