bento icon close

Everything you need to know and the measures Sarbacane takes

Personal data are not data like any other, protecting them is a necessity, and now an obligation. The range of topics covered by the DPO is extremely varied. It's an exciting job!"


Data Protection Officer for Sarbacane

Certified "Data Protection Officer" by the Professional Evalution and Certification Board*

*Certificate No.: DPCDPO1052813-2022-11

How does Sarbacane help you be compliant with the GDPR

A 'GDPR compliant' app

The Sarbacane application provides its users with tools allowing them to communicate in compliance with the GDPR, namely :

  • Automatic management of unsubscriptions
  • Creation and administration of black lists
  • Recording of data related to the registration and unsubscription of contacts
  • Mandatory legal information to be displayed when creating contact forms
  • Double opt-in registration validation on contact forms

Invariable moderation of the sends

Each campaign sent with Sarbacane is analyzed and moderated before its final sending.

This verification enables Sarbacane to ensure that its users comply with the European regulation. If it's not the case, Sarbacane may refuse certain shipments. The reasons may be: a recipient base obtained without consent, no unsubscription link, etc.

GDPR: definition, context and scope

What is GDPR?

The GDPR is the General Data Protection Regulation. It was adopted by the European Parliament on April, 14 2016 and entered into force in the European Union on May, 24 2018. It aims to strengthen the protection of individuals and their fundamental rights by providing a legal framework for the processing of their personal data.

Who is responsible under the new European regulation?

In the GDPR there two types of players: data controllers and subcontractors.

Are you one of these players?

To sum it up: The controller determines the purpose(s) and means of processing applied to the personal data.

Subsequently, they may use one or more subcontractor(s) at certain stages of the data processing. These subcontractors act on behalf of and according to the instructions of the controller. Under the GDPR, subcontractors may also be held liable in some cases.


Are you a Marketer, Communication Manager, Sales Representative, Operational Manager, IT Administrator, Legal Assistant, eCommerce specialist, or in charge of Human Resources?

If yes, then you certainly play a role in the purpose and means of processing applied to personal data in your company. However, it's your company, the legal entity, and not yourself who is the controller. Unless it is demonstrated that you personally, have acted independently in determining the particular purposes and means of data processing.

To what extent are those responsible for the data processing liable?

Preparatory requirements

From May 25, 2018, two main principles are to be taken into account: privacy by design and privacy by default and responsibility.

Privacy by design and by default

Data protection by design or by default is the need to systematically integrate the necessary measures to ensure protection of personal data when creating a new product or a service. Any player at whatever stage in the creation process of a product of a service, must comply with this principle.


Added to this is the principle of accountability. Personal data controllers and subcontractors must also implement processes that safe guard protection of personal data, and be able to provide evidence of their conformity with the European regulation at all times (In other words: To be able to permanently track and confirm the efficiency of these processes through documentation and internal measures).

In which areas is the GDPR applicable?

The scope is as follows: Those who will be impacted are controllers and subcontractors based in the European Union (EU), and those located outside the EU providing goods or services to people located within the EU or monitoring their behaviour in the EU.

How should you prepare to comply with this regulation?

The rights and obligations foreseen in the European regulation include:

Data portability

Your customer will be able to require you to send them all their data on a legible medium, to be given to your competitors, should they choose to change suppliers.

Notification of personal data violation

If the protection of data has been violated (mistakes, non-authorization, etc) the controller of the data processing is obligated to inform Authorities within 72 hours. In some cases even the people whose data has been violated need to be informed if the risk of infringement of their rights and freedoms is high.

Keeping a register of data processing

with conditions, is highly recommended.

Appoint a Data Protection Officer (DPO)

Under certain conditions. Ensures the protection of personal data.

Carrying out impact assessments

Carrying out impact assessments in the event of high risk of damaging personal data protection, before implementing a new process. This is particularly recommended for processes that are already in place presenting a high risk.

What are the sanctions?

In the case of non-compliance with personal data protection regulations, a new scale of sanctions applies. A fine can reach up to 20 million euros, or 4% of the total annual global revenue, whichever amount is higher will be issued.

As a marketing professional and/or digital communications manager, what data can be processed?

