Find all the answers to your GDPR questions here:
- What is the GDPR?
- How does it impact email marketing and marketing automation?
- How does SendinBlue enable users to comply with this regulation?
- What measures do I need to take in order to be in compliance with the GDPR?
Please note: this page explains the impact of GDPR on the use of SendinBlue only and is not applicable for any other aspects of your business. It should not be considered as legal advice.
Frequently Asked Questions:
What is the GDPR?
The GDPR is the new European legislation meant to replace the 1995 Data Protection Directive
This regulation, which can be read in full on the CNIL website, is the new European law governing the use and handling of individuals’ personal data.
It has 3 primary objectives:
- To standardize European data protection regulations.
- To give citizens control over how their personal data is used.
- To make sure that companies are aware of their responsibilities regarding personal data.
To whom does the GDPR apply?
If you collect or process the personal data of any European citizen, regardless of the country in which your company is based, the GDPR affects your business.
The GDPR has also eliminated the distinctions between various types of businesses — including B2B, B2C, for-profit, and nonprofit — meaning the law applies equally to all organizations that process the personal data of European citizens.
When should you be ready for the GDPR?
All stakeholders must be in compliance with the GDPR since May 25, 2018. If you are not yet, it is important to start your compliance now!
What penalties will be applied within the new regulations?
In the event of non-compliance, companies may be fined from 2% to 4% of turnover and up to 20 million for the most serious offenses.
What are the changes to the old legislation?
One of the main goals of the GDPR is to extend the rights of European residents in regards to the handling of their personal data. This can be summarized as follows:
- More access and control over the storage and processing of personal data for consumers
- A tighter definition of consent and personal data
- More transparency into the use of their personal data once it has been collected
New rights for users
The GDPR has created new rights of access and data protection for “data subjects”:
- Right to rectification: The data subject may request that their personal data be updated or corrected.
- Right to be forgotten: The data subject may request that their personal data be permanently deleted.
- Right to portability: The data subject may request that their personal data be sent to another organization or competitor.
- Right to object: The data subject may object to specific types of processing or uses of their personal data.
- Right of access: The data subject has the right to be informed of any and all of their personal data that has been collected, as well as its intended use.
A new definition for consent
One of the big changes in the GDPR is the new definition of consent, which should now be “given freely” and provided in the form of a “positive action” for each planned use case involving the subject’s personal data.
Opt-out practices (whereby subjects are automatically subscribed to a list, leaving it up to them to unsubscribe) and passive opt-in practices (pre-checked boxes in subscription forms) are now prohibited under the new regulation.
Opt-in is now the only way to get explicit consent, and therefore the only legal means by which organizations can obtain and use customer contact information.
For you, this means that you must now:
- Provide additional opt-in forms for each of the different ways you plan to use personal data from your customers (e.g. newsletter, automated emails, profiling, etc.)
- Ask your users for permission each time you want to use their personal data in a new way.
It is important to note that this new definition of consent also applies retroactively to the personal data of European residents collected before May 28th, 2018.
If you have already received consent for the use of this data, you do not need to ask for it again. On the other hand, if your current lists are not up to GDPR standards, you must obtain consent again via an explicit opt-in form.
More transparency, new requirements for risk control…
This page is mostly concerned with summarizing the implications of your email marketing and marketing automation practices, but the GDPR also includes numerous other requirements: record keeping, nominating a Data Protection Officer, implementing a management risk process, etc.
Depending on your business and the nature of the personal data you process, the implications of the GDPR can be extremely far-reaching.
To better understand the requirements and legal ramifications for your organization, we recommend you consult a legal advisor specializing in personal data regulations.
What measures has SendinBlue put in place to ensure GDPR compliance?
Leading up to the implementation of the GDPR on 25 May 2018, SendinBlue took many necessary steps in order to ensure users’ rights in accordance with the new laws.
As a SendinBlue customer, the GDPR gives you new protection rights and assures better access to your personal data.
Right to rectification: Rectify your personal information at any time from your account settings. You can also contact us directly to edit or rectify your information.
Right to portability: Upon request, we will export your data so that it can be transferred to a third party or competitor.
Right of opposition: you can at any time unsubscribe from any specific uses we make of your information (newsletter, emails, etc.).
How can SendinBlue help you answer requests related to your customers’ data?
The GDPR provides new rights for your users and customers as well. Thanks to the measures that SendinBlue has taken to be compliant with the new regulations, you will be able to answer any requests from users who are looking to exercise their new rights regarding their personal data stored in your database.
Right to rectification: You can rectify your contacts’ information at any time. You can also contact us directly to ask us to rectify or delete your data.
Right to be forgotten: If one of your contacts wishes to exercise their right to be forgotten, you can simply delete them from your lists in SendinBlue. This will also erase all their personal data. If one of your contacts sends a valid request directly to us, we will inform you and remove their personal data from your account, as well as from any other SendinBlue accounts who have personal data on this contact, when applicable.
Right to portability: You can already export your contacts information as a csv file.
How to make sure you are in compliance with the GDPR?
Learn how to rectify and delete your contacts’ information
Update your subscription forms
We recommend that you study and update the wording of your subscription forms so that they are as explicit as possible regarding how requested information will be used. Include affirmative language that clearly states the user agrees to the stated terms.
We also recommend using a different opt-in for each of the different ways you plan to use personal data from users. For example, you should use two separate opt-in forms when gathering subscribers for a newsletter and subscribers to receive automated emails triggered by specific user actions (i.e. marketing automation).
Delete the contacts and lists you no longer need
One of the main objectives of the GDPR is to minimize the risks of data breaches or leaks and prevent the misuse of European residents’ personal data.
This is why it is better to delete all of your contacts who are inactive or those who have unsubscribed to your communications already. If you are not using this information, then it is more advisable to discard it.
Consult with your legal counsel
The information on this page is designed to help prepare SendinBlue users for the GDPR in the context of our services and should not be taken as legal advice. Additionally, there may be parts of the legislation that affect other aspects of your business as well.
We recommend you seek qualified legal counsel to determine what compliance measures you need to carry out to be fully compliant with the GDPR.
Recommended reading from our blog for more information about the GDPR:
How does the GDPR affect your email marketing?
Interview with GDPR Expert Thiébaut Devergranne on GDPR Compliance
[Infographic] How to adapt your email marketing in accordance with the GDPR
GDPR Checklist: Get ready for May 25th!