
41. Email compliance and RODO/GDPR

Level: Important (Legal!) | Reading time: 12 min

Compliance in email marketing is not optional; it is a legal requirement. A GDPR/RODO infringement can cost up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher (Art. 83(5)). This tutorial covers the requirements for Poland and the EU as they apply to email marketing.

GDPR/RODO for email marketing

Basic principles

1. Lawful basis

You need one of:

  • Consent (Art. 6(1)(a)) - the usual basis for marketing
  • Legitimate interest (Art. 6(1)(f)) - for existing customers ("soft opt-in")
  • Contract (Art. 6(1)(b)) - for transactional messages

Caveat for Poland: the GDPR basis is not the only test. Marketing by email is also governed by the Polish rules on unsolicited commercial communication (the Act on Providing Services by Electronic Means, superseded in this respect by the Electronic Communications Law in November 2024), which require the recipient's prior consent. In practice, do not rely on legitimate interest alone for marketing emails to Polish recipients; collect consent.

2. Explicit consent

NO:

html
[Submit]

*By submitting you agree to receive emails

Implied consent ("by submitting you agree...") is invalid, and so is a pre-checked box (Art. 4(11) and Art. 7 GDPR; CJEU C-673/17 Planet49). Consent has to be a clear affirmative act by the user.

YES:

html
<label>
  <input type="checkbox" name="marketing_consent" required>
  I consent to receiving marketing information by electronic means,
  as described in the
  <a href="/privacy-policy">Privacy Policy</a>.
</label>

[Send]

Use the required attribute only when the form's sole purpose is the newsletter. On a contact, download or order form the marketing checkbox must stay optional: tying consent to a service that does not need it is bundling, and such consent is not freely given (Art. 7(4)).

You must keep a record (audit trail):

json
{
  "email": "jan.kowalski@example.com",
  "consent_given": "2026-02-18T10:30:00Z",
  "consent_ip": "83.12.34.56",
  "consent_source": "Website signup form",
  "consent_text": "Full text of consent checkbox",
  "double_opt_in_confirmed": "2026-02-18T10:35:22Z"
}

consent_text must be the exact wording shown at the time (or an identifier of that version), not a paraphrase: when you reword the checkbox later, you still have to prove what each subscriber agreed to. Together with the IP address and the double opt-in timestamp this is what makes the record defensible.

Store in Custom Fields:

Field: consent_date → "2026-02-18"
Field: consent_ip → "83.12.34.56"
Field: consent_source → "landing-page-coaching-offer"
Field: doi_confirmed → "yes"

Double Opt-In (Best Practice)

Why DOI?

  • Legal protection - proof of consent
  • Better data quality - only real, reachable addresses
  • Higher engagement - only people who actually want the emails
  • Fewer spam complaints
  • Protection against list-bombing - nobody can subscribe somebody else's address without access to that mailbox

Implementation in GHL:

Step 1: Form submission

User fills in form → Tag "pending-confirmation"
→ Automation triggered

Step 2: Confirmation email

html
Subject: Confirm your subscription - one click

Hi {{firstName}}!

Thank you for your interest!

Confirm your subscription by clicking below:

<a href="{{confirmation_link}}" style="
  background: #3498db;
  color: white;
  padding: 15px 30px;
  text-decoration: none;
  border-radius: 5px;
  display: inline-block;">
  ✓ I confirm my subscription
</a>

The link is valid for 48 hours.

---
Didn't sign up? Just ignore this email.

The confirmation click is your proof of consent, so the link must not be guessable. {{confirmation_link}} has to carry an unpredictable, single-use token bound to this contact that expires with the 48-hour window; a link that only contains the contact ID or the email address lets anyone "confirm" an address they do not control.

Step 3: Confirmation click

User clicks link
→ Tag "confirmed-subscriber" applied  
→ Tag "pending-confirmation" removed
→ Welcome email sent
→ Added to marketing lists

Workflow:

TRIGGER: Form submitted

TAG: "pending-confirmation"

SEND EMAIL: Confirmation

WAIT: Link clicked OR 48h timeout

IF clicked:
  → TAG: "confirmed-subscriber"
  → START: Welcome series
  
IF NOT clicked (48h):
  → TAG: "unconfirmed"
  → STOP (no marketing emails)

Required Email Elements

1. Unsubscribe link

html
<p style="text-align: center;">
  <a href="{{unsubscribe_link}}">
    Unsubscribe from this list
  </a>
</p>

Requirements:

  • ✅ Visible (not hidden, not micro-font)
  • ✅ Working (test it!)
  • ✅ One-click (no login required; the link itself must identify the subscriber)
  • ✅ Processed without undue delay: withdrawing consent must be as easy as giving it (Art. 7(3)), and after an objection the data may no longer be processed for marketing (Art. 21(3)). In practice that means no further marketing sends after the click. The 10-business-day grace period comes from the US CAN-SPAM Act; RODO does not grant it.
  • ✅ Machine-readable as well: bulk senders to Gmail and Yahoo must include the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers so the mailbox provider can show its own one-click unsubscribe button. Check that your platform adds them.
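"Test it!" above can be automated. The following Python is an added example, not part of this tutorial or of GoHighLevel: it builds a constructed sample newsletter with the RFC 8058 one-click unsubscribe headers and then checks a raw message for the conditions a mailbox provider and a RODO reviewer both look for: an https List-Unsubscribe URL, the List-Unsubscribe-Post: List-Unsubscribe=One-Click header, and the unsubscribe URL visible in the body. Run check_one_click_unsubscribe() on a test send saved as .eml; the sender address and URL in the sample are made up.

```python
"""Check that an outgoing marketing email carries a working one-click unsubscribe.

Added example, not this tutorial's or GoHighLevel's code. GHL inserts its own unsubscribe
link and headers; this is the check to run on a test send (saved as .eml) before a campaign.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXPECTED_POST = "List-Unsubscribe=One-Click"   # exact value defined by RFC 8058


def build_sample_message(unsub_url: str, include_post_header: bool = True) -> bytes:
    """Constructed sample newsletter (addresses and URL are made up, not a real GHL message)."""
    msg = EmailMessage()
    msg["From"] = "Coachflow <newsletter@coachflow.pl>"
    msg["To"] = "jan.kowalski@example.com"
    msg["Subject"] = "Newsletter"
    # RFC 2369: where an unsubscribe request can be sent (https and/or mailto)
    msg["List-Unsubscribe"] = f"<{unsub_url}>, <mailto:unsubscribe@coachflow.pl?subject=unsubscribe>"
    if include_post_header:
        # RFC 8058: the mailbox provider may POST this body to the https URL; no UI, no login
        msg["List-Unsubscribe-Post"] = EXPECTED_POST
    msg.set_content(f"Hello Jan,\n\n(newsletter body)\n\nUnsubscribe: {unsub_url}\n")
    return msg.as_bytes()


def check_one_click_unsubscribe(raw: bytes) -> list[str]:
    """Return the list of problems found; an empty list means the message passes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    problems: list[str] = []

    list_unsub = msg.get("List-Unsubscribe")
    if not list_unsub:
        return ["missing List-Unsubscribe header"]
    urls = re.findall(r"<([^>]+)>", str(list_unsub))
    if not any(u.lower().startswith("https://") for u in urls):
        problems.append("List-Unsubscribe has no https:// URL (RFC 8058 requires HTTPS for one-click)")

    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append(f"missing List-Unsubscribe-Post: {EXPECTED_POST}")
    elif str(post).strip() != EXPECTED_POST:
        problems.append(f"unexpected List-Unsubscribe-Post value: {str(post).strip()!r}")

    # Headers alone do not satisfy RODO: the human-visible link must be in the body as well.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    web_urls = [u for u in urls if u.lower().startswith(("http://", "https://"))]
    if not any(u in text for u in web_urls):
        problems.append("unsubscribe URL not visible in the message body")
    return problems
```

The https requirement is not pedantry: RFC 8058 receivers only honour the one-click POST over HTTPS, and the POST arrives without any cookie or session, so the URL must identify the subscriber on its own (a signed token, not a bare contact ID).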
2. Sender Information

html
<div style="color: #999; font-size: 12px; text-align: center; padding: 20px;">
  {{company_name}}<br>
  {{street_address}}<br>
  {{postal_code}} {{city}}, {{country}}<br>
  NIP: {{vat_number}}<br>
  Email: {{contact_email}}<br>
  Tel: {{phone}}
</div>

Example:

Coachflow.pl sp. z o.o.
ul. Przykładowa 123/45
00-001 Warszawa, Polska
NIP: 1234567890
Email: kontakt@coachflow.pl
Tel: +48 22 123 45 67

3. Privacy policy link

html
<p>
  We process your data in accordance with our
  <a href="https://coachflow.pl/polityka-prywatnosci">
    Privacy Policy
  </a>
</p>

Data Retention

GDPR rules:

Keep data only as long as necessary (Art. 5(1)(e)). The periods below are the policy used in this tutorial, not legal limits; write your own down and apply them consistently:

ACTIVE SUBSCRIBERS:
- Marketing data: until they unsubscribe
- Engagement history: 2 years
- Consent records: until unsubscribe + 3 years (proof)

FORMER SUBSCRIBERS:
- After unsubscribe: delete marketing data within 30 days
- Keep: consent records and the fact of the objection (3 years for legal defence)
- Keep: the address on a suppression list, so that an old export or a new import cannot silently re-subscribe the person
- Keep: transaction history (accounting law: 5 years)

INACTIVE CONTACTS:
- No engagement for 24 months: delete or ask for permission again

GHL Cleanup Workflow:

TRIGGER: Every month (1st day)

FILTER: Contacts where:
  - Tag "subscriber" AND
  - Last email opened > 730 days ago

ACTION: Send re-engagement email

WAIT: 14 days

IF no response:
  → Remove tag "subscriber"
  → Add tag "inactive-removed"
  → Stop all marketing

OPTIONAL: Delete contact (if no transactions)

Right to Erasure (Right to be Forgotten)

Request handling:

When a contact requests deletion:

  1. Verify identity (prevent abuse): at minimum, act only on requests sent from, or confirmed through, the address concerned
  2. Check obligations (accounting? contracts?)
  3. Respond and delete within one month (Art. 12(3)); for complex requests the deadline can be extended by two further months, but you must tell the person within the first month

What to delete:

✅ DELETE:
- Personal data (name, email, phone)
- Marketing preferences
- Communication history (emails, SMS)
- Custom fields
- Tags
- Notes

⚠️ KEEP (if legally required):
- Invoices (5 years - accounting law)
- Contracts (statute of limitations)
- Consent records (defence proof, minimised to who consented to what, when, and when they objected)

GHL process:

1. Contacts → Search email
2. Click contact → Settings
3. "Delete Contact" → Confirm
4. Document the request in an external log: a custom field disappears together with the deleted contact, so it cannot serve as the record. Keep that log minimal; it is personal data too.

Data Processing Agreement (DPA)

GHL as processor:

GoHighLevel = Data Processor
You = Data Controller

Requirements:

  • ✅ A signed DPA with GHL (Art. 28); GHL publishes one alongside its terms of service. Read it rather than assuming its contents.
  • ✅ A valid transfer mechanism: GHL is a US company hosting data in the USA, so this is a third-country transfer (Chapter V). Privacy Shield was invalidated by the CJEU in 2020 (Schrems II) and cannot be relied on; the current mechanisms are the EU-U.S. Data Privacy Framework (only if the processor is certified under it) or Standard Contractual Clauses with a transfer impact assessment. Check which one your DPA uses and record it.
  • ✅ Realism about what "GDPR compliant" means: no platform is compliant on your behalf. The processor's contract and security commitments reduce your risk, but the lawfulness of the processing remains your responsibility as controller.

Your responsibilities:

  • Legal basis for processing
  • Obtaining consent
  • Honoring data subject rights
  • Security measures (Art. 32), including 2FA on the GHL account and least-privilege access for your team
  • Breach notification to UODO within 72 hours of becoming aware of a breach (Art. 33)

Marketing vs Transactional

Difference matters!

MARKETING EMAILS (require consent):

- Newsletters
- Promotional offers
- Product announcements
- Educational content (free)
- Re-engagement campaigns

TRANSACTIONAL EMAILS (no consent needed):

- Order confirmations
- Shipping notifications
- Password resets
- Account updates
- Invoices
- Support responses

Grey area:

Post-purchase email with:
- Order update ✅ (transactional)
- + Related products 🤔 (marketing!)

Solution: Separate emails or get consent

Privacy Policy Requirements

Must include:

markdown
# Privacy Policy

## 1. Data controller
- Company name
- Address
- NIP
- Contact (email, phone)

## 2. Legal basis for email marketing
- Consent (Art. 6(1)(a) GDPR)
- Legitimate interest for existing customers (Art. 6(1)(f))

## 3. What data we collect
- Email, first name, last name
- Date of consent, IP address, source
- Communication history

## 4. Purpose of processing
- Sending the newsletter
- Product information
- Personalised offers

## 5. Retention period
- Until consent is withdrawn
- Consent records: 3 years after withdrawal

## 6. Your rights
- Access to your data
- Rectification
- Erasure
- Withdrawal of consent
- Data portability
- Objection to processing

## 7. Recipients of the data
- GoHighLevel (email platform)
- Mailgun/Twilio (delivery)
- Google Analytics (analytics)

## 8. Transfers outside the EU
- USA - name the mechanism actually used: EU-U.S. Data Privacy Framework certification or Standard Contractual Clauses (a DPA on its own is not a transfer safeguard)

## 9. Profiling and automated decisions
- Segmentation based on behaviour
- Lead scoring

## 10. Right to lodge a complaint
- UODO (Urząd Ochrony Danych Osobowych)
- ul. Stawki 2, 00-193 Warszawa

Penalties

GDPR fines:

Lower tier (up to EUR 10M or 2% of annual worldwide turnover, Art. 83(4)):

  • Controller and processor obligations (e.g. Art. 28 contracts, Art. 32 security, Art. 33 breach notification)
  • Certification and monitoring body obligations

Upper tier (up to EUR 20M or 4%, Art. 83(5)):

  • No legal basis or invalid consent
  • Violating data subject rights
  • Unlawful transfers outside the EU

Real examples:

  • Google: EUR 50M (CNIL, 2019 - lack of transparency and invalid consent)
  • Amazon: EUR 746M (Luxembourg, 2021 - unlawful processing for advertising)
  • WhatsApp: EUR 225M (Ireland, 2021 - transparency)

Polish-specific:

UODO (the Polish supervisory authority) can:

  • Issue warnings
  • Order corrections
  • Suspend processing
  • Impose fines

Most common violations:

  • No consent or invalid consent
  • Missing privacy policy
  • Not honoring unsubscribe requests
  • Lack of security measures

Compliance Checklist

Before sending any marketing email:

☑ Valid consent obtained (checkbox, not pre-checked)
☑ Double opt-in confirmation received
☑ Consent data recorded (who, when, where, IP)
☑ Privacy policy available & linked
☑ Unsubscribe link working & visible
☑ Sender info complete (company name, address, NIP)
☑ Marketing vs transactional properly separated
☑ DPA signed with GoHighLevel
☑ Security measures in place (2FA, access controls)
☑ Data retention policy defined & implemented
☑ Process for data subject requests (access, deletion)
☑ Breach notification procedure ready

Best Practices Summary

Always:

  • Use double opt-in
  • Record consent details
  • Make unsubscribe easy
  • Separate marketing/transactional
  • Review data retention quarterly
  • Train team on GDPR

Never:

  • Buy email lists (a purchased list comes with no consent you can prove, so emailing it is unlawful in practice)
  • Pre-check consent boxes
  • Hide unsubscribe links
  • Ignore deletion requests
  • Transfer data without safeguards

Next step: 42. Warming up a domain - building the reputation of a new domain