Privacy

Email marketing, GDPR and how Xendy complies

Introduction

The general data protection regulation (gdpr) has reshaped how businesses handle personal data. For email marketers, it emphasizes transparency, data security, and respecting user rights. These regulations are vital for maintaining trust and avoiding hefty penalties.

At Xendy, gdpr compliance is a core focus. We implement robust security measures, adhere to strict data processing standards, and provide tools to help users fulfill their gdpr obligations. However, compliance is a shared responsibility. While Xendy acts as the processor, users are the controllers of the personal data they upload, making it essential for both parties to adhere to gdpr principles.

In this article, we’ll explore how Xendy ensures gdpr compliance, the steps users need to take, and the resources available to simplify the process.

Understanding gdpr and your role

To fully comply with gdpr regulations, it’s crucial to understand the roles and responsibilities involved in processing personal data. In the context of Xendy, both you, the user, and Xendy, the platform, play distinct yet complementary roles in ensuring data protection and privacy.

What are the key roles?

  1. Controller (You):

    • As the controller, you collect and manage personal data from your customers or contacts.
    • You determine the purpose and means of processing this data, such as sending newsletters, promotions, or other communications.
    • It’s your responsibility to ensure data is collected lawfully and processed transparently.

  2. Processor (Xendy):

    • Xendy acts as the processor, meaning we handle data on your behalf.
    • Our role is limited to executing the tasks you instruct, such as storing contact information, sending emails, and processing analytics.
    • We follow strict security protocols and comply with gdpr standards to protect the data you entrust to us.

Key principles of gdpr relevant to email marketing

  1. Lawfulness, fairness, and transparency:

    • Data must be collected with proper legal consent and used in a way that is clear and fair to the individual.

  2. Purpose limitation:

    • Personal data should only be used for the specific purpose it was collected for.

  3. Data minimization:

    • Collect only the data you truly need for your email campaigns to minimize risks.

  4. Accuracy:

    • Ensure the data you upload is accurate and up to date.

  5. Storage limitation:

    • Retain data only for as long as necessary for the purpose it was collected.

  6. Integrity and confidentiality:

    • Personal data must be protected against unauthorized access, accidental loss, or destruction.

The importance of compliance

Complying with gdpr isn’t just a legal requirement; it also:

  • Builds trust with your customers.
  • Protects your brand reputation.
  • Reduces the risk of fines or penalties, which can amount to 4% of global annual turnover or €20 million, whichever is higher.

By understanding these roles and principles, you can create a foundation for gdpr compliance. In the next section, we’ll detail how Xendy ensures gdpr compliance through security measures, agreements, and tools.

How Xendy ensures gdpr compliance

Xendy is committed to helping you meet gdpr requirements by implementing robust measures to protect personal data. From technical safeguards to legal agreements, Xendy ensures compliance at every level, giving you peace of mind when managing your email marketing campaigns.

a. Data processing agreement (dpa)

To comply with gdpr, Xendy provides a data processing agreement (dpa) that outlines:

  • Purpose of processing: Xendy processes data only to execute the tasks you define, such as email campaigns or analytics.
  • Data retention: Personal data is stored only as long as necessary or required by law.
  • Customer rights: You retain full control of the data and can request access, deletion, or changes at any time.
  • Data protection measures: Details the technical and organizational measures Xendy employs to safeguard data.

The data processing agreement (dpa) is readily available for review and signing through your Xendy account.

b. Security measures

Xendy employs advanced security measures to ensure the integrity and confidentiality of your data:

  • Encryption: All data is encrypted during transmission and storage to prevent unauthorized access.
  • iso-27001 compliance: Xendy adheres to international standards for information security.
  • Daily backups: Regular backups ensure data can be restored in the event of accidental loss.
  • Access controls: Restricted access to data, ensuring only authorized personnel can handle sensitive information.

c. Data retention policies

Xendy maintains clear data retention policies to comply with gdpr principles:

  • Active campaigns: Data is retained for the duration of its use in active campaigns.
  • Account termination: Upon account closure, all data is deleted within 90 days unless otherwise required by law.

