1. Overview

The Fax2Mail and Mail2Fax services from peoplefone enable the sending and receiving of fax messages via email. Since personal data may be processed in this context, the question regularly arises whether a data processing agreement (DPA) pursuant to Article 28 GDPR is required for the use of these services.

This article summarizes the legal classification and provides a clear and consistent answer for customers, partners, and internal staff.

2. Does the GDPR apply to Fax2Mail / Mail2Fax?

Yes. Personal data can be processed during fax transmission. Therefore, the GDPR is generally relevant.

HOWEVER: peoplefone is a telecommunications provider and is also subject to special legal requirements:

• Telecommunications Act (TKG)

• Telecommunications Digital Services Data Protection Act (TDDDG)

• Secrecy of telecommunications pursuant to Section 3 of the Telecommunications Act (TKG)

These regulations take precedence over the GDPR (Art. 95 GDPR).

3. Why peoplefone is not a data processor for fax services

The processing of fax data during transmission by peoplefone is not carried out on behalf of the customer , but rather:

• to fulfill one's own legal obligation (§ 167 TKG)

• within the framework of telecommunications secrecy

• without the ability to read or process content

However, order processing requires:

• Obligation to follow instructions

• Purpose-bound by the customer

• Processing of personal data for the customer

This is not possible with telecommunications services.

Consequence:

👉 Fax transmission itself is not data processing. 👉 A data processing agreement (DPA) is not legally required.

4. peoplefone practice: Data processing agreement (DPA) available upon request, but not mandatory.

peoplefone follows the common practice in the telecommunications industry:

• A data processing agreement (DPA) is not mandatory for all Fax2Mail/Mail2Fax customers.

• A data processing agreement (DPA) will be provided upon request, clearly distinguishing between: a) telecommunications services (not relevant for DPA) b) other data processing (relevant for DPA)

For this purpose, a TKG protection clause is used in the AVV, e.g.:

"The telecommunications services provided via peoplefone – including Fax2Mail and Mail2Fax – are subject to the confidentiality of telecommunications (§ 3 TKG) and do not constitute data processing on behalf of a controller within the meaning of Art. 28 GDPR. Data processing on behalf of a controller only takes place for data that is not directly related to the telecommunications transmission (e.g. contract, billing or administration data)."

5. Summary

6. Recommendation for customer communication

When customers or data protection officers ask for a data processing agreement (DPA), the official peoplefone answer is:

"The fax transmission itself is subject to telecommunications secrecy according to the German Telecommunications Act (TKG) and the German Telecommunications Data Protection Act (TDDDG) and is therefore not a data processing activity within the meaning of the GDPR. However, we will gladly provide you with a data processing agreement for the other, non-telecommunications processing activities (e.g., master data, invoicing) upon request."

This statement is legally sound, technically correct, and reflects industry practice.