
Life After Privacy Shield: A dive into EU-based email delivery providers’ Privacy Policy

Now that we’ve got rid of the preposterous Privacy Shield, companies all over Europe are looking for EU – or at least EEA – alternatives to their tech stack. Though the final word has not yet been spoken, European companies are better safe than sorry when it comes to moving their data away from the US.

If you’re unfamiliar with the Privacy Shield judgment, it might help to keep this article from NOYB open while reading this one.

Email Providers in the European Union

As with many services, email service providers are subject to the Privacy Shield judgment. The Privacy Shield program covered data transfers from the EU to the US by so-called “Electronic Communication Service Providers”, meaning not only email providers but also hosting providers, social media tools, or cloud storage providers are now under review. Recently, I published a list of 79 EU alternatives for business email. 

This list consists of every software provider in the email marketing, transactional email, and email delivery field based in Europe. (Editor’s Note: GDPR-compliant email marketing automation platforms can be found here.)

However, since most email marketing providers use an email delivery service to get their marketing emails to the inbox, it’s interesting to see how these delivery services perform under GDPR, in their ‘life after Privacy Shield’.

So I narrowed down the list to 16 email delivery services. 

I then checked every service’s Privacy Statement that, according to the official website, should contain “the details regarding any transfer of personal data to a third country and the safeguards taken”. 

Here’s the list:

  1. Alinto
  2. Combell
  3. EmailLabs
  4. Flowmailer
  5. Inboxroad
  6. Leadersend
  7. Mailjet
  8. Mailrelay
  9. MySMTP
  10. SMTPBoxes
  11. SMTPeter
  12. Sendinblue
  13. Sensorpro
  14. Teneo
  15. UltraMail24
  16. Webpower

But is their data in the European Union?

There are two things you should know about the email delivery service you’re about to choose if EU data storage is crucial for your business: where data is stored and where data might be transferred to. Most EU businesses may store their data in the EU but use third parties from the US to provide or improve their services, in which case the service is still not GDPR compliant.

Let’s dive into the list of providers and see whether we can prove their GDPR compliance.

Alinto

Alinto is a French provider, focusing on SMTP relay and email security. Their privacy statement tells us: 

“Alinto will not reveal any information concerning the user, namely any Content or any data exchanged in this way, to a third person, except when presenting a valid request by a legal authority in the context of a legal action involving the user.”

Alinto hosts its own infrastructure.

Is the Alinto service GDPR compliant?

Yes, the service appears to be completely GDPR compliant at Alinto.

Combell

Combell is a Belgian provider, part of team.blue. Their privacy statement tells us:

“Provision of data to third parties happens when it’s; 1) to our legal successors and other companies within the Combell group. 2) necessary for our service provision 3) there is a legal obligation 4) there is a legitimate interest for Combell or the third party concerned 5) Combell has received permission from the person concerned.”

Combell’s data center locations: Zaventem, Diegem, and Vilvoorde (Belgium). 

Is the Combell service GDPR compliant?

Most likely, yes. Do check what ‘legitimate interest’ means to them, but overall, you can assume your data stays safe within EU borders.

EmailLabs

EmailLabs is a Polish provider. Their Privacy Policy tells us:

“4) In some situations, the Controller is entitled to transfer your personal data to other recipients if necessary to perform the agreement made with you or to perform obligations imposed on the Controller. In such a case, we will transfer personal data to three groups of recipients: 1) persons authorized by us, our employees and associates who need to have access to personal data to perform their duties, 2) processors that we will entrust with the processing of personal data, 3) other recipients of data, e.g., telecommunications operators, agents, couriers, banks, insurance companies, law firms, debt collectors, public authorities.”

EmailLabs’s data is processed by their parent company Vercom S.A., with their infrastructure running on H88, both Polish providers.

Is the EmailLabs service GDPR compliant?

Their service seems to be GDPR compliant, but we’re not sure what is meant by “processors that we will entrust with the processing of personal data” and what the requirements for such processors are.

Flowmailer

Flowmailer is a Dutch provider, focusing on transactional email delivery. Their privacy statement tells us: 

“Data within the EEA: Personal data are exclusively processed within the European Economic Area (EEA) or countries that cover adequacy decisions – i.e., decisions certifying ‘adequate’ standards in data protection.”

Flowmailer hosts its own infrastructure.

Is the Flowmailer service GDPR compliant?

Yes.

InboxRoad

Inboxroad is a Dutch SMTP relay provider. Sadly, their Privacy Statement is empty. They do however use Google Cloud and TransIP (a Dutch hosting provider) for their infrastructure. 

Is InboxRoad GDPR Compliant?

The chances are low that this service is GDPR compliant.

Leadersend

Leadersend is a Latvian provider, focusing on transactional email delivery. Their privacy statement tells us: 

“Location of data storage and transfers: LeaderSend-owned servers and third-party servers (data center) on which LeaderSend International Ltd. processes and stores data are located exclusively within the European Union territory (Latvia). LeaderSend undertakes not to transfer any data outside the European Economic Area.”

Leadersend uses Telia Latvija, a Latvian hosting provider, for its infrastructure. 

Is Leadersend GDPR Compliant?