This ensures no unnecessary data is stored, reducing risks and maintaining compliance.

d. Sub-processors and international data transfers

Xendy works with trusted sub-processors, such as cloud hosting providers, to deliver its services. Key points include:

  • Transparency: A list of sub-processors is provided to users for full visibility.
  • gdpr compliance: All sub-processors are contractually bound to comply with gdpr.
  • International transfers: When data is transferred outside the eu, Xendy ensures compliance with standard contractual clauses (sccs) to maintain data protection standards.

e. Incident response and breach notification

Xendy has a dedicated process for identifying and responding to data breaches:

  • Detection: Continuous monitoring ensures any potential breaches are identified quickly.
  • Notification: Users are notified within 24 hours of a breach, along with guidance for notifying authorities or affected individuals.
  • Resolution: Immediate action is taken to secure systems and prevent recurrence.

How these measures benefit you

By using Xendy, you benefit from a secure platform that actively prioritizes data protection. These measures not only ensure compliance but also build trust with your customers, reassuring them that their data is safe.

In the next section, we’ll explore the principles of privacy by design and default and how Xendy incorporates these into its platform.

Privacy by design and default

The principles of privacy by design and default are central to gdpr compliance. These principles ensure that data protection is considered at every stage of product development and that default settings prioritize user privacy. Xendy integrates these principles into its platform to provide a secure and compliant experience.

What is privacy by design?

privacy by design ensures that data protection measures are embedded into the development and operation of systems from the very beginning. This proactive approach minimizes risks and enhances data security.

How Xendy implements privacy by design:

  • Built-in security measures: Encryption, access controls, and regular updates are part of Xendy’s core infrastructure.
  • Minimized data collection: Xendy only collects data necessary for email marketing purposes.
  • Continuous improvement: Xendy updates its platform to stay aligned with evolving data protection standards.

What is privacy by default?

privacy by default means that systems are configured to protect data with the highest privacy settings as the default. Users don’t need to take additional steps to secure their information.

How Xendy implements privacy by default:

  • Default opt-in for data collection: Only data explicitly provided by users is processed.
  • Secure default settings: Features like domain authentication and encrypted connections are enabled by default.
  • Clear consent management: Tools for managing opt-ins and consent are straightforward and compliant.

Examples in action

  1. Opt-in marketing:

    • Contacts must provide explicit consent before being added to mailing lists.
    • Double opt-in functionality ensures valid consent, reducing the risk of gdpr violations.

  2. Data access and control:

    • Customers can easily access, update, or delete their data through user-friendly tools in the Xendy platform.

  3. Automated compliance checks:

    • Xendy flags any data or configurations that may not meet gdpr standards, prompting users to take corrective action.

Benefits of privacy by design and default in Xendy

  • Enhanced security: Proactive measures reduce the risk of data breaches.
  • Ease of compliance: Built-in tools simplify meeting gdpr requirements.
  • User trust: Prioritizing privacy builds credibility with your contacts and customers.

By embedding these principles into its platform, Xendy ensures that privacy and data protection are always a priority. In the next section, we’ll discuss user responsibilities under gdpr and how you can align your practices with these regulations.

User responsibilities under gdpr

While Xendy provides a secure and gdpr-compliant platform, users have an important role to play as data controllers. Understanding and fulfilling your responsibilities ensures compliance with gdpr and protects the trust of your contacts.

a. Gaining consent

Consent is a cornerstone of gdpr compliance, especially for email marketing.

  • Collect explicit consent:
    • Use clear, specific language when asking for permission to email your contacts.
    • Example: “Sign up for our newsletter to receive updates and promotions.”
  • Double opt-in:
    • Enable double opt-in to verify that recipients genuinely want to subscribe.
    • This reduces the risk of complaints and ensures a clean email list.

b. Managing data rights

gdpr grants individuals specific rights regarding their personal data. As a controller, you must facilitate these rights.

  • Right to access:
    • Provide contacts with a copy of their data upon request.
    • Xendy allows you to export data in machine-readable formats.
  • Right to rectification:
    • Update or correct inaccuracies in contact data when requested.
  • Right to erasure (right to be forgotten):
    • Remove personal data from your database upon request, unless legal grounds exist to retain it.
  • Right to restrict processing:
    • Temporarily pause data processing activities when requested.

c. Avoiding unauthorized data use

  • Upload contacts with consent only:
    • Ensure that every contact in your database has given explicit permission to receive your emails.
  • Regularly clean your contact list:
    • Remove inactive, bounced, or unsubscribed contacts to maintain a healthy list.
  • Avoid purchased lists:
    • Sending emails to purchased lists violates gdpr and can harm your sender reputation.

d. Securely managing personal data

  • Use Xendy’s encryption:
    • All data is encrypted during transmission and storage, providing a secure foundation for your campaigns.
  • Limit data access:
    • Restrict access to sensitive data to only those team members who need it for legitimate purposes.

e. Maintaining a record of processing activities (ropa)

As a controller, you should document:

  • The data you collect and process.
  • The purpose of processing activities.
  • Any third parties involved in data processing.

f. Managing unsubscribe requests

  • Make it easy to opt-out:
    • Include an unsubscribe link in every email campaign.
    • Use Xendy’s automated tools to immediately remove unsubscribed contacts from future campaigns.
  • Respect opt-outs:
    • Once a contact unsubscribes, do not send them further marketing emails.

