GDPR allows B2B cold email under Article 6(1)(f) "legitimate interest" — but only if you pass the 3-part legitimate interest test, respect the ePrivacy Directive's rules on electronic marketing, and follow the country-specific variations across EU member states. The playbook below is the compliance framework we use to run cold email for clients across Germany, France, the Netherlands, UK, Italy, and Spain since 2022. Includes the 3-part legitimate interest test in operator language, country-by-country enforcement strictness, the 12-point compliance checklist, the CAN-SPAM vs GDPR comparison, and what happens when you actually get a complaint.

The 6 lawful bases for processing personal data under GDPR

Article 6(1) of the GDPR lists six lawful bases for processing personal data. For B2B cold email, only one applies in practice: 6(1)(f) legitimate interest.

The other five do not fit cold outbound:

• 6(1)(a) Consent — would require explicit opt-in before the first email, which defeats the purpose of cold outreach

• 6(1)(b) Contract — requires an existing relationship

• 6(1)(c) Legal obligation — does not apply to marketing

• 6(1)(d) Vital interests — life-or-death situations only

• 6(1)(e) Public task — public authorities only

So the entire GDPR cold email compliance framework lives inside the legitimate interest base. Getting this right is the difference between compliant outbound and a regulator enforcement action.

The 3-part legitimate interest test

Before sending the first cold email under legitimate interest, every B2B sender must pass three tests, documented in writing. This is the Legitimate Interest Assessment (LIA) that the Information Commissioner's Office (UK) and European Data Protection Board recommend documenting.

Test 1: Purpose test — is there a legitimate interest?

You must identify a clear, lawful business interest. For B2B cold email, this is typically: "marketing our [product/service] to relevant business contacts to generate sales pipeline." This is recognised as a legitimate interest in GDPR Recital 47, which explicitly mentions "direct marketing" as a possible legitimate interest.

Document: what is the specific business purpose, why it matters, what the alternative would cost.

Test 2: Necessity test — is the processing necessary?

Cold email must be a proportionate way to achieve the purpose. You must show there is no less invasive alternative. For most B2B sales motions targeting specific decision-makers at qualified accounts, direct outreach is necessary because the alternatives (paid ads, content marketing) reach the wrong audience at materially worse cost-per-meeting.

Document: why cold email vs alternative channels, what data you actually need, why you cannot achieve the purpose without processing personal data.

Test 3: Balancing test — do individual rights override?

This is the test most B2B teams skip. You must weigh the recipient's interests, rights, and freedoms against your legitimate business interest. The recipient wins if:

• The data was collected with an expectation it would not be used for marketing

• The recipient is a vulnerable individual (employees of small businesses sometimes count)

• The processing causes significant intrusion or harm

• Reasonable expectations of the recipient do not include receiving your email

The balancing test typically passes for B2B sales emails sent to professional business email addresses (info@, sales@, or job-titled emails at companies that buy products in your category) and fails for personal email addresses (gmail.com, outlook.com), C-suite executives at non-B2B target companies, and sensitive sectors (healthcare, legal, financial services with regulated client confidentiality).

Document: who you target, what data you use, how you mitigate intrusion (frequency caps, easy opt-out, short sequences), and why the recipient's rights do not override.

The complete written LIA is what a regulator asks for first when investigating a complaint. Skipping the documentation is the most expensive compliance shortcut a B2B team can take.

Country-by-country GDPR enforcement strictness

GDPR is the same regulation across the EU and EEA, but enforcement and national-level interpretations vary materially. The ePrivacy Directive (Directive 2002/58/EC) gives each member state room to implement its own rules on electronic marketing, which is where the country-by-country differences live.

The strictness ranking for B2B cold email in 2026, based on national data protection authority guidance and enforcement actions:

• Germany (BDSG + UWG): strictest. The German Federal Data Protection Act plus the Act Against Unfair Competition (UWG) typically require prior opt-in for marketing emails, including some B2B contexts. Bundesbeauftragte für den Datenschutz (BfDI) enforces aggressively. Many German B2B operators get explicit opt-in via webform or trade show before sending cold email.

• Italy (Garante): very strict. The Italian Data Protection Authority has fined cold email senders €1M+ in enforcement cases.

• Spain (AEPD): strict. Cold email under legitimate interest is possible but documented LIA is mandatory in practice.

• Belgium (APD): moderately strict. Legitimate interest accepted with documentation.

• France (CNIL): moderate. CNIL's official guidance explicitly allows B2B cold email under legitimate interest to professional email addresses with proper safeguards (clear opt-out, accurate sender identification, relevant audience).

• Netherlands (AP): moderate to permissive. B2B cold email widely accepted under legitimate interest.

