Now that we’ve got rid of the preposterous Privacy Shield, companies all over Europe are looking for EU – or at least EEA – alternatives to their tech stack. Though the final word has not yet been spoken, European companies are better safe than sorry in moving their data away from the US.
Email Providers in the European Union
As with many services, email service providers are subject to the Privacy Shield judgment. The Privacy Shield program covered data transfers from the EU to the US by so-called “Electronic Communication Service Providers”, meaning not only email providers but also hosting providers, social media tools, or cloud storage providers are now under review. Recently, I published a list of 79 EU alternatives for business email.
This list consists of every software provider in the email marketing, transactional email, and email delivery field based in Europe. [Editor’s Note: GDPR-compliant email marketing automation platforms can be found here]
However, since most email marketing providers use an email delivery service to get their marketing emails to the inbox, it’s interesting to see how these delivery services perform under GDPR, in their ‘life after Privacy Shield’.
So I narrowed down the list to 16 email delivery services.
I then checked every service’s Privacy Statement that, according to the official website, should contain “the details regarding any transfer of personal data to a third country and the safeguards taken”.
Here’s the list:
But is their data in the European Union?
There are two things you should know about the email delivery service you’re about to choose if EU data storage is crucial for your business: where data is stored and where data might be transferred to. Most EU businesses may store their data in the EU but use third parties from the US to provide or improve their services, in which case it’s still not GDPR compliant.
Let’s dive into the list of providers and see whether we can prove their GDPR compliance.
“Alinto will not reveal any information concerning the user, namely any Content or any data exchanged in this way, to a third person, except when presenting a valid request by a legal authority in the context of a legal action involving the user.”
Alinto hosts its own infrastructure.
Is the Alinto service GDPR compliant?
Yes, the Alinto service appears to be completely GDPR compliant.
“Provision of data to third parties happens when it’s; 1) to our legal successors and other companies within the Combell group. 2) necessary for our service provision 3) there is a legal obligation 4) there is a legitimate interest for Combell or the third party concerned 5) Combell has received permission from the person concerned.”
Combell’s data center locations: Zaventem, Diegem, and Vilvoorde (Belgium).
Is the Combell service GDPR compliant?
Most likely, yes. Do check what ‘legitimate interest’ means to them, but overall, you can assume your data stays safe within EU borders.
“4) In some situations, the Controller is entitled to transfer your personal data to other recipients if necessary to perform the agreement made with you or to perform obligations imposed on the Controller. In such a case, we will transfer personal data to three groups of recipients: 1) persons authorized by us, our employees and associates who need to have access to personal data to perform their duties, 2) processors that we will entrust with the processing of personal data, 3) other recipients of data, e.g., telecommunications operators, agents, couriers, banks, insurance companies, law firms, debt collectors, public authorities.”
EmailLabs’s data is processed by their parent company Vercom S.A., with their infrastructure running on H88, both Polish providers.
Is the EmailLabs service GDPR compliant?
Their service seems to be GDPR compliant, but we’re not sure what is meant by “processors that we will entrust with the processing of personal data” and what the requirements for such processors are.
“Data within the EEA: Personal data are exclusively processed within the European Economic Area (EEA) or countries that cover adequacy decisions – i.e., decisions certifying ‘adequate’ standards in data protection.”
Flowmailer hosts its own infrastructure.
Is the Flowmailer service GDPR compliant?
Is InboxRoad GDPR Compliant?
The chances are low that this service is GDPR compliant.
“Location of data storage and transfers: LeaderSend-owned servers and third-party servers (data center) on which LeaderSend International Ltd. processes and stores data are located exclusively within the European Union territory (Latvia). LeaderSend undertakes not to transfer any data outside the European Economic Area.”
Leadersend uses Telia Latvija, a Latvian hosting provider, for its infrastructure.
Is Leadersend GDPR Compliant?
Yes. Leadersend appears to be GDPR compliant.
“Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Processor may transfer Personal Data within its company groupings.”
Mailjet’s data is stored in Frankfurt (Germany) and Saint-Ghislain (Belgium).
Is Mailjet GDPR Compliant?
Most likely, no. Ever since the Mailgun acquisition, the French Mailjet shares data “within its company groupings”, meaning data is transferred to US-based Mailgun.
“a) The different Mailrelay delegations store their data in data centers located in Europe.”
Mailrelay seems to host its own infrastructure.
Is Mailrelay GDPR Compliant?
“Personal data may not be transferred to non-member countries on the basis of the Data Processor’s acceptance or consent unless the Data Controller has approved such a transfer. The Data Processor shall beforehand ensure that the transfer of the personal data in question can legally take place in accordance with the provisions of the General Data Protection Regulation.”
MySMTP uses AdeoDC, a Danish hosting provider, for its infrastructure.
Is MySMTP GDPR Compliant?
Everything we have seen points to Yes, they are GDPR compliant.
“Transfer of personal data outside the EEA: Copernica does not transmit personal data to countries outside the European Economic Area.”
SMTPeter/Copernica uses Leaseweb, a Dutch hosting provider, for its infrastructure.
Is the SMTPeter service GDPR compliant?
Yes, everything indicates this to be the case; as noted, the parent company states “Copernica does not transmit personal data to countries outside the European Economic Area.”
“Recipients of the data The personal data collected is intended for Sendinblue’s commercial and accounting departments. It may be transmitted to Sendinblue’s subsidiaries or to third-party data processors, which Sendinblue is authorized to use within the context of the performance of its Services. In this context, personal data may be transferred to an EU or non-EU country. Sendinblue implements guarantees ensuring the protection and security of this data, in compliance with applicable rules and regulations.”
Sendinblue’s data is either stored at their locations in Vitry-sur-Seine (France), in Google Cloud (Belgium), or AWS (Ireland).
“We do not share your information with any third-party and your data does not leave the EU.”
Sensorpro hosts its own infrastructure built on Ironport, physically located in an ISO27001 EU data center.
Is the Sensorpro Service GDPR Compliant?
Yes, Sensorpro is GDPR compliant.
“International transfers: We may transfer the information we collect about you to countries other than the country where we originally collected it for storage and processing of data and operating our services. Those countries may not have the same data protection laws as your country. However, when we transfer your information to other countries, we will protect it as described in this Privacy Notice.”
Teneo uses Teleweb, a Belgian telecom provider, for its infrastructure.
Is the Teneo Service GDPR Compliant?
We cannot be sure yet. Essential questions should be asked about what countries the information is transferred to and what measures are taken (which the Privacy Notice doesn’t mention).
UltraMail24
UltraMail24’s servers are located in Germany.
Is their service GDPR compliant?
Most likely, no. They do not disclose what they mean by “service providers” and apparently share data with potential buyers.
What do the results in this list mean?
This list aims to help you in making your choice of email delivery provider in the EU. Some providers in this list are GDPR compliant, some are in a grey area where you need to start asking questions first, and some are (sadly) not GDPR compliant.
Since the Privacy Shield judgment, we need to look further than just EU headquarters; we need to look at where our data is sent to.