GDPR · Shadow IT · Data Governance
Forwarding Company Email to a Personal Gmail
Auto-forwarding to a private Gmail looks like a harmless shortcut. In reality it is a continuous replica of company data outside the perimeter the organisation controls. And the issue is not how secure Google is: it is that corporate Workspace and consumer Gmail belong to two different legal perimeters.

The scenario is mundane and extremely common. An employee receives mail on the company account and, for convenience, sets up an automatic forward to their personal Gmail: that way they read it more easily from their phone, or from an interface they are used to. No malicious intent, just practicality. And yet, from that moment, every company message is steadily duplicated into a mailbox the company does not administer, does not monitor and cannot delete. What looks like a usage preference is, technically, a continuous data leak.
Two perimeters compared
| | Corporate Google Workspace | Consumer Gmail |
|---|---|---|
| Legal relationship | Business contract + DPA between Google and the company | Terms and privacy policy between Google and the individual user |
| Who controls | The company admin | The employee, owner of the account |
| Retention | Company policy, Vault, defined retention | At the user's discretion |
| Logs and audit | Admin logs, DLP, alerts | No visibility for the company |
| Offboarding | Access revocation and data recovery | The data stays in the (former) employee's account |
01 / The legal point — the controller loses control
If personal data travels through the email, the company remains the controller of the processing. It is the controller who must determine the means, purposes and security measures. The moment the employee forwards everything to a personal account, they introduce a processing operation neither foreseen nor governed by the controller: a destination for the data that nobody assessed, authorised or documented.
Article 28 GDPR requires that processing by a processor be governed by a contract or another binding legal act, setting out the subject matter, duration, nature, purpose, categories of data and the processor's obligations. Article 32 GDPR mandates technical and organisational measures appropriate to the risk — confidentiality, integrity, availability, the ability to restore. The employee's personal Gmail is covered by neither safeguard: there is no legal act framing it, nor measures the company can impose or verify.
Once the data lands in a personal mailbox, the company no longer fully governs access, does not control synced devices, does not apply its own retention, cannot impose certain deletion, does not see everything in the logs, does not apply DLP and classification, does not properly handle offboarding. In a word: it can no longer demonstrate effective control over the data's lifecycle — which is precisely what the accountability principle requires of it.
02 / Corporate Workspace ≠ personal Gmail
This is the heart of the matter, and the false equivalence to dismantle: “it's all Gmail anyway”. Google Workspace is governed by business contract terms and by a Data Processing Amendment regulating Customer Data and the processing carried out within the relationship between Google and the corporate customer. Personal Gmail, by contrast, is governed by the terms and privacy policy of the relationship between Google and the individual user — a policy built around the user's individual control over their own data: managing, exporting, updating, deleting.
Same technology vendor does not mean same legal perimeter. Saying “it's all Google anyway” means confusing a corporate service under a DPA with a consumer service governed by the personal relationship between user and platform.
The difference is not cosmetic: it changes who is party to the contract, which privacy roles apply, which logs exist, which retention is in force, how offboarding works, whether there is DLP, whether there is audit, whether deletion is demonstrable, who has administrative access and who answers for incident handling. All of this exists in the Workspace perimeter and vanishes in the consumer one.
03 / The problem of the user's rights
In personal Gmail the account holder is the employee. The company cannot directly administer that mailbox, and this creates an obvious friction: the content is corporate, the container is personal, the contractual relationship is between the employee and Google, and effective control no longer belongs to the company.
The consequences surface in the moments that matter. In the event of termination of employment, litigation, audit, a deletion request, the exercise of a data subject's rights or a cyber incident, the company may be unable to reconstruct where the data ended up, how long it stayed there, who accessed it and on which devices it was synced. This is not distrust of the employee: it is a plain technical and legal inability to answer questions the controller must be able to answer.
04 / Not just GDPR — trade secrets and security
The GDPR concerns personal data. But forwarding can be serious even when there is no personal data at all. Company email routinely carries commercial offers, contracts, source code, credentials, technical specifications, roadmaps, confidential attachments, customer data, project documentation, NDA-covered information, outright trade secrets.
In these cases the problem changes name but not gravity: information security, confidentiality, intellectual property, trade secrets, contractual obligations toward customers and suppliers. Forwarding to a personal Gmail is, in essence, a form of shadow IT: it almost never starts with malicious intent, but it produces the same technical effect as a persistent copy of company information beyond control.
05 / When it becomes a data breach
Not every forward is automatically a notifiable breach. But every unauthorised forward containing personal data should be treated as a possible security incident from the moment it is discovered. The minimum assessment covers: which data was forwarded, whether it was personal data, whether it fell into special categories, the volume of messages, the duration of the forward (counted from the date the forward was created, as recorded in the admin logs, not from the date of discovery), the recipients involved, the synced devices, any onward forwarding, the possibility of recovery or deletion, the risk to the data subjects and, consequently, any obligation to notify the supervisory authority and to communicate the breach to the data subjects (Articles 33 and 34 GDPR).
An abusive or unauthorised forward should not be trivialised as “user error”. It must be handled as a security event, because it may have produced a loss of confidentiality.
06 / The correct policy
A clear, reusable clause puts the prohibition in writing and defines its governed exception:
“It is prohibited to automatically or systematically forward company email, attachments or confidential information to personal accounts or unauthorised services, including Gmail, Outlook, iCloud accounts or equivalents, save for formal, prior and documented company authorisation.”
“Version for those using Google Workspace: the use of personal Gmail accounts to receive, store or process company communications is prohibited even when the company uses Google Workspace. Consumer accounts fall outside the organisation's contract, DPA, technical measures, administrative controls and retention policies.”
07 / The technical controls you need
Policy alone is not enough. You need technical enforcement, and for those using Workspace it is within reach: in the Admin console's Gmail settings, admins can disable users' automatic forwarding, and Email Log Search shows which messages were actually forwarded and where. The controls to deploy:
- disable user-level automatic forwarding and remove the forwards users have already set up, checking both the account-wide forwarding setting and filters with a forward action, which do not appear in that setting; approved forwards, if any, are configured as admin-side routing rules so they stay under the admin's control
- enable alerts on external forwarding and monitor bulk exports (Google Takeout, mass downloads)
- apply DLP rules to attachments and sensitive content, with classification labels on email and documents
- restrict POP/IMAP (the other way to pull a full copy of a mailbox into a consumer client), enforce MFA and use MDM on devices
- configure Google Vault (or equivalent tools) and define company retention
- train employees, manage approved exceptions and fold the scenario into the incident response procedure
If forwarding is prohibited only in the policy but technically possible and unmonitored, the measure is weak. The control must be technical, not merely disciplinary.
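The admin console lets you switch user forwarding off, but it does not give you a periodic inventory of where each mailbox is already configured to send mail. The script below is an added example written for this article (it is not the article's own code, nor Google's): it audits per-user records in the shape the Gmail API returns for users.settings.getAutoForwarding, users.settings.forwardingAddresses.list and users.settings.filters.list (that shape is an assumption; the fetch itself, done by an admin service account with domain-wide delegation, is not shown) and flags every path by which mail can leave the corporate domains. The sample records are constructed for the demonstration.

```python
"""Audit per-user Gmail forwarding settings for external destinations.

Added example, not part of the original article. Input: a dict of per-user
records shaped like the Gmail API responses for users.settings.getAutoForwarding,
users.settings.forwardingAddresses.list and users.settings.filters.list
(assumed shape; the API fetch by an admin service account is not shown).
The sample records at the bottom are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    destination: str
    path: str      # "auto_forward" | "filter" | "verified_address"
    severity: str  # "high": mail is leaving now; "medium": dormant, re-enabled in one click


def is_external(address: str, corporate_domains: frozenset[str]) -> bool:
    """True when the address is not on one of the corporate domains.

    The comparison is on the exact, lower-cased domain, so a lookalike such as
    'dave@example.com.evil.net' is external even though it contains 'example.com'.
    Anything without an '@' is treated as external (fail closed).
    """
    _, sep, domain = address.strip().lower().rpartition("@")
    return not sep or domain not in corporate_domains


def audit_user(user: str, record: dict, corporate_domains: frozenset[str]) -> list[Finding]:
    """Return every path by which this mailbox can send mail outside the corporate domains."""
    findings: list[Finding] = []

    # Path 1: the account-wide "forward a copy of incoming mail" setting.
    auto = record.get("autoForwarding", {})
    if auto.get("enabled") and is_external(auto.get("emailAddress", ""), corporate_domains):
        findings.append(Finding(user, auto["emailAddress"], "auto_forward", "high"))

    # Path 2: filters with a forward action. They are independent of the
    # account-wide setting, so a check that stops at getAutoForwarding misses them.
    for flt in record.get("filters", []):
        dest = flt.get("action", {}).get("forward")
        if dest and is_external(dest, corporate_domains):
            findings.append(Finding(user, dest, "filter", "high"))

    # Path 3: a verified external address that nothing currently forwards to.
    # Gmail keeps it available, so forwarding can be re-enabled without another
    # verification round; report it once, at lower severity.
    reported = {f.destination.lower() for f in findings}
    for fa in record.get("forwardingAddresses", []):
        dest = fa.get("forwardingEmail", "")
        if (fa.get("verificationStatus") == "accepted"
                and dest.lower() not in reported
                and is_external(dest, corporate_domains)):
            findings.append(Finding(user, dest, "verified_address", "medium"))
    return findings


def audit_domain(records: dict[str, dict], corporate_domains: frozenset[str]) -> list[Finding]:
    """Audit every mailbox in a deterministic order so runs can be diffed."""
    findings: list[Finding] = []
    for user in sorted(records):
        findings.extend(audit_user(user, records[user], corporate_domains))
    return findings


CORPORATE_DOMAINS = frozenset({"example.com", "mail.example.com"})

# Constructed sample data (not real accounts or filter ids).
SAMPLE_RECORDS = {
    # Everything goes to a personal Gmail: the scenario in the article.
    "alice@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "alice.personal@gmail.com",
                           "disposition": "leaveInInbox"},
        "forwardingAddresses": [{"forwardingEmail": "alice.personal@gmail.com",
                                 "verificationStatus": "accepted"}],
        "filters": [],
    },
    # Account-wide forwarding is off, but a filter forwards finance mail externally.
    "bob@example.com": {
        "autoForwarding": {"enabled": False},
        "forwardingAddresses": [{"forwardingEmail": "bob.home@outlook.com",
                                 "verificationStatus": "accepted"}],
        "filters": [{"id": "ANe1Bmj1", "criteria": {"from": "finance@example.com"},
                     "action": {"forward": "bob.home@outlook.com"}}],
    },
    # Forward to an internal shared mailbox: stays inside the perimeter, not flagged.
    "carol@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "Support@Mail.Example.com"},
        "forwardingAddresses": [{"forwardingEmail": "support@mail.example.com",
                                 "verificationStatus": "accepted"}],
        "filters": [],
    },
    # Dormant verified address on a lookalike domain.
    "dave@example.com": {
        "autoForwarding": {"enabled": False},
        "forwardingAddresses": [{"forwardingEmail": "dave@example.com.evil.net",
                                 "verificationStatus": "accepted"}],
        "filters": [],
    },
}


if __name__ == "__main__":
    for f in audit_domain(SAMPLE_RECORDS, CORPORATE_DOMAINS):
        print(f"{f.severity:6} {f.user:20} {f.path:16} -> {f.destination}")
```

Run against the sample, this reports alice (account-wide forward), bob (filter-based forward that the account-wide setting would not reveal) and dave (dormant lookalike address), and stays silent on carol's internal forward. It covers user-level settings only: admin-side routing rules live elsewhere in the console, and what was actually delivered externally is still a question for Email Log Search.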
A matter of perimeter
Forwarding to personal Gmail is not a matter of trust in the employee, nor an abstract judgement on Google's security. It is a matter of perimeter. Corporate Google Workspace is inside the controller's perimeter; personal Gmail is outside. The data can even stay within Google's infrastructure and still leave the company's control: that is the point many organisations underestimate. Compliance does not depend only on the cloud provider, but on the contractual relationship, the administrative controls and the effective governance of the data.
This article is for informational and educational purposes and does not constitute legal advice, nor does it replace professional consultancy calibrated to the specific case. The positions expressed reflect Tomato Blue RegTech's analysis. © 2026 Tomato Blue.
Do you really know where your company's data leaks out?
Tomato Blue maps shadow IT, writes policies that hold up under audit and configures the technical controls on Google Workspace — from blocking external forwarding to DLP, from retention to incident response — to bring the data back inside the controller's perimeter.
Sources
Arts. 28 and 32 Reg. EU 2016/679 (GDPR); Google Workspace, Data Processing Amendment (Customer Data and processing within the Google–corporate customer relationship); Google Privacy Policy (consumer relationship between Google and the user); Google Workspace Admin Help, managing/disabling users' automatic forwarding and Email Log Search.