GDPR Emailing - But what is GDPR really?

The acronym GDPR stands for "General Data Protection Regulation". It's a European regulation that strengthens and harmonizes the processing of personal data within all EU member states. To do GDPR mailing, you need to comply with the General Data Protection Regulation.

Under French law, the GDPR has amended the "Loi informatique et libertés" adopted in 1978, which was the origin of the creation of the Commission Nationale Informatique et Libertés (CNIL, the National Commission for Information Technology and Civil Liberties).

It harmonizes the rules in Europe by providing a single legal framework for professionals. It enables them to develop their digital activities within the EU on the basis of user confidence.

What it takes to launch a GDPR email campaign

GDPR emailing: To launch a GDPR emailing campaign, it's important to note that the rules are different for B2B and B2C. So it's going to depend on the type of commercial prospecting you're going to launch. This article explains these differences in detail.

GDPR emailing: use in B2B

No need for prior consent in B2B

What is prior consent? Prior consent is a person's authorization allowing a commercial prospecting message to be sent to them. It is also one of the main principles of the GDPR. The rules of this prior consent are different in B2B (Business to Business) and B2C (Business to Consumer).

Contrary to popular belief, prior consent is not required for B2B. Yet this belief is widespread, even within the DPO community. This is due in part to erroneous articles on the subject, or to the fact that Opt in is "preferable". It is possible to carry out B2B commercial prospecting without authorization. There is no Opt in, but there are a few rules to observe to comply with the GDPR: informing people, stating the source of personal data, and allowing them to unsubscribe.

GDPR Mailing: You need to inform your B2B prospects!

When you use someone's B2B email address to do GDPR mailing, you need to inform them. What does this mean in concrete terms? You need to inform prospects about the use and processing of their personal data. This is especially important if you've obtained your prospect's e-mail address indirectly via tools like DropContact.

Below is an example of how to inform your B2B prospects:

 "This email and all attachments are confidential and protected by professional secrecy. If you receive this message by mistake, please destroy it and notify the sender immediately.

Any reproduction, disclosure or use, even partial, of its content is strictly prohibited. We have obtained your contact details i) directly from you, ii) via public information (e.g. trade fair and website), iii) via social networks (e.g. LinkedIn) or iv) via tools authorized by the CNIL (National Commission for Information Technology and Civil Liberties) (e.g. Drop contact), in accordance with the provisions of article L34-5 of the CPCE and the directives of the CNIL (National Commission for Information Technology and Civil Liberties).

If you no longer wish to receive information on our latest offers and promotions, please send a "stop" e-mail to contact@dipeeo.com. You can also request access to your data and stop the processing of personal data for commercial prospecting purposes at the same address. For more information on how your data is collected, please consult our privacy policy. " 

You must inform the source of your prospects' personal data

The GDPR requires that you inform people about the source of the data if you do commercial prospecting. You can prospect directly or indirectly.

If you carry out direct commercial prospecting, as is often the case in B2B, i.e. if you have collected the prospect's prior consent yourself, you don't need to state the source of the commercial prospecting data.

On the other hand, if you carry out commercial prospecting indirectly, i.e. you have obtained a prospect's data indirectly (e-mail generation tool, database purchase, a database provided to you, etc.), you are obliged to state the sources of the commercial prospecting data, and you must do so in each prospecting message.

GDPR Emailing: Setting up an unsubscribe facility in B2B

To use an e-mail to launch a sales prospecting campaign, you need to allow your prospects to unsubscribe. There are several ways to unsubscribe when you receive a commercial prospecting email: unsubscribe button, send "STOP" to a specific mailbox to stop receiving messages.

When a prospect requests to unsubscribe or opt out, you need to delete all their personal data and keep only the information that will enable you to keep track of the unsubscribe. This is proof that you have processed the request correctly. It also means you don't have to contact this person again.

Data retention period: How long can you keep an email in B2B?

Data retention periods are one of the main principles of the GDPR. They must therefore be respected in order to comply with the GDPR. For this reason, you need to know the rules governing how long personal data may be retained.

Personal data can only be kept for a limited period, which is set either by law (e.g. laws, decrees, regulations) or directly by the French supervisory authority, the CNIL (National Commission for Information Technology and Civil Liberties), via recommendations, simplified standards, etc.

