Compliance

Cold email in the EU. How I stay GDPR compliant and still book meetings

eu_outbound · 2026-03-20 · 1,940 views

I run outbound from Berlin. My prospects are across Germany, France, the Netherlands, the UK (post-Brexit, similar rules), and the Nordics. I have been doing this for two years without a single complaint to a data protection authority. Here is my practical approach. This is not legal advice. It is what works in practice.

The legal basis: legitimate interest. Under GDPR Article 6(1)(f), you can process personal data (including sending a B2B cold email) if you have a legitimate business interest and that interest is not overridden by the individual's rights. For B2B cold email, this means: you have a genuine reason to believe your product or service is relevant to the person's professional role, and you are contacting them in their business capacity at their work email.

Step 1: Research the person first. I never email someone I have not at least looked up on LinkedIn. I need to confirm they hold a role where my product is genuinely relevant. Spraying 10,000 emails to a purchased list is not legitimate interest. Contacting 200 carefully selected VPs of Sales at companies that match my ICP is.

Step 2: Document your legitimate interest assessment. I keep a simple spreadsheet for each campaign. Columns: prospect name, company, role, why this person would benefit from my product, data source. If a regulator ever asks (they have not), I can show that every contact was researched and relevant. This takes 30 seconds per prospect and protects you.

Step 3: Include opt-out in every email. Every single email ends with a clear unsubscribe option. "If you would prefer I not contact you again, just reply and let me know." Some people use formal unsubscribe links. I keep it conversational because it fits B2B email tone better. Either approach works as long as the opt-out is clear and easy.

Step 4: Honor unsubscribes within 24 hours. When someone asks to be removed, I remove them from all lists within the same business day. I maintain a master suppression list across all campaigns. Instantly and Smartlead both support global suppression lists. Use them.

Step 5: Only collect data you need. GDPR's data minimization principle means you should only hold the personal data necessary for your purpose. For cold email, that is: name, work email, company, job title. Do not scrape personal phone numbers, home addresses, or social media accounts unless you have a clear reason for each data point.

Step 6: Use data sources with DPAs. Make sure your data providers (Apollo, Cognism, Lusha) have Data Processing Agreements available. These are standard documents that establish each party's obligations under GDPR. Every major data provider offers them. Download and keep them on file.
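Steps 2, 4 and 5 describe a record-keeping discipline that is easy to enforce in code rather than by hand. The following is an added example, not the author's tooling and not tied to Instantly, Smartlead or any data provider: it keeps only the four personal-data fields from Step 5, refuses records that lack the Step 2 assessment columns, applies one global suppression list with normalized address matching for Step 4, and audits a separately exported list for removal requests older than 24 hours. Field names and every sample prospect are constructed for illustration.

```python
"""Added example: data-minimizing prospect records with a global suppression list.
Not the original post's tooling; all sample prospects and addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Step 5: the only personal-data fields a campaign record may hold.
ALLOWED_FIELDS = {"name", "work_email", "company", "job_title"}
# Step 2: the legitimate-interest assessment columns that must accompany each record.
REQUIRED_ASSESSMENT = {"why_relevant", "data_source"}


def normalize_email(addr: str) -> str:
    """Canonical form for suppression matching: trimmed and lower-cased."""
    return addr.strip().lower()


def validate_record(record: dict) -> list[str]:
    """Return a list of problems; an empty list means the record is acceptable.
    Extra personal data (for example a scraped phone number) is rejected rather
    than silently dropped, so the upstream data source gets corrected."""
    problems = []
    extra = set(record) - ALLOWED_FIELDS - REQUIRED_ASSESSMENT
    if extra:
        problems.append(f"unnecessary personal data: {sorted(extra)}")
    missing = (ALLOWED_FIELDS | REQUIRED_ASSESSMENT) - set(record)
    if missing:
        problems.append(f"missing fields: {sorted(missing)}")
    for key in REQUIRED_ASSESSMENT & set(record):
        if not str(record[key]).strip():
            problems.append(f"empty assessment field: {key}")
    return problems


@dataclass
class SuppressionList:
    """One suppression list shared by every campaign (Step 4)."""
    entries: dict[str, datetime] = field(default_factory=dict)  # address -> time of request

    def add(self, addr: str, requested_at: datetime) -> None:
        self.entries[normalize_email(addr)] = requested_at

    def is_suppressed(self, addr: str) -> bool:
        return normalize_email(addr) in self.entries


def filter_campaign(records: list[dict], suppression: SuppressionList) -> tuple[list[dict], list[str]]:
    """Split a campaign into sendable records and rejection reasons."""
    sendable, rejected = [], []
    for rec in records:
        problems = validate_record(rec)
        if problems:
            rejected.append(f"{rec.get('work_email', '?')}: " + "; ".join(problems))
            continue
        if suppression.is_suppressed(rec["work_email"]):
            rejected.append(f"{rec['work_email']}: on suppression list")
            continue
        sendable.append(rec)
    return sendable, rejected


def overdue_removals(suppression: SuppressionList, still_on_list: list[str],
                     now: datetime, window: timedelta = timedelta(hours=24)) -> list[str]:
    """Addresses that asked to be removed more than `window` ago yet still appear
    on some list (for example an export from a second tool): the 24-hour promise
    in Step 4 has been broken for these."""
    late = []
    for addr in still_on_list:
        key = normalize_email(addr)
        requested = suppression.entries.get(key)
        if requested is not None and now - requested > window:
            late.append(key)
    return late


def run_example() -> dict:
    """Constructed campaign: one clean record, one suppressed, one over-collected,
    one without a documented reason. Returns the three outputs for inspection."""
    now = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock
    suppression = SuppressionList()
    suppression.add("bob@example-corp.test", now - timedelta(hours=30))   # asked 30 h ago
    suppression.add("carol@other-co.test", now - timedelta(hours=2))      # asked 2 h ago
    prospects = [
        {"name": "Anna Example", "work_email": "anna@example-corp.test", "company": "Example Corp",
         "job_title": "VP Sales", "why_relevant": "Runs a 40-person outbound team in our ICP",
         "data_source": "provider A (DPA on file)"},
        {"name": "Bob Example", "work_email": "Bob@Example-Corp.test ", "company": "Example Corp",
         "job_title": "Head of Sales", "why_relevant": "Owns tooling budget", "data_source": "provider A"},
        {"name": "Dana Example", "work_email": "dana@other-co.test", "company": "Other Co",
         "job_title": "CRO", "why_relevant": "Scaling SDR team", "data_source": "provider B",
         "phone": "+00 000 0000"},  # personal data outside the allowed set
        {"name": "Eve Example", "work_email": "eve@other-co.test", "company": "Other Co",
         "job_title": "Sales Director", "why_relevant": "", "data_source": "provider B"},
    ]
    sendable, rejected = filter_campaign(prospects, suppression)
    other_tool_export = ["Bob@Example-Corp.test", "carol@other-co.test", "anna@example-corp.test"]
    overdue = overdue_removals(suppression, other_tool_export, now)
    return {"sendable": sendable, "rejected": rejected, "overdue": overdue}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Rejecting over-collected records instead of trimming them keeps the data-minimization problem visible at import time, and keying the suppression list on a normalized address means a reply from a differently capitalized mailbox still matches. The overdue audit is what turns "within 24 hours" from a promise into something you can check against every list export.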

My results: I send about 300 cold emails per day across EU markets. Reply rate averages 4.1%. That is actually higher than most US-focused senders report. My theory: EU inboxes get less cold email volume than US inboxes, so each email has less competition for attention. The compliance steps add maybe 15 minutes per day to my workflow. Worth it for both legal protection and peace of mind.

GDPR does not ban cold email. It bans lazy, untargeted, privacy-violating cold email. Do the research, document your reasoning, respect opt-outs, and you will be fine.
