Consent, legal basis, proof, retention period, unsubscribe, European hosting: the practical guide to sending campaigns without risking a regulator's fine.
Updated on June 22, 2026
Sending a newsletter or email campaign in Europe means processing personal data — and therefore complying with the GDPR. In 2026, European regulators keep sanctioning the most common failings: shaky consent, missing unsubscribe, indefinite retention. The good news: compliance comes down to a handful of habits. Here is the practical checklist, point by point, to get started with peace of mind.
This guide is informational and does not constitute legal advice. For a specific case, consult a legal professional or your data protection officer (DPO).
The GDPR requires consent that is freely given, specific, informed and unambiguous. In practice: an unticked checkbox, a clear purpose ("receive our newsletter"), and no disguised obligation. No "bundled" consent with the terms of service, no pre-validated box.
Collecting consent is not enough: you must be able to prove it. In the event of an audit, you have to show who consented, when, to which purpose and through which channel. Keep the date, the source (form, import, double opt-in), the IP address where relevant and the version of the policy accepted.
Double opt-in (a confirmation email after sign-up) is not strictly mandatory, but it remains best practice: it validates the address, eliminates typos and provides solid proof. It also improves your deliverability by filtering out unengaged contacts.
Every processing activity rests on a legal basis. For electronic commercial prospecting, it is usually consent; for existing customers, legitimate interest may apply under conditions (similar products or services, and an unsubscribe option offered in every message). Document the purpose of each collection: a contact who signed up for a white paper has not necessarily consented to your commercial offers.
Every marketing email must include a simple, free and immediate way to unsubscribe. Unsubscribe requests must be handled without delay (and logged). A 6-pixel link hidden in pale grey is not compliant: it must be visible and functional. Ideally, your tool removes the contact from future sends as soon as they click.
You cannot keep data "forever". Set a justified period and reassess inactive contacts (regulators cite roughly three years without interaction for prospecting). On expiry: delete, anonymise, or re-collect consent. Be ready to respond quickly to access and erasure requests — within one month as a rule.
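As an added illustration (not the article's or MarketingAtelier's code), the rules above on consent proof, double opt-in, unsubscribe and retention expressed as a small Python model that gates every send; the field names, the three-year inactivity limit as a fixed constant, and the sample values are assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

INACTIVITY_LIMIT = timedelta(days=3 * 365)  # ~3 years without interaction, as cited for prospecting

@dataclass
class ConsentProof:  # who, when, for which purpose, through which channel
    purpose: str
    given_at: datetime
    source: str  # "form", "import" or "double_opt_in"
    policy_version: str  # version of the privacy policy accepted
    ip: Optional[str] = None  # kept only where relevant
    confirmed: bool = False  # double opt-in: True once the link is clicked

@dataclass
class Contact:
    email: str
    consents: List[ConsentProof] = field(default_factory=list)
    unsubscribed_at: Optional[datetime] = None  # doubles as the unsubscribe log entry
    last_interaction: Optional[datetime] = None

def record_consent(c, purpose, source, policy, now, ip=None):
    # Form/import consent is effective at once; double opt-in waits for confirmation.
    c.consents.append(ConsentProof(purpose, now, source, policy, ip,
                                   confirmed=source != "double_opt_in"))
    c.last_interaction = now

def confirm_double_opt_in(c, purpose, now):
    for p in c.consents:
        p.confirmed = p.confirmed or p.purpose == purpose
    c.last_interaction = now

def unsubscribe(c, now):
    c.unsubscribed_at = now  # immediate, applies to every purpose

def may_send(c, purpose, now):
    # Gate every send: unsubscribe first, consent for this exact purpose, then retention.
    if c.unsubscribed_at is not None:
        return False, "unsubscribed"
    proof = next((p for p in c.consents if p.purpose == purpose), None)
    if proof is None:
        return False, "no consent for this purpose"  # a white paper is not an offer
    if not proof.confirmed:
        return False, "double opt-in not confirmed"
    if now - (c.last_interaction or proof.given_at) > INACTIVITY_LIMIT:
        return False, "inactive beyond retention period"
    return True, "ok"
```

Contacts that `may_send` rejects for inactivity are the ones to delete, anonymise or re-consent during a periodic sweep.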
Where does your data live? Providers subject to the US Cloud Act can be legally compelled to transfer data, even when stored in Europe. To reduce legal uncertainty and reassure your contacts, favour European hosting with clear oversight of sub-processors. It is not an absolute guarantee, but it is the most defensible choice.
In the event of a breach of these obligations, regulators can issue a warning, a formal notice, then a fine of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher. Beyond the figure, it is mainly trust and reputation that are at stake. Most sanctions target fundamentals: unproven consent, unhandled unsubscribe, excessive retention.
| Control point | GDPR requirement | Status to verify |
|---|---|---|
| Consent | Explicit opt-in, unticked checkbox | To check |
| Proof | Date, source, purpose, version retained | To check |
| Records of processing | Processing documented and up to date | To check |
| Legal basis | Consent or justified legitimate interest | To check |
| Mandatory notices | Controller, purpose, rights, policy | To check |
| Unsubscribe | Visible, free link, handled without delay | To check |
| Retention period | Limited and justified, inactive contacts purged | To check |
| Access / erasure rights | Response within one month | To check |
| Hosting | Data in Europe, sub-processors overseen | To check |
Key takeaway. GDPR compliance is not a one-off project but ongoing hygiene. Collect explicit consent, keep proof of it, offer a real unsubscribe, limit retention and host in Europe. With these habits, you send with confidence — and strengthen your contacts' trust.
Part of this checklist can be handled by the tool rather than by hand. MarketingAtelier's CRM manages granular consent per channel and per purpose with a proof registry (date, source, policy version). The forms apply systematic GDPR consent — a contact collected without explicit agreement is created but excluded from marketing. Sending includes automatic unsubscribe that removes the contact from campaigns as soon as they click. And everything is hosted in Europe, away from the Cloud Act.
Compare the plans or create a free account to set up compliant collection from your very first contacts.
MarketingAtelier brings email, CRM, sites, forms, social and AI visual creation into a single platform. Try it for free.