
GDPR and Your Email Address: Rights You Probably Don't Know You Have

GDPR gives EU residents meaningful rights over how companies use their email addresses. Here's what those rights actually are and how to exercise them — practically.

Temp Mail Now · Published June 5, 2026 · 5 min read

The General Data Protection Regulation has been in force since May 2018, yet surveys consistently show that most EU residents don't know what rights it gives them. The regulation is long and technical, and the plain-English summaries that exist online are often written by lawyers for lawyers.

This is a plain-English account of what GDPR actually says about email addresses — what companies can and can't do with yours, and what you can demand they do.

Email is personal data. That changes everything.

The first thing to understand is that under GDPR, an email address is personal data. This isn't just a formality. It means that any company that holds your email address in the EU (or processes it on behalf of an EU resident anywhere in the world) is subject to GDPR's rules.

"Processing" means anything done with your data: storing it, reading it, sending to it, sharing it, profiling based on it. Essentially everything a company does with an email address counts.

This coverage is broader than most people realize. It doesn't just apply to European companies. An American company with EU customers is subject to GDPR with respect to those customers. A Brazilian startup with European users has obligations too. Geography of the company is largely irrelevant; geography of the users is what matters.

The six lawful bases for processing

Before a company can do anything with your email address, they need a lawful basis. GDPR defines six:

  1. Consent — you explicitly agreed to this use
  2. Contract — processing is necessary to deliver a service you've contracted for
  3. Legal obligation — required by law (e.g., tax records)
  4. Vital interests — to protect someone's life
  5. Public task — exercising official authority
  6. Legitimate interests — the company's interest is balanced against your rights

In consumer email contexts, the relevant bases are usually consent, contract, and legitimate interests. Each has different implications.

Consent is the strictest standard. It must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox doesn't count. Bundling consent (e.g., "agree to terms and agree to marketing" in a single box) doesn't count. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent.

Legitimate interests is the most flexible and most abused basis. Companies use it to justify processing when they don't want to ask for consent. It requires a balancing test: the company's interest must outweigh the potential impact on the individual. For sending unsolicited marketing emails, this test almost never passes — which is why most legitimate companies use consent for marketing.

Your right to access

You have the right to ask any company what data they hold about you. They must respond within one month, in a readable format, at no charge. The response should include what data they hold, why they hold it, where they got it, who they've shared it with, and how long they intend to keep it.

For email specifically: you can ask a company to confirm whether they hold your email address and under what lawful basis. This is useful when you receive emails from a company you don't remember giving your address to.

Your right to erasure ("right to be forgotten")

You can demand that a company delete your data. They must comply unless they have a legal obligation to keep it (e.g., accounting records) or a compelling legitimate reason.

The right to erasure is particularly relevant for email addresses because there's often no ongoing relationship that justifies retention. If you gave an email address to a company for a one-time transaction years ago, they have no legitimate reason to still hold it.

Practically: send a formal erasure request to the company's data protection officer (look for a privacy policy contact email or a dpo@... address). Be specific: "I request erasure of all personal data you hold about me, including my email address." Keep a record. They have one month to comply.

Your right to object to marketing

Separate from the right to erasure, you have a specific right to object to direct marketing. If a company is emailing you marketing material, you can tell them to stop and they must do so immediately with no conditions attached. This applies even if they have a legitimate interest basis — the right to object overrides it for direct marketing.

This is stronger than a standard unsubscribe request. A company that honors an unsubscribe might keep your address in a suppression list and technically still "hold" your data. An objection under GDPR Article 21 requires them to stop using your data for that purpose, not just to add you to a suppression list.

What disposable email achieves that GDPR doesn't

GDPR gives you rights. Rights require enforcement. Enforcement requires knowing who holds your data and being willing to spend the time to exercise your rights with each of them.

In practice, many people don't exercise GDPR rights because the process is too slow and the volume of companies involved is too large. A data erasure request that takes one month per company, multiplied across dozens of companies that hold your address, is a significant time investment.

Disposable email addresses the problem upstream: instead of trying to claw back rights over data that's already been shared, you never give the data in the first place. There's nothing to erase. There's nothing to object to. There's no processing to audit.

GDPR is powerful for situations where you genuinely needed to give a company your real address and want to exercise control over what they do with it. For situations where you didn't need to give your real address — which describes the majority of marketing, free-trial, and content-gated interactions — prevention is cleaner than remedy.

Enforcement and complaints

If a company violates your rights under GDPR, you can complain to your national data protection authority. In Germany, this is the Bundesbeauftragter für den Datenschutz. In France, the CNIL. In Ireland (where most US tech companies are based in Europe), the DPC. Each authority accepts complaints in the local language and English.

Fines under GDPR are substantial — up to 4% of global annual revenue or €20 million, whichever is higher. The regulation has teeth. Several companies have received multi-million euro fines for consent violations in email marketing. Complaints from individuals do lead to investigations.


You can't claim rights you don't know you have. Share this with anyone who wonders why they're getting emails from companies they don't recognize.
