Everything an email marketer needs to know about the GDPR

Written by Femke van Zelst

The GDPR (General Data Protection Regulation) influences virtually all digital marketing activities, including email marketing. Starting 25 May 2018, all records that you send commercial emails to have to comply with this legislation. In this blog we will tell you what you as an email marketer needs to know about the GDPR.


The GDPR came into effect on 25 May 2016, but is actually being enforced since 25 May 2018. The GDPR replaces previous legislation to protect personal data and influences all companies that process European citizens’ personal data. From 25 May onwards, companies will sometimes have to be able to show they have permission to process the data subject’s personal data.

From 25 May onward, you are required to have much more specific permission from the end user when your organisation works with personal data or information that can be traced back to an individual person.

1. What information is considered ‘personal data’ under the GDPR?

The definition of the idea of ‘personal data’ is sharpened with the introduction of the GDPR. Personal data includes: ‘any information relating to an identified or identifiable natural person’. As soon as it is possible to identify someone, you’re dealing with personal data. When processing personal data, a distinction can be made between non-anonymous personal data, pseudonymous personal data and anonymous personal data.

Personal data

Data relating to an identified or identifiable person. Examples: name, address, city, phone number, email address, IP address, birth date and location information.

Pseudonymous data

Data that cannot be traced back to a natural person without additional information, but can be individualised. Examples include: hashed email address, order number, customer number and username. Encrypting personal data is also a form of pseudonymising the data.

Anonymous data

If identification is not possible and cannot be made possible, it no longer falls under personal data. This is called anonymous data. This data is outside of the scope of the GDPR.

2. What are the data subject’s rights?

The person concerned, or: the person whose data is processed, is given additional rights under the GDPR. We discuss two of them below.

Right to erasure/right to be forgotten

Data subjects now have the right to request companies to remove their data. From 25 May onwards, they can also demand that the company pass on that removal to all companies that obtained that data through this company.

Right to data portability

Data subjects also have the right (under certain circumstances) to request their personal data from companies in a standard format.

3. Am I required to have a double opt-in?

It is not necessary to have a double opt-in. The GDPR only deals with data processing. Considering the fact the Dutch legislation had been fairly strict before, the GDPR doesn’t change much in this regard for companies already complying with the previous Dutch legislation.

4. What requirements do my opt-ins have to meet?

This is what the GDPR says about the e-mail opt-in:

  • The e-mail opt-in must be a clear and concise consent message.
  • The opt-in must be separate from other conditions and cannot be a condition for the supply of goods or services. This means the ‘upon accepting the terms and conditions you will automatically be registered for our newsletter’ is forbidden.
  • It is forbidden to automatically check the opt-in checkbox. This is called ‘Privacy by default’.
  • You are required to have segmented opt-ins when you use the data in more than one way, i.e.: when you use the same data for various purposes. This is called ‘purpose limitation’.
  • Your database needs to track the opt-in, so you can show you received permission from the person involved..
  • Recipients reserve the right to withdraw their opt-in. You have to make clear to the recipient how they can unregister. This can be included in a ‘Privacy Statement’.

5. What do I do if my opt-ins do not meet the requirements?

If you have acquired the email addresses legitimately and have documented this properly, there is no reason to panic. If this is not the case, there is work to be done. You can do two things:

  1. Deleting your database and creating a whole new database;
  2. Ensuring valid opt-ins for your current database.

We feel option 1 is very rigorous. That is why we prefer option 2. Below we will explain to you how to get valid opt-ins through a Permission Passing Campaign. This campaign means emailing your database with the question of whether or not they still wish to receive your emails. The recipient can give permission using a button in the email. When you document this in your database, the opt-in will be considered valid.

6. Can I still profile?

Profiling is the automatic processing of personal information, allowing you to evaluate and attempt to predict people’s behaviour. You can still profile, but there are requirement you have to meet in order to safeguard the rights of the data subject. Firstly, you require explicit permission for profiling. This is a special type of granting permission, where the action is specifically aimed at granting permission. You are also required to inform the data subject of the fact that you are profiling, as well as explaining the basic logic behind profiling, and the importance and consequences of profiling. You are also required to inform the data subject that they can add their own points to the profile you created. Naturally, you are also required to be able to facilitate this process.

