Understanding the GDPR and making your email campaigns compliant

In force since May 25, 2018, the GDPR (General Data Protection Regulation) is a regulation that applies to all companies operating in the countries of the European Union. The main objectives of this legal framework are to let European Internet users (adults and minors) better control their personal data, and to let companies operate under fair competitive conditions. Faced with this change, marketers must adapt their strategy, and email campaigns are a case in point.

What exactly is the GDPR?

Adopted in 2016, the GDPR underwent a reform in 2018 given the evolution of the digital age and the widespread adoption of digital services by European citizens. The GDPR (RGPD in French) is a European law whose primary aim is to protect the personal data of Internet users. It has, however, had a significant impact on how companies collect prospect data.

This legal framework applies to any organization that processes personal data, regardless of its size and whether it is public or private. Personal data can take many forms: a person’s first and last name, telephone number, the IP address of a computer, an email address, and so on.

The flagship measures mentioned by the GDPR

The GDPR sets out several measures, but we present here only those that really affect companies’ activities.

Traceability of collected data

Any company that collects personal data must be able to demonstrate, with supporting evidence, that the processing of that data is compliant and secure throughout the process. This processing must be traceable. Traceability makes it possible to justify the lawfulness of every operation carried out on a person’s data: collection, storage, use, sharing and destruction.

Mandatory appointment of a Data Protection Officer (DPO)

The Data Protection Officer ensures that all measures relating to the GDPR are applied within your company. Their roles are to:

  • Keep informed and advise all responsible persons in the handling of personal data on their regulatory obligations.
  • Be the representative of the company during the inspections carried out by the supervisory authority.
  • Provide advice on impact assessment in relation to data protection.

Full transparency when processing personal data

You may not collect personal data without the consent of the individual. This consent is mandatory before any data is collected. You must also keep the person informed of the purpose for which the data is collected. The controller and the processor must be able to demonstrate, by any means and at any time, that the rules have been followed.

Right to data portability

The data subject can retrieve the data collected about them by submitting an access request to the company. This means the company must be prepared to return that data in a digital, unencrypted format. The individual is also free to transmit this data to another organization.

Notification of Privacy Violations

In the event of a data breach, the CNIL must be notified as soon as possible, no later than 72 hours after the incident. Fines of up to €20 million or 4% of the company’s turnover are among the possible sanctions.

Do’s and don’ts to make your email campaigns GDPR compliant

In email marketing, the personal data collected is the email address of visitors or subscribers to the company’s website. Every day, more than 260 billion emails are sent, a figure that keeps growing year after year. Hence the need to follow the steps below to avoid a penalty that could prove expensive.

User account

Things allowed

When creating user accounts, the boxes used to request your customer’s consent must not be pre-checked. The accompanying text must also be easy to understand. The customer or prospect is free to unsubscribe at any time, and you must inform them of this.

Things not to do

During account creation, you must not use pre-ticked boxes or exploit silence and inactivity. Exploiting silence means taking advantage of the user’s habits without their knowledge, for example a box that is checked to mean « yes » (affirmation) when, given the wording of the text, it ought to mean the opposite.

Newsletter subscription
Things allowed

Tell the person the purpose of the collection when they subscribe to your newsletter. This purpose is often to receive commercial offers. Also indicate where they can change their information and how they can unsubscribe.

Things not to do

You may not offer a discount on your commercial offers as an inducement for visitors to subscribe to your newsletter. For example, this kind of offer is not allowed: « Receive a 10% discount on your next purchase if you subscribe to the newsletter ».

Sending emails

The first thing to do is to obtain your subscribers’ consent to the collection of their email addresses. You need to store this proof somewhere in your database, because there will be inspections. Sending emails is lawful once consent has been obtained.

Use the « Double Opt-in »

In general, double opt-in means obtaining two confirmations of registration from your subscribers. The person first indicates on your site that they are interested and want to receive your newsletter.

That person then automatically receives an email asking them to reconfirm their subscription to your newsletter by clicking a link in the email. The subscription is not validated unless the person clicks the link.
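The double opt-in flow just described, together with the consent proof that the “Sending emails” section says must be stored, as an added example (not Magileads’ code). The HMAC secret, the 48-hour link validity and the in-memory consent ledger are assumptions; a real deployment would use a database and a secret kept outside the source.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

SECRET = b"example-secret-key"   # constructed for this example; never hard-code in production
TOKEN_TTL = 48 * 3600            # confirmation link valid for 48 hours (assumption)

# Consent ledger: email -> proof record (who asked, when, from where, when confirmed).
CONSENTS: dict = {}

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def request_subscription(email: str, ip: str, purpose: str, now: Optional[float] = None) -> str:
    """Step 1: the visitor asks to subscribe. Record a pending consent and build the link token."""
    now = time.time() if now is None else now
    CONSENTS[email] = {"status": "pending", "purpose": purpose, "requested_at": now,
                       "requested_ip": ip, "confirmed_at": None}
    payload = urlsafe_b64encode(json.dumps({"email": email, "exp": now + TOKEN_TTL}).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"

def confirm_subscription(token: str, now: Optional[float] = None) -> bool:
    """Step 2: the link in the confirmation email is clicked. Reject tampered, expired or reused tokens."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False                       # signature mismatch: token was altered
    data = json.loads(urlsafe_b64decode(payload))
    rec = CONSENTS.get(data["email"])
    if rec is None or rec["status"] != "pending" or now > data["exp"]:
        return False                       # unknown, already confirmed, or expired
    rec["status"] = "confirmed"
    rec["confirmed_at"] = now              # this timestamp is the proof kept for inspections
    return True

def may_send_newsletter(email: str) -> bool:
    """Only addresses with confirmed (double opt-in) consent may be mailed."""
    rec = CONSENTS.get(email)
    return rec is not None and rec["status"] == "confirmed"
```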

The GDPR aims to create an environment of trust between companies and their consumers. Stick to the rules and grow your business while earning the trust of your customers.

How does Magileads comply with the RGPD regulation?

– Our database is hosted on a secure, dedicated server located in France.

– We have several partner websites from which we collect opt-in data.

– Our activity is declared to the CNIL: DEPOSIT N ° 1982723.

– All our contacts have a right of inspection and can request to be deleted from our database.

We do not hold any sensitive data that would allow the clear identification of a natural person (medical data, identity number, personal address, etc.).

See the detailed article on the CNIL website.
