GDPR Email Marketing [Guidelines]

Even with the popularity of mobile messengers and chat apps, email continues to be a crucial part of our daily online activities. In 2022, the number of global e-mail users amounted to 4.26 billion, and it is set to grow to 4.73 billion users in 2026.

We are all a part of that communication, and we receive daily emails for services or products, offers, and sales from different companies. However, how many of those are sent in a GDPR-compliant way?

Statistics show that 73% of EU citizens aged 16-74 send and receive emails! Those are significant numbers considering that the EU has the world’s third-largest population after China and India.

Our point is that the EU market should not be disregarded, and processing EU citizens’ data obligates you to comply with the GDPR.

What happened after the GDPR?

Switching to GDPR-compliant email campaigns caused many companies to lose a lot of their contact database, but whether those databases were any good, to begin with, is an entirely different story.

For some, it is company profits before GDPR compliance. For others, those two terms are intertwined. Many companies that have put emphasis on PRIVACY are thriving.

You can find out more about how much companies are investing in privacy, and what the outcomes and ROI of those investments are, in our blog post: Why companies are investing in GDPR compliance

Six steps to GDPR-compliant email marketing

GDPR-compliant marketing means respecting the privacy of your contacts and their GDPR rights.

In practice, that means not contacting people who have opted out of your marketing communications, deleting contacts when there is no longer a reason to keep their records, not using pre-ticked consent boxes, and keeping a record of consent for each and every purpose.

GDPR marketing should be transparent, trustworthy, and straightforward when communicating what you do with personal data.


You can process personal data under only six legal bases. In marketing, you will most probably rely on two lawful bases – consent and legitimate interest.

Consent should be a freely given, specific, informed, and unambiguous indication of an individual’s wishes by which he or she, by a statement or by clear affirmative action, gives agreement to the processing of personal data.

This means you have presented the individual with a genuine choice and with the ability to withdraw consent at any time.

If you need to notify your existing customers about new features of the product, new policies being applied, and updates that they could benefit from, you can rely on legitimate interest.

Also, if you offer downloadables on your website, you can use legitimate interest as your lawful basis. It is implied that the data subject gave you his/her email address so you can send them the content.

However, you can’t use that personal information in your marketing campaigns later.


Make sure you explain who collects data, which data is collected and for what purposes, how you will process that data, and if any third parties are involved.

In the Salesforce research “State of the Connected Customer”, 86% of surveyed individuals said that a company explaining how it uses their information to give them a better customer experience makes them more likely to trust that company with their personal information.

You don’t have to stuff all the information into your consent box or email. Elaborate on it in your Privacy Policy, and refer your contacts there to learn more about how you process personal data.


Remember, you have to enable your contacts to opt out (unsubscribe) as easily as they opted in (subscribed). Ideally, this is done through a self-service interface that creates a unique hashed link for each data subject and allows your contacts to manage their requests and communicate their preferences in a GDPR-compliant way.

If that is not an option, provide enough info in your privacy policy on how to unsubscribe, and make sure you have the “unsubscribe” button in your emails.


Pre-ticked consent forms are a big NO! All marketing platforms now have an easy way for you to set it up. Silence, pre-ticked boxes, or inactivity are not considered consent.

GDPR opt-in example:


This is the data minimization principle, which requires you to limit the personal data you collect, store, or use to what is strictly necessary to provide the service or fulfill a specific purpose.

For example, if you have a newsletter subscription form on your website, it would be compliant if you only ask for an e-mail and possibly a name (if you have personalized email campaigns).

You don’t need to know anything else about the contact to send an email.

Make the email address a required field, while the name can be given optionally.


The most common marketing practice before the GDPR was to combine all consents together, along with privacy terms and conditions.

For example, the consent text would be: “By clicking the submit button below, you agree to receive marketing communication and personalized ads, and you agree to our terms and services.”

The GDPR-compliant version would let the contact choose which one of those consents he/she is willing to give.

If your website offers downloadable content like e-books, templates, or whitepapers, you cannot make the download conditional on consent to marketing communication.

If the contact did not opt in to marketing communication, he/she still receives the download, but that is it.

Operationalization of GDPR in Email Marketing

It is not just about collecting data in a GDPR-compliant way. You have to manage consent as well. This means keeping track of contact preferences, opt-ins, and opt-outs.

Remember, when a contact unsubscribes, every email you send after that point means a violation of the GDPR.

Unfortunately, when a contact unsubscribes, that information can stay “locked” in the system where the opt-out was received, so Marketing keeps using a list that is not automatically updated across the other marketing layers. So even if you have collected valid consents, you also have to know whether your lists are still compliant and to register consents.
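The following is an added illustration of the consent record, per-purpose opt-in, and unique hashed unsubscribe link described in the steps above and in this section; it is example code, not code from the original post or from the Data Privacy Manager product. It assumes an in-memory ledger and a hypothetical server-side secret `UNSUB_KEY`; a real deployment would persist the records and load the key from a secrets store.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timezone

# Hypothetical server-side secret (assumption): in production, load it from a secrets store.
UNSUB_KEY = secrets.token_bytes(32)


class ConsentLedger:
    """Per-purpose consent records, consulted at send time rather than copied into each list."""

    def __init__(self):
        # (email, purpose) -> record of the consent decision and its evidence
        self._records = {}

    def record(self, email, purpose, granted, source):
        # Each purpose (newsletter, personalized_ads, ...) is its own record,
        # so a contact can accept one and decline another: no bundled consent.
        self._records[(email.lower(), purpose)] = {
            "granted": granted,
            "when": datetime.now(timezone.utc).isoformat(),
            "source": source,  # e.g. which form and version the box was ticked on
        }

    def may_send(self, email, purpose):
        # No record means no consent: silence, inactivity or a pre-ticked box never counts.
        rec = self._records.get((email.lower(), purpose))
        return bool(rec and rec["granted"])

    def unsubscribe_token(self, email, purpose):
        # Unique per-contact link token: an HMAC over the identity rather than a guessable id,
        # so one contact cannot unsubscribe another by editing the link.
        msg = f"{email.lower()}|{purpose}".encode()
        return hmac.new(UNSUB_KEY, msg, hashlib.sha256).hexdigest()

    def unsubscribe(self, email, purpose, token):
        # Verify the token in constant time before honoring the opt-out.
        expected = self.unsubscribe_token(email, purpose)
        if not hmac.compare_digest(expected, token):
            return False
        # The opt-out lands in the same ledger every sender consults, so no list keeps it "locked".
        self.record(email, purpose, granted=False, source="unsubscribe-link")
        return True
```

Every outgoing campaign calls `may_send` per contact and purpose at send time, which is what keeps a stale exported list from violating a recorded opt-out.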

Find out what a consent management platform is and why you need one.