7. What is a record of data processing activities?

A record of data processing activities is an overview of the processing of personal data done as an organisation. This does not only include processing done for your own organisation, such as employee administration, but processing of clients’, prospects’ and contacts’ personal data. That is why the creation of a record of data processing activities is relevant for an email marketer. The record of data processing activities documents the purposes for which personal information is processed, which risks come with the processing, and which security measures have been taken to protect the personal information.

8. Do I need a record of data processing activities?

The answer is: yes! From 25 May onwards, you are required to create a record of data processing activities that records structural processing, such as your database of clients, prospects and contacts. If you do not have a record of data processing activities, you are not in compliance with the GDPR, and run the risk of sanctions. So always make sure to create a record of data processing activities.

9. Am I required to appoint a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is an internal or external compliance officer for privacy regulations within an organisation. Appointing a Data Protection officer is a requirement for specific organisations or when a certain type of personal data processing is conducted. Three types of organisations are required to appoint a DPO:

  1. Government institutions;
  2. Organisations carrying out large-scale and structural observation;
  3. Organisation carrying out large-scale and structural processing of special categories of personal data.

10. What does the documentation requirement entail?

The previous Dutch Privacy Act required you to report to the Dutch Personal Data Authority when processing personal data. Under the GDPR, as a processer you are required to instead comply with the documentation requirement. This means you are required to document all data processing taking place within your organisation, how you do it, and that you are able to secure the rights of the data subject when doing so. This means you have to be able to show that in compliance with the provisions of the GDPR, you have taken the correct organisational and technical measures and comply with the regulation.

11. What is meant by a legitimate interest?

Under the GDPR, you are allowed to process personal data based on a legitimate interest, when necessary. Processing can only be done if the fundamental rights and liberties of the person concerned do not outweigh the purpose of the data processing and the processing itself. This means you have to be able to show that your purpose is not outweighed by the interests of the data subject. The GDPR states that processing personal data for marketing purposes can be a form of processing with a legitimate interest. A web shop, for instance, can have a legitimate interest when it uses an email address for targeted ads. This is not allowed when the data subject objects to this.

12. What are the consequences of non-compliance?

If you do not meet GDPR requirements by 25 May 2018, you risk a fine. A distinction is made between upper level and lower level infringements.

Upper level infringements

In case of upper level infringements, fines of up to 20 million euros or 4% of global annual turnover (whichever is higher) can be imposed. Upper level infringements include::

  1. Infringement upon the basic principles of the GDPR, such as obtaining and documenting a valid opt-in.
  2. Infringement upon the obligations relating to the rights of the recipient, such as the right to resist or the right to data portability.

Lower level infringements

In case of lower level infringements, fines of up to 10 million euros or 2% of global annual turnover (whichever is higher) can be imposed. Lower level infringements include:

  • Not reporting a data breach to the Dutch Personal Data Authority (AP) and, where necessary, the persons concerned.
  • Not having the permission of a parent for the opt-in of a child under 16.

13. Is there anything else to take into account?

Indeed there is! A few things are listed for you below.

  • You can no longer use a noreply address as a sender address. It has to be possible to respond to an e-mail.
  • When signing up for a mailing list, the name and the email address are the only data that are considered ‘regular information.’ Data such as birth date, gender and address cannot be requirements for sign-up.
  • When collecting email addresses, you are always required to refer to the Privacy Statement, for instance as part of the terms and conditions, where the recipient is explained how the data will be used.
  • You do not need an opt-in to send transactional emails, provided you do not place any commercial content.

We hope that this blog has answered your most important questions concerning the GDPR. If you have any questions, please contact us.

Don't miss a blog?

Then sign up for our newsletter!

  • By subscribing to our newsletter, you agree to e-Village's Privacy Statement and your data can be used for marketing purposes. You can unsubscribe from this at any time.

Known from: