Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
GDPR Email Marketing Compliance Checklist
For EU-Targeted Email Marketing Programs
Version 2026-04 · Cloud Server for Email
Legal disclaimer: This is an operational reference, not legal advice. Consult qualified EU data protection counsel for your specific situation.
1. Legal Basis (Article 6)
- Legal basis documented for each list and sending purpose
- B2C marketing: express consent (Art. 6(1)(a)) with documented opt-in record per subscriber
- B2B marketing: legitimate interest (Art. 6(1)(f)) with completed balancing test
- Transactional email: contract basis (Art. 6(1)(b)) documented
2. Consent Records
- Each consent record includes: timestamp, IP address, form URL, exact consent text shown
- Consent text is specific, freely given, and separate from T&Cs (no pre-ticked boxes)
- Double opt-in for high-risk markets: Germany, Netherlands, Austria
- Consent records retained for duration of relationship plus 3 years minimum
3. Data Subject Rights
- Right of access (Art. 15): subscriber data exportable on request within 30 days
- Right to erasure (Art. 17): subscriber data deletable; suppression record retained
- Right to portability (Art. 20): data exportable in machine-readable format (CSV)
- All requests acknowledged within 72h, fulfilled within 30 days
4. Data Processing Agreement (Art. 28)
- DPA signed with email infrastructure provider (Cloud Server for Email provides DPA on request)
- DPA covers: purposes, security, sub-processors, breach notification
- For US-based ESPs: current adequacy mechanism documented (EU-US DPF or SCCs)
5. Data Residency
- EU subscriber data processed within EU: Cloud Server for Email — Estonia (EU member state) OR
- Non-EU processing: adequate protection mechanism documented
- Data flow mapping complete — all sub-processors documented
6. Unsubscribe and Suppression
- Unsubscribe link in every commercial email
- RFC 8058 List-Unsubscribe-Post header (required for Gmail bulk senders 2024+)
- Unsubscribes processed immediately (MailWizz processes on click)
- Suppression record retained to prevent re-mailing
7. Privacy Notice
- Privacy notice at point of consent (web opt-in form)
- Includes: controller identity, purposes, legal basis, retention period, rights, third-party processors
- Marketing notice explains: how to unsubscribe, how long data is kept, who else receives it
Cloud Server for Email provides a GDPR Article 28 DPA to all infrastructure clients on request. Contact infrastructure@cloudserverforemail.com for DPA documentation.