Data protection and transparency have always been core tenets of Emarsys – even before GDPR came into force on 25th May, 2018. These high standards are the basis of our certification with the Certified Senders Alliance (CSA), which manages an allowlist to ensure safe delivery of emails to several ISPs and mail providers. Its quality standards cover legal and technical admission criteria.
We would like to inform you of two recent changes to these standards.
Data to retain following a GDPR data deletion request
Even following a data deletion request, proof of double-opt-in should be kept for 3 years.
Since GDPR introduced the 'right to be forgotten', customers can contact you and request that all the data you hold on them be deleted.
However, Art. 17 para. 3 e explicitly allows some data to be retained, for example in order to protect you from litigation. The CSA, for instance, expects businesses to keep at least the following data for the duration of the statute of limitations (e.g. in Germany 3 years after the latest sending):
- The declaration of consent.
- The contact email address.
- The “place” (e.g. registration form) and time of the data collection and the DOI.
You can read the CSA's own advice here: