
GDPR Email Marketing [Guidelines]


In 2019, the number of global email users was 3.9 billion. This figure is set to grow to 4.3 billion users in 2023, approximately half of the global population.

We are all a part of that communication, and a lot of the emails we receive daily are from companies. Living in a digital (marketing) world, this shouldn’t come as a shocker. However, how many of those are sent in a GDPR-compliant way?

Statistics show that in 2019, 73% of EU citizens aged 16-74 were sending and receiving emails! Those are significant numbers, taking into consideration that the EU has the world’s third-largest population after China and India.

The point we are trying to make is that the EU market should by no means be disregarded, and processing data of EU citizens makes you obligated to comply with the GDPR. Check and see if GDPR applies to you!

What happened after the GDPR?

Switching to GDPR-compliant email campaigns caused many companies to lose a large part of their contact database. Whether those databases were any good to begin with is an entirely different story.

For some, it is company profits before GDPR compliance. For others, those two terms are intertwined. Many companies that have put emphasis on PRIVACY are thriving.

You can find out more about how much companies are investing in privacy, and about the outcomes and ROI of those investments, in our blog post: Why companies are investing in GDPR compliance

6 steps to GDPR compliant email marketing

GDPR-compliant marketing means respecting the privacy of your contacts and their GDPR rights.

That means not contacting people who have opted out of your marketing communications, deleting contacts when there is no reason to keep their records, not having pre-ticked consent boxes, and having a record of consent for each and every purpose.

GDPR marketing should be transparent, trustworthy and straightforward when communicating what you do with personal data of your contacts.


You can process personal data under only 6 legal bases. In marketing, you will most probably rely on two lawful bases – consent and legitimate interest.

Consent should be a freely given, specific, informed, and unambiguous indication of an individual’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data.

This means you have presented the individual with a genuine choice and the ability to withdraw consent at any given time.

If you need to notify your existing customers about new features of the product, new policies being applied and updates that they could benefit from, you can rely on legitimate interest.

Also, if you are offering downloadables on your website, you can use legitimate interest as your lawful basis. It is implied that the data subject gave you his/her email address so you can send them the content. However, you can’t use that personal information in your marketing campaigns later. 


Make sure you explain who collects data, which data is collected and for what purposes, how you are going to process that data, and whether any third parties are involved.

In the research “State of Connected Customer” by Salesforce, 86% of surveyed individuals said that an explanation of how a company uses their information to give them a better customer experience makes them more likely to trust that company with their personal information.

You don’t have to stuff all the information into your consent box or email. Elaborate on it in your Privacy Policy, and refer your contacts there to learn more about how you process personal data.


Remember, you have to enable your contacts to opt out (unsubscribe) as easily as they opted in (subscribed). Ideally, this is done through a self-service interface that creates unique hashed links for each data subject and allows your contacts to manage their requests and communicate their preferences in a GDPR-compliant way.

If that is not an option, provide enough info in your privacy policy on how to unsubscribe and make sure you have the “unsubscribe” button in your emails.
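
One way to build the unique per-contact links mentioned above, as an added example that is not part of the original article or of any vendor's product: the link carries an opaque contact ID and a purpose, authenticated with an HMAC under a server-side key, so it cannot be altered to act on another contact. The key handling, the `example.com` URL, the ID format and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumptions: a server-side key that never appears in emails, and a placeholder URL.
SECRET_KEY = secrets.token_bytes(32)
BASE_URL = "https://example.com/preferences"


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_link(contact_id: str, purpose: str, key: bytes = SECRET_KEY) -> str:
    # A keyed MAC is used instead of a plain hash of the email address:
    # a plain hash can be recomputed by anyone who knows the address.
    payload = f"{contact_id}|{purpose}".encode()  # opaque ID, not the email itself
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{BASE_URL}?t={b64e(payload)}.{b64e(tag)}"


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return (contact_id, purpose) for a genuine token, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    contact_id, _, purpose = payload.decode().partition("|")
    return contact_id, purpose
```

The preference page calls `verify_token` on the `t` parameter and records the opt-out only for the contact and purpose the token returns.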


Pre-ticked consent forms are a big NO! All marketing platforms now have an easy way for you to set it up. Silence, pre-ticked boxes or inactivity are not considered consent.

GDPR opt-in example:


This is the data minimization principle, which dictates that you have to limit the personal data you collect, store or use to data that is absolutely necessary for you to provide a service or fulfill a specific purpose.

For example, if you have a newsletter subscription form on your website, it would be compliant to ask only for an email address and possibly a name (if you have personalized email campaigns). You don’t need to know anything else about the contact in order to send an email.

Make the email address a required field, while the name can be given optionally.


The most common marketing practice before the GDPR was to combine all consents together, along with privacy terms and conditions.

For example, the consent text would be: “By clicking the submit button below, you agree to receive marketing communication, personalized ads, and you agree to our terms and services.”

A GDPR-compliant version would let the contact choose which of those consents he/she is willing to give.

If your website offers downloadable content like e-books, templates or whitepapers, you cannot make downloading the content conditional on giving consent to marketing communication.

If the contact did not opt in to marketing communication, he/she would receive the downloadable, but that is it.

Operationalization of GDPR in email Marketing

It is not just about collecting data in a GDPR-compliant way; you have to manage consents as well. This means keeping track of contact preferences, opt-ins, and opt-outs.

Remember, once a contact has unsubscribed, every email you send after that point is a violation of the GDPR.

Unfortunately, when a contact unsubscribes, that information can stay “locked” in the system where it was recorded, meaning Marketing uses a list that is not automatically updated across multiple marketing layers. So even if you have collected valid consents, you will also have to know whether your lists are compliant, and register consents.
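
The stale-list problem described above, as an added example that is not part of the original article or of any product: an append-only ledger holds one consent event per contact and purpose, and an exported list is checked against it at send time. All class and function names, contact IDs, purposes and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    purpose: str      # one purpose per event, e.g. "newsletter", "personalized_ads"
    granted: bool     # True = opt-in, False = opt-out or withdrawal
    at: datetime
    source: str       # where the choice was captured


class ConsentLedger:
    """Append-only consent record; events are added, never overwritten."""
    def __init__(self):
        self.events = []

    def record(self, contact_id, purpose, granted, at, source):
        self.events.append(ConsentEvent(contact_id, purpose, granted, at, source))

    def may_send(self, contact_id, purpose, when):
        """The latest event up to `when` decides; no event means no consent."""
        hits = [e for e in self.events
                if (e.contact_id, e.purpose) == (contact_id, purpose) and e.at <= when]
        if not hits:
            return False
        # On identical timestamps the withdrawal wins.
        return max(hits, key=lambda e: (e.at, not e.granted)).granted

    def split_list(self, contact_ids, purpose, when):
        """Partition an exported mailing list into (sendable, suppressed)."""
        send = [c for c in contact_ids if self.may_send(c, purpose, when)]
        return send, [c for c in contact_ids if c not in send]


def day(d):
    return datetime(2020, 3, d, tzinfo=timezone.utc)  # constructed sample dates


def demo():
    ledger = ConsentLedger()  # constructed sample data below
    ledger.record("c-1", "newsletter", True, day(1), "signup form")
    ledger.record("c-1", "personalized_ads", False, day(1), "signup form")
    ledger.record("c-2", "newsletter", True, day(1), "signup form")
    ledger.record("c-2", "newsletter", False, day(5), "unsubscribe link")
    # c-3 only downloaded an e-book and never opted in: no event exists.
    stale_export = ["c-1", "c-2", "c-3"]  # list exported before c-2 unsubscribed
    return ledger, ledger.split_list(stale_export, "newsletter", day(10))
```

Because events are never overwritten, the same ledger also answers what a contact had agreed to on any earlier date, which is the record of consent per purpose.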

Find out what a consent management platform is and why you need it.
