GDPR Email Compliance
What the General Data Protection Regulation requires from email senders, and exactly what MailRadar checks to verify your compliance.
What is GDPR?
The General Data Protection Regulation — Regulation (EU) 2016/679 — is the European Union’s primary data protection framework. It came into force on 25 May 2018 and replaced the 1995 Data Protection Directive.
GDPR applies to any organisation that processes the personal data of EU residents, regardless of where that organisation is based. A company in the United States, Brazil, or Australia is bound by GDPR if it sends marketing email to people in the EU.
Personal data includes email addresses, names, IP addresses, and any other information that can identify a natural person directly or indirectly. Sending a marketing email constitutes processing personal data.
Max fine: €20M or 4% of global turnover, whichever is higher
Jurisdictions: 30 countries (EU/EEA member states)
In force since: May 2018 (Regulation (EU) 2016/679)
How GDPR applies to email marketing
Every marketing email sent to an EU resident involves processing their personal data. GDPR imposes four core obligations on email senders:
Lawful basis for processing
You must have a valid legal basis before sending marketing email. For most marketing use cases, that basis is consent (Art. 6(1)(a)). Legitimate interest (Art. 6(1)(f)) may apply in narrow B2B contexts but rarely justifies unsolicited bulk marketing.
Conditions for consent
Consent must be freely given, specific, informed, and unambiguous. It cannot be inferred from inaction, pre-ticked boxes, or acceptance of general terms. You must be able to demonstrate that consent was given.
Right to withdraw consent
The data subject must be able to withdraw consent at any time. Withdrawing consent must be as easy as giving it — meaning a single click, not a multi-step form. You must stop processing their data promptly after withdrawal.
Transparency and information
When collecting an email address, you must provide information about who is collecting the data, why, on what legal basis, how long it will be retained, and the data subject's rights. A link to a compliant privacy policy in the email satisfies part of this requirement.
What MailRadar checks for GDPR compliance
When you send a test email to MailRadar, the scanner automatically inspects the following elements for GDPR compliance:
List-Unsubscribe header
Enables mail clients to surface an unsubscribe button. Required to support the right to withdraw consent at any time without detriment.
List-Unsubscribe-Post header
Enables one-click unsubscribe directly from the mail client without redirecting to a webpage. Required by Gmail and Yahoo since February 2024.
Visible unsubscribe link
A clearly visible unsubscribe link in the email body itself, accessible to recipients whose mail client does not render header-based unsubscribe UI.
Privacy policy link
A link to your privacy policy fulfils the transparency requirement — recipients must be informed of the purposes and legal basis for processing their data.
Physical mailing address
The identity and contact details of the data controller must be provided. A physical mailing address is the standard way to satisfy this in commercial email.
Data controller identification
Company registry number, VAT number, or equivalent identifier that unambiguously identifies the legal entity responsible for processing personal data.
Technical note
List-Unsubscribe and List-Unsubscribe-Post are parsed directly from the raw email headers. Body checks use structured HTML parsing to locate links, address blocks, and registration identifiers — not simple keyword matching.
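As an added illustration of the six checks above, the Python script below is example code written for this page, not MailRadar's scanner. It reads a raw message with the standard library: the two List-Unsubscribe headers come straight from the header block (the one-click form is the RFC 8058 value `List-Unsubscribe=One-Click` alongside an https URI), and the HTML body is walked with an HTML parser to find unsubscribe and privacy links, an `<address>` block and a registry or VAT identifier, rather than grepping for keywords. The two sample messages, their sender, URLs and identifiers are constructed for the example, and the identifier regex is an assumption about what counts as a controller identifier, not MailRadar's rule.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Two messages constructed for this example; sender, URLs and identifiers are made up.
COMPLIANT_RAW = """\
From: Example Shop <news@example.com>
To: reader@example.org
Subject: Spring newsletter
List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/unsub?id=abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://example.com/unsub?id=abc">Unsubscribe</a> |
<a href="https://example.com/privacy">Privacy policy</a></p>
<address>Example Shop Ltd, 1 Example Street, Dublin 2, Ireland</address>
<p>Company registration number 123456, VAT IE1234567T</p>
</body></html>
"""

NON_COMPLIANT_RAW = """\
From: Example Shop <news@example.com>
To: reader@example.org
Subject: Spring newsletter
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://example.com/prefs">Manage preferences</a></p>
<p>Example Shop</p>
</body></html>
"""

# Heuristic for a registry/VAT identifier after a label (an assumption, not MailRadar's rule).
IDENTIFIER_RE = re.compile(
    r"\b(?:VAT|registration number|company (?:no\.?|number))\s*:?\s*([A-Z0-9]{5,14})\b",
    re.IGNORECASE,
)

class _BodyCollector(HTMLParser):
    """Structured pass over the HTML body: <a> links with their text, <address> blocks, all text."""

    def __init__(self):
        super().__init__()
        self.links, self.addresses, self.text = [], [], []
        self._open = {}   # tag -> text fragments collected while that tag is open
        self._href = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
        if tag in ("a", "address"):
            self._open[tag] = []

    def handle_data(self, data):
        self.text.append(data)
        for fragments in self._open.values():
            fragments.append(data)

    def handle_endtag(self, tag):
        if tag not in self._open:
            return
        content = " ".join(self._open.pop(tag)).strip()
        if tag == "a":
            self.links.append((self._href, content))
        else:
            self.addresses.append(content)

def check_gdpr_elements(raw_message: str) -> dict:
    """Map each of the six checks described on the page to True (present) or False."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Header checks read the raw header fields directly.
    list_unsub = (msg.get("List-Unsubscribe") or "").strip()
    list_unsub_post = (msg.get("List-Unsubscribe-Post") or "").strip()
    # Body checks parse the HTML part structurally instead of grepping keywords.
    html_part = msg.get_body(preferencelist=("html",))
    body = _BodyCollector()
    body.feed(html_part.get_content() if html_part is not None else "")

    def link_mentions(word):
        return any(word in (href + " " + text).lower() for href, text in body.links)

    return {
        "list_unsubscribe": bool(list_unsub),
        # RFC 8058 one-click: an https URI in List-Unsubscribe plus this exact POST value.
        "list_unsubscribe_post": "https://" in list_unsub
        and list_unsub_post == "List-Unsubscribe=One-Click",
        "visible_unsubscribe_link": link_mentions("unsubscribe"),
        "privacy_policy_link": link_mentions("privacy"),
        "physical_address": any(body.addresses),
        "controller_identifier": IDENTIFIER_RE.search(" ".join(body.text)) is not None,
    }

def failing_checks(raw_message: str) -> list:
    """Names of the checks a message fails, in the page's order."""
    return [name for name, ok in check_gdpr_elements(raw_message).items() if not ok]
```

Calling `failing_checks(COMPLIANT_RAW)` returns an empty list, while `failing_checks(NON_COMPLIANT_RAW)` lists all six checks; removing only the `List-Unsubscribe-Post` line from the compliant sample fails just the one-click check, which is the situation the page describes for senders who added the first header but not the second.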
Common GDPR email violations
These are the violations supervisory authorities most frequently cite in GDPR enforcement actions involving email marketing:
Missing or broken unsubscribe
No List-Unsubscribe header and no visible link in the body. This is the most common, and the most heavily penalised, GDPR email violation.
No privacy policy link
Sending marketing email without linking to a privacy policy violates the Art. 13 transparency obligation.
Pre-ticked consent boxes
Consent under Art. 7 must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent.
Purchased or rented email lists
Emailing people who never consented to hear from your specific organisation. Legitimate interest rarely applies to cold marketing email.
Bundled consent
Tying email marketing consent to acceptance of terms of service. GDPR Art. 7(4) requires consent to be separable from other conditions.
No data controller details
Omitting your company name, registration number, or physical address leaves recipients unable to identify the controller and exercise their rights.
How to fix GDPR email issues
Six practical steps to bring your email marketing into GDPR compliance:
Add List-Unsubscribe headers
Configure your ESP (Mailchimp, Brevo, SendGrid, etc.) to include both List-Unsubscribe and List-Unsubscribe-Post headers. Most major ESPs support this natively in their settings.
Add a visible unsubscribe link to every template
Every marketing email template should contain a clear, one-click unsubscribe link — not buried in grey 8px text at the bottom. Make it easy to find.
Link to your privacy policy
Add a link to your privacy policy in the email footer. The policy itself must describe what data you collect, why, and how long you retain it.
Include your physical address and company details
Add your registered company name, address, and company registration or VAT number to the email footer. This satisfies Art. 13(1)(a) controller identification.
Audit your consent records
Ensure every contact on your list gave explicit consent to receive marketing email from your organisation specifically. Document when, how, and what they consented to.
Honour unsubscribes within 10 days
GDPR requires you to stop processing data for the original purpose once consent is withdrawn. Industry practice is to process unsubscribes within 10 business days.
Ready to check?
Test your email now
Send a real email to MailRadar and get an instant scored report covering all six GDPR checks above, plus DMARC, SPF, DKIM, blacklists, and EU country-specific rules.
Test your email — it’s free. No signup · No cookies · Results in seconds