What is a data processor in email marketing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When you upload your subscriber list to an ESP like Mailchimp or Brevo, you're entering a formal legal relationship. You're the data controller. They're the data processor.

Data controller = the person who decides what data is collected and why. That's you, the brand. You decide which subscribers to store, what you'll send them, and how long you'll keep their data.

Data processor = the company that handles that data on your behalf, under your instructions. Your ESP processes your list when it sends campaigns, but it can't use that data for its own purposes.

This distinction matters because under GDPR and similar laws, you as the controller are still responsible for how your processor handles the data. If your ESP has a breach, you can't just point at them. You need a Data Processing Agreement (DPA) in place, and you need to have chosen a processor who can actually meet GDPR standards.

Most reputable ESPs have DPAs ready to sign and maintain SOC 2 or ISO 27001 certifications to prove it. Check for these before you sign up, not after.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Understand your controller-processor obligations with your current ESP.

I'm trying to understand my GDPR obligations as a data controller. I use my ESP to send emails to my audience type. Can you explain what my data processor relationship looks like in practice, what a DPA should cover, and what I should verify about my ESP's compliance before I sign?

Edit the yellow boxes, then send to the AI of your choice.