Understand what Mailchimp does for GDPR compliance

Our guide walks you through information about the GDPR, what steps Mailchimp takes towards complying, how we keep your data safe, and how we lawfully access data in the US.

This page is for informational purposes only. If you are seeking legal advice, please contact legal counsel.


Let’s start at the beginning: what is the General Data Protection Regulation (GDPR)?

We suspect you’ve heard of it, but the GDPR is a European privacy law that came into force in May 2018. It was designed to strengthen, harmonize, and modernize EU data protection law and to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.

The GDPR regulates how individuals and organizations may obtain, use, store, and share personal data.

Why data privacy is important to us

We’ve always valued data privacy, and the GDPR is the gold standard. Mailchimp belongs to Intuit, and we believe in protecting your customers’ data and giving you control over your information. The data that you entrust to us belongs to you and your customers, and we take this seriously.

We’ve maintained since our founding that Mailchimp will not sell the personal information of our members, our members’ distribution lists, or our members’ contacts. That’s why our strong Data Stewardship Principles, together with the tools we provide to help you meet GDPR requirements, have enabled us to continually earn the trust of our customers for years.

You can trust Mailchimp to handle your audience's data responsibly and securely.

How does it affect me and my business when it comes to email marketing?

When it comes to electronic marketing regulations in Europe, GDPR isn’t the whole story. The e-Privacy Directive adds supplemental rules for consent regarding marketing via channels like phone, fax, email, and SMS. These rules require businesses to obtain opt-in consent for email and SMS marketing.

Mailchimp adopts opt-in as the global standard for emails sent through our service. We don’t allow spam to be sent through our service, which helps your emails land in your customers’ inboxes. Learn more here.

How does Mailchimp comply with GDPR even though its servers are located in the US?

The GDPR enforces strict rules on sending personal data outside the EU to ensure it’s protected wherever it goes. As a US-based company, Mailchimp is committed to maintaining high data protection standards for all of our users’ data.

So how do we ensure the privacy of your EU subscribers' data when Mailchimp is a US-based company? The answer lies in the EU-U.S. Data Privacy Framework (EU-US DPF). This agreement was adopted in July 2023, and it allows certified companies to transfer personal data between the EU and the US.

Mailchimp is certified under the EU-US DPF, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. This enables your transfer of personal data from the EU, UK or Switzerland to Mailchimp, so you can focus on growing your business, knowing your customers’ data privacy is in safe hands.

Want to learn more about how Mailchimp keeps your data secure? Check out our EU-US DPF certification and our Global Privacy Policy.

Checklist of Mailchimp’s compliance

  • Certify annually with the EU-U.S./Swiss-U.S. Data Privacy Framework and continue to protect EEA, UK, and Swiss data in compliance with the Data Privacy Framework. You can view our Data Privacy Framework certification here.
  • Appointed a Data Protection Officer (DPO) to oversee our compliance program.
  • Continuously review our security measures to ensure any personal data we collect and process on our systems is adequately protected.
  • Ensure our Global Privacy Statement clearly explains Mailchimp's commitment to the GDPR, is transparent about how we use personal data, and gives individuals information about how they can exercise their data subject rights.
  • Incorporate the EU's Standard Contractual Clauses in our Data Processing Addendum, which automatically forms part of our Standard Terms of Use (our contract with you) and applies to customer data protected by EU laws.
  • Provide our customers with GDPR-ready terms in our Data Processing Addendum and update our contracts with third-party vendors to ensure they are GDPR-compliant.
  • Maintain formal processes around data subject rights to ensure we can help customers fulfill requests they receive.
  • Respond to and fulfill data subject rights requests in our role as a controller.
  • Complete Data Protection Impact Assessments to identify and minimize any risks from our processing activities.

You can exercise your GDPR rights on this page.

What about countries with additional requirements?

Some countries, including Austria, Germany, and Norway, require "double opt-in" consent for email marketing. This process adds an extra confirmation step to verify each email address, demonstrating greater diligence in obtaining consent. Mailchimp supports these features to help you comply with the strictest standards.

Although the GDPR does not mandate double opt-in, and not every EU member state requires it, we recommend enabling this feature when sending electronic marketing communications to EU individuals. It enhances compliance and builds trust with your audience. You can find out more about our double opt-in features here.