How Xendy supports your responsibilities

  • Xendy provides tools for consent management, data export, and deletion to help you fulfill gdpr requests.
  • Automated compliance checks flag potential issues, ensuring your practices align with gdpr standards.

By taking these responsibilities seriously, you can maintain compliance while building trust and engagement with your audience. In the next section, we’ll explore how Xendy supports gdpr requests, helping you navigate specific scenarios with ease.

How Xendy supports gdpr requests

Xendy offers powerful tools and features to help you comply with gdpr requirements when your contacts exercise their data rights. These capabilities streamline the process of responding to requests and maintaining compliance while reducing manual effort.

a. Data access and portability

Xendy makes it easy to provide contacts with a copy of their personal data.

  • Exporting data:
    • Use the “export” feature in Xendy to download all data associated with a contact.
    • The export is provided in a machine-readable format, such as csv, to meet gdpr portability requirements.
  • Use cases:
    • When a contact requests to see what data you hold about them.
    • When a contact wishes to transfer their data to another service provider.

b. Data deletion (right to be forgotten)

gdpr grants individuals the right to have their data erased under certain circumstances.

  • How to delete data in Xendy:
    • Navigate to the contact profile in Xendy.
    • Select the option to permanently delete the contact’s data.
  • What happens next:
    • The data is removed from your active database and backups in accordance with Xendy’s retention policies.
    • You’ll receive a confirmation of the deletion for your records.

c. Data rectification

Ensure that your contact data is accurate and up to date.

  • Edit contact data:
    • Access the contact profile in Xendy to update or correct any fields, such as name, email address, or preferences.
  • Real-time updates:
    • Changes are immediately reflected in your campaigns and automations, ensuring the accuracy of future communications.

d. Managing processing restrictions

Sometimes, a contact may request that their data only be stored and not actively used in campaigns.

  • How Xendy helps:
    • Mark contacts as “inactive” to pause all processing activities without permanently deleting their data.
    • Reactivate the contact later if the restriction is lifted.

e. Handling unsubscribe requests

Xendy automates the process of managing opt-out requests to ensure compliance with gdpr:

  • One-click unsubscribe:
    • Every email includes a clear and visible unsubscribe link.
  • Immediate action:
    • Once a recipient unsubscribes, Xendy marks them as inactive and ensures no further emails are sent.

f. Breach notifications

In the rare event of a data breach:

  • Xendy will notify you within 24 hours with details about the incident.
  • Guidance will be provided on how to communicate with affected individuals or regulatory authorities.

User-friendly dashboard for gdpr management

Xendy’s dashboard provides an intuitive interface for handling gdpr-related tasks:

  • Search contacts: Quickly locate specific individuals based on email or other data fields.
  • Audit logs: Track all actions related to data access, deletion, and updates for compliance records.

By leveraging Xendy’s gdpr tools, you can efficiently respond to data requests while ensuring compliance. In the next section, we’ll look at common gdpr scenarios and how to handle them effectively using Xendy.

Common gdpr scenarios and how to handle them

Managing gdpr requests is a routine part of responsible email marketing. Here are some common scenarios you might encounter and how Xendy can help you handle them efficiently and compliantly.

Scenario 1: A contact requests to access their data

What the gdpr says:
Contacts have the right to know what personal data you hold about them.

How to handle it in Xendy:

  1. Use the search feature to locate the contact in Xendy.
  2. Select the export option to download their data in a machine-readable format (e.g., csv).
  3. Provide the data to the contact within the legally required timeframe (typically one month).

Scenario 2: A contact requests to delete their data

What the gdpr says:
Contacts can request their data to be erased under certain conditions.

How to handle it in Xendy:

  1. Locate the contact’s profile in the “all contacts” section.
  2. Choose the delete option to permanently remove their data.
  3. Ensure the data is erased from both active databases and backups according to Xendy’s retention policy.

