Compliance · GDPR
GDPR Email Guide: Lawful Basis, Data Rights, and Transfers
GDPR treats email addresses as personal data, so sending marketing email to anyone in the EU or UK requires a lawful basis — usually explicit consent for marketing, contractual necessity for transactional mail, and occasionally legitimate interest for existing customers if carefully documented. Beyond the basis, you must honour data subject rights like access and erasure within thirty days, set retention limits, and report qualifying breaches within seventy-two hours. The piece most senders underestimate is data transfers: moving EU email data to a country without an adequacy decision requires Standard Contractual Clauses plus a transfer impact assessment, which makes where your email provider and servers physically sit a compliance question, not just a technical one. This guide is general information, not legal advice.
Key takeaways
- Email is personal data. GDPR applies to anyone mailing EU or UK residents, wherever the sender is based.
- Pick a lawful basis per stream. Consent for marketing, contract for transactional, legitimate interest only with documentation.
- Rights have deadlines. Access, erasure, and portability requests must be executed within thirty days.
- Transfers are the trap. Sending EU data to a non-adequate country needs SCCs and a transfer impact assessment.
- Where data lives matters. Your provider’s and servers’ location is a GDPR question, not just an infrastructure one.
GDPR is the framework most email programs handle least confidently, partly because it operates on two levels at once — the law that governs processing the data, and the rules that govern actually sending the message. For senders whose data crosses borders, it adds a third dimension that’s easy to miss until an audit finds it. This guide walks the practical obligations, with particular attention to the data-handling and transfer questions that decide where your infrastructure can sit. It’s general information, not legal advice — confirm specifics with counsel.
GDPR’s two parallel frameworks
At its foundation, GDPR treats an email address as personal data deserving protection, which means anyone collecting, storing, or using the addresses of people in the EU or UK falls under it — regardless of where the sender is based. The crucial structural point that trips people up is that email marketing actually sits under two parallel frameworks operating simultaneously: GDPR provides the lawful basis to process the address, while the ePrivacy rules govern whether you may send the communication at all. Getting one right and the other wrong still creates legal exposure.
That dual structure explains a lot of the apparent contradictions in GDPR guidance. You can have a perfectly valid GDPR lawful basis for holding someone’s data and still lack the ePrivacy consent needed to email them marketing, or vice versa. Underneath both is a single principle the regulation keeps returning to: process data only with a clear justification, be transparent about it, and respect the individual’s control over their own information — the obligations that follow are all expressions of that idea.
How do you choose a lawful basis?
Every email you send needs a documented lawful basis, and the practical exercise is to categorise your email streams and assign one to each. Most marketing email relies on consent. Transactional email that’s necessary to deliver a service the user signed up for — receipts, password resets, shipping updates — relies on contractual necessity rather than consent. A narrow soft opt-in under legitimate interest can cover existing customers for similar products, but only if you document the reasoning and offer an opt-out on every send. The table maps the common streams.
| Email stream | Typical lawful basis | Condition |
|---|---|---|
| Marketing campaigns | Consent | Freely given, specific, logged |
| Transactional | Contractual necessity | Required to fulfil the service |
| Existing-customer offers | Legitimate interest (soft opt-in) | Similar products, opt-out each send |
| Cold outreach | Consent (usually) | Rarely valid for purchased lists |
Two cautions matter here. Legitimate interest is increasingly risky as a marketing basis: authorities and courts interpret it narrowly, you must demonstrate necessity and balance it against recipients’ reasonable expectations, and because recipients can object without justification you end up needing the same suppression infrastructure as consent anyway — which is why most operations default to consent. And purchased lists almost never work: buying addresses doesn’t transfer the consent under which they were collected, the buyer becomes a controller who must independently verify a valid basis, and that’s rarely possible.
What a compliant consent record looks like
Choosing consent as your basis is only half the obligation — you also have to prove it, and the consent record is where most programs quietly fail. A valid record is more than a checkbox state; it captures who consented, when, through which form, and the exact disclosure language they saw, all with a timestamp. Without that documentation you can’t defend a lawful basis under scrutiny, which is why consent metadata should be stored as a first-class part of the subscriber record rather than reconstructed later.
The collection point matters as much as the storage. A compliant signup form uses separate, unchecked checkboxes for each type of communication rather than one bundled opt-in, written in plain language that says exactly what the person will receive, with the privacy policy linked right next to the consent rather than buried in a footer. Pre-checked boxes and bundled consent are among the most common violations, because consent must be a clear affirmative action — and double opt-in, which adds a confirmation step, produces the cleanest record of all for EU subscribers.
What rights do subscribers have?
GDPR gives data subjects a set of rights you must be able to honour operationally, not just acknowledge in a privacy policy. The core ones for email are the right of access (provide all data you hold on them), the right to erasure (delete it), the right to data portability (export it in a usable form), the right to restriction, and the right to object to processing. For email specifically, the right to withdraw consent must be as easy as it was to give — which in practice means a working unsubscribe and preference management, processed immediately.
The operational demand behind these rights is a deadline and a capability. You generally have thirty days to execute a data subject request, and meeting that requires being able to locate a person’s data across whatever disconnected platforms hold it — your ESP, CRM, analytics, and backups — and act on it. Regulators explicitly weigh your response capability when assessing penalties, so a centralised process for finding and deleting or exporting a subscriber’s data is itself a compliance control, not just good hygiene.
