Send appointment invitations DSGVO-compliant

Björn Holeschak, Leiter Datenschutz EIKONA Systems GmbH
Employee sends an appointment invitation via his laptop, which is GDPR-compliant

Who hasn't experienced it in their everyday working life: I have to arrange ONE appointment with various external participants. The quickest way to do this is to send a few appointment proposals in an email to all potential participants. The appointment with the most responses is chosen, but how do I send the invitation email? Do the participants have to be sent to the BCC or is the CC sufficient?


What should be paid attention to?

In principle, in the case of an invitation to an appointment sent by e-mail, there is no need for each participant to be in CC and thus for the partly name-related e-mail addresses of the participants to be mutually disclosed. Even if all participants in this meeting are probably involved in a joint project, this does not absolve us from complying with data protection.

Of course, it is also possible that some of the participants already know each other, but this is often not known with certainty. Moreover, it is not always clear whether, for example, Mr. Huber from company A does not want his name-related e-mail address to be known to Mr. Meyer from company B. Perhaps Mr Meyer should only communicate with the scheduling department of company A.

How can I send an invitation to an appointment by e-mail without unnecessarily disclosing personal data of the participants? There is a "milder means" of data processing here, namely the BCC and not CC. The DSGVO says that if you process data, then do so in a protected and data-minimised manner and only with the data that is necessary for the purpose.

There is nothing wrong with asking the participants at the first meeting (e.g. a kick-off) if they agree to open email communication. If, for example, you send appointment invitations via Outlook, there is no other way to do this. But you cannot take this consent for granted. Please remember that the name-related e-mail address is a "one-to-one personal data". A particular e-mail address exists only once in this world.


Data protection legal basis

Of course, you can communicate with project stakeholders via e-mail and Outlook appointment invitations and can also use this in the CC (for e-mail) or "required/optional" (for calendar invitations). In terms of data protection law, this can be interpreted to mean that the "protection interest" of the persons involved takes a back seat to the common economic interest of "generating turnover" and that it is therefore in the interest of ALL participants to take part in open communication, both in terms of process organisation and business management. However, just because other companies do it this way does not mean that it is handled properly in terms of data protection. Without consent to open communication, they are committing a data protection violation that only "works" until one of the actors complains about it.


Björn Holeschak
Björn Holeschak
Team Lead, Data Protection

Drawing on his profound data protection expertise, he tackles data protection challenges with renewed vigor every single day. He understands the dangers and stumbling blocks in intimate detail and gives customers practical advice.


Add a comment

What is the sum of 9 and 7?