IT is common and normal to have user data itself protected with depending on which level the normal or most strict reasonable protection.
That is also FOR admins.
Sorry don't agree in Germany for more then 30 Years in IT now.
Even other custommers or members from that company / custommer is not allowed to get direct easy acces to such (personal) data.
Other software as told emailserver David/TOBIT has such option ( completly protect access/reading against admins and co) for over25 years now.
As administrators you have always access, but no right to read without permission! ( is not only GDPR !)
Ask you lawyer again while this is already since 1977 or so in Germany and other countrys as >
het briefgeheim the confidentiality of mail
briefgeheim inviolability of the mail
And yes i have experience beeing "punished" for such things already in real live for more then 20 years ago!
Please don't give wrong Juristic advice, i am also not a Lawyer or Jurist so i can't do to.
ONly posting some more info and links and out of my own experience.
Al these are not JURISTIC LEGAL advice ! only pointing out some links and info for discussion
After lot of search, i have see that the law allow to have one or more administrator (depending of the size of the company) with full access to the user and company files (including emails) in order to do all admin tasks etc.
This admins is responsible in order to make good use of the data. Always is good to limit access when is possible but the law not say that need to block a administration from the access to user data. As the lawyers tell me this is clean. The company need to limit the full access only to a limited number of people but even for this the responsibility is in the customer, not the web hosting company.
.
So SURE for Medical personal DAta and also Financial personal data and lot more this is against the LAW and not true , i''m no LAWYER but you can read a part here if you want>
https://digitalguardian.com/blog/he...mpliance-and-its-role-patient-data-protection
There is and be noway never need to read usermails, if problems with typical mails you can ask them before and have some tests with permission and so on.
So it should not be the other way arround! ( even if someone died, you have to ask for special permission to have emails read! )
So it is a v ery easy reasonable technical and organisational possible to noy have the option to void this
het briefgeheim the confidentiality of mail
briefgeheim inviolability of the mail
Then you have to take care for that.
That mails are in clear txt on server yup is other thing you have to take care of depending which level the DATA itself is. (For medical also not allowed)
Arcg you can read the starting post links here then you have if reading clear how LAW in Germany / EU handling such for IT.
OYEA and if they do there reading and so, then has to be a very very good reason and also impossible to delete LOG / AUDIT for such actions from sysadmins. ( permission should be there before mostly to)
No need you can do your tasks without! ( that it is only more easy with is no reason at all )
Then this aply's also:
Das Fernmeldegeheimnis untersagt, sich oder anderen über das für die geschäftsmäßige Erbringung der Telekommunikationsdienste einschließlich des Schutzes ihrer technischen Systeme erforderliche Maß hinaus Kenntnis vom Inhalt oder den näheren Umständen der Telekommunikation zu verschaffen (§ 88 Abs. 3 S. 1 TKG).
https://dejure.org/gesetze/TKG/88.html so simple it is.
If you have such option button and klick you can see direct forbidden content for your eyes or the eyes for that account! i don't think that is OK.
( so you have that option but the moment you klick you're mayby allready in problems even if you didn't want to read mails at all.
Every ADMIN or User wo has such option can become in VERY BIG problems when a Company have Legal problems and therefore insight in DATA and who has ACCESED.
( if leaked information no one knows who then you admin can be hold responsable even if you didn't leak)
So very very high LEGAL risks with such options possible even if switched of you can enable easy!
Normally everytime someone not having special permission reading or accesing personal DATA or mail.
Then you have to make a reporting of data breaches , your BOSS COMPANY and your Users has to!
HOW do you know you have that permission from the mailsenders?
Dutch email >
https://www.rijksoverheid.nl/actuee...dwet-bij-de-tijd-e-mail-ook-onder-briefgeheim
So simpel it is a "postmen" and POSTAGE Firms aren't allowed to open/read any letters without personal permission, only special condition by LAW for national security and co. Permission sender and receiver!