It isn't just the message (nature, meaning) you send that will need to change in order to meet the requirements of GDPR, but also the way in which you treat the personal data of your contacts. Be transparent by informing them prior to the data processing. In the case where legal justification is based on consent, you must be able to provide valid evidence that consent was given.

What is personal data and how does it fit into email marketing?

Personal data is an information that can be used to directly or indirectly identify a natural person. An email address such as '' directly identifies a person, while a client number identifies a person indirectly.

On the other hand, a generic email address by itself does not identify an individual (unless you have additional information). Email addresses like '' are coordinates to a legal entity and are not considered to be 'personal data' under the GDPR.

How to deal with consent?

The rules applicable to electronic communication are not questioned by the GDPR.

Note that the draft for European regulation regarding electronic privacy, which is still under debate, touches on topics that combine digital communication and user consent. This topic will continue to develop over the next few months.

When we talk about personal data, we are inclined to think about the consent from the people whose data we are processing. Today, the internet is full of information about the concept of consent and how it has evolved over the years to the current definition set by the GDPR.

The European text reminds us that consent is a legal justification that can serve as a basis for data processing. But it isn't the only justification possible for data processing (ex: the execution of a contract) and, in that sense, it is wrong to affirm that consent is systematically mandatory and will be made a strict rule under the GDPR.

The GDPR reinforces the conditions that apply when data processing based on consent is necessary (for example, in the case of commercial prospecting in B2C) or when you choose to justify data processing by means of consent. You must obtain valid consent in compliance with the GDPR:

This is a clear declaration or act from the person in question

Pre-checked boxes, passive or implicit consent are strictly forbidden.

Consent should be informed

Inform the person in question in clear language about the intended use for their information. The person must be made fully aware of the data processing and its scope.

Consent must be free and specific

- Consent must be free and specific: Consent needs to have a specific purpose (for example, to send commercial offers). And consent must not be forced (meaning, it cannot be associated with discounts, gifts, or services). You also need to distinguish between consent for the processing of data and consent to the Terms of Use.

Inform the person that they have the right to revoke the given consent at any moment

Inform the person that they have the right to revoke the given consent at any moment, stating that revoking the consent is as easy as granting it.

Keep the proof of consent

Keep the proof of consent (the burden of proof is on you): what the person has consented to, the moment when they consented, and to whom. Traceability of consent actions must be implemented: the consent, its purposes and revoked consents.

Provide an easy way for users to revoke consent

Provide an easy way for users to revoke consent. (In the account settings, for example)

In addition, the right to be informed about the processing of data is reinforced by the European regulation. Users must be clearly informed of the use of their data, of the recipients, of the duration of data preservation, of the possibility of rectifying, deleting or limiting the data, or even the possibility of opposing processing.

What is the main obligation of the controller in relation to his subcontractors?

The controller should only use subcontractors who demonstrate sufficient safeguards in the implementation of appropriate technical and organizational data protection measures, so that the processing meets the requirements of the GDPR.

As a customer of an email marketing solution, you take on the position controller using the subcontractor for the routing of your newsletters or email campaigns, sent on your behalf and under your instructions. It is therefore your responsibility to ensure that this email marketing solution implements the necessary means to ensure the protection of personal data.

How does Sarbacane ensure its compliance with the GDPR

Sarbacane is involved on all levels of the ecosystem

A dedicated GDPR compliance team was appointed several months ago. It's formed by several technical and legal professionals, who promote concrete and weekly advances on this matter.

Concrete solutions already in place

The appointment of a Data Protection Officer (DPO)

The implementation of a registry that allows for an up-to-date view of personal data treatment.

Sarbacane has a statement regarding the protection of personal data available to all its users to achieve increasingly transparent communication.

Moreover, Sarbacane's teams receive training regarding new developments concerning GDPR.

Sarbacane has an agreement regarding the processing of personal data.

Sarbacane, i.e. Sarbacane's mother company, is an adherent member of the AFCDP (French Association of Personal Data Protection Correspondents) and thus participates in working groups to discuss the protection of personal data with other professionals.

A note on the processing of data by Sarbacane

Your email and SMS campaign data are hosted in France. When sending SMS, your data is also hosted in the European Union. As part of our customer relationship, when you exchange with the support, your email address and the content of your exchanges are also transmitted and hosted in the United States, under the protection of the European Commission's standard clauses.