Sympa is a free, open source mailing list manager originally developed at Université de Rennes 1 in France and now maintained by the Sympa community. It powers list servers used by universities, research networks, public administrations and NGOs across Europe. Sympa handles subscriptions, list moderation, message distribution, web archives and digest delivery. Because the software is self hosted by the customer, the privacy footprint is limited to the data needed to manage subscriptions and one session cookie on the web archive interface.
Sympa is a free, open source mailing list management system released under the GNU GPL licence. It was originally developed in 1997 at Université de Rennes 1 in France and is now maintained by the Sympa community, including RENATER, the French national research and education network. Sympa is widely deployed across European universities, research networks, public administrations and NGOs to operate discussion lists, announcement bulletins and working group exchanges. The software is self hosted by the customer, which keeps full control of subscribers, content and configuration on its own infrastructure.
Sympa stores the subscriber email address, an optional display name, the list of subscriptions, the timestamp of the double opt in confirmation and a per list moderation status. The web archive interface issues a single session cookie that holds the authenticated user identifier when subscribers browse historical messages or change their settings. Sympa also keeps server side delivery logs that include the SMTP envelope and bounce metadata. No third party tracking cookie, fingerprinting script or external analytics call is embedded in the default Sympa interface.
Operating a mailing list means processing personal data (the subscriber email) under the GDPR. Article 13 of the ePrivacy Directive and the French LCEN require prior, free, specific and informed consent to send direct marketing or newsletter messages to natural persons. The CNIL guidelines on commercial prospection, the German UWG and the Spanish LSSI all converge on the double opt in process. The session cookie on the web archive is strictly necessary and does not require consent under Art. 5(3) ePrivacy.
For each subscription the legal basis is explicit consent under Art. 6(1)(a) GDPR, evidenced by the email address provided and the double opt in confirmation timestamp that Sympa records by default. Internal corporate lists addressed to employees can sometimes rely on contract (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) provided the purpose, scope and right to object are documented. Subscribers must be able to unsubscribe with a single click in every message, in line with CNIL recommendations and Art. 21 GDPR.
Because Sympa is self hosted, the controller chooses where the server runs. Most academic and public sector deployments stay on premise or on RENATER or GEANT infrastructure inside the European Union, which means no third country transfer occurs. Transfers may appear if the controller relays outgoing mail through a non EU SMTP provider (for example Amazon SES US, SendGrid, Postmark) or if some recipients themselves reside outside the EEA. In those cases Standard Contractual Clauses with the SMTP processor and a brief Transfer Impact Assessment should be in place.
Enable double opt in for every list, store the consent timestamp and IP and provide a unique unsubscribe link in each message. Configure DKIM, SPF and DMARC on the Sympa domain to protect deliverability and prevent spoofing. Set retention so that bounced addresses are removed after a defined period and archives older than the documented purpose are anonymised or deleted. Restrict the moderator and list owner roles, log access to the web interface and keep Sympa patched against the security advisories published on sympa.community.
Websites using Sympa must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment under Art. 35 GDPR is generally not required for a Sympa deployment that runs internal or community mailing lists with standard data (email address, optional name, list of subscriptions). It becomes relevant when the controller operates lists at very large scale, processes special category data such as patient or activist groups, or sends to recipients in third countries. The Art. 30 record of processing activities should document the legal basis for each list, the retention of subscriptions and archives, the SMTP relay used and the security measures applied to the Sympa server.
Sample consent text
You can subscribe to this mailing list managed by our Sympa server hosted in the European Union. By confirming your email address through the double opt in link, you give explicit consent under Art. 6(1)(a) GDPR to receive messages from this list. You can unsubscribe at any time using the link in every message or by writing to the list owner. We store your email address, your subscription preferences and the date of your confirmation as a record of consent.
