Rightfully received data

Before you import contacts into Flexmail, you need to make sure you have a legal right to store and email them. This is not just a Flexmail requirement. It is a GDPR obligation. During every import, Flexmail asks you to confirm this explicitly

What counts as rightfully received data?

Under GDPR, you need a valid legal basis to process personal data. For email marketing, the most common bases are:

  • Consent: the contact actively gave you permission to email them, for example by filling in an opt-in form
  • Legitimate interest: you have a genuine business reason to contact the person, and their interest in not being contacted does not override yours. This applies more narrowly than many people assume.
  • Contractual necessity: emailing the contact is necessary to fulfil a contract with them, such as sending an order confirmation or service update

Contacts from opt-in forms

Contacts who subscribe through a Flexmail opt-in form have given you documented, double-confirmed consent. Their data is always rightfully received. Flexmail handles the confirmation process automatically.

What you should not import

  • Purchased contact lists
  • Scraped email addresses from websites
  • Contacts who subscribed to a different organisation's communications
  • Old lists where consent was collected under different terms or through a different brand

GDPR  GDPR Article 6 defines the legal bases for processing personal data. If you are unsure whether a specific list qualifies, consult gdpr-info.eu/art-6-gdpr/ or seek legal advice. Flexmail cannot assess whether your specific data is lawfully obtained. That is your responsibility as the data controller.

Common mistakes to avoid

Consent collected years ago under vague terms, such as "I agree to receive communications from our partners," is unlikely to meet GDPR's requirement for specific, informed, and freely given consent. If you are unsure whether old consent is still valid, it is safer to run a re-consent campaign before importing.

Over-relying on legitimate interest

Legitimate interest is often cited as a basis to email people who never explicitly opted in. In practice, GDPR requires you to conduct a balancing test showing that your interest genuinely overrides the contact's privacy rights. For cold marketing email, this bar is rarely met. When in doubt, use consent.

Importing a purchased list without checking

Purchased lists almost never meet GDPR consent requirements. The contacts gave their data to a different organisation for different purposes. Emailing them puts you in violation and typically generates high complaint rates, which directly damages your sending reputation.

GDPR considerations

As the data controller, you are responsible for the lawfulness of the data you bring into Flexmail. Flexmail processes that data on your behalf as a data processor, acting under the terms of the data processing agreement. The legal basis for processing is yours to determine and document.

Keep a record of how and when you obtained consent for each group of contacts. If you ever receive a subject access request or an audit, that documentation is your proof of compliance.

Next steps

Related articles

What else is there to know about Flexmail?
How to do that exactly in my account?
Need some inspiration?
Did this answer your question? Thanks for your feedback There was a problem submitting your feedback. Please try again later.

Didn't find what you were looking for? Contact Us Contact Us