What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation that governs how personal data is collected, processed, and stored. It took effect on May 25, 2018, and is one of the strictest data protection laws in the world. For email sending, GDPR sets strict rules about consent, data handling, and the rights of your recipients.
Who does GDPR apply to?
GDPR applies to you if:
- Your business is based in the EU/EEA
- You process personal data of individuals in the EU/EEA — regardless of where your business is located
- You send emails to recipients in the EU/EEA
Key principles for email
1. Lawful basis for processing
You need a lawful basis to send someone an email. For email marketing, the relevant bases are:
- Consent — the recipient has explicitly opted in to receive your emails. This is the most common and safest basis for marketing emails.
- Legitimate interest — you have a genuine business reason to contact the person, and their privacy rights don’t override that interest. This is harder to rely on and requires a documented assessment.
For transactional emails (order confirmations, account notifications), the lawful basis is typically contract performance — the email is necessary to fulfill a service the recipient signed up for.
2. Explicit consent for marketing
GDPR requires explicit, informed, freely given consent for marketing emails. This means:
Must do:
- Use a clear opt-in mechanism (unchecked checkbox, separate signup form)
- Explain what the recipient is signing up for (“Weekly product updates from SendKit”)
- Keep records of when and how consent was obtained
Must not:
- Use pre-checked checkboxes
- Bundle consent with terms of service (“By creating an account, you agree to receive marketing emails”)
- Use vague language (“We may contact you from time to time”)
3. Right to withdraw consent
Recipients must be able to withdraw consent as easily as they gave it. In practice, this means:
- Every marketing email must have an unsubscribe link
- Unsubscribing must be a one-click or two-click process
- Withdrawal must be processed promptly
4. Right to access
Recipients can request a copy of all personal data you hold about them. For email, this includes:
- Their email address and any associated data (name, preferences)
- Email sending history
- Consent records
- Any tracking data (opens, clicks)
5. Right to erasure (Right to be forgotten)
Recipients can request that you delete all their personal data. When a request is received, you must:
- Delete their contact record
- Remove them from all lists
- Delete any associated tracking data
- Confirm deletion to the recipient
6. Right to data portability
Recipients can request their data in a commonly used, machine-readable format (like CSV or JSON) so they can transfer it to another service.
Consent records
GDPR requires that you can prove consent was given. For each subscriber, you should store:

| Data point | Example |
|---|---|
| What they consented to | “Weekly product newsletter” |
| When they consented | 2026-01-15 14:32:00 UTC |
| How they consented | Signup form on acme.com/newsletter |
| IP address (optional) | 203.0.113.42 |
| Double opt-in confirmation | Confirmed on 2026-01-15 14:35:00 UTC |
Double opt-in
Double opt-in is a two-step process:
- Recipient enters their email in your signup form
- They receive a confirmation email with a link
- They click the link to confirm their subscription
Benefits:
- It proves the email address owner actually consented (not someone else using their address)
- It creates a clear consent record
- It reduces bounces and fake signups
- Regulators view it favorably
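The consent-record fields from the table above and the double opt-in flow, as an added Python example that is not SendKit code: a signup creates a pending record, the confirmation link carries an HMAC token bound to that record, and only a confirmed, unwithdrawn record allows marketing sends; export and erase cover the access and erasure rights. The in-memory store, the secret, and the sample values are assumptions.

```python
import hmac, hashlib, json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

@dataclass
class ConsentRecord:
    email: str
    purpose: str                          # what they consented to
    requested_at: str                     # when (UTC)
    source: str                           # how (which signup form)
    ip: Optional[str] = None              # optional data point
    confirmed_at: Optional[str] = None    # set only after double opt-in
    withdrawn_at: Optional[str] = None    # set when consent is withdrawn

class ConsentStore:
    """Hypothetical in-memory store; a real deployment persists these rows."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._records = {}   # email -> ConsentRecord
    def _token(self, rec: ConsentRecord) -> str:
        # Token for the confirmation link, bound to this exact signup
        msg = f"{rec.email}|{rec.requested_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
    def start_signup(self, email, purpose, source, ip=None, now=None) -> str:
        rec = ConsentRecord(email, purpose, now or _now(), source, ip)
        self._records[email] = rec
        return self._token(rec)           # goes into the confirmation email
    def confirm(self, email, token, now=None) -> bool:
        rec = self._records.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(rec)):
            return False                  # unknown address or forged link
        rec.confirmed_at = now or _now()
        return True
    def withdraw(self, email, now=None) -> None:
        if email in self._records:
            self._records[email].withdrawn_at = now or _now()
    def may_send_marketing(self, email) -> bool:
        rec = self._records.get(email)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)
    def export(self, email) -> Optional[str]:   # right to access / portability
        rec = self._records.get(email)
        return json.dumps(asdict(rec)) if rec else None
    def erase(self, email) -> bool:             # right to erasure
        return self._records.pop(email, None) is not None
```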
Data processing agreements
If you use a service like SendKit to send emails, you’re a data controller and SendKit is a data processor. GDPR requires a Data Processing Agreement (DPA) between controller and processor. A DPA defines:
- What data is processed
- How it’s processed
- Security measures in place
- What happens to data when the agreement ends
Email tracking and GDPR
Open tracking (via pixel) and click tracking collect personal data (the recipient’s behavior). Under GDPR:
- You should disclose tracking in your privacy policy
- Consider whether tracking is necessary (data minimization principle)
- Provide a way for recipients to opt out of tracking
SendKit allows you to enable or disable open tracking and click tracking per domain from the domain configuration page. If tracking raises GDPR concerns, you can disable it.
Checklist for compliance
- Marketing emails only go to recipients who explicitly opted in
- Consent was recorded with what, when, and how
- Every marketing email has a working unsubscribe link
- You can process data access, erasure, and portability requests
- A Data Processing Agreement is in place with SendKit
- Your privacy policy covers email data collection and tracking
- You don’t use pre-checked checkboxes or bundled consent
FAQ
Does GDPR apply to transactional emails?
Transactional emails don’t need marketing consent — they’re sent under the “contract performance” lawful basis. However, GDPR’s data protection principles still apply to transactional emails. You must still handle the recipient’s data securely and respect their rights (access, erasure, etc.).
Can I email existing subscribers who didn't give GDPR-compliant consent?
Technically no. If you collected email addresses before GDPR without explicit consent, you need to re-obtain consent. Many companies sent “re-consent” campaigns when GDPR took effect. If you haven’t done this, you should stop emailing those contacts for marketing purposes.
What are the penalties for GDPR violations?
GDPR fines can reach up to 20 million euros or 4% of annual global turnover, whichever is higher. In practice, fines vary based on the severity of the violation, the number of people affected, and the organization’s cooperation with regulators.