Legislation GDPR (General Data Protection Regulation) and email marketing

Disclaimer: The content of this page does not constitute legal advice. This page is for informational purposes only, and we strongly recommend seeking independent legal advice to understand how your organisation needs to comply with the GDPR.


Legislation GDPR (AVG) & Email Marketing from 2018

Entry into Force of the General Data Protection Regulation

  • On 14 April 2016, the European Parliament adopted the General Data Protection Regulation, hereinafter referred to as 'GDPR'. From 25 May 2018, the GDPR applies throughout the European Union. 
  • This article provides an update from MailBlue on this legislation and what MailBlue/ActiveCampaign have done to comply with the law. Additionally, we provide tips on what you as a business owner can do to comply with the legislation.
  • Ensure that your organisation complies with the new legislation. Failure to comply with the GDPR can result in a fine of up to €20 million or 4% of your total worldwide turnover.


What does the GDPR entail?

Enhancing Personal Data Protection

  • The GDPR is a European regulation designed to enhance the protection of the processing of personal data of individuals in the European Union.

Who does the GDPR apply to?

  • The GDPR applies to any organisation in the European Union that processes personal data. The regulation also applies to any organisation that processes personal data of European individuals, regardless of whether the organisation is based in the European Union. If any type of personal data, including email addresses, is collected, managed, or analysed, the GDPR is likely to impact your organisation.

Please note: This section covers many of the changes brought about by the GDPR but is not an exhaustive list. We strongly recommend seeking independent advice to determine the extent to which the GDPR affects your business.


Changes due to the GDPR

The GDPR includes a series of requirements regarding consent, rights of data subjects, and data processing. The following overview is a non-exhaustive summary of the most important requirements of the GDPR.


Consent of the Data Subject

Consent, originally defined in Article 4, is addressed throughout the text of the GDPR. Overall, the GDPR establishes a much higher standard for the concept of 'consent' compared to the Data Protection Directive.

Under Article 12 of the GDPR, consent must be both informed and explicit. Organisations have an obligation to present information about processing "in a concise, transparent, intelligible and easily accessible form, using clear and plain language".

When data processing is based on consent, organisations need explicit consent from individuals in accordance with Article 7 of the GDPR and must also be able to demonstrate that individuals have given consent. When organisations collect personal data, they are required to disclose certain information in accordance with Article 13 of the GDPR.


Rights of the data subject

Articles 12 to 23 of the GDPR contain the rights of the data subject. In general, the GDPR expands these rights regarding personal data.


Right of access

Under Article 15 of the GDPR, the right of access is the right of the data subject to request information about how their data is being used, as well as to obtain a copy of the data itself.


Right to rectification

According to Article 16 of the GDPR, individuals may contact a data controller to obtain rectification of incorrect personal data. Article 16 reads as follows:

Article 16 of the GDPR (Rectification): 'The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement'.


Right to erasure

According to Article 17, data subjects can request the erasure of personal data under certain specific circumstances. These circumstances include, but are not limited to:

  • When the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • When the data subject withdraws their consent.
  • When the personal data has been unlawfully processed.


Right to restriction of processing

According to Article 18, data subjects have the right to obtain restriction of processing in certain circumstances.


Right to data portability

Data subjects have the right under Article 20 to receive their personal data and the right to use that data elsewhere.


Right to object

Article 21 states that data subjects have the right to object to the processing of their personal data in certain cases, 'unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims'.


Data processing

The GDPR specifies a variety of requirements regarding the processing of personal data. This section explores some requirements of personal data processing and provides links to relevant sections of the GDPR text.

Data Controller and Processor

A data controller is the organisation that determines how personal data is used. A data processor is the organisation that processes personal data on behalf of, and under the instructions of, the data controller. The specific responsibilities of each party are set out in Articles 24-43.

In most cases, MailBlue is a processor and the customer is the controller. Note that it is possible for one organisation to be both processor and controller.

Data Processing Agreements

Article 28 states that the data controller must have a clearly documented agreement with the processor that defines the scope of the processing. These agreements are to be 'in writing, including in electronic form'. Requirements for processing agreements can be found in Article 28.

Data Protection Officers

In accordance with Article 37, many organisations are required to appoint a data protection officer. The specific responsibilities of a data protection officer are listed in Article 39. In general, the data protection officer is responsible for GDPR compliance.

Transfer of Personal Data to Third Countries or International Organisations

Articles 44-50 of the GDPR include specific requirements on the transfer of personal data to third countries or international organisations. The GDPR does not require personal data of EU citizens to stay exclusively in the EU, but it does set some requirements for such transfers.

