How to send GDPR-compliant marketing emails

by Veronika Belova


GDPR compliant marketing: Send compliant marketing emails with ease in no time.

Emailing prospects, leads, and clients is really important, whether it be specific, personal emails, or general marketing campaigns/newsletters. Sending just the right email may help turn a prospect into a client, funnel a client further down the sales pipeline, or even close a deal. But when you send out newsletters, email campaigns, or follow-ups, it’s essential to comply with GDPR rules and regulations to respect your prospects’ personal data.

As the 5th article in our GDPR playbook, this article will help you better understand how to send GDPR-compliant emails to ensure your clients’ data is always protected. For more information about sending GDPR-compliant LinkedIn messages, refer to our GDPR compliant outreach templates.

Yes, emails count as personal data when it comes to GDPR

Work email addresses do indeed count as personal data. Most individuals’ professional email addresses are something like [email protected], and these are considered personal data. However, if you are sending an email to a general email address, like [email protected], this is not considered personal data (info is not a person, after all!) so GDPR rules don’t apply.

For most email marketing campaigns, you’ll likely be targeting specific prospects, so it’s best to just stick with the idea that professional emails are personal data belonging to specific people and comply accordingly. This way, you won’t run into trouble when it comes to GDPR rules.

How many emails are too many emails?

Our GDPR playbook has gone through how to organize, manage, and process data, in addition to explaining that you should only be emailing prospects who have a legitimate business purpose and who opt in (for more on opt-in/opt-out and how this applies to different countries, make sure to read our article here).

But what about these emails? How many can you send without violating GDPR rules? Well, first it’s important to note that although GDPR has changed email marketing, compliance can actually help you best target your audience so the right emails go to the right people. Because users will be opting in and out, you can feel better about those who have opted in — these people really do want to receive your emails and may be more inclined to buy what you’re selling.

Thanks to GDPR, your contact list may be smaller, but a more refined list focuses on quality, not quantity, which could actually lead to greater selling success. After all, more targeted and engaged leads are much more likely to read these emails and become clients.

Once you have the list of prospects that do want to receive those emails, you can send them as many emails as you want, assuming they’ve opted in.

But, you should only be sending about one marketing email per week. Less is actually more when it comes to email campaigns, as prospects may get frustrated if you’re sending out more than one email per week and unsubscribe. After all, one of the top reasons people unsubscribe from mailing lists is because they are receiving too many emails. As we all know, receiving too many emails from one sender feels spammy and can get annoying.

Note that if you’re sending out personalized emails to prospects in reference to specific information, you can reply to and send emails as needed based on your impending deal, not just once per week.

The segment below about the GDPR email element is contributed by our DPO, Raphaël Buchard.

  • 6 months at the EU Commission
  • 5 years as IP / IT & Data Protection lawyer
  • 4 months as advisor at Accor Hotel
  • 2 years as a DPO trainer for Lamy
  • Co-founder & CEO of Dipeeo

GDPR compliant marketing: Your emails need these elements

We’ve already covered that to be compliant with Data Protection rules, you can only email prospects that have opted in. But what happens when prospects don’t want to get these emails anymore? They need to be able to unsubscribe (“opt out”). According to Data Protection Rules, any person who wants to send a commercial email needs to make unsubscribing easy in their emails. Here are some examples of how you can word an unsubscribe button in your emails:

  • Click here to unsubscribe.
  • To stop receiving emails from us, click here.
  • Tired of our emails? Unsubscribe here.
  • Don’t want to get our emails? Unsubscribe here.

You should never charge a fee for unsubscribing, and the option to do so should be clear.

We’ve stressed this repeatedly: it’s best to send marketing emails to prospects that have opted in (and it’s a must for B2C emails). Make it easy for prospects to opt out via unsubscribe buttons (see above). Don’t use pre-ticked boxes for opt-in, and always save proof of consent. This is extremely important because GDPR is based on accountability, which means that companies have to demonstrate to supervising authorities that they are complying with GDPR provisions. If you need to regain consent, do so, and give subscribers options for managing content they want to receive.

Moreover, even if you have consent to send a commercial email, you cannot use such consent ad vitam aeternam. After a few years (the period differs between EU member states, e.g. 3 years in France), you have to gather the consent of individuals once more to continue such prospecting action.

Finally, within the email you send, you have to inform individuals about the processing of their personal data carried out for marketing actions.

What happens if prospects opt-out or unsubscribe?

If a prospect opts out of receiving your emails, don’t stress. They probably weren’t going to buy what you were selling anyway. Remember, it’s best to email people that actually want to be reading your content and have a valid interest in your product.

When a prospect does opt out, it’s important to store their data in a specific opt-out database for a few years (e.g. 5 years in France) to demonstrate that you are complying with the opt-out obligation, and to stop sending them emails in order to comply with GDPR. It’s best to do this within 48 hours or less. After a few years, you can then delete the personal data from your information system.

Attract qualified leads for your email marketing list without violating GDPR using Surfe

Using Surfe can help you find verified email addresses on LinkedIn and save them to your CRM hassle-free. It can take a while to source even one single email address on LinkedIn for a prospect, and if you’re sourcing several a day, this time can really add up. But finding verified emails is important — as we suggested earlier, quality contacts are the best kind to have because they’ll show a valid interest in your product and won’t unsubscribe from your emails.

You can link Surfe with an email finder tool such as Dropcontact. Once on LinkedIn, Surfe sends a prospect’s information (name and company) to Dropcontact, which finds their current email (they don’t work with a database, so emails are always current) and adds it directly to your CRM through Surfe.

In fact, Surfe integrates with several different email finder tools to help you search for prospects and build an accurate and relevant contact list easily and quickly. This information is available on your Surfe dashboard under Tools & Apps. For more information on how to use Surfe to find and save verified email addresses, watch this video.

Send GDPR-compliant emails with ease — and get replies, too

Using the above information, you’ll not only be able to curate and maintain a relevant mailing list of trusted contacts but also be able to send the right emails without violating GDPR regulations. Just make sure not to send too many emails, and always stop sending emails if requested by a contact in order to stay within Data Protection rules.

When emailing prospects with marketing emails, try not to sound too sales-ey, and stay relevant. Explain how your product can help a prospect, and be polite and professional, but as personal as possible. If you are emailing with a specific contact, make sure to focus specifically on that client, even if you’re using a template. This encourages contacts to reply if they feel that you care about them.

For more information on managing your clients’ data and GDPR-compliant templates, take a look at our blog.


This article provides general advice and information about emailing within the GDPR sphere but is not official legal advice. Please contact your legal provider for specific information or legal issues.