GDPR · 12 May 2026 · NexusProMail Team

GDPR Email Marketing Checklist 2026

A practical checklist covering every GDPR obligation for email marketers — from lawful basis and consent to suppression lists, DSARs and data processing agreements. Includes legal context and FAQ.

This checklist is provided for informational purposes only and does not constitute legal advice. If you have specific compliance questions, consult a qualified legal professional.

Who this checklist applies to

GDPR applies to any organisation that processes personal data about EU residents — regardless of where the organisation itself is based. If you send marketing email to people in Europe, GDPR obligations apply to you. Work through each section before your next campaign and treat any unchecked items as compliance gaps to address.

Section 1: Lawful basis

  • You have identified the lawful basis for each email list or segment you send to
  • If using consent: it was freely given, specific, informed and unambiguous — pre-ticked boxes do not qualify
  • If using legitimate interest: you have completed and documented a Legitimate Interest Assessment
  • Your lawful basis is recorded at the contact or segment level, not assumed globally
  • You have a process to record when and how consent was obtained for each contact

Section 2: Consent collection

  • Consent requests are presented separately from other terms and conditions
  • The language clearly describes what the contact is signing up for
  • You do not use consent obtained for one purpose to send email for a different purpose
  • If you use double opt-in, the confirmation email contains no marketing content
  • You record a timestamp and source for each consent record

Section 3: Unsubscribe and opt-out

  • Every commercial email contains a working unsubscribe link
  • Unsubscribe requests are processed promptly (best practice: immediately, GDPR requires within 30 days)
  • Suppression lists are enforced — unsubscribed contacts cannot be re-added without fresh consent
  • You have a process to handle unsubscribe requests received outside your email platform (by reply email, phone or in writing)

Section 4: Data minimisation and retention

  • You only collect contact fields you actually use for sending or segmentation
  • You have a defined retention period for contact data
  • You have a process to review or remove contacts who have passed your retention period
  • Inactive contacts who have not engaged within your retention window are reviewed regularly

Section 5: Rights of data subjects

  • You can locate all data held about a specific individual within 30 days of a Subject Access Request
  • You can export all data held about an individual in a readable format (Right of Access)
  • You can permanently delete all data held about an individual (Right to Erasure)
  • Deletion is permanent — deleted contacts cannot be reimported from the same source
  • You have a documented process for handling Data Subject Access Requests (DSARs)
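Sections 3 and 5 together require that an unsubscribed contact is not re-added without fresh consent and that an erased contact cannot be reimported from the same source. The following is an added example, not NexusProMail's own code, showing one way to enforce both: a suppression list keyed by opt-out time, plus an erasure tombstone that keeps only a keyed hash of the address and import source so the personal data itself is gone. The `ContactStore` class, `TOMBSTONE_KEY` and the ISO 8601 timestamps are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: a per-deployment secret; rotating it invalidates old tombstones.
TOMBSTONE_KEY = b"replace-with-a-deployment-secret"


def _norm(email: str) -> str:
    return email.strip().lower()


def tombstone(email: str, source: str) -> str:
    """Keyed hash of (address, import source). After erasure this is all we
    keep: the address is gone, but a re-import from the same source can
    still be recognised and refused."""
    msg = f"{_norm(email)}\0{source}".encode()
    return hmac.new(TOMBSTONE_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class ContactStore:
    contacts: dict = field(default_factory=dict)    # email -> consent record
    suppressed: dict = field(default_factory=dict)  # email -> unsubscribe time
    tombstones: set = field(default_factory=set)    # hashes of erased contacts

    def import_contact(self, email: str, source: str, consent_at: str) -> str:
        email = _norm(email)
        consented = datetime.fromisoformat(consent_at)
        if tombstone(email, source) in self.tombstones:
            return "rejected: erased"        # Section 5: deletion is permanent
        if email in self.suppressed and consented <= self.suppressed[email]:
            return "rejected: suppressed"    # Section 3: no re-add without fresh consent
        self.suppressed.pop(email, None)     # consent is newer than the opt-out
        self.contacts[email] = {"source": source, "consent_at": consented}
        return "accepted"

    def unsubscribe(self, email: str, at: str) -> None:
        email = _norm(email)
        self.suppressed[email] = datetime.fromisoformat(at)
        self.contacts.pop(email, None)

    def erase(self, email: str) -> None:
        """Right to Erasure: drop every stored field, keep only the tombstone."""
        email = _norm(email)
        record = self.contacts.pop(email, None)
        self.suppressed.pop(email, None)
        if record:
            self.tombstones.add(tombstone(email, record["source"]))

    def can_send(self, email: str) -> bool:
        email = _norm(email)
        return email in self.contacts and email not in self.suppressed
```

Because the tombstone is keyed by address and source, a later opt-in from a different source is still accepted; whether that is acceptable is a retention-policy decision for your organisation.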

Section 6: Third-party processors

  • You have a Data Processing Agreement with every tool or service that processes your contact data
  • Your email platform has provided a DPA covering their role as data processor
  • If your email platform is outside the EU, you have addressed the international transfer requirements
  • You have reviewed the sub-processors list of your email platform

Section 7: Security

  • Access to your email platform is protected by strong credentials and ideally two-factor authentication
  • Access is limited to staff who need it for their role
  • You have a process to revoke access for staff who leave the organisation
  • You know the timeframe for notifying your supervisory authority in the event of a breach (72 hours under GDPR)

Section 8: Privacy policy and transparency

  • Your privacy policy describes your email marketing data processing accurately
  • It identifies the lawful basis for your email marketing
  • It explains how contacts can unsubscribe and exercise their rights
  • It was reviewed within the last 12 months

What NexusProMail handles automatically

If you use NexusProMail, several items on this checklist are handled by the platform: suppression list enforcement, signed unsubscribe links, DSAR tooling, hard bounce auto-suppression, erasure tombstones and full send audit logging. A Data Processing Agreement is available on request from support@nexuspromail.com. The items that remain your responsibility are lawful basis documentation, consent collection processes, retention policies and the security of your own systems and accounts.

Frequently asked questions

Does GDPR apply if my business is outside the EU? GDPR applies when you process personal data about EU residents, regardless of where your business is based. If you send marketing email to EU residents, GDPR applies to that processing.

What is the difference between consent and legitimate interest? Consent requires a positive opt-in action from the contact. Legitimate interest allows processing without consent if your interest in doing so is not outweighed by the individual's rights. For direct marketing, consent is generally the more straightforward and defensible basis.

How long can I keep contact data? GDPR does not specify a maximum retention period — you define your retention policy based on what is necessary for your purpose. For email marketing, most organisations use engagement-based retention: contacts who have not engaged within a certain period (often 12-24 months) are reviewed or removed.

What happens if I receive a DSAR? You have one month to respond (with a possible two-month extension for complex requests). You must provide all personal data you hold about the individual, explain what you are doing with it and why, and tell them their rights. If they request erasure, you must delete the data unless you have a legal obligation to retain it.

Do I need a DPA with my email marketing platform? Yes, if they are processing personal data on your behalf (which any email platform is). Under Article 28 GDPR, a written DPA is mandatory with all data processors. NexusProMail provides a DPA on request.
