Compliance · GDPR

GDPR Email Guide: Lawful Basis, Data Rights, and Transfers

GDPR treats email addresses as personal data, so sending marketing email to anyone in the EU or UK requires a lawful basis — usually explicit consent for marketing, contractual necessity for transactional mail, and occasionally legitimate interest for existing customers if carefully documented. Beyond the basis, you must honour data subject rights like access and erasure within thirty days, set retention limits, and report qualifying breaches within seventy-two hours. The piece most senders underestimate is data transfers: moving EU email data to a country without an adequacy decision requires Standard Contractual Clauses plus a transfer impact assessment, which makes where your email provider and servers physically sit a compliance question, not just a technical one. This guide is general information, not legal advice.

Key takeaways

  • Email is personal data. GDPR applies to anyone mailing EU or UK residents, wherever the sender is based.
  • Pick a lawful basis per stream. Consent for marketing, contract for transactional, legitimate interest only with documentation.
  • Rights have deadlines. Access, erasure, and portability requests must be executed within thirty days.
  • Transfers are the trap. Sending EU data to a non-adequate country needs SCCs and a transfer impact assessment.
  • Where data lives matters. Your provider’s and servers’ location is a GDPR question, not just an infrastructure one.

GDPR is the framework most email programs handle least confidently, partly because it operates on two levels at once — the law that governs processing the data, and the rules that govern actually sending the message. For senders whose data crosses borders, it adds a third dimension that’s easy to miss until an audit finds it. This guide walks the practical obligations, with particular attention to the data-handling and transfer questions that decide where your infrastructure can sit. It’s general information, not legal advice — confirm specifics with counsel.

GDPR’s two parallel frameworks

At its foundation, GDPR treats an email address as personal data deserving protection, which means anyone collecting, storing, or using the addresses of people in the EU or UK falls under it — regardless of where the sender is based. The crucial structural point that trips people up is that email marketing actually sits under two parallel frameworks operating simultaneously: GDPR provides the lawful basis to process the address, while the ePrivacy rules govern whether you may send the communication at all. Getting one right and the other wrong still creates legal exposure.

That dual structure explains a lot of the apparent contradictions in GDPR guidance. You can have a perfectly valid GDPR lawful basis for holding someone’s data and still lack the ePrivacy consent needed to email them marketing, or vice versa. Underneath both is a single principle the regulation keeps returning to: process data only with a clear justification, be transparent about it, and respect the individual’s control over their own information — the obligations that follow are all expressions of that idea.

How do you choose a lawful basis?

Every email you send needs a documented lawful basis, and the practical exercise is to categorise your email streams and assign one to each. Most marketing email relies on consent. Transactional email that’s necessary to deliver a service the user signed up for — receipts, password resets, shipping updates — relies on contractual necessity rather than consent. A narrow soft opt-in under legitimate interest can cover existing customers for similar products, but only if you document the reasoning and offer an opt-out on every send. The table maps the common streams.

Lawful basis by email stream under GDPR.
Email streamTypical lawful basisCondition
Marketing campaignsConsentFreely given, specific, logged
TransactionalContractual necessityRequired to fulfil the service
Existing-customer offersLegitimate interest (soft opt-in)Similar products, opt-out each send
Cold outreachConsent (usually)Rarely valid for purchased lists

Two cautions matter here. Legitimate interest is increasingly risky as a marketing basis: authorities and courts interpret it narrowly, you must demonstrate necessity and balance it against recipients’ reasonable expectations, and because recipients can object without justification you end up needing the same suppression infrastructure as consent anyway — which is why most operations default to consent. And purchased lists almost never work: buying addresses doesn’t transfer the consent under which they were collected, the buyer becomes a controller who must independently verify a valid basis, and that’s rarely possible.

Choosing consent as your basis is only half the obligation — you also have to prove it, and the consent record is where most programs quietly fail. A valid record is more than a checkbox state; it captures who consented, when, through which form, and the exact disclosure language they saw, all with a timestamp. Without that documentation you can’t defend a lawful basis under scrutiny, which is why consent metadata should be stored as a first-class part of the subscriber record rather than reconstructed later.

The collection point matters as much as the storage. A compliant signup form uses separate, unchecked checkboxes for each type of communication rather than one bundled opt-in, written in plain language that says exactly what the person will receive, with the privacy policy linked right next to the consent rather than buried in a footer. Pre-checked boxes and bundled consent are among the most common violations, because consent must be a clear affirmative action — and double opt-in, which adds a confirmation step, produces the cleanest record of all for EU subscribers.

