Mailchimp and DSGVO: An Assessment for German Companies

Mailchimp can be used in Germany — but doing so cleanly involves real legal work: a Transfer Impact Assessment, ongoing review of the EU-US transfer position, and an Auftragsverarbeitungsvertrag (AVV) with documented additional safeguards. This page explains the legal landscape, what the Mailchimp AVV does and does not cover, and how a self-hosted alternative like Broadcast can simplify the risk profile — without overstating what self-hosting actually solves.

We are not lawyers and this page is not legal advice. Specific guidance for your business should come from a qualified Datenschutzbeauftragter (DPO) or counsel.

Who this page is for

German companies that like Mailchimp’s convenience but dislike the compliance work around US data transfers. If you want your subscriber database on infrastructure you control, Broadcast is the self-hosted Mailchimp alternative for Germany — DSGVO-friendly newsletter software that puts your list, your server, and your SMTP choice in your hands.

TL;DR

  • Mailchimp is a US provider (Intuit, USA). Use by a German company involves a transfer of personal data to a third country (a Drittlandtransfer), which carries additional compliance obligations under the DSGVO.
  • In a BayLDA complaint outcome commonly cited as Aktenzeichen LDA-1085.1-12159/20-IDV and dated 15 March 2021, the Bavarian authority found one company’s use of Mailchimp unlawful because the controller had not assessed whether additional safeguards were required after Schrems II. The EDPB later republished BayLDA’s summary on 30 March 2021. The ruling addresses a single case but is widely treated as directional guidance.
  • Schrems II (CJEU C-311/18, July 2020) invalidated the Privacy Shield. The successor — the EU-US Data Privacy Framework (2023) — improves the position for certified US providers, but does not end all legal debate around US access laws.
  • The US Cloud Act applies to US parent companies even when data sits in an EU data center. Contracts can allocate obligations and add safeguards, but they cannot by themselves remove the fact that a US-controlled provider may be subject to US legal process.
  • Self-hosting on a German server (e.g. Hetzner Falkenstein/Nuremberg) can reduce or eliminate third-country transfers for newsletter-recipient data — if the server, SMTP provider, backups, analytics, support tooling, and error tracking are all configured with EU-based processors. It is a simpler story to tell a DPO; it is not an automatic compliance shortcut.

At a glance

| Question                      | Mailchimp                                        | Broadcast self-hosted                    |
|-------------------------------|--------------------------------------------------|------------------------------------------|
| Where is the list stored?     | Mailchimp / Intuit stack                         | Your server                              |
| US transfer issue?            | Generally yes — requires review                  | Avoidable with an EU-only stack          |
| Monthly subscriber pricing?   | Yes                                              | No                                       |
| DPO explanation               | More complex (TIA, SCCs, additional safeguards)  | Simpler infrastructure story             |
| Infrastructure control        | Limited                                          | High                                     |
| SMTP provider choice          | Mailchimp-controlled                             | You choose (EU-based options available)  |

A detailed breakdown follows below.

The 2021 BayLDA ruling

The Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) is the only German supervisory authority that has, to our knowledge, formally challenged a specific company’s use of Mailchimp. The ruling is the most-cited reference point in German DSGVO assessments of Mailchimp today.

What the BayLDA found

A German company had transferred newsletter recipients’ email addresses to Mailchimp. The BayLDA reviewed the transfer in light of Schrems II and concluded:

  1. The transfer to Mailchimp constitutes a transfer to a third country (USA).
  2. Under US law — in particular FISA 702 — Mailchimp may qualify as an “electronic communication service provider” and thus be compellable to assist US intelligence agencies.
  3. Standard Contractual Clauses (SCCs) alone are insufficient. The exporting company would have had to assess whether SCCs, given US law, deliver an “essentially equivalent” level of protection — that is, perform a Transfer Impact Assessment (TIA).
  4. Because no such TIA had been performed, the transfer in this specific case was found not to be lawful.

Source: BayLDA complaint outcome commonly cited as Aktenzeichen LDA-1085.1-12159/20-IDV and dated 15 March 2021; EDPB republished BayLDA’s summary on 30 March 2021. The exact reference and date are reproduced by multiple legal sources (SKW Schwarz, Datenrecht.ch). The decision addresses one specific case. It does not declare Mailchimp generally illegal in Germany, but it is widely treated as directional guidance by German DPOs.

The practical takeaway: Mailchimp can be used by German companies, but doing so defensibly requires documented compliance work — including a TIA with additional safeguards. Many companies decide that this work is worthwhile; others decide it is not, and choose either an EU-headquartered provider or a self-hosted alternative.

Schrems II, the EU-US Data Privacy Framework, and the Cloud Act

Two realities of US law shape the EU-to-US transfer position for any US provider, including Mailchimp.

