Make sure your business is GDPR-compliant

FAQs

• What is the GDPR?

  We suspect you’ve heard of the GDPR. The General Data Protection Regulation (or “GDPR” for short) is a European privacy law that came into force on May 25, 2018, and was intended to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates how individuals and organizations may obtain, use, store, and share personal data. As a regulation, it must be followed in its entirety throughout the EU.

• Does the GDPR apply to me?

  The scope of the GDPR is very broad. It applies to (1) all organizations established in the EU, and (2) all organizations that target or monitor individuals in the EU. Essentially, this means the GDPR will apply to most organizations that process personal data of EU individuals regardless of where the organization is established, and regardless of where their processing activities take place. This means the GDPR could apply to any organization anywhere in the world, across all industries and sectors. You should perform your own analysis to determine to what extent (if any) your organization may be subject to the GDPR.

• What is considered “personal data”?

  Personal data is any information relating to an identified or identifiable individual; meaning information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition—it includes not only information that’s commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that, for Mailchimp customers, at least a majority of the information that you collect about your contacts will be considered personal data under the GDPR.

  The broad definition encompasses work email addresses containing an individual’s name or any business contact information tied to or related to an individual, such as the individual’s name, job title, company, business address, work phone number, etc. In contrast, personal data doesn’t include generic business names, business addresses, generic email addresses or any other general business information, as long as this information hasn’t been linked to an individual. So, for example, “John.Smith@mailchimp.com” would most likely be considered “personal data” governed by the GDPR whereas “contact@mailchimp.com” wouldn’t.

  It’s also important to note that even information that cannot identify a particular individual on its own but which could be combined with other information to identify an individual (known as “pseudonymous data”) is considered personal data. So, for example, a hashed email address will still be considered personal data, albeit pseudonymized.

  Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, requires even greater protection. You must not store data of this nature within your Mailchimp account.

• What does it mean to “process” data?

  Processing is any operation which is performed on personal data, whether or not by automated means. This includes collecting, recording, organizing, structuring, storing, adapting, retrieving, using, combining, erasing, destroying, disclosing, disseminating, or otherwise making available personal data.

  Basically, if you’re collecting and managing any personal data of individuals physically residing in Europe (even if they’re not citizens), you’re processing personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your Mailchimp audiences contain the email address, name, or other personal data of an individual located in Europe, then you’re processing personal data under the GDPR.

• What’s the difference between a data controller and a data processor?

  If you process personal data, you do so either as a controller or a processor, and there are different requirements and obligations that will apply to you depending on which role you perform. It’s important to understand whether you are acting as a controller or a processor and to familiarize yourself with the responsibilities that apply to you.

  A controller is the organization that determines the purposes and means of processing—they make the important decisions like what personal data is collected, what the data is used for, how long it’s retained and who it’s shared with. A processor is an organization that processes the data on behalf of the controller and only under the controller's instructions. This typically means a processor can’t use personal data for any other purpose than to provide a service to the relevant controller.

  Controllers retain primary responsibility for compliance with the GDPR (including, for example, the obligation to give notice to individuals about processing, respond to individuals exercising their privacy rights, and report security breaches to data protection authorities); however, the GDPR also places some direct responsibilities on processors.

  In the context of Mailchimp, in the majority of circumstances our customer acts as the controller. Our customers, for example, decide what information from their contacts is uploaded or transferred into their Mailchimp account; direct Mailchimp, through our application, to send emails to certain contacts on their email distribution lists; and instruct Mailchimp to place advertisements on their behalf on third party platforms such as Facebook or Instagram.

  Mailchimp acts as a processor by performing these and other services for our customers. There are certain cases where we act as a controller, such as where we process customer information for our own business purposes (like account management and billing) and for our data analytics project. You can find more information about our data analytics projects, including how you can opt out from data analytics, here.

• What are the key principles under the GDPR?

  The GDPR contains a number of key principles that must be followed when processing personal data to ensure compliance. It’s a controller's responsibility to ensure compliance with these key principles.

  • Personal data must be processed in a fair, legal, and transparent way: Individuals should be informed about how their personal data will be used and you should never use data in any way that the individual would not reasonably expect. You must also have a legal basis for processing personal data, such as with the individual's consent, to satisfy a contract, or based on your legitimate interests.
  • Personal data must be collected for specific, explicit, and legitimate purposes: You should only collect personal data to fulfill specific purposes and not use data in a way that is incompatible with those purposes.
  • Personal data should be relevant and limited to what is necessary: You should only collect the information you need and not collect or use unnecessary or redundant data.
  • Personal data should be accurate and kept up to date: You should ensure that the data you hold is accurate and take steps to review and update information when necessary.
  • Personal data should only be kept for as long as necessary: You should only store personal data for as long as you need it and shouldn’t keep personal data indefinitely or “just in case”.
  • Personal data must be kept safe and secure: You must implement technical and organizational measures to protect personal data according to the type of data you process and the resources and technology available.

  Most importantly, you must be able to demonstrate how you comply with these principles and show how you’re accountable.

