Agencies managing client email marketing under GDPR act as data processors while the client is the data controller. Compliance requires a signed Data Processing Agreement (DPA), a lawful basis for sending (usually consent or legitimate interest), documented opt-in records, secure data handling, and clear sub-processor disclosure. Both parties share liability, so contracts must define responsibilities precisely.
Who is the controller and who is the processor?
Under GDPR Article 4, the controller decides why and how personal data is processed. The processor acts on the controller's instructions. When an agency runs email campaigns on behalf of a client, the client owns the relationship with the contacts and sets the purpose, so the client is the controller. The agency processes that data and is the processor.
This distinction matters because Article 28 requires a binding contract between controller and processor. Most teams get this wrong by assuming the agency carries no liability. It does. Article 82 lets data subjects claim damages from either party, and regulators can fine processors directly.
What if the agency builds its own lists?
If the agency collects contacts, sets sending logic, and decides targeting without client instruction, it may become a joint controller under Article 26. Joint controllers need an arrangement document defining who handles consent, access requests, and breach notifications. Get legal review here before assuming you're just a processor.

Sign a Data Processing Agreement (DPA)
The DPA is non-negotiable. Article 28(3) lists exactly what it must cover:
- Subject matter, duration, and purpose of processing
- Types of personal data and categories of data subjects
- A commitment that the processor acts only on documented instructions
- Confidentiality obligations for staff
- Security measures (Article 32)
- Sub-processor rules and authorization
- Assistance with data subject requests and breach reporting
- Deletion or return of data at contract end
- Audit rights for the controller
Most email platforms publish their own DPAs. Mailchimp's data processing addendum and similar documents from SendGrid or HubSpot cover the platform as a sub-processor. The agency still needs its own DPA with the client on top of these.
Establish a lawful basis for every send
No email goes out without a lawful basis under Article 6. For B2C marketing in the EU, that almost always means consent that meets the GDPR standard: freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count.
Consent vs. legitimate interest
B2B email sometimes relies on legitimate interest (Article 6(1)(f)), but you must run and document a Legitimate Interest Assessment (LIA). The ePrivacy Directive and national laws like Germany's UWG often still require consent for marketing emails regardless of GDPR's lawful basis, so check the destination country.
Keep records that prove consent: timestamp, source form, IP address, and the exact wording the contact agreed to. If the client hands over a list, ask for that proof before the first campaign. No proof, no send.
Handle data subject rights
Contacts can request access, erasure, or objection at any time. The agency must build workflows to act fast since GDPR gives controllers one month to respond. Practical steps:
- Honor every unsubscribe immediately and suppress permanently
- Forward access and erasure requests to the client controller
- Maintain a suppression list that syncs across all campaigns
- Document each request and the action taken
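The "no proof, no send" rule above and the shared suppression list can be enforced in code before a list ever reaches a sending platform. The following is an added example, not code from the original article or any email platform; the record fields (`timestamp`, `source_form`, `ip_address`, `consent_text`) and the function names are assumptions chosen to mirror the proof the article says to keep.

```python
# Added example, not code from the original article: a "no proof, no send" gate.
# A contact is released only if its consent record carries the four fields the
# article names and it is not suppressed. Field names are assumptions.
from datetime import datetime

REQUIRED_PROOF = ("timestamp", "source_form", "ip_address", "consent_text")

def normalize(email):
    """Suppression must survive case and whitespace differences."""
    return email.strip().lower()

def missing_proof(consent):
    """Return the required proof fields that are absent or unusable."""
    if not consent:
        return list(REQUIRED_PROOF)
    missing = [f for f in REQUIRED_PROOF if not consent.get(f)]
    if "timestamp" not in missing:
        try:
            datetime.fromisoformat(consent["timestamp"])
        except ValueError:
            missing.append("timestamp")  # an unparseable date is not proof
    return missing

def record_unsubscribe(suppression, email):
    """Honor an unsubscribe at once; one shared set serves every campaign."""
    suppression.add(normalize(email))

def gate_send(contacts, suppression):
    """Split contacts into (sendable emails, {email: reason it was held})."""
    sendable, held = [], {}
    for contact in contacts:
        email = normalize(contact["email"])
        if email in suppression:
            held[email] = "suppressed"
        elif gaps := missing_proof(contact.get("consent")):
            held[email] = "missing proof: " + ", ".join(gaps)
        else:
            sendable.append(email)
    return sendable, held

# Constructed sample: complete record, blank IP, no record, unusable timestamp.
FULL = {"timestamp": "2024-03-01T10:15:00+00:00", "source_form": "webinar-signup",
        "ip_address": "203.0.113.7", "consent_text": "Yes, email me product news."}
SAMPLE_CONTACTS = [
    {"email": "Ana@example.com", "consent": FULL},
    {"email": "bo@example.com", "consent": {**FULL, "ip_address": ""}},
    {"email": "cy@example.com"},
    {"email": "di@example.com", "consent": {**FULL, "timestamp": "last spring"}},
]
```

Running `gate_send(SAMPLE_CONTACTS, set())` releases only the complete record and reports why each of the other three was held, which is the documentation trail the last step above calls for.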
