Direct Mail is compliant with the GDPR and related privacy laws and regulations. This document is not a comprehensive guide to the law, but does help answer questions related to Direct Mail's compliance with the GDPR.
Who does the GDPR apply to?
The law applies not only to organizations that are located in the EU, but also to any organization that processes the personal data of EU citizens, even if that organization is not located in the EU. This means that organizations both in and out of the EU should take the time to understand the law and how it may impact the way they handle personal data. Since the definition of “personal data” includes email addresses, it is a good idea for Direct Mail customers to learn about the law.
What is “personal data”?
The GDPR is intentionally broad in its definition of personal data. It is any information that could be used to identify a natural person. This could include information like names and email addresses.
What does it mean to “process” personal data?
The GDPR defines the processing of personal data as any operation involving the collection, storage, use, or destruction of personal data. Direct Mail customers that collect the names, email addresses, or other personal data of EU citizens on their mailing lists would be considered by the GDPR to be processing personal data.
What is the difference between “controller” and “processor”?
The GDPR draws a distinction between two roles that one may have when accessing personal data: controller and processor.
The controller of personal data is a person, agency, or organization that (1) controls or determines the purposes of processing personal data, (2) determines what personal data is collected, and (3) determines the means of processing that data. As a Direct Mail user, you would be considered to be the controller of the personal data contained in your mailing lists and campaign reports.
A processor of personal data is a person, agency, or organization that processes personal data on behalf of the controller. e3 Software (the makers of Direct Mail) is the processor of the personal data contained in your mailing lists and campaign reports. This means that we process personal data at the direction of our customers, who are the controllers of that personal data. For example, our customers decide what mailing lists to import into Direct Mail, what personal data is collected on email signup forms, and which contacts to send email to.
What does the law require of me?
The GDPR lays out many requirements, but the ones most relevant to email marketing can be found below. We’ve also included details on how Direct Mail can help you, as the controller, meet these requirements.
Requires organizations to have a lawful basis for processing personal data
Under the GDPR, processing personal data is lawful only if at least one of the following is true:
- The subject has given their consent. See below for more information on consent.
- It is necessary for the performance of a contract to which the subject is party, or in order to take steps at the request of the subject prior to entering into a contract.
- It is necessary for compliance with a legal obligation to which the controller is subject.
Please see Article 6 of the GDPR for the full list of acceptable legal bases.
Requires organizations to respect the following rights of the individual
- Right to be forgotten. An individual has the right to have their personal data erased or deleted without undue delay.
  How to permanently remove all personal data for a contact.
- Right to object. An individual has the right to object, at any time, to the processing of their personal data and also has the right to withdraw consent.
  Contacts can unsubscribe from your list by using the unsubscribe link found in the email campaign. You can unsubscribe contacts by selecting them and checking the "Unsubscribed" checkbox in the inspector. In accordance with our privacy policy, individuals may also contact us to delete data that we may have collected about them on your behalf.
- Right to restriction. An individual has the right to restrict the controller from processing their personal data.
  Direct Mail does not use your contacts' personal data for any data science, data mining, machine learning, marketing, research, or other purposes. You remain in full control of the personal data for the individuals on your mailing lists. You should honor requests from your subscribers that pertain to the restriction of their personal data.
- Right to rectification. An individual has the right to require the controller to rectify or correct inaccurate personal data concerning him or her.
  You can update the personal data for a contact by selecting the contact and updating the information in the inspector. In accordance with our privacy policy, individuals may also contact us to rectify data that we may have collected about them on your behalf.
- Right of access. An individual has the right to know what personal data about them is being processed and for what purpose.
  As described below, when obtaining consent, you should make it clear to your contacts what you are planning to use their personal data for (e.g. marketing emails, announcements, etc.). You can also create a personal data report for any contact on your list. In accordance with our privacy policy, individuals may also contact us to access data that we may have collected about them on your behalf.
- Right to data portability. An individual has the right to obtain their personal data from the controller in a format that allows them to transfer it to a different controller if desired.
  You can create a personal data report for any contact on your list. In accordance with our privacy policy, individuals may also contact us to obtain a copy of data that we may have collected about them on your behalf.
Imposes strict consent requirements
As mentioned above, the GDPR requires that you have a legal basis for processing an individual’s personal data. For Direct Mail users, the most common legal basis will be that you have obtained the individual’s consent to use their personal data (i.e. they gave you permission to use their email address to send them email). The GDPR imposes strict new requirements on what counts as legal consent. In order to comply, the individual:
- Must have consented to give you their personal data for a particular purpose. In other words, once you have an individual’s personal data, you can only use it for the purposes that they originally consented to (e.g. joining your mailing list to receive marketing emails).
- Must have explicitly opted in. Silence, failure to opt out, or inactivity does not constitute consent. Pre-checked “join my mailing list” checkboxes do not count as consent.
You should ensure that, for each person on your list, you have a record of how and when you obtained their consent to send them email.
Direct Mail’s built-in, easy-to-use email signup forms provide a straightforward way for you to obtain lawful consent. Subscribers who join your mailing list via an email signup form will automatically have their proof of consent recorded (including date, time, email address, and IP address). When designing your signup form, take care that the description shown to the user clearly explains the intended use of the information you are soliciting.
Can I use Direct Mail if I am located in the EU?
Yes. You can lawfully use Direct Mail even if you are located in an EU member state.
The GDPR does not require that the personal data of EU citizens (e.g. email addresses and other mailing list data) be stored only in EU member states, nor does it require that processors or controllers of personal data be located only inside a member state. Instead, it sets forth certain legal bases that allow personal data to be lawfully transferred outside of the EU. One such legal basis is that the country where the data is being transferred to maintains adequate privacy protections, as determined by the European Commission. The publishers of Direct Mail, e3 Software, are full participants in the cross-border Privacy Shield framework, which the European Commission recognizes as meeting this legal basis for adequate privacy protections. You can rely on our participation in the Privacy Shield framework as your legal basis for using Direct Mail for the processing of personal data.
Additional Resources
Please feel free to contact our support team at any time with questions you may have. You may also wish to take a look at the following resources:
- General Data Protection Regulation in an easily browsable, searchable format
- Information Commissioner's Office Guide to the GDPR
- GDPR on Wikipedia
- Our Privacy Policy
- Our Data Processing Addendum