• What rights do individuals have under the GDPR?

  The GDPR gives individuals a number of rights in relation to their personal data. You must ensure that you can accommodate these rights if you’re processing personal data of EU individuals.

  • Right of access: Individuals have the right to be given certain information about how their data has been collected and used and to obtain a copy of their data from you.
  • Right to rectification: Individuals can request that their data be corrected or updated at any time.
  • Right of erasure (the “right to be forgotten”): In certain circumstances, individuals can request that their data be deleted entirely.
  • Right to withdraw consent: If you have obtained an individual’s consent to process their personal data, they can withdraw their consent at any time.
  • Right to object: Alternatively, if you rely on your legitimate interests to process an individual's data, the individual can object to your processing and you must stop doing so unless you can demonstrate that your interests override the interests and rights of the individual.
  • Right to object to marketing: Individuals have an absolute right to object at any time to processing of their personal data for marketing purposes.
  • Right of portability: Individuals can request that you transfer their data to another organization.

  Organizations must respond to these requests within 1 month or, in exceptional cases, within 3 months. Except the right to object to marketing (which is absolute and must therefore always be complied with), certain exemptions to the above rights may apply. All requests should therefore be carefully reviewed.

• How does the GDPR apply to email marketing?

  When it comes to email marketing regulation in Europe, the GDPR is only half the story. Europe also has a separate law, the Privacy and Electronic Communications Directive (or e-Privacy Directive), that contains supplemental rules governing consent requirements for e-marketing—i.e., marketing sent over electronic communication channels (such as phone, fax, e-mail and SMS). When sending e-marketing, these supplemental consent rules apply in addition to the need for businesses to identify lawful processing grounds under the GDPR.

  Put simply, these rules require opt-in consent for email and SMS marketing, unless an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt out at that time. If so, first party email and SMS marketing is possible on an opt-out basis (though third party email and SMS marketing still require opt-in).

  As the e-Privacy Directive is a Directive, meaning it has to be implemented into each member state's local law, you should check local member state law to double check the local requirements. For example, some countries (like the UK) are more relaxed about B2B email marketing (which can be done on an opt-out basis), while other countries (like Germany) have a stricter double opt-in requirement (see more on this below).

  However, the GDPR is still relevant because most email addresses will be considered personal data and therefore also subject to the GDPR's requirements. In particular, where you’re required to obtain an individual's consent, you must do so in accordance with the GDPR.

• What does the GDPR say about consent?

  We’re glad you asked. Consent isn’t always required to process an individual's personal data. However, where you’re required to obtain the individual's consent (which may apply if you’re carrying out certain email marketing) you must ensure that you obtain consent in accordance with the GDPR’s strict requirements:

  • Consent must be opt-in: Individuals must explicitly opt-in to the collection and use of their personal data. This means that silence, pre-checked boxes, and implied opt-ins (i.e., inactivity) aren't valid.
  • Consent must be informed: This means you must provide meaningful information to individuals about why you're collecting the information and clearly explain how you plan to use it. This information should be provided at the time individuals give their consent.
  • Consent must be specific: This means separate consent should be obtained for different processing activities and you shouldn’t try to bundle different purposes within 1 consent.
  • Consent must be freely-given: This means individuals must have a genuine choice when consenting and their consent should not be conditional on receiving a product or service.
  • Consent must be demonstrable: Don't forget you must be able to demonstrate that you've obtained consent, including who consented, when, and what information was given to the individual at the time.

  Lastly, keep in mind that certain countries require "double opt-in" consent to carry out email marketing. Double opt-in involves an extra confirmation step that verifies each email address. Although this is not required by the GDPR, or by every EU member state, we recommend you enable double opt-in when sending electronic marketing communications to EU individuals.

• Does the GDPR say anything about cross-border data transfers?

  Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. The GDPR doesn’t contain any specific requirement that the personal data of EU individuals be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different mechanisms that organizations can use to perform cross-border data transfers: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms, and codes of conduct. The primary purpose of these mechanisms is to ensure that when the personal data of Europeans is transferred abroad, the protection travels with the data.

  An adequacy decision is a decision by the European Commission that the country or territory where the personal data is being transferred provides an adequate level of protection. Prior to the 2020 decision invalidating the EU-US and Swiss-US Privacy Shield Frameworks, the EU-US Privacy Shield framework was one such example of an adequacy decision.

  Effective July 10, 2023, the European Commission adopted a new EU-US Data Privacy Framework (DPF), granting adequacy to the United States. Parties previously certified under the EU-US Privacy Shield Framework and committed to upholding the DPF Principles may now rely on this adequacy decision to transfer data from the EU to the US. Mailchimp is one such company and will continue to protect EEA, UK, and Swiss data in compliance with its certification obligations.

  In addition, Mailchimp contractually commits to transfer and process all of its users’ EU, Swiss, and UK data in compliance with the EU’s standard contractual clauses, which remain a valid data export mechanism and which automatically apply in accordance with Mailchimp's Data Processing Addendum. You can learn more about our DPF certification here.

