https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jul/klage-over-manglende-kryptering/
The Data Inspectorate has in this regard emphasized that Lowell Danmark A / S stated that a risk assessment has been carried out, in which the concrete procedure is deemed to be appropriate assurance that opportunistic TLS was used when transmitting the relevant emails 1.2 encryption based on AES256, that X’s e-mail client supported this encryption form and that the 2 e-mails sent were encrypted on the transport layer.
The Data Inspectorate notes that the supervision in general – when processing e-mail with sensitive and / or confidential information – encourages the data controller to set up his mail server in order to enforce TLS (Forced TLS), as a minimum in version 1.2. However, it is the opinion of the Authority – not in itself – to use an opportunistic TLS, contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such setup constitutes an appropriate safeguard.
However, it is the opinion of the Authority – not in itself – to use an opportunistic TLS, contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such setup constitutes an appropriate safeguard.
In the specific case, the Data Inspectorate has not found evidence that could override the risk assessment made by Lowell Danmark A / S in relation to the use of encryption form. However, in the specific case, the Data Inspectorate must emphasize that a risk assessment cannot be based on what the data subject itself may have authorized, since such acceptance cannot be equated with what level of security is appropriate.