• Ireland (DPC): moderate. B2B cold email allowed under legitimate interest, enforcement focused on consent breaches in B2C.

• United Kingdom (PECR + UK GDPR): permissive for B2B. The ICO explicitly states that B2B emails to "corporate subscribers" (limited companies, LLPs, government bodies) do not require consent under PECR, only under UK GDPR — which legitimate interest covers.

• Sweden, Denmark, Finland: moderate. Generally permissive for B2B under legitimate interest.

The operator implication: if your ICP includes German targets, plan for opt-in collection (webform, trade show, content download) before cold email. For Western and Northern Europe, legitimate interest with documented LIA + proper safeguards is the standard playbook.

The 12-point compliance checklist

The 12 controls that turn a legitimate-interest claim into actual compliance. Miss any one and the legitimate interest base becomes harder to defend in front of a regulator.

1. Documented Legitimate Interest Assessment (LIA) — written, signed, stored. Update annually.

2. Privacy policy with explicit cold email disclosure — published on your website, linked in every cold email signature. The policy must say you may contact business contacts based on legitimate interest and explain how to opt out.

3. Clear unsubscribe link in every email — one-click, machine-readable, processed within 5 business days (UK ICO best practice) or "without undue delay" (GDPR).

4. Business identification in every email — your company name, registered address, contact details. Required under both ePrivacy and CAN-SPAM.

5. Accurate sender identification — the "From" name and email must reflect a real person at a real company, not deceptive aliases.

6. Honest subject lines — no false or misleading subject lines (also a CAN-SPAM requirement; same outcome under GDPR's fairness principle).

7. Suppression list across all campaigns — once a recipient opts out, they never receive another email from any campaign or sender domain associated with your business.

8. Targeting limited to professional contacts at qualified businesses — no personal email addresses (gmail.com, outlook.com), no consumer-facing targets, no individuals in protected categories without lawful basis.

9. Reasonable frequency caps — limit per-recipient frequency. We use a maximum of 5 messages per 30-day window across all sequences combined.

10. Data retention limits — delete unengaged contacts after 24 months of zero engagement. Document the retention policy.

11. Data Subject Access Request (DSAR) process — within 30 days of a request, provide the requester with all personal data you hold on them, the lawful basis, and a path to deletion.

12. Data Processing Agreement (DPA) with vendors — every tool that touches contact data (Apollo, Smartlead, Lemlist, Clay, your CRM) must sign a DPA acting as data processor. Reputable B2B SaaS vendors provide standard DPAs on request.

CAN-SPAM vs GDPR: side-by-side

US senders mailing into the EU must follow GDPR, not CAN-SPAM. EU senders mailing into the US must follow CAN-SPAM for those US recipients. Many B2B teams operating cross-border get this wrong and apply only the home jurisdiction's rules.

The headline differences:

• Default state: CAN-SPAM permits cold email until the recipient opts out. GDPR requires a lawful basis (legitimate interest, with documented LIA) before the first email.

• Penalty scale: CAN-SPAM maximum is $46,517 per violation per email (FTC 2024 adjustment). GDPR maximum is €20M or 4% of global annual revenue, whichever is higher (GDPR Article 83).

• Opt-out window: CAN-SPAM requires honoring opt-outs within 10 business days. GDPR requires "without undue delay."

• Identification: both require accurate sender identification + business address. CAN-SPAM is more prescriptive about format.

• Data subject rights: GDPR adds DSAR, right to be forgotten, right to data portability. CAN-SPAM has none.

For cross-border B2B motions, the practical playbook is to design for GDPR compliance (the stricter standard) and you automatically meet CAN-SPAM.

What happens if you get a complaint

Regulators rarely initiate cold email investigations without a recipient complaint. The complaint pipeline:

Step 1: A recipient files a complaint with their national data protection authority (CNIL in France, ICO in UK, AEPD in Spain, etc.). The authority typically forwards a notice to your business via email or letter.

Step 2: You have 30 days (sometimes shorter) to respond. The regulator asks for: your LIA documentation, your privacy policy, proof of opt-out processing, your suppression list, and the lawful basis you relied on.

Step 3: If you can produce the documentation cleanly, most complaints close at the warning stage. The regulator confirms you comply and the case ends.

Step 4: If you cannot produce the documentation, or your processing was clearly outside legitimate interest scope (consumer targets, no documented LIA, repeated sends after opt-out), enforcement escalates: investigation, formal warning, then fines.

The 2024–2026 enforcement pattern across EU regulators: most B2B cold email cases close at step 3 with a warning if the sender has basic compliance hygiene. Cases that escalate to fines almost always involve missing LIA documentation, ignored opt-outs, or targeting outside legitimate interest scope.

The single most important investment is the documented LIA. It transforms enforcement from existential to administrative.

Common mistakes B2B teams make

The patterns we see across teams that get into trouble:

1. No documented LIA — relying on legitimate interest in conversation but never writing it down. The single most common compliance failure.

2. No privacy policy disclosure — privacy policy never mentions cold email or legitimate interest. Regulators read these first.

3. Slow opt-out processing — opt-outs take 2 to 4 weeks to propagate to all sequences. Should be 24 to 48 hours.

4. Suppression list gaps — opt-out from one domain still receives email from another sender domain you operate.

5. Consumer email targets — sending to gmail.com, outlook.com, yahoo.com addresses (which signal personal accounts) instead of business domains.

6. Sending to German targets without opt-in — assuming standard EU legitimate interest covers Germany, which is materially stricter.

7. No vendor DPAs — using contact data through Apollo, Clay, Smartlead without signed DPAs in place.

8. Excessive frequency — sending 10+ emails in 30 days to the same recipient. Easily challenged under the balancing test.

Tools that handle compliance

The cold email infrastructure tools we deploy have built-in features that handle key parts of GDPR compliance:

• Smartlead — bundled unsubscribe handling, suppression list across all campaigns per workspace, sender domain rotation that helps audit trails. Standard DPA provided on request. Best for agency-scale workspaces.

• Lemlist — built-in unsubscribe links, GDPR-mode toggle, EU-headquartered (France) which simplifies DPA negotiations. Lemwarm warmup network is EU-aware.

• Apollo — bundled data + sequencer with built-in suppression. EU data is weaker than purpose-built EU sources (Cognism). Standard DPA available.

• Cognism — purpose-built for GDPR-compliant European prospecting. 200M+ contacts with country-specific compliance flags, automated do-not-call/email suppression across EEA jurisdictions, mobile verification, and a strong data protection record. The default EU data source we pair with Smartlead for European outbound.

The recommended stack for GDPR-compliant European B2B outbound: Cognism for data + Smartlead for sending + documented LIA + privacy policy update + signed DPAs. Total monthly cost lands around $1,500 to $3,000 per seat depending on volume, materially cheaper than ZoomInfo at equivalent EU coverage.

For the full Apollo + alternatives landscape including Cognism specifically, see our Best Apollo alternatives listicle. For the cold email tools comparison, see Best cold email tools. For hiring B2B sales talent in Colombia at lower cost while serving EU clients, see Hire SDRs in Colombia.

FAQ

Is cold email legal under GDPR?

Yes, B2B cold email is legal under GDPR when the sender relies on the legitimate interest lawful basis under Article 6(1)(f), passes the 3-part legitimate interest test, and follows the compliance controls (documented LIA, clear opt-out, privacy policy disclosure, accurate identification, suppression list, DPA with vendors). Personal email targets (gmail.com, outlook.com) and certain national contexts (notably Germany) typically require explicit consent instead.

What is the legitimate interest test?

The legitimate interest test is the 3-part assessment B2B senders must document before relying on Article 6(1)(f) for cold email. It includes the purpose test (is there a legitimate business interest?), the necessity test (is the processing necessary?), and the balancing test (do the recipient's rights override?). The UK ICO and EDPB recommend documenting the LIA in writing.

Do I need opt-in consent for B2B cold email in the EU?

Mostly no, but it depends on the country. Most EU member states (UK, France, Netherlands, Ireland, Spain, Sweden) accept legitimate interest as the lawful basis for B2B cold email to professional business contacts. Germany is the major exception — German law typically requires prior opt-in for marketing emails including some B2B contexts. Italy is also stricter. For German targets specifically, plan to collect explicit opt-in (webform, trade show, content download) before cold email.

What is the difference between GDPR and CAN-SPAM?

GDPR (EU) requires a lawful basis before sending (legitimate interest with documented LIA for B2B cold email). CAN-SPAM (US) permits cold email by default and requires opt-out compliance. GDPR maximum penalty is €20M or 4% of global revenue (Article 83); CAN-SPAM maximum is $46,517 per violation per email (FTC). For cross-border B2B motions, design for GDPR compliance (stricter) and you automatically meet CAN-SPAM.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement is a contract between a data controller (your business) and a data processor (a vendor that handles personal data on your behalf) required under GDPR Article 28. Every cold email infrastructure tool, CRM, enrichment vendor, or data platform that touches your contact data must sign a DPA. Reputable B2B SaaS providers (Smartlead, Lemlist, Apollo, HubSpot, etc.) provide standard DPAs on request.

How fast must I honor an unsubscribe request under GDPR?

GDPR requires opt-outs to be honored "without undue delay." The UK ICO recommends processing within 5 business days. Best practice across our client deployments is 24 to 48 hours, with automated suppression that propagates to all sequences and sender domains within minutes.

What is a Data Subject Access Request (DSAR)?

A Data Subject Access Request is the right of any data subject under GDPR Article 15 to obtain confirmation that you process their personal data, a copy of that data, and information about your lawful basis, retention periods, and recipients. You have 30 days to respond (extendable by 60 days for complex requests). Set up a process and named point of contact before you receive your first DSAR.

Can I send cold email to personal Gmail addresses?

In practice, no. Personal email addresses signal individual consumer use, not professional business activity. The balancing test in the legitimate interest assessment almost always fails for personal email targets — the recipient's expectation is that their personal address is not used for unsolicited business marketing. Stick to business domains and job-title-based or department-based emails (info@, sales@, named role addresses) at qualified business contacts.

How do I document the Legitimate Interest Assessment?

The LIA is a written document, typically 1 to 3 pages, signed and dated by a senior decision-maker. It covers: the specific business purpose, the data you process, why processing is necessary, who the recipients are, the safeguards you have in place (opt-out, frequency caps, accurate identification), and your conclusion that legitimate interest applies. Templates are published by the UK ICO and most national data protection authorities. Update annually.

What happens if I send a cold email to someone in Germany without consent?

Risk depends on the recipient's reaction. If they ignore or opt out, the practical risk is low. If they file a complaint with the German Federal Data Protection Commissioner (BfDI) or a state authority, you may receive a warning, a request for documentation, or in escalation a fine. Germany has historically been the most active EU enforcer of B2B email rules. The safe playbook for German targets is explicit opt-in collected before cold email.

Can I buy a list of European B2B contacts and email them under GDPR?

Sometimes, with caveats. Purchased lists are inherently riskier under GDPR because you cannot document that you collected the data with appropriate transparency. The legitimate interest base can still apply if (1) the source is reputable (Cognism, ZoomInfo with EU coverage), (2) the source provides a clean GDPR audit trail and DPA, and (3) you honor opt-outs the source has already recorded. Scraped lists and grey-market data sources are typically not defensible.

Is there a "soft opt-in" exception in the UK?

Yes, under the Privacy and Electronic Communications Regulations (PECR). UK B2B emails to "corporate subscribers" (limited companies, LLPs, government bodies) do not require consent under PECR — only under UK GDPR, which legitimate interest covers. Soft opt-in for B2C is more restrictive: it requires an existing customer relationship and clear opt-out.

How long can I keep contact data under GDPR?

GDPR requires data minimization (Article 5(1)(c)) and storage limitation (Article 5(1)(e)). You may only keep data for as long as you need it for the stated lawful purpose. For cold email under legitimate interest, the practical retention is 24 months of zero engagement before suppression. Document your retention policy and apply it consistently.

Bottom line

GDPR cold email is legal for B2B sales under legitimate interest, with documented LIA, country-aware targeting, and the 12-point compliance controls. The single most expensive shortcut B2B teams take is skipping the written Legitimate Interest Assessment — that document transforms enforcement from existential to administrative.

For most EU B2B motions, the compliant stack is straightforward: purpose-built EU data source (Cognism) + cold email infrastructure with bundled suppression and DPA (Smartlead or Lemlist) + documented LIA + privacy policy update + signed vendor DPAs. Pair with country-aware targeting that excludes Germany from legitimate-interest motions and routes German prospects through explicit opt-in collection.

For US-based B2B teams running cross-border outbound into the EU, design for GDPR (stricter) and you automatically meet CAN-SPAM. The €20M maximum fine is the largest single compliance risk on a cross-border B2B email program — the LIA documentation cost is trivial by comparison.

If you want help designing a GDPR-compliant European outbound motion (data source selection, LIA template, vendor DPAs, suppression infrastructure), book a working session with GROU. We run this stack for clients across EU jurisdictions.

→ Try Smartlead free (14-day trial, no card required). → Try Lemlist free (14-day trial, no card required).

About this guide

We are GROU, a B2B pipeline agency that runs lead generation, outbound, and LinkedIn content for clients across manufacturing, fintech, iGaming, software, and professional services. The compliance framework in this guide comes from our deployment data running GDPR-compliant cold email for European B2B clients across Germany, France, Netherlands, UK, Italy, and Spain between 2022 and 2026. This article is operator guidance, not legal advice — engage your data protection counsel before locking compliance decisions.

Some links in this article are affiliate. We may earn a small commission at no extra cost to you. We only recommend tools we've deployed for clients.