Newsletters and the Privacy Law: how you can become GDPR-proof

21 March 2018

Article written by Anja Meerding, Senior Consultant & Privacy Officer

“Do we actually need to do something about our newsletter, now the GDPR is here?”

GDPR stands for the General Data Protection Regulation. In other words, it is the new European privacy legislation.

If you are a database marketeer, this thought – or one like it – may have been resonating in your mind for some time now. What can you do, what can’t you do, and what steps need to be taken before 25 May 2018?

In this article we are going to help you make sure your newsletters are GDPR-proof. With reference to a practical example, we are going to explain step-by-step what is important and what you need to think about. Of course, the GDPR also contains many other aspects that we shan’t be discussing in this article.


Example case study

Our database marketeer Ilse is responsible for selection and transmission of the monthly customer newsletter. For many years, the marketing team have been carefully putting together a newsletter and e-mailing it to a broad audience. The newsletter contains information about new products and services and benefits for readers. All with the aim of making them interested in the product range. The broad audience comprises existing and past customers, prospects and contacts that have provided an e-mail address and that have not actively unsubscribed themselves.
Ilse is desperately looking for answers to the many questions she has about the new privacy legislation.


Basic question: is any personal data going to be processed?

Ilse is first going to determine whether or not any personal data is going to be processed. For the newsletter, the customer attributes required are indeed processed to determine the right content for the newsletter and to send it to the right customer. Therefore, the answer is “yes”.


Step-by-step plan for GDPR-proof newsletters

Below you can find an overview of the most important steps for a GDPR-proof newsletter.

1. Permission

You need permission from the recipient before you can send the e-mail. However, there is a difference in obtaining this permission from customers and from prospects.

In the case of commercial e-mails to existing customers, the customer must have already stated that they are willing to receive an e-mail. At the beginning of a customer relationship, your organisation needs to have clearly stated for which purposes personal data (e-mail addresses) will be used. The purpose of sending the newsletter must be indicated. The newsletter must always include the option to unsubscribe (opt-out).

Ilse has checked the registration procedure for customers: it asks unambiguously for permission for the newsletter (not with a pre-ticked box), and the newsletter contains an opt-out link. Luckily the registration procedure has remained unchanged for many years; otherwise Ilse would have had to investigate what the registration process looked like for customers acquired longer ago.

The newsletter also goes out to prospects that were acquired from an external supplier. For these prospects, you need to check whether the supplier of the prospect data asked for permission to use their personal data, including supplying it to third parties. Even if this is the case, you still need to explicitly ask for permission in the first e-mail exchange (opt-in).

Ilse knows the prospects are selected from an acquired address list according to specific attributes of their place of residence. They have therefore never been explicitly asked for permission, and Ilse realises that these prospects must no longer be contacted. She removes the prospects from the selection and sets up a project to correctly obtain opt-ins from prospects, so that she can use this target audience again in the near future.

As well as obtaining the permission itself, the following things are important too:

  • For what exactly did they give permission?
  • To whom did they give permission?
  • When did they give permission?
  • How did they give permission?
  • Where is the data stored?
  • With whom is the data shared?

Answers to these questions need to be recorded in the processing register.

Schematic Overview of Permissions:



2. Justified interest

There needs to be a legal basis to process personal data. For Marketing & Sales, the basis for processing data could partly be to ensure the continuity of your organisation. To have a legitimate basis, you have to balance your marketing interests against the interests of privacy. This means: when it is in the company’s interest to contact a customer to develop the commercial relationship, it must equally be in the customer’s interest to be contacted (e.g. because of benefits for the customer). And the recipient must, of course, be able to unsubscribe at any time free of charge.

Ilse is sure that the newsletter represents a justified interest and that it can be sent out as usual. It contains information about important product developments and exclusive offers for readers.


3. Data and process

Now it is a good idea to look at the data and the process for the e-mail. The data consists of contact details and personal data used to match the content of the newsletter and the selection to the customer profile. Offers for particular product groups will be included or not included in the newsletter, depending on attributes of the prospect. Important updates on products that the customer has bought in the past will always be included.

Ilse has already checked the contact details; now she turns to the data used for segmentation and personalisation. Has this data been recorded in the data processing register? The DPO (Data Protection Officer) states that all the personal data used for the newsletter has been included in the processing register.

So far so good, thinks Ilse! However, while reading up on the GDPR legislation, she also frequently comes across the term DPIA (Data Protection Impact Assessment). This is a way to identify the privacy risks of a data processing operation before it takes place. The results are input for measures to reduce those risks. How does all that affect sending this newsletter? Ilse’s newsletter is differentiated using profiling, and therefore she needs a DPIA. Luckily, the DPO is able to tell Ilse that this has already been carried out and recorded in the processing register. So, as far as the data is concerned, everything seems to be in order.

In order to be absolutely sure of whether a newsletter fully complies with the GDPR guidelines, Ilse does a final check with her DPO:

  • Is there a link to the GDPR-compliant privacy statement?
  • Is there a working unsubscribe?
  • Does the Privacy Statement:
    • indicate the type of usage of personal data (segmentation, profiling, sending commercial messages, etc.);
    • state who the third parties are and what they do with the data;
    • say whether the parties involved comply with the European legislation if the personal data is processed outside Europe.
  • Do the marketing/campaign tools comply with the GDPR requirements (licences, storage, usage, contract, logging, etc.)?
  • Has a policy been set for the Opt-in and Opt-out registration and is the processing performed properly?
  • Has the right to inspection, correction and deletion of personal data been procedurally arranged?

Ilse and her colleagues are now properly prepared for the GDPR and the requirements are met.



Ilse is pleased that most of the things have already been arranged properly. She just needs to get on with the Opt-in procedure for the acquired prospects. She has every confidence that this target group can also be correctly incorporated into the selection too in the near future.


Read more

If this article has caught your interest and you would like to know more, then you can read all the information about the GDPR on the website of the Dutch Data Protection Authority. Or look at an example of a (D)PIA on If you would like to find more examples and guidelines, you should definitely check Working Group 29.



The GDPR is a new piece of legislation and, as is often the case with legal matters, the devil is in the detail. If you want to make sure your model or processing methods comply with the GDPR guidelines and conditions, you should agree this with the person responsible at your organisation.

Also read our article on how you can make sure you (and your models) can strive to be GDPR-proof.


Do you want to know more about this subject? Please contact Anja Meerding using the details below

Anja Meerding, Senior Consultant & Privacy Officer

+31 6 54 78 04 24
