GDPR Compliance

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that took effect on May 25, 2018. It applies to all organizations processing personal data of EU residents, regardless of where the organization is located.

GDPR governs how personal data is collected, processed, stored, and protected. It gives data subjects significant rights and imposes strict obligations on organizations that process personal data.

MailSteady recognizes the importance of data privacy and is committed to maintaining full compliance with GDPR requirements.

2. GDPR Applicability

2.1 Who Does GDPR Apply To?

GDPR applies to MailSteady if we:

Process personal data of EU residents (data subjects)
Operate or have customers in the EU
Offer products or services to EU residents

2.2 Your GDPR Obligations as a MailSteady Customer

As a customer using MailSteady, you may be a Data Controller or Data Processor under GDPR. You are responsible for:

Obtaining valid consent or legal basis before collecting recipient emails
Ensuring compliance with email marketing laws (CAN-SPAM, GDPR, CASL)
Maintaining records of consent or lawful basis for processing
Honoring unsubscribe and data deletion requests from recipients
Ensuring your email content complies with applicable laws
Assessing whether a Data Processing Agreement (DPA) is needed

                Important: MailSteady provides inboxes and infrastructure only. You are responsible for ensuring your use complies with GDPR and all applicable email marketing laws. We strongly recommend consulting legal counsel to assess your obligations.
            

3. Data Subject Rights Under GDPR

GDPR grants data subjects (EU residents) the following rights regarding their personal data:

Right of Access

Data subjects can request access to their personal data that we hold and receive a copy of it.

Right to Rectification

Data subjects can request correction of inaccurate or incomplete personal data.

Right to Erasure

Data subjects can request deletion of their personal data under certain circumstances (right to be forgotten).

Right to Restrict Processing

Data subjects can request limitation of how their data is processed in certain situations.

Right to Data Portability

Data subjects can request their personal data in a portable format and transmit it to another controller.

Right to Object

Data subjects can object to processing of their data for specific purposes, including marketing.

Right Not to Be Subject to Automated Decision Making

Data subjects have rights regarding automated decision-making and profiling.

Right to Lodge a Complaint

Data subjects can lodge complaints with their local Data Protection Authority.

3.1 Exercising Data Subject Rights

MailSteady account holders (controllers) are responsible for responding to data subject requests. MailSteady will assist as needed. To request access to your own personal data held by MailSteady, contact us at support@mailsteady.com.

4. Legal Basis for Processing

4.1 How We Determine Legal Basis

Under GDPR, we can only process personal data when we have a valid legal basis. MailSteady processes personal data based on the following legal bases:

4.2 Legal Bases

Contract Performance: Processing necessary to provide our services (account creation, payment processing, inbox delivery)
Legal Obligation: Processing required by law (tax records, legal compliance, anti-fraud)
Legitimate Interests: Processing for our legitimate business interests (service improvement, security, analytics)
Consent: Explicit consent from the data subject for specific processing (marketing communications)

4.3 Your Responsibility as a Customer

As a customer collecting email addresses for cold outreach, you must ensure you have a valid legal basis for processing recipient emails. Valid bases typically include:

Express consent from the recipient (opt-in)
Pre-existing business relationship
Legitimate interest (if balancing test favors processing)

You are responsible for maintaining documentation of your legal basis for processing.

5. International Data Transfers

5.1 Data Transfer Mechanisms

If you are located in the EU/EEA and your personal data is transferred outside the region, MailSteady ensures adequate safeguards through:

Standard Contractual Clauses (SCCs): EU-approved contractual terms for international transfers
Data Processing Agreements: Binding agreements ensuring GDPR compliance
Privacy Shield / Adequacy Decisions: Where applicable

5.2 Your Data Location

Please contact us at support@mailsteady.com for specific information about where your data is stored and processed.

5.3 Transfer Impact Assessment

We conduct Transfer Impact Assessments (TIAs) to ensure personal data transfers comply with GDPR requirements, particularly following the Schrems II decision.

6. Data Processing Agreements (DPA)

6.1 When Is a DPA Required?

A Data Processing Agreement is required when:

You are an EU-based Data Controller
You process personal data of EU residents
You need MailSteady to process personal data on your behalf

6.2 Our DPA

MailSteady has a Data Processing Agreement in place that complies with GDPR requirements, including:

Clear definition of processing activities and responsibilities
Data subject rights assistance
Security and confidentiality obligations
Subprocessor management
Data breach notification procedures
International transfer mechanisms
Audit and compliance provisions

6.3 Requesting a DPA

If you require a Data Processing Agreement with MailSteady, please contact us at support@mailsteady.com. We will provide our standard DPA for your execution.

