GDPR for Email: Consent, Lawful Basis, and Data Subject Rights

Published

If you email Europeans, this applies to you

The General Data Protection Regulation (GDPR) is the European Union’s data privacy law. It applies to any organization that processes the personal data of individuals in the EU — regardless of where the organization is based. If your email list includes even one subscriber in the EU, GDPR applies to how you collected their data, how you use it, and how you’d respond if they asked you to delete it.

GDPR is not a suggestion. Violations can result in significant fines — up to 4% of annual global revenue or 20 million EUR, whichever is higher. But beyond the legal risk, GDPR represents a broader principle: treating people’s data with respect. Good email practices and GDPR compliance largely overlap.

What GDPR means for email marketing

GDPR is built on a few core principles that directly affect how you collect and use email addresses:

  • Lawful basis for processing. You need a legal reason to process someone’s personal data (their email address is personal data). For email marketing, the most common lawful basis is consent — the subscriber explicitly agreed to receive emails from you. Another possible basis is legitimate interest, but it’s harder to justify for marketing and comes with stricter conditions.
  • Explicit, informed consent. Consent must be freely given, specific, and informed. The subscriber must know what they’re agreeing to (receiving marketing emails from your brand) and actively opt in. Pre-ticked boxes, assumed consent, or “by signing up you agree to our terms” do not meet the standard.
  • The right to withdraw consent. Subscribers must be able to withdraw consent as easily as they gave it. This is why every email must include a working, easy-to-find unsubscribe link. See Email Unsubscribe Best Practices.
  • The right to access. Subscribers can ask what personal data you hold about them. You must provide a copy of their data.
  • The right to erasure (“right to be forgotten”). Subscribers can ask you to delete their personal data. For email marketing, this means removing them from your list and deleting their associated data from your systems.
  • Data minimization. Collect only what you need. If you’re running an email newsletter, you need the email address. You may not need their phone number, physical address, or job title unless you have a specific use for each.

Why it matters

  • The legal risk is real. GDPR enforcement is active, and fines are significant. Even small organizations are not exempt — the regulation applies based on the data subject’s location, not the sender’s size.
  • EU subscribers are common. If your email list is publicly available, you likely have EU subscribers even if you don’t actively market to Europe. Assuming you don’t have EU subscribers is risky.
  • Consent-based lists perform better. Lists built on genuine opt-in consent have higher engagement, lower unsubscribe rates, and fewer spam complaints than lists built on assumptions or purchased data. GDPR compliance and email performance are aligned, not opposed.
  • Trust is a competitive advantage. Readers who trust you with their data are more likely to engage with your emails. Transparent data practices build that trust.
  • The principles are becoming global. GDPR set the standard that other regulations (California’s CCPA, Brazil’s LGPD, and others) followed. Building GDPR-compliant practices prepares you for a world where privacy regulation is expanding, not contracting.

How to comply with GDPR in email marketing

  1. Use explicit opt-in. When someone subscribes, they must actively agree to receive emails. Use an unchecked checkbox with clear language: “Yes, I’d like to receive marketing emails from [Your Brand].” Don’t pre-tick the box.
  2. Document consent. Keep a record of when, how, and what the subscriber consented to. If a subscriber asks, “when did I sign up for this?” you should be able to answer. Your ESP should handle this, but verify that it does.
  3. Use double opt-in. After someone subscribes, send a confirmation email with a link they must click to finalize their subscription. This prevents fake sign-ups, typos, and malicious subscriptions — and it creates an additional consent record. See Email List Hygiene.
  4. Include a clear unsubscribe link in every email. The link must be easy to find and work immediately. Don’t require the reader to log in, fill out a form, or explain why they’re leaving. See Email Unsubscribe Best Practices.
  5. Honor data subject requests promptly. If a subscriber asks for their data (access request) or asks you to delete it (erasure request), respond within one month. Your ESP should support data export and deletion.
  6. Minimize data collection. At signup, ask only for what you need. Email address is required; first name is common and useful; anything beyond that needs a specific purpose. Don’t collect data “just in case.”
  7. Be transparent about data use. Link to your privacy policy at signup and in every email. The policy should explain what data you collect, why you collect it, how long you keep it, and who you share it with.
  8. Don’t use purchased lists. GDPR requires consent from the individual. Purchased lists don’t have it. Sending to a purchased list is a GDPR violation — and a deliverability disaster. See Email List Hygiene.
  9. Review your privacy policy regularly. Update it when your data practices change. A stale privacy policy that doesn’t match your actual practices is a compliance risk.

Common mistakes

  • Pre-ticked opt-in boxes. The subscriber didn’t actively consent — they failed to uncheck a box. This doesn’t meet GDPR’s standard for freely given, explicit consent.
  • No record of consent. You can’t prove when or how a subscriber opted in. If a complaint is filed, you have no defense.
  • Buried unsubscribe links. The unsubscribe link is hidden in tiny text in the footer, or it requires logging in to an account. This violates the “easy to withdraw” requirement.
  • Slow processing of opt-outs. A subscriber clicks unsubscribe but keeps receiving emails for days or weeks because the list isn’t synced. Process opt-outs immediately.
  • Collecting more data than needed. You ask for date of birth, gender, and phone number at signup for a newsletter. Unless you have a specific, disclosed purpose for each, this violates data minimization.
  • Assuming GDPR doesn’t apply. “We’re a US company; GDPR doesn’t affect us.” If you have EU subscribers — and you probably do — it does.
  • Purchased lists. You bought a list that “complies with GDPR.” It almost certainly doesn’t — consent isn’t transferable, and the individuals on the list didn’t consent to receive emails from you.

How GDPR relates to Temway

Temway is a builder and exporter — it produces the HTML for your emails. GDPR compliance happens at the data collection and sending level (your signup forms, your ESP, your subscriber database), not in the email builder itself.

What Temway does help with is the content side: every email you build should include an unsubscribe link (usually in the footer block) and a link to your privacy policy. Build these into a reusable layout so every email starts with compliance built in — not as an afterthought added per email.

The workflow: build your email in Temway with the compliance elements in place, export the HTML or push it to your ESP, and your ESP handles the subscriber data, opt-out processing, and consent records that GDPR requires.

Where to go next