Life After Privacy Shield: A dive into EU-based email delivery providers’ Privacy Policy

Tom Blijleven

Tom Blijleven

With years of experience in the email (marketing) industry, Tom Blijleven writes about various topics within the industry, covering both marketing as transactional email. In his role as marketer at Flowmailer, he specializes in email deliverability and transactional email best practices.

Now that we’ve got rid of the preposterous Privacy Shield, companies all over Europe are looking for EU – or at least EEA – alternatives to their tech stack. Though final words have not yet been spoken, European companies are better safe than sorry for moving their data away from the US.

If you’re unfamiliar with the Privacy Shield judgment, it might help to keep this article from NOYB open while reading this one.

Email Providers in the European Union

As with many services, email service providers are subject to the Privacy Shield judgment. The Privacy Shield program covered data transfers from the EU to the US by so-called “Electronic Communication Service Providers”, meaning not only email providers but also hosting providers, social media tools, or cloud storage providers are now under review. Recently, I published a list of 79 EU alternatives for business email. 

This list consists of every software provider in the email marketing, transactional email, and email delivery field based in Europe. [Editors Note: GDPR Compliant email marketing automation platforms can be found here]

However, since most email marketing providers use an email delivery service to get their marketing emails to the inbox, it’s interesting to see how these delivery services perform under GDPR, in their ‘life after Privacy Shield’.

So I narrowed down the list to 16 email delivery services. 

I then checked every service’s Privacy Statement that, according to the official website, should contain “the details regarding any transfer of personal data to a third country and the safeguards taken”. 

Here’s the list:

  1. Alinto
  2. Combell
  3. EmailLabs
  4. Flowmailer
  5. Inboxroad
  6. Leadersend
  7. Mailjet
  8. Mailrelay
  9. MySMTP
  10. SMTPBoxes
  11. SMTPeter
  12. Sendinblue
  13. Sensorpro
  14. Teneo
  15. UltraMail24
  16. Webpower

But is their data in the European Union?

There are two things you should know about the email delivery service you’re about to choose if EU data storage is crucial for your business: where data is stored and where data might transfer to. Most EU businesses may store their data in the EU, but use third parties from the US to provide or improve their services. In which case it’s still not GDPR compliant.

Let’s dive into the list of providers and see whether we can prove their GDPR compliance.

Alinto

Alinto is a French provider, focusing on SMTP relay and email security. Their privacy statement tells us: 

“Alinto will not reveal any information concerning the user, namely any Content or any data exchanged in this way, to a third person, except when presenting a valid request by a legal authority in the context of a legal action involving the user.”

Alinto hosts its own infrastructure.

Is the Alinto service GDPR compliant?

Yes the service appears to be completely GDPR compliant at Alinto.

Combell

Combell is a Belgian provider, part of team.blue. Their privacy statement tells us:

“Provision of data to third parties happens when it’s; 1) to our legal successors and other companies within the Combell group. 2) necessary for our service provision 3) there is a legal obligation 4) there is a legitimate interest for Combell or the third party concerned 5) Combell has received permission from the person concerned.”

Combell’s data center locations: Zaventem, Diegem, and Vilvoorde (Belgium). 

Is the Combell service GDPR compliant?

Most likely, yes. Do check what ‘legitimate interest’ means to them, but overall, you can assume your data stays safe within EU borders.

EmailLabs

EmailLabs is a Polish provider. Their Privacy Policy tells us:

“4) In some situations, the Controller is entitled to transfer your personal data to other recipients if necessary to perform the agreement made with you or to perform obligations imposed on the Controller. In such a case, we will transfer personal data to three groups of recipients: 1) persons authorized by us, our employees and associates who need to have access to personal data to perform their duties, 2) processors that we will entrust with the processing of personal data, 3) other recipients of data, e.g., telecommunications operators, agents, couriers, banks, insurance companies, law firms, debt collectors, public authorities.”

EmailLabs’s data is processed by their mother company Vercom S.A., with their infrastructure running on H88, both Polish providers.

Is the EmailLabs service GDPR compliant?

Their service seems to be GDPR compliant, but we’re not sure what is meant with “processors that we will entrust with the processing of personal data” and what requirements for such processors are. 

Flowmailer

Flowmailer is a Dutch provider, focusing on transactional email delivery. Their privacy statement tells us: 

“Data within the EEA: Personal data are exclusively processed within the European Economic Area (EEA) or countries that cover adequacy decisions – i.e., decisions certifying ‘adequate’ standards in data protection.”

Flowmailer hosts its own infrastructure.

Is the Flowmailer service GDPR compliant?

Yes.

InboxRoad

Inboxroad is a Dutch SMTP relay provider. Sadly, their Privacy Statement is empty. They do however use Google Cloud and TransIP (a Dutch hosting provider) for their infrastructure. 

Is InboxRoad GDPR Compliant?

The chances are low that this service is GDPR compliant.

Leadersend

Leadersend is a Latvian provider, focusing on transactional email delivery. Their privacy statement tells us: 

“Location of data storage and transfers: LeaderSend-owned servers and third-party servers (data center) on which LeaderSend International Ltd. processes and stores data are located exclusively within the European Union territory (Latvia). LeaderSend undertakes not to transfer any data outside the European Economic Area.”

Leadersend uses Telia Latvija, a Latvian hosting provider, for its infrastructure. 

Is Leadersend GDPR Compliant?

Yes. Leadersend appear to be GDPR compliant.

Mailjet

Mailjet is a French provider, part of Mailgun. Their DPA tells us:

“Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Processor may transfer Personal Data within its company groupings.”

