GDPR's impact on email marketing is often misunderstood. Marketers worry primarily about the consent question — do I need permission to email this person? — while missing the equally important questions around data retention, right of access, data processor agreements, and the technical infrastructure that handles personal data. This guide addresses all four, with specific attention to how EU-based dedicated email infrastructure differs from US-hosted ESPs in its GDPR compliance implications.

Article 6
Legal basis for processing — consent OR legitimate interest for B2B
Article 28
Data processor agreements required with all email infrastructure providers
72 hours
Maximum time to notify supervisory authority of a data breach
€20M / 4%
Maximum GDPR fines — higher of €20M or 4% of global annual turnover

The legal basis for sending commercial email differs significantly between B2B (business email addresses) and B2C (consumer/personal email addresses) under GDPR's interaction with the ePrivacy Directive.

B2C email to consumers at personal addresses typically requires explicit, freely given, specific, informed, and unambiguous consent under ePrivacy Article 13. A generic "I agree to terms and conditions" checkbox that bundles marketing consent does not meet the specificity requirement. Consent must be a separate, affirmative action specifically for marketing communications. You must also be able to demonstrate consent with a timestamp, IP address, and the specific consent text that was shown.

B2B email to business contacts at work email addresses operates under a different rule in most EU member states. The ePrivacy Directive allows B2B email marketing based on Legitimate Interest (GDPR Article 6(1)(f)) provided you: have conducted and documented a Legitimate Interest Assessment (LIA), the contact is relevant to your business offering, the email is clearly identifiable as commercial, and you provide an easy opt-out mechanism. The key caveat is that national implementation of ePrivacy varies — Germany requires opt-in for B2B email; France, Italy, and Spain allow legitimate interest for B2B with proper opt-out.

CountryB2C emailB2B emailKey local rule
GermanyOpt-in requiredOpt-in required (UWG §7)Strictest in EU — both B2B and B2C require prior consent
FranceOpt-in requiredLegitimate interest OKCNIL guidance: B2B LI acceptable with documented LIA
NetherlandsOpt-in requiredLegitimate interest OKACM: B2B cold email allowed with easy unsubscribe
SwedenOpt-in requiredLegitimate interest OKIMY guidance follows general ePrivacy B2B exception
UK (post-Brexit)Opt-in required (PECR)Corporate subscribers: soft opt-in OKICO: UK PECR applies, similar to EU with some differences

Valid GDPR consent for email marketing is not just a checkbox — it requires a technical implementation that records and stores proof of consent in a form that can be produced to a supervisory authority on request. The WP29 (now EDPB) guidelines on consent specify that you must be able to demonstrate: who consented, when they consented, what they were told at the time of consent, and how consent was obtained.

▶ Technical consent record — required fields
1
Subscriber identifier — email address (hashed or plain) plus any internal ID linking the record to the subscriber profile.
2
Consent timestamp — UTC timestamp of the consent action, to millisecond precision. Form submission timestamp for single opt-in; confirmation click timestamp for double opt-in.
3
IP address — the IP address from which the consent action was taken. Combined with timestamp, this enables cross-referencing with server logs if consent is challenged.
4
Consent text version — a hash or version ID of the exact consent language shown at the time of signup. Consent text changes must trigger re-consent if the change is material.
5
Source/method — the specific form, landing page URL, or acquisition channel where consent was obtained. Essential for audits of list segments.
6
Withdrawal record — when and how the subscriber withdrew consent (unsubscribe, FBL complaint, manual removal). Consent withdrawal must be as easy as giving consent.

Infrastructure and Data Residency

Where your email infrastructure is hosted determines where subscriber personal data is processed. Under GDPR, personal data transferred outside the EU/EEA requires either: the destination country has an adequacy decision from the European Commission, Standard Contractual Clauses (SCCs) are in place with the data processor, or another valid transfer mechanism applies.

Most major US-based ESPs (Mailchimp, Klaviyo, Salesforce Marketing Cloud, HubSpot) offer SCCs and GDPR-compliant data processing agreements. However, the Schrems II judgment (2020) invalidated the Privacy Shield framework and placed additional obligations on organisations conducting impact assessments for US data transfers. For organisations with EU-resident subscriber data, EU-hosted dedicated email infrastructure eliminates the transfer question entirely — there is no data export, no adequacy assessment required, and no risk from future regulatory changes affecting US-EU data transfer frameworks.

Right of Access and Right to Erasure

GDPR Articles 15 and 17 give subscribers the right to request a copy of their personal data held by your organisation (Subject Access Request) and the right to have their data deleted (Right to Erasure/Right to be Forgotten). Both rights apply to email marketing data. A subscriber can request to see all data you hold about them — including email addresses, consent records, campaign engagement history, suppression list entries, and any preference data — and can request complete deletion.

For email operations, erasure requests present a specific challenge: suppression lists contain email addresses specifically to prevent future sending. If you erase an address from your suppression list in response to an erasure request, you lose the record that prevents re-adding that address to future list imports. The EDPB guidance addresses this: you may retain a minimal record (typically just the hashed email address and a flag indicating it was erased/opted-out) in your suppression system for the sole purpose of preventing re-addition. This is consistent with both the erasure right and your legitimate interest in honoring the original opt-out.

📋 Client case — SaaS platform, regulatory audit, 180K EU subscriber list

Situation: French CNIL audit following a subscriber complaint about receiving marketing email without recollection of consenting. The client needed to produce consent records for 23 specific subscribers named in the complaint.
Consent documentation state: Single opt-in with no timestamp or IP logging. Only record was the email address in the database. No LIA documentation for B2B contacts.
Outcome: CNIL issued a formal warning and required implementation of consent logging within 90 days. No fine in this instance due to first-time offence and prompt remediation. Client implemented double opt-in with full consent logging, suppression list management, and a documented LIA for B2B outreach. Reconfirmation campaign to existing list: 64% re-confirmed, 36% suppressed.
Cost of compliance retrofit: Significantly higher than building it in from the start. The reconfirmation campaign alone reduced the active list from 180K to 115K — a 36% reduction in list size that could have been avoided with compliant acquisition practices from the beginning.