GDPR Compliance

Password sharing and GDPR:
what your business needs to know

Sharing passwords by email is one of the most common, and riskiest, lapses in the security measures GDPR requires. Legal framework, fines, compliant method: all here.

Risks

Fines and notable incidents

€20M or 4%

Maximum fine under Article 83 GDPR for breaching the integrity and confidentiality principle (Article 5(1)(f)); a breach of the Article 32 security obligations alone carries up to €10M or 2%.

+12,000

Inspections by the French CNIL since GDPR took effect, increasingly focused on technical measures.

72h

Deadline to notify the supervisory authority of a personal data breach, counted from the moment you become aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals.

To avoid

Bad practices

  • Password sent in plain text in an email body
  • Password sent in an attached file (PDF, Excel)
  • Password shared in a public Slack channel
  • Password stored in a shared Google Doc
  • Password dictated by phone without secure context
  • Password on a post-it or notebook

Each constitutes a GDPR risk and can be flagged during an audit.

To adopt

The GDPR-compliant method

  • Use an end-to-end encryption service (zero-knowledge: the server never holds the key)
  • Prefer an EU-hosted publisher
  • Configure a short validity (24h max recommended)
  • Limit to one view when possible
  • Add a secondary password, sent over a different channel than the link
  • Keep an audit trail of the sending

Use Seecret.it

Compliance by design

Why Seecret.it is GDPR-compliant

France / EU hosting

Servers located in France, no transfers to the United States.

Zero-knowledge AES-256

Encryption happens on the client and the key is never sent to the server, so the server never sees plaintext content.

Auto-destruction

Immediate deletion after viewing, in line with the data minimisation (Article 5(1)(c)) and storage limitation (Article 5(1)(e)) principles.

No profiling

No advertising tracking, no data reselling.

Opening notification

Audit trail showing that the secret was sent and opened, evidence that you followed a defined procedure.

Sovereign hosting

French infrastructure, in line with European digital sovereignty requirements.

FAQ

Password sharing and GDPR

Is a password personal data under GDPR?

Yes, as soon as it is linked to an identifiable natural person (login, email). Passwords are not one of the Article 9 "special categories", but they warrant heightened protection because their compromise can give access to other personal data.

What fines apply?

Article 83 GDPR provides up to €20M or 4% of global annual turnover for breaching the integrity and confidentiality principle (Article 5(1)(f)), and up to €10M or 2% for breaching the Article 32 security obligations alone. Sanctions observed in 2024-2025 range between €5,000 and €250,000 depending on company size.

Is sending a password by email compliant if the connection uses TLS?

No. TLS only encrypts transport, and between mail servers it is usually opportunistic rather than enforced. Once the email arrives, the password sits in plain text in mailboxes, backups and intermediate servers, readable by anyone with access to them. Article 32 GDPR names encryption of personal data among the appropriate technical measures; end-to-end encryption is what meets that bar for a secret like a password.

Make your organization compliant today

Discover the Seecret.it Enterprise offer: team management, audit, French hosting.

Discover Enterprise