
Why Using Free Email Accounts for Your Business Is a GDPR Risk

If you’re running a business in the EU, using a free email account, like Gmail, Seznam, Centrum.cz, Hotmail, or their equivalents, as your main business contact may seem convenient. After all, they’re quick to set up and cost nothing. But when you use these services for business communication, especially with clients or partners in the EU, you’re exposing your business to more than just spam and lost credibility. You’re also likely violating the GDPR—and risking fines, legal trouble, and loss of client trust.

Let’s break down why this is a problem, and what you should do instead.

A Few Key Points from GDPR

  • When a client sends you personal data (name, address, email, phone number, a CV, etc.), you, as a business, are the controller of that data. You have very specific obligations when it comes to handling or processing the client's personal data.
  • Third parties you work with who will have access to that data are considered processors of your client's personal data. Note that such a processor processes the client's personal data on your behalf. There must be a contract or Data Processing Agreement (DPA) in place between you and the processor that defines the relationship: which personal data will be processed by the processor, for what purpose, how, and for how long the data will be kept. The security of that personal data is crucial, so having such a contract is crucial too.
  • Personal data can only be used for the purpose for which it was given in the first place. Even then, some cases require specific consent from the user to process this data.
  • You as controller need to let the user know how their personal data is going to be processed, stored and for what purpose.
  • There should be some form of logging, monitoring or auditing that shows who accessed the personal data and what processing activities took place.
  • Personal data should be either stored securely within the European Economic Area (EEA) or, if it's transferred outside the EEA, there need to be specific safeguards in place at the location where it's transferred to. You can't just store personal data from EU residents on a server in the US, for instance. You'll have to prove that you have all the needed safeguards in place.
  • The GDPR also gives the user/client certain rights when it comes to their personal data. They have the right to ask which personal data you are keeping, and for what purpose. They have the right to have that data corrected, or even deleted. Most importantly, they have the right to file a complaint with the Data Protection Authority (at EU level or in their own country).

Free Email Service Providers

Most free email services are meant for personal use, not for business. So they are usually missing most of the safeguards a business would need to protect personal data.

While these services are offered for free, their providers still need some way to make money to keep everything running. Advertising is one of the most common ways of doing this. Specifically targeted ads — ads that are only shown to people who fit a specific profile — can bring in a lot of money. To build a profile of you, these providers track your behaviour, your clicks and your searches, or even scan your emails to get an idea of your preferences, your purchases, and what you might be inclined to respond to. With this profile in place, it is easier to show you ads that target people with profiles like yours.

Now, imagine that a client or vendor sends their personal data to one of these free email accounts that you use for business communication. Without their knowledge, or even their permission, the provider now has access to their personal data and can use it to build a separate profile for that person by linking your email conversations. And you have no way of protecting your client from this, because the required safeguards are not in place.

The free email service providers make it clear that they are the data controllers for those free services. They decide for what purposes they will use data that goes through their services. If you don't agree with that, just don't use the services.

This is not a relationship where you are the controller and they are processors on your behalf, processing only what is agreed. No, they are the controller and you are the user. They are not responsible for protecting the data from others you communicate with through their services. They don't have an agreement with those people, they have one with you. One where you usually agree to their terms just by using their services. Remember, their position is "if you don't agree with our terms, just don't use our services."

And since they are the controllers, they decide where they will store your information. Even if it's stored in a country or region that lacks privacy protection laws, where your data can be sold, it doesn't matter, because "if you don't agree with our terms, just don't use our services." Since you are using their free email service, you did "agree".

But your clients haven't, so you are exposing their personal data to dangers without their knowledge or permission.

If your client would like to know what personal data of theirs you hold and for what purposes it's being used, or, worse, wants it erased, you will have a problem. Free email services don't usually provide mechanisms or tools to accommodate these requests for your client's data, mainly because they are built for personal use, and what you need here are business processes. Your client, your responsibility. Chances are that you won't be able to fully fulfil such a request, because you don't have complete insight into how the free email provider is using, storing and processing this data.

Which GDPR Articles Are You Violating?

Here’s a non-exhaustive list of GDPR articles you risk breaching by using a free email account for business:

  • Articles 5, 24, 32: Security of processing and responsibility of the data controller.
  • Article 28: Data Processing Agreements (DPA) with processors.
  • Articles 44–49: Transfers of data outside the EU/EEA.
  • Articles 12–23: Fulfilling data subject rights.
  • Articles 6, 7, 13, 14: Lawful basis, consent, and information duties.
  • Article 30: Record of processing activities.
  • Articles 33–34: Breach notification obligations.

Reference: The full text of the GDPR

This isn’t just a theoretical risk. Businesses have been fined for careless handling of email, and using a free account with no DPA or control over data location is a textbook example of non-compliance.

The Ticking Time Bomb

The chance of a random investigation into your business's GDPR compliance is small. Mind you: small, not non-existent! Starting one is the prerogative of the Data Protection Authority (at Union or national level). However, there are two scenarios where you might be in big trouble:

A specific complaint

Someone (e.g. a client, a vendor, a former employee) files a complaint with the DPA about anything related to data protection. Maybe you failed to respond in time to their access request.

This could trigger an investigation, which in turn could bring your use of a free email service to light, and that could have a significant impact on the outcome. This discovery could turn what might have been a simple "slap on the wrist" into a hefty fine, or at the very least become a major aggravating factor in the final penalty. In any case, even the legal process itself could have a significant impact on your business.

A Serious Data Breach

A serious data breach affects your business. It could happen inside your business or at an outside party where your data is involved.

Important to note here is that whenever your business suffers a data breach (e.g. a phishing attack, ransomware, or sending sensitive data to the wrong people), you are often legally required to report this to the authorities.

There will be an investigation, and the use of a free, non-compliant email service could essentially nullify any "good faith" argument you might have. It demonstrates a foundational lack of due diligence. Rather than "an unfortunate accident happening despite having proper safety equipment", the regulator could compare this to "an accident happening because there was no safety equipment in the first place". The second case will always result in a far more severe penalty.

What Should You Do Instead?

Simple: switch to a professional email service designed for business. This means:

  • Your own domain (e.g., yourname@yourcompany.cz)
  • Hosted by a provider that gives you a DPA
  • Data stored in the EU (or with clear legal safeguards)
  • Security features and controls you can manage
  • Real support, real accountability

Not only does this solve the GDPR headaches mentioned here, but it also makes your business look credible and trustworthy — something your clients will appreciate.

Need Help Making the Switch?

If you’re unsure where to start, or worried about migrating old messages, I can help. I specialise in setting up secure, professional business email for small businesses, handling the technical details so you don’t have to. Learn more about my business email setup service.

Don’t risk your business and your clients’ trust for the sake of convenience. Switch to a professional email service—and stay on the right side of the law.

A Quick Disclaimer

While I've put significant research into this article to ensure its accuracy, it's important to note that I am not a lawyer. The information provided here is for educational purposes only and should not be considered legal advice. Every business situation is unique, so I strongly encourage you to consult with a qualified legal professional to discuss your specific GDPR compliance needs.