GDPR-Compliant Email Sending

GDPR-compliant email sending needs two legal bases working together, which is the detail most senders miss: a GDPR lawful basis to process the email address, and — under the ePrivacy rules (PECR in the UK) — consent or a valid soft opt-in to actually send marketing. Legitimate interest under GDPR is not enough on its own to hit send. Consent must be freely given, specific, informed, unambiguous, and documented; pre-ticked boxes and purchased lists do not qualify. Most of this is your process, not something a host provides. What infrastructure does provide is the reliable part — immediate suppression of opt-outs, durable consent and retention records, security, and data residency. MCSNET runs that on Canadian infrastructure in Toronto covered by Canada's EU adequacy decision.

Key takeaways

  • GDPR-compliant sending needs two bases: a GDPR lawful basis to process the address, and ePrivacy/PECR consent (or soft opt-in) to send — getting either wrong creates exposure.
  • Legitimate interest is not enough to send marketing email; ePrivacy requires consent or a valid soft opt-in regardless of your GDPR basis.
  • Valid consent is freely given, specific, informed, unambiguous and documented — pre-ticked boxes, bundled consent and purchased lists do not qualify.
  • Most GDPR compliance is your process — consent, lawful basis, legal advice — not something a host can supply.
  • What infrastructure provides is the reliable part: immediate suppression, durable consent and retention records, security, and EU-adequacy-covered Canadian data residency.

The single most common misunderstanding about GDPR and email is that it is one law with one rule — “get consent.” It is actually two legal frameworks working in parallel, and the one that governs whether you can press send is the one most senders overlook. Add the strict standard for what counts as valid consent, the narrow limits of the soft opt-in, and the fact that almost none of this is something a hosting provider can supply for you, and “GDPR-compliant sending” turns out to be mostly about your own process. This page lays out what GDPR and ePrivacy actually require, where the lines are, and — honestly — which parts are yours and which parts are the infrastructure we provide.

What does GDPR actually require for email?

GDPR treats an email address as personal data, which means sending email is processing personal data and triggers the regulation’s core obligations. You need a lawful basis to process the data; you must be transparent about what you collect and why; you must respect the data-minimization and purpose-limitation principles, collecting only what you need and using it only for what you said; you must honour individual rights — access, deletion, portability, and objection; and you must keep the data secure with appropriate technical and organizational measures. Crucially, GDPR applies based on whose data it is, not where you are: if you email or track people in the EU, GDPR can apply even if your company sits outside the EU entirely. So the starting point for any sender to European recipients is that the subscriber data behind your sending is regulated personal data, and every part of how you collect, store, use, and protect it falls within scope. That is the GDPR layer — but for marketing email, it is only half the picture.

Why isn’t GDPR consent the whole story?

Because a second framework governs the act of sending, and it operates alongside GDPR rather than inside it. The ePrivacy rules — the EU ePrivacy Directive, implemented in national law across member states, and PECR in the UK — specifically regulate electronic marketing. The result is that compliant marketing email needs two bases in parallel: a GDPR lawful basis to process the email address, and, under ePrivacy, consent or a valid soft opt-in to actually send the marketing message. These address different aspects of the same activity, and getting either wrong creates exposure regardless of which member state you or your recipient is in. The point that catches even careful senders is precedence: for marketing emails, the ePrivacy consent requirement effectively governs the send, so satisfying GDPR alone does not authorize the campaign. A business can lawfully hold an email address under GDPR and still violate ePrivacy by marketing to it without the required consent. Two frameworks, two questions: may I process this data, and may I send this message — both must be answered yes.

Not for everything, and the distinction matters operationally. Marketing email almost always requires consent or a valid soft opt-in. Transactional email — order confirmations, password resets, shipping updates — generally rests on contract or legitimate interest rather than consent, because it is necessary to deliver something the person asked for. The dangerous move is blending the two: a shipping notification is fine, but a shipping notification carrying a “you might also like” promotion needs consent for the marketing portion, because you have smuggled marketing into a transactional message. The other tempting shortcut is legitimate interest. Under GDPR, legitimate interest is a valid lawful basis for some processing, but ePrivacy requires consent or soft opt-in to send marketing regardless of your GDPR basis — so legitimate interest can cover internal handling but does not authorize a promotional send. Treating it as a catch-all to avoid getting consent is among the most common and most penalised errors. The clean rule: transactional rides on contract or legitimate interest; marketing needs consent or a qualifying soft opt-in.

