GDPR and email marketing: the complete compliance guide
What's allowed and what's not? Consent, data residency, right to erasure, and audit trails — explained without legal jargon. A practical guide to email marketing that follows the law.
You know you need to comply with GDPR. Everyone does. But when it comes to the day-to-day reality of email marketing, things get murky fast: When exactly do you need consent? What about existing customers? How much do you need to document? And what actually happens if you get it wrong?
This guide is written for businesses that use email marketing and want to do it legally — without drowning in legal text.
The three pillars: consent, transparency, and control
GDPR boils down to three things when it comes to email marketing:
1. Consent. You need permission to send. And that permission must be given freely, with clear information about what the person is agreeing to. The official GDPR text spells out the conditions for consent in Article 7.
2. Transparency. Your contacts need to know what you do with their data. Who is the data controller? What do you use data for? How long do you keep it?
3. Control. Your contacts must be able to withdraw consent, request access to their data, and request deletion. Not tomorrow — now.
Consent: what counts and what doesn’t
The most misunderstood area. Here are the rules in practice:
What counts as valid consent:
- A checkbox that is NOT pre-checked, with clear text about what the person is signing up for
- Double opt-in (confirmation email after signup) — not a requirement in itself, but the strongest form of documentation
- Separate consent per purpose — one consent for newsletters, another for product updates
- Timestamp, IP address, and the exact text shown at the time of signup
What does NOT count:
- Pre-checked boxes — invalid consent under GDPR
- “By using this website you agree to…” — too vague and passive
- Bundled consent (“accept our newsletter to download the ebook”) — must be voluntary
- Verbal consent without documentation — cannot be proven
What about existing customers?
This is where it gets more nuanced. If a person is already a customer, you may in some cases send emails about related products or services based on “legitimate interest” — but only for B2B and only if:
- You clearly informed them at the time of purchase that you would send marketing
- The content relates to what they already bought
- They can easily unsubscribe (unsubscribe link in every email)
- You have a documented balancing test (legitimate interest assessment)
For B2C, the rules are stricter. You should always have explicit consent.
Data residency: where is your contacts’ data?
It’s not enough for your email platform to be “GDPR-compliant.” You also need to know where data physically resides.
Questions you need to be able to answer:
- In which country does your email platform host your contacts?
- Is data transferred to countries outside the EU/EEA?
- If yes, under what legal basis? (Standard Contractual Clauses? EU-US Data Privacy Framework?)
- Do you have a Data Processing Agreement (DPA) with your platform?
Most American platforms (Mailchimp, ActiveCampaign, HubSpot) process data in the USA. This is technically legal under the EU-US Data Privacy Framework — but it’s the third agreement of its kind. The previous two were struck down by the European Court of Justice.
EU-hosted platforms (Brevo, MailerLite, Hermod) eliminate this question entirely.
Right to erasure: it’s not optional
When a contact requests deletion, you have 30 days to delete all personal data. Not just unsubscribe them — delete them. This includes:
- Contact information (name, email, address, phone)
- Engagement data (what they opened, clicked, purchased)
- Custom fields and tags
- Historical data in reports (must be anonymized)
Most email platforms make this a manual process. You have to find the contact, delete them, and document that it’s done. Modern platforms automate it.
Audit trail: document everything
If a data protection authority comes knocking, you need to be able to prove compliance. An audit trail documents:
- When each consent was given
- The exact text that was shown
- IP address and source (which form, which page)
- When consent was withdrawn (if applicable)
- When data was deleted on request
- Who performed the action (person or system)
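As an added example (not code from this page or from any platform it names), here is a minimal consent, withdrawal and erasure flow in Python that records what the audit trail above lists and, on erasure, anonymizes report rows rather than deleting them. The in-memory stores, contact ids and addresses are constructed for the example; a real system would keep them in a database.

```python
import hashlib
from datetime import datetime, timezone

# Constructed in-memory stores for this example; a real system would use a database.
CONTACTS = {}       # contact_id -> personal data and per-purpose consents
REPORT_EVENTS = []  # engagement events that feed campaign reports
AUDIT_LOG = []      # append-only audit trail; holds pseudonymous ids, never email addresses

def audit(action, contact_id, actor, **details):
    """Append one audit event: what happened, to whom (pseudonymous id), by whom, when."""
    event = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
             "contact_id": contact_id, "actor": actor, **details}
    AUDIT_LOG.append(event)
    return event

def record_consent(contact_id, email, purpose, consent_text, ip, source, prechecked=False):
    """One consent per purpose; the exact text shown is kept and hashed into the audit trail."""
    if prechecked:
        raise ValueError("pre-checked checkbox: not valid consent")
    text_sha256 = hashlib.sha256(consent_text.encode()).hexdigest()
    contact = CONTACTS.setdefault(contact_id, {"email": email, "consents": {}})
    contact["consents"][purpose] = {"text": consent_text, "ip": ip, "source": source}
    audit("consent_given", contact_id, actor="signup-form", purpose=purpose,
          text_sha256=text_sha256, ip=ip, source=source)

def withdraw_consent(contact_id, purpose, actor="unsubscribe-link"):
    CONTACTS[contact_id]["consents"].pop(purpose, None)
    audit("consent_withdrawn", contact_id, actor=actor, purpose=purpose)

def record_engagement(contact_id, campaign, event):
    REPORT_EVENTS.append({"contact_id": contact_id, "campaign": campaign, "event": event})

def erase_contact(contact_id, actor):
    """Right to erasure: delete personal data, anonymize report rows, keep only the audit event."""
    CONTACTS.pop(contact_id, None)
    anonymized = 0
    for row in REPORT_EVENTS:
        if row["contact_id"] == contact_id:
            row["contact_id"] = None  # campaign totals survive, the person does not
            anonymized += 1
    audit("erased", contact_id, actor=actor, report_rows_anonymized=anonymized)
    return anonymized

def campaign_open_count(campaign):
    """Reports still work after an erasure because rows were anonymized, not deleted."""
    return sum(1 for r in REPORT_EVENTS if r["campaign"] == campaign and r["event"] == "open")
```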
Unsubscribe: make it easy
Every marketing email must have a visible unsubscribe link. No exceptions. And unsubscribe must work with one click — not a survey, not an “are you sure?” page, not a login.
Technically, RFC 8058 specifies how one-click unsubscribe works: the email carries a List-Unsubscribe header (with an HTTPS URL) and a List-Unsubscribe-Post header, and the email client unsubscribes the reader with a single POST to that URL, with no web page in between. Gmail and Apple Mail use these headers to show an “unsubscribe” button at the top of the email.
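An added example, not from this page or any product it mentions: the two headers a sender adds per RFC 8058, and the server-side handling of the one-click POST the mail client sends. The signing key, URL and contact ids are assumed placeholders; the HMAC token is there so that a guessed or altered URL cannot unsubscribe someone else.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed for this example: the key would come from a secrets store, not source code.
SECRET_KEY = b"example-secret-change-me"
UNSUBSCRIBED = set()  # stand-in for the contact store: (contact_id, list_id) pairs

def _token(contact_id, list_id):
    """HMAC over contact and list, so a one-click URL cannot be forged for another contact."""
    msg = f"{contact_id}:{list_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def unsubscribe_headers(contact_id, list_id, base_url="https://mail.example.com/unsub"):
    """Headers to add to every outgoing marketing email (RFC 8058 one-click form)."""
    query = urlencode({"c": contact_id, "l": list_id, "t": _token(contact_id, list_id)})
    return {
        "List-Unsubscribe": f"<{base_url}?{query}>, <mailto:unsub@example.com?subject=unsubscribe>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def handle_unsubscribe(method, url, body):
    """Server side: the client POSTs the body 'List-Unsubscribe=One-Click' to the URL.
    Returns (http_status, unsubscribed_contact_id_or_None); no confirmation page, no login."""
    if method != "POST":
        return 405, None
    if body.strip() != "List-Unsubscribe=One-Click":
        return 400, None
    params = parse_qs(urlparse(url).query)
    try:
        contact_id, list_id, token = params["c"][0], params["l"][0], params["t"][0]
    except (KeyError, IndexError):
        return 400, None
    if not hmac.compare_digest(token, _token(contact_id, list_id)):
        return 403, None
    UNSUBSCRIBED.add((contact_id, list_id))  # takes effect immediately
    return 200, contact_id
```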
Practical checklist
Here’s what you need to have in place:
Collecting contacts:
- Opt-in form with clear consent text (not pre-checked)
- Separate consent per purpose (newsletter, product updates, etc.)
- Document when, where, and how consent was given
- Consider double opt-in for extra documentation
Sending emails:
- Unsubscribe link in every email
- List-Unsubscribe header for one-click unsubscribe
- Clear sender identification
- Physical address in email footer (required in many jurisdictions)
Data management:
- Data Processing Agreement (DPA) with your email platform
- Know where your contacts’ data physically resides
- Process for right to erasure (preferably automated)
- Regular cleanup of inactive contacts
Documentation:
- Audit trail for consent
- Documented balancing test (if you use legitimate interest)
- Privacy policy that covers email marketing
- Overview of data processors (your email platform, analytics, etc.)