In B2B, there are no data retention limits. So you can use an e-mail address, except for those who have requested an opt-out. Similarly, there are many different interpretations on the subject. You can read that the data retention period is three years. However, since B2B e-mail addresses can be used freely and without prior consent, this period lapses and can be renewed.

GDPR emailing: Is it possible to send an email to anyone?

To send a GDPR business prospecting mailing, you need to make sure you're addressing someone who has a connection with your business. This means you can only send a prospecting message to potential clients. It's important to target your commercial prospecting campaigns well in order to get positive responses and comply with the GDPR.

Use a generic e-mail address for commercial prospecting

Generic e-mail addresses do not contain any personal information, as there is no information that can be used to identify an individual. Addresses such as info@societe.fr, contact@societe.fr or commande@societe.fr are not personal data. 

The GDPR will only apply to personal data. You can therefore use generic email addresses for commercial prospecting. However, if you receive an unsubscribe request via a generic email address, you must respect the request.

Use a generic e-mail address in B2B public spaces

When an email address is available on a public space (public websites, social networks like LinkedIn or Facebook, GDPR tools like Drop contact), it's perfectly possible to use this email address. 

The fact that this address is available in a public space makes it accessible. So, of course, the address is still personal data, but it's public. Every user can have it. You therefore have the right to use it for commercial prospecting purposes.

Buy or rent a B2B e-mail address

In B2B, you have the right to buy, lend or sell a prospect database. A lot of people think it's forbidden to buy or sell an e-mail address for commercial prospecting and GDPR mailing. But this is a false belief.

Legally, there's no such thing as prior consent or Opt-in in B2B, which means you have the right to prospect as long as the database has been legally constituted. However, prospects must be informed of the source of personal data collection in every e-mail.

GDPR Emailing: B2C email use

The obligation of prior consent in B2C

What is prior consent? Prior consent is a person's authorization allowing a commercial prospecting message to be sent to them. It is also one of the main principles of the GDPR. The rules of this prior consent are different in B2B (Business to Business) and B2C (Business to Consumer).

Contrary to popular belief, prior consent is not required for B2B. Yet this belief is widespread, even within the DPO community. This is due not least to erroneous articles on the subject, or those that mention that Opt in is "preferable".

It is possible to carry out B2B commercial prospecting without authorization. There is therefore no Opt in, but there are some rules to respect to comply with the GDPR: informing people, stating the source of personal data, and allowing them to unsubscribe.

You need to inform your B2C prospects!

Whether you're in B2B or B2C, you need to keep your prospects informed. As we saw earlier, you need to inform prospects about the use and processing of their personal data. It's important to mention why the prospect is receiving your commercial prospecting e-mail.

Below is an example of how to inform your B2C prospects:

"You are receiving this offer because you have agreed, in store or online, to receive personalized information from "company A" by email. "Company A" is responsible for this processing. You may, at any time, choose to be permanently removed from our mailing lists.

Contact us at contact@sociétéA.com to exercise your right of access, rectification, portability, erasure, restriction of processing and opposition to the processing of your personal data. For more information on how your data is collected, you can consult our privacy policy. "

You must inform prospects of the source of B2C personal data

To properly launch your sales prospecting email campaign and do GDPR mailing, it's necessary to mention the source of personal data in B2C. It's easier to do this in B2C because if you send an e-mail, it means that your prospect has ticked a box beforehand that authorizes you to send them this message.

You need to keep a record of this agreement. You must have proof that a prospect has ticked a box stating that they authorize you to send them commercial offers. A prospect may ask you for this proof, or the CNIL (National Commission for Information Technology and Civil Liberties) may request it in the event of an audit. So you need to be able to justify your prospecting message.

Setting up a B2C unsubscribe right

To use an e-mail to launch a sales prospecting campaign, you need to allow your prospects to unsubscribe. There are several ways to unsubscribe when you receive a commercial prospecting email: unsubscribe button, asking prospects to send "STOP" to a specific box to stop receiving messages.

When a prospect asks you to unsubscribe or opt out, you need to delete all the prospect's personal data and keep only the information that will enable you to keep track of the unsubscribe. This is proof that you have processed the request correctly. It also means you don't have to contact this person again.

