Data Protection & Privacy Laws and Email Service Providers

Tanel Rand
4 min read · Jul 12, 2021

On May 25, 2018, the European privacy regulation, the GDPR or General Data Protection Regulation, came into effect. GDPR aims to provide better control over personal data and to ensure that this data is protected and secure. Multiple studies and discussions have looked into the importance of many GDPR aspects, such as the critical double opt-in. This time, we’d like to show you why you should learn more about your Email Service Provider. Businesses must know how their Email Service Providers follow data protection and privacy laws and understand their data storage, processing and transfer processes.

GDPR and Local Data Protection Authorities

Many companies have spent a lot of effort on ensuring good GDPR compliance. Today, however, we want to remind you that DPAs, or Data Protection Authorities, still play a significant role. The DPAs are independent public authorities that oversee the application of data protection laws.

Data Protection Authorities can provide expert guidance on both the GDPR and the relevant national laws. There is one DPA in each EU Member State. For example, in Estonia there is the “Estonian Data Protection Inspectorate”, and in France there’s the “Commission Nationale de l’Informatique et des Libertés” (CNIL).

Germany, for example, has “Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit”. However, their competence and capabilities for complaints are divided among different data protection supervisory authorities within Germany. This illustrates the complexities involved: companies must be aware of local authorities and local regulations, and understand and comply with the GDPR at the same time.

If you’re interested in learning more, you can find National Data Protection Authorities online here.

Keep Personal Data Secure and Protected

Let’s say you have an e-commerce shop and you’re selling to the EU regions. You are most likely collecting personal information. For example, you capture email addresses to send out your newsletter email using an email marketing platform.

You already know that data protection and security are essential. However, it’s also vital to understand if and in what way the regulations affect how you store and sync, process and archive that customer data. For example, information such as names, email addresses, location details, and much more is considered personal data.

If you’re operating within the EU or EEA, the safest option for your email marketing is to find a local Email Service Provider that stores data in the EU. It can save you a lot of trouble going forward. For example, quite recently, Mailchimp was in the spotlight, so let’s see what happened.

Bavarian DPA Case Regarding Mailchimp Use

The Bavarian DPA is the Data Protection Authority for the German state of Bavaria. Recently, they investigated a complaint by a data subject. The company (or the “controller”) used Mailchimp to send out its newsletter to its subscribers.

Mailchimp is a popular Email Service Provider and a US company. This means that Mailchimp would theoretically process, transfer and store data in the United States. Thus, using Mailchimp would involve subscribers’ data being transferred from the EU to the USA. The Bavarian DPA identified that, in this case, the use of Mailchimp was not compliant.

Their findings reveal that Mailchimp data can potentially be accessed by US surveillance agencies. In addition, the DPA concluded that the company in question had not assessed if there were any additional measures required to ensure that the data in Mailchimp was protected from such access.

The company has stopped using Mailchimp. Luckily, the Bavarian DPA agreed that the breach was minor and no fine was imposed, assuming the company stopped using the tool, which they have.

Local DPAs Play a Significant Role

The ruling we’ve described above does not mean that Mailchimp per se is unlawful. Instead, the issue here was that the company failed to assess whether any additional measures were required to protect customer data from being accessed by the US surveillance agencies.

Similar rulings could be applied to other ESPs that are US companies. For example, SendGrid has its data centres located in the US. Therefore, the customer data would be forwarded to these data centres for processing and sending. Unfortunately, they don’t appear to have European servers, and it looks like there are no plans to have any in the near future.

We’ve learned that Klaviyo uses SendGrid infrastructure, so their EU/EEA users might be facing similar challenges. Klaviyo users would see their customers’ personal data transferred out of the EEA to the US. Of course, these Email Service Providers put a lot of effort into being compliant with GDPR and the data transfer rules. They have Data Protection Addendums in their Terms of Service to ensure this. However, they still recommend consulting legal teams to determine the best and safest data transfer mechanisms.

That said, we just want to stress that while GDPR compliance is essential, the DPA decision we’ve discussed above shows that the local laws and authorities are also fundamental to understand and adhere to.

Be Thorough When Selecting Your Email Service Provider



Tanel Rand

Sales & Marketing Director at Smaily! Driven by success, powered by email marketing!