4 min read

Email Archiving Compliance Laws in Europe

As of 2018, almost 125 billion business emails are sent each day. Using email to maintain existing customer relationships and gain new business has been a tried and trusted method since its inception. However, with the sheer amount of data and number of spam emails being sent around the world, there is an ongoing need for email compliance and email regulation, particularly when you are looking to implement an email archiving solution.

In terms of European email laws, the European Union (EU) introduced the General Data Protection Regulation (GDPR), email legislation which has had a massive impact on business’ use of customer emails and their responsibilities when it comes to sensitive data.

While there are 28 countries within the EU, there are also countries not in the union with their own regulations. We’ve taken a look across Europe to identify email compliance law that businesses must adhere to, and take into account when putting together an email retention policy.

European Union and Unsolicited Emails

In the EU, the Privacy and Electronic Communications Directive 2002, known as the E-Privacy Directive, offers guidance for the member states to protect its citizens from spam. One of the email archiving compliance laws is that using email addresses for marketing isn’t allowed unless:

  • Consent has been gained from the recipient,
  • Identification and contact information is clear in the message, and
  • An option to unsubscribe is available in each email.

The laws were then tightened up in 2018 with the introduction of GDPR, becoming legally binding for all member states. The regulation must be adhered to by individuals and businesses. It also applies to anyone who sends messages from outside of the EU to people within the EU. The expectations are:

  • Explicit consent is required (tick boxes aren’t enough).
  • Users must be informed of the purpose of collecting their data.
  • All content must be recorded – if private data is processed, a data protection officer must be appointed.

The regulation also works in retrospect, so data collected in the past has to be re-verified if you can’t prove the user’s previous consent.

Failure to follow these laws could lead to sanctions which could reach a maximum of 4% of annual global turnover or €20m (whichever is greater).

Outside of the EU

Outside of the EU, other European nations can choose their own email archiving compliance laws. Here are a few examples:


Norway has the Marketing Control Act 2009 and Electronic Commerce Act 2003, both of which look at SPAM regulation. It requires:

  • Consent (implicit or explicit) from users in an opt-in approach.
  • The commercial nature of the correspondence needs to be clear.
  • Special regulations apply when prices or discounts are mentioned.
  • The sender must show clear identification and contact information.
  • An option to cancel the subscription is a must.

Failure to do so could lead to 6 months in prison or a fine.


Businesses must state that any client data they have is processed legally, purposely and securely. Companies are required to:

  • Opt-in is required with a preference for a double opt-in.
  • Inform users that the email must state it is a commercial.
  • Place identification of the sender and contact information must be clear to users.
  • Include an option for unsubscribing.

Breaching this law is seen as a criminal offence and could face up to three years in prison or a fine of CHF 100,000.


The purchasing of mailing lists is allowed but consent for communication must be re-verified. Companies are required to:

  • Have opt-in options (single or double) except for emails that are B2B.
  • The Sender identification and contact information must be shown.
  • Offer an unsubscribe option which must be processed within 3 days.

Companies that fail to comply face fines up to TRY 15,000. Repeat offenders could face fines that are 10 times that of the original fine.

Europe and Email Retention Policy

An email retention policy is related to how long emails stay within an archiving server before being deleted completely. To be compliant with email in the EU and beyond, it is expected that email retained on a businesses’ system must follow the retention policy set out. With emails containing sensitive data of customers and clients that hackers will be looking for, proving you have the steps in place alongside the security is important. The complicated aspect is that every country and even every industry will have different regulations for how long you should retain emails.

In Europe, the rules on email retention are more relaxed compared to the USA. Within the EU, for example, the retention of emails should only be kept for as long as they are necessary for the business. The UK follows this suit and instead suggests the best practices for what emails should be kept and for how long. The EU is more interested in punishing those businesses that aren’t making the effort to comply with current regulations and still run outdated policies.

In summary, the sensitive data found within emails must be protected from hackers at all costs. Data should then be purged to avoid any data breaches in the future.

Email Legal Compliance Checklist for the EU

There are various things that you can do in your business to ensure it is compliant across Europe and beyond in terms of email communication:

  1. User opt-in: Most countries now expect senders to gain opt-in permission for users.
  2. Avoid false subject lines: Compliance laws prohibit the sending of emails with false or misleading subject lines.
  3. Give users an easy way to opt-out: A clear method to opt-out of email subscriptions must be given.
  4. Secure evidence: Secure evidence of those who have opted in to receive your emails.
  5. Monitor the reply-to address: Certain countries require proof that the reply-to address is being monitored.
  6. Use a valid postal address: It is vital that a valid postal address for your company is listed on emails.
  7. Provide different unsubscribe methods: Some countries expect companies to give users different methods of unsubscribing, such as via email, telephone and so on.
  8. Avoid harvesting: If your company harvests emails, this will not be accepted in a lot of countries.
  9. Create a privacy policy: Always link to a privacy policy that is easy and straightforward to read for all users. The date of the policy must be seen as well information on how a user can request their personal identifiable information.

Cryoserver and Email Compliance

Cryoserver can store your company emails in a safe and secure place for easy retrieval and deletion on request. Our servers comply with GDPR regulations, giving you the proof you need that you are protecting the data of your customers. It can also be integrated with Office 365 for easy archiving. Contact us today for how we can help your business be GDPR compliant with your emails.


Book a demo of Cryoserver with us today.

  • Free 14-day trial
  • Easy Setup & Migration
  • Excellent Support
Book Demo Contact