GDPR-Compliant Email Infrastructure
EU-Based Dedicated Sending Infrastructure for GDPR Compliance
Cloud Server for Email operates dedicated email sending infrastructure from data centers in Estonia (EU). For organizations sending email to EU residents, this means subscriber data — email addresses, behavioral data, delivery records — is processed entirely within the European Union, eliminating the data transfer complexity that arises with US-based email service providers.
GDPR and Email Infrastructure: What It Means
GDPR does not prohibit email marketing. It requires that email marketing be based on a valid legal basis under Article 6 — typically explicit consent (Article 6(1)(a)) for marketing communications or legitimate interest (Article 6(1)(f)) for B2B outreach. The infrastructure layer's GDPR obligations are separate from the legal basis question.
For email infrastructure, GDPR creates obligations around: data processing agreements with infrastructure providers, data residency for subscriber personal data, retention limits for delivery logs, and data subject rights implementation (access, deletion, portability). Shared US-based ESPs address these obligations through Standard Contractual Clauses (SCCs) — a legally valid but administratively complex approach. EU-based infrastructure eliminates the SCCs requirement.
Data Residency: What Stays in the EU
| Data Category | Location | GDPR Status | Retention |
|---|---|---|---|
| Subscriber email addresses | EU (Estonia) | EU-resident data, no transfer required | Per client retention policy |
| SMTP delivery logs (per-message) | EU (Estonia) | Operational data, EU-resident | 90 days active, 2 years archived |
| Open/click behavioral data (MailWizz) | EU (Estonia) | EU-resident, subscriber behavioral profile | Per client configuration |
| Complaint/FBL data | EU processing | Processed in EU before ISP relay | 30 days operational |
| Authentication keys (DKIM) | EU server only | Infrastructure data, not personal | Until rotation (min. annually) |
Data Processing Agreement (DPA)
Cloud Server for Email acts as a Data Processor under GDPR Article 28 for client subscriber data. A formal Data Processing Agreement is available upon request and is required for all clients sending to EU residents. The DPA covers: processing instructions, security measures, sub-processor notification, data subject rights support, and breach notification procedures.
Our sub-processors are limited to EU-based datacenter infrastructure providers operating under equivalent data protection standards. We maintain a sub-processor registry and provide 30-day advance notice of any sub-processor changes.
GDPR Legal Basis for Email Sending
Consent-Based Sending (Article 6(1)(a))
For marketing email, explicit, specific, and documented consent is the most defensible legal basis. MailWizz on dedicated infrastructure supports consent documentation through: subscription timestamp recording, IP address capture at opt-in, consent source tracking (custom fields), and double opt-in confirmation emails.
Legitimate Interest for B2B (Article 6(1)(f))
B2B outreach to business contacts can be based on legitimate interest when: the contact is relevant to your business (professional role alignment), a balancing test supports the processing, and an easy unsubscribe mechanism is provided. Our infrastructure supports legitimate interest B2B sending with proper suppression management and unsubscribe processing.
Transactional Email (Article 6(1)(b))
Transactional email related to a contract or service a recipient has entered into does not require separate consent. Order confirmations, account notifications, and service communications based on a contractual relationship are permitted without opt-in consent.
Data Retention and Deletion
GDPR's storage limitation principle requires deleting personal data when it is no longer needed for the original purpose. Our infrastructure supports configurable retention periods:
- SMTP accounting logs: Configurable 90-day to 2-year retention; can be restricted to aggregate data only for compliance
- Subscriber behavioral data (opens/clicks): Configurable per client in MailWizz settings
- Unsubscribed contacts: Suppression record retained (to prevent re-mailing), full profile deleted on request
- Complaint records: Processed and anonymized; used for suppression only
Compliance for EU Markets: Key Regions
| Country/Region | Key Regulation | Primary ISPs | Notes |
|---|---|---|---|
| Germany | GDPR + BDSG (Federal Data Protection Act) | GMX, Web.de, T-Online, Telekom.de | Strict; explicit consent required; German DPA active enforcement |
| France | GDPR + CNIL guidelines | Orange, Free, SFR | CNIL B2B legitimate interest guidance differs from some interpretations |
| Netherlands | GDPR + AP enforcement | XS4ALL, Ziggo, KPN | Telecommunications Act supplements GDPR for direct marketing |
| Spain | GDPR + LOPDGDD | Telefonica, ONO | AEPD enforcement; high fines for non-compliance |
| Poland | GDPR + Polish DPA | Onet, WP.pl | UODO enforcement growing; transactional email clearer than marketing |
| Sweden | GDPR + IMY guidance | Telia, Bahnhof | Conservative interpretation; explicit consent standard |
| European overall | GDPR (Regulation 2016/679) | All EU ISPs | Unified regulation; national DPA enforcement varies |
This page provides infrastructure context for GDPR compliance. It does not constitute legal advice. Your organization should consult qualified legal counsel for specific GDPR compliance requirements for your email program and recipient base.
EU Infrastructure for GDPR Compliance
Dedicated EU infrastructure with a Data Processing Agreement for organizations sending to EU residents.
Request DPA and Assessment