GDPR and Partners

What partners need to know about GDPR compliance in our Channel Marketing Solution.

What are my data privacy obligations when participating in the Extu program?

There are four key obligations that partners have when they use Extu’s services to send marketing materials to their subscribers:

  1. Establish the lawful basis for processing personal information on Subscriber lists.
    This means that you:
    • have obtained express consent from the individual recipient on your subscriber list to receive marketing material from you by way of a clear, freely given, fully informed, affirmative action
    • are relying on legitimate interests as the lawful basis for using the email address on your subscriber list to send marketing materials having carried out a documented legitimate interests assessment (i.e. there is a reasonable expectation by the recipient that they may receive marketing material due to an existing business relationship and the privacy impact has been assessed as low). Please see How do I ensure my subscriber list is GDPR compliant? for further information.
  2. Privacy Notices must give full information about the processing of personal data.
    As the controller of your subscriber list, your privacy notice should be compliant with the fairness and transparency requirements under the GDPR, and disclose:
    • The lawful basis that is relied upon for collection and processing of personal information, including the processing of email addresses for direct marketing purposes. In most cases, the lawful basis relied upon will be either consent or legitimate interests. You may also rely on other grounds such as performance of contract or legal obligation where you process personal information in the course of business (e.g. contact information to provide products or services to a particular customer).
    • What personal information you share with Extu (this should include notification that customer email addresses and copies of invoices/receipts will be shared in order to administer and validate campaigns).
    • Who you share personal information with and a list of third-party processors, which includes Extu.
  3. Appropriate technical and organizational measures should be in place Your systems should be secure – this includes having adequate IT and cybersecurity protections, as well as having good internal controls, policies and guidelines regarding the collection, use, sharing and handling of personal information.
  4. Be Extu’s partner in privacy. We need to work together to ensure we adhere to appropriate privacy standards and do our best to protect the personal information we collect and process in the course of sending marketing materials. We need to help each other address any privacy questions, complaints or requests, respond to a potential data breach and conduct privacy investigations or assessments. We are here to support you and you must immediately notify us:
    • in the event of a potential or actual data breach
    • if you receive a data subject access request
    • if you receive any complaints or claims from a subscriber or regulator regarding privacy or personal information
    • if you have any questions or concerns about privacy in general.

How do I ensure my subscriber list is GDPR compliant?

Partners should audit their subscriber list and test for GDPR compliance when they first join the program and on a regular basis thereafter. Even if you are not subject to the GDPR, Extu’s terms and conditions require that you have a lawful basis for processing the subscriber lists and for Extu to provide the marketing services.

Auditing your customer list means assessing the email addresses and other information you have collected and checking whether you have a lawful basis for such processing. If you do not have a lawful basis for collection, then the email address should not be included in your subscriber list.

While there are six lawful grounds for processing under GDPR, the bases most likely to apply for the collection and use of an email address for direct marketing purposes are:

  • consent; or
  • legitimate interest.

It is your responsibility to analyse your data processing activities and choose the right basis. If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with your legal advisers to ensure processing activities are properly justified. It is important to remember that the GDPR enshrines the principle of ‘accountability’ which means that you must be able to demonstrate compliance, so diligent record keeping is vital to support these justifications.

The Information Commissioner’s Office also has further information on lawful basis, along with a lawful basis interactive guidance tool to help you determine which basis applies.


Consent means that the relevant individual has freely given their clear, explicit consent to the processing of their personal data for a specific purpose.

When you review your subscriber list you should consider whether express consent was given and whether it is still valid. Valid consent under the GDPR:

  • must be freely given; this means giving people genuine ongoing choice and control over how you use their data
  • should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, user-friendly and on a positive ‘opt-in’ basis as opposed to a pre-ticked box or ‘opt-out’.
  • must specifically detail the controller’s name, the purposes of the processing and the types of processing activity.

Make sure you keep records to evidence consent – who consented, when, how, and what they were told.

Examples of express consent include:

  • Opt-in via a web or online form, provided the opt-in box is not pre-selected by default
  • An offline form is completed that clearly indicates that the individual may be added to your email marketing subscriber list and they have expressly indicated their willingness to receive such emails
  • Giving you their business card; provided that 1) you have explicitly indicated that by giving you their business card they are agreeing to being added to your email marketing subscriber list; or 2) they added their business card to a container or pile that clearly indicated that by adding such business card they are agreeing to being added to your email marketing subscriber list. In either event, you must transparently communicate the basis of your processing via communication of your privacy notice.
  • Providing you with other express written permission to be added to your email marketing subscriber list prior to you contacting them via email.

Further information on consent can be found on the Information Commissioner’s Office website: ICO: Consent and Guidance on Consent

Legitimate Interest

There may be instances where reliance can be placed upon your legitimate interests with subscribers and a ‘soft opt-in’ can be established.

