Pillar guide · 14 min read · Updated May 2026

GDPR + email marketing — consent, data residency, and the discipline behind compliant sends.

GDPR doesn't make email marketing harder — it makes the sloppy parts illegal. This guide walks the lawful-basis options for marketing email, the double-opt-in evidence trail you need, the data-residency choices that determine whether you need SCCs, and the operational tooling that makes compliance a config rather than a project. Every claim is sourced to a specific GDPR article or a regulator guidance document.

Informational only — not legal advice. Consult your DPO or counsel for jurisdiction-specific decisions.

In this guide

  1. Lawful basis & consent
  2. Data residency
  3. Processors & DPAs
  4. Subscriber rights in practice
  5. Operator deep-dives
  6. FAQ

§1 · Lawful basis

Consent is your lawful basis. Make the evidence trail real.

GDPR Article 6 lists six possible lawful bases for processing personal data. For unsolicited marketing email to consumers, consent (Article 6(1)(a)) is the only safe choice in most member states. Soft-opt-in (Article 6(1)(f) "legitimate interest") survives narrowly for existing-customer transactional follow-ups in B2C and broadly for B2B in some jurisdictions, but it's a defensible-but-fragile posture. Build for consent.

Consent under GDPR must be: (1) freely given — no pre-ticked boxes (Article 7(2)); (2) specific — distinct from other agreements; (3) informed — the subscriber knows who is sending and what for; (4) unambiguous — an affirmative action such as ticking a checkbox or submitting a sign-up form; (5) documented — you must be able to demonstrate consent on request (Article 7(1)).

Operational implication: store consent timestamp + IP + source URL + the exact text of the consent statement at the moment of opt-in. Without these you cannot demonstrate consent under audit. AcelleMail's subscriber model captures all four by default via the import + sign-up form flows — see the KB for the schema.

§2 · Data residency

Where the data sits determines what paperwork you need.

Article 44+ restricts transfers of personal data to "third countries" (anywhere outside the EEA) unless protected by SCCs or an adequacy decision. After Schrems II (2020), the bar for US-bound transfers stays high — even SCCs require supplementary measures.

Three paths in 2026, in order of operational simplicity:

  1. EU-region self-hosting. Hetzner Germany, OVH France, Scaleway Paris, AWS eu-central-1 / eu-west-1, Hetzner Finland. Data never leaves the EEA. No SCCs needed for the application layer; you DO need them for any sending relay that processes mail outside the EEA (SES or SendGrid in a US region, which is the common default). Using the Frankfurt / Dublin AWS regions of SES keeps the relay in-EEA too.
  2. EU-region SaaS. Mailchimp EU data center (paid Premium feature), Brevo (FR-based), MailerLite (LT-based). One vendor relationship, one DPA. Per-subscriber cost runs higher than the EU-self-hosting path.
  3. US SaaS + SCCs + supplementary measures. Possible but operationally heavy after Schrems II. Most German DPOs steer away unless the SaaS has no EU alternative.

For most operators serving EU audiences, Path 1 — self-hosting AcelleMail on an EU VPS routed through AWS SES Frankfurt — is the lowest-friction GDPR posture. See the self-hosted pillar for the architecture and /security for the encryption-at-rest + audit-trail tooling.

§3 · Processors & DPAs

Map every processor. Sign a DPA with each.

Article 28 requires a written contract — a Data Processing Agreement — with every entity that processes personal data on the controller's behalf. The DPA fixes the scope, duration, sub-processors, security measures, and breach-notification obligations.

For a self-hosted AcelleMail stack, the typical processor chain is:

  • VPS provider — Hetzner / DigitalOcean / OVH / AWS. They process the DB rows. Each publishes a DPA template.
  • Sending relay — SES / SendGrid / Mailgun / Postmark. They process the recipient email + subject + body during transit. Each publishes a DPA template.
  • Analytics / CRM tie-ins — only if you forward subscriber data downstream (Segment, Mixpanel, your CRM). Sign DPAs accordingly.

With all-in-one SaaS (Mailchimp / Brevo / Klaviyo), the ESP itself is a processor and you sign their DPA — but it's worth verifying their sub-processor list to know what's downstream of them.

§4 · Subscriber rights

The eight subscriber rights — and the operational hooks that satisfy them.

GDPR Chapter III lists eight individual rights. For email marketing specifically these matter most:

  • Right to withdraw consent (Article 7(3)) — one-click unsubscribe link in every email. AcelleMail ships this on all templates.
  • Right of access (Article 15) — give the subscriber a copy of all data you hold. Operational hook: a /me page after sign-in OR an email-based export-on-request flow.
  • Right to erasure (Article 17) — delete the row and propagate the deletion to the suppression list. Time limit: 30 days.
  • Right to data portability (Article 20) — JSON or CSV export of subscriber data on request.
  • Right to object (Article 21) — opt out of all marketing OR specific message types. Preference center.

For a complete operational walkthrough including SQL queries and the audit-trail schema, see the knowledge base + /security.

§5 · Operator deep-dives

Implementation patterns for the engineer wiring compliance.

The double-opt-in flow — exact sequence

  1. Visitor submits sign-up form.
  2. Insert row with `confirmed_at = NULL`.
  3. Send confirmation email with a signed-URL link.
  4. On link click, set `confirmed_at = now()` + `consent_ip`, `consent_user_agent`, `consent_source`.
  5. Subscriber receives welcome series.

Unconfirmed rows are pruned after a 7-day window. AcelleMail ships this as a form opt-in setting; toggle it on for any EU-targeted list.
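The five-step sequence above as an added, runnable Python model (example code, not AcelleMail's own): the confirmation link is an HMAC over the pending row plus its issue time, a click outside the 7-day window is rejected, and the consent evidence is written only on a valid click. The secret key, the field names, the confirm URL and the sample data are assumptions.

```python
import hashlib, hmac, time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

SECRET_KEY = b"constructed-demo-key"  # assumption: load from the environment in production
CONFIRM_WINDOW = 7 * 24 * 3600       # unconfirmed rows are pruned after 7 days

@dataclass
class Subscriber:
    email: str
    list_id: str
    created_at: float
    confirmed_at: Optional[float] = None   # NULL until the signed link is clicked
    consent_ip: Optional[str] = None
    consent_user_agent: Optional[str] = None
    consent_source: Optional[str] = None
    consent_text: Optional[str] = None     # exact wording shown at opt-in (Art. 7(1))

def sign_confirmation(email, list_id, issued_at):
    """HMAC over the pending row's identity plus the time the link was issued."""
    msg = f"{email.strip().lower()}|{list_id}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def confirmation_url(sub, issued_at, base="https://mail.example/confirm"):
    """Step 3: build the link placed in the confirmation email."""
    q = {"e": sub.email, "l": sub.list_id, "t": issued_at,
         "sig": sign_confirmation(sub.email, sub.list_id, issued_at)}
    return f"{base}?{urlencode(q)}"

def confirm(sub, issued_at, sig, ip, user_agent, source, consent_text, now=None):
    """Step 4: verify the link, then record the consent evidence on the row."""
    now = time.time() if now is None else now
    expected = sign_confirmation(sub.email, sub.list_id, issued_at)
    if not hmac.compare_digest(expected, sig):  # tampered or forged link
        return False
    if now - issued_at > CONFIRM_WINDOW:         # link older than the 7-day window
        return False
    if sub.confirmed_at is None:                 # idempotent on a second click
        sub.confirmed_at = now
        sub.consent_ip, sub.consent_user_agent = ip, user_agent
        sub.consent_source, sub.consent_text = source, consent_text
    return True

def prune_unconfirmed(rows, now):
    """Scheduled cleanup: drop rows that never confirmed inside the window."""
    return [r for r in rows
            if r.confirmed_at is not None or now - r.created_at <= CONFIRM_WINDOW]
```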

Suppression list — design + maintenance

A separate table that stores email-hashes (NOT plaintext) for unsubscribed addresses. Before EVERY send, the application checks the recipient address hash against the suppression list and skips matches. The hash (vs plaintext) means an erasure request can wipe the suppression row WITHOUT exposing the plaintext to a future leak. AcelleMail's `subscribers.status = 'unsubscribed'` row plus the dedicated suppression-list pivot covers both reads at send-time.
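An added Python model of the suppression-list design above, including the unsubscribe-versus-erasure distinction (example code, not AcelleMail's own). It uses a keyed hash (HMAC-SHA256 with a dedicated pepper) rather than a bare hash so that a leaked suppression table cannot be checked against a list of guessed addresses; the pepper, the in-memory store and the status values are assumptions.

```python
import hashlib, hmac

# Assumption: a dedicated secret ("pepper") for the suppression list, loaded from
# the environment and kept separate from the application's other secrets.
SUPPRESSION_PEPPER = b"constructed-demo-pepper"

def normalize(email):
    """Canonical form so 'Alice@Example.com' and ' alice@example.com ' match."""
    return email.strip().lower()

def suppression_key(email):
    """Keyed hash of the normalized address. The table never holds plaintext, and
    without the pepper a leaked table cannot be checked against guessed addresses."""
    return hmac.new(SUPPRESSION_PEPPER, normalize(email).encode(), hashlib.sha256).hexdigest()

class MailingStore:
    def __init__(self):
        self.subscribers = {}    # normalized email -> status (the subscribers row)
        self.suppressed = set()  # suppression list: hashes only, never addresses

    def subscribe(self, email):
        self.subscribers[normalize(email)] = "subscribed"

    def unsubscribe(self, email):
        """Art. 7(3) withdrawal: flip the status and record the hash so the
        address is never mailed again, even if a later import re-adds it."""
        self.subscribers[normalize(email)] = "unsubscribed"
        self.suppressed.add(suppression_key(email))

    def resubscribe(self, email):
        """Only a fresh, confirmed opt-in lifts the suppression entry."""
        self.suppressed.discard(suppression_key(email))
        self.subscribe(email)

    def erase(self, email):
        """Art. 17 erasure: remove every trace, including the suppression hash."""
        self.subscribers.pop(normalize(email), None)
        self.suppressed.discard(suppression_key(email))

    def may_send(self, email):
        """Run before EVERY send: both the status read and the suppression read."""
        if self.subscribers.get(normalize(email)) != "subscribed":
            return False
        return suppression_key(email) not in self.suppressed

    def filter_recipients(self, emails):
        """Apply may_send to a batch and return only the addresses safe to send to."""
        return [e for e in emails if self.may_send(e)]
```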

Breach notification — Article 33 in practice

A breach of personal data must be notified to the supervisory authority within 72 hours (Article 33). For email-marketing systems, "breach" most commonly = exfiltrated subscriber list. Operational hooks: (1) audit logging of admin actions, (2) DB-level access logging on the subscribers table, (3) a written incident-response runbook with the 72-hour timer + DPO contact. Documents to keep: data-flow map, processor list, last DPIA. /security covers the audit-trail tooling shipped by default.

Cross-border B2B sends — does GDPR even apply?

GDPR applies if (1) you're established in the EU OR (2) you offer goods/services to EU subjects OR (3) you monitor EU subjects' behaviour. A US-based SaaS mailing US-only customers can fall entirely outside GDPR. But the moment one EU contact lands in your list, that contact's data is in-scope. Cleanest path: route EU contacts through an EU-region AcelleMail instance + apply GDPR to that instance only; route US-only through your existing US setup.

§6 · FAQ

Common GDPR + email questions.

What does GDPR require for email marketing specifically?
Three obligations dominate: (1) a lawful basis for processing personal data — for marketing email, that's almost always consent (Article 6(1)(a)); (2) demonstrable consent — you must be able to prove WHEN and HOW each subscriber opted in; (3) the right to withdraw consent — one-click unsubscribe in every email + a preference center. Data minimization (Article 5) and breach notification (Article 33) sit alongside these.

Is double opt-in required by GDPR?
Not explicitly required by GDPR text, but practically essential for proving consent and avoiding regulator scrutiny. Several EU member states (Germany via UWG, Austria) interpret consent strictly enough that single opt-in carries real risk. Best practice for any EU-targeted send: double opt-in for new subscribers + timestamp + source URL stored alongside the contact.

Where can I store EU subscribers' data?
GDPR (Article 44+) restricts personal data transfers outside the EEA unless protected by SCCs (Standard Contractual Clauses) or operator-to-operator agreements. Self-hosting on an EU-region server (Hetzner Germany, OVH France, Scaleway Paris) removes the cross-border transfer question entirely — the data never leaves the EU. SaaS vendors typically offer EU data residency as a paid upgrade. AcelleMail self-hosted in eu-central-1 (AWS) or any EU VPS satisfies this with no extra paperwork.

What is a DPA and do I need one?
A Data Processing Agreement (DPA) is a contract between the data controller (you) and any processor that touches personal data on your behalf. Required by GDPR Article 28 for every processor in the chain. With self-hosted AcelleMail, your processors are: (1) your VPS provider (Hetzner, DigitalOcean, AWS), (2) your sending relay (Amazon SES, SendGrid, Mailgun), (3) any analytics tool. Sign DPAs with each. With SaaS, the ESP itself is also a processor — you sign their DPA.

How long can I keep subscriber data?
GDPR Article 5(1)(e) says only as long as necessary for the purpose. Practically: keep active subscribers as long as the relationship is active; delete or anonymize after a defined inactivity period (typically 24–36 months from last engagement). Document the retention policy in your privacy notice + apply it via a scheduled job. AcelleMail supports automatic suppression and deletion via segment + automation triggers.

Do I need to disclose every email tool I use in my privacy notice?
Yes — Article 13(1)(e) requires you to disclose the recipients (processors) of personal data. List every tool that touches subscriber data: ESP, sending relay, analytics, CRM. Some teams group these under generic categories ("infrastructure providers"); strict-interpretation member states want named processors. When in doubt, name them.

What about ePrivacy / PECR for tracking pixels?
In addition to GDPR, the ePrivacy Directive (UK PECR, EU equivalent) regulates cookies and tracking technologies — including open-tracking pixels. Most regulators treat open-tracking as low-risk if consent for marketing was obtained, but the UK ICO and Germany have flagged aggressive click-tracking as needing separate consent. Plan: disclose pixel use in your privacy notice, allow recipients to opt out of tracking (preference center), and minimize click-tracking on transactional emails.

What's the difference between unsubscribe and erasure under GDPR?
Unsubscribe = end of marketing consent (Article 7(3) — right to withdraw). The contact moves to a suppression list (you keep the email hash to prevent re-mailing). Erasure (Article 17, "right to be forgotten") = delete ALL personal data including the suppression entry. AcelleMail separates these: an unsubscribe sets the subscriber state, a full-erasure GDPR request deletes the row entirely + propagates to your suppression mirror.

Run compliant from day one

Own the data. Pick the region. Sign the right DPAs.

AcelleMail self-hosted on an EU VPS routes through any sending relay you choose and gives you the encryption-at-rest, audit log, and full DB access GDPR audits expect.

Informational only — not legal advice. GDPR interpretation varies by member state; consult counsel or your DPO for binding decisions.