GDPR applies to any org with EU subscribers — regardless of where your company is based.
Valid consent = freely given, specific, informed, unambiguous, and withdrawable. Pre-ticked boxes are invalid.
You must store consent records (date, form version, what was consented to) — subscription status alone is not enough.
Every email must have a one-click unsubscribe. Purchased lists and assumed consent are clear violations.
Self-hosted email (e.g. MisarMail) eliminates the third-party data processor relationship entirely — the simplest GDPR posture.
The General Data Protection Regulation has been in force since May 2018, and regulators are still actively enforcing it. In 2024 alone, GDPR fines across the EU exceeded €1.5 billion — and email marketing is one of the most commonly cited areas of non-compliance.
This guide covers what GDPR actually requires for email marketing, what constitutes compliant consent, how to handle data subject requests, and what to look for in an email platform from a data protection perspective.
GDPR applies to any organization that:
- Is established in the EU, regardless of where it processes data
- Offers goods or services to individuals in the EU (even if the company is based elsewhere)
- Monitors the behavior of individuals in the EU
If any of your email subscribers are EU residents, GDPR applies to you — regardless of whether your company is incorporated in India, the United States, or anywhere else.
The regulation's extraterritorial scope is not theoretical. Non-EU companies have received substantial fines for GDPR violations related to EU resident data.
GDPR requires a lawful basis for every instance of personal data processing. For email marketing, two bases are relevant:
Consent is the most common legal basis for marketing email. GDPR sets a high bar:
Consent must be:
- Freely given: No bundling with terms of service or making consent a condition of service
- Specific: The person must know exactly what they're consenting to (e.g., "marketing emails about our products")
- Informed: Clear explanation of who is sending email and how data will be used
- Unambiguous: Requires a clear affirmative action — pre-ticked checkboxes do not constitute valid consent
- Withdrawable: Must be as easy to withdraw as it was to give
What this means in practice:
- Separate checkboxes for different types of email (newsletter, promotional, product updates)
- Unchecked by default
- "I agree to receive marketing emails from [Company]" — specific enough
- "I agree to the terms and conditions" — not enough to cover email marketing
- Record when consent was given, what was shown, and what was consented to
Legitimate interests can sometimes justify email marketing to existing customers (the "soft opt-in" concept), but this requires a balancing test and doesn't work for cold email lists or new subscribers.
The soft opt-in scenario: A customer buys from you. You can email them about similar products without separate consent, provided you offered an opt-out at point of purchase and offer it in every subsequent email.
Legitimate interests do NOT justify:
- Cold email marketing to purchased lists
- Email marketing to scraped addresses
- Bulk promotional email to people who haven't engaged with your business
Article 7(1) of GDPR requires data controllers to demonstrate that consent was given. You must be able to prove:
- When the person consented
- What consent mechanism was used (the form, checkbox, or sign-up flow they saw)
- What they consented to (the exact wording presented)
- The IP address at time of consent (for web sign-ups)
This means your email platform or CRM needs to store consent records, not just subscription status. "Is subscribed: yes" is not sufficient. You need "subscribed on 2024-03-15 via website sign-up form v3, consented to newsletter and promotional email, IP: [address]."
MisarMail stores full consent audit trails in your database. Because you control the database, this data is always accessible and exportable.
GDPR grants subscribers several rights you must honor:
Subscribers can request all personal data you hold about them. For email marketing, this includes:
- Their email address and any other personal data (name, preferences)
- Consent records
- Campaign interaction history (opens, clicks, if you track at individual level)
- Any segmentation or profiling data
You must respond within 30 days and provide the data in a portable format.
The "right to be forgotten" means a subscriber can request complete deletion of their data. For email marketing, this means:
- Remove from all active lists
- Delete their personal data from your database
- BUT: You may retain a suppression record (just the email address and deletion date) to ensure you don't accidentally re-add them
The suppression list retention exception is important — without it, you can't comply with future consent requirements because you won't know the person asked to be forgotten.
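The consent-record fields listed under Article 7(1) above and the erasure-plus-suppression behaviour described here, as an added example that is not MisarMail's code or the regulation's text: a hypothetical in-memory consent ledger standing in for the consent table in your own database. Names (ConsentLedger, SuppressedError), the sample addresses and the constructed IP are assumptions.

```python
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class ConsentRecord:
    email: str
    consented_at: str          # ISO-8601 UTC timestamp of the affirmative action
    form_version: str          # which sign-up form or flow the person saw
    wording: str               # exact consent text that was presented
    purposes: List[str]        # e.g. ["newsletter", "promotional"], one checkbox each
    ip_address: Optional[str]  # captured for web sign-ups

class SuppressedError(Exception): """Attempt to re-add an address that asked to be forgotten."""

class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}   # hypothetical consent table
        self.suppressed: Dict[str, str] = {}          # email -> deletion date only

    def record_consent(self, email, form_version, wording, purposes,
                       ip_address=None, checked_by_default=False):
        key = email.strip().lower()
        if checked_by_default:  # pre-ticked box: no affirmative action, no consent
            raise ValueError("pre-ticked checkbox does not constitute consent")
        if not purposes:        # consent must be specific to named purposes
            raise ValueError("consent must name at least one purpose")
        if key in self.suppressed:
            raise SuppressedError(f"{key} requested erasure on {self.suppressed[key]}")
        rec = ConsentRecord(key, datetime.now(timezone.utc).isoformat(),
                            form_version, wording, list(purposes), ip_address)
        self.records[key] = rec
        return rec

    def has_consent(self, email, purpose) -> bool:
        rec = self.records.get(email.strip().lower())
        return rec is not None and purpose in rec.purposes

    def export(self, email) -> Optional[dict]:
        """Access / portability request: everything held about this address."""
        rec = self.records.get(email.strip().lower())
        return None if rec is None else asdict(rec)

    def erase(self, email) -> dict:
        """Erasure request: drop personal data, keep only address + date as a suppression record."""
        key = email.strip().lower()
        self.records.pop(key, None)
        self.suppressed[key] = datetime.now(timezone.utc).date().isoformat()
        return {"email": key, "deleted_on": self.suppressed[key]}
```

After `erase`, the ledger has no personal data for the address, but `record_consent` still refuses to re-add it, which is exactly why the suppression record must survive deletion.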
Withdrawal must be as easy as giving consent. A single-click unsubscribe link in every email satisfies this requirement. Requiring people to log in to unsubscribe does not.
As of February 2024, Gmail requires one-click unsubscribe in the email header (RFC 8058) for senders sending more than 5,000 emails/day. This aligns directly with GDPR requirements.
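What the RFC 8058 header requirement looks like on the wire, as an added example that is not MisarMail's code: building a message with the List-Unsubscribe and List-Unsubscribe-Post headers, a pre-send check for them, and the server-side handling of the one-click POST. The URL scheme, the per-recipient token table and the addresses are constructed assumptions.

```python
import re
from email.message import EmailMessage
from typing import Dict, Optional
from urllib.parse import parse_qs

def build_marketing_message(sender, recipient, subject, body, unsub_url, unsub_mailto):
    """Build a message whose headers satisfy RFC 8058 one-click unsubscribe."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 2369 header: HTTPS URL first, mailto as a fallback for clients that cannot POST
    msg["List-Unsubscribe"] = f"<{unsub_url}>, <mailto:{unsub_mailto}>"
    # RFC 8058: this exact value tells the client that a POST to the URL unsubscribes
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # A visible link still matters for clients that ignore headers (GDPR "as easy to withdraw")
    msg.set_content(f"{body}\n\nUnsubscribe: {unsub_url}\n")
    # Not shown: RFC 8058 also expects a DKIM signature covering both headers
    return msg

def has_one_click_unsubscribe(msg) -> bool:
    """Pre-send check: HTTPS URL in List-Unsubscribe plus the exact RFC 8058 POST header."""
    urls = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    post_ok = msg.get("List-Unsubscribe-Post", "").strip() == "List-Unsubscribe=One-Click"
    return post_ok and any(u.startswith("https://") for u in urls)

def handle_unsubscribe_post(token: str, form_body: str, token_table: Dict[str, str]) -> Optional[str]:
    """Server side: the mail client POSTs 'List-Unsubscribe=One-Click' as the form body.
    The token comes from the per-recipient URL path. Returns the address to suppress,
    or None if the request is not a valid one-click POST (no user interaction is allowed)."""
    form = parse_qs(form_body, keep_blank_values=True)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return None
    return token_table.get(token)  # unknown token -> None, nothing to unsubscribe
```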
Subscribers can request their data in a machine-readable format. For most email marketing use cases, a CSV export of their subscription data and preferences satisfies this.
If you use a third-party email marketing platform, you're adding a data processor — an organization that processes personal data on your behalf. GDPR requires a written Data Processing Agreement (DPA) with every processor.
Most reputable email platforms offer DPAs: Mailchimp, Brevo, Kit, and others have standard DPAs available. You need to execute the DPA, not just assume it applies.
If you self-host your email marketing, you eliminate the third-party processor relationship entirely. Your subscriber data stays in your database, on your server. The only DPA you might need is with your cloud hosting provider — and those providers typically offer standard DPAs. See MisarMail vs Mailchimp and MisarMail vs Brevo for a detailed comparison of data ownership models.
Common violations that attract regulatory attention:
- Purchased lists: Buying email lists and sending to them without consent is a clear violation. The fact that a data broker sold you the list doesn't transfer consent — the individuals never consented to receive your email specifically.
- Assumed consent: "They gave us their email when they downloaded our whitepaper, so we can send them marketing email." Not without explicit marketing consent at the time of download.
- Pre-ticked boxes: Any sign-up form with a pre-ticked "receive marketing emails" checkbox uses invalid consent. Every email sent to that list is potentially a violation.
- Hidden consent language: Burying marketing consent in terms of service paragraphs doesn't constitute valid consent.
- No unsubscribe mechanism: Every marketing email must include a working unsubscribe link.
- Ignoring unsubscribes: Re-adding someone who unsubscribed — even accidentally — is a violation. Proper suppression list management is mandatory.
Questions to ask when evaluating email marketing tools:
- Where is subscriber data stored? EU data stored in the US may require additional transfer mechanisms (Standard Contractual Clauses).
- Do they offer a DPA? Without one, you can't use them compliantly for EU subscriber data.
- Do they store consent records? You need audit trails, not just subscription status.
- How are data subject requests handled? Can you extract all data about a subscriber? Can you permanently delete them?
- What do they do with your subscriber data? Some platforms use customer data to train models or share aggregated data. Read the privacy policy carefully.
Self-hosted email marketing sidesteps most of these questions:
- Data stays in your database, in your jurisdiction
- No third-party processor relationship for subscriber data
- Full control over consent records and audit trails
- Data subject requests handled directly in your own database
- No concerns about vendor data monetization
MisarMail is built with GDPR compliance as a core design requirement. Consent records are stored with full audit trails. Unsubscribes are processed immediately. Suppression lists persist. Data deletion removes personal data while maintaining the suppression record.
Use this before your next campaign:
- Valid consent exists for every subscriber on your send list
- Consent records include date, form version, and what was consented to
- Sign-up forms use unchecked checkboxes and clear consent language
- Every email includes a working one-click unsubscribe link
- Unsubscribes are processed within 48 hours (immediately is better)
- A suppression list prevents re-adding people who unsubscribed
- You have a DPA with your email marketing platform
- You can respond to data subject access requests within 30 days
- You can permanently delete a subscriber's data on request
- Your privacy policy accurately describes your email marketing practices
GDPR compliance for email marketing isn't optional, and the "we didn't know" defense doesn't hold up with regulators. The good news is that compliant practices — clean lists, confirmed opt-in, easy unsubscribe — also produce better marketing results. Engaged subscribers who actually want your email convert better than lists padded with contacts who never asked for it.
If you're evaluating email platforms with data sovereignty in mind, MisarMail's self-hosted approach eliminates most of the third-party compliance burden by design.
AI systems builder · 7 years in production. RAG, self-hosted infra, agent architecture. 📬 Deep-dives → mrgulshanyadav.substack.com