GDPR imposes strict requirements on the use of email. These regulations may affect your company even if it is outside of the EU. This article describes the implications on these laws and provides GDPR compliant email options for those who wish to comply.

What is the GDPR

The GDPR or General Data Protection Regulation is an EU law that regulates data protection and privacy for EU citizens. According to the law any company or individual that handles the personal data of customers (including email addresses and email content) must take reasonable and appropriate steps to protect said data.

What is "personal data"?

GDPR law takes a very wide view of what constitutes personal data. To be on the safe side anything attributable to a user in any way should be considered personal and thus under GDPR privacy laws: this includes email addresses, email contents, email attachments etc.

What are the GDPR rules for email

Email addresses, content, and attachments are considered personal data. If you store email addresses, send emails, receive emails, or manage email accounts on behalf of users within the EU then you must take steps to prevent any identification of that data with real people. You must also secure that data against theft or loss in a reasonable and appropriate technical or organizational way. (More on that later.)

Who does GDPR apply too?

GDPR applies to any individual or company (where ever it may be registered) that has data from users who are citizens of the EU or the EEA (European Economic Area). Here are the countries:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • and (for now) the United Kingdom.


As a business, if any one of your users is a citizen of a country listed above you are under GDPR obligations. For instance if you are an American software developer and you have users in Germany you are most likely obliged to comply with GDPR law (or you may at least face the consequences if you don't and you are audited).

What are the penalties

The penalty for GDPR breaches is a whopping €20 million or 4% of company revenue plus damages that victims of a breach may claim.

How is GDPR enforced?

Usually, GDPR is not actively enforced by an agency or the police. Instead, users of services will request an audit on a business if they suspect foul play or if they wish to review a businesses compliance. These are random and can cause big headaches for those that are unprepared.

How do I comply with GDPR email requirements?

The simplest way to comply with GDPR email regulations is to use a GDPR compliant email provider or email API. Alternatively you should encrypt all user databases and storage (including emails and attachments). For sending and receiving emails you should encrypt traffic end-to-end and allow consent based opt-ins.

Further reading

You can find more information on GDPR email requirements at these locations:

MailSlurp is a European email API service that is fully GDPR compliant. You can use MailSlurp with your business to ensure that email related processes you perform comply with GDPR email regulations and requirements. It's free for personal use so try it out today.