Using phpList for compliance with the GDPR

This chapter provides an overview of the features and functionality of phpList version 3.3.3 and higher that are implemented to help phpList administrators comply with the General Data Protection Regulation (GDPR) in their data management practices.

The GDPR is a regulation in EU law which sets out legal requirements for how the data of people in the EU is handled, including the kind of data collected by installations of phpList. The regulation applies to all entities which handle such data, regardless of where those entities are based. In addition, the EU's directive on electronic privacy contains rules on the use of email for the purposes of direct marketing.

Ultimately, it is the administrators of a given installation of phpList who are responsible for managing data responsibly. The technical features of phpList described below relate to common strategies for complying with the regulations as they stand.

Note: The GDPR is a comprehensive set of regulations which covers much more than just the technical operation of the newsletter software that you use. For comprehensive information about entities' responsibilities, consult the Information Commissioner's Office, the European Commission website, or independent legal advice. The full text of the GDPR is also available online.

Note: Features which are not present in older versions are labelled (⇮phpList-3.3.3) for convenience.

Sensitive ("special category") data

The GDPR makes distinctions between different types of data and the protections they require.

Justification for data processing

The GDPR requires that organisations have one of six possible legal justifications for processing subscriber data.

The justification most commonly used by newsletter and email marketers is that consent has been obtained from all of their subscribers. In some situations, marketing by email may only be carried out with consent. The GDPR uses a specific definition of consent, and defines how it may be obtained and managed. phpList can readily be used to obtain and manage subscriber consent.

Legitimate interest

Right of access

The GDPR grants people in the EU the right to access the data you have which relates to them.

Right to rectification

The GDPR grants people in the EU the right to update inaccurate data which you store about them.

Right to erasure

The GDPR grants people in the EU the right to have their data erased in some situations.

Revision #2
Created 24 May 2019 14:00:38 by mariana
Updated 12 September 2019 19:52:02 by neil_brown