Message typeePrivacy requirementLikely GDPR basis
Marketing to individualsConsentConsent
Marketing to existing customersSoft opt-in (if it qualifies)Legitimate interest
Transactional (receipts, resets)NoneContract
Internal data processingn/aLegitimate interest

Consent under GDPR is not a box you can quietly assume; it has a precise quality standard. It must be freely given, specific, informed, unambiguous, and expressed through a clear affirmative action — and you must be able to prove it. Concretely, that is an unchecked opt-in box the person actively ticks, kept separate from accepting your terms, with plain language stating what they will receive and from whom, and a linked privacy notice. Several practices fail this standard everywhere in the EU: pre-ticked boxes, because silence is not consent; bundled consent, where ticking marketing is a condition of buying or signing up; and vague language that does not specify the marketing. You must also document the consent — timestamp, mechanism, and what was agreed — and store it securely, because the burden of proof sits entirely on you. And withdrawal must be as easy as the original opt-in. The hard implication for established programs is that a list built before these standards, or one where you cannot show what people agreed to, is not safe to keep mailing; the compliant move is to re-permission rather than rely on consent you cannot evidence.

The soft opt-in, and its real limits

The soft opt-in is the one route to emailing people without fresh consent, and it is narrower than most senders treat it. It applies only when all of its conditions hold: the recipient is an existing customer whose details you obtained during a sale or the negotiation of a sale; you are marketing your own similar products or services; and you gave a clear opportunity to opt out both when you collected the address and in every message since. The word that does the work is similar — and it means similar. A customer who bought your accounting software can be told about accounting features; they cannot be enrolled, under the soft opt-in, into marketing for an unrelated product line. It also does not stretch to cover people who merely downloaded a guide, attended a webinar, or filled in a form without buying, because they are not customers. Used inside its limits, the soft opt-in is a legitimate and useful basis for customer marketing; applied to prospects or unrelated products, it is one of the violations supervisory authorities most often act on.

Why you can’t email a purchased list

This deserves stating plainly because it remains widespread: buying a list of email addresses does not give you a basis to email them. Consent does not transfer with the data — the consent (if any) those people gave was to the party that collected it, for that party’s purposes, not for yours. When you buy the list you become a controller in your own right and must independently establish a valid basis to send to each address, which you cannot do for contacts whose collection circumstances you never controlled and cannot evidence. The same logic applies to scraped addresses and to inherited lists from an acquisition where the consent records did not come with them. There is rarely a lawful way to make a purchased list work for marketing under GDPR and ePrivacy, and the attempt tends to produce exactly the spam complaints and traps that wreck deliverability as well. The honest position is that list buying is both a compliance failure and a deliverability one, and the only durable list is one you built yourself with consent.

GDPRmay I process this address?lawful basisconsent · legitimate interest · contractePrivacy / PECRmay I send this marketing?consent OR soft opt-inlegitimate interest does NOT sufficeboth must be YES to send compliant marketingtwo parallel frameworks, two separate questions
GDPR governs whether you may process the address; ePrivacy governs whether you may send the marketing — both must be satisfied.

Unsubscribe and data-subject rights

Two ongoing obligations are where infrastructure and process meet, and where lapses generate the most complaints. Unsubscribe must be as easy as opting in, must be honoured promptly, and continuing to send after someone opts out is the single most common source of supervisory complaints — so suppression has to be immediate and durable, with a simple unsubscribe-from-all always available even if you also offer a preference centre. Beyond unsubscribe, individuals hold data-subject rights: access to their data, deletion, portability, and the right to object, and you must respond within one month. Honouring these reliably is partly a process question — having a path to receive and action requests — and partly an infrastructure one, because deleting a person’s data and ensuring they are not re-mailed depends on your systems doing it correctly and permanently. The recurring failure pattern is old records finding their way back into campaigns after an opt-out or deletion, which is both a compliance breach and a deliverability risk. Reliable, global, durable suppression is the technical backbone that makes the unsubscribe and deletion promises real.

