When does forwarding emails between departments violate the GDPR (using employee data as an example)?

Email exchanges between departments are part of everyday operations — especially when it comes to HR matters, salaries, absences, or performance evaluations. But do we always stop to consider whether the recipients truly need to see all the data included? The principle of data minimization is clear: we process only the information necessary to achieve a specific purpose. Forwarding emails “just in case” or “for the full picture” often breaks this rule and creates a risk of violating the GDPR.

Why does this matter?

Forwarding emails containing employee data between departments, without first limiting the scope to only what is necessary for the recipient, can lead to serious breaches of the “need-to-know” principle. Personal identifiers like national ID numbers (e.g., PESEL in Poland), contact details, or employment information should only be shared with employees who genuinely need them to perform specific tasks. For example, if the administration department sends the IT department a full list of employees with national ID numbers to set up technical accounts — even though only names and surnames are needed — this amounts to unauthorized disclosure of personal data. Such practices increase the risk of unauthorized access, make it harder to control who processes what information, and may result in employee complaints or the need to report a data breach to the supervisory authority.

What are the main risks?

  • Unauthorized access to employee personal data

The email recipient sees information that is not needed for their work — for example, salary details, absences, performance evaluations, or health information.

  • Loss of control over further data processing

You forward a message — but then what? You no longer control who else might see the forwarded information.

  • Increased risk of data protection breaches

The more people who have access to employee data, the higher the chance of a breach, such as accidental disclosure to external parties.

How to forward employee data in compliance with the GDPR?

  • Think carefully: does the recipient truly need all this data?

If they only need specific information (e.g., that a system permission needs to be changed), don’t forward the entire HR conversation.

  • Limit the list of recipients

Send the email only to those who genuinely need the data. Avoid copying broad groups unless it is absolutely necessary.

  • Remove unnecessary data before forwarding

Before forwarding, delete parts of the conversation or attachments containing sensitive employee information.

  • Take responsibility

Just because someone asks you to forward something doesn’t automatically mean they have the right to see personal data. You are responsible for assessing what can and cannot be shared.
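The "remove unnecessary data before forwarding" step can be backed by an automated check. The following is an added example, not part of the original article: it scans an outgoing message (quoted thread included) for Polish PESEL numbers using the public check-digit algorithm, and reports only a masked form of any hit so the finding itself does not leak the identifier. The sample message and the helper names are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Weights of the PESEL check digit (public algorithm for the Polish national ID number).
_PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
# Any run of exactly 11 digits is a candidate; the checksum and date part filter out other numbers.
_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")

def is_valid_pesel(value: str) -> bool:
    """True if value is 11 digits with a correct check digit and a plausible encoded birth date."""
    if len(value) != 11 or not value.isdigit():
        return False
    digits = [int(c) for c in value]
    total = sum(d * w for d, w in zip(digits[:10], _PESEL_WEIGHTS))
    if (10 - total % 10) % 10 != digits[10]:
        return False
    month, day = int(value[2:4]), int(value[4:6])
    # The month field also encodes the century: 01-12 (1900s), 21-32 (2000s), 41-52, 61-72, 81-92 (1800s).
    return 1 <= day <= 31 and 1 <= month % 20 <= 12

@dataclass
class Finding:
    line_no: int
    masked: str  # only the last three digits are kept in the report

def scan_for_pesel(message: str) -> list[Finding]:
    """Scan a message body line by line and return masked findings for every valid PESEL."""
    findings: list[Finding] = []
    for line_no, line in enumerate(message.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            if is_valid_pesel(m.group()):
                findings.append(Finding(line_no, "********" + m.group()[-3:]))
    return findings

def should_block_forward(message: str) -> bool:
    """Hypothetical policy hook: refuse to forward while the thread still carries a national ID."""
    return bool(scan_for_pesel(message))

# Constructed sample: a forward to IT that still contains the quoted HR thread.
# The PESEL value is the widely used documentation example, not a real person's number.
SAMPLE_FORWARD = """\
Hi IT, please create accounts for the people below.
> From: HR
> Jan Kowalski, PESEL 44051401359, contract starts Monday
> Reference number 12345678901 (not an ID, checksum fails)
"""

if __name__ == "__main__":
    for f in scan_for_pesel(SAMPLE_FORWARD):
        print(f"line {f.line_no}: PESEL {f.masked} present, strip before forwarding")
```

The same scan can be run on attachments once they are converted to text; the masked output is what should land in a log or a user-facing warning, never the full identifier.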

Summary

Forwarding emails with employee data is not just a matter of convenience or speed — it’s a matter of responsibility. To avoid unnecessary risks, always follow the principle of data minimization: limit the scope of shared information and carefully control who receives it.

If you have questions or need help implementing practical rules for internal data sharing, contact us — we can help you develop effective procedures.
