Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, customer email addresses can feel like gold dust.
They help you send order confirmations, manage bookings, follow up on enquiries, and (when done correctly) build a loyal customer base through marketing.
But as soon as you start sharing email addresses - whether with a marketing agency, your booking platform, a group company, or a new buyer of your business - you’re stepping into an area where UK GDPR compliance really matters.
This guide breaks down what sharing email addresses under GDPR actually means in practice, when it’s allowed, when it’s risky, and the steps you can take to protect your business from day one.
Why Email Addresses Count As Personal Data Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, an email address will usually be personal data because it can identify a living individual, either on its own or when combined with other information you hold.
For example:
- Personal email addresses like jane.smith@gmail.com are clearly personal data.
- Work email addresses like jane.smith@company.co.uk can also be personal data (because they identify a specific person at work).
- Generic inboxes like accounts@company.co.uk might not be personal data if they don’t relate to an identifiable individual - but in practice, many “generic” inboxes are still used by specific people, so you should be cautious.
Once something is personal data, you need to treat it as protected information. That includes how you collect it, store it, use it, and - importantly here - how you share it with someone else.
If your business collects customer emails through your website, online store, booking forms, or even manual spreadsheets, it’s a good idea to have a clear Privacy Policy that explains what you do with that data in plain English.
What Counts As “Sharing” Email Addresses (It’s Not Just Selling A Mailing List)
When people think about sharing email addresses under GDPR, they often picture the obvious situation: selling or giving a marketing list to someone else.
But “sharing” under UK GDPR can be broader than that. It can include:
- Giving a supplier access to your customer database (even if they don’t download anything).
- Uploading emails to a third-party platform (email marketing tools, CRM systems, booking tools, customer support tools).
- Sending a spreadsheet of customer contacts to a contractor who helps you with admin.
- Passing customer details to a delivery partner, courier, or fulfilment provider.
- Disclosing customer emails within a group of companies or franchise network.
So the question isn’t just “are we selling data?” It’s more like:
- Who else can see or access these email addresses?
- Why are they accessing them?
- Do we have the right lawful basis and the right paperwork in place?
This is where many small businesses get caught out - not because they’re doing anything intentionally wrong, but because day-to-day operations often involve tools and suppliers that touch customer data.
When Can A UK Business Share Customer Email Addresses Under UK GDPR?
UK GDPR doesn’t ban sharing personal data. What it requires is that you only share it when you have a lawful basis, you’re transparent about what you’re doing, and you put appropriate safeguards in place.
Below are the lawful bases that commonly apply when sharing customer email addresses in a small business setting.
1) Sharing Is Necessary To Perform A Contract
If the customer has bought something from you (or is taking steps to buy something), you can usually use and share their email address where it’s necessary to deliver what they’ve asked for.
Common examples include sharing with:
- your e-commerce platform or payment provider (to send receipts and confirmations)
- your booking or appointment system (to send booking confirmations and reminders)
- your delivery/fulfilment partner (to send tracking details)
The key word is necessary. If the sharing isn’t genuinely needed to provide the service, you may need to rely on another lawful basis (or not share at all).
2) Sharing Is Needed To Comply With A Legal Obligation
Sometimes you must process or share information to comply with UK law - for example, tax and accounting requirements, responding to certain lawful requests, or regulated sector obligations.
This won’t apply to most everyday marketing-style sharing, but it can be relevant for formal disclosures.
3) Sharing Is Within Your Legitimate Interests (With Care)
Legitimate interests can be a helpful lawful basis for SMEs, but you can’t use it as a blanket justification.
In simple terms, legitimate interests can apply where:
- you have a real business reason for sharing the email addresses,
- the sharing is proportionate, and
- it doesn’t override the customer’s rights and expectations.
For example, it might be legitimate to share customer emails with an IT support provider so they can fix a system issue, or with a CRM consultant helping you clean up your database - if access is limited and your customers would reasonably expect that.
In practice, you should consider doing (and recording) a quick “balancing test” whenever you rely on legitimate interests, especially if the sharing feels customer-facing or marketing-related.
4) Sharing Is Based On Consent (Often Used For Marketing)
Consent can be appropriate where customers have a real choice and clearly understand what they are agreeing to.
However, consent is also fragile:
- it must be freely given and specific,
- you must be able to prove it, and
- customers can withdraw it at any time.
For direct marketing by email, you also need to think about the UK’s e-privacy rules (PECR). Depending on your circumstances, you might be able to use the soft opt-in - but it has strict conditions, so it’s worth getting this right before you scale your email marketing.
5) Sharing With Service Providers (Processors) Can Be Allowed - But You Need The Right Contract
One of the most common email-sharing scenarios under UK GDPR is using third-party suppliers like:
- email marketing platforms
- CRM systems
- helpdesk or chat tools
- cloud storage
- analytics and tracking tools
- virtual assistants and admin contractors
Often, these suppliers are acting as your data processors (they process customer email addresses on your instructions). That can be lawful - but only if you have a written contract with the mandatory UK GDPR clauses.
In a lot of small businesses, this is either missing entirely or handled informally by email. That’s risky. A proper Data Processing Agreement (or a compliant addendum within your supplier contract) is a key part of staying protected.
Common Business Scenarios: What’s Usually OK (And What Needs Extra Care)
Let’s make this practical. Here are some situations we regularly see in growing UK businesses.
Sharing Customer Emails With Your Marketing Agency
If you’re giving a marketing agency access to your customer list, the first thing to clarify is: are they acting as your processor (sending campaigns on your instructions), or are they using the data for their own purposes?
- If they’re a processor, you’ll usually need a processor contract and clear instructions about what they can and can’t do.
- If they’re a controller (deciding how to use the emails themselves), you’ll need a much stronger justification and transparency - and this is where businesses can quickly drift into “unlawful list sharing”.
Also remember: even if UK GDPR allows the data-sharing, marketing emails may still require consent/PECR compliance.
Sharing Emails With Your Booking Platform Or CRM
This is usually a “business as usual” processor scenario, provided:
- you’ve checked the supplier’s privacy and security standards,
- you have the right data processing terms, and
- you’ve told customers (in your privacy information) which types of providers you use and why.
If you’re not sure whether your current approach stacks up, putting a simple compliance framework in place (policies, contracts, notices) through a GDPR package can save a lot of stress later on.
Sharing Customer Emails Across Group Companies Or Between Brands
This is common when you run multiple trading names, or you have a group structure with separate limited companies.
The tricky part is that customers might not expect their email address given to “Brand A” to be used by “Brand B” - even if you own both.
You’ll generally need to think about:
- whether you have a lawful basis for that internal sharing (legitimate interests or consent are common)
- whether your privacy information clearly explains the group sharing
- whether you’re sending marketing (and therefore need to consider PECR rules)
Sharing Email Addresses When Selling Your Business
If you’re selling your business, the buyer will likely want customer data - including email addresses - as part of what they’re buying.
There are two phases where sharing happens:
- Due diligence: you disclose information so the buyer can assess the business
- Completion: the customer database transfers as a business asset
This is doable, but it needs careful handling (minimisation, confidentiality, and clear legal documentation). The transaction documents often deal with what customer data is included and what obligations apply after completion, which is why a properly drafted Business Sale Agreement can be so important.
When You Can’t Share Customer Email Addresses (Or When It’s High Risk)
There are a few recurring danger zones where UK businesses get into trouble when sharing email addresses under GDPR.
Selling Or Renting A Mailing List Without Proper Transparency (And Usually Consent)
If you’re handing a list of customer emails to another business so they can market to them, that’s often high risk. In practice, it will typically require clear prior consent and clear privacy wording, and you’ll also need to comply with PECR rules on direct marketing.
Even if you believe customers “won’t mind”, UK GDPR is built around what people were told and what they reasonably expect.
Sharing “Just In Case” Or “Because It’s Convenient”
Convenience isn’t a lawful basis.
If a supplier doesn’t need customer emails to do their job, don’t give them access. Data minimisation is a core UK GDPR principle - you should only share what’s needed, for the purpose you’ve identified.