Data retention period for B2C e-mail addresses

The Data retention period for B2C personal data is 3 years from the last contact. After this period, you no longer have authorization to use the prospect's e-mail address.

Each time you contact a person by e-mail, this period resets to zero and you can contact them for 3 years.

For people whose Data retention period has expired, you can send an e-mail to the prospects concerned to ask them whether they agree to their data still being used and processed. If so, you can use their e-mail addresses.

See our article on data retention periods for human resources, marketing, sales prospecting, accounting, etc. (Table of data retention periods for personal data)

Use an e-mail address available on the public B2C space

Unlike B2B, you're not allowed to collect e-mail addresses from public sites, social networks or authorized tools. You must have a prospect's consent to use his or her e-mail address to send him or her a commercial prospecting e-mail.

Buying or selling a B2C e-mail address

It's possible to buy a B2C prospect database, but there's one condition: you have to be careful about who sells you the prospect database.

In B2C, you can't prospect without prior consent (Opt-in). This means that if someone has sent you a database, you are not allowed to prospect the people in that database. After all, these people don't know you. BUT there is an exception!

If these people have given their consent by means of a checkbox authorizing them to send their personal information to partners or third parties, there's no problem. The person who sold you the database must therefore have obtained the prior consent of all the prospects contained in this database, and must be able to prove it.

The seller must also commit to the GDPR and demonstrate that its data sources are GDPR compliant. When you acquire a database, you need to make sure that whoever sold you the database is GDPR compliant and that the database source is GDPR compliant.

Database loans and B2C partnerships

In B2C, it's possible to lend a prospect database in the same way as a sale. To do so, you need to obtain the prospect's prior consent. However, beware of ethics: in B2C, people no longer accept receiving a prospecting message or email without their consent; they don't understand it and are unhappy about it.

On the other hand, in B2C, you have the right to hold a joint communication or event such as a webinar.

Assert the rights of your B2B and B2C prospects

All users have specific rights that they can use at any time and free of charge to control the use of their personal data. These rights are granted by applicable data protection regulations.

Here are the rights a person has when you do GDPR mailing:

Right to access and copy personal data:

Each user has the right to request information on all processing of his or her personal data, provided that this request does not conflict with business secrecy, confidentiality or the secrecy of correspondence.

According to the CNIL (National Commission for Information Technology and Civil Liberties), here are all the elements that must be provided to a user when requesting access rights

Right to rectify personal data:

All users have the right to rectify, add to, update, lock or delete any personal data that may be incorrect, obsolete or incomplete.

Right to object to processing:

Right to object to the processing of personal data for commercial prospecting purposes: Each user has the right to unsubscribe from a commercial prospecting campaign (Opt-out).

Right to request erasure:

The right to request the deletion ("Right to be forgotten") of personal data that is not essential to the proper functioning of a structure's services.

Right to the limitation of personal data:

The right to limit personal data, which allows the use of data to be frozen in the event of a dispute over the legitimacy of processing.

Right to data portability:

The right to data portability, which makes it possible to recover part of your personal data so that it can be easily stored or transmitted from one information system to another.

Right to give instructions on the fate of data:

Right to give instructions on the fate of data in the event of death, either through an intermediary, a trusted third party or a beneficiary.

To enable users to assert their rights, we need to set up an e-mail address, for example, to which they can send their requests.       

GDPR Mailing: You must use GDPR tools

A GDPR email campaign requires GDPR tools. Controlling your technical providers is one of the main principles of the GDPR. You must ensure that your service providers are GDPR compliant. It's your accountability!

A technical service provider is a person, structure or tool that processes data on your behalf. Controlling your service providers will greatly reduce the risk of a data breach.

Here's a list of GDPR tools to launch your first email campaign:

Tips to find out if a tool is GDPR compliant? ✨

If you have a remote-working tool that doesn't have a data protection officer (DPO), that means it's most likely not GDPR compliant.

The CNIL (National Commission for Information Technology and Civil Liberties) has put a list of DPOs online. You can therefore go and check on this file whether the tool has a DPO. If the tool's DPO isn't on this list, you may want to question the tool's GDPR compliance.