Schrems II and the EU-US Data Privacy Framework

In Case C-311/18 (July 2020), the Court of Justice of the EU invalidated the Privacy Shield. Reasoning: US surveillance law (FISA 702, Executive Order 12333) does not provide EU citizens with effective remedies against data access by US authorities. SCCs remain available, but the data exporter must perform a Transfer Impact Assessment before each transfer and, where needed, implement additional safeguards.

The EU-US Data Privacy Framework (July 2023) is the Privacy Shield successor. It allows transfers to certified US companies without separate SCCs and improves the transfer position for those providers. Mailchimp states that The Rocket Science Group LLC d/b/a Mailchimp is covered under Intuit’s Data Privacy Framework certification; the current DPF listing for Intuit shows a next certification due date of 12 November 2026, so the certification appears active at the time of review. The DPF does not, however, end all legal debate around US access laws or future judicial challenges. For risk-averse German companies, EU-only or self-hosted infrastructure may still be simpler to explain to a DPO.

The US Cloud Act

The Clarifying Lawful Overseas Use of Data Act (2018) compels US companies to hand over data to US authorities — even when that data is stored in an EU data center.

Concretely: even if Mailchimp stored your data exclusively in Europe, Intuit as the US parent would still be subject to US disclosure orders.

This is the structural challenge that contracts alone cannot fully solve.

What the Mailchimp AVV (Auftragsverarbeitungsvertrag) covers — and what it doesn’t

Mailchimp provides an AVV (Data Processing Addendum) that includes Standard Contractual Clauses and can be countersigned by the customer. That meets the formal minimum for an EU-to-US transfer — but the AVV alone does not resolve the underlying structural questions.

What the AVV covers

  • Standard Contractual Clauses (Module 2, Controller-to-Processor)
  • List of sub-processors
  • Technical and organizational measures (TOM)
  • Breach notification obligations
  • Deletion timelines after contract end

What the AVV does not resolve

  • Cloud Act access by US authorities
  • FISA 702 orders directed at the US parent
  • The Transfer Impact Assessment itself (the customer must perform it)
  • The “essentially equivalent” protection standard required by Schrems II
  • Future shifts in US law or further legal challenges to the DPF

How self-hosting changes the picture

Self-hosting Broadcast on a German server changes where the personal data lives and which processors are involved. It is a meaningful simplification — not a compliance silver bullet. Self-hosting can eliminate third-country transfers for newsletter-recipient data if the server, SMTP provider, backups, analytics, support tooling, and error tracking are all configured with EU-based processors. The picture changes only as much as your full stack changes.

| Aspect                                | Mailchimp (SaaS)                                  | Broadcast self-hosted (EU stack)                                                                                                        |
|---------------------------------------|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
| Drittlandtransfer for recipient data  | Yes, to the USA                                   | Avoidable if the full stack is EU-based                                                                                                 |
| TIA required                          | Yes, with documented additional safeguards        | Not required for components without third-country transfer                                                                              |
| Cloud Act exposure                    | Yes (Intuit, USA)                                 | None at the Broadcast database/application layer when hosted with a German or EU provider; SMTP exposure depends on provider choice    |
| Your role                             | Controller; Mailchimp is processor                | Controller; only the SMTP relay (and any other tools you connect) are processors                                                        |
| AVV required with                     | Mailchimp + every sub-processor                   | Hoster + SMTP provider (both selectable as EU-based)                                                                                    |
| Subject access / deletion requests    | Via Mailchimp API                                 | Direct in your own database                                                                                                             |
| Server location selectable            | No                                                | Yes (e.g. Hetzner Falkenstein/Nuremberg)                                                                                                |

What self-hosting does not solve: you still need an Impressum, a Datenschutzerklärung, double opt-in, documented deletion processes, AVVs with your hoster and your SMTP provider, and a record of processing activities (Verzeichnis von Verarbeitungstätigkeiten). Self-hosting can simplify the third-country-transfer story; it does not satisfy DSGVO obligations on its own.

Hosting in Germany: Hetzner as a natural fit

Broadcast runs on any Ubuntu server. For German companies choosing on data-sovereignty grounds, Hetzner is a common pick — German company (HQ Gunzenhausen), data centers in Falkenstein and Nuremberg, transparent pricing.

  • CX22 (~€5/month): 2 vCPU, 4 GB RAM, 40 GB SSD. Comfortable for lists up to ~50,000 recipients.
  • CX32 (~€9/month): 4 vCPU, 8 GB RAM, 80 GB SSD. Comfortable up to ~250,000 recipients.
  • CX42 (~€17/month): 8 vCPU, 16 GB RAM, 160 GB SSD. For large lists or high send frequency.

