On August 29, 2023, the Danish data protection authority (Datatilsynet) published new guidance on the obligations of data controllers when the 'auto-complete' function is used in emails. In particular, the Datatilsynet explained that the guidance was informed by the increase in data breaches caused by users sending emails containing personal data to the wrong recipients due to the use of the 'auto-complete' function, which prefills the email addresses of recipients.

Notably, the Datatilsynet highlighted that under the new guidance data controllers who systematically use emails to send confidential and/or sensitive information must implement both technical and organizational measures to reduce the risk of sending errors as a result of the use of the 'auto-complete' function.

More specifically, the guidance suggests the following measures data controllers could implement:

• requiring that email addresses for external recipients be copied from a CRM system where they are already registered and confirmed;
• having a second person review emails containing personal data before sending;
• deleting stored email addresses that have not been used recently;
• applying a message delay function that allows emails to be deleted or edited after the send button is clicked;
• implementing technical measures that alert users when an email is about to be sent to an unauthorized recipient; and
• turning off the auto-complete function.

Data controllers have until March 1, 2024, to comply with the new guidance.

You can read the press release here and access the guidance here both only available in Danish.