GDPR Compliance
Last Updated: March 26, 2025
Our Commitment to GDPR Compliance
At Suppression Manager, we are committed to ensuring compliance with the General Data Protection Regulation (GDPR), which enhances the protection of personal data for all EU citizens. This page outlines how we comply with GDPR requirements and how our service helps you maintain compliance in your email marketing activities.
How Suppression Manager Supports Your GDPR Compliance
Our email suppression management service is designed to help you comply with GDPR requirements in the following ways:
1. Right to Be Forgotten (Erasure)
Our suppression lists and blacklists ensure that individuals who have requested to be forgotten are not contacted again. When an individual unsubscribes or requests deletion of their data:
- Their email address is added to the appropriate suppression list
- Their email address is stored as an MD5 hash for security and privacy
- The system prevents future communications to that address
2. Data Minimization
We implement data minimization principles by:
- Only storing the minimum necessary information (email addresses and their hashes)
- Not requiring or storing additional personal data beyond what is necessary for suppression management
- Providing options to store only hashed versions of email addresses for enhanced privacy
3. Secure Processing
We ensure secure processing of personal data through:
- Encryption of data in transit and at rest
- Secure hashing of email addresses
- Role-based access controls
- Regular security audits and updates
- DDoS protection for unsubscribe pages
4. Data Processing Records
Our system maintains detailed records of processing activities, including:
- When email addresses are added to suppression lists
- The source of the suppression request (which offer/campaign)
- Geographic information for compliance with regional regulations
- Audit logs of system access and changes
Our Role as a Data Processor
Under GDPR, Suppression Manager acts as a data processor for our customers, who are the data controllers. This means:
- We process personal data only on documented instructions from you, the controller
- We implement appropriate technical and organizational measures to ensure data security
- We assist you in fulfilling your obligations to respond to data subjects' requests
- We help you meet your obligations regarding security of processing, notification of data breaches, and data protection impact assessments
- We delete or return all personal data to you after the end of service provision
- We provide you with all information necessary to demonstrate compliance with GDPR Article 28
Data Processing Agreement
We offer a Data Processing Agreement (DPA) to all our customers that outlines:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
- Subprocessor management
- International data transfer safeguards
To request our DPA, please contact legal@optout.email.
Data Subject Rights
We help you fulfill data subject rights requests by providing tools to:
- Verify if an email address is in a suppression list
- Remove an email address from a suppression list when appropriate
- Export suppression data in a machine-readable format
- Document consent and unsubscribe actions
International Data Transfers
For customers in the EU, we ensure that any transfer of personal data outside the European Economic Area (EEA) is done with appropriate safeguards in place, such as:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules
- Adequacy decisions by the European Commission
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation to ensure compliance with GDPR requirements. You can contact our DPO at dpo@optout.email.
Contact Us
If you have any questions about our GDPR compliance or need assistance with your own compliance efforts, please contact us at gdpr@optout.email.