Making the newsletter DSGVO compliant | decareto

Created 21 March 2023

Sending a newsletter is part of email marketing. Email marketing means that you send a commercial email to a large number of contacts at regular intervals. However, these contacts must have explicitly agreed to receive the newsletter.

In the following article, we will explain which prerequisites there are for a newsletter that complies with data protection, how you can design a newsletter that complies with DSGVO and why the General Data Protection Regulation is so important for a newsletter in the first place.

What are the requirements for a DSGVO-compliant newsletter?

A DSGVO-compliant newsletter requires, among other things, that data minimization is observed, that personal data is stored within the EU, that consent is obtained for the collection of data and that the privacy policy is adapted.

Data minimization

According to Art. 5, section c) of the General Data Protection Regulation, data minimization applies to data collection. This means that only the personal data necessary for sending the newsletter may be requested during registration. 

Since the newsletter is usually sent by e-mail, only the recipient's e-mail address is required. If the newsletter is to be sent in a personalized form, the name may also be requested in these cases.

Data storage on a server within the EU

The General Data Protection Regulation only allows personal data to be stored in countries where a sufficient level of data protection is guaranteed. In addition to the member states of the EU, there are a number of countries with an adequacy decision, such as Canada or Switzerland. Accordingly, storage in the USA, Russia or China is not permitted.

Obtain consent

If you want to send out a newsletter, you should make sure beforehand that the data is collected exclusively on a legal basis and that you obtain the users' consent to receiving the newsletter.

The best way to prove consent is to use the double opt-in procedure. Double opt-in means that after successful newsletter registration, an e-mail is automatically sent to the recipient, who must confirm one more time that he or she agrees to receive the newsletter.

Adapt privacy policy

As soon as you offer a newsletter on your website and thus collect personal data, you must mention this in the privacy policy. In addition, you are obliged to inform users about what data you collect during registration, why you collect this data and how long you store it.

Likewise, you must inform the recipients of your newsletter about their right to cancel the subscription and about the possibility of revoking their consent to the storage of their data.

If you use a specific tool for sending your newsletter, this must also be defined in the privacy policy.

Purpose limitation

If you collect personal data during newsletter registration, you may use it only for sending the newsletter email. According to Art. 5, Section 1b) DSGVO, you are bound by purpose limitation. As soon as you use the collected data for purposes other than those specified during registration or in the privacy policy, you are in breach of the DSGVO.

Conclude AV contract with tool provider

If you use a tool for sending newsletters, you should make sure that the provider is based within the territorial scope of the General Data Protection Regulation and also complies with it. If this is the case, you conclude a data processing agreement (AV contract, from the German Auftragsverarbeitungsvertrag) with this provider in accordance with Art. 28, Section 3 DSGVO.

This contract specifies the scope and nature of the data processed, the obligations and rights of the controller, and the nature and purpose of the processing. 

Include unsubscribe link in every email

In each newsletter sent by email, there must be a link that allows the recipient to unsubscribe from the newsletter. If the user has chosen to unsubscribe, you are obligated to immediately delete all personal data that you have stored from this user. Of course, this also applies to the tool provider.
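The double opt-in procedure described above and the delete-on-unsubscribe rule from this section, as an added example that is not part of the original article: a confirmation link carries an HMAC-signed token so that only the address holder who received the mail can complete consent, the confirmation time is recorded as the proof of consent, and unsubscribing deletes the record instead of flagging it. The 24-hour link lifetime, the in-memory store and the function names are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Server-side key for signing confirmation links; generated here for the demo.
SECRET_KEY = secrets.token_bytes(32)
CONFIRM_TTL = 24 * 60 * 60  # confirmation link valid for 24 hours (assumption)

# Subscriber store: only the e-mail address plus consent bookkeeping is kept
# (data minimization); a record stays "pending" until double opt-in completes.
subscribers = {}

def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def subscribe(email: str, now: float) -> str:
    """Step 1 of double opt-in: store the address as pending and return the signed
    token that goes into the confirmation e-mail (sending itself is simulated)."""
    subscribers[email] = {"status": "pending", "consent_at": None}
    payload = f"{email}|{int(now)}"
    return f"{payload}|{_sign(payload)}"

def confirm(token: str, now: float) -> bool:
    """Step 2: the recipient clicks the link. Only a correctly signed, unexpired
    token for a still-pending address turns the record into documented consent."""
    try:
        email, issued, sig = token.rsplit("|", 2)
        issued_at = int(issued)
    except ValueError:
        return False  # malformed link
    if not hmac.compare_digest(sig, _sign(f"{email}|{issued}")):
        return False  # forged or tampered link
    if now - issued_at > CONFIRM_TTL:
        return False  # stale link: the address has to register again
    record = subscribers.get(email)
    if record is None or record["status"] != "pending":
        return False  # unknown address, or a replayed link for a confirmed one
    record["status"] = "confirmed"
    record["consent_at"] = now  # time of confirmation is the proof of consent
    return True

def may_send(email: str) -> bool:
    """Newsletters go only to addresses whose double opt-in is complete."""
    rec = subscribers.get(email)
    return rec is not None and rec["status"] == "confirmed"

def unsubscribe(email: str) -> None:
    """Unsubscribe link clicked: delete the data instead of only flagging it."""
    subscribers.pop(email, None)
```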

How do I make a newsletter compliant with the DSGVO?

You make a newsletter compliant with the DSGVO primarily by using newsletter tools whose providers are based within the territorial scope of the General Data Protection Regulation, in other words, providers that are themselves DSGVO compliant. You are obliged to conclude an AV contract with the provider.

DSGVO compliant tools for the newsletter

In addition to being based in Germany, rapidmail is particularly characterized by its ease of use and beginner-friendliness. Via drag-and-drop and with a variety of template suggestions, even beginners can find their way around rapidmail right from the start.

CleverReach is based in Germany and is a clearly laid out software that allows you to create your newsletter email. Thanks to the large selection of templates, creating newsletters is made even easier. With up to 1,000 emails per month, CleverReach is even free.

The German software Sendinblue allows you to personalize your newsletter email in an easy and individual way. The tool is kept very modern and attaches great importance to data protection and DSGVO compliance. This has been confirmed by TÜV Rheinland.

Klicktipp is also a German newsletter software and helps you create a modern and intuitive newsletter email professionally. In doing so, Klicktipp relies on artificial intelligence. Klicktipp is 100% responsive and 100% privacy compliant.

No matter which software you choose: remember to sign an AV contract with the tool provider in order to comply with the General Data Protection Regulation here as well and to legally carry out the process of data collection, transfer and storage.

How do you ensure that the newsletter subscription is compliant with the DSGVO?

You ensure that the newsletter subscription is DSGVO compliant by providing the fields to fill in as well as information about cancellation, the frequency and the content of the newsletter. At the end, you place a link to the privacy policy to offer further details on data processing.

Fields to fill in

The fields you put in your subscription form will be filled in later by your visitors. Here, as mentioned above, you must make sure that you only ask for the personal data that is important for sending an email. Only the e-mail address is necessary for this.

Thus, only the field for the e-mail address should be marked as mandatory. Of course, you may also provide other fields to fill in. However, this may only be voluntary information on the part of the recipient. 

Note on cancellation

Expand the registration form with a sentence stating that users can unsubscribe from the newsletter at any time if they no longer wish to receive it. To make this possible, add a link to each newsletter email that allows the recipient to unsubscribe from the newsletter.

If a recipient of the newsletter has cancelled the subscription, you are obliged to delete their personal data (Art. 17 DSGVO).

Frequency of the newsletter 

It is best to write directly in the registration form how often the newsletter will appear in users' email inboxes. The most important thing at this point is that you stick to this indication of frequency and do not send more or fewer newsletter emails than promised.

Information about the exact content of the newsletter

If potential recipients of your newsletter learn what to expect in the newsletter directly when they sign up, they are more likely to actually subscribe to your newsletter. 

Again, only send a newsletter with the content you promise subscribers in the sign-up form. 

Link to privacy policy

To inform your future readers about data collection, storage, and sharing, and to provide further information about cancellation and revocation rights, place a link to your privacy policy. 

Extend by checkbox for further purposes of use

If you would also like to use the subscriber's e-mail address, for example, to send them discount codes or promotional e-mails, you will need explicit consent for this. At this point, for example, set additional checkboxes that users can click to receive the preferred email.

Why is the DSGVO important when creating newsletters? 

When creating newsletters, the DSGVO is important because email marketing requires personal data. Personal data, however, may only be collected, stored and processed lawfully, since data protection must be maintained. If this is not done, you make yourself liable to prosecution.

Since 2018, website owners in the EU have been required to comply with the General Data Protection Regulation. This means that personal data is collected, stored and processed lawfully and recipients of the newsletter are informed about their rights and obligations.

Personal data may neither be collected nor passed on to third parties without the express consent and instruction of the recipients. If you do this anyway or use the collected data for purposes other than those stated, you must expect high penalties and/or warnings.

Is your newsletter DSGVO compliant?

Now that you have read this article and know about the essential requirements for the DSGVO-compliant design of a newsletter, you should make sure that your newsletter and the associated registration form are also created and sent in compliance with the law.

If you are not sure whether your newsletter is already designed in compliance with the regulations or how to design your newsletter in a DSGVO-compliant manner, feel free to contact us at any time. Alternatively, you can also benefit from our DSGVO scanner. With the help of data protection audits, we check your website, subpages and any forms for weak points and provide you with a detailed audit report.

Test decareto free of charge for 14 days and discover the benefits. We look forward to hearing from you!

Author: Eckhard Schneider
