GDPR, ePrivacy Directive, and Country-Specific Requirements for EU Markets
European email marketing regulations combine GDPR's data protection framework with national implementations of the ePrivacy Directive (often called the 'Cookie Law' but equally applicable to email marketing). Understanding both layers — and the country-specific variations — is essential for organizations sending marketing email to EU residents.
GDPR (General Data Protection Regulation, EU 2016/679) governs the processing of personal data — including the collection, storage, and use of email addresses. For email marketing, GDPR requires: a valid legal basis for processing (usually consent under Article 6(1)(a) for marketing), compliance with data subject rights, data minimization, purpose limitation, and data security.
The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) governs direct marketing by electronic means. Article 13 requires prior consent for unsolicited commercial email. The Directive allows member states to implement exemptions — this is why implementations vary significantly across EU countries.
Important: the ePrivacy Directive is being replaced by the ePrivacy Regulation, which has been under negotiation since 2017. As of 2026, the Regulation has not yet been adopted; member states continue under the existing Directive and national implementations.
For marketing email to consumers (individuals acting in a personal capacity), virtually all EU member states require explicit consent before sending. The consent must be:
Double opt-in (confirmed opt-in) — where the subscriber must click a confirmation link after initial sign-up — is not legally required in all EU jurisdictions but provides the strongest consent documentation. In Germany, double opt-in has effectively become the practical standard for defensible consent. Cloud Server for Email configures MailWizz's double opt-in workflow for all clients targeting German-speaking markets.
B2B email marketing is treated differently across EU member states. The key distinction is whether the recipient's email address belongs to an individual (even if in a professional capacity) or is a generic business address (info@company.com).
Individual professional email addresses (firstname.lastname@company.com) in the EU are generally treated as personal data under GDPR, requiring a legal basis for processing. Most DPAs accept legitimate interest under GDPR Article 6(1)(f) for B2B marketing where: the email is relevant to the recipient's professional role, the sender has a plausible interest, and the recipient's interests don't clearly override the sender's interest. Legitimate interest requires a documented balancing test.
Generic business addresses (info@company.com, sales@company.com) are generally not personal data and can be used for marketing without a specific GDPR legal basis — though the ePrivacy Directive's consent requirements may still apply depending on member state implementation.
GDPR restricts transfers of personal data outside the EU/EEA to countries that provide an adequate level of data protection or where appropriate safeguards are in place (Standard Contractual Clauses, Binding Corporate Rules, etc.). EU-based email infrastructure — like Cloud Server for Email's Estonian servers — keeps subscriber data within the EU, eliminating the need for cross-border transfer mechanisms.
Email infrastructure providers that process subscriber personal data on behalf of a business are Data Processors under GDPR Article 28. A written Data Processing Agreement (DPA) is legally required between the data controller (the organization sending email) and the data processor (the infrastructure provider). Cloud Server for Email's DPA covers: processing purposes, security measures, sub-processor disclosure, data subject rights support, and breach notification.
For every list segment and sending purpose, document the legal basis: Is this marketing or transactional? Are recipients B2C or B2B? What is the specific legal basis (consent, legitimate interest, contract)? If legitimate interest — document the balancing test. This documentation is required for GDPR Article 30 records of processing activities.
For consent-based sending: document the consent moment (timestamp, IP, form URL), consent language (what exactly was displayed), and consent scope (what types of messages). MailWizz custom subscriber fields can store this data. For double opt-in: store the confirmation email timestamp separately from the initial opt-in. Retain consent records for the full duration of the relationship plus a reasonable period afterward (typically 3 years after last contact).
EU-compliant email infrastructure requires: EU-based servers for EU subscriber data (or SCCs if using US infrastructure), a GDPR-compliant DPA with your infrastructure provider, an unsubscribe mechanism that works immediately and remains functional for at least 60 days, suppression list management to prevent re-mailing opt-outs, and a data deletion capability to honor the Article 17 right to erasure.
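To make the consent-record and suppression practices above concrete, here is an added Python example (not MailWizz's or Cloud Server for Email's code) that stores the consent evidence listed in the previous paragraph, keeps the double opt-in confirmation separate from the initial sign-up, and runs the checks a sender would apply before mailing and before deleting a record. The field names, the retention anchor and the keep-suppression-on-erase behaviour are assumptions, and the subscriber data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
RETENTION = timedelta(days=3 * 365)  # page: about 3 years after last contact

@dataclass
class ConsentRecord:  # field names are assumptions, not MailWizz's own
    email: str
    opt_in_at: datetime            # consent moment: timestamp, IP, form URL
    opt_in_ip: str
    form_url: str
    consent_text: str              # exact wording shown at sign-up
    scope: frozenset               # message types consented to
    confirmed_at: Optional[datetime] = None   # double opt-in click, stored separately
    last_contact_at: Optional[datetime] = None
    unsubscribed_at: Optional[datetime] = None

def may_send(rec: ConsentRecord, purpose: str, suppression: set) -> bool:
    """Usable consent: confirmed after sign-up, covers the purpose, not opted out."""
    if rec.email.lower() in suppression or rec.unsubscribed_at is not None:
        return False
    if rec.confirmed_at is None or rec.confirmed_at < rec.opt_in_at:
        return False  # unconfirmed, or confirmation stamped before the sign-up
    return purpose in rec.scope

def erasure_due(rec: ConsentRecord, now: datetime) -> bool:
    """Retention runs from the last contact (or the opt-out) plus RETENTION."""
    anchor = rec.unsubscribed_at or rec.last_contact_at or rec.confirmed_at or rec.opt_in_at
    return now - anchor > RETENTION

def erase(email: str, records: dict, suppression: set) -> None:
    """Delete the personal record but keep the address suppressed so the opt-out survives."""
    suppression.add(email.lower())  # assumption: a bare suppression entry outlives the record
    records.pop(email, None)

# Constructed sample data, not real subscribers.
T0 = datetime(2024, 1, 10, tzinfo=UTC)
OLD = datetime(2020, 5, 1, tzinfo=UTC)
RECORDS = {r.email: r for r in (
    ConsentRecord("a@example.com", T0, "203.0.113.5", "https://example.com/signup", "Monthly newsletter",
                  frozenset({"newsletter"}), T0 + timedelta(minutes=7), T0 + timedelta(days=30)),
    ConsentRecord("b@example.com", T0, "203.0.113.6", "https://example.com/signup", "Monthly newsletter",
                  frozenset({"newsletter"})),  # never confirmed the double opt-in
    ConsentRecord("c@example.com", OLD, "203.0.113.7", "https://example.com/signup", "Newsletter and offers",
                  frozenset({"newsletter", "offers"}), OLD + timedelta(minutes=5), None, OLD + timedelta(days=120)),
)}
SUPPRESSION: set = set()
```

Erasure deliberately leaves the address on the suppression list so the opt-out is still honored after the personal record is gone; a later fresh opt-in from the same address would have to clear that entry explicitly.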
EU email compliance is not a one-time setup; it requires ongoing attention: reviewing new DPA guidance as it is issued, monitoring consent documentation for expiry (consent that was only implied goes stale over time), updating the Article 30 records of processing when practices change, and responding to data subject rights requests within 30 days.
All Cloud Server for Email managed infrastructure operates from EU servers (Estonia) with GDPR-compliant data processing. Data Processing Agreements under GDPR Article 28 are available for all clients. Our infrastructure supports CASL and CAN-SPAM compliance features in addition to EU requirements. Contact infrastructure@cloudserverforemail.com.
Cloud Server for Email operates managed PowerMTA + MailWizz infrastructure from EU servers.
Dedicated IPs, daily monitoring, GDPR compliance by design.