GDPR Email Marketing Compliance Checklist

Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
GDPR Email Marketing Compliance Checklist
For EU-Targeted Email Marketing Programs
Version 2026-04 · Cloud Server for Email
Legal disclaimer: This is an operational reference, not legal advice. Consult qualified EU data protection counsel for your specific situation.

1. Legal Basis (Article 6)

  • Legal basis documented for each list and sending purpose
  • B2C marketing: express consent (Art. 6(1)(a)) with documented opt-in record per subscriber
  • B2B marketing: legitimate interest (Art. 6(1)(f)) with completed balancing test
  • Transactional email: contract basis (Art. 6(1)(b)) documented

2. Consent Records

  • Each consent record includes: timestamp, IP address, form URL, exact consent text shown
  • Consent text is specific, freely given, and separate from T&Cs (no pre-ticked boxes)
  • Double opt-in for high-risk markets: Germany, Netherlands, Austria
  • Consent records retained for duration of relationship plus 3 years minimum

3. Data Subject Rights

  • Right of access (Art. 15): subscriber data exportable on request within 30 days
  • Right to erasure (Art. 17): subscriber data deletable; suppression record retained
  • Right to portability (Art. 20): data exportable in machine-readable format (CSV)
  • All requests acknowledged within 72h, fulfilled within 30 days

4. Data Processing Agreement (Art. 28)

  • DPA signed with email infrastructure provider (Cloud Server for Email provides DPA on request)
  • DPA covers: purposes, security, sub-processors, breach notification
  • For US-based ESPs: current adequacy mechanism documented (EU-US DPF or SCCs)

5. Data Residency

  • EU subscriber data processed within EU: Cloud Server for Email — Estonia (EU member state) OR
  • Non-EU processing: adequate protection mechanism documented
  • Data flow mapping complete — all sub-processors documented

6. Unsubscribe and Suppression

  • Unsubscribe link in every commercial email
  • RFC 8058 List-Unsubscribe-Post header (required for Gmail bulk senders 2024+)
  • Unsubscribes processed immediately (MailWizz processes on click)
  • Suppression record retained to prevent re-mailing

7. Privacy Notice

  • Privacy notice at point of consent (web opt-in form)
  • Includes: controller identity, purposes, legal basis, retention period, rights, third-party processors
  • Marketing notice explains: how to unsubscribe, how long data is kept, who else receives it
Cloud Server for Email provides a GDPR Article 28 DPA to all infrastructure clients on request. Contact infrastructure@cloudserverforemail.com for DPA documentation.