Blog > Compliance | 4 min read | December 5, 2025

GDPR-Compliant Newsletter Marketing — the Basics

The GDPR principles for email marketing distilled: consent, documentation, withdrawal, third-country transfer and legal notice.


Mailaura Team

Mailaura.io


GDPR-compliant newsletter marketing is not a nice extra, it is a requirement. Taking it seriously prevents warning letters, fines and reputation damage — and also builds a higher-quality list. This intro post covers the basics every newsletter sender in the European market needs to know. A detailed step-by-step guide is in our GDPR checklist.

Who is affected?

Practically anyone who sends emails with commercial intent. This includes:

  • Online shops
  • SaaS companies
  • Agencies with their own newsletters
  • Self-employed professionals with customer communication
  • Associations and NGOs (yes, even non-commercial ones, because GDPR applies independently of profit motive)

Not covered: purely private, non-commercial sending.

The five core principles

1. Lawfulness: consent

Every recipient must have actively consented. In DE/AT this means Double Opt-In (DOI):

  • Stage 1: form submission
  • Stage 2: confirmation click in a separate email

Only after stage 2 may you send. Details: Double opt-in explained.

2. Documentation

Per subscriber, you store:

  • Email address
  • Sign-up timestamp
  • IP address
  • Form used
  • Consent text
  • DOI confirmation timestamp

In a dispute, you must present this data. Mailaura stores it automatically per contact.

3. Right to withdraw

Subscribers must be able to withdraw at any time and easily:

  • One-click unsubscribe link in every email.
  • No login required.
  • No forms requiring "please state reason".
  • List-Unsubscribe header set.
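The three sections above (consent via double opt-in, the per-subscriber consent record, and easy withdrawal) fit together into one small sign-up flow. The following is an added illustration written for this post, not Mailaura's code or any library's API: the in-memory `contacts` dict stands in for a database, the secret, hostname and 48-hour confirmation window are assumed values, and the confirmation token is a random one-time value tied to the pending record. The unsubscribe link carries an HMAC so that only a link generated by the sender can withdraw consent, and the headers follow RFC 8058 so mail clients can show a one-click button without login or a "reason" form.

```python
"""Double opt-in (DOI) sign-up flow with a consent record and one-click
unsubscribe headers. Illustrative example only (not Mailaura's code).
Assumptions: SECRET, BASE_URL and CONFIRM_TTL are placeholders; `contacts`
is an in-memory stand-in for the subscriber database."""
import hashlib
import hmac
import secrets
import time
from datetime import datetime, timezone
from urllib.parse import quote

SECRET = b"assumed-server-side-secret"        # assumption: loaded from config
BASE_URL = "https://newsletter.example"        # assumption: placeholder host
CONFIRM_TTL = 48 * 3600                        # assumption: confirm within 48 h

contacts = {}   # email -> consent record (stand-in for a database table)


def _iso(ts: float) -> str:
    """Store timestamps as UTC ISO-8601 strings so they are unambiguous in a dispute."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def start_signup(email, ip, form_id, consent_text, now=None):
    """Stage 1 (form submission): record the fields the 'Documentation' section
    lists, but leave the contact inactive. Returns the link for the stage-2 mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)          # single-use, unguessable
    contacts[email] = {
        "email": email,
        "signup_at": _iso(now),
        "ip": ip,
        "form": form_id,
        "consent_text": consent_text,
        "confirmed_at": None,                  # set only by stage 2
        "withdrawn_at": None,
        "pending_token": token,
        "token_expires": now + CONFIRM_TTL,
    }
    return f"{BASE_URL}/confirm?email={quote(email)}&token={token}"


def confirm_signup(email, token, now=None):
    """Stage 2 (click in the separate email): only a matching, unexpired,
    unused token sets the DOI confirmation timestamp."""
    now = time.time() if now is None else now
    rec = contacts.get(email)
    if rec is None or rec["pending_token"] is None:
        return False                           # unknown address or already confirmed
    if now > rec["token_expires"]:
        return False                           # stale link; user must sign up again
    if not hmac.compare_digest(rec["pending_token"], token):
        return False                           # wrong or forged token
    rec["confirmed_at"] = _iso(now)
    rec["pending_token"] = None                # token is consumed
    return True


def may_send(email):
    """Sending is allowed only after stage 2 and only until withdrawal."""
    rec = contacts.get(email)
    return bool(rec and rec["confirmed_at"] and not rec["withdrawn_at"])


def unsubscribe_headers(email):
    """List-Unsubscribe and List-Unsubscribe-Post (RFC 8058) for every outgoing
    mail; the URL is signed so a withdrawal cannot be forged for someone else."""
    sig = _sign(f"unsub:{email}")
    url = f"{BASE_URL}/unsubscribe?email={quote(email)}&sig={sig}"
    return {
        "List-Unsubscribe": f"<{url}>, <mailto:unsubscribe@newsletter.example?subject={quote(email)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def withdraw(email, sig, now=None):
    """Withdrawal endpoint: no login, no reason required, just a valid signature.
    The record is kept (with withdrawn_at) so the withdrawal itself is documented."""
    rec = contacts.get(email)
    if rec is None or not hmac.compare_digest(_sign(f"unsub:{email}"), sig):
        return False
    rec["withdrawn_at"] = _iso(time.time() if now is None else now)
    return True
```

The same `start_signup` / `confirm_signup` pair serves a re-confirmation campaign after a list migration: imported contacts go through stage 1 into a quarantine state and are only moved to the sendable set once stage 2 succeeds. Keeping the record after withdrawal (rather than deleting it outright) is a design choice so that the withdrawal timestamp can be shown alongside the original consent.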

4. Data minimisation

Collect only data you actually use. Birth date only for birthday mails, industry only for segmentation.

5. Transparency

The privacy policy lists what you collect, for which purpose, how long and whom you share it with. Update whenever your processes change.

Data Processing Agreement (DPA)

If you use an external newsletter tool (true in 99 % of cases), that tool processes personal data on your behalf. That requires a DPA per Art. 28 GDPR. Mailaura provides one automatically in the account — individual points adjustable, all mandatory items included.

Without a DPA, the data processing is unlawful.

Third-country transfer (US issue)

After Schrems II (CJEU 2020), transfer of personal data to the US is no longer automatically permitted without additional safeguards. This affects:

  • Mailchimp (US servers)
  • HubSpot (even EU variant, US parent)
  • Klaviyo (US servers)

Solutions: EU-based tools (Mailaura, MailerLite, CleverReach, Brevo) or comprehensive additional contracts (SCC, TIA) with US tools. For many small and medium businesses, the EU alternative is legally simpler.

Legal notice obligation

Every commercial newsletter must contain a complete legal notice (§5 TMG in DE, §5 ECG in AT). Mandatory:

  • Company name and legal form
  • Address
  • Authorised representative
  • Contact (email + second option)
  • Commercial register with number
  • VAT ID (if applicable)

Details: Newsletter legal notice.

What happens on violation?

  • Warning letter from competition associations or individuals: €300–2,500 penalty plus legal fees.
  • Fine from the data-protection authority: theoretically up to €20 M. In DACH practice usually < €50,000 for newsletter violations.
  • Injunction from affected individuals.
  • Reputational damage from public violations.

In practice, warning letters happen more often than many think — competition associations and specialised law firms systematically scan newsletters for violations.

Setup steps for legal safety

  1. Enable Double Opt-In in the tool.
  2. Sign the DPA.
  3. Adjust the privacy policy (tool, retention, third-country transfer).
  4. Legal notice footer in every template.
  5. Test the unsubscribe link and confirm that it actually works.
  6. Define the withdrawal process (what happens on deletion?).
  7. Add the newsletter entry to your records of processing activities.

On list migration

If you take contacts from an old tool: do not import blindly. Without documented DOI this is a legal grey area. Recommendation:

  • Quarantine list.
  • Re-confirmation campaign: "please confirm again so we may write to you".
  • Move confirmed to the main list, delete non-confirmed.

Common misconceptions

"You may write to customers without opt-in." — Wrong. §7 UWG does permit advertising to your own customers for similar products — but only with a right to object and only when clearly communicated at address collection.

"We have a DPA, so we are GDPR-safe." — Wrong. DPA is one building block. Consent, documentation, withdrawal and legal notice come on top.

"The data-protection authority will never audit us." — Maybe not. But any recipient can file a complaint, and law firms look specifically for violations.

Conclusion

GDPR-compliant newsletter marketing is structured discipline, not wizardry. Double opt-in, documented consent, easy withdrawal, transparent privacy policy, complete legal notice. With Mailaura most of this runs out of the box. For detailed points see the 17-point checklist.


Ready for your next newsletter?

Mailaura makes newsletter marketing easy, GDPR-compliant and AI-powered. Start for free.
