Best practices for cold email in the EU with GDPR — what actually works
gdpr_realist · 2026-03-19 · 512 views
I see a lot of fear and misinformation about GDPR and cold email. Some people say cold email is illegal in the EU. Others say B2B is completely exempt. Both are wrong. After 18 months of sending cold B2B email to EU prospects — and consulting with two GDPR-specialized lawyers — here is what actually works and what will get you in trouble.
The legal basis: Legitimate Interest (Article 6(1)(f))
Cold B2B email in the EU is legal under the legitimate interest basis. This means you can email someone without their explicit consent IF: (1) you have a legitimate business reason, (2) the processing is necessary to achieve that purpose, and (3) the individual's rights do not override your interest. For B2B sales outreach to relevant decision-makers, this generally holds — but you need to document your reasoning.
What you MUST do:
- Only email business addresses — never personal email addresses (Gmail, Yahoo, etc.)
- Include your company name, physical address, and a clear way to opt out in every email
- Honor opt-out requests within 72 hours (I do it within 24)
- Keep records of where you got each contact's data (Apollo export, LinkedIn, company website, etc.)
- Have a privacy policy on your website that explains how you process personal data for outreach
- Be able to delete someone's data on request — this is the "right to erasure"
What will get you fined:
- Emailing personal addresses for B2B outreach
- No opt-out mechanism in your emails
- Ignoring unsubscribe requests
- Buying scraped data from shady providers with no data provenance
- Sending to France, Germany, or Austria without extra caution — these countries have stricter interpretations and more active enforcement
Country-specific gotchas: Germany requires a particularly strong legitimate interest justification and the Bundesdatenschutzgesetz adds extra requirements on top of GDPR. France's CNIL has been aggressive about enforcement. The UK (post-Brexit) follows similar rules under UK GDPR but enforcement is lighter. Nordics are generally more relaxed for B2B.
My practical approach: I segment EU prospects separately and send lower volume (10 emails per inbox per day instead of 18). I use a dedicated opt-out link instead of relying on "reply STOP". I keep a suppression list synced across all platforms. And I only use data from Apollo or LinkedIn where I can trace the source. 18 months in, zero complaints filed, zero legal issues, and a 3.2% reply rate on EU campaigns.
Comments (7)
eurosdr · 2026-03-19
this is the best GDPR cold email breakdown I've seen. the legitimate interest piece is what confuses most people. we've been sending to EU prospects for 2 years under legitimate interest with zero issues. the key is targeting — if you're emailing a VP of Engineering about a dev tools product, the legitimate interest argument is strong. if you're emailing random people about something irrelevant to their role, good luck defending that
compliancekate · DataGuard · 2026-03-19
Solid overview. One thing I'd add — the legitimate interest assessment (LIA) should be documented BEFORE you start sending, not after someone complains. Write down: what is the legitimate interest, why is emailing necessary to achieve it, and what safeguards are in place to protect the individual's rights. Keep it on file. If a DPA ever comes knocking, this is the first thing they'll ask for.
berlinbdr · 2026-03-19
Germany is a minefield for cold email. the UWG (Unfair Competition Act) has requirements on top of GDPR that basically mean you need a much stronger justification for B2B cold email here. we've had competitors report our emails to the Wettbewerbszentrale and it turned into a legal headache even though we were technically GDPR compliant. my advice: tread very carefully with German prospects
gdpr_realist · 2026-03-19
@berlinbdr thanks for flagging that. the UWG angle is something most non-German senders don't even know exists. I actually excluded Germany from my campaigns for the first 6 months and only added it back after getting specific legal advice for that market. worth the legal consultation fee if Germany is a significant part of your TAM
nordicnick · 2026-03-19
can confirm the Nordics are more relaxed. been sending cold B2B email to Swedish and Danish companies for over a year, never had a single complaint. we include an unsubscribe link, keep volumes reasonable, and only target relevant decision-makers. the culture here is generally more accepting of professional outreach as long as it's relevant and respectful. reply rate is 4.1% which is actually higher than our US campaigns
scrappyscott · 2026-03-19
the suppression list sync across platforms is the part most people mess up. if someone opts out on campaign A running through Instantly, that opt-out needs to propagate to campaign B running through Smartlead. we built a central suppression list in Google Sheets that syncs to both platforms via Zapier. took 30 minutes to set up and it's the only reason we haven't had a GDPR complaint
legallaura · 2026-03-19
one practical tip that nobody mentions — add a one-liner to your email explaining WHY you're reaching out to them specifically. something like "reaching out because I saw your company recently expanded to the DACH region." this isn't just good copy — it actually strengthens your legitimate interest argument because it shows the outreach is targeted and relevant, not a mass blast. it's marketing and legal compliance in one sentence