EU-Based Dedicated Sending Infrastructure for GDPR Compliance
Cloud Server for Email operates dedicated email sending infrastructure from data centers in Estonia (EU). For organizations sending email to EU residents, this means subscriber data — email addresses, behavioral data, delivery records — is processed entirely within the European Union, eliminating the data transfer complexity that arises with US-based email service providers.
GDPR does not prohibit email marketing. It requires that email marketing be based on a valid legal basis under Article 6 — typically explicit consent (Article 6(1)(a)) for marketing communications or legitimate interest (Article 6(1)(f)) for B2B outreach. The infrastructure layer's GDPR obligations are separate from the legal basis question.
For email infrastructure, GDPR creates obligations around data processing agreements with infrastructure providers, data residency for subscriber personal data, retention limits for delivery logs, and data subject rights implementation (access, deletion, portability). Shared US-based ESPs address these obligations through Standard Contractual Clauses (SCCs) — a legally valid but administratively complex approach. EU-based infrastructure eliminates the SCC requirement.
| Data Category | Location | GDPR Status | Retention |
|---|---|---|---|
| Subscriber email addresses | EU (Estonia) | EU-resident data, no transfer required | Per client retention policy |
| SMTP delivery logs (per-message) | EU (Estonia) | Operational data, EU-resident | 90 days active, 2 years archived |
| Open/click behavioral data (MailWizz) | EU (Estonia) | EU-resident, subscriber behavioral profile | Per client configuration |
| Complaint/FBL data | EU processing | Processed in EU before ISP relay | 30 days operational |
| Authentication keys (DKIM) | EU server only | Infrastructure data, not personal | Until rotation (min. annually) |
Cloud Server for Email acts as a Data Processor under GDPR Article 28 for client subscriber data. A formal Data Processing Agreement is available upon request and is required for all clients sending to EU residents. The DPA covers: processing instructions, security measures, sub-processor notification, data subject rights support, and breach notification procedures.
Our sub-processors are limited to EU-based datacenter infrastructure providers operating under equivalent data protection standards. We maintain a sub-processor registry and provide 30-day advance notice of any sub-processor changes.
For marketing email, explicit, specific, and documented consent is the most defensible legal basis. MailWizz on dedicated infrastructure supports consent documentation through: subscription timestamp recording, IP address capture at opt-in, consent source tracking (custom fields), and double opt-in confirmation emails.
B2B outreach to business contacts can be based on legitimate interest when: the contact is relevant to your business (professional role alignment), a balancing test supports the processing, and an easy unsubscribe mechanism is provided. Our infrastructure supports legitimate interest B2B sending with proper suppression management and unsubscribe processing.
Transactional email related to a contract or service a recipient has entered into does not require separate consent. Order confirmations, account notifications, and service communications based on a contractual relationship are permitted without opt-in consent.
GDPR's storage limitation principle requires deleting personal data when it is no longer needed for the original purpose. Our infrastructure supports configurable retention periods:
| Country/Region | Key Regulation | Primary ISPs | Notes |
|---|---|---|---|
| Germany | GDPR + BDSG (Federal Data Protection Act) | GMX, Web.de, T-Online, Telekom.de | Strict; explicit consent required; German DPA active enforcement |
| France | GDPR + CNIL guidelines | Orange, Free, SFR | CNIL B2B legitimate interest guidance differs from some interpretations |
| Netherlands | GDPR + AP enforcement | XS4ALL, Ziggo, KPN | Telecommunications Act supplements GDPR for direct marketing |
| Spain | GDPR + LOPDGDD | Telefonica, ONO | AEPD enforcement; high fines for non-compliance |
| Poland | GDPR + Polish DPA | Onet, WP.pl | UODO enforcement growing; transactional email clearer than marketing |
| Sweden | GDPR + IMY guidance | Telia, Bahnhof | Conservative interpretation; explicit consent standard |
| Europe overall | GDPR (Regulation 2016/679) | All EU ISPs | Unified regulation; national DPA enforcement varies |
This page provides infrastructure context for GDPR compliance. It does not constitute legal advice. Your organization should consult qualified legal counsel for specific GDPR compliance requirements for your email program and recipient base.