Is Sending Files by Email GDPR Compliant in the EU?
Published on April 22, 2026
Sending files by email is not automatically GDPR non-compliant, but for documents containing sensitive personal data it is very difficult to meet GDPR's Article 32 security requirements using email alone. Email attachments lack access controls, cannot be revoked after delivery, provide no audit trail of who opened the file, and in many configurations transmit data through servers outside the EU. For low-risk, non-personal documents, email is generally acceptable. For anything containing personal data, a more controlled sharing method is required.
What GDPR Says About Sending Documents
GDPR does not ban email as a sharing mechanism. However, Article 32 requires organisations to implement technical and organisational measures appropriate to the risk of the data being processed. For documents containing personal data, those measures must address:
- Confidentiality — preventing unauthorised access
- Integrity — ensuring data is not altered in transit
- Availability — being able to restore access if lost
- Resilience — maintaining security under adverse conditions
Standard email — unencrypted SMTP delivery with no access controls — fails several of these requirements when applied to sensitive personal data.
The Specific Problems With Email Attachments
No access control after delivery
Once a file is delivered to a recipient's inbox, you have no way to prevent them from opening it, forwarding it or retaining it indefinitely. If that recipient later leaves the organisation or their account is compromised, your document is exposed.
No audit trail
GDPR's accountability principle requires you to demonstrate compliance. Email provides no log of who opened an attachment, when or how many times. You cannot answer a regulator's question about who had access to a sensitive document if you sent it as an email attachment.
No revocation
If you discover that a document was sent to the wrong person, you cannot recall an email attachment. The document is permanently in that person's possession.
Routing through third-party servers
Email frequently routes through servers outside the EU — including US-based Microsoft Exchange, Google Workspace or Yahoo infrastructure. Without specific configuration, this constitutes an uncontrolled international data transfer under GDPR Chapter V.
No encryption at rest on the recipient's device
Even if email is encrypted in transit, the attachment is typically stored unencrypted in the recipient's email client and on their device storage.
When Email Attachments May Be Acceptable Under GDPR
Email attachments can be used compliantly in lower-risk scenarios:
- Non-personal documents — marketing materials, product brochures, publicly available information
- Encrypted attachments — files encrypted with AES-256 where only the intended recipient holds the decryption key, and that key is sent through a separate channel from the email itself
- Within a fully managed EU corporate environment — where both sender and recipient use an EU-hosted managed email system with data loss prevention controls
- With documented lawful basis and minimisation — where the data shared is genuinely necessary and the sharing is documented
For most SMEs and professional services firms, achieving all of these conditions simultaneously for every outbound document is not practical. This is why purpose-built secure document sharing platforms exist.
The Compliant Alternative: Secure Document Links
Instead of attaching a file to an email, share a secure link that:
- Requires the recipient to authenticate before accessing the document
- Keeps the file on your controlled, EU-hosted server rather than delivering it to the recipient's device
- Records every access event in a full audit log
- Allows you to revoke access at any time
- Applies AES-256 encryption at rest to the document
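To make the controls in the list above concrete, here is an added, self-contained Python model of a secure-link service: per-recipient links, recipient authentication, an audit log that records every access attempt (including denied ones) and revocation. It is example code written for this page, not SendNow's implementation; the class, method and field names are hypothetical, the recipient addresses and document IDs are constructed sample values, and encryption at rest is left out of the model (in a real service it would be supplied by an AEAD such as AES-256-GCM from a vetted library).

```python
"""Model of secure-link controls (hypothetical example, not SendNow's code).

Demonstrates: per-recipient link tokens, recipient authentication, a full
audit log of every access event, and revocation. Encryption at rest is
out of scope here; a real service would add AES-256-GCM via a vetted library.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Share:
    share_id: str
    doc_id: str
    recipient: str       # identity the recipient must authenticate as
    token_hash: str      # only the SHA-256 of the link token is stored
    expires_at: int      # unix seconds; links should not live forever
    revoked: bool = False


class SecureLinkService:
    """In-memory stand-in for the server that keeps the file and the log."""

    def __init__(self) -> None:
        self.shares: dict[str, Share] = {}
        self.log: list[dict] = []

    def _record(self, now: int, share_id: str, who: str, outcome: str) -> None:
        # Every event is logged, not just successful opens, so a regulator's
        # "who had access to this document?" can be answered from the log.
        self.log.append({"at": now, "share_id": share_id, "who": who, "outcome": outcome})

    def create_share(self, doc_id: str, recipient: str, ttl_seconds: int, now: int):
        """Issue one link for one recipient; returns (share_id, token) for the link."""
        token = secrets.token_urlsafe(32)          # high-entropy, unguessable
        share_id = secrets.token_hex(8)
        self.shares[share_id] = Share(
            share_id, doc_id, recipient,
            hashlib.sha256(token.encode()).hexdigest(), now + ttl_seconds,
        )
        self._record(now, share_id, recipient, "share_created")
        return share_id, token

    def access(self, share_id: str, token: str, authenticated_as: str, now: int):
        """Return the document ID if access is allowed, else None. Always logs."""
        share = self.shares.get(share_id)
        if share is None:
            self._record(now, share_id, authenticated_as, "denied_unknown_share")
            return None
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, share.token_hash):  # constant-time
            outcome = "denied_bad_token"
        elif authenticated_as != share.recipient:   # link alone is not enough
            outcome = "denied_wrong_recipient"
        elif share.revoked:
            outcome = "denied_revoked"
        elif now > share.expires_at:
            outcome = "denied_expired"
        else:
            outcome = "opened"
        self._record(now, share_id, authenticated_as, outcome)
        return share.doc_id if outcome == "opened" else None

    def revoke(self, share_id: str, now: int) -> None:
        """Withdraw access at any time; the file never left the server."""
        share = self.shares[share_id]
        share.revoked = True
        self._record(now, share_id, share.recipient, "revoked")

    def access_history(self, share_id: str) -> list[dict]:
        """The audit trail for one share, in chronological order."""
        return [e for e in self.log if e["share_id"] == share_id]


if __name__ == "__main__":
    svc = SecureLinkService()
    sid, tok = svc.create_share("contract-42", "alice@example.invalid", 3600, now=1000)
    print(svc.access(sid, tok, "alice@example.invalid", now=1001))   # opened
    print(svc.access(sid, tok, "bob@example.invalid", now=1002))     # forwarded link fails
    svc.revoke(sid, now=1003)
    print(svc.access(sid, tok, "alice@example.invalid", now=1004))   # revoked
    for event in svc.access_history(sid):
        print(event)
```

The design choices map onto the bullet points: storing only a hash of the token means a leaked database does not leak working links, comparing with `hmac.compare_digest` avoids timing side channels, requiring the authenticated identity to match the share's recipient defeats a forwarded link, and logging denied attempts as well as successful opens is what turns the log into an audit trail rather than a download counter.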
SendNow operates exclusively on EU-based infrastructure and provides all of these controls. You send the link via email — which is fine — whilst maintaining full GDPR-compliant control over the document itself.
Related reading: GDPR and Document Sharing: Complete Guide | Best GDPR-Compliant File Sharing Tools for European Businesses (2026)
Email Attachment Risk Assessment by Document Type
| Document Type | Personal Data Risk | Suitable for Email Attachment? |
|---|---|---|
| Marketing brochure | None | Yes |
| Product specification | None | Yes |
| Contract with named parties | High | No — use secure link |
| Employee records | Very high | No — use secure link |
| Financial model with staff costs | High | No — use secure link |
| Invoice with client name | Medium | Encrypt or use secure link |
| Cap table | Very high | No — use secure link |
| Healthcare or legal report | Very high | No — use secure link |
How to Assess Your Current Email Sharing Practices
Review the types of documents your organisation regularly sends by email and ask:
- Does the document contain names, email addresses, financial data or any other information that can identify a living person?
- Does your email system encrypt data in transit and at rest throughout the full delivery chain?
- Can you produce a log of who received and opened the document?
- Can you revoke access if the document was sent incorrectly?
- Are all servers in the delivery chain located within the EU/EEA?
If you answer "no" to any of these questions for a document type containing personal data, transition that category to a secure link-based sharing method immediately.
Related reading: Build a GDPR Document Sharing Policy
Frequently Asked Questions
Is it illegal to send personal data by email in the EU?
It is not automatically illegal, but it may violate GDPR Article 32 if the data is sensitive and appropriate security measures are not in place. Supervisory authorities have issued fines specifically for using insecure email to transmit personal data.
Does encrypting an email attachment make it GDPR compliant?
Encryption significantly improves security, but you still lack an audit trail, revocation capability and control over retention after delivery. Encryption is necessary but not sufficient for high-risk documents.
What personal data is most commonly found in business documents?
Names and contact details in contracts, financial information in invoices and reports, employee data in HR documents, and identity details in legal correspondence.
Can I use Gmail or Outlook to send GDPR-compliant documents?
Consumer versions of Gmail and Outlook store data on US-based servers and provide limited audit logging. Business versions with EU data residency enabled are more compliant for lower-risk documents, but they do not provide the access controls needed for highly sensitive personal data.
How do I tell recipients to expect a secure link instead of an attachment?
A brief note works well: "I have shared this document via a secure link rather than an attachment to ensure GDPR compliance. Click the link to access it securely." Most professional recipients appreciate the transparency.
Does GDPR apply if I send a document to another EU business?
Yes. GDPR applies to you as the data controller regardless of whether the recipient is also EU-based. You are responsible for ensuring the transfer is lawful and secure.
What fine has the ICO or other EU regulators imposed for insecure email sharing?
The UK ICO and EU data protection authorities have issued fines and reprimands for insecure email transmission of sensitive personal data including healthcare records, legal documents and financial information. Amounts vary based on the scale of the breach and the organisation's turnover.
What is the safest way to share a sensitive document with an external party?
Use a secure document-sharing platform that provides per-recipient links, AES-256 encryption, EU data residency, a full audit trail and the ability to revoke access. SendNow provides all of these features at sendnow.live.