Why does this matter?
Forwarding emails containing employee data between departments, without first limiting the scope to only what is necessary for the recipient, can lead to serious breaches of the “need-to-know” principle. Personal identifiers like national ID numbers (e.g., PESEL in Poland), contact details, or employment information should only be shared with employees who genuinely need them to perform specific tasks. For example, if the administration department sends the IT department a full list of employees with national ID numbers to set up technical accounts — even though only names and surnames are needed — this amounts to unauthorized disclosure of personal data. Such practices increase the risk of unauthorized access, make it harder to control who processes what information, and may result in employee complaints or the need to report a data breach to the supervisory authority.
What are the main risks?
-
Unauthorized access to employee personal data
The email recipient sees information that is not needed for their work — for example, salary details, absences, performance evaluations, or health information.
-
Loss of control over further data processing
You forward a message — but then what? You no longer control who else might see the forwarded information.
-
Increased risk of data protection breaches
The more people know employee data, the higher the chance of a breach, such as accidental disclosure to external parties.
How to forward employee data in compliance with the GDPR?
-
Think carefully: does the recipient truly need all this data?
If they only need specific information (e.g., that a system permission needs to be changed), don’t forward the entire HR conversation.
-
Limit the list of recipients
Send the email only to those who genuinely need the data. Avoid copying broad groups unless it is absolutely necessary.
-
Remove unnecessary data before forwarding
Before forwarding, delete parts of the conversation or attachments containing sensitive employee information.
-
Take responsibility
Just because someone asks you to forward something doesn’t automatically mean they have the right to see personal data. You are responsible for assessing what can and cannot be shared.
Summary
Forwarding emails with employee data is not just a matter of convenience or speed — it’s a matter of responsibility. To avoid unnecessary risks, always follow the principle of data minimization: limit the scope of shared information and carefully control who receives it.
If you have questions or need help implementing practical rules for internal data sharing, contact us — we can help you develop effective procedures.