All articles Email Security

GDPR and Business Email: What Every Sender Needs to Know

SSam wallness07 Jul 2026
GDPR and Business Email: What Every Sender Needs to Know

GDPR and Business Email: What Every Sender Needs to Know

GDPR — the General Data Protection Regulation — has been in effect since 2018, but confusion about what it actually requires from email senders remains widespread. Some businesses treat it as something that only affects companies headquartered in Europe. Others apply so many restrictions to themselves that they're over-complying in ways that don't serve anyone.

Here's a clear look at what GDPR actually requires, where email fits, and what practical steps reduce your compliance risk without paralyzing your operations.

Who GDPR Applies To

GDPR applies to any organization that processes personal data of EU and EEA residents — regardless of where the organization is located. If you send email to someone in Germany from your company in Texas, GDPR applies to that send. The regulation is based on where the recipient is, not where the sender is.

Email addresses are personal data under GDPR. So are names, IP addresses, and any behavioral data tied to email: opens, clicks, device type, geographic location derived from IP. If you collect, store, or use any of this from EU residents, GDPR governs how you do it.

Lawful Basis for Sending

GDPR requires that processing personal data has a lawful basis. For email, the two most commonly used are:

Consent: The person explicitly agreed to receive email from you. This consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes don't count. "By signing up you agree to receive marketing emails" buried in terms of service doesn't count.

Legitimate interest: You have a genuine business interest in sending the email, and this interest isn't overridden by the recipient's rights. Transactional email — order confirmations, service notifications — typically qualifies. Unsolicited marketing email to cold contacts generally does not.

For marketing email to EU residents, explicit consent is by far the safest basis. Legitimate interest for marketing is defensible in some cases but requires a formal balancing test and opens you to more regulatory scrutiny.

What Consent Records You Need to Keep

If you're relying on consent, you need to be able to prove it. That means recording:

  • When consent was given
  • What the person consented to — the specific wording they saw
  • How consent was obtained — signup form URL, opt-in checkbox text
  • Whether consent has since been withdrawn

This data needs to be stored securely and accessible if a regulator or the individual ever asks you to demonstrate it. Many email service providers include consent logging — use it.

The Right to Erasure

Under GDPR, individuals can request deletion of their personal data — the right to be forgotten. For email, this means deleting their email address, any behavioral data associated with it, and any segmentation profiles tied to their identity.

One nuance worth knowing: you can retain a record that someone unsubscribed (a suppression record), because you have a legitimate interest in not contacting them again. What you can't retain is the full marketing profile built around them.

Make sure your unsubscribe process triggers actual data removal, not just a "do not email" flag that leaves all their engagement history intact in your platform.

Data Processing Agreements

When you use an email service provider, that provider is processing personal data on your behalf. Under GDPR, this requires a Data Processing Agreement (DPA). Most reputable email hosting and SMTP providers have standard DPAs available.

If you're using MailDog for your email infrastructure, check the terms of service and privacy policy for data processing details, and contact the team to arrange a DPA if required for your compliance documentation.

Cross-Border Data Transfers

If you're storing email data — addresses, engagement records — outside the European Economic Area, GDPR requires that transfers to those countries meet specific conditions. Countries the EU has deemed adequate can receive data more freely. Others require additional safeguards such as Standard Contractual Clauses.

If your email provider stores data on servers in countries without an adequacy decision, this is worth reviewing. Your provider should be able to tell you where data is stored and what legal mechanism covers cross-border transfers.

GDPR vs. CAN-SPAM

Many US businesses are more familiar with CAN-SPAM, which allows opt-out marketing — sending to anyone who hasn't specifically told you not to. GDPR's approach is the opposite: opt-in is required before marketing sends. If you're sending to a mixed global list, applying GDPR's opt-in standard across the whole list is the safest approach, even if it means a smaller list size.

A compliant, engaged list consistently outperforms a larger non-compliant one across every meaningful metric: open rates, click rates, conversions, and sender reputation.

Practical Compliance Checklist

  • Use double opt-in for all EU marketing lists
  • Record consent with timestamp, wording, and source
  • Include a clear one-click unsubscribe in every marketing email
  • Honor unsubscribe requests promptly — immediately is best practice
  • Implement a data erasure workflow triggered by unsubscribe or direct request
  • Sign a DPA with your email provider
  • Document your lawful basis for each type of email in a privacy notice
  • Review your list retention practices to avoid storing stale data indefinitely

For additional guidance on email compliance topics, explore the MailDog blog — and for questions about how MailDog's infrastructure handles data on your behalf, the contact page is the right starting point.

Related articles

How Hackers Compromise Business Email Accounts and How to Stop Them
Email Security
Sam wallness

How Hackers Compromise Business Email Accounts and How to Stop Them

Business email account compromise doesn't require exotic hacking techniques — most attacks succeed through phishing, reused passwords, and social engineering. This guide covers how attackers actually get into business email accounts, what they do once inside, and what defenses actually work.

Read article