The Illusion of “Innocent” Email Marketing
Most micro and small businesses treat their newsletter strategy like a leftover, slapped together with a few clicks, then left running on autopilot. No harm, right? You're not harvesting medical records or building AI models. Just sending updates.
That illusion has now expired.
In July 2024, the Italian Data Protection Authority (Garante) fined a company €45,000 for mismanaging its email marketing setup. Not because of a data breach. Not because of a surveillance scandal. Just... newsletters. Outsourced, unmonitored, and misaligned with GDPR basics.
The message to Dutch MSEs is clear: digital ≠ invisible. Every email you send qualifies as data processing. Every tool you use, Mailchimp, HubSpot, freelancers, puts you under Article 28 GDPR obligations. And every failure to document, control, or justify your process? That’s liability.
When “Just a Newsletter” Costs €45,000
The Italian case is instructive because of its normality. The fined company outsourced promotional mailings to external partners. No criminal activity. No hacking. Just poor hygiene: they never verified their processors' legal safeguards and handed over user data without meaningful oversight.
The Garante identified two key failures:
- No partner due diligence. The company selected processors without checking GDPR compliance or securing appropriate guarantees. That’s a direct hit under Articles 28 and 83(2)(a). In particular, the partner tools used were based in the US and Spain, and the US partner did not name a GDPR Article 27 representative, worsening the controller’s exposure.
- Blind delegation. They outsourced the operation and the responsibility, something GDPR never allows. That earned them a second strike under Article 83(2)(b).
The fine? €45,000. The defence? “But they told us it was fine.” Predictably rejected.
This isn't Italian drama. It’s EU law, binding in the Netherlands, and already being enforced.
Double Opt-In: Not Mandatory, Just Indispensable
While the fine focused on processor management, the Garante took the opportunity to repeat a key point: double opt-in remains the gold standard for proving consent under Article 7 GDPR.
It’s simple: single opt-in is easy to game, hard to defend. Anyone can type in an email address. Only double opt-in (clicking a confirmation link) provides clear evidence that the user knowingly subscribed.
This isn’t a theoretical risk. If someone files a complaint and your system can’t prove valid consent, the burden is on you. That’s not a risk. That’s a setup.
No Loopholes in Article 28: You’re Still the Controller
Outsourcing doesn’t dilute responsibility. If you use a SaaS tool or agency to send your newsletters, you’re still the controller. Which means:
- You must vet their GDPR compliance.
- You must sign a DPA (Data Processing Agreement) before any data exchange.
- You must document instructions: what they’re allowed to do, and what they’re not.
- And you must monitor that they’re doing it.
- Your freelancer forgot to include an unsubscribe link? That’s your liability.
- Your SaaS tool updated terms without telling you? You should have been watching.
Article 28 GDPR doesn’t care how small your list is or how “friendly” your vendor seems. It cares that you do your job.
Where Dutch SMEs Typically Fail
Here’s the unvarnished truth: most Dutch micro and small companies are already in breach. Not because they’re evil, because they’re sloppy.
Patterns we see again and again:
- Signup forms with no consent checkbox, or vague wording (“Sign up to stay updated!” is not consent).
- Single opt-in systems with no audit trail.
- Freelancers running campaigns with no contract, no guidance, no oversight.
- Using tools like Sendinblue or HubSpot without reading the DPA or checking data hosting jurisdictions.
- No way to prove when or how someone subscribed, or unsubscribed.
You don’t need an IT audit to see the problem. You just need to look.
The Real-World Risk Map of Email Marketing Non-Compliance
| Issue | GDPR Article | What It Means for You |
|---|---|---|
| No clear opt-in on signup | Art. 6(1)(a), Art. 7 | Consent is invalid → all processing becomes unlawful |
| Single opt-in only | Art. 7(1) | You can’t prove consent in court or audit |
| No DPA with provider | Art. 28(3) | You absorb full liability for their mistakes |
| No partner assessment | Art. 28(1) | GDPR sees this as gross negligence |
| No unsubscribe option | Art. 7(3), Art. 21 | You’re violating basic user rights |
Compliance = Respect
Forget the legalese for a moment. When someone gives you their email, they’re trusting you. That trust deserves structure, clarity, and boundaries. That’s what GDPR is really about.
So no, your newsletter isn’t “just a newsletter.” It’s a live, traceable process involving personal data, legal responsibility, and ethical handling. Get it wrong, and you lose more than compliance. You lose credibility.
Final Thought: Do It Once, Do It Right
You don’t need a team of lawyers to fix your setup. You just need to stop treating it like an afterthought.
Start here:
- Adopt double opt-in, no debate.
- Read your provider’s DPA, or switch to one that has one.
- Clean up your forms: explicit consent, clear purpose.
- Log consent events: timestamp, IP, source.
- Assess your partners: Are they compliant, or just convenient?
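What the "double opt-in" and "log consent events" steps look like in code, as an added example that is not part of the article and not any provider's implementation: an in-memory ledger where the signup form only creates a pending request, the click on the confirmation link is the event that actually establishes consent, and every step (including rejected and expired attempts) is written to an append-only log with timestamp, IP and source. The class name, the consent wording, the 48-hour token lifetime and the sample addresses are all constructed for the example; a real deployment would persist the events durably and send the token in the confirmation email.

```python
"""Double opt-in with an append-only consent log (added example, not from the article)."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed form wording; version it so the log shows exactly what the user agreed to.
CONSENT_TEXT = "I agree to receive the newsletter. Privacy notice v3 applies."


class ConsentLedger:
    """Hypothetical ledger: pending requests, subscriber status and the audit trail."""

    def __init__(self, token_ttl: timedelta = timedelta(hours=48)):
        self._ttl = token_ttl
        self._pending = {}   # sha256(token) -> {"email", "expires"}
        self._status = {}    # email -> "confirmed" | "unsubscribed"
        self.events = []     # append-only: never edited or deleted, only appended

    def _log(self, event, email, ip, source, now, **extra):
        record = {"event": event, "email": email, "ts": now.isoformat(),
                  "ip": ip, "source": source, **extra}
        self.events.append(record)
        return record

    def request_subscription(self, email, consent_checked, ip, source, now=None):
        """Step 1: form submission. Creates a pending request only; nothing is sent yet."""
        now = now or datetime.now(timezone.utc)
        if not consent_checked:
            # An unticked (or pre-ticked) box is not consent: record the refusal and stop.
            self._log("signup_rejected_no_consent", email, ip, source, now)
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked pending table must not let anyone confirm on the user's behalf.
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = {
            "email": email, "expires": now + self._ttl}
        self._log("signup_requested", email, ip, source, now, consent_text=CONSENT_TEXT)
        return token  # goes into the confirmation link

    def confirm(self, token, ip, now=None):
        """Step 2: the subscriber clicks the link. This event is the proof of consent."""
        now = now or datetime.now(timezone.utc)
        pending = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if pending is None:
            # Unknown or already-used token (replays are rejected because pop() removed it).
            self._log("confirm_rejected_unknown_token", None, ip, "confirm_link", now)
            return False
        if now > pending["expires"]:
            self._log("confirm_rejected_expired", pending["email"], ip, "confirm_link", now)
            return False
        self._status[pending["email"]] = "confirmed"
        self._log("consent_confirmed", pending["email"], ip, "confirm_link", now)
        return True

    def unsubscribe(self, email, ip, source="unsubscribe_link", now=None):
        """Withdrawal must be as easy as giving consent, and equally well logged."""
        now = now or datetime.now(timezone.utc)
        self._status[email] = "unsubscribed"
        self._log("unsubscribed", email, ip, source, now)

    def may_send(self, email):
        """The only question the sending job should ask."""
        return self._status.get(email) == "confirmed"

    def consent_proof(self, email):
        """Everything you could show a supervisory authority for one address."""
        return [e for e in self.events if e["email"] == email]


def demo():
    """Walk one address through the flow; returns the event names in its proof record."""
    t0 = datetime(2024, 7, 1, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger()
    token = ledger.request_subscription("alice@example.com", True, "203.0.113.5", "footer_form", now=t0)
    ledger.confirm(token, "203.0.113.5", now=t0 + timedelta(hours=1))
    ledger.unsubscribe("alice@example.com", "203.0.113.5", now=t0 + timedelta(days=30))
    return [e["event"] for e in ledger.consent_proof("alice@example.com")]


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight: the sending job consults `may_send()` and nothing else, so an address that never clicked the link can never receive a campaign; and `consent_proof()` reads straight from the log, so answering a complaint is a query rather than a reconstruction.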
Privacy isn’t paperwork. It’s proof of seriousness.
Get serious. Or get ready for fines.
Head of Compliance and Legal Department
Francesco Cattaneo is Head of Legal & Compliance at XTROVERSO™. A qualified Italian lawyer and CIPP/E-certified privacy expert, he bridges civil law, digital regulation, and strategic governance. His writing challenges the false divide between law and innovation, showing how clear rules, when well-crafted, are not limits but instruments of freedom, protection, and long-term design.