If people can send emails from my server should I keep a record?



I’ve been asked to create a website to allow people to email from our server to a specific consultation response. In the past when I’ve done this I’ve stored people’s responses along with their IP address, as they can edit the email being sent, and although it looks like it came from whatever email address they put in, obviously it could be traced back to our server.

My question is: do I have a duty of care to store these details in case someone abuses the systems and sends abusive/threatening emails, for example? Is there a legal responsibility or can I just say it’s not up to us to police what is sent?

At the moment I’m being told not to bother, as if we don’t know what is sent we aren’t responsible for it. But this seems wrong to me.

Anybody know the legalities of this (UK)?



I should think this is covered by GDPR.


How so? Do you mean you think it’s likely I should store details or that I shouldn’t?

My understanding of GDPR is that you should only really store data that you have to store, either to achieve something a user has requested, e.g. a shopping order requires an address, or where there is a legal responsibility, e.g. an adult-only forum can ask for age as a required field.

I’m not sure if I ‘have’ to store any email content that has been sent from our server. My thinking is that I should, as I have a responsibility to ensure the recipient’s email that I have hard coded into my site is not being abused. But I’m not sure if that translates to an actual law or just a moral responsibility?


No, GDPR is about processing/storing personal details. That includes email addresses. Before you store someone’s personal information, you need to have explained to them what it will be used for, how long it will be kept and how and where it will be stored. And they have to explicitly agree to their data being used in that way.

So, if you decide to store the emails you must explain that, and obtain their permission first.