Sharing Without A Clear Processor/Controller Relationship
A lot of risk comes from not clearly defining roles:
- If you and another business decide together how customer emails will be used, you may be joint controllers (which brings extra obligations).
- If the other business is using the emails for their own aims, they’re likely a controller, not your processor.
If you assume a supplier is a processor, but in reality they’re acting as a controller, you can end up with gaps in transparency, contracts, and lawful basis analysis.
Sharing Without Security Controls (Especially Internally)
UK GDPR also expects you to keep personal data secure. That includes how you share it internally and externally.
Examples of risky behaviour include:
- sending spreadsheets of customer emails to personal accounts
- sharing login details to CRM systems across a team
- allowing broad access to customer databases when only a few staff members need it
Even if there’s no malicious intent, a data breach is still a data breach - and it can create real legal and reputational headaches for a small business.
One practical step is having clear internal rules on how staff use business systems and handle personal data, supported by an Acceptable Use Policy.
A Practical Compliance Checklist For Sharing Email Addresses
When you’re moving fast in business, you need a checklist that’s realistic - not one that assumes you have an in-house legal team.
Here’s a practical framework you can use before you share customer email addresses with anyone.
1) Be Clear On The Purpose
Write down (even in a simple internal note):
- Why are we sharing these email addresses?
- What outcome are we trying to achieve?
- Is there a less intrusive way to achieve it?
2) Identify The Lawful Basis
Ask:
- Is this necessary to perform a contract with the customer?
- Do we have a legal obligation to do this?
- Can we rely on legitimate interests (and does it match customer expectations)?
- Do we need consent?
If you’re using email addresses for marketing, also consider PECR rules alongside UK GDPR. The two work together, and getting one right doesn’t automatically mean you’re compliant with the other.
3) Confirm Whether The Recipient Is A Processor Or Controller
This changes what paperwork you need and what you must tell customers.
- Processor: they act only on your instructions (you need a processor contract).
- Controller: they decide what to do with the data (you need a lawful basis for that disclosure and clear transparency).
4) Put The Right Contract In Place
If it’s a processor relationship, make sure the contract includes the mandatory UK GDPR terms (processing instructions, confidentiality, security, sub-processors, assistance with rights requests, deletion/return, audits, etc.).
This is exactly the kind of thing that’s easy to miss if you’re trying to piece it together from generic templates - and why getting the right legal documents in place early is such a smart move.
5) Update Your Customer-Facing Privacy Information
Customers should be able to understand, in plain English:
- what data you collect (including emails)
- why you use it
- who you share it with (at least by category, and sometimes by name)
- whether it goes outside the UK
- how long you keep it
That transparency piece is often what makes the difference between “this is fine” and “this feels like a complaint waiting to happen”.
6) Keep Security Practical (But Real)
You don’t need enterprise-level systems to be compliant, but you do need sensible controls such as:
- role-based access (only people who need the data can access it)
- strong passwords and multi-factor authentication
- secure sharing methods (not personal email accounts)
- basic training for staff handling customer data
If your team sends marketing messages or customer communications, it’s also worth being clear on what your staff can do through business channels and what must be avoided - especially when personal data is involved. (If you’re ever relying on email communications to prove notices or contract steps, it’s also worth remembering that emails can be legally significant in the right circumstances.)
Key Takeaways
- Email addresses are usually personal data, so UK GDPR applies to how you collect, use, and share them.
- “Sharing” includes giving access to suppliers and platforms - not just selling a mailing list.
- You can share customer emails where you have a lawful basis (commonly contract necessity, legitimate interests, or consent), and you’re transparent about it.
- If a supplier is a processor, you’ll generally need UK GDPR-compliant processing terms in writing (not just an informal arrangement).
- Marketing has extra rules (PECR), so don’t assume GDPR alone covers your email campaigns.
- High-risk areas include list sharing for others’ marketing, sharing “just in case”, and sharing without security controls.
- Getting your policies and contracts right early is one of the easiest ways to reduce compliance risk as your business grows.
If you’d like help with GDPR compliance, sharing customer data, or putting the right documents in place (like a Privacy Policy or Data Processing Agreement), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.