GDPR and Email: Who You Can Email and Who You Cannot
- Camari Training

- Dec 12, 2025
Introduction
One of the most common questions professionals ask during GDPR training is simple yet vital: who am I actually allowed to email?
Because GDPR is about having a lawful reason to process personal data, you cannot email people freely just because you have their address. At the same time, many legitimate business activities do allow email communication as long as the rules are followed.
This guide breaks down exactly who you can email, who you cannot, and how to avoid common mistakes. These principles build on the foundations explained in Camari Training’s GDPR modules, which focus on clarity, accountability, and practical everyday decisions.

1. Who You Can Email Under GDPR
You are allowed to email someone only when you have a lawful basis for doing so. The lawful basis depends on the context, the relationship, and the purpose of the communication.
You can email someone when it is necessary for a contract
If the email is required to deliver a service, fulfil a contract, or take steps before entering into a contract, you are allowed to send it.
Examples include:
• emailing an invoice
• arranging a service the individual has requested
• providing updates related to a purchase
This falls under contractual necessity, which is one of the six lawful bases for processing personal data.
You can email someone when you have their informed and valid consent
Consent must be freely given, specific, informed, and unambiguous. If an individual has clearly agreed to receive certain types of emails, you can send them.
This is commonly used in marketing where individuals opt in to newsletters or updates.
They must also be able to withdraw consent easily at any time.
You can email someone when you have a legitimate interest that outweighs the individual’s privacy impact
This is often used for business communication such as:
• contacting existing customers
• informing people about essential service changes
• communicating internally with staff
However, you must be confident the individual would reasonably expect the email and that it does not override their rights or freedoms.
You can email colleagues internally for legitimate business purposes
Emails within an organisation are allowed when the communication supports legitimate business functions and data is kept safe.
Clear policies and regular GDPR training help staff understand what information is appropriate to share internally.
You can email someone when the law requires it
Some emails are sent to fulfil legal obligations such as HR record keeping, safeguarding communication, or statutory reporting. If the law requires the communication, GDPR permits it.
2. Who You Cannot Email Under GDPR
Understanding who you cannot email is equally important. Many breaches occur not from malicious intent but from misunderstanding.
You cannot email someone without a lawful basis
If you cannot clearly justify why you are emailing someone, you cannot send the message. This includes contacting individuals simply because their address is available or because you think they may be interested.
You cannot email individuals for marketing without consent or a compliant soft opt-in
For marketing activity, you cannot email someone if:
• they have not given consent, and
• they do not fall under a valid soft opt-in
A soft opt-in only applies when:
• the individual is an existing customer
• the marketing relates to similar products or services
• they were given a clear opportunity to refuse at the point of data collection
If these conditions are not met, marketing emails are not permitted.
You cannot email third parties without a legitimate and proportionate reason
Forwarding personal information to external partners, suppliers, or other organisations is only allowed when there is a lawful basis and appropriate safeguards.
Sharing unnecessarily exposes the organisation to risk and may breach the principle of data minimisation.
You cannot email someone because their address is publicly available
Having a publicly visible email address does not give permission to use it.
GDPR requires a lawful basis, not availability.
You cannot email former employees or former clients unless conditions are clearly met
Once a relationship ends:
• contractual necessity no longer applies
• legitimate interest becomes limited
• marketing requires fresh consent unless a valid soft opt-in exists
Many breaches occur when old contact lists are used without checking the lawful basis.
You cannot email large groups of people when the purpose does not justify the intrusion
Even non-marketing communication can breach GDPR if the impact on privacy outweighs the legitimate interest.
For example, sending updates to a wide group of individuals who do not need the information is rarely justified.
3. How to Decide Quickly: A Simple Three Step Test
For time-poor professionals, decision making must be fast and confident. Before emailing anyone, ask yourself:
1. Do I have a lawful basis to email this person?
If not, stop.
2. Would the individual reasonably expect this email?
If the answer is no, reconsider your approach.
3. Is the content necessary and proportionate?
Only include information that genuinely supports the purpose.
These habits reflect the GDPR principles taught through Camari Training’s modules, which focus on clarity, minimisation, and responsible handling.
Conclusion and Checklist
Email is an everyday tool, but every message carries GDPR responsibility. When you understand who you can contact and who you cannot, compliance becomes far simpler and far more confident.
For organisations that want clarity and consistency, practical GDPR training makes the difference. Camari Training, in collaboration with CVG Solutions, provides accessible modules that help teams navigate lawful bases, data subject rights, breach reporting, and real workplace scenarios with confidence.
If you want a quick way to stay compliant every day, our one-page checklist is ready to use. It helps you decide who you can email with confidence and clarity. Share it with your team to support better habits and build a stronger GDPR culture across your organisation.