Third-party domains contacted
sympa.community, sympa.org, github.com, www.renater.fr
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sympa_session | Session | Session | First party session cookie set by the Sympa web archive interface to keep the authenticated subscriber identifier while browsing list archives or changing personal subscription settings. Strictly necessary, no consent required. |
| sympauser | Persistent | 30 days | Optional first party cookie that remembers the email address of the last authenticated user on shared workstations so that the login form can be prefilled. Set only when the visitor ticks the remember me option. |
Sympa stores the subscriber email address, an optional display name, the list of subscriptions, the timestamp of the double opt in confirmation, the moderation status and server side delivery logs that include the SMTP envelope and bounce metadata. The web archive interface sets a single first party session cookie carrying the authenticated user identifier. Sympa does not load third party analytics, does not set tracking cookies and does not perform browser fingerprinting. Outside of the session cookie the only personal data point exposed in the browser is the email address shown on user pages.
Yes for subscriptions, no for the archive session cookie. Subscriptions to a mailing list are processed on the legal basis of explicit consent under Art. 6(1)(a) GDPR and Art. 13 ePrivacy and require a double opt in confirmation. The session cookie on the web archive falls under the strictly necessary exemption of Art. 5(3) ePrivacy and Art. 22.2 LSSI because it is needed to deliver the authenticated archive service requested by the subscriber. No consent banner is needed for the cookie itself.
The primary basis is consent under Art. 6(1)(a) GDPR for every individual subscription, evidenced by the double opt in confirmation timestamp that Sympa records. Operating the server (security logs, abuse handling, bounce processing) can rely on legitimate interest under Art. 6(1)(f). Internal staff lists may rely on contract under Art. 6(1)(b) when subscription is part of the employment relationship. Each list configuration should document the chosen basis in the Sympa list description and in the controller record of processing activities.
Sympa itself does not transfer data internationally when hosted inside the EU on the controller infrastructure. Transfers may appear when (i) outgoing mail is relayed through a non EU SMTP provider such as Amazon SES US, SendGrid or Postmark, (ii) the controller chooses a non EU cloud host, or (iii) subscribers themselves reside outside the EEA. In those cases Standard Contractual Clauses with the processor and a Transfer Impact Assessment under Schrems II are required. Inbound public list archives addressed to a global audience do not need a transfer mechanism per Art. 49 GDPR.
A formal DPIA under Art. 35 GDPR is not generally required for a Sympa installation handling standard lists and email addresses on a moderate scale. It becomes recommended when the controller manages very large lists, when subscribers belong to sensitive categories (patients, minors, political or religious affiliations) or when the list operates large scale cross border traffic. The Art. 30 record of processing activities should always document each list, the legal basis, the retention period for subscriptions and archives, and the processors involved.
Host Sympa inside the EU and apply standard Linux hardening, TLS for SMTP and HTTPS, and access controls on the back office. Activate double opt in for every list, store consent metadata, and add a one click unsubscribe link in each message. Set retention rules so bounced addresses are removed and old archives anonymised or deleted in line with the documented purpose. Configure DKIM, SPF and DMARC. Keep Sympa patched against advisories published at sympa.community. Sign data processing agreements with any SMTP relay or hosting provider used.
Other open source mailing list managers include GNU Mailman 3, Listmonk, Mailtrain and phpList. Hosted European alternatives include Sendinblue (Brevo) in France for newsletters, Mailjet and Sarbacane. For research and academic communities GroupServer or the discussion features of Discourse and Element (Matrix) can replace pure email lists. The choice depends on whether public archives are needed, whether the controller wants self hosting and on the volume and type of recipients. Sympa remains the reference for academic and large institutional lists with rich moderation needs.
The privacy notice should describe the mailing list service powered by Sympa, the categories of data (email address, optional name, subscriptions, consent timestamp, server side delivery logs), the purposes (list distribution, moderation, security), the legal basis (consent for subscription, legitimate interest for operation), the retention period, the right to unsubscribe and the right to access, rectify or delete data. Mention the EU location of the Sympa server and any SMTP relay. Add the single session cookie of the archive interface in the technical cookies table.