# GDPR + email marketing — consent, data residency, and compliance

GDPR doesn't make email marketing harder — it makes the sloppy parts illegal.

Informational only — not legal advice. Consult your DPO or counsel for jurisdiction-specific decisions.

## Lawful basis

For unsolicited marketing email to consumers, **consent (Article 6(1)(a))** is the only safe choice in most member states. The soft opt-in for existing customers (an ePrivacy Directive exception, normally paired with legitimate interest under Article 6(1)(f)) survives narrowly for follow-ups about similar products, but it is defensible yet fragile and its scope varies by member state. Build for consent.

Consent under GDPR must be: freely given (no pre-ticked boxes), specific, informed, unambiguous, and **documented** — you must demonstrate consent on request.

Operational implication: store consent timestamp + IP + source URL + exact consent text at moment of opt-in. AcelleMail's subscriber model captures these by default.

## Data residency

Chapter V (Article 44 onward) restricts transfers of personal data to "third countries" outside the EEA unless they are covered by an adequacy decision or an Article 46 safeguard such as standard contractual clauses (SCCs). After Schrems II (2020), the bar for US-bound transfers stays high: SCCs alone are not enough without a transfer impact assessment and supplementary measures.

Three paths in 2026:

1. **EU-region self-hosting** — Hetzner Germany, OVH France, Scaleway Paris, AWS eu-central-1 / eu-west-1. Data never leaves EEA. No SCCs needed for the app layer; you DO need them for non-EU sending relays.
2. **EU-region SaaS** — Mailchimp EU data center, Brevo (FR), MailerLite (LT). One vendor relationship, one DPA.
3. **US SaaS + SCCs + supplementary measures** — possible but operationally heavy after Schrems II.

For EU audiences, Path 1 — self-hosting AcelleMail on an EU VPS routed through AWS SES Frankfurt — is the lowest-friction GDPR posture.

## Processors & DPAs

Article 28 requires a written DPA with every entity that processes personal data on your behalf.

For a self-hosted AcelleMail stack, the typical processor chain is:

- **VPS provider** (Hetzner / DigitalOcean / OVH / AWS) — they process DB rows.
- **Sending relay** (SES / SendGrid / Mailgun / Postmark) — they process recipient email + subject + body during transit.
- **Analytics / CRM tie-ins** — only if you forward subscriber data downstream.

Sign each. With all-in-one SaaS, you sign the ESP's DPA + verify their sub-processor list.

## Subscriber rights

The five rights that matter most for email marketing:

- **Right to withdraw consent (Art. 7(3))** — one-click unsubscribe in every email.
- **Right of access (Art. 15)** — copy of all data you hold.
- **Right to erasure (Art. 17)** — delete the row, then propagate the address to the suppression list so it is never re-imported. Respond within one month (Art. 12(3)), extendable by two further months for complex requests.
- **Right to data portability (Art. 20)** — JSON or CSV export.
- **Right to object (Art. 21)** — opt out of all marketing OR specific types.

## Operational patterns

- **Double opt-in flow** — insert the subscriber with `confirmed_at = NULL`, send a confirmation email whose link carries a signed, expiring token, and on click set `confirmed_at = now()` while recording `consent_ip`, `consent_user_agent`, `consent_source` and the exact consent text shown. Only confirmed rows enter the welcome series.
- **Suppression list** — separate table keyed on a hash of the normalized address, not the plaintext. A bare SHA-256 of an email address is reversible by dictionary attack, so use a keyed hash (HMAC with a server-side secret), and trim and lowercase the address before hashing so every spelling of the same address matches. Check it before every send and on every import.
- **Breach notification** — 72 hours to the supervisory authority where feasible (Article 33), plus notification of affected subscribers without undue delay when the breach is likely to result in high risk (Article 34). Audit log + DB access log + a written incident-response runbook, so the 72 hours go into the notification rather than into reconstructing what happened.
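The double opt-in, suppression-list and erasure patterns above, as an added example that is not AcelleMail's code: Python using only the standard library (sqlite3 for an in-memory subscriber table, HMAC-SHA256 for both the confirmation token and the suppression hash). The schema, column names, `SECRET`, the 48-hour token lifetime and any addresses used with it are assumptions.

```python
"""Added example, not AcelleMail's own code: double opt-in with signed,
expiring confirmation links, consent evidence, a keyed-hash suppression
list and Article 17 erasure on an in-memory SQLite table. The schema,
column names, SECRET and any sample addresses are assumptions."""
import hashlib
import hmac
import sqlite3
import time
from datetime import datetime, timezone

SECRET = b"constructed-secret-load-it-from-a-secrets-manager"  # assumption
TOKEN_TTL = 48 * 3600  # confirmation links expire after 48 hours

SCHEMA = """
CREATE TABLE subscribers (
    id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, created_at TEXT NOT NULL,
    confirmed_at TEXT, consent_ip TEXT, consent_user_agent TEXT,
    consent_source TEXT, consent_text TEXT);
CREATE TABLE suppression (
    email_hmac TEXT PRIMARY KEY, reason TEXT NOT NULL, added_at TEXT NOT NULL);
"""

def normalize(email):
    """Trim and lowercase so every spelling of one address matches."""
    return email.strip().lower()

def email_hmac(email):
    """Keyed hash: checkable by equality, but unlike bare SHA-256 not
    reversible by a dictionary attack without SECRET."""
    return hmac.new(SECRET, normalize(email).encode(), hashlib.sha256).hexdigest()

def now_iso():
    return datetime.now(timezone.utc).isoformat()

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def is_suppressed(db, email):
    row = db.execute("SELECT 1 FROM suppression WHERE email_hmac = ?",
                     (email_hmac(email),)).fetchone()
    return row is not None

def add_subscriber(db, email, source_url):
    """Step 1: insert with confirmed_at = NULL; refuse suppressed addresses."""
    if is_suppressed(db, email):
        raise ValueError("address is on the suppression list")
    cur = db.execute(
        "INSERT INTO subscribers (email, created_at, consent_source) VALUES (?, ?, ?)",
        (normalize(email), now_iso(), source_url))
    return cur.lastrowid

def make_token(subscriber_id, email, now=None):
    """Step 2: link token 'id.expiry.hmac', bound to the address in that row."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    msg = f"{subscriber_id}.{normalize(email)}.{expiry}".encode()
    return f"{subscriber_id}.{expiry}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"

def confirm(db, token, ip, user_agent, consent_text, now=None):
    """Step 3: on click verify signature and expiry, then record the evidence."""
    try:
        sid, expiry, sig = token.split(".")
        sid, expiry = int(sid), int(expiry)
    except ValueError:
        return False  # malformed link
    row = db.execute("SELECT email, confirmed_at FROM subscribers WHERE id = ?",
                     (sid,)).fetchone()
    if row is None:
        return False
    expected = hmac.new(SECRET, f"{sid}.{row[0]}.{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or tampered link
    if (time.time() if now is None else now) > expiry:
        return False  # stale link: the subscriber must request a fresh one
    if row[1] is None:  # idempotent: a second click never overwrites the evidence
        db.execute("UPDATE subscribers SET confirmed_at = ?, consent_ip = ?, "
                   "consent_user_agent = ?, consent_text = ? WHERE id = ?",
                   (now_iso(), ip, user_agent, consent_text, sid))
    return True

def sendable(db):
    """Pre-send check: confirmed AND absent from the suppression list."""
    rows = db.execute(
        "SELECT email FROM subscribers WHERE confirmed_at IS NOT NULL").fetchall()
    return [e for (e,) in rows if not is_suppressed(db, e)]

def erase(db, email, reason="art17"):
    """Art. 17: delete the row; keep only the keyed hash so the address stays blocked."""
    db.execute("DELETE FROM subscribers WHERE email = ?", (normalize(email),))
    db.execute("INSERT OR IGNORE INTO suppression VALUES (?, ?, ?)",
               (email_hmac(email), reason, now_iso()))
```

Usage: `sid = add_subscriber(db, email, source_url)`, mail a link carrying `make_token(sid, email)`, and on click call `confirm(db, token, ip, user_agent, consent_text)`; `sendable(db)` is the gate in front of every campaign send, and `erase(db, email)` handles an Article 17 request. The token binds the subscriber id to the stored address and an expiry, so a forwarded or guessed link cannot confirm a different row, and a second click does not overwrite the evidence recorded by the first. The suppression table holds `HMAC(SECRET, normalized address)` rather than a bare digest: lookups still work by equality, but a leaked table cannot be turned back into addresses with a list of common emails unless the key leaks too.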

## Where to go next

- [Self-hosted pillar — full architecture](https://acellemail.com/guide-self-hosted.md)
- [Stack guide — picking processors](https://acellemail.com/guide-stack-2026.md)
- [Deliverability fundamentals](https://acellemail.com/guide-deliverability.md)
- [Security & GDPR features](https://acellemail.com/security.md)