                Note: A DPA is typically required if you are using MailSteady as a Processor for personal data. If you are independently operating as a Data Controller, you may not need a DPA with MailSteady.
            

7. Data Breaches & Notification

7.1 Data Breach Definition

A data breach occurs when there is unauthorized or accidental access, disclosure, or loss of personal data. Under GDPR, we must notify affected parties and supervisory authorities of breaches without undue delay.

7.2 Our Data Breach Protocol

In the event of a data breach affecting personal data:

We will immediately investigate and assess the scope and impact
Notify affected EU data subjects without undue delay (typically within 72 hours)
Notify the relevant Data Protection Authority (DPA) within 72 hours
Provide information about remediation steps and available support
Document and maintain records of the breach

7.3 Your Notification Obligations

If a breach affects personal data you control, you are responsible for notifying affected individuals and regulatory authorities. MailSteady will provide you with information to facilitate your compliance with notification obligations.

7.4 Reporting a Suspected Breach

If you suspect a data breach, immediately contact us at support@mailsteady.com.

8. Privacy Impact Assessments (DPIA)

8.1 What Is a DPIA?

A Data Protection Impact Assessment (DPIA) is a systematic analysis of the processing activities, risks, and safeguards for personal data processing that may pose high risks.

8.2 When Is a DPIA Required?

A DPIA is typically required for:

Large-scale processing of personal data
Processing involving automated decision-making
Processing of special categories of data
Systematic monitoring activities

8.3 MailSteady and DPIAs

As a customer using MailSteady, if your use involves high-risk processing, you may need to conduct a DPIA. MailSteady will assist by providing necessary information about our processing activities and security measures.

8.4 Requesting DPIA Information

Contact us at support@mailsteady.com if you need information for your DPIA assessment.

9. Supervisory Authorities

9.1 What Is a Supervisory Authority?

Supervisory Authorities (SAs) are independent public authorities responsible for monitoring GDPR compliance in their respective countries or regions. Each EU/EEA member state has at least one SA.

9.2 Right to Lodge a Complaint

If you believe MailSteady is not complying with GDPR, you have the right to lodge a complaint with your local Supervisory Authority. A list of EU/EEA SAs is available at edpb.europa.eu.

9.3 Cooperation With Authorities

MailSteady cooperates fully with Supervisory Authorities and regulatory investigations related to GDPR compliance.

9.4 Common Supervisory Authorities

Ireland: Data Protection Commission (DPC) - for MailSteady as the primary authority
Spain: Spanish Data Protection Authority (AEPD)
France: Commission Nationale de l'Informatique et des Libertés (CNIL)
Germany: Bundesbeauftragte für Datenschutz und Informationsfreiheit (BfDI)
Austria: Austrian Data Protection Authority (DSB)

10. Contact & Support

10.1 GDPR Inquiries

For questions about GDPR compliance, data subject rights requests, or to report concerns, please contact:

MailSteady Support Team
Email: support@mailsteady.com

10.2 Assistance Available

MailSteady can assist with:

Data subject access requests (SARs)
Deletion and erasure requests
Data correction and rectification
Data portability requests
Data Processing Agreement negotiation
DPIA and compliance assessment information
Breach notification support

10.3 Response Times

We aim to respond to all GDPR-related requests within 30 days. For data subject access requests, we will provide a substantive response within 30 days of the request (extendable by 60 days for complex requests).

                Guidance Note: MailSteady provides GDPR compliance infrastructure. You remain responsible for ensuring your use of the service complies with GDPR and all applicable laws. We recommend consulting with a data protection expert if you have complex compliance requirements.
            

Additional Resources

For more information about GDPR, visit:

European Data Protection Board (EDPB): edpb.europa.eu
European Commission GDPR Information: ec.europa.eu/info/law/law-topic/data-protection_en
Your Local Data Protection Authority's website

MailSteady also recommends reviewing our Privacy Policy and Terms of Service for additional compliance information.

Table of Contents

Questions About GDPR Compliance?