Comply With GDPR and Other Privacy Regulations

GDPR, UK GDPR, and Swiss FADP Compliance

Direct Mail is compliant with the General Data Protection Regulation (GDPR), UK GDPR, and Swiss Federal Act on Data Protection (FADP), along with related privacy laws and regulations. This document provides an overview of Direct Mail’s compliance with these regulations and answers common questions for our users. It is not a comprehensive guide to the law but serves as a resource for understanding how Direct Mail supports compliance.

Who do the GDPR, UK GDPR, and Swiss FADP apply to?

The GDPR applies to organizations located in the European Union (EU) and to any organization worldwide that processes personal data of EU residents. The UK GDPR applies similarly for UK residents, and the Swiss FADP applies for Swiss residents. This means businesses in and outside the EU, UK, or Switzerland must comply if they handle personal data from these regions. Since “personal data” includes email addresses, Direct Mail customers should familiarize themselves with these laws.

What is “personal data”?

The GDPR, UK GDPR, and Swiss FADP define personal data broadly as any information that can identify a natural person, such as names, email addresses, or location data. This applies to data in your Direct Mail mailing lists or campaign reports.

What does it mean to “process” personal data?

Processing personal data includes any operation involving the collection, storage, use, or deletion of personal data. Direct Mail customers who collect names, email addresses, or other personal data of EU, UK, or Swiss residents on their mailing lists are considered to be processing personal data under these regulations.

What is the difference between “controller” and “processor”?

The GDPR, UK GDPR, and Swiss FADP distinguish between two roles:

  • Controller: The person, agency, or organization that determines the purposes and means of processing personal data, deciding what data is collected and how it is processed. As a Direct Mail user, you are the controller of the personal data in your mailing lists and campaign reports, as you decide what data to collect and how to use it (e.g., sending marketing emails).
  • Processor: The person, agency, or organization that processes personal data on behalf of the controller. e3 Software, the makers of Direct Mail, is the processor of the personal data in your mailing lists and campaign reports. We process data at your direction, such as importing mailing lists, managing signup forms, or sending email campaigns.

What do these laws require of me?

The GDPR, UK GDPR, and Swiss FADP impose several requirements for email marketing. Below are the most relevant ones for Direct Mail users, along with how Direct Mail helps you, as the controller, meet these obligations.

Requirement: Have a lawful basis for processing personal data

Processing personal data is lawful only if at least one of the following applies:

  1. The data subject has given explicit consent (see below for consent requirements).
  2. Processing is necessary for the performance of a contract with the data subject or to take steps at the data subject’s request before entering a contract.
  3. Processing is necessary to comply with a legal obligation of the controller.

See Article 6 of the GDPR for the full list of lawful bases, which also apply under the UK GDPR and Swiss FADP with minor variations.

Requirement: Respect individual data subject rights

Individuals have the following rights, which you, as the controller, must honor:

  1. Right to be forgotten: Individuals can request the deletion of their personal data without undue delay. Direct Mail supports this by allowing you to permanently remove all personal data for a contact.
  2. Right to object: Individuals can object to or withdraw consent for processing their personal data at any time. Contacts can unsubscribe via the unsubscribe link in your email campaigns. You can also mark contacts as “Unsubscribed” in the Direct Mail inspector. Per our privacy policy, individuals may contact e3 Software to request deletion of data we hold on your behalf.
  3. Right to restriction: Individuals can restrict the processing of their personal data. Direct Mail does not use your contacts’ personal data for data science, marketing, or other purposes beyond your instructions. You control the data and should honor restriction requests from subscribers.
  4. Right to rectification: Individuals can request correction of inaccurate personal data. You can update contact information in the Direct Mail inspector. Individuals may also contact e3 Software per our privacy policy to rectify data we hold on your behalf.
  5. Right of access: Individuals can request information about what personal data is processed and for what purpose. You should disclose the purpose of data collection (e.g., marketing emails) when obtaining consent. You can create a personal data report for any contact. Individuals may contact e3 Software per our privacy policy to access data we hold on your behalf.
  6. Right to data portability: Individuals can obtain their personal data in a transferable format. You can create a personal data report for any contact. Individuals may contact e3 Software per our privacy policy to obtain data we hold on your behalf.

For many Direct Mail users, consent is the primary lawful basis for processing personal data (e.g., obtaining permission to send marketing emails). The GDPR, UK GDPR, and Swiss FADP impose strict consent requirements:

  1. Consent must be specific to the purpose of processing (e.g., receiving marketing emails). You cannot use personal data for purposes beyond what the individual agreed to.
  2. Consent must be explicit and affirmative (e.g., an unchecked “join my mailing list” box that the individual actively checks). Silence, pre-checked boxes, or inactivity do not constitute consent.

Direct Mail’s email signup forms help you obtain lawful consent. When subscribers join your mailing list via these forms, Direct Mail automatically records proof of consent (date, time, email address, and IP address). Ensure your signup form clearly explains the intended use of the data (e.g., “Join our newsletter for product updates and promotions”).

You should maintain records of how and when consent was obtained for each contact on your list.

Can I use Direct Mail if I am located in the EU, UK, or Switzerland?

Yes, you can lawfully use Direct Mail from EU member states, the UK, or Switzerland.

The GDPR, UK GDPR, and Swiss FADP do not require that personal data (e.g., email addresses in mailing lists) be stored only in the EU, UK, or Switzerland, nor do they mandate that controllers or processors be located in these regions. Instead, they require adequate safeguards for cross-border data transfers. e3 Software, the publishers of Direct Mail, is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, which the European Commission, UK, and Swiss authorities recognize as providing adequate privacy protections for data transfers from the EU, UK, and Switzerland to the United States. You can rely on our DPF certification as a legal basis for using Direct Mail to process personal data.

For additional safeguards, e3 Software offers a Data Processing Addendum (DPA) for customers processing personal data subject to the GDPR, UK GDPR, or Swiss FADP. The DPA outlines our obligations as a processor and ensures compliance with these regulations.

How does e3 Software handle complaints under the DPF?

e3 Software complies with the DPF Principles for handling personal data from the EU, UK, and Switzerland. If you have a privacy-related complaint, contact our support team via our support page or U.S. mail (see our privacy policy). We will respond within 45 days. Unresolved complaints can be escalated to JAMS, our independent dispute resolution provider, at no cost to you. For human resources data complaints, we cooperate with EU data protection authorities, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner, as applicable. As a last resort, you may seek binding arbitration through the DPF Panel (see DPF Annex I).

Additional Resources

Contact our support team with any questions via our support page. You may also find these resources helpful:
