B2B cold email is legal under GDPR — provided it rests on the correct legal basis. The lawful basis is legitimate interest under Article 6(1)(f), which permits processing personal data when a controller has a genuine, proportionate business interest not overridden by the rights of the data subject. For B2B outreach sent to professional addresses in a relevant business context, this threshold is routinely met. The obligation is not to avoid cold email — it is to document why your interest is legitimate, give recipients a clear way to opt out, and honour those requests without delay.
Most B2B founders approaching outbound in Europe start from the wrong premise. They assume GDPR means cold email is banned. It does not. What GDPR bans is unaccountable cold email — campaigns with no legal basis, no transparency, and no opt-out mechanism.
The distinction matters because it changes everything downstream. If you believe cold email is illegal, you don't build infrastructure for it. You stall. Your competitors — the ones who understand the regulation — are booking meetings while you wait for legal clarity that already exists in the text.
We run outbound infrastructure for B2B companies across the EU and North America. The GDPR question comes up in every onboarding call. The answer is always the same: yes, it is legal, here is the legal basis, here is the documentation you need to maintain, and here is where it gets complicated.
What Article 6(1)(f) Actually Says
The GDPR identifies six lawful bases for processing personal data. Consent is one. Legitimate interest is another — and it is the one that applies to B2B cold email.
Processing shall be lawful only if... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
— GDPR Article 6(1)(f)
In plain terms: you can process someone's business email address and contact them if you have a legitimate business reason, if contacting them is necessary to pursue that reason, and if their interests and fundamental rights do not override your interest. For B2B outreach — where a company contacts a business professional about a product or service genuinely relevant to their role — this test is routinely satisfied.
The Three-Part Legitimate Interest Assessment
Legitimate interest is not a blanket permission. To rely on it compliantly, you must document that your processing passes three tests. This is known as a Legitimate Interest Assessment (LIA) — the document a regulator would ask for first if you received a complaint.
Your interest must be real, specific, and not prohibited by law. The more specific you are, the stronger the basis. Contacting the Head of Sales at a SaaS company to offer a B2B outbound service they are likely to need — that is a legitimate interest. Sending the same message to every company in a sector regardless of fit — that is not.
You cannot use legitimate interest if you could achieve the same result without processing the personal data. For cold email, this test is straightforward: you cannot contact someone by email without their email address. Processing their contact data is necessary.
You must weigh your interest against the data subject's reasonable expectations and the potential impact on them. Factors that tip the balance in your favour: the email is sent to a professional address; the content is relevant to their professional role, not personal life; you provide a clear opt-out; you honour opt-outs and do not re-contact. Factors that tip the balance against you: the recipient has no reasonable expectation of contact from your type of company; the data came from sources with no professional context; you are emailing personal addresses.
"B2B cold email sent to a professional address about a professionally relevant offer satisfies the balancing test — when a clear opt-out mechanism is present and honoured."
What You Must Do to Stay Compliant
Relying on legitimate interest is not a passive decision. It requires active documentation and correct execution before the first email goes out.
This does not need to be a 20-page legal document. It needs to record: the specific purpose of the processing; why that purpose qualifies as a legitimate interest; why processing is necessary; the balancing assessment with your reasoning; and the date it was completed. Keep it on file — if you receive a Subject Access Request or a complaint, this is your primary defence.
Under Articles 13 and 14 of the GDPR, data subjects must be informed that their data is being processed, of the legal basis for that processing, and of their right to object. In cold email, a single footer line handles this:
Your contact details were sourced from [Apollo / LinkedIn] for the purpose of [relevant business context]. If you'd prefer not to receive further messages, reply with "unsubscribe" and we'll remove you immediately.
It does not need to be lengthy. It needs to be present.
Article 21 of the GDPR gives data subjects the right to object to processing based on legitimate interest. When someone unsubscribes: stop contacting them, remove them from active sequences immediately, and record the objection so they are not re-imported in a future list build. In Smartlead, global unsubscribe lists handle this automatically — but you must verify the suppression list is applied to every new campaign. This is the most common compliance failure point.
You need to show where contact data came from. "Apollo export filtered by [ICP criteria] on [date]" is sufficient. If your data provider later proves non-compliant, you need to identify affected records and remove them.
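The opt-out and provenance requirements above come down to one pre-send check: every new list is filtered against the current objection log before it is loaded, and each row keeps a record of where it came from. The following is an added illustration of that check, not Smartlead's own suppression feature or code from this page; the field names, sample addresses, dates and the "provider-x" source strings are constructed for the example.

```python
# Added example: applying an Article 21 opt-out (suppression) list to a
# new campaign export before anything is sent. Illustrative code only, not
# Smartlead's implementation. Field names, sample addresses and dates are
# constructed for the example.
from dataclasses import dataclass


def normalize_email(addr: str) -> str:
    """Canonical form used for matching on both sides of the check.

    Strips surrounding whitespace and lower-cases the address. RFC 5321
    allows a case-sensitive local part, but suppression matching should
    err towards matching too much rather than re-contacting an objector.
    """
    return addr.strip().lower()


@dataclass(frozen=True)
class Objection:
    """One recorded objection: who, when, and where the request came from."""
    email: str
    received: str  # ISO date the opt-out was received
    source: str    # how it arrived, e.g. the reply text


# Constructed sample opt-out log. Note the untrimmed, mixed-case entry:
# real logs contain exactly this kind of noise.
OPT_OUT_LOG = [
    Objection("jane.doe@example.com", "2024-03-02", "reply: unsubscribe"),
    Objection(" Sam.Lee@Example.org ", "2024-03-10", "reply: please remove me"),
]

# Constructed sample export for a new campaign. Each row keeps its
# provenance (provider, filter, export date) so affected records can be
# traced and removed later if the source turns out to be non-compliant.
NEW_CAMPAIGN_EXPORT = [
    {"email": "Jane.Doe@example.com", "role": "Head of Sales",
     "source": "provider-x export filtered by ICP-A on 2024-04-01"},
    {"email": "alex.kim@example.net", "role": "VP Marketing",
     "source": "provider-x export filtered by ICP-A on 2024-04-01"},
    {"email": "sam.lee@example.org", "role": "CRO",
     "source": "provider-x export filtered by ICP-A on 2024-04-01"},
    {"email": "priya.n@example.co.uk", "role": "Sales Director",
     "source": "provider-x export filtered by ICP-A on 2024-04-01"},
]


def build_suppression_set(log: list[Objection]) -> set[str]:
    """Normalised addresses of everyone who has objected."""
    return {normalize_email(o.email) for o in log}


def record_objection(log: list[Objection], email: str, received: str,
                     source: str) -> list[Objection]:
    """Return a new log with one more objection appended.

    Recording the objection (rather than only deleting the contact) is what
    stops the address from being re-imported silently by the next list build.
    """
    return [*log, Objection(normalize_email(email), received, source)]


def apply_suppression(export: list[dict], suppression: set[str]
                      ) -> tuple[list[dict], list[dict]]:
    """Split an export into (sendable, suppressed) rows."""
    sendable, suppressed = [], []
    for row in export:
        if normalize_email(row["email"]) in suppression:
            suppressed.append(row)
        else:
            sendable.append(row)
    return sendable, suppressed


def campaign_is_clean(sendable: list[dict], suppression: set[str]) -> bool:
    """Pre-send gate: True only if no sendable row matches the suppression set.

    Run this against the final list actually loaded into the sending tool,
    not against the export you assume was already filtered.
    """
    return not any(normalize_email(r["email"]) in suppression for r in sendable)


if __name__ == "__main__":
    suppression = build_suppression_set(OPT_OUT_LOG)
    sendable, suppressed = apply_suppression(NEW_CAMPAIGN_EXPORT, suppression)
    print(f"sendable: {len(sendable)}, suppressed: {len(suppressed)}")
    for row in suppressed:
        print("  suppressed", row["email"], "from", row["source"])
    print("clean:", campaign_is_clean(sendable, suppression))
```

The two suppressed rows in the sample only match because both sides are normalised first; a raw string comparison would let "Jane.Doe@example.com" through against a log entry of "jane.doe@example.com", which is precisely the re-contact failure the text describes. Keeping the source string on every row is what makes the later "identify affected records and remove them" step possible without rebuilding the list from scratch.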
Where It Gets Complicated: Germany and ePrivacy
The GDPR is an EU-wide regulation. But it sits alongside national ePrivacy laws that can be stricter — and in Germany, they are.
Germany's Gesetz gegen den unlauteren Wettbewerb (UWG), specifically §7, governs unsolicited commercial communications. The German interpretation has historically been more conservative than the GDPR's legitimate interest framework, particularly around what counts as a prior business relationship.
The practical position for B2B cold email into Germany: emailing a named decision-maker who has publicly listed their professional contact for business engagement carries lower risk. Bulk cold email to generic company addresses (info@, contact@) without any prior engagement carries higher risk under UWG.
Germany is not a no-go zone. It is a more careful zone. The same infrastructure approach works — the ICP definition and relevance threshold just need to be tighter. For the Netherlands, France, and the Nordics: GDPR legitimate interest is generally applied without additional national restrictions for B2B professional communications.
Common Mistakes That Create Compliance Risk
These are the failure modes we see most often when companies run EU cold email without specialist infrastructure.
Frequently Asked Questions
Yes. B2B cold email is lawful under GDPR when it relies on the legitimate interest basis (Article 6(1)(f)). The sender must document a Legitimate Interest Assessment, include a transparency notice in the email, and provide a clear opt-out mechanism. Cold email is not banned by GDPR — unaccountable, undocumented cold email is what the regulation addresses.
Legitimate interest (Article 6(1)(f) GDPR) is one of six lawful bases for processing personal data. It applies when a controller has a genuine, specific business interest in processing someone's data, processing is necessary to pursue that interest, and the controller's interest is not overridden by the data subject's rights. For B2B cold email, this typically means contacting a professional at a business address about a commercially relevant offer.
GDPR applies to any processing of personal data about individuals — including professional email addresses. B2B cold email is not exempt, but it is lawful under the correct legal basis. B2B contacts generally have a lower expectation of privacy regarding their professional contact details, which strengthens the balancing test under legitimate interest.
Yes, with more careful execution. Germany's UWG (§7) applies additional requirements for commercial electronic communications. The targeting criteria must be tighter — contacting a named decision-maker with clear professional relevance is safer than bulk-emailing generic company addresses. The infrastructure approach is the same; the ICP precision threshold is higher.
You need: (1) a completed Legitimate Interest Assessment; (2) records of the data source for each contact list, including provider and export date; (3) an up-to-date