Scenario 3: A contact requests to update their information

What the gdpr says:
Contacts have the right to correct inaccuracies in their data.

How to handle it in Xendy:

  1. Open the contact’s profile in Xendy.
  2. Edit the fields that require updates (e.g., name, email address, preferences).
  3. Save the changes to ensure they are applied to future campaigns and automations.

Scenario 4: A contact requests to restrict processing

What the gdpr says:
Contacts can ask you to temporarily stop processing their data while certain issues are resolved.

How to handle it in Xendy:

  1. Mark the contact as “inactive” to pause all processing.
  2. Update their status when the restriction is lifted or resolved.
  3. Keep a record of the restriction and its resolution for compliance purposes.

Scenario 5: A contact unsubscribes from emails

What the gdpr says:
Contacts must be able to withdraw consent to receive marketing emails at any time.

How to handle it in Xendy:

  1. Xendy automatically marks contacts as inactive when they click the unsubscribe link in an email.
  2. No further emails will be sent to unsubscribed contacts.
  3. Use the unsubscribe analytics to monitor opt-out rates and refine your email strategy.

Scenario 6: Reporting a data breach

What the gdpr says:
You are required to notify authorities and affected individuals if a data breach occurs.

How to handle it with Xendy:

  1. Xendy will notify you within 24 hours of detecting a breach.
  2. Use the provided information to notify the appropriate authorities and affected contacts.
  3. Implement any recommendations to secure your systems and prevent recurrence.

Scenario 7: Responding to a portability request

What the gdpr says:
Contacts have the right to receive their data in a portable format.

How to handle it in Xendy:

  1. Export the contact’s data in a format like csv or json.
  2. Provide the file to the contact so they can transfer it to another service.

Scenario 8: A contact complains about consent

What the gdpr says:
You must demonstrate that valid consent was obtained for processing personal data.

How to handle it in Xendy:

  1. Review the consent records associated with the contact.
  2. If consent cannot be verified, remove the contact’s data to maintain compliance.

Scenario 9: Verifying compliance records

What the gdpr says:
Businesses should keep detailed records of data processing activities.

How to handle it in Xendy:

  1. Use Xendy’s audit logs to view and export records of data access, updates, and deletions.
  2. Maintain these logs as part of your compliance documentation.

Scenario 10: A contact questions data security

What the gdpr says:
You must provide assurance about the security of stored data.

How to handle it with Xendy:

  1. Explain Xendy’s security measures, including encryption, access controls, and regular backups.
  2. Offer to share details of your data processing agreement (dpa) to demonstrate compliance.

Handling these scenarios promptly and transparently builds trust with your audience and ensures gdpr compliance. In the next section, we’ll highlight the support resources Xendy offers to assist with gdpr-related tasks.

Frequently asked questions

gdpr (general data protection regulation) is a regulation designed to protect the privacy and personal data of individuals in the eu. For email marketing, it ensures that data is collected, processed, and stored responsibly, with explicit consent from contacts.

  • Controller: You, the user, are the controller who decides how and why personal data is processed.
  • Processor: Xendy acts as the processor, executing tasks like sending emails and storing data on your behalf.

Xendy provides tools to:

  • Manage consent and handle gdpr requests (e.g., data access, deletion).
  • Secure data with encryption and access controls.
  • Ensure lawful processing with the verwerkersovereenkomst and clear data retention policies.

The data processing agreement (dpa) is Xendy’s data processor agreement, outlining how we handle data on your behalf. It is available in your Xendy account under the “compliance” section or upon request.

  • Use the search feature to locate the contact.
  • Export their data for access requests or delete their profile for erasure requests.
  • Mark contacts as inactive to pause data processing if needed.

Xendy employs:

  • Encryption for data in transit and at rest.
  • iso-27001-compliant security standards.
  • Regular backups and restricted access controls.

Xendy has a proactive breach notification process:

  • Users are notified within 24 hours of a breach.
  • Guidance is provided to notify authorities and affected individuals.
  • Immediate steps are taken to secure data and prevent future breaches.
  • Use explicit opt-in forms with clear language about what recipients are signing up for.
  • Enable double opt-in to confirm genuine consent.
  • Document consent for every contact to ensure compliance.

No, Xendy does not allow the use of purchased email lists. Sending emails to contacts without explicit consent violates gdpr and can harm your sender reputation.

Xendy retains data only as long as necessary for the purposes defined in your campaigns. Upon account closure, all data is deleted within 90 days unless otherwise required by law.