Consult a Legal Professional

DISCLAIMER: The content of this page is informative and is explicitly not advice to you as a reader. To fully understand the effects of the GDPR on your organisation, we strongly recommend seeking legal advice from a legal professional. MailBlue B.V. accepts no liability arising from consulting and using this specific article. The use of this article is entirely at the user's own risk.

We will announce GDPR-related changes/updates on an ongoing basis through our website.

Well-prepared for GDPR Legislation

Set up an opt-in confirmation

Enabling a double opt-in is a good start that can help you comply with the 'unambiguous consent' requirement of the GDPR. With opt-in, the owner of an email address has explicitly given permission to receive emails from a specific mailing list. When a double opt-in is enabled, contacts will need to confirm their email address before receiving further messages. You can learn how to enable a double opt-in via this help document (please note: using a double opt-in is not mandatory but is recommended).

Know how to edit and delete contacts

Under the GDPR, contacts have the right to request correction or deletion of their personal data. If you are familiar with processing and deleting contact information, you can comply with such requests.

Know how to export contact data

The right to data portability and the right to access allow contacts to request their personal data. Exporting data can help you comply with these requests. You can learn how to export contact data via this help document.

Add user statements to opt-in forms

The GDPR requires you to inform people how you will use their personal data and when you collect it. This is part of the new requirements for unambiguous consent.
While the exact statements to be included depend on how you use the data, you can include any desired instructions by using an HTML block or text block in the MailBlue forms. Additionally, you can use custom fields to add an extra checkbox indicating explicit consent. You can learn how to add custom fields via this help document.

Obtain consent evidence from existing contacts

The GDPR requires you to be able to demonstrate evidence of explicit and unambiguous consent from data subjects. This also applies to contacts from whom you collected personal information before the GDPR was introduced. If you are currently unable to demonstrate double opt-in consent from these contacts, you must urgently reach out and request consent again. The process is explained in this help document.

Delete contacts and lists you no longer need

The GDPR aims to protect the privacy of data subjects, including minimising the risk of data misuse. It may be advisable to delete unsubscribed contacts and lists that you no longer use to limit risks.

Request, use, and store only necessary data

Often, companies still request unnecessary data. You should only ask for and store the data you need for the original purpose for which you wanted to collect the data.

For example, in an online store, you need address details to deliver an order, but you do not need the same data to send someone an email newsletter. When the data is no longer necessary, you can also delete this data. Therefore, also document how long you will keep the requested data.


Place a privacy policy on your website

To collect email addresses, it is important to have a privacy policy on your website. In this privacy policy, you state how the data is processed and for what purposes it is used. The privacy policy should include, among other things, the following details:

  • The identity and contact details of the data controller and, if applicable, your representative in the EU;
  • The contact details of the Data Protection Officer if you have one;
  • The purposes and legal basis of the processing, and if you rely on legitimate interests: which interest you are relying on;
  • The (categories of) recipients of the personal data;
  • Whether you intend to transfer the personal data outside the EU or to an international organisation and on what legal basis;
  • The retention period of the data;
  • The rights of the data subject, such as the right of access, rectification, and erasure. See also step 10;
  • The data subject's right to withdraw consent for a specific processing at any time;
  • That the data subject can lodge a complaint with the relevant privacy supervisory authority;
  • Whether and why the data subject is obliged to provide the personal data and what the consequences are if the data is not provided;
  • Whether you use automated decision-making, including profiling, and how you make decisions;
  • If the data is obtained from another organisation: the source of the personal data and, if applicable, whether they originate from public sources.

(Source: autoriteitpersoonsgegevens.nl)




The preparation of ActiveCampaign & MailBlue

Now that the GDPR is in effect, we want to assure our users that we will fully comply with the regulation. To better facilitate compliance, ActiveCampaign will implement both product and non-product updates before the GDPR comes into effect. These updates will not only ensure our compliance, but will also make it easier for our customers to comply. Below is the list of relevant updates that ActiveCampaign will make:


Product Updates

  • Improving contact deletion capabilities to comply with data erasure requests.
  • Enhancing site tracking to meet compliance requirements for your website.
  • Enhancing the double opt-in feature to reference the required GDPR-related registration system.
  • Referring cookie compliance for www.activecampaign.com through website functionality.

Non-Product Updates

  • Updating the Data Processing Agreement.
  • Creating new content for training purposes related to how users can use ActiveCampaign / MailBlue to comply with GDPR principles.
  • Updating our Privacy Policy to reflect changes related to the GDPR.

While the purpose of these updates is to help our customers comply with the GDPR without compromising the usability of the platform, we recommend that customers consult a legal advisor if they have questions about how the GDPR will impact a business. In the future, the product will be developed with the GDPR in mind. This means an emphasis on flexibility regarding data.

(This article was compiled by MailBlue in collaboration with ActiveCampaign and reviewed and rectified by Precise and Wise Lawyers)
