Amazon Simple Email Service (Amazon SES) is the email-sending service of Amazon Web Services, used for transactional and marketing email at scale. EU developers commonly use SES with an EU region (Frankfurt, Ireland, Paris, Stockholm, Milan) for low cost and EU residency. SES does not run any script in the recipient browser by default; optional tracking pixels and click redirects add lightweight tracking.
Amazon Simple Email Service (Amazon SES) is the email-sending service of Amazon Web Services, launched in 2011. It is widely used to send transactional email (order confirmations, password resets), system notifications, and marketing campaigns at scale, with pay-as-you-go pricing per thousand messages. SES exposes both an SMTP relay and a REST API and is available in multiple AWS regions, including five EU regions (Ireland, Frankfurt, Paris, Stockholm, Milan).
SES processes the recipient email address, the sender identity, the full message payload (headers, subject, body, attachments), and message metadata (timestamps, IDs). With configuration sets, SES can also record open events (1x1 pixel) and click events (URL redirect), generating engagement metadata per recipient. Bounce and complaint feedback are processed via the SES feedback loop. No client-side cookies are set by SES on the sender website; tracking pixels embedded in emails are loaded by the recipient mail client when the email is opened.
Email addresses are personal data. Transactional emails (purchase confirmation, password reset) rely on contract performance under Art. 6(1)(b). Marketing emails require either consent (Art. 6(1)(a)) or the strict customer-relationship exception of the ePrivacy Directive Art. 13(2) where applicable. Open tracking pixels and click tracking can themselves constitute online identifiers under ePrivacy and, in the strictest reading, require consent. Always include a clear and accessible unsubscribe mechanism in every marketing email.
Choose an EU region (Frankfurt, Ireland, Paris, Stockholm, Milan) to keep the email data plane inside the EEA. The AWS control plane, IAM, billing, and support may still involve US access. AWS is certified under the EU-US Data Privacy Framework, and the AWS Data Processing Addendum incorporates Standard Contractual Clauses. Run a short Transfer Impact Assessment focused on the residual US access for control-plane operations.
Pick an EU AWS region at setup, sign the AWS DPA, review the SES configuration set for open/click tracking and disable it for transactional emails where engagement metrics are not needed, maintain a clean consent register for marketing lists, include unsubscribe and physical address in every marketing message, configure SPF/DKIM/DMARC for deliverability, and document SES in the RoPA as a processor.
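One way to check the region and open/click tracking items of this checklist, as an added example that is not part of the original page or of any AWS tooling. It assumes the input has the shape of the SESv2 `GetConfigurationSetEventDestinations` response, that you supply which configuration sets carry only transactional mail, and that the configuration set names are hypothetical; the region codes are the ones in the EU endpoints listed on this page.

```python
# Added example: audit SES configuration sets for open/click tracking.
# Input mirrors the SESv2 GetConfigurationSetEventDestinations response.

EU_REGIONS = {"eu-west-1", "eu-central-1", "eu-west-3", "eu-north-1", "eu-south-1"}
TRACKING_EVENTS = {"OPEN", "CLICK"}


def tracking_events(event_destinations):
    """Return the OPEN/CLICK event types matched by any enabled destination."""
    found = set()
    for dest in event_destinations:
        if dest.get("Enabled", False):
            found |= TRACKING_EVENTS & set(dest.get("MatchingEventTypes", []))
    return found


def audit(region, config_sets, transactional):
    """Return findings for one region.

    config_sets:   {configuration set name: EventDestinations list}
    transactional: names of sets used only for transactional mail
                   (assumption: taken from your own inventory).
    """
    findings = []
    if region not in EU_REGIONS:
        findings.append(f"{region}: not one of the EU regions listed on this page")
    for name, destinations in sorted(config_sets.items()):
        events = "/".join(sorted(tracking_events(destinations)))
        if events and name in transactional:
            findings.append(f"{name}: {events} tracking on a transactional set")
        elif events:
            findings.append(f"{name}: {events} tracking enabled; check consent basis")
    return findings


# Constructed sample data; the configuration set names are hypothetical.
SAMPLE = {
    "tx-receipts": [{"Name": "to-sns", "Enabled": True,
                     "MatchingEventTypes": ["SEND", "BOUNCE", "OPEN"]}],
    "tx-password-reset": [
        {"Name": "to-sns", "Enabled": True, "MatchingEventTypes": ["BOUNCE", "COMPLAINT"]},
        {"Name": "old-analytics", "Enabled": False, "MatchingEventTypes": ["OPEN", "CLICK"]},
    ],
    "newsletter": [{"Name": "to-firehose", "Enabled": True,
                    "MatchingEventTypes": ["OPEN", "CLICK", "DELIVERY"]}],
}

if __name__ == "__main__":
    for line in audit("eu-central-1", SAMPLE, {"tx-receipts", "tx-password-reset"}):
        print(line)
```

A disabled event destination is ignored, so a leftover analytics destination that is switched off does not raise a finding.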
Websites using Amazon SES must obtain user consent under GDPR regulations.
DPIA considerations
Amazon SES processes email recipient addresses, sender identity, full email payload (subject, body, attachments), and (when enabled) open and click events. Key DPIA considerations: (1) email addresses are personal data; (2) the email body itself may contain sensitive personal data (medical, financial, legal); (3) EU region selection keeps the data plane in the EU, but the AWS control plane and global services still involve transfers; (4) open tracking pixels and click tracking links are themselves online identifiers and can require consent under ePrivacy when they go beyond strict service delivery; (5) bounce and complaint feedback loops generate additional metadata. A DPIA is recommended for marketing campaigns at scale.
Sample consent text
We use Amazon SES (Amazon Web Services) to send transactional and marketing emails. The email content, your address, and (for marketing emails) tracking events are processed by AWS in our chosen EU region. Transfers outside the EEA rely on AWS Standard Contractual Clauses and the EU-US Data Privacy Framework certification. You can unsubscribe from marketing emails at any time via the link in every message.
Third-party domains contacted
- email.eu-west-1.amazonaws.com
- email.eu-central-1.amazonaws.com
- email.eu-west-3.amazonaws.com
- email.eu-north-1.amazonaws.com
- email.eu-south-1.amazonaws.com
- aws.amazon.com
- r.<config-set>.amazonses.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies on the sender website | N/A | N/A | Amazon SES is a server-side email-sending service and does not set cookies on the sender website. The tracking pixel inside an outbound email is loaded by the recipient mail client, not by the sender domain. |
No cookies on the sender website. The tracking pixel placed inside an email is loaded by the recipient mail client when the email is opened; modern mail clients (Apple Mail with privacy protection, Gmail image proxy) routinely strip or obfuscate that signal.
For transactional emails sent under contract performance, no consent is required for the sending itself. Open and click tracking enabled in marketing campaigns and the marketing emails themselves require consent under GDPR Art. 6(1)(a) and the soft opt-in conditions of Art. 13(2) ePrivacy.
The applicable legal bases are contract performance (Art. 6(1)(b)) for transactional email, consent (Art. 6(1)(a)) for marketing email, and legitimate interest (Art. 6(1)(f)) for security and operational notices, with a documented LIA.
When using an EU region (Frankfurt, Ireland, Paris, Stockholm, Milan), the email data plane stays in the EU. The AWS control plane and global services involve US access. AWS is certified under the EU-US Data Privacy Framework and the AWS DPA incorporates SCCs.
For transactional email, generally no. For marketing campaigns at scale with open and click tracking, document a short DPIA covering the legal basis, the tracking pixels, the retention of engagement data, and the unsubscribe workflow.
Pick an EU AWS region, sign the AWS DPA, disable open/click tracking for transactional emails, maintain a clean consent register for marketing lists, include unsubscribe and a physical address in every marketing email, configure SPF/DKIM/DMARC, and document SES as a processor in your RoPA.
EU-based alternatives: Brevo (France), Mailjet (France, Sinch), Mailgun EU region (Germany), Postmark EU region, Sparkpost EU. EU-friendly self-hosted: Postfix with OpenDKIM, MailerSend, listmonk plus SMTP. Privacy-friendly newsletter services: Buttondown, Mailcoach.
SES does not set cookies on your website, so no cookie policy entry is required for the sending side. Mention SES in the privacy notice under the email subprocessors section, with the chosen AWS region, the DPA and SCC references, and the DPF certification.