Legitimate interest may be relied upon if the marketing to be carried out is in the legitimate interests of your own business or of a third party, which could include software vendors, where there are reasonable grounds that the individual would expect the processing and there is likely to be a minimal impact on privacy. The EU Commission has confirmed that processing of personal data for direct marketing purposes can be regarded as being carried out for a legitimate interest provided that all of the necessary criteria has been met.

To rely on legitimate interest as grounds for lawful processing, you will need to conduct and keep a record of your legitimate interest assessment. The Information Commissioner’s Office website has a sample legitimate interest assessment template you can use as a guide.

Once you have established and recorded your justification for legitimate interest as grounds for lawful processing, you can review your subscriber list to determine whether any of the email addresses meet the soft opt-in criteria.

Soft opt-in applies to existing customers only (not prospective customers). To be eligible for inclusion under soft opt-in, the email address must have been obtained in the course of a sale of a product or service to that person.

There are no legal time limits enforced regarding soft opt-in, but as a guide, purchases made within six to 24 months of the date of the review could be considered a reasonable timeframe. Remember there must be a reasonable expectation that the subscriber would consent to receive the marketing emails.

Further information on legitimate interest can be found on the Information Commissioner’s Office website: ICO: Legitimate Interests and Guidance on Legitimate Interests.

Quick FAQs

Potentially. The GDPR applies to the extent you:

  • are a business established in the EU
  • offer goods or services to people in the EU or monitor the behavior of people in the EU
  • process the personal information of people in the EU.

Even if the GDPR does not apply to your business, you still have an obligation to comply with local privacy laws and ensure you obtain the necessary consents from your subscribers in relation to the personal information you collect.

You also have an obligation under Extu’s General Terms of Service to comply with certain data privacy requirements (see What are my data privacy obligations when participating in the Extu program?)

Additional information or resources on your local privacy obligations:

Unless you can provide 100% assurance that a list you have purchased is composed solely of individuals who have consented under the GDPR, we do not support partners using a purchased list. Partners should never use email addresses that are copied or scraped from the Internet or newsgroups; from purchased, loaned, or rented lists; or other email addresses that were obtained without either (a) express opt-in and consent from the email recipient or (b) another lawful basis for collection such as legitimate interest.

It is a breach of Extu’s terms and conditions to use third-party lists that do not meet the GDPR’s lawful basis for collection requirements or the consent requirements of local privacy laws.

GDPR is a positive step forward for data protection. It is not about preventing businesses from pursuing their commercial interests. Extu has been working hard to ensure we support our partners with GDPR compliance (see GDRP and Extu) and, as a controller and processor of your data and your subscriber’s data, we are here to help. While we do our best to ensure our service is delivered in compliance with the GDPR, you own and control your subscriber list. This means as a data controller you need to ensure that:

  • your subscriber lists comprises individuals for whom there is a lawful basis for collection
  • you have the adequate disclosures in your privacy notice
  • you know what to do if you receive a privacy request or complaint
  • You have appropriate technical and organizational measures in place.

See partner obligations for more details.

A controller is the party who determines the purposes, conditions and means of processing personal data, while the processor is the party who processes personal data on behalf of the controller. Partners are controllers of their customer’s personal information (including your subscriber list). Given the nature of the multi-vendor digital marketing services provided directly by Extu, we are also deemed a controller under the GDPR.

Where the complaint or request relates to personal data that Extu is a controller over, you should immediately notify Extu by emailing our privacy officer at You will separately need to consider your other obligations over such complaint or request and consider seeking legal advice as to what steps should be taken.

No. You own your list and we will not share it with sponsors without your express permission. In order to deliver our services to your subscribers, we will be granted with a license to access and use your list.

Statistical, behavioral and performance-based data in aggregated and de-identified form.  We may also share details of sales and transactions that you submit to us via receipts/invoices in order to validate the effectiveness of the marketing campaigns. We will seek your consent before we share any lead data with sponsors. Please see our terms of service and privacy notice for more information.

We may share personal information (including your subscriber list) with third parties but only for the purposes of providing or optimizing the services as more particularly set out in our website Privacy Notice.  A full list of Extu’s third party service providers or processors can be found here.

Disclaimer: This is a general guide to some of the requirements of GDPR. This guide does not constitute legal advice or a statement of the steps that you should take to ensure your own compliance, and you agree not to rely on the information provided herein for your own compliance. For complete advisory information, please review the UK Information Commissioner’s Office website – Guide to GDPR. If you have additional questions we encourage you to seek the advice of a legal or privacy professional.

Please note, under your service agreement with Extu, you are wholly responsible for providing, and certifying the lawfulness, of the email addresses of your customers.