Yes. Leadersend appears to be GDPR compliant.

Mailjet

Mailjet is a French provider, part of Mailgun. Their DPA tells us:

“Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Processor may transfer Personal Data within its company groupings.”

Mailjet’s data is stored in Frankfurt (Germany) and Saint-Ghislain (Belgium).

Is Mailjet GDPR Compliant?

Most likely, no. Ever since the Mailgun acquisition, the French Mailjet shares data “within its company groupings”, meaning data is transferred to US-based Mailgun.

MailRelay

Mailrelay is a Spanish provider. Their Privacy Policy tells us:

“a) The different Mailrelay delegations store their data in data centers located in Europe.”

Mailrelay seems to host its own infrastructure.

Is Mailrelay GDPR Compliant?

We cannot conclude whether Mailrelay is 100% GDPR compliant, although it looks like they are. A note in their Privacy Policy about subprocessors/data transfers would be helpful.

Where can I find the MailRelay privacy policy?

Their privacy policy is located at https://mailrelay.com/en/privacy-policy

MySMTP

MySMTP is a Danish SMTP relay provider. Their privacy statement tells us:

“Personal data may not be transferred to non-member countries on the basis of the Data Processor’s acceptance or consent unless the Data Controller has approved such a transfer. The Data Processor shall beforehand ensure that the transfer of the personal data in question can legally take place in accordance with the provisions of the General Data Protection Regulation.”

MySMTP uses AdeoDC, a Danish hosting provider, for its infrastructure.

Is MySMTP GDPR Compliant?

Everything we have seen points to Yes, they are GDPR compliant.

SMTPBoxes

SMTPBoxes is a Bulgarian SMTP relay service. Sadly, their Privacy Statement doesn’t cover data storage or data transfers, leaving us no clues about their GDPR compliance.

SMTPeter

SMTPeter is a Dutch SMTP relay provider, part of email service provider Copernica. Their privacy statement tells us: 

“Transfer of personal data outside the EEA: Copernica does not transmit personal data to countries outside the European Economic Area.”

SMTPeter/Copernica uses Leaseweb, a Dutch hosting provider, for its infrastructure. 

Is the SMTPeter service GDPR compliant?

Yes, everything indicates this to be the case. As noted above, the parent company states: “Copernica does not transmit personal data to countries outside the European Economic Area.”

Sendinblue

Sendinblue is also a French provider. Their Privacy Policy tells us:

“Recipients of the data The personal data collected is intended for Sendinblue’s commercial and accounting departments. It may be transmitted to Sendinblue’s subsidiaries or to third-party data processors, which Sendinblue is authorized to use within the context of the performance of its Services. In this context, personal data may be transferred to an EU or non-EU country. Sendinblue implements guarantees ensuring the protection and security of this data, in compliance with applicable rules and regulations.”

Sendinblue’s data is either stored at their locations in Vitry-sur-Seine (France), in Google Cloud (Belgium), or AWS (Ireland).

Sensorpro


Sensorpro is an Irish provider. Their privacy statement tells us: 

“We do not share your information with any third-party and your data does not leave the EU.”

Sensorpro hosts its own infrastructure built on Ironport, physically located in an ISO27001 EU data center.

Is the Sensorpro Service GDPR Compliant?

Yes, Sensorpro is GDPR compliant.

Teneo

Teneo is also a Belgian provider, focusing on SMTP relay. Their privacy statement tells us: 

“International transfers: We may transfer the information we collect about you to countries other than the country where we originally collected it for storage and processing of data and operating our services. Those countries may not have the same data protection laws as your country. However, when we transfer your information to other countries, we will protect it as described in this Privacy Notice.”

Teneo uses Teleweb, a Belgian telecom provider, for its infrastructure.

Is the Teneo Service GDPR Compliant?

We cannot be sure yet. Essential questions should be asked about what countries the information is transferred to and what measures are taken (as the Privacy Notice doesn’t mention them).

UltraMail24

UltraMail24 is a Czech provider. Their privacy statement tells us:

“We may share and disclose your Personal Information to the following types of third parties for the purposes described in this privacy policy: (i) Our service providers (ii) Advertising partners: (iii) Any competent law enforcement body, regulatory body, government agency, court or another third party (iv) A potential buyer (and its agents and advisors) .”

UltraMail24’s servers are located in Germany.

Is their service GDPR compliant? 

Most likely, no. They do not disclose what they mean by “service providers” and apparently share data with potential buyers.

Webpower

Webpower is a Dutch provider. Sadly, their Privacy Statement doesn’t cover data storage or data transfers, leaving us no clues about their GDPR compliance.

What do the results in this list mean?

This list aims to help you in making your choice of email delivery provider in the EU. Some providers in this list are GDPR compliant, some are in a grey area where you need to start asking questions first, and some are (sadly) not GDPR compliant.

Since the Privacy Shield judgment, we need to look further than just EU headquarters; we need to look at where our data is sent to. 

The five names on this list that are 100% GDPR compliant and safe to use immediately – based on their current infrastructure and privacy policy – are:

  1. Flowmailer
  2. Leadersend
  3. Alinto
  4. SMTPeter
  5. MySMTP