How do international data transfers work?
This is the obligation email senders most often overlook, and it’s where the location of your infrastructure becomes a legal question. Whenever EU personal data moves to a country outside the EEA, GDPR requires a valid transfer mechanism. The simplest is an adequacy decision: the European Commission has recognised a short list of countries — only around fourteen as of early 2026, including the UK, Switzerland, Japan, New Zealand, South Korea, and Canada for commercial organisations — as providing equivalent protection, allowing free transfer. The US is covered conditionally through the Data Privacy Framework, but only for vendors that are specifically certified. The flow below shows the decision.
When there’s no adequacy decision — which covers most of the world, including countries with strong laws like Brazil, plus Australia and India — you need Standard Contractual Clauses, the Commission-approved model contracts that bind the recipient to GDPR-level protection. But since the Schrems II ruling, SCCs alone aren’t enough: you must conduct a transfer impact assessment evaluating whether the destination’s surveillance laws undermine those protections, then add supplementary measures like encryption and pseudonymisation. This is exactly why data residency has become a live concern for email programs.
Why provider and server location matters
Putting the transfer rules together produces a conclusion that’s easy to miss: your choice of email provider and the physical location of your sending servers is a GDPR decision. If your ESP processes data in the US without Data Privacy Framework certification, or routes through a non-adequate country, you’ve created an international transfer that needs SCCs and an assessment — and the largest GDPR penalty ever issued, well over a billion euros, was for transfer violations specifically. The location of the infrastructure isn’t a back-office detail; it’s the front line of transfer compliance.
This is the practical reason European and EU-resident senders increasingly favour providers and infrastructure that keep data within the EEA or in adequate jurisdictions. Keeping EU data in the EU sidesteps the transfer machinery entirely — no SCCs, no transfer impact assessment, no supplementary-measures analysis — which is both simpler and less legally exposed. Choosing where your servers sit, and verifying your provider’s certifications and transfer mechanisms, is the kind of decision our sovereign cloud guide works through for data-sensitive operations.
Controller versus processor responsibility
GDPR splits responsibility between the controller, who decides why and how data is processed, and the processor, who handles it on the controller’s instructions — and in email, you’re usually the controller while your ESP or agency is the processor. That relationship has to be formalised in a data processing agreement, and the controller carries a duty of due diligence: you must verify that your processor has appropriate transfer mechanisms in place, holds relevant certifications, and can support the rights and security obligations you’re accountable for. You don’t outsource the responsibility by using a vendor.
That due-diligence duty is why vendor selection is a compliance act. Before choosing an email platform, you need to confirm where it processes data, what transfer safeguards it uses, whether it’s Data Privacy Framework certified if it’s US-based, and how it handles data subject requests and breaches. A processor with weak safeguards becomes your liability, since you remain the controller answerable to the supervisory authority — a point that matters whether you’re evaluating a managed platform or, as our hosting migration guide covers, moving infrastructure between providers.
Retention, breaches, and ongoing obligations
Two ongoing obligations round out the operational picture. The first is retention: GDPR’s storage-limitation principle means you should hold personal data only as long as you have a reason to, deleting it when the purpose ends or consent is withdrawn. A documented retention policy — often tiered by engagement and consent status — is both required and useful, since indefinitely hoarding engagement histories accumulates liability without adding value. The second is breach notification, and the terminal captures the timeline.
# Ongoing GDPR obligations for an email program LAWFUL BASIS .. documented per email stream CONSENT LOG … timestamp + source + language shown DSAR … locate + act within 30 days RETENTION … delete when purpose ends / consent withdrawn TRANSFERS … adequacy, or SCCs + transfer impact assessment DPA … processor agreement with every vendor BREACH … notify authority within 72 hours # High-risk breach: notify affected individuals directly, too.
The breach rule is strict and time-bound: you must detect, investigate, and report a qualifying personal data breach to your supervisory authority within seventy-two hours, and where the breach poses a high risk to individuals — leaked passwords or financial data — you must notify those people directly as well. Regulators expect contemporaneous logs rather than reconstructed timelines, so the procedure has to exist before you need it. With breach notifications now running into the hundreds per day across the EU, the assumption should be that the process will be used.
Is GDPR worth the effort?
Here’s the honest framing, and it’s more encouraging than the penalty headlines suggest. The fines are real and tiered — process failures like missing consent records or undocumented lawful basis can reach ten million euros or two percent of turnover, with the top tier at twenty million or four percent — but for most senders the larger costs are invisible. Mailing people who never genuinely opted in generates complaints that poison your sender reputation, draw fast action from blocklists, and damage trust, and those deliverability harms often outweigh any fine for a mid-market sender.
Which points to the genuinely useful conclusion: GDPR-compliant email is also better-performing email. The discipline it forces — explicit consent, clean lists, honoured preferences, sensible retention — produces exactly the engaged, permission-based list that deliverability depends on, so compliance and performance pull in the same direction rather than against each other. If you send internationally, the simplest operating rule is to follow the strictest standard you touch, which is usually GDPR. For EU-resident senders who want to keep data in adequate jurisdictions and avoid the transfer machinery entirely, our PowerMTA server hosting gives you control over exactly where your sending infrastructure and data sit — while the underlying discipline of permission and hygiene does the work that protects both compliance and the inbox.