What rights do subscribers have?

GDPR gives data subjects a set of rights you must be able to honour operationally, not just acknowledge in a privacy policy. The core ones for email are the right of access (provide all data you hold on them), the right to erasure (delete it), the right to data portability (export it in a usable form), the right to restriction, and the right to object to processing. For email specifically, the right to withdraw consent must be as easy as it was to give — which in practice means a working unsubscribe and preference management, processed immediately.

The operational demand behind these rights is a deadline and a capability. You generally have thirty days to execute a data subject request, and meeting that requires being able to locate a person’s data across whatever disconnected platforms hold it — your ESP, CRM, analytics, and backups — and act on it. Regulators explicitly weigh your response capability when assessing penalties, so a centralised process for finding and deleting or exporting a subscriber’s data is itself a compliance control, not just good hygiene.

How do international data transfers work?

This is the obligation email senders most often overlook, and it’s where the location of your infrastructure becomes a legal question. Whenever EU personal data moves to a country outside the EEA, GDPR requires a valid transfer mechanism. The simplest is an adequacy decision: the European Commission has recognised a short list of countries — only around fourteen as of early 2026, including the UK, Switzerland, Japan, New Zealand, South Korea, and Canada for commercial organisations — as providing equivalent protection, allowing free transfer. The US is covered conditionally through the Data Privacy Framework, but only for vendors that are specifically certified. The flow below shows the decision.

Transferring EU email data abroadEU dataleaving the EEAAdequacy?~14 countries + US/DPFYes → transfer freelyadequacy covers itNo → SCCs + TIAtransfer impact assessment +supplementary measures (encryption)
Adequacy allows free transfer; everywhere else needs Standard Contractual Clauses plus a transfer impact assessment and technical safeguards.

When there’s no adequacy decision — which covers most of the world, including countries with strong laws like Brazil, plus Australia and India — you need Standard Contractual Clauses, the Commission-approved model contracts that bind the recipient to GDPR-level protection. But since the Schrems II ruling, SCCs alone aren’t enough: you must conduct a transfer impact assessment evaluating whether the destination’s surveillance laws undermine those protections, then add supplementary measures like encryption and pseudonymisation. This is exactly why data residency has become a live concern for email programs.

Why provider and server location matters

Putting the transfer rules together produces a conclusion that’s easy to miss: your choice of email provider and the physical location of your sending servers is a GDPR decision. If your ESP processes data in the US without Data Privacy Framework certification, or routes through a non-adequate country, you’ve created an international transfer that needs SCCs and an assessment — and the largest GDPR penalty ever issued, well over a billion euros, was for transfer violations specifically. The location of the infrastructure isn’t a back-office detail; it’s the front line of transfer compliance.

This is the practical reason European and EU-resident senders increasingly favour providers and infrastructure that keep data within the EEA or in adequate jurisdictions. Keeping EU data in the EU sidesteps the transfer machinery entirely — no SCCs, no transfer impact assessment, no supplementary-measures analysis — which is both simpler and less legally exposed. Choosing where your servers sit, and verifying your provider’s certifications and transfer mechanisms, is the kind of decision our sovereign cloud guide works through for data-sensitive operations.

Controller versus processor responsibility

GDPR splits responsibility between the controller, who decides why and how data is processed, and the processor, who handles it on the controller’s instructions — and in email, you’re usually the controller while your ESP or agency is the processor. That relationship has to be formalised in a data processing agreement, and the controller carries a duty of due diligence: you must verify that your processor has appropriate transfer mechanisms in place, holds relevant certifications, and can support the rights and security obligations you’re accountable for. You don’t outsource the responsibility by using a vendor.

That due-diligence duty is why vendor selection is a compliance act. Before choosing an email platform, you need to confirm where it processes data, what transfer safeguards it uses, whether it’s Data Privacy Framework certified if it’s US-based, and how it handles data subject requests and breaches. A processor with weak safeguards becomes your liability, since you remain the controller answerable to the supervisory authority — a point that matters whether you’re evaluating a managed platform or, as our hosting migration guide covers, moving infrastructure between providers.

