Who is responsible for compliance — sender or ESP?
The sender (data controller) bears primary responsibility for email marketing compliance. You decide what data to collect, what emails to send, who to target, and how to handle subscriber relationships. These are controller decisions that carry controller accountability. If you send to improperly obtained addresses, fail to honor unsubscribes, or violate privacy regulations, the legal consequences fall primarily on you, not your ESP. You cannot delegate compliance responsibility by choosing to work with a particular vendor.
Your ESP (data processor) has its own obligations but within a narrower scope. Under GDPR, processors must implement appropriate security measures, only process data according to controller instructions, assist controllers with data subject requests and breach notifications, and maintain records of processing activities. ESPs are also accountable for their sub-processors and must have their own compliance frameworks. If an ESP acts outside your instructions or fails to meet processor obligations, they bear responsibility for those failures.
In practice, the relationship is shared but asymmetric. You're responsible for using the ESP correctly: configuring it according to compliance requirements, uploading only properly consented data, and honoring the opt-outs it processes. The ESP is responsible for providing tools and infrastructure that enable compliance: functional unsubscribe handling, suppression list management, and consent tracking features. Choose an ESP that facilitates compliance, but understand that the most compliant platform in the world can't fix non-compliant practices on your end. Think of it like driving: you're responsible for obeying traffic laws, while the car manufacturer is responsible for building a safe vehicle. Both have obligations, but you're the one driving.