What this is for
The General Data Protection Regulation (GDPR) applies to any business that processes personal data of EU or UK residents — regardless of where the business is located. An email address is personal data. Sending marketing email to an EU recipient = processing personal data = GDPR applies.
There are five non-negotiables for email marketing: a lawful basis for processing, the right of access, the right to erasure, the right to portability, and a data-processing agreement with every third-party processor in the chain. This guide walks through each one with the corresponding AcelleMail UI path.
1. Lawful basis (Article 6) — consent
For marketing email, the only practical lawful basis is explicit consent. The legal bar is:
- Freely given — not bundled with terms of service, not a condition of purchase
- Specific — they consented to marketing email, not "communications"
- Informed — they knew who they were consenting to and what they'd receive
- Unambiguous — a clear affirmative action; pre-ticked boxes do not count
In AcelleMail:
- Open Lists → [your list] → Edit → Subscription settings
- Turn ON Double opt-in — this produces a server-side timestamped confirmation log for every subscriber, the strongest form of consent record
- In your signup form (Forms → [your form] → Edit), add an unchecked consent checkbox with explicit text — "I agree to receive marketing emails from [Company]. I can unsubscribe at any time." — linked to your privacy policy
The double opt-in confirmation timestamp is your audit trail. See Double Opt-In vs Single Opt-In for the full setup.
2. Right of access (Article 15)
A subscriber can request all data you hold on them; you must supply it free of charge within one month.
In AcelleMail:
- Open Lists → [their list] → Subscribers
- Search for their email
- Open the subscriber detail page — the profile shows email, MERGE fields (name, company, custom fields), subscription date, source list, and engagement history (opens / clicks / bounces)
- From the subscriber's action menu, export the profile as CSV
If they're on multiple lists, repeat per list — or use Search → Subscribers to find every occurrence at once.
3. Right to erasure / "right to be forgotten" (Article 17)
The subscriber asks to be removed; you have one month to comply and must purge:
- The subscriber row from every list they're on
- All custom field data tied to them
- (Where possible) engagement history
In AcelleMail:
- Search → Subscribers to find every occurrence of the email
- Open each occurrence and click Delete — confirm
- Subsequent campaign sends will not be able to target that email; AcelleMail's deduplication also prevents re-import as a "live" subscriber if they later try to re-subscribe via the same form (they'll need a fresh signup with a new confirmation).
Note: GDPR does not require you to delete from immutable system logs (e.g. webserver access logs, bounce-handler logs). Mainline subscriber records and your marketing CRM are what's in scope.
4. Right to portability (Article 20)
The subscriber is entitled to receive their data in a "structured, commonly used, machine-readable format" — CSV satisfies this. The Article 15 CSV export described above is sufficient for portability requests too.
5. Data Processing Agreement (Article 28)
If you use a third-party sending provider — Amazon SES, SendGrid, Mailgun, Postmark, SparkPost — that provider is a data processor and you must have a signed DPA with them. All the major SMTP providers publish their DPA online; sign once, retain a copy.
If you use AcelleMail self-hosted with your own SMTP and your own server, AcelleMail is not a processor of your subscriber data — your server is. You only need DPAs with services that touch the data downstream (e.g. your hosting provider, your bounce-handler IMAP host).
The self-hosted advantage
GDPR has a "data residency" preference: keep EU residents' data inside the EU when practical. With AcelleMail self-hosted, you choose your server — put it in Frankfurt, Dublin, or Paris and you've solved data residency for free. SaaS competitors that run from US-only infrastructure complicate this; you don't have that complication.
Common issues

| What you see | What to do |
|---|---|
| Pre-ticked consent checkbox on legacy signup form | Un-tick it. Re-permission anyone collected through it via a confirmation campaign. |
| Subscriber on 4 lists asks to be deleted; you delete from one and they keep getting email | Use Search → Subscribers (global) to find every occurrence before clicking delete. |
| Lawful-basis question on cold B2B outreach | "Legitimate interest" basis is debated for B2B; the safest read is to still use explicit opt-in. ICO (UK) guidance: B2B individual addresses still attract PECR / GDPR. |
| You're not sure whether your SMTP provider has a DPA | Their compliance/legal page will publish it. Amazon SES, SendGrid, Mailgun, Postmark all have public DPAs you sign electronically. |
What to do after
- Audit every signup form for an unchecked (never pre-ticked) consent checkbox, explicit consent text, and a privacy-policy link.
- Turn on double opt-in for any list that collects EU/UK residents.
- If you use a third-party SMTP, sign their DPA today.
- If you don't know where your server is hosted geographically — find out. EU residency is a feature, US-only is a friction point.