What’s your process, and what’s infrastructure?

Here is the honest division, because it determines what we can and cannot do for you. The compliance core is your process: choosing and documenting a lawful basis, designing valid consent capture, qualifying the soft opt-in correctly, writing your privacy notice, and getting legal advice on your specific situation — none of which a hosting provider supplies, and we will not pretend otherwise. What infrastructure provides is the reliable execution of the parts that are technical: immediate, durable, global suppression so opt-outs and deletions actually stick; secure storage of consent and retention records so you can prove what was agreed and enforce your retention policy; the security measures GDPR’s Article 32 expects, with encryption and access controls; and data residency, where Canadian infrastructure under the EU adequacy decision gives a lawful transfer basis for ordinary commercial personal data. In short: we do not make you GDPR-compliant — your consent practices and legal posture do that — but we make the infrastructure under your sending support compliance rather than undermine it. Confusing those two is how senders buy a “GDPR-compliant” product and still get fined for their own process.

How we support GDPR-compliant sending

With MCSNET, we run the infrastructure side properly so your compliant process has a foundation it can rely on. Suppression is immediate, durable, and global across your sending, so an unsubscribe or deletion is honoured at once and stays honoured — the recurring failure that generates complaints simply does not happen. Consent and retention records are stored securely, so you can evidence what was agreed and enforce your retention policy rather than keep data indefinitely by default. The data is protected with the encryption and access controls GDPR expects, and it resides on Canadian infrastructure covered by Canada’s EU adequacy decision, giving ordinary commercial personal data a lawful transfer basis without Standard Contractual Clauses. The same foundation carries your deliverability, so the clean, consented list that compliance requires is also the list that reaches the inbox. We are clear about the boundary: the consent, the lawful basis, and the legal judgement are yours, and we will point you to counsel for them — but every technical part that compliance depends on, we run to the standard it deserves.

Why work with us?

Because we tell you the truth about where compliance lives and then run our part of it correctly. Plenty of providers sell a “GDPR-compliant” badge that quietly implies they handle obligations only you can meet; we draw the line explicitly between your process — consent, lawful basis, legal advice — and the infrastructure we provide. On our side, suppression is immediate and durable, consent and retention records are secure, the data is encrypted and access-controlled, and it resides on adequacy-covered Canadian infrastructure with a lawful transfer basis. That same foundation is what makes a consented list deliver, so compliance and performance reinforce each other. We will send you to a lawyer for the parts that need one, because the goal is a sending operation that survives a regulator’s question — not a label that does not.

# gdpr sending · your process vs our infrastructure
your process   lawful basis · consent capture · soft opt-in
your process   privacy notice · legal advice  we don’t supply
infra          suppression immediate · durable · global  we run
infra          consent + retention records secure
infra          encryption + access control (Art. 32)
infra          data residency · canada EU-adequacy basis
boundary       a host can’t make your process compliant

Who this is for, and who it is not

It is for senders to EU and UK recipients who want the infrastructure under their email to support GDPR and ePrivacy compliance reliably — immediate suppression, secure consent and retention records, encryption, and a lawful data-residency basis — and who understand that the consent and lawful-basis work is theirs to own. It is for teams who would rather build a clean, consented, well-suppressed list than gamble on legitimate interest or a purchased list, and who value that the same discipline improves deliverability. It is explicitly not a substitute for legal advice on your consent design, lawful basis, or privacy notice, and it is not a way to make a non-compliant process compliant by changing hosts — no infrastructure can do that. GDPR-compliant sending sits alongside the EU-sovereign and data-residency questions it touches, and mirrors, for Europe, the consent discipline of CASL in Canada. Own your consent and your lawful basis, run them on infrastructure built to honour them, and GDPR stops being a threat to your email and becomes the reason your list is worth sending to.

