The General Data Protection Regulation (GDPR) applies if you send emails or messages to individuals in the European Union or United Kingdom, or if your business is established in the EU/UK. This guide explains how GDPR applies to your use of Rackwave and what you need to do as the Data Controller to remain compliant.
GDPR Roles in the Rackwave Context
| Role | Party | Responsibility |
|---|---|---|
| Data Controller | You (the Rackwave customer) | You decide the purpose and means of processing — why you send messages, to whom, and what the content is. You are responsible for having a lawful basis and valid consent from recipients. |
| Data Processor | Rackwave | Rackwave processes personal data (email addresses, phone numbers, delivery metadata) on your behalf and only according to your instructions. Rackwave is bound by the Data Processing Agreement (DPA) to process data lawfully. |
| Data Subject | Your message recipients | EU/UK individuals whose personal data (email address or phone number) is processed when you send them messages through Rackwave. |
Key GDPR Obligations for Rackwave Customers
1. Establish a Lawful Basis for Processing
Under GDPR Article 6, you must have a lawful basis for processing personal data before sending messages. For email marketing, the most common lawful bases are:
| Lawful Basis | When It Applies | Example |
|---|---|---|
| Consent | Recipient has freely given, specific, informed, and unambiguous consent | Newsletter sign-up with a clear opt-in checkbox |
| Contract | Processing is necessary to perform a contract with the individual | Order confirmation email to a customer who placed an order |
| Legitimate Interests | Processing is necessary for your legitimate interests, provided they are not overridden by the individual's rights | Sending a follow-up email to an existing business customer about a relevant service |
| Legal Obligation | Processing is required to comply with a legal obligation | Sending a legally required notice or disclosure |
2. Obtain and Document Valid Consent
If you rely on consent as your lawful basis:
- Consent must be freely given — not buried in terms and conditions.
- It must be specific — covering the exact type of communication you plan to send.
- It must be informed — recipients must know who is collecting data and why.
- It must be unambiguous — a pre-ticked checkbox does not constitute valid GDPR consent.
- You must be able to demonstrate consent — keep records of when and how consent was given.
- Recipients must be able to withdraw consent easily at any time.
3. Honour Unsubscribe and Erasure Requests
When a recipient unsubscribes or requests erasure of their data:
- Add them to your MigoSMTP or Telnxo suppression list immediately.
- Remove them from your own contact database.
- Confirm the erasure in writing if requested.
- Respond to erasure requests within 30 days.
4. Provide Transparent Privacy Notices
Your privacy notice must inform recipients:
- Who you are and how to contact your Data Protection Officer (DPO), if you have one.
- What personal data you collect and why.
- Your lawful basis for processing.
- How long you retain their data.
- That you use third-party processors (like Rackwave) to deliver communications.
- Their rights: access, rectification, erasure, portability, objection, and complaint to a supervisory authority.
5. Sign a DPA with Rackwave
GDPR Article 28 requires a written Data Processing Agreement between you (controller) and Rackwave (processor). See: Data Processing Agreement (DPA).
How Rackwave Helps You Stay GDPR Compliant
| GDPR Requirement | Rackwave Feature That Helps |
|---|---|
| Honour unsubscribe requests | MigoSMTP suppression list — automatically prevents future sends to unsubscribed addresses |
| Respond to erasure requests | Suppression API — programmatically add addresses to the suppression list; delivery logs can be exported for records |
| Security of processing | TLS encryption in transit, AES-256 at rest, access controls, and security monitoring |
| Breach notification | Rackwave notifies you within 48–72 hours of a confirmed breach affecting your data |
| Data portability | Delivery reports and logs are exportable via dashboard and API |
| International transfers (EU → India) | Standard Contractual Clauses (SCCs) incorporated into the DPA |
| Article 28 DPA requirement | Standard DPA available — signed within 3–5 business days of request |
GDPR Compliance Checklist for Rackwave Users
| ✓ | Action |
|---|---|
| □ | Identified your lawful basis for sending to EU/UK recipients |
| □ | Obtained and documented valid consent from email/SMS recipients |
| □ | Published a GDPR-compliant privacy notice on your website |
| □ | Signed a DPA with Rackwave (Article 28 requirement) |
| □ | Configured suppression lists to honour unsubscribes automatically |
| □ | Established a process for responding to data subject requests within 30 days |
| □ | Included Rackwave in your record of processing activities (ROPA) as a sub-processor |
| □ | Ensured your contact lists contain only data collected with a valid GDPR lawful basis |