Short answer: If you want to run email marketing legally, you need valid consent – or an existing customer relationship with clear exceptions. You must clearly inform the recipient, make it easy to unsubscribe, and be able to document the entire process. The GDPR and marketing laws go hand in hand, and violations can result in fines and loss of trust.
Possibly the most effective marketing channel
Do you send newsletters to your contacts with free tips and product updates? Email marketing can be one of the most effective and affordable ways for a company to communicate with its audience. All it takes is an email tool, a contact list, and some relevant content. But when doing email marketing, it’s essential to handle the personal data you use with care. This post explores what GDPR means for email marketing – and how to stay compliant.
Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability?
Ponemon Institute
What does the GDPR say about email marketing?
An email address is considered personal data, which means it falls under the GDPR. When you send newsletters, offers or campaigns to an email address, you must have a lawful basis for doing so. The most common basis is consent – meaning the individual has actively agreed to receive marketing from you. But it doesn’t stop there.
In addition to GDPR, email marketing is also regulated by marketing laws, which have their own rules on when and how you can send electronic marketing. In the UK and across the EU, both sets of rules must be followed – meaning, among other things, that:
- Consent must be freely given, informed and explicit
- The recipient must understand what they’re agreeing to
- It must be easy to unsubscribe at any time
- You must be able to document the entire process
When are you allowed to send marketing emails?
You may send marketing emails to individuals under the following conditions:
With valid consent – The person has freely, clearly and actively consented to receive marketing from you – and you can document this consent.
Without consent – if all of the following criteria are met (known as soft opt-in):
- The recipient is an existing customer
- The marketing relates to your own similar products or services
- The recipient was given the opportunity to opt out at the time of sign-up – and in every subsequent email
In all other cases, consent is required. This includes situations where you’ve obtained someone’s email address at a trade show, through LinkedIn, or via a contact form without explicit marketing consent.
What do you need to document – and how?
If you want to send email marketing in compliance with GDPR, you must use secure email and be able to document every single consent you rely on. That means it’s not enough to simply have consent – you need to be able to show exactly how and when it was given, and under what conditions. You must be able to document:
- That the consent was given freely and with full information – without coercion or hidden conditions
- What information the recipient was informed about – e.g. purpose, data processing, and their rights
- When and how the consent was given – including date, time and technical method
- That it is just as easy to withdraw consent as it was to give it
- That every email includes a clear and accessible unsubscribe link
This documentation must be easy to retrieve – whether a recipient asks to see it or the authorities require proof of your practices.
FAQ on Email Marketing and GDPR
1. Can we email leads from trade shows or networking events?
Only if they’ve given consent – or if there’s an existing customer relationship and the soft opt-in exception applies.
2. Can we collect emails from social media?
No, not without consent. This applies even if the email address is publicly visible.
3. What if the recipient doesn’t open the email – do the rules still apply?
Yes. It’s the act of sending marketing that matters – not whether the message is read.
How to run compliant email marketing
Email marketing isn’t just about great content – it’s about knowing your consents. Who said yes? When? To what? And can you prove it if someone asks? Too many businesses lose track because consents are scattered across systems – or never properly recorded. That leaves you exposed to complaints, audits, and a loss of customer trust.
At Safe Online, we’ve developed RequestManager – a tool that helps you collect, log, and document consent in one place. You can track exactly who gave which permissions – and when – directly from your dashboard. This makes GDPR compliance easier and gives you peace of mind when sending marketing emails.
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.





