GDPR and EU Data Protection
Learn what you need to know about GDPR and how it impacts your email strategy.
Mailgun has your back with numerous features designed to give you more data control and help you achieve GDPR compliance.
Mailgun is a strong advocate for privacy and user rights. Leading up to the implementation of the GDPR, we’ve been hard at work building numerous features that give customers more control of the data that is stored on the platform. We’ve designed and enabled these features for all customers, regardless of whether the GDPR specifically impacts you.
We built this page to outline some of the key GDPR principles and terms and present how they apply to your use of Mailgun. Please review this carefully and share it with your privacy team along with the legal documents listed below.
Disclaimer: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
We have an updated data processing agreement that is available below, and we will be updating other legal documentation before the GDPR goes into full enforcement on May 25, 2018.
In order to process personal data, you need a lawful basis for processing. There are several methods to establish a lawful basis for GDPR compliance, but the mechanism you will most likely rely on when sending communications with Mailgun is one of the following:
- Consent – Most marketing communication will rely on “consent”, which must be obtained by a “clear affirmative act”. For example, pre-checked boxes or implicit consent is inadequate to establish this lawful basis. The process for obtaining consent properly is one of the areas that is most impacted by the GDPR. According to the ICO, the following criteria must be met to show valid consent:
  - Consent must be freely given. This means giving people genuine, ongoing choice and control over how you use their data.
  - Consent should be obvious and require positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise, user-friendly, and easy to understand.
  - Consent must specifically cover the controller’s name, the purposes of the processing, and the types of processing activity.
  - Explicit consent must be expressly confirmed in words, rather than by any other positive action.
  - There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Once you’ve obtained consent, you need to be sure that it is recorded in a system of record so that it is easily auditable. With each consent record, we recommend storing the identifier, timestamp, and location where consent was obtained.
- Contract – You can rely on this lawful basis if the processing of personal data is necessary for the performance of a contract. Password reset, billing notifications, and onboarding communication would likely fall under this lawful basis.
There are two key relationships that are defined in the GDPR. As a customer of Mailgun, you operate as the controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner as described above and that you are using processors, such as Mailgun, that are committed to handling the data in a compliant manner.
Mailgun is considered a processor. We act on the instructions of the controller (you), which come in the form of API or SMTP requests. Similar to controllers, processors are expected to enumerate how they handle personal data, which we have outlined in this document and the legal documents listed below. As a processor, we rely on our customer to ensure that there is a lawful basis for processing.
Processors may leverage other third parties in the processing of personal data. These entities are commonly referred to as sub-processors. For example, Mailgun leverages cloud infrastructure providers like Amazon Web Services, Rackspace, and SoftLayer to host Mailgun.
Mailgun believes in being fully transparent in how we handle and process personal data. We keep data only as long as it is necessary to provide our services. Where possible, we employ mechanisms that allow us to automatically remove data after it is no longer needed to offer our services.
Message Bodies – Mailgun stores the bodies of messages for up to 72 hours for both incoming and outgoing messages. For outgoing messages, temporary storage allows our systems to attempt to re-deliver messages that could not be delivered on the first attempt. Customers relying on our parsing features use this temporary storage to retrieve messages that have been received as inbound messages.
For some customers, the message retention period may be selectively adjusted based on written instructions between the customer and Mailgun. Additionally, we offer features that prevent the retrieval of messages programmatically or allow the messages to be securely deleted after delivery.
Finally, our staff may access message bodies to assist customers in troubleshooting delivery issues or in response to a potential AUP violation. Employee access is routinely audited, and all employees are subject to our confidentiality provisions.
Message Metadata – The metadata of a message, which includes the sender, recipient(s), subject line, originating IP address, and other routing data, is indexed and maintained for 30 days.
As messages are processed by Mailgun, we generate discrete events from each service that handles message processing. This data is useful in troubleshooting processing and delivery issues that periodically occur when messaging users through Mailgun.
This data is available in its entirety via our logs and Events API.
At times, our staff may use this event data to assist in customer support requests or in response to a potential AUP violation.
Suppressions – Suppressions are permanently stored email addresses that are created as a result of a hard bounce, complaint, or unsubscribe. We store suppressions until you remove them or your account has been deleted.
When suppressions are removed, they are permanently deleted from the system. Suppressions may be stored in a backup system for disaster recovery purposes for up to 30 days after removal.
Recipient Data – Mailgun stores activity information of recipient email addresses in a hashed (pseudonymized) format. This data allows us to more accurately pre-validate email addresses, detect potentially risky senders who may damage IP reputation, and help customers optimize their delivery processes.
This recipient data is only used as part of the delivery of Mailgun services.
As part of the GDPR, EU data subjects have certain rights to have their personal data removed, corrected, and exported. Mailgun has designed our platform with several self-service features that our customers can leverage to assist in reviewing the personal data stored on our platform to respond to data requests.
These features are designed to support the right to data portability, right to access, and right to be forgotten.
Unless otherwise required by law, in the event that Mailgun receives any type of request from a data subject, we will engage the respective customer within seven days to respond to the data subject request.
Our data processing agreement codifies many of the details described on this site in specific legal language. It’s available to customers on paid subscriptions or enterprise agreements. To obtain a copy, please contact our privacy team at email@example.com.
In many cases, yes. Even businesses that are not based in the EU are considered to be in scope of the GDPR if they are collecting personal data on EU residents.
The GDPR does not require that data processing be limited to the EU. The EU-US Privacy Shield is one of several valid lawful mechanisms to transfer data between the EU and the US. In addition to Privacy Shield, Mailgun’s Data Processing Agreement includes the EU Model Clauses, which are also a valid mechanism for the lawful transfer of data between the EU and US.
Yes, this is a valid use of personal data as long as the email address is not being used for processing. For many users, suppression lists act as a method of last resort to ensure that you are not inadvertently communicating with users that withdraw consent to receive communication from you.
The GDPR applies to all personal data, even if it was collected before May 25, 2018. As your business is preparing for the implementation of the GDPR, you should make sure you can properly audit the consent records for your email list.