GDPR and Email Compliance: What Every Sender Needs to Know

The General Data Protection Regulation changed how businesses that email European residents must handle personal data. For email senders specifically, GDPR isn't just a compliance checkbox. It reshapes what's allowed when collecting addresses, what you can send, and how long you can keep subscriber data. Getting it wrong can mean significant fines, but more practically, it means sending email to people who didn't genuinely want it — which hurts your deliverability just as much as your legal standing.
Who GDPR Applies To
GDPR applies to any organization that processes personal data of people located in the European Union, regardless of where the organization itself is based. If you're a company in the United States, Canada, or Australia and you email people in Germany, France, or Spain, GDPR applies to those interactions.
An email address is personal data under GDPR. So is any information you associate with that address — name, purchase history, open rates, location. The moment you collect a European email address, GDPR requirements apply.
The Consent Question
The most immediate GDPR question for email senders is whether you have a lawful basis for sending to each person on your list. The two most common bases for email marketing are:
- Consent: The person explicitly agreed to receive marketing email from you in a clear and unambiguous way
- Legitimate interests: You have a genuine business reason to contact them, it doesn't override their rights, and you've documented that assessment
Legitimate interests is often misunderstood as a blanket license to email anyone you've done business with. It isn't. It requires a proper balancing test, and for cold outreach to purchased lists, it almost never holds up to scrutiny.
Consent under GDPR is more demanding than pre-GDPR standards. A pre-ticked checkbox doesn't count. Bundling consent into terms and conditions doesn't count. The consent must be freely given, specific, informed, and unambiguous — and you need to be able to prove it on request.
What GDPR Consent Actually Looks Like
A compliant email opt-in:
- Uses an unticked checkbox that the user actively selects
- Has plain-language text describing what they're signing up for (e.g., "I'd like to receive weekly product updates and offers from [Company]")
- Records the timestamp and method of consent in your database
- Makes withdrawing consent as easy as giving it
Double opt-in — sending a confirmation email that requires the subscriber to click a link before being added to your list — isn't strictly required by GDPR, but it's a strong best practice. It creates a clear audit trail and filters out mistyped addresses at the same time.
The Right to Erasure
GDPR gives individuals the right to request that their personal data be deleted. For email senders, this means you need a process to handle erasure requests and act on them within 30 days. "Unsubscribed" and "erased" are not the same thing. An unsubscribed contact is still in your database; an erased contact's data must be removed entirely (or anonymized past the point of identification).
There's a practical tension with suppression lists here. You need a record that someone asked not to be emailed so you don't accidentally re-add them — but you may not need to keep their actual email address to do this. A hashed identifier can serve the same purpose without retaining the address itself. For more on managing unsubscribes compliantly, see how to handle unsubscribe requests.
Data Minimization and Retention
GDPR's data minimization principle says you should only collect and store the personal data you actually need. In email terms, that means not asking for a phone number on a newsletter signup form if you're only going to send email. It also means not keeping subscriber data indefinitely.
Storage limitation requires that you don't hold personal data longer than necessary for the purpose it was collected. For email marketing, that means inactive subscribers shouldn't sit in your database forever. Setting a retention policy — for example, removing contacts who haven't engaged in 24 months — is both a GDPR requirement and a deliverability best practice. It aligns with what email archiving best practices recommend for business records more broadly.
Email Service Providers as Data Processors
If you use a third-party platform to send email — including an SMTP relay or email hosting provider — that provider is a data processor under GDPR and you are the data controller. This means you need a Data Processing Agreement (DPA) in place with your email provider, and you're responsible for choosing providers who implement appropriate security measures.
Review MailDog's privacy policy and terms of service for details on how subscriber data is handled. Reputable email infrastructure providers maintain GDPR-compliant practices and make DPAs available on request.
GDPR Alongside Other Regulations
GDPR isn't the only email compliance framework. If you send to Canadian addresses, CASL applies. US recipients are covered by CAN-SPAM. These laws have different consent requirements and enforcement mechanisms, and the strictest standard that applies to your list is the one you need to follow.
If you email internationally and aren't certain where all subscribers are located, applying GDPR-level consent standards across your entire list is the safest approach — and the one most likely to keep your deliverability healthy. People who actively consented to receive your email are far more likely to engage with it. For questions about your specific situation, contact the MailDog team.