Prices indicative as of 2026. Hetzner provides a DSGVO-compliant AVV. Falkenstein and Nuremberg are German-only locations; Hetzner also operates Helsinki and Ashburn (USA) sites that you can select or avoid at order time.

SMTP providers and EU data processing

Self-hosting changes which processors are involved in your stack, but your SMTP relay remains a processor for the recipient data passing through it. Broadcast works with any SMTP provider; the choice meaningfully affects the transfer story.

  • Amazon SES (eu-central-1), Frankfurt region: Processing in Germany is selectable. Cloud Act exposure remains because AWS has a US parent. Very low cost: ~$0.10 per 1,000 emails.
  • Postmark, EU region available: ActiveCampaign-owned. EU data residency is selectable. Strong deliverability. US parent, so Cloud Act questions are similar to SES.
  • Mailgun (EU), Frankfurt region: Sinch-owned (Swedish parent). EU data residency. Swedish corporate structure reduces — but does not eliminate — risks comparable to the Cloud Act.
  • Brevo SMTP, France: French provider, fully EU-based. No US parent. Often the simplest option to explain to a DPO from a transfer-only perspective.
  • Mailjet, France: Sinch-owned but operationally French, with EU data processing. A reasonable Mittelstand option.
  • Self-run SMTP (e.g. Postfix on Hetzner): Maximum control, no additional processor. Requires comfort with mail-server administration and IP-reputation management.

Cost comparison

Worked example for a German company with 10,000 newsletter recipients and weekly sends.

Mailchimp Standard (10,000 contacts)

  • Monthly fee: ~$135 / month
  • Annual cost: ~$1,620
  • Three-year cost: ~$4,860
  • Plus internal compliance work for TIA and ongoing transfer assessment.

Broadcast self-hosted (Hetzner CX22 + Amazon SES Frankfurt)

  • License (one-time): $250
  • Hetzner CX22: ~€5 / month
  • SES for ~40k emails/month: ~$4 / month
  • Three-year total: ~$580
  • Different transfer story; SMTP provider choice still determines residual US exposure.

Estimated 3-year savings: ~$4,280

On a 10,000-contact weekly newsletter, comparing Mailchimp Standard (~$4,860 over three years) with Broadcast self-hosted on Hetzner CX22 + Amazon SES Frankfurt (~$580 over three years).

Based on example pricing and usage assumptions. Mailchimp pricing as of early 2026; check current provider pricing before making a purchase decision. Doubling the list to 20,000 contacts roughly doubles the Mailchimp cost — the self-hosted cost stays largely flat.

Frequently asked questions

There is no clean yes-or-no answer. Mailchimp provides SCCs and an AVV, which meets the formal minimum for an EU-to-US transfer. Structurally, that transfer remains, and Schrems II requires a Transfer Impact Assessment. The BayLDA found one specific German use unlawful in 2021 because no TIA had been performed. Whether your particular use is defensible depends on your documented risk assessment and the additional safeguards you put in place.

The DPF (July 2023) improves the transfer position for certified US providers, including Mailchimp, by allowing transfers without separate SCCs. It does not, however, remove all legal debate around US access laws or future challenges. For risk-averse German companies, EU-only or self-hosted infrastructure may still be simpler to explain to a DPO.

You install Broadcast on a server you control (e.g. Hetzner Falkenstein). The newsletter database lives in your area of control. If your hoster, SMTP provider, backups, analytics, support tooling, and error tracking are all EU-based, third-country transfers for recipient data can be reduced or eliminated. You no longer need an AVV with Mailchimp — but you still need one with your hoster and your SMTP provider.

Mailchimp allows CSV export of the full audience including tags and custom fields. Broadcast imports CSVs directly. For typical lists (up to ~50,000 recipients), expect roughly half a day end-to-end including server setup and DNS configuration. Automations are rebuilt manually — no automatic converter exists.

These obligations exist independently of which tool you use. Broadcast supports double opt-in natively (confirmation emails with a link). Impressum, Datenschutzerklärung, and cookie banners are website concerns — not email-tool concerns. Self-hosting changes nothing here.

The obligation to appoint a DPO follows from BDSG § 38 and DSGVO Art. 37 — based on the nature and scope of processing, not on the tool you use. If you need a DPO today, you will still need one with Broadcast. The conversation with a DPO is, however, often easier when the data lives on your own German server.

A simpler infrastructure model for German newsletters.

Broadcast does not make you automatically DSGVO-compliant. It gives you a simpler infrastructure model: your list, your server, your database, your chosen SMTP provider.

One-time license. No per-subscriber tier. No US-headquartered processor for the application or database layer.