Does EU data have to be stored in the EU?

No, the rules regarding the transfer of personal data outside the EU remain unchanged. Personal data may be transferred abroad as long as it is "adequately protected." The EU allows data to be transferred abroad to 16 countries that it deems to have “adequate” data protections, and the US is one of them.

How does Mailchimp comply with GDPR when transferring data to the US?

The GDPR establishes rules for transferring personal data outside the EU, and Mailchimp adheres to these rules in two main ways.

We are certified under the EU-US Data Privacy Framework (DPF), allowing Mailchimp to receive personal data from the EU in the US. Additionally, we utilize Standard Contractual Clauses (SCCs) in our Data Processing Addendum. SCCs are standardized terms approved by the European Commission that offer legal safeguards for data transfers, adding a second basis to support transferring personal data to Mailchimp in the US.

You can learn more about our EU-US DPF certification here, as well as our European data transfers here.

Why have I seen stories about Mailchimp and the GDPR?

In March 2021, the Bavarian Data Protection Authority (DPA) ruled on the use of Mailchimp's services by a German publishing company. It’s crucial to note that the decision was not about Mailchimp’s compliance measures, but focused on the customer’s failure to conduct a required data transfer assessment under GDPR.

This requirement arose before the current Data Privacy Framework was put in place, and after the previous EU-US Privacy Shield framework was invalidated by the Court of Justice of the European Union (CJEU) in 2020 (the Schrems II decision). That ruling created uncertainty and significant implications for companies transferring personal data from the EU to the US. It mandated that data exporters, such as the German publishing company using Mailchimp, perform additional assessments before transferring data to the US. The Bavarian DPA found that the company had not conducted this assessment, and ruled the data transfer unlawful.

The establishment of the EU-US Data Privacy Framework (EU-US DPF) in July 2023 changed the dynamic of personal data transfers, allowing personal data to flow seamlessly across the Atlantic. The EU-US DPF serves as a mechanism for lawfully transferring personal data from the EU to Mailchimp in the US, and indicates that we meet high standards for data transfers. This enables you to focus on growing your business and connecting with your audience, confident that your data privacy needs are addressed.

What does this mean for UK and Swiss customers?

Mailchimp is certified under the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. You can view our listing by searching “Intuit” on the official register here, and read the Intuit Data Privacy Framework certification page here.

In addition, should the Data Privacy Framework ever be invalidated, Mailchimp contractually commits to transfer and process all of its customers’ European data in compliance with the Standard Contractual Clauses (SCCs), which continue to give our customers the ability to lawfully transfer data that is subject to applicable data protection laws (including the GDPR) outside of Europe to Mailchimp in the United States. The SCCs automatically apply in accordance with Mailchimp's Data Processing Addendum.

GDPR Compliance: Understanding Mailchimp's responsibilities vs. your responsibilities as a customer

Mailchimp acts as a data processor when you use our platform. We help you store and process data on your behalf, according to your instructions. Our GDPR responsibilities include:

  • Keep data safe: We have strong security measures to protect the information you put in Mailchimp.
  • Tell you about problems: If there's a data breach (like someone hacking in), we'll let you know right away.
  • Give you tools to comply: We provide features that help you follow the GDPR rules, such as double opt-in, unsubscribe links, and data export options.

You, as a Mailchimp customer, act as a data controller

This means you determine the purposes and means of processing personal data. Your GDPR responsibilities include:

  • Have a good reason: You need a valid reason to collect someone's information, like they signed up for your newsletter or bought something from you. You can't just collect data without a reason.
  • Be upfront: Tell people clearly how you're using their data. This is usually done with a privacy policy.
  • Respect people's wishes: If someone wants to see what information you have about them, change it, or delete it, you have to let them.
  • Keep data safe too: You're also responsible for keeping the data you collect safe, including how you use Mailchimp (e.g. strong passwords and two-factor authentication).
  • Only keep what you need: Don't keep information longer than you need it.

Where can I find more information about Mailchimp and GDPR compliance?

We’ve compiled a useful list of additional resources for more information. Please feel free to check them out.

What can I do?

If you are still concerned about your data being processed in the US, you can contact Mailchimp directly to discuss your concerns. Our customer team may be able to provide further information to address your specific concerns.