Privacy policy when providing email as a service

I’m providing MIAB as a email service to customers. I have been asked for a privacy policy.

Does anyone have any good resources for this? I’m used to writing policies for websites and SaaS applications where the content required by the site/app is well known, but in the case of a mail server, potentially I have full access to the user’s email - which could contain anything

Of course I have no interest in their email, but how can I put this in a policy, and what if some authorities come knocking?

Your privacy policy can be in written form, or you can modify (fork) MIAB on GitHub and add your Privacy Policy.

Thanks for taking the time to respond, but its not at all relevant to the question.

Sorry: Is a good legal resource if you are in the US.

Do not be overawed by the GDPR Read the official EU site It is very straightforward what you are responsible for and what you are NOT. It is really common sense and things you should already be doing.

Firstly you are only responsible for the PI that you collect, especially anything you ask for. Names, ages, address etc of your clients. All PI collected must be justified. All PI should be stored securely. All owners of the PI have the right to ask to be forgotten, correct/delete their PI (there are exceptions, but you better have a good reason). All breaches in security must be notified. You must designate a Data Controller (contact person), in theory the EU could contact to ask for processes for above.

You are not liable for the content of your users emails. But beware local country laws may override this.

As usual a lot of lawyers will be making big bucks from all the nonsense. I’ve already had several companies attempting to scam $$$Mega just for offering to review site policies.

KISS - no visitor is going to spend more than a few seconds reading your Privacy Policy, too much legal gibberish - especially in-yer-face as they arrive at the site will drive visitors away.

and, remember that the IP address is as good as a street address and you will collect those in your logs. But how else does the internet work? Which just goes to show yet again what a dumb piece of legislation this is (typical for the EU)

and, if you are outside the EU what do you feel about a bunch of bureaucrats dictating laws of global impact on your country. I thought the US won it’s independence in 1776 !

Thanks but this generic advice misses what I was looking for as a data PROCESSOR I have access to the data the customer is the controller for. As the data processor, the client wants to know how the data that is in my care will be looked after.

For instance, to comply with the regulations, the data must be accurate. It’s no good if the Processor allows anyone to tamper with the data. As the processor, I’m not responsible for the collection of PI data but I am responsible for its safe keeping, that it remains accurate and that it is deleted correctly when the time is right.

I need to have a contract between my business and the data controller that explains what is expected.

  1. Safe keeping. Is this not rather obvious? Encryption, backup, recovery, deletion, access procedures. How, who, when, where.
  2. Accuracy. This is not your responsibility. The GDPR is pretty clear that the accuracy is from the owner of the PI. They have access to it and can request correction and even deletion. You have the responsibility to provide that process, have good reason to refuse or request proof and must maintain the accuracy. So if others have access to that data and the ability to change it then there must be some process control, record and reversal.

It is all about more documentation and having controlled processes! Keeping records of what, when and who
does anything. Remember where this GDPR has been brewed up. Most of the things that are in it should really already be in place as good practice.

I agree on all points. Its putting that into a privacy statement that my customer can understand and can decide that their own responsibilities as data controller are being dealt with correctly.

As the mail data appears to be just laid out in plain text I cannot claim that I have no access to the plain text emails that they recieve and store in MIAB.

Contact a lawyer for a proper answer.