GDPR and cold email: what you can (and can't) do
The General Data Protection Regulation (GDPR) is the most comprehensive data privacy framework in the world, and it governs how you can contact anyone in the European Union or European Economic Area. If you send cold emails to prospects in Europe — or if your company is based there — GDPR applies to you, regardless of where your servers are located.
The good news: GDPR does not ban cold email. The bad news: most people get compliance wrong, either by being too cautious (and missing out on a massive market) or too reckless (and exposing themselves to serious fines). This chapter gives you a practical, actionable framework for B2B cold outreach under GDPR — not a legal opinion, but the operational playbook that thousands of compliant senders follow every day.
This is not legal advice
This chapter provides practical guidance based on widely accepted interpretations of GDPR for B2B cold outreach. Your specific situation may differ. Consult a qualified data protection lawyer for advice tailored to your business.
Understanding the legal basis for cold email
GDPR requires a "lawful basis" for processing personal data — and an email address is personal data. There are six lawful bases in GDPR, but for cold B2B outreach, only two are relevant: consent and legitimate interest.
Consent
Consent means the individual has explicitly agreed to receive your communications. For cold email, this is a paradox: if you already have their consent, it is not really "cold" outreach. Consent-based approaches work for inbound — newsletter sign-ups, webinar registrations, content downloads — but they do not apply to cold outreach by definition.
Legitimate interest
Legitimate interest is the lawful basis that makes B2B cold email possible under GDPR. Article 6(1)(f) allows you to process personal data when you have a legitimate interest that is not overridden by the individual's rights and freedoms. For cold email, this means you can contact a business professional when:
- You have a genuine business reason to contact them (your product or service is relevant to their role or company)
- The processing is necessary for that purpose (you need their email to reach them)
- The individual would reasonably expect to be contacted in this way (a VP of Sales expects sales-related outreach)
- The impact on the individual is minimal (one relevant email is not intrusive)
The legitimate interest balancing test
Before sending any campaign, mentally run a three-part test: (1) Is there a legitimate interest? (2) Is processing necessary? (3) Does the individual's interest override yours? If you sell cybersecurity software and contact a CISO about a recent breach in their industry, you pass all three. If you sell pool cleaning and contact that same CISO at their work email, you fail step one.
The Legitimate Interest Assessment (LIA)
GDPR does not require you to file paperwork with a regulator before sending cold emails, but it does require you to document your legitimate interest assessment. This is an internal document that explains why you believe legitimate interest applies to your outreach. If a regulator or data subject ever asks, you need to be able to produce it.
A practical LIA for cold outreach should cover:
- Purpose: What is the legitimate interest? (e.g., "Growing our customer base by reaching decision-makers in our target market")
- Necessity: Why is email outreach necessary? (e.g., "Email is the only scalable way to reach these professionals directly")
- Balancing test: How do you minimize impact? (e.g., "We limit sequences to 3 emails, honor opt-outs within 48 hours, and only contact people in roles relevant to our product")
- Safeguards: What protections are in place? (e.g., "Suppression list, data retention policy, easy opt-out in every email")
Keep your LIA in a shared document that your sales and marketing teams can access. Update it when you enter new markets or target new personas.
What GDPR actually requires in your emails
Beyond the legal basis, GDPR imposes specific obligations on how you collect, store, and use personal data. Here is what this means in practice for your cold outreach:
Data source transparency
When you contact someone whose data you did not collect directly from them (which is every cold email), GDPR Article 14 requires you to tell them where you got their data. You do not need to do this in your first email, but you must provide this information within one month of obtaining their data, or at the time of first communication — whichever comes first. In practice, include a brief note in your email or have it available on request: "I found your contact details on LinkedIn" or "Your information is publicly listed on your company website."
Right to object and opt out
Every cold email must make it easy for the recipient to opt out. This is non-negotiable. Under GDPR, the right to object to processing under legitimate interest is absolute for direct marketing. When someone says "stop emailing me," you must stop — no questions asked, no "but let me explain why our product is great."
Include a clear way to opt out in every message. This can be an unsubscribe link, a simple "Reply STOP to unsubscribe" line, or both. The mechanism matters less than the clarity and speed of execution.
Data minimization
Only collect and store the data you actually need. For cold outreach, this typically means: name, email address, company name, job title, and perhaps industry or company size for segmentation. You do not need their home address, personal phone number, or date of birth. If a data provider offers 50 fields on each contact, only import the ones you will use.
Data accuracy
GDPR requires that personal data be accurate and kept up to date. For outreach, this means verifying email addresses before sending (bounced emails to wrong addresses are a compliance issue, not just a deliverability one), and regularly cleaning your lists of people who have changed roles or companies.
Data retention: how long can you keep prospect data?
GDPR says you can only keep personal data for as long as it is necessary for the purpose you collected it. For cold outreach, this creates a practical question: how long can you keep a prospect's email address if they never reply?
There is no fixed number in GDPR. The regulation says "no longer than necessary." In practice, most compliance-conscious organizations follow these guidelines:
- Active prospects (in a sequence or recently contacted): retain for the duration of the campaign plus a reasonable follow-up period (typically 3-6 months)
- Non-responsive prospects: delete or anonymize within 6-12 months of last contact if there is no ongoing legitimate interest
- Opted-out contacts: keep their email address on your suppression list indefinitely (you need it to ensure you never email them again), but delete all other personal data
- Converted leads: once a prospect becomes a customer or enters your CRM as a qualified lead, retention is governed by your customer data policy, not your outreach policy
Document your retention periods in a data retention policy and set up automated processes to enforce them. Most outreach platforms allow you to auto-archive or delete contacts after a defined period of inactivity.
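One way to enforce the retention windows and the cross-campaign suppression list described above, as an added Python example (not code from the chapter or any outreach platform): the concrete day counts, the status labels and the sample prospects are constructed assumptions within the ranges the chapter gives.

```python
from dataclasses import dataclass, field
from datetime import date
ACTIVE_FOLLOWUP_DAYS = 180   # chapter: campaign plus a 3-6 month follow-up (assumed value)
NON_RESPONSIVE_DAYS = 365    # chapter: delete within 6-12 months of last contact (assumed)
@dataclass
class Prospect:
    email: str
    title: str
    status: str        # "active" | "non_responsive" | "opted_out" | "converted"
    last_contact: date

@dataclass
class RetentionResult:
    keep: list = field(default_factory=list)        # stays in the outreach list
    handoff: list = field(default_factory=list)     # converted: customer data policy applies
    deleted: list = field(default_factory=list)     # purged emails (audit trail only)
    suppressed: list = field(default_factory=list)  # blocked by the suppression list

def apply_retention(prospects, suppression, today):
    """Apply the retention rules; `suppression` is the persistent cross-campaign set
    of opted-out emails, to which an opted-out contact contributes its email only."""
    result = RetentionResult()
    # Pass 1: register opt-outs first so a duplicate later in the file cannot slip through.
    for p in prospects:
        if p.status == "opted_out":
            suppression.add(p.email.strip().lower())
    # Pass 2: apply the per-status rules; a suppressed address wins over any status.
    for p in prospects:
        email = p.email.strip().lower()
        if email in suppression:
            result.suppressed.append(email)
        elif p.status == "converted":
            result.handoff.append(p)
        elif (today - p.last_contact).days <= (
                ACTIVE_FOLLOWUP_DAYS if p.status == "active" else NON_RESPONSIVE_DAYS):
            result.keep.append(p)
        else:
            result.deleted.append(email)
    return result

def sample_run():
    prospects = [  # constructed sample list, not real data
        Prospect("ana@example.com", "VP Sales", "active", date(2024, 5, 1)),
        Prospect("bo@example.com", "CISO", "non_responsive", date(2023, 3, 1)),
        Prospect("Carla@Example.com", "CTO", "opted_out", date(2024, 1, 1)),
        Prospect("dana@example.com", "COO", "converted", date(2024, 4, 1)),
        Prospect("erik@example.com", "CIO", "non_responsive", date(2024, 1, 15)),
        Prospect("carla@example.com", "CTO", "active", date(2024, 5, 20)),  # vendor re-import
    ]
    suppression = set()
    return apply_retention(prospects, suppression, date(2024, 6, 1)), suppression
```

Running `sample_run()` keeps Ana and Erik, hands Dana off to the CRM, deletes Bo after more than a year of silence, and blocks both Carla records, including the re-imported "active" one, because only her email survives on the suppression list.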
Do you need a Data Protection Officer?
GDPR requires a Data Protection Officer (DPO) in three cases: if you are a public authority, if your core activity involves large-scale systematic monitoring, or if your core activity involves large-scale processing of sensitive data. Most B2B companies sending cold emails do not meet these thresholds.
However, even if you do not legally need a DPO, it is wise to designate someone as the data protection point person. This person ensures your LIA is documented, your retention policies are enforced, opt-outs are processed, and data subject access requests are handled within the 30-day deadline.
Country-specific nuances within the EU
GDPR is the baseline, but individual EU member states can add their own rules through national ePrivacy laws. These can be stricter than GDPR for electronic communications. A few notable examples:
- Germany: The Gesetz gegen den unlauteren Wettbewerb (UWG) is stricter than GDPR for B2B email. Germany generally requires prior consent for commercial emails, even to business addresses. Many practitioners consider cold B2B email higher risk in Germany and approach it with extra caution or focus on other channels.
- France: CNIL (the French data protection authority) generally allows B2B cold email under legitimate interest, provided the message is relevant to the recipient's professional role and an opt-out is included.
- Netherlands: The Telecommunicatiewet requires opt-in consent for commercial electronic messages, but has an exception for B2B email sent to generic company addresses (info@, sales@). Emails to personal business addresses are treated more strictly.
Germany deserves special attention
If you are targeting German prospects, research the UWG carefully or consult a local lawyer. The enforcement landscape there is different from most other EU countries, and competitors can file complaints against you for unsolicited emails.
Your practical GDPR compliance checklist
Here is a step-by-step checklist you can implement today to ensure your cold outreach is GDPR-compliant:
- Document a Legitimate Interest Assessment for each outreach campaign or audience segment
- Only collect data you actually need (name, business email, title, company)
- Verify email addresses before sending to maintain data accuracy
- Include a clear opt-out mechanism in every email
- Process opt-outs within 48 hours (ideally automatically)
- Be ready to tell prospects where you got their data
- Respond to data subject access requests within 30 days
- Set up data retention rules — auto-delete non-responsive contacts after 6-12 months
- Maintain a master suppression list that persists across all campaigns
- Ensure your data processors (outreach platform, email provider, data vendors) have GDPR-compliant Data Processing Agreements in place
- Update your privacy policy to mention B2B outreach under legitimate interest
- Designate a data protection point person, even if a formal DPO is not required
What happens if you get it wrong
GDPR fines can reach up to 20 million euros or 4% of global annual revenue, whichever is higher. In practice, most enforcement actions against small and medium businesses result in smaller fines, warnings, or orders to change practices. But the reputational damage can be worse than the fine — a GDPR complaint from a prospect can spread through your target market fast.
- 4%: maximum fine (as a share of global annual revenue)
- 30 days: deadline for data subject requests
- 48h: best-practice opt-out processing time
More importantly, non-compliance hurts your deliverability. When recipients mark your emails as spam — which they are more likely to do if they feel their privacy was violated — your sender reputation drops, and fewer of your emails reach the inbox. Compliance and deliverability are two sides of the same coin.
"GDPR compliance is not a tax on your outreach — it is a filter that forces you to be more relevant, more targeted, and more respectful. The companies that embrace it outperform the ones that try to work around it."
GDPR as a competitive advantage
Here is the mindset shift that separates great outreach teams from mediocre ones: GDPR compliance is not a constraint — it is a quality filter. Every requirement pushes you toward better practices. Data minimization forces you to focus on what matters. Legitimate interest forces you to think about relevance. Data accuracy forces you to clean your lists. Opt-out handling forces you to respect your audience.
When you follow GDPR properly, you end up with smaller, cleaner lists of genuinely relevant prospects — and those lists convert at dramatically higher rates than the spray-and-pray alternative. The regulation is not your enemy. It is the guardrail that keeps you on the road to sustainable growth.