How secure is the fax really? Data protection, GDPR and modern alternatives

Institutions such as the Deutsche Bundesbank demonstrate that fax machines are outdated. Clinging to them risks security vulnerabilities and competitive disadvantages.

In many German offices, a certain sound remains part of the furniture: the rhythmic whirring and beeping of the fax machine. Particularly in hospitals and government agencies, this technology is considered a reliable constant. People trust that the document will arrive directly. A look at the public sector reveals just how deeply rooted this habit is: in the ministries of Baden-Württemberg alone, over 1,400 fax machines are currently in use – 568 of them are located, of all places, in the Ministry of the Interior, the very body tasked with driving the state's digitalisation forward.

But does this technology still fit into today's world? While the fax machine rattles away in the anteroom, the threat landscape has intensified massively. Cybercrime causes annual damages of around €267 billion in Germany. Furthermore, the Secure Data Report 2025 shows that while 76 per cent of companies want to minimise data protection risks, 34 per cent paradoxically still cling to the very analogue processes that offer the largest points of entry for attacks.

In this article, we answer the question: how secure is the fax really? We examine GDPR compliance, compare fax vs. email, and show how you can ensure data protection when sending documents by using modern alternatives such as FTAPI.

TL;DR – the essentials at a glance:

  • Technical fallacy: Today, faxing uses unencrypted internet protocols (VoIP) and offers no end-to-end encryption. Technically speaking, it is as insecure as a postcard.

  • Legal risk: Supervisory authorities and courts classify the fax as non-compliant with data protection regulations for personal data (especially Article 9 GDPR).

  • The solution: With FTAPI, you can replace fax machines without disrupting processes, either by connecting existing hardware or by switching directly to fully digital workflows.

Why the fax is a security risk today

The myth that the fax is secure persists stubbornly. The argument: a point-to-point connection via the telephone network is harder to intercept than digital data traffic. However, this view is outdated. The fax's good reputation dates back to the era of analogue copper lines, which could only be wiretapped with physical access. Today, the technical foundation has fundamentally changed.

VoIP makes the fax insecure

Modern telephone connections operate digitally via the internet using Voice over IP (VoIP). Accordingly, fax transmission is usually implemented based on these infrastructures via Fax over IP (FoIP). A fax is broken down into digital data packets and often sent unencrypted. The transmission path is as easy for attackers to view as an open postcard.

  • No end-to-end encryption: By default, a traditional fax offers no cryptographic protection. The data remains exposed throughout the entire transmission path.

  • Lack of confidentiality: Documents often lie openly in the output trays of multi-function printers (MFPs) for hours, freely accessible to unauthorised persons.

  • Susceptibility to error: A simple typo in the fax number is enough for highly sensitive health data to end up with a completely wrong recipient.
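
As an added example (not part of the original article and not FTAPI code), the following Python code shows how a defender can check whether a FoIP call is negotiated in cleartext by reading the media lines of the SIP session description (SDP). It assumes the gateway carries fax as T.38 or as G.711 pass-through, which the article does not specify; the SDP samples are constructed.

```python
# Added example (not from the original article). The SDP bodies are constructed samples.
# Transport tokens that protect the media stream (DTLS or SRTP) versus plain ones.
ENCRYPTED = {"UDP/TLS/UDPTL", "RTP/SAVP", "RTP/SAVPF",
             "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
CLEARTEXT = {"UDPTL", "RTP/AVP", "RTP/AVPF"}

def audit_sdp(sdp):
    """Return one finding per active media line that can carry a fax."""
    findings = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line.startswith("m="):
            continue
        parts = line[2:].split()
        if len(parts) < 4:
            continue                      # malformed media line
        media, port, proto, fmts = parts[0], parts[1], parts[2].upper(), parts[3:]
        if port.split("/")[0] == "0":
            continue                      # port 0 = stream disabled or rejected
        if media == "image" and "t38" in [f.lower() for f in fmts]:
            kind = "T.38 fax"
        elif media == "audio" and {"0", "8"} & set(fmts):
            kind = "G.711 audio (fax pass-through possible)"
        else:
            continue                      # not a fax-capable stream
        if proto in ENCRYPTED:
            status = "encrypted"
        elif proto in CLEARTEXT:
            status = "cleartext"
        else:
            status = "unknown"
        findings.append({"kind": kind, "proto": parts[2], "status": status})
    return findings

# Constructed session descriptions (documentation address range 192.0.2.0/24).
SDP_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
SAMPLES = {
    "t38_plain": SDP_HEAD + "m=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n",
    "t38_dtls": SDP_HEAD + "m=image 4002 UDP/TLS/UDPTL t38\r\n",
    "g711_plain": SDP_HEAD + "m=audio 5004 RTP/AVP 0 8\r\n",
    "g711_srtp": SDP_HEAD + "m=audio 5006 RTP/SAVP 0 8\r\n",
}

if __name__ == "__main__":
    for name, sdp in SAMPLES.items():
        for f in audit_sdp(sdp):
            print(f"{name}: {f['kind']} over {f['proto']} -> {f['status']}")
```

An "encrypted" result here only means the media leg between two SIP endpoints is protected; the document is still decoded at every gateway and at the receiving device, so it is not end-to-end encryption.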

Fax and GDPR: is it permissible to send personal data via fax?

Legally, the fax is on extremely thin ice today. The GDPR requires technical and organisational measures (TOMs) that correspond to the current state of the art. A fax no longer meets these requirements. Anyone still faxing today is working with the state of the art from 1980.

Legal clarity from supervisory authorities

The assessments of data protection officers and courts regarding faxing and data privacy are clear:

  • Non-compliant with data protection: For special categories of personal data (Art. 9 GDPR, e.g. health data or client data), fax transmission lacks the necessary encryption. Several data protection authorities (e.g. Bremen, NRW, Hesse) classify the fax as non-compliant for these types of data.

  • Court ruling: The Higher Administrative Court (OVG) of Lüneburg (decision of July 2020) stated that the unencrypted transmission of personal data via fax services is inadmissible if more secure alternatives are available.

  • Liability risk: Those who continue to rely on the fax are ignoring the state of the art. In the event of data breaches, they face fines under the GDPR and a massive loss of trust.

In short: the fax is not GDPR-compliant as soon as personal information is involved. Companies should switch to more secure channels such as encrypted emails or protected data rooms.

Austrian Health Insurance Fund (ÖGK) replaces the fax. With FTAPI.

To meet legal requirements for security and confidentiality, the ÖGK relies on FTAPI for encrypted data exchange.

Strategic risks: why the fax is holding you back

Beyond technical and legal risks, the fax acts like an anchor, keeping your organisation stuck in the past. This endangers more than just compliance: it jeopardises the company's future operational viability.

  • You are falling behind: Anyone still faxing information manually today is working significantly slower and at a higher cost than the competition. While other companies automate their processes, manual tasks consume your valuable time and money. This makes your organisation sluggish and less productive.

  • You are gambling with trust: Today, clients (and citizens) expect you to protect their data using modern, secure methods—especially in security-critical sectors such as finance, healthcare, or public administration. However, the fax conveys the image of a backward-looking partner. Sending sensitive documents unprotected appears unprofessional. In the worst-case scenario, clients will move to competitors who demonstrate greater digital sovereignty.

  • You are slowing down your partners: Modern companies work in digitally networked environments. When you force your business partners to interrupt their digital workflows for a fax, you create unnecessary overhead and provoke errors. This can lead to partners finding collaboration with you tedious, causing them to look elsewhere in the long term.

Fax vs. Email: which is more secure?

The fax is often still defended as the "lesser of two evils" compared to unencrypted standard email. From a technical perspective, however, this is a comparison between two insecure worlds unless an additional solution is used. Both send data packets through the internet without cryptographic protection and are therefore equally vulnerable.

| | Fax (VoIP) | Standard email | With FTAPI |
|---|---|---|---|
| Encryption | Generally none | Usually transport only (TLS) | True end-to-end encryption |
| Delivery security | Simple transmission report | No confirmation | Audit-proof log |
| Access control | None (paper tray) | Limited | Full (MFA/Password) |
| GDPR compliance | Generally no | Only with extra protection | Yes (State of the art) |

Securely replacing the fax with FTAPI: how to succeed in the transformation

The transition often fails not due to a lack of will, but because of concerns regarding complicated new processes. Many companies cling to the fax because the scanning process at the multi-function printer (MFP) is so firmly established. This is exactly where FTAPI comes in: we digitalise the process in the background without requiring your employees to abandon existing habits immediately. The solution adapts to your workflows, not the other way around.

1. Choose the right transition

You decide how deeply the changeover integrates into your workflows:

  • The hybrid path: Your employees continue to use the familiar scanner on the multi-function printer. The device is connected to the system in the background, and FTAPI recognises and takes over the document for further processing. Instead of being sent as an insecure fax, it is automatically transmitted as an encrypted digital message. The result: the same manual step, but full GDPR compliance.

  • The fully digital path: You say goodbye to paper entirely. Transmission takes place directly and digitally via FTAPI (via the web interface or an Outlook add-in). This is location-independent and saves time spent walking to the machine.


2. Automate security and accountability

The platform handles data security without any manual effort:

  • Automated encryption: As soon as a document is captured (via scan or upload), end-to-end encryption is applied. Sensitive information leaves the building exclusively in a protected state.

  • Digital log: An audit-proof digital log replaces the insecure paper transmission report. It precisely documents when documents were sent and when they were accessed by the recipient.

3. From data transfer to automated workflow

True efficiency is created when data does not just arrive securely but is processed immediately:

  • Data extraction instead of manual typing: With SecuFlows Advanced, incoming data from documents or online forms can be automatically validated and transferred directly into your specialist systems (e.g. ERP or HIS).

  • Digital accessibility: Existing fax numbers can often be retained as a digital input channel. Your partners continue to send to the familiar number, while you process the data internally in a fully digital and GDPR-compliant manner.

Through this automated workflow, you eliminate media disruptions and ensure that no document ever ends up unprotected in a paper tray again.

Conclusion: the fax is an avoidable risk

Bottom line, the fax is the "digital ghost ship" of modern communication: it is still sailing, but nobody knows exactly who is reading along or where the cargo will end up. It no longer meets the state of the art and represents a wide-open door for data breaches.

The transition with FTAPI is not a radical break, but a necessary professionalisation. Whether as a hybrid solution or a fully automated workflow, you regain legal security and valuable time. Do not wait for your first data breach; lay the foundation for sovereign communication now.

Frequently asked questions about fax and data protection

The short answer is no. Experts agree that, as a rule, data protection and confidentiality can no longer be technically guaranteed with modern fax. Data packets travel unencrypted across today's All-IP networks, meaning sending a fax is effectively the same as sending an open postcard.

In practice, it is almost impossible to encrypt a fax. This would always require a compatible recipient that supports the exact same cryptographic standard. Those who still need to transmit sensitive information securely are better off using modern platforms with end-to-end encryption.

The primary issue is the lack of end-to-end security with the fax. Data protection is further compromised here by a lack of access controls at the receiving device. Since documents often end up unprotected on digital servers or as hard copies in multi-function printers, seamless monitoring of data flows is impossible.
