Is ProtonMail GDPR compliant?

As a privacy and encryption company, ProtonMail has complied with the GDPR from the start. This article explains how ProtonMail complies and how using our services can contribute to your organization’s security and privacy strategy. For legal advice, it is important to consult with your attorney.

About the GDPR

The General Data Protection Regulation (GDPR) is a European Union privacy law effective May 25, 2018. Any organization that collects, stores, or uses the personal data of EU citizens or residents must comply with the GDPR. Penalties for violations can be as high as 4% of global revenue or €20 million, whichever is higher. Learn more about how ProtonMail complies with the GDPR. You can also read our GDPR overview on GDPR.eu, a resource website operated by ProtonMail and supported in part by the Horizon 2020 Framework Programme of the European Union.

ProtonMail encryption satisfies data protection requirements

The GDPR requires organizations to implement technical measures to protect the personal data in their possession, such as pseudonymization, anonymization, or encryption. The objective of these techniques is to reduce the potential for harm if personal data were to be breached.

ProtonMail uses end-to-end encryption and zero-access encryption to protect emails at all times. We cannot access users’ encrypted emails because we do not have access to users’ private encryption keys or passwords. These security measures guarantee that messages cannot be read, even if our servers were somehow breached.

If your organization shares or may share personal data via email, then using ProtonMail will ensure your email practices are compliant with the GDPR.

ProtonMail Data Processing Agreement

For organizations using ProtonMail, we provide a Data Processing Agreement, which the GDPR requires for organizations that use third-party services. This agreement establishes the rights and obligations of both parties under the law. You can download our Data Processing Agreement.

ProtonMail Professional is flexible and affordable

We offer ProtonMail Professional, an easy-to-use enterprise solution, for organizations with multiple users under their own domain. This means you can benefit from end-to-end encryption while still keeping your existing business email address. Learn more about ProtonMail for businesses.

If you have specific questions about our service or the GDPR, send us an email.

Further resources:
Full text of the GDPR
GDPR checklist