Frequently asked questions

Does GDPR ban email marketing?
No — it bans careless email marketing. GDPR treats an email address as personal data, so sending marketing is processing personal data and needs a lawful basis, and the ePrivacy rules add that marketing emails generally require consent or a valid soft opt-in to send. What GDPR ended is lazy practice: buying lists, pre-ticked boxes, burying marketing consent in terms of service, and emailing people who never asked. Done properly, GDPR-compliant marketing tends to be better marketing, because a list of people who actively chose to hear from you engages more, converts better, and deliverability improves as a result. The penalties are real — thousands of fines totalling billions of euros have been issued — but the path to compliance is not exotic: get clear opt-in or a valid soft opt-in, document it, make leaving easy, honour opt-outs immediately, and keep the data secure and no longer than necessary.
Can I rely on legitimate interest instead of consent?
Not to send marketing email — this is the trap that catches the most senders. GDPR gives you several lawful bases for processing personal data, including legitimate interest, and you can use legitimate interest for some processing around your marketing infrastructure. But the ePrivacy rules govern the act of sending the marketing message, and they require consent or a valid soft opt-in regardless of your GDPR lawful basis. Article 13 of the ePrivacy Directive effectively takes precedence over GDPR for marketing emails on this point. So legitimate interest can cover internal data handling, but it does not give you permission to press send on a promotional campaign to someone who has not consented or who does not qualify under the soft opt-in. Treating legitimate interest as a catch-all for marketing sends is one of the most common and most penalised mistakes, which is why the honest answer is: for marketing, get consent or a valid soft opt-in.
What makes consent valid under GDPR?
Consent must be freely given, specific, informed, unambiguous, and given by a clear affirmative action — and you must be able to prove it. In practice that means an unchecked opt-in box the person actively ticks, separate from accepting your terms, with plain language stating what they will receive and from whom, and a linked privacy notice. Several things are invalid everywhere: pre-ticked boxes, because silence or inactivity is not consent; bundled consent, where agreeing to marketing is tied to completing a purchase or accepting terms; and vague catch-all language. You also have to document the consent — the timestamp, the mechanism, and what the person agreed to — and store those records securely, because the burden of proving valid consent rests entirely on you, the sender. Withdrawing consent must be as easy as giving it. If you built a list before these standards or cannot show what people agreed to, the safe path is re-permissioning rather than assuming the old consent holds.
What is the soft opt-in and when can I use it?
The soft opt-in is a narrow exception that lets you email existing customers without fresh consent, but its conditions are stricter than most senders apply. It works only when the person is an existing customer whose contact details you obtained in the course of a sale or negotiation of a sale, when you are marketing your own similar products or services, and when you gave them a clear chance to opt out both at the point of collection and in every message since. The phrase that trips people up is similar: similar means similar. If someone bought your CRM tool, you cannot use the soft opt-in to market an unrelated HR product. It also does not cover prospects who merely downloaded content or attended a webinar without buying — they are not customers. Used within its real limits, the soft opt-in is legitimate; stretched beyond them, it is one of the more common violations regulators act on.
How long can I keep subscriber data under GDPR?
There is no fixed number in GDPR — the rule is that you keep personal data no longer than necessary for the purpose you collected it for, which means you need a documented retention policy and you need to follow it. For an active subscriber, that is for as long as they remain subscribed and engaged. When someone unsubscribes, you stop using their data for marketing, and you generally delete it unless you have another lawful reason to retain part of it — notably, you keep enough on a suppression list to ensure you do not email them again, which is itself a compliance requirement. Lapsed contacts matter too: a list segment with no engagement for roughly a year is a re-permissioning candidate rather than something to keep mailing on the assumption the old consent still holds. Data-subject requests add a hard timer — access, deletion, and portability requests must be answered within one month. The practical posture is to retain deliberately, delete when the purpose ends, and keep the records that prove you did.
Talk to the team that runs the MTA, not just the box.
Toronto-based, PIPEDA-aligned email infrastructure — licensed, configured, and monitored.
Configure a server