What are regional routing rules (GDPR, data residency)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Regional routing rules decide where your email data physically lives and gets processed. If you have EU subscribers, this is not a nice-to-have. Sending their data to a US-only ESP without the right legal paperwork can put you on the wrong side of GDPR.
Here is what actually matters.
What counts as personal data in email
Under GDPR, almost everything an ESP touches is personal data. Email addresses. Names. IP addresses captured from opens. Click logs. Geo-location from tracking pixels. Bounce reasons that include the recipient's mail server reply. All of it.
That means the servers handling those events, the databases storing them, and the backup tapes sitting in some other region all fall under the rules.
What GDPR actually says about leaving the EU
GDPR does not ban moving data out of the EU. It restricts it. You can transfer personal data to a country outside the EU/EEA in three main ways:
- Adequacy decision. The European Commission has decided the destination country protects data well enough. The UK, Switzerland, Japan, and a handful of others qualify. The US qualifies only under the EU-US Data Privacy Framework, and only for companies that have self-certified.
- Standard Contractual Clauses (SCCs). Pre-approved legal contract templates from the European Commission. Both sides sign. You also have to run a transfer impact assessment to check the destination country's surveillance laws will not undermine the contract.
- Binding Corporate Rules (BCRs). Internal rules for multinational companies, approved by an EU data protection authority. Slow and expensive to set up. Mostly only large enterprises bother.
For a plain-English read on what these mechanisms are, the European Data Protection Board guidelines on Article 46 transfer tools are the source most legal teams cite.
Data residency is a separate thing
GDPR is about transfers out of the EU. Data residency rules say data has to stay inside a specific country, full stop. Russia, China, and India have versions of this. Some German state contracts insist on German-only hosting. Healthcare and financial services often add their own location requirements on top.
If a customer asks for "data residency in Germany," they do not mean GDPR. They mean the bits cannot leave German soil. Different problem, different answer.
How ESPs handle this in practice
ESPs with EU customers usually run separate infrastructure in the EU. When you sign up, you pick a region. That choice controls:
- Which data center stores your contacts and campaign data.
- Which IPs your sending traffic goes through (see how ESPs decide which IPs to use).
- Where the DNS lookups and bounce logging happen.
- Where backups and audit logs live.
Mailchimp, Brevo, Klaviyo, SendGrid, Postmark, and most others publish a Data Processing Addendum (DPA) that lists exactly which sub-processors touch your data and where they sit. Read it before you sign. If the DPA names US sub-processors and your data must stay in the EU, you have a problem the sales rep cannot fix.
Also check whether the ESP's tracking pixels and click-redirect domains run from EU servers. Some platforms host the app in Frankfurt but route every open event through a US tracking endpoint, which defeats the point.
What can go wrong
A few things to watch for:
- Feature gaps. Some ESP features (AI subject line tools, certain integrations) only run in the US region. If you pick EU, you lose them.
- Latency. Forcing all traffic through EU infrastructure for a US recipient adds milliseconds. Usually invisible. Occasionally not.
- Support staff. GDPR cares about access to data, not just storage. If a US support engineer can log into your EU account and pull contact records, that is still a transfer. Check the support model.
- Backup regions. Disaster recovery copies often live somewhere else. Confirm where.
What to do
Ask your ESP three questions before you commit:
- Where is the data stored, processed, and backed up? Get the answer in writing, in the DPA.
- Which sub-processors have access, and where are they?
- What is the legal transfer mechanism if any of those answers involves leaving the EU?
If you cannot get clean answers, that tells you what you need to know.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.