Whereas a few years ago a fax was still considered a relatively secure method for transmitting even sensitive personal data, this situation has changed fundamentally.
One question in particular has come into sharp focus as a result of the changes in communication channels in the wake of the coronavirus pandemic:
May personal data be transmitted by fax?
Opinion of the Data Protection Commissioner for Bremen in May 2021:
At the heart of the problem is "the far end" of the fax machine: Senders can never be sure what technology is being used on the receiving end.
The classic fax machine has largely been superseded. Some may still exist in isolated cases, but mostly the receiving device is a photocopier with a fax function or a fax server, which converts incoming faxes into e-mails and forwards them to e-mail inboxes. The "fax machine" could also be a fax service, such as a cloud fax service: a virtual fax server that likewise converts incoming faxes into e-mails and forwards them. Whether and, if so, how the e-mails are encrypted in the process cannot be determined by the sending office. The use of encryption cannot be technically "enforced" by the sender.
Nor can the sending side determine whether the cloud services used in the process are GDPR-compliant, or whether the clouds are operated in a "European" manner.
Because of these imponderables, a fax offers the same level of security with regard to the protection goal of confidentiality as an unencrypted e-mail, which is rightly regarded as the digital equivalent of an openly readable postcard. No more than that. Fax services generally contain no security measures to ensure the confidentiality of the data. They are therefore generally not suitable for the transmission of personal data. The Bremen administration expects to have replaced all fax machines with more secure technologies by the end of 2022. Until then, its employees are required to stop using fax technology for the transmission of personal data (compare point 3 of the 3rd Annual Report under the European Data Protection Regulation, reporting year 2020 - pdf, 923.7 KB).
For the transmission of special categories of personal data pursuant to Article 9, paragraph 1 of the General Data Protection Regulation, the use of fax services is not permitted.
Therefore, alternative, secure and thus suitable methods, such as end-to-end encrypted e-mails or - in case of doubt - conventional mail, must be used to send personal data.
What does this mean in practice?
Other federal states have not yet commented in writing; some, however, have already confirmed the assessment, at least in part, verbally.
If you send or receive faxes via the Internet, a fax is equivalent to an unencrypted e-mail in terms of data protection. Most fax services today have no security measures, so confidential data is transmitted relatively openly.
In Bremen, fax machines are banned in the public sector.
How should the data be transmitted alternatively?
Data protection experts now advise users to use alternative, secure and therefore suitable methods for sending personal data. Examples include e-mails with end-to-end encryption or - quite simply - conventional mail.