Mailjet’s data is stored in Frankfurt (Germany) and Saint-Ghislain (Belgium).

Is Mailjet GDPR Compliant?

Most likely, no. Ever since the Mailgun acquisition, the French Mailjet shares data “within its company groupings”, meaning data is transferred to US-based Mailgun.

MailRelay

Mailrelay is a Spanish provider. Their Privacy Policy tells us:

“a) The different Mailrelay delegations store their data in data centers located in Europe.”

Mailrelay seems to host its own infrastructure.

Is Mailrelay GDPR Compliant?

We cannot conclude whether Mailrelay is 100% GDPR compliant, although it looks like they are. A note in their Privacy Policy about subprocessors/data transfers would be helpful.

Where can I find the MailRelay privacy policy?

Their privacy policy is located at https://mailrelay.com/en/privacy-policy

MySMTP

MySMTP is a Danish SMTP relay provider. Their privacy statement tells us:

“Personal data may not be transferred to non-member countries on the basis of the Data Processor’s acceptance or consent unless the Data Controller has approved such a transfer. The Data Processor shall beforehand ensure that the transfer of the personal data in question can legally take place in accordance with the provisions of the General Data Protection Regulation.”

MySMTP uses AdeoDC, a Danish hosting provider, for its infrastructure.

Is MySMTP GDPR Compliant?

Everything we have seen points to Yes, they are GDPR compliant.

SMTPBoxes

SMTPBoxes is a Bulgarian SMTP relay service. Sadly, their Privacy Statement doesn’t include data storage nor data transfers, leaving us no clues about their GDPR compliance.

SMTPeter

SMTPeter is a Dutch SMTP relay provider, part of email service provider Copernica. Their privacy statement tells us: 

“Transfer of personal data outside the EEA: Copernica does not transmit personal data to countries outside the European Economic Area.”

SMTPeter/Copernica uses Leaseweb, a Dutch hosting provider, for its infrastructure. 

Is the SMTPeter service GDPR compliant?

Yes everything indicates this to be the case, as advised the parent states “Copernica does not transmit personal data to countries outside the European Economic Area.”

Sendinblue

Sendinblue is also a French provider. Their Privacy Policy tells us:

“Recipients of the data The personal data collected is intended for Sendinblue’s commercial and accounting departments. It may be transmitted to Sendinblue’s subsidiaries or to third-party data processors, which Sendinblue is authorized to use within the context of the performance of its Services. In this context, personal data may be transferred to an EU or non-EU country. Sendinblue implements guarantees ensuring the protection and security of this data, in compliance with applicable rules and regulations.”

Sendinblue’s data is either stored at their locations in Vitry-sur-Seine (France), in Google Cloud (Belgium), or AWS (Ireland).

Is the Sensorpro Service GDPR Compliant?

Yes, Sensorpro is GDPR compliant.

Sensorpro


Sensorpro is an Irish provider. Their privacy statement tells us: 

“We do not share your information with any third-party and your data does not leave the EU.”

Sensorpro hosts its own infrastructure built on Ironport, physically located in ISO27001 EU data center. 

Is the Sensorpro Service GDPR Compliant?

Yes, Sensorpro is GDPR compliant.

Teneo

Teneo is also a Belgian provider, focusing on SMTP relay. Their privacy statement tells us: 

“International transfers: We may transfer the information we collect about you to countries other than the country where we originally collected it for storage and processing of data and operating our services. Those countries may not have the same data protection laws as your country. However, when we transfer your information to other countries, we will protect it as described in this Privacy Notice.”

Teneo uses Teleweb, a Belgian telecom provider, for its infrastructure.

Is the Teneo Service GDPR Compliant?

We cannot be sure yet. Essential questions should be asked about what countries the information is transferred to and what measures are taken (as the Privacy Notice doesn’t mention).

We cannot be sure yet. Essential questions should be asked about what countries the information is transferred to and what measures are taken (as the Privacy Notice doesn’t mention).UltraMail24

UltraMail24

UltraMail24 is a Czech provider. Their privacy statement tells us:

“We may share and disclose your Personal Information to the following types of third parties for the purposes described in this privacy policy: (i) Our service providers (ii) Advertising partners: (iii) Any competent law enforcement body, regulatory body, government agency, court or another third party (iv) A potential buyer (and its agents and advisors) .”

UltraMail24’s servers are located in Germany.

Is their service GDPR compliant? 

Most likely, no. They do not disclose what they mean with “service providers” and apparently share data with potential buyers. 

Webpower

Webpower is a Dutch provider. Sadly, their Privacy Statement doesn’t include data storage nor data transfers, leaving us no clues about their GDPR compliance.

What do the results in this list mean?

This list aims to help you in making your choice of email delivery provider in the EU. Some providers in this list are GDPR compliant, some are in a grey area where you need to start asking questions first, and some are (sadly) not GDPR compliant.

Since the Privacy Shield judgment, we need to look further than just EU headquarters; we need to look at where our data is sent to. 

The five names on this list that are 100% GDPR compliant and safe to use immediately – based on their current infrastructure and privacy policy – are:

  1. Flowmailer | Check profile »
  2. Leadersend | Check profile »
  3. Alinto | Check profile »
  4. SMTPeter | Check profile »
  5. MySMTP | Check profile »

Stay Connected

More Email News & Updates

New talent acquisition at Symplify Canada

Symplify is happy to welcome Arnaud Angèle within its Canadianteam. With over 5 years of experience in sales and business development, Arnaud has proven to