  If you are transferring personal data to other organizations that are located outside the EU, then you should ensure you have an appropriate ground to perform the cross-border data transfer, such as an adequacy decision or standard contractual clauses approved by the European Commission.

• Does the GDPR still apply to the UK after Brexit?

  The EU GDPR is an EU Regulation and it no longer applies to the UK. However, any business that operates inside the UK must comply with UK data protection law. The GDPR has been incorporated into UK data protection law as the UK GDPR—so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR.

  Also, remember that if you’re based in the UK but target or monitor EU individuals you’ll still be subject to the GDPR even after the end of the transition period.

• What happens if you don’t comply with the GDPR?

  Non-compliance with the GDPR can result in large financial penalties. Sanctions for non-compliance can be as high as 20 million Euros or 4% of global annual turnover, whichever is higher.

• Why is data protection important?

  Aside from the fact that you may be required to follow certain data protection laws based on your business operations, data protection offers several benefits. Following data protection best practices is especially important if your business deals with customers’ personal data.

  A commitment to protecting customers’ data helps build trust with your customers, which helps you keep customers around for a long time and reduces customer acquisition costs.

  Data protection is also great because it can help you change the way you manage your data and ensure it’s secure but always readily available. Proper data collection and management are cornerstones of data protection, so protecting your data and implementing things like GDPR consent can help you improve your data management as a whole. This means data is always available when you or your customers need it, so business operations aren’t interrupted.

• What are the benefits of GDPR consent?

  First and foremost, it’s essential that you’re following the GDPR if you’re required to based on the data you collect. If your business collects personal data from anybody in the EU, GDPR consent may be an important part of making sure you’re collecting that data legally.

  Improved data management is a benefit of GDPR compliance. When you use GDPR consent and collect data according to the GDPR, you also have the opportunity to adopt data management best practices that you may not have used before. And because GDPR compliance requires you to collect, store, and manage data in a particular manner, it helps improve your data management by default. If you’re already overhauling your data collection and management processes, you can take the opportunity to make sure you’re on top of GDPR compliance as well.

• Do I, as an individual, have to comply with GDPR?

  As an individual, you are required to maintain GDPR compliance as long as you meet the criteria. As long as you collect personal data from people who are residents of the EU, you’re required to follow the GDPR when it comes to the collection, storage, and management of that personal data. That being said, there are certain cases where an individual isn’t required to maintain GDPR compliance even if they’re collecting data from people in the EU.

  One of the most important things to keep in mind is that certain types of data collection are exempt from the GDPR. Essentially, you’re only required to follow GDPR guidelines if you’re collecting personal information from people located in the EU for business purposes. Other types of data collection aren’t subject to GDPR guidelines. This includes personal data collection, such as lists of phone numbers, addresses, and other information that is intended for personal or household use. That being said, it’s still a good idea to maintain GDPR compliance if you’re collecting any type of data from EU residents. At the very least, maintaining GDPR compliance will help you make sure your data protection and management systems are up to date.

  If you’re an individual, but you’re not collecting data from people in the EU, you don’t have to worry about GDPR compliance. However, following GDPR marketing and data protection guidelines can help you make sure you’re protecting customers’ private data, which goes a long way toward increasing customer loyalty and boosting your brand’s reputation.

  Even as an individual, it’s important to understand whether or not you’re required to maintain GDPR compliance. You might think you’re collecting a small amount of data that isn’t particularly valuable, but data protection is crucial when you’re dealing with any type of personal data.

• Are there data protection regulations besides GDPR that I need to follow?

  The GDPR may be just one of the laws you will need to understand for your business, especially if you are processing the personal data of individuals outside of the EU. Different states, provinces, and countries have different laws, so the regulations you have to follow vary depending on your business operations and the type and kind of data you process.

  For example, California has what may be the most well-known data protection law in the United States, which is called the California Consumer Privacy Act (CCPA). Several states other than California also have data protection laws which are modeled similarly to the CCPA or the GDPR. Of course, you may still be required to maintain GDPR compliance and follow other regulations if you’re operating outside of the United States, but collecting data from customers in certain states will impose additional requirements to those under the GDPR.

  There’s also a Canada law regarding data protection that’s called the Personal Information Protection and Electronic Documents Act (PIPEDA). This law is often referred to as the Canadian equivalent of GDPR, so maintaining PIPEDA compliance is also important for many businesses. Like GDPR compliance, you’re required to maintain PIPEDA compliance if you collect, use, or disclose the personal information of Canadian citizens for business purposes. And, as with the United States, there are also provincial data protection laws within Canada that may impact your business activity

  Lastly, there are countless regulations when it comes to running a business, whether you’re running an online business or not. For example, if you have an email marketing campaign in the US, you have to follow the CAN-SPAM Act of 2003, and there are equivalent laws in many other countries. . If you’re doing a lot of business internationally, it is worth talking with an expert about which laws you’re required to follow to keep your customers’ data protected.