How does GDPR influence email marketing?

Updated on August 4, 2021


You may already know about General Data Protection Regulation (GDPR), but you might still have a few questions about it. 

Here is some information about this European law and how it affects your email marketing campaigns.

This article is presented as a resource; it is not legal advice. If you need more information, we recommend that you speak with a lawyer to learn how GDPR affects your company.

What is GDPR (General Data Protection Regulation)?

When the internet was introduced, the EU issued the 1995 European Data Protection Directive. As technology advanced it was replaced by GDPR, which came into force on May 25, 2018. GDPR is a regulation that applies to any data collected, stored and used about citizens of the European Union, even if the organisation processing it is not based there.

Whilst it is a long and complex regulation, we can help you better understand the key factors that you need to observe, up to date as of the time this article was written, August 2021.

The 7 Principles

Article 5 of the GDPR lists the 7 principles to follow, summarised here:

Lawfulness, fairness and transparency — whatever the use of someone’s personal data, it must be lawful, fair, and transparent to that individual.

Purpose limitation — only use the data for the purpose you stated when collecting it, and that purpose must be legitimate and legal.

Data minimization — collect and use only the minimum data needed for what you want to achieve.

Accuracy — if you save the data, it must be kept accurate and up to date.

Storage limitation — personal data must be safely deleted once you’ve used it for the purpose stated when you collected it.

Integrity and confidentiality — appropriate security must be used when processing the data, ensuring its integrity and confidentiality, e.g. data encryption.

Accountability — the owner of the business, or “data controller”, must be able to demonstrate GDPR compliance with all of these principles.

Let’s take a closer look at some of this to help understand how to apply the regulation in your business.


Personal data (data that identifies an individual) has to be processed lawfully, fairly, securely and transparently, meaning the individual it concerns must be aware of how it is used. Data has to be collected legitimately, you have to be explicit about how you are going to use it, and you must be able to demonstrate the relevance of that use, limiting processing to that purpose only.

An important fact to remember is that all personal data must be stored securely and cannot be kept longer than is necessary to complete the purpose for which you collected it in the first place. The owner of the business, the “controller”, is responsible for complying with the regulation and must be able to demonstrate compliance.


Conditions of consent

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data” (2016, Gdpr.EU). 

Therefore you have to be able to prove that the individual consented to the processing: when they did, what they were told at that time, how they consented, and whether they have since withdrawn consent. An opt-in tick box (never pre-ticked) should be used to indicate consent. Moreover, you could also offer a double opt-in, in which the individual confirms from their own mailbox that they agree to you using their email address and signing them up to your emails; whilst not legally required, this may increase your email deliverability.

If the consent was given in the context of a written declaration, it needs to be clear and easy to understand, otherwise it’s likely to be considered as an infringement of this Regulation.

The data subject has to have the opportunity, at any time, to withdraw consent. So you have to give them the opportunity to opt out and stop their data from being used, with an “unsubscribe” link in the footer of every promotional email, for example.

The fourth condition is “When assessing whether consent is freely given, utmost account shall be taken of whether […] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” (2016, Gdpr.EU). 

Therefore consent requests must be kept separate from your other terms and conditions, and access to your product or service should not be made dependent on giving marketing consent.
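The paragraphs above list what a controller must be able to prove about each opt-in: when it happened, what wording the person saw, how they consented, whether a double opt-in was completed, and whether consent has since been withdrawn. The following consent ledger is an added example written for this article, not code from the original page or from any email provider; the record layout, method names and the in-memory storage are this example's assumptions (a real system would persist the records and log every change).

```python
"""Consent ledger for email marketing (added illustration, not the article's code).

Stores, per address, the evidence a controller needs to demonstrate consent:
when it was given, the exact notice shown, the mechanism used, double opt-in
confirmation and any later withdrawal. Storage is an in-memory dict by assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed reference time used by the demo and the checks below.
SAMPLE_TIME = datetime(2021, 8, 4, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    email: str
    requested_at: datetime          # when the (unticked) opt-in box was ticked
    notice_text: str                # exact wording shown at that moment
    notice_sha256: str              # fingerprint so later edits to the notice are detectable
    method: str                     # e.g. "web-form-checkbox" (hypothetical label)
    confirm_token: Optional[str]    # set while a double opt-in confirmation is outstanding
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    @staticmethod
    def _key(email: str) -> str:
        # Normalise so "Alice@Example.com" and "alice@example.com" share one record.
        return email.strip().lower()

    def record_opt_in(self, email: str, notice_text: str, method: str,
                      at: datetime, double_opt_in: bool = True) -> ConsentRecord:
        """Store the evidence of an affirmative opt-in. With double opt-in the
        address cannot be emailed until confirm() succeeds with the issued token."""
        token = secrets.token_urlsafe(32) if double_opt_in else None
        rec = ConsentRecord(
            email=self._key(email), requested_at=at, notice_text=notice_text,
            notice_sha256=hashlib.sha256(notice_text.encode()).hexdigest(),
            method=method, confirm_token=token,
            confirmed_at=None if double_opt_in else at)
        self._records[rec.email] = rec
        return rec

    def confirm(self, email: str, token: str, at: datetime) -> bool:
        """Complete a double opt-in; constant-time compare avoids leaking token bytes."""
        rec = self._records.get(self._key(email))
        if rec is None or rec.confirm_token is None:
            return False
        if not hmac.compare_digest(rec.confirm_token.encode(), token.encode()):
            return False
        rec.confirmed_at = at
        rec.confirm_token = None   # single use
        return True

    def withdraw(self, email: str, at: datetime) -> bool:
        """Record an unsubscribe / withdrawal of consent."""
        rec = self._records.get(self._key(email))
        if rec is None:
            return False
        rec.withdrawn_at = at
        return True

    def may_email(self, email: str) -> bool:
        """True only for confirmed, non-withdrawn consent."""
        rec = self._records.get(self._key(email))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str) -> Optional[dict]:
        """The proof package a supervisory authority or data subject could ask for."""
        rec = self._records.get(self._key(email))
        if rec is None:
            return None
        return {
            "when": rec.requested_at.isoformat(),
            "told": rec.notice_text,
            "notice_sha256": rec.notice_sha256,
            "how": rec.method,
            "confirmed": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
            "withdrawn": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
        }


if __name__ == "__main__":
    ledger = ConsentLedger()
    rec = ledger.record_opt_in("Alice@Example.com", "We will send you our monthly newsletter.",
                               "web-form-checkbox", SAMPLE_TIME)
    ledger.confirm("alice@example.com", rec.confirm_token, SAMPLE_TIME)
    print(ledger.may_email("alice@example.com"), ledger.evidence("alice@example.com"))
```

Hashing the notice text lets you show later that the wording on file is the wording the person actually saw, even after the live form has been edited; the constant-time token comparison and the single-use token are the two details most often missed in home-grown double opt-in flows.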

Here you can see an example of consent conditions (Iubenda):

[Image: example of conditions of consent for GDPR]

Deleting personal data

Article 17 of the GDPR says that a person has the right to have their personal data deleted, and that the organization is obliged to delete that person’s data without undue delay, provided one of the following conditions is met:

the personal data is no longer needed for what it was originally collected for;

the individual withdraws their consent, and it is not legally required for anything else, see Article 6(1) and Article 9(2);

the data subject objects to the processing pursuant to Article 21;

the personal data has been processed unlawfully;

it has to be erased in order to comply with a legal obligation under Union or Member State law to which the organization is subject;

the collection of the personal data was done in relation to the offer of information society services referred to in Article 8.

Data breaches

The personal data breach according to GDPR means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (2016, GDPR). 

Generally, one of the main causes of data breaches is personal data being sent to the wrong recipient by mistake. Breaches also occur when personal data is modified without authorisation, when the devices or media holding the personal data are stolen or lost, or through accidental action by the controller.

Can I still use email marketing?

Yes, you may. In short, GDPR is about protecting the personal data of identifiable individuals, not about banning email marketing.

This law doesn’t harm email marketing campaigns; it is simply a new way to protect more of the consumer’s data. Mailbox providers already filter emails they consider spam, so if you practise email marketing well you don’t have anything to worry about: just follow our recommendations.

What GDPR does is clarify the terms and put them in writing. You have to ask your recipients whether they want to opt in before you can interact with them. Moreover, you also have to give them the choice to opt out at any time.

Therefore, you may still cold email in a B2B context while respecting some rules:


Target your prospect carefully

This rests on a legal basis. You need to be able to show that the person may actually benefit from your email, so make sure you keep your lists clean and up to date. It doesn’t make sense to send emails to a person who isn’t interested in them: they are not going to interact with you, so your engagement will be lower and your IP reputation and domain reputation will suffer. In the end, this will land you in the spam folder. If you have doubts about how to maintain a quality list, check this article.

Be transparent

This is an information duty: make sure you tell recipients how you obtained their email address, include a very clear unsubscribe link, and be ready to remove contacts from your audience when they ask.

[Image: how to ask your audience to subscribe to your newsletter]

One really useful example is the case of SuperOffice. They give users a web form in which they choose whether they want to subscribe to the newsletter (option on the right) or receive email marketing (option on the left).

Don’t use personal information longer than needed

We recommend unsubscribing the inactive contacts in your database after 30 days or 3 emails without an answer. Beyond being part of your duty towards the data subject, you really have to do it if you want your campaigns to succeed.
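The storage-limitation rule of thumb just given (unsubscribe after 30 days or 3 emails without an answer) is easy to state but easy to get subtly wrong in a CRM export. The script below is an added example for this article, not code from the original page or from any vendor; the contact layout is constructed, and the way the clock is counted (from the first email that went unanswered, so a reply resets it) is this example's assumption.

```python
"""Prune inactive contacts (added illustration, not the article's code).

Applies the article's rule: a contact who has received 3 emails without
replying, or whose first unanswered email is 30 or more days old, is flagged
for unsubscription so their personal data is not kept longer than needed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed reference time used by the sample data below.
SAMPLE_NOW = datetime(2021, 8, 4, tzinfo=timezone.utc)


@dataclass
class Contact:
    email: str
    sent_at: List[datetime]                 # every campaign email sent to this address
    last_reply_at: Optional[datetime] = None


def unanswered_emails(c: Contact) -> List[datetime]:
    """Emails sent after the contact's last reply (all of them if they never replied)."""
    if c.last_reply_at is None:
        return list(c.sent_at)
    return [t for t in c.sent_at if t > c.last_reply_at]


def inactivity_reason(c: Contact, now: datetime,
                      max_days: int = 30, max_unanswered: int = 3) -> Optional[str]:
    """Return why the contact should be unsubscribed, or None if still active."""
    pending = unanswered_emails(c)
    if not pending:
        return None                      # nothing sent since they last engaged
    if len(pending) >= max_unanswered:
        return f"{len(pending)} emails without an answer"
    silent_for = now - min(pending)      # age of the oldest unanswered email
    if silent_for >= timedelta(days=max_days):
        return f"no reply for {silent_for.days} days"
    return None


def contacts_to_unsubscribe(contacts: List[Contact], now: datetime,
                            max_days: int = 30, max_unanswered: int = 3) -> List[Tuple[str, str]]:
    """(email, reason) pairs for every contact that should be removed from the list."""
    out = []
    for c in contacts:
        reason = inactivity_reason(c, now, max_days, max_unanswered)
        if reason:
            out.append((c.email, reason))
    return out


def sample_contacts(now: datetime = SAMPLE_NOW) -> List[Contact]:
    """Constructed sample data covering each branch of the rule."""
    d = lambda days: now - timedelta(days=days)
    return [
        Contact("a@example.com", [d(40)]),                              # one email, 40 days silent
        Contact("b@example.com", [d(10), d(7), d(3)]),                  # three unanswered, recent
        Contact("c@example.com", [d(20), d(5)], last_reply_at=d(4)),    # replied after every email
        Contact("e@example.com", [d(50), d(5)], last_reply_at=d(6)),    # replied, then 1 email 5 days ago
    ]


if __name__ == "__main__":
    for email, reason in contacts_to_unsubscribe(sample_contacts(), SAMPLE_NOW):
        print(f"unsubscribe {email}: {reason}")
```

Run it and only a@example.com and b@example.com are flagged; the contacts who replied recently stay, because a reply resets the count and the clock. Feed the flagged addresses to your unsubscribe routine rather than deleting the rows outright, so the suppression itself remains provable.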

GDPR mostly restricts bulk emailing and spamming, but targeted cold email campaigns are still effective; in fact, statistics suggest that cold emailing has never been more effective or more widely used among the online sales channels that companies rely on.

As you can see, you do not need consent to email someone as long as the content is highly relevant, you provide a clear unsubscribe link and a reason for contacting them, and you don’t overuse their data.

To conclude, here are some frequently asked questions that you may have.

If I use an outsourced list, does the GDPR still apply?

Yes. GDPR governs how data is stored and used, not only how it is gathered, so the origin of your data does not change your obligations.

Are follow-ups GDPR compliant?

Yes, the same rule applies as to the first email, although we do recommend limiting the number of follow-ups, to avoid frustrating your audience. Our campaigns are designed with 3-5 follow-ups, depending on how busy your recipient is.

My company is based outside of the EU; does GDPR affect me?

GDPR applies to any company that uses and processes data from EU citizens and residents. So, even if your organisation is in, say, Australia, you need to comply.

If you think you may have issues with your email deliverability but are not sure what is causing them, we can help you with an audit. Ongoing support will ensure everything stays compliant and continues to work smoothly and efficiently.
