But how?

On the 25th of May, 2018, the GDPR (General Data Protection Regulation) will replace the current Data Protection Act (WBP). This new legislation applies to the entire European Union and has two important consequences: strengthening and extending privacy rights and more responsibilities for organisations. The ESP will play an important role in this and as an email marketer, of course, you want to know if Clang is ready for the GDPR. The answer is: YES! On this page, you can read how Clang is ready for the GDPR.

Processing Data

Processing data

Email marketing is a form of direct marketing. On direct marketing, Article 6 of the GDPR states:

"The processing of personal data for the purpose of direct marketing can be regarded as carried out with a view to a legitimate interest."

This means that the GDPR states that the processing of personal data for email marketing purposes is permitted on the basis of a legitimate interest. There is a legitimate interest when there is a relevant and appropriate relationship between an organization and the person whose data is being processed. This relationship is, for example, present between an organization and its customers. As long as the marketing interest outweighs the privacy interest of the data subject, it is permitted to process personal data. The way in which you process personal data must be included in the privacy statement.

Rights and obligations

The GDPR brings with it a number of new rights and obligations. As soon as a person concerned wishes to make use of such a right, you are obliged to be of service as soon as possible. Below are some rights and obligations highlighted and how you can meet them here with Clang.



Do not throw away your database!

Requesting an opt-in for sending commercial e-mails is regulated in the Telecommunications Act (Tw). This law remains unchanged. Everything else, such as processing data, is in the GDPR. The GDPR has a direct influence on the Telecommunications Act, because this Act refers to the Personal Data Protection Act (Wpb) for the definition of obtaining permission and the Wpb will be replaced by the GDPR on 25 May. The main difference is that the consent of the person concerned must henceforth be 'unambiguous.' The permission must be an active voluntary act and cannot be derived from an agreement to the general terms and conditions.


The GDPR requires the burden of proof. If you have obtained permission from the person concerned, then you must be able to prove it. Otherwise, the rules for the opt-in and opt-out remain as they are. As long as your opt-ins have been obtained in accordance with the current legislation and you can demonstrate how, you do not have to re-apply your opt-ins and certainly do not have to throw them away! See a summary of what you must do to meet the opt-in requirements below:



The email opt-in must be a clear and affirmative action.

The opt-in must be recorded in your database so that you can prove that you have actually received permission from the person concerned.

The opt-in must be separate from other conditions and may not be a condition for delivering a product or service. "When you accept the general terms and conditions you will automatically be registered for our newsletter'' is therefore prohibited.

It is forbidden to tick the opt-in checkbox automatically. This is called 'Privacy by default'.

You need separate opt-ins if you use the data in different ways, or when you use the same data for different purposes. This is also called 'goal-binding'.

Recipients have the right to withdraw the opt-in. You must clearly tell the recipient how they can unsubscribe. This can be included in a 'Privacy Statement.'

Scroll to Top