Author: Sebastian Nielsen Date: To: 'Cyborg via Exim-users' Subject: Re: [exim]
for europeans only: EU GDPR and mitigation of CVE-2019-15846
You just said it about contact form. A bigger corp yes, which may handle like 50-100 emails a day. They handle lots of personal details. Thus they need to protect their contact forms. A sole proprietor who propably get 1-2 business email per week doesn't need to.
A bigger corp is expected to protect data, even harmless data, and also cough up for a real certificate if letsencrypt says domain is no-issue due to policy, more than a smaller 1-person company.
Do you know how many sole proprietors in sweden who use gmail/hotmail - and also unencrypted contact form (because the webhotel charges extra money for SSL) for their business communication? Almost everyone does. And gmail/hotmail doen't disable cleartext.
And the data protection government entity here in sweden says its explicitly allowed to use cleartext for harmless details. Harmless details is explicitly full name, email and IP adress only. Nothing else.
Its all boils down to what personal details you process, and whats expected. If you operate a concrete mixing firm, you don't expect to get some medical details in the email. If someone sends it anyways, it isn't a GDPR violation, provided you immidiately delete the information. Thus you don't need to prepare for that. But you would expect to get emails from customers who want concrete mixed, thus you need to protect personal details about that.
But if you operate a healthcare facility, you must of course protect your email system because there its actually expected that someone mails in a question about their disease and include full personal details, even when told not to do so.