Retention, breaches, and ongoing obligations

Two ongoing obligations round out the operational picture. The first is retention: GDPR’s storage-limitation principle means you should hold personal data only as long as you have a reason to, deleting it when the purpose ends or consent is withdrawn. A documented retention policy — often tiered by engagement and consent status — is both required and useful, since indefinitely hoarding engagement histories accumulates liability without adding value. The second is breach notification, and the terminal captures the timeline.

gdpr-email-obligations
# Ongoing GDPR obligations for an email program
LAWFUL BASIS .. documented per email stream
CONSENT LOG … timestamp + source + language shown
DSAR … locate + act within 30 days
RETENTION … delete when purpose ends / consent withdrawn
TRANSFERS … adequacy, or SCCs + transfer impact assessment
DPA … processor agreement with every vendor
BREACH … notify authority within 72 hours
# High-risk breach: notify affected individuals directly, too.

The breach rule is strict and time-bound: you must detect, investigate, and report a qualifying personal data breach to your supervisory authority within seventy-two hours, and where the breach poses a high risk to individuals — leaked passwords or financial data — you must notify those people directly as well. Regulators expect contemporaneous logs rather than reconstructed timelines, so the procedure has to exist before you need it. With breach notifications now running into the hundreds per day across the EU, the assumption should be that the process will be used.

Is GDPR worth the effort?

Here’s the honest framing, and it’s more encouraging than the penalty headlines suggest. The fines are real and tiered — process failures like missing consent records or undocumented lawful basis can reach ten million euros or two percent of turnover, with the top tier at twenty million or four percent — but for most senders the larger costs are invisible. Mailing people who never genuinely opted in generates complaints that poison your sender reputation, draw fast action from blocklists, and damage trust, and those deliverability harms often outweigh any fine for a mid-market sender.

Which points to the genuinely useful conclusion: GDPR-compliant email is also better-performing email. The discipline it forces — explicit consent, clean lists, honoured preferences, sensible retention — produces exactly the engaged, permission-based list that deliverability depends on, so compliance and performance pull in the same direction rather than against each other. If you send internationally, the simplest operating rule is to follow the strictest standard you touch, which is usually GDPR. For EU-resident senders who want to keep data in adequate jurisdictions and avoid the transfer machinery entirely, our PowerMTA server hosting gives you control over exactly where your sending infrastructure and data sit — while the underlying discipline of permission and hygiene does the work that protects both compliance and the inbox.

Frequently asked questions

Does GDPR apply to my email if I’m not in the EU?
Yes, if you’re emailing people in the EU or UK. GDPR governs the personal data of EU and UK residents regardless of where the sender is based, and email addresses count as personal data. So a US or Canadian company mailing EU subscribers must comply — establishing a lawful basis, honouring data subject rights, and meeting transfer rules. If you market internationally, the practical approach is to follow the strictest standard you touch, which is usually GDPR.
What lawful basis do I need to send marketing email?
Usually consent. Most marketing email relies on freely given, specific, documented consent, while transactional email necessary to deliver a service — receipts, password resets — relies on contractual necessity instead. A narrow legitimate-interest soft opt-in can cover existing customers for similar products if documented with an opt-out on every send, but authorities interpret it narrowly for marketing and recipients can object freely, so most operations default to consent. Purchased lists almost never provide a valid basis.
Can I transfer EU email data to a US provider?
Only with a valid transfer mechanism. The US has conditional adequacy through the Data Privacy Framework, but only for vendors specifically certified under it — so check your provider’s certification individually. If the provider isn’t certified, you need Standard Contractual Clauses plus a transfer impact assessment evaluating whether US surveillance laws undermine the protection, and supplementary measures like encryption. The simplest way to avoid this entirely is keeping EU data with EU-based or adequate-jurisdiction infrastructure.
How fast must I respond to a data deletion request?
Generally within thirty days. GDPR data subject rights — access, erasure, portability, restriction, objection — must be executed within that window, which requires being able to locate a person’s data across all the platforms that hold it: your ESP, CRM, analytics, and backups. Regulators weigh your response capability when assessing penalties, so a centralised process for finding and acting on a subscriber’s data is itself a compliance control, not just good practice.
What happens if I have a data breach?
You must notify your supervisory authority within seventy-two hours of becoming aware of a qualifying personal data breach, with contemporaneous logs of what happened, when, what data was affected, and what you did. If the breach poses a high risk to individuals — such as leaked passwords or financial data — you must also notify the affected people directly. The procedure needs to exist before the breach, since reconstructing a timeline after the fact won’t satisfy regulators.