GDPR and Cold Email: How to Stay Compliant in Europe
Complete guide to GDPR-compliant cold email: the legitimate interest basis, data processing requirements, the right to erasure, DPA requirements, and administrative fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher.
Cold email is legal under GDPR. The General Data Protection Regulation (Regulation (EU) 2016/679), which has applied since May 25, 2018, does not ban unsolicited business email. It regulates how personal data is collected, processed, and stored, and it requires that every processing activity -- including sending a cold email -- has a valid legal basis.
For B2B cold email, the relevant legal basis is legitimate interest under Article 6(1)(f). This means you can send cold emails to business professionals in the EU without prior consent, as long as you can demonstrate a genuine business reason for contacting them, you process only the minimum data necessary, and you respect their right to object.
This guide covers everything you need to know about sending GDPR-compliant cold email: the legitimate interest framework, data processing requirements, data subject rights, DPA obligations, enforcement risks, and practical steps to build compliance into your outbound process.
Table of Contents
- GDPR Overview for Cold Emailers
- Legal Bases for Cold Email Under GDPR
- The Legitimate Interest Framework
- How to Conduct a Legitimate Interest Assessment
- Data Processing Requirements
- Data Subject Rights
- Data Protection Authority Requirements
- ePrivacy Directive and B2B Exemptions
- Penalties and Enforcement
- Practical Compliance Steps
- Member State Variations
GDPR Overview for Cold Emailers
GDPR applies to the processing of personal data of individuals (called "data subjects") who are in the European Union. Under Article 3(2) it reaches controllers and processors established outside the EU whenever the processing relates to offering goods or services to people in the EU, which is exactly what a sales email does, regardless of where the sender sits. If you are a US company sending cold emails to prospects in Germany, GDPR applies to your processing of their personal data. If you are a UK company emailing French prospects, GDPR applies (in addition to UK GDPR and PECR for your domestic operations).
Personal data under GDPR is defined broadly. It includes any information relating to an identified or identifiable natural person. For cold email, this means:
- The recipient's name
- Their email address (even a corporate one like john.smith@company.eu)
- Their job title
- Their company name (when combined with name)
- Their LinkedIn profile URL
- Any other identifying information you use for personalization
Every cold email you send involves processing personal data: you collect the data (from a lead list, LinkedIn, a website), store it (in your CRM or email tool), use it (to send the email), and potentially transfer it (to your email service provider). Each of these activities must have a legal basis under GDPR.
GDPR establishes several key roles. The data controller is the entity that determines the purposes and means of processing -- this is you, the company sending cold emails. The data processor is any entity that processes data on your behalf and on your instructions -- your cold email platform and CRM, for example. A lead data provider that compiles and sells lists for its own purposes is usually not your processor but an independent controller, so you must be able to show that it collected the data lawfully and that you can still meet your own transparency obligations to the people on the list. As the controller, you are responsible for ensuring GDPR compliance across your entire data processing chain.
Legal Bases for Cold Email Under GDPR
GDPR Article 6 lists six legal bases for processing personal data. For cold email, only two are relevant:
1. Consent (Article 6(1)(a))
The data subject has given clear, affirmative consent to processing their personal data for the specific purpose of receiving your commercial communications. GDPR consent must be:
- Freely given: The data subject must have a genuine free choice and must not face negative consequences for refusing consent
- Specific: Consent must be given for a specific processing purpose, not bundled with other purposes
- Informed: The data subject must be told what they are consenting to, who the controller is, and how their data will be used
- Unambiguous: Consent must involve a clear affirmative action (pre-ticked boxes are not valid)
Consent is the gold standard for GDPR compliance, but it is impractical for cold email. By definition, cold email involves contacting someone with whom you have no prior relationship, so obtaining consent before the first contact is a circular problem. Consent is more relevant for email marketing to existing contacts who have opted in through your website, at events, or through other interactions.
2. Legitimate Interest (Article 6(1)(f))
Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
This is the legal basis used by the vast majority of B2B cold emailers operating in the EU. Legitimate interest acknowledges that businesses have a genuine interest in direct marketing and allows processing for that purpose, provided appropriate safeguards are in place.
Recital 47 of GDPR explicitly states: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." This recital provides direct support for using legitimate interest as the basis for cold email outreach.
However, legitimate interest is not a blanket permission. You must conduct a Legitimate Interest Assessment (LIA) to document that your interest is genuine, that processing is necessary, and that the recipient's rights do not override your interest.
The Legitimate Interest Framework
Legitimate interest is a flexible legal basis, but it comes with accountability requirements. The three-part test, applied by the Court of Justice of the EU and set out in the EDPB's Guidelines 1/2024 on processing based on legitimate interest and in national DPA guidance, is:
Part 1: Purpose Test
You must identify a specific, real, and present legitimate interest. For cold email, this is typically direct marketing of relevant business products or services. The interest must be lawful, clearly articulated, and real (not hypothetical or speculative).
Examples of legitimate interests for cold email:
- Marketing a B2B software product to companies that match your ideal customer profile
- Introducing your consulting services to businesses in an industry you specialize in
- Promoting a webinar or event to professionals whose role is relevant to the topic
- Following up with someone who visited your booth at a trade show (this may also qualify as consent depending on the interaction)
Examples that would likely fail the purpose test:
- Sending mass promotional emails with no targeting or relevance to the recipient
- Emailing consumers at personal email addresses about B2B products
- Sending emails purely to harvest data (click tracking, read receipts) without any genuine marketing purpose
Part 2: Necessity Test
You must demonstrate that processing the personal data is necessary to achieve your legitimate interest, and that there is no less intrusive way to achieve the same result. For cold email, this means:
- Email is a reasonable and proportionate way to reach the recipient (as opposed to, say, cold calling, direct mail, or advertising)
- You are collecting and processing only the minimum data necessary: typically the recipient's name, work email address, job title, and company name
- You are not collecting special category data (Article 9: health, political opinions, religious beliefs, trade union membership, etc.), which cannot be processed on a legitimate interest basis at all
- The data will not be retained longer than necessary for the purpose
Part 3: Balancing Test
This is the most critical part. You must weigh your legitimate interest against the impact on the data subject's rights and freedoms. Factors to consider include:
- Reasonable expectations. Would the recipient reasonably expect to be contacted about this type of product or service? A VP of Marketing would reasonably expect to receive emails about marketing tools. A pediatrician would not reasonably expect to receive emails about industrial equipment.
- Nature of the data. Are you processing only basic professional data (name, work email, job title)? Processing only publicly available business information weighs in your favor.
- Impact on the individual. How significant is the impact of receiving your email? A single, relevant, professional email with an easy opt-out has minimal impact. A daily barrage of irrelevant emails has significant impact.
- Safeguards. Have you implemented safeguards to reduce the impact? Providing a clear opt-out, limiting email frequency, honoring unsubscribes promptly, and allowing data deletion all weigh in your favor.
- Vulnerability of the data subject. Are you emailing vulnerable individuals (children, elderly, patients)? This weighs heavily against your interest.
How to Conduct a Legitimate Interest Assessment
A Legitimate Interest Assessment (LIA) is a documented analysis that demonstrates your processing meets the three-part test. You should complete an LIA before launching any cold email campaign targeting EU recipients and keep it on file. If a DPA or data subject challenges your processing, the LIA is your primary defense.
Your LIA should document:
- The processing activity: What personal data you are processing, how you obtained it, and what you are using it for (sending cold emails promoting [specific product/service]).
- The legitimate interest: Your specific business interest (direct marketing of relevant B2B products/services to professionals who may benefit from them).
- The necessity analysis: Why email is necessary and proportionate, what data you are processing (minimum necessary), and your data retention policy.
- The balancing test: Why the recipient would reasonably expect to be contacted, what safeguards you have in place (opt-out mechanism, data deletion upon request, limited frequency), and why your interest does not override the recipient's rights.
- Your conclusion: Based on the analysis, processing is lawful under Article 6(1)(f) because [summary of reasoning].
You can use our free GDPR Legitimate Interest Assessment tool to walk through the key questions and evaluate your campaign's compliance posture.
Data Processing Requirements
Beyond the legal basis for sending the email, GDPR imposes several ongoing requirements on how you process personal data:
Records of Processing Activities (Article 30)
Article 30(5) exempts organizations with fewer than 250 employees only where their processing is occasional, unlikely to result in a risk to data subjects, and does not involve special category data. Sending cold emails on an ongoing basis is not occasional, so in practice every outbound team must maintain a Record of Processing Activities (ROPA). This record must include:
- The name and contact details of the controller (your company)
- The purposes of the processing (direct marketing)
- A description of the categories of data subjects (business professionals) and categories of personal data (name, email, job title, company)
- The categories of recipients (your email platform, CRM, etc.)
- Transfers to third countries (if your email platform is US-based, for example)
- The envisaged data retention period
- A general description of technical and organizational security measures
Data Processing Agreements (Article 28)
When you use third-party services that process personal data on your behalf (your cold email platform, CRM, enrichment tools, and any other service that handles prospect data on your instructions), you must have a Data Processing Agreement (DPA) in place with each processor. A vendor that sells you a list it compiled for its own purposes is normally an independent controller rather than your processor; that relationship is governed by a licensing or data sharing agreement plus your own checks on the lawfulness of its collection, not by Article 28. The DPA with a processor must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data and categories of data subjects
- The obligations and rights of the controller
- The processor's obligations regarding data security, sub-processors, data breaches, and data deletion
Most reputable SaaS platforms provide standard DPAs that you can sign. Sales.co provides a GDPR-compliant DPA as part of its service agreement, covering all data processing activities related to cold email sending, contact storage, and campaign management.
Data Minimization (Article 5(1)(c))
You must collect and process only the personal data that is adequate, relevant, and limited to what is necessary for the purpose. For cold email, this means collecting the minimum information needed to send a relevant, personalized email: typically the recipient's name, work email address, job title, and company name.
Collecting additional personal data that is not necessary for the email (personal phone numbers, home addresses, social media passwords, personal interests unrelated to business) would violate the data minimization principle.
Storage Limitation (Article 5(1)(e))
Personal data must be kept only as long as necessary for the purpose for which it was collected. You should define and enforce a data retention policy for your cold email prospect data. A reasonable retention period for cold email contacts is 6-12 months from the last interaction, after which the data should be deleted or anonymized unless you have a separate legal basis for continued retention (such as an active business relationship).
Data Security (Article 32)
You must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. For cold email data, this includes:
- Encryption of personal data in transit and at rest. Note that TLS on SMTP is opportunistic by default: STARTTLS downgrades silently unless you enforce it (for example with MTA-STS), so do not assume "email is encrypted" without checking your provider's configuration
- Least-privilege access controls limiting who in your organization can view or export prospect data, with an audit trail of who accessed what
- Regular security assessments of your email infrastructure and tools
- Employee training on data protection
- Incident response procedures for data breaches
Data Subject Rights
GDPR grants data subjects (your email recipients) extensive rights over their personal data. As a cold emailer, you must be prepared to fulfill these rights upon request:
Right to Be Informed (Articles 13 and 14)
When you collect personal data, you must inform the data subject about who you are, why you are processing their data, what legal basis you are relying on, how long you will retain their data, and what rights they have. For cold email the data is not collected directly from the data subject, so Article 14 applies: you must provide this information within a reasonable period after obtaining the data and at the latest within one month, and if the data is used to contact the person, no later than the first email. Article 14(5) lets you skip this only where providing the information would be impossible or involve disproportionate effort, which is rarely credible when you are already emailing the person.
In practice, many cold emailers satisfy this requirement by including a brief statement in their email footer or linking to a privacy policy. A minimal example: "I'm reaching out because I believe [Company] may benefit from [Product]. I obtained your business contact information from [Source]. You can learn more about how we handle your data in our privacy policy [link], or reply 'unsubscribe' to be removed from future emails."
Right of Access (Article 15)
Data subjects have the right to request a copy of all personal data you hold about them. If a cold email recipient asks what data you have on them, you must provide it without undue delay and in any event within one month (Article 12(3); extendable by two further months for complex requests, provided you tell the requester within the first month). This includes their name, email, any notes or tags in your CRM, enrichment data, and any tracking data (opens, clicks) associated with their email interactions.
Right to Rectification (Article 16)
Data subjects can request that inaccurate personal data be corrected. If a recipient says their job title or email is wrong in your records, you must update it promptly.
Right to Erasure / Right to Be Forgotten (Article 17)
Data subjects can request that their personal data be deleted. This right applies when the data is no longer necessary for its original purpose, when the data subject objects to processing and there are no overriding legitimate grounds (for direct marketing there never are, see the right to object below), or when the data was unlawfully processed. Upon receiving a deletion request, you must erase the data without undue delay, respond within one month, and confirm the deletion.
For cold emailers, this means that when someone asks to be removed, you must not only stop emailing them but also delete their data from your CRM, email tool, lead lists, and any other systems, including backups within your normal rotation and any processor that holds a copy. The one thing you may keep is enough to recognise the address on a suppression list so that you do not contact them again; this minimal retention is permissible because honouring the objection is itself an obligation. Keep the suppression entry minimal (the address or a keyed hash of it, nothing else about the person), since a pseudonymised identifier is still personal data under Recital 26.
Right to Object (Article 21)
Data subjects have an absolute right to object to processing for direct marketing purposes. When someone objects to your cold email (by replying "unsubscribe," clicking an opt-out link, or otherwise communicating their wish not to be contacted), you must stop processing their data for marketing purposes immediately. There is no balancing test for this right -- it is absolute for direct marketing.
Article 21(3) states: "Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." This is clear and unconditional.
Right to Data Portability (Article 20)
Data subjects can request their data in a structured, commonly used, machine-readable format. Article 20 only applies to data the person provided to you and that you process on the basis of consent or contract, so it technically does not reach prospect data processed under legitimate interest. In practice you should still be able to export everything you hold about a data subject in a standard format (CSV, JSON), because the same export satisfies an Article 15 access request.
Data Protection Authority Requirements
Each EU member state has its own Data Protection Authority (DPA) that enforces GDPR within its jurisdiction. Key DPAs include:
- Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI), plus 16 state DPAs
- France: Commission Nationale de l'Informatique et des Libertes (CNIL)
- Ireland: Data Protection Commission (DPC) -- handles many cases involving US tech companies with EU headquarters in Ireland
- Italy: Garante per la protezione dei dati personali
- Spain: Agencia Espanola de Proteccion de Datos (AEPD)
- Netherlands: Autoriteit Persoonsgegevens (AP)
If you are a non-EU company processing data of EU data subjects under Article 3(2), Article 27 requires you to designate a representative in the EU unless your processing is occasional, does not include large-scale special category data, and is unlikely to result in a risk to data subjects. An ongoing cold email program is not occasional, so most non-EU companies running sustained campaigns at EU prospects need a representative. The representative must be named in your privacy notice and can be addressed by DPAs and data subjects in your place.
Additionally, Article 37 requires the appointment of a Data Protection Officer (DPO) for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale. For smaller sales teams, this is typically not required, but larger organizations with extensive outbound programs should evaluate whether the DPO requirement applies.
ePrivacy Directive and B2B Exemptions
GDPR does not exist in isolation for email marketing. The ePrivacy Directive (Directive 2002/58/EC, as amended in 2009 and often called the "Cookie Directive") specifically addresses electronic communications, including email. Article 13(1) requires prior consent for unsolicited direct marketing email to subscribers who are natural persons; Article 13(5) leaves it to each member state to decide how far that protection extends to legal persons. GDPR answers "may I hold and use this person's data?"; ePrivacy answers "may I send this email at all?", and you need a yes to both.
However, the ePrivacy Directive has been transposed into national law by each EU member state, and the implementations vary significantly. Most member states have introduced a B2B exemption that allows unsolicited email to corporate email addresses for direct marketing purposes, provided the sender can be identified and an opt-out mechanism is included.
The B2B exemption generally applies when:
- The recipient is a corporate subscriber (using a business email address)
- The email is sent in a B2B context (promoting business products/services)
- The email is relevant to the recipient's professional role
- The sender is clearly identified
- An opt-out mechanism is provided
The B2B exemption varies by country. Germany, for example, is relatively strict and generally requires prior consent even for B2B email under its implementation of the ePrivacy Directive (UWG Section 7). France and the Netherlands are more permissive for B2B email to corporate addresses. Before targeting prospects in a specific EU country, you should verify that country's ePrivacy implementation.
The Commission's 2017 proposal for an ePrivacy Regulation, which would have replaced the Directive and harmonised these rules across the EU, stalled in the Council for years and was withdrawn by the Commission in 2025. There is currently no replacement on the table, so the national implementations of the ePrivacy Directive remain the rules you must check, country by country.
Penalties and Enforcement
GDPR provides for two tiers of administrative fines:
- Lower tier (Article 83(4)): Up to 10 million EUR or 2% of annual global turnover, whichever is higher, for violations of controller and processor obligations, certification body obligations, and monitoring body obligations.
- Upper tier (Article 83(5)): Up to 20 million EUR or 4% of annual global turnover, whichever is higher, for violations of the basic principles for processing (including legal basis), data subject rights, and international data transfer restrictions.
Cold email violations related to legal basis (no valid legitimate interest) or data subject rights (failure to honor opt-out requests or deletion requests) fall under the upper tier, with maximum penalties of 20 million EUR or 4% of revenue.
Notable GDPR enforcement actions related to direct marketing include:
- Italian DPA vs. TIM (2020): 27.8 million EUR fine for aggressive telemarketing and email marketing without valid consent or legitimate interest
- French CNIL vs. CRITEO (2023): 40 million EUR fine for processing personal data for advertising purposes without a valid legal basis
- Spanish AEPD vs. CaixaBank (2021): 6 million EUR fine for processing customer data, including for marketing purposes, without a valid legal basis and for deficient privacy information
- Italian DPA vs. Enel Energia (2022): 26.5 million EUR fine for aggressive telemarketing practices without valid consent
While these large fines primarily target consumer-facing companies engaging in mass marketing, they establish the enforcement precedent that DPAs take direct marketing compliance seriously. Smaller B2B cold email operations are less likely to face multi-million euro fines, but they can face enforcement actions resulting in fines of thousands to hundreds of thousands of euros, injunctions requiring them to stop processing, and reputational damage.
Practical Compliance Steps
Here is a concrete, actionable checklist for running GDPR-compliant cold email campaigns:
Before Your Campaign
- Complete a Legitimate Interest Assessment. Document the three-part test (purpose, necessity, balancing) for your specific campaign. Keep the LIA on file.
- Update your Record of Processing Activities. Add your cold email processing activity to your ROPA, including the data categories, purposes, legal basis, retention period, and security measures.
- Verify DPAs with your processors. Ensure you have signed Data Processing Agreements with your cold email platform, CRM, and any lead data providers.
- Publish a privacy policy. Your website should have a privacy policy that covers your direct marketing activities, identifies the legal basis (legitimate interest), lists data subject rights, and provides contact information for exercising those rights.
- Verify data sources. Ensure the prospect data you are using was obtained lawfully. Purchased lists should come from reputable providers who have obtained the data in compliance with GDPR.
In Your Emails
- Include an opt-out mechanism. Every email must provide a clear and easy way for the recipient to opt out of future emails.
- Identify yourself. Include your name, company, and a way to contact you in every email.
- Be transparent about data source. Consider including a brief note about how you obtained the recipient's contact information (e.g., "I found your email on your company website").
- Link to your privacy policy. Include a link in your email footer to satisfy the right to be informed.
- Send only relevant, targeted emails. The more relevant your email is to the recipient's role and business, the stronger your legitimate interest basis.
After Your Campaign
- Process opt-outs promptly. An objection to direct marketing is absolute (Article 21(3)): stop sending as soon as it is received and certainly before the next scheduled message, not "within 30 days" (that figure comes from other regimes, not GDPR).
- Fulfill data subject requests. Be prepared to handle access, deletion, and rectification requests without undue delay and within one month (Article 12(3)), and verify the requester's identity before disclosing data to them.
- Enforce data retention. Delete prospect data that is no longer needed. Do not retain data indefinitely.
- Maintain suppression lists. Keep a suppression list of recipients who have opted out to ensure they are not re-contacted in future campaigns.
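The erasure and suppression-list handling described above, and the retention and opt-out steps in this checklist, are easy to get wrong at the edges: a re-imported list quietly re-adds someone who objected, or "Jane.Doe@Company.EU " is not matched against "jane.doe@company.eu". The following is an added example, not code from the page or from any product it mentions, of a minimal prospect store that keeps only a keyed hash on the suppression list, normalises addresses before every check, blocks re-import of suppressed addresses, and runs a retention sweep. The class and function names, the sample records, the HMAC key and the 6-month window are all assumptions for illustration.

```python
"""
Added example (not from the original page): a minimal prospect store that
implements three obligations discussed on the page:
  * opt-out / erasure deletes the record and keeps only a keyed hash of the
    address on a suppression list,
  * every send and every import is checked against that list after
    normalising the address,
  * a retention sweep deletes records idle for longer than the policy window.
All names, data, the key and the 180-day window are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed secret; in practice loaded from a secret store, never hard-coded.
# A keyed hash means a leaked suppression list cannot be reversed by hashing
# a dictionary of guessed addresses without the key. Pseudonymised data is
# still personal data under GDPR (Recital 26); the point is minimisation.
SUPPRESSION_KEY = b"rotate-me-and-keep-out-of-version-control"
RETENTION = timedelta(days=180)   # assumed policy: 6 months since last interaction


def normalize(email: str) -> str:
    """Canonical form so 'Jane.Doe@Example.EU ' and 'jane.doe@example.eu' match."""
    local, _, domain = email.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # Domains are case-insensitive (and may be internationalised); local parts
    # technically are not, but case-folding avoids accidental re-contact.
    return f"{local.lower()}@{domain.lower().encode('idna').decode('ascii')}"


def suppression_token(email: str) -> str:
    """HMAC-SHA256 over the normalised address; this is all the list stores."""
    return hmac.new(SUPPRESSION_KEY, normalize(email).encode(), hashlib.sha256).hexdigest()


@dataclass
class Prospect:
    email: str
    name: str
    title: str
    company: str
    last_interaction: datetime


@dataclass
class ProspectStore:
    prospects: dict[str, Prospect] = field(default_factory=dict)  # keyed by normalised email
    suppression: set[str] = field(default_factory=set)            # keyed hashes only
    audit: list[str] = field(default_factory=list)

    def add(self, p: Prospect) -> bool:
        """Refuse to (re)import anyone who previously objected."""
        key = normalize(p.email)
        if suppression_token(key) in self.suppression:
            self.audit.append("import blocked: suppressed address")
            return False
        self.prospects[key] = p
        return True

    def may_send(self, email: str) -> bool:
        """Pre-send gate: known prospect and not on the suppression list."""
        key = normalize(email)
        return key in self.prospects and suppression_token(key) not in self.suppression

    def object_or_erase(self, email: str) -> None:
        """Art. 21(3) / Art. 17: drop every stored attribute, keep only the token."""
        key = normalize(email)
        self.suppression.add(suppression_token(key))
        self.prospects.pop(key, None)
        self.audit.append("opt-out/erasure processed")

    def retention_sweep(self, now: datetime) -> list[str]:
        """Art. 5(1)(e): delete records idle beyond RETENTION; returns removed keys."""
        expired = [k for k, p in self.prospects.items() if now - p.last_interaction > RETENTION]
        for k in expired:
            del self.prospects[k]
        return expired

    def export_subject(self, email: str) -> dict | None:
        """Art. 15 access request: everything held about one person, machine-readable."""
        p = self.prospects.get(normalize(email))
        return None if p is None else {
            "email": p.email, "name": p.name, "title": p.title,
            "company": p.company, "last_interaction": p.last_interaction.isoformat(),
        }


def demo() -> ProspectStore:
    """Walk through import, objection, retention sweep and a blocked re-import."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    store = ProspectStore()
    # Constructed sample records, not real people.
    store.add(Prospect("Jane.Doe@Example.eu", "Jane Doe", "VP Marketing", "Example GmbH",
                       now - timedelta(days=10)))
    store.add(Prospect("stale@example.eu", "Stale Lead", "CTO", "Old Co",
                       now - timedelta(days=400)))
    store.object_or_erase("jane.doe@example.eu ")   # reply "unsubscribe", odd casing/whitespace
    store.retention_sweep(now)                      # removes the 400-day-old record
    store.add(Prospect("jane.doe@example.eu", "Jane Doe", "VP Marketing", "Example GmbH", now))
    return store


if __name__ == "__main__":
    s = demo()
    print("may send to Jane:", s.may_send("JANE.DOE@example.eu"))
    print("remaining prospects:", list(s.prospects))
    print("audit:", s.audit)
```

Two design points: the suppression check runs on import as well as on send, because most accidental re-contact comes from a fresh list upload rather than from the sending loop; and the token is keyed rather than a plain SHA-256 so that a copied suppression file cannot be turned back into a mailing list by hashing a dictionary of corporate address patterns.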
Sales.co automates many of these compliance steps with built-in GDPR features: automated opt-out processing, suppression list management, data retention controls, and one-click data deletion for data subject requests. The platform also generates Data Processing Agreements and helps maintain Records of Processing Activities.
Member State Variations
While GDPR is a single regulation that applies uniformly across the EU, its interaction with national ePrivacy implementations creates variations in how cold email is treated in different countries. Here is a summary of key differences:
| Country | B2B Cold Email | National ePrivacy Implementation | Notes |
|---|---|---|---|
| Germany | Restrictive | UWG Section 7 | Generally requires consent for email marketing, including B2B. Legitimate interest defense is narrow. |
| France | Permissive | Code des postes Article L34-5 | B2B email to professional addresses is allowed without consent if relevant to the recipient's role. |
| Netherlands | Permissive | Telecommunications Act | B2B exemption applies for corporate email addresses. |
| Italy | Moderate | Legislative Decree 196/2003 | Consent generally required, but legitimate interest argument is accepted for targeted B2B email. |
| Spain | Permissive | LSSI (Ley 34/2002) | B2B email is allowed when the sender is identified and opt-out is provided. |
| Ireland | Permissive | SI 336/2011 | Corporate subscribers can be emailed without consent. Individual sole traders require consent. |
| Sweden | Permissive | Marketing Act | B2B email to professional addresses is generally permitted with opt-out. |
The key takeaway is that most EU member states permit B2B cold email under some form of exemption or legitimate interest basis. Germany is the notable exception, where cold email is treated more restrictively. If you are targeting German prospects specifically, you should be particularly careful to document your legitimate interest and ensure your emails are highly targeted and relevant.
Key Takeaways
GDPR does not prohibit cold email. It requires that cold email be conducted responsibly, with a valid legal basis, appropriate safeguards, and respect for data subject rights. The legitimate interest basis under Article 6(1)(f), supported by Recital 47's explicit mention of direct marketing, provides a solid legal foundation for B2B cold email in the EU.
The practical requirements are manageable: conduct a Legitimate Interest Assessment, maintain processing records, include opt-out mechanisms, honor data subject requests, and implement appropriate data security measures. These are not just legal requirements -- they are good business practices that build trust with prospects and improve the effectiveness of your outbound campaigns.
For tools to evaluate your GDPR compliance, use our free GDPR Legitimate Interest Assessment. For a broader view of international cold email regulations, read our cold email laws by country guide and CAN-SPAM Act explained.
GDPR-Compliant Cold Email at Scale
Sales.co includes built-in GDPR compliance features: automated opt-out processing, data retention controls, DPA generation, and one-click data deletion for data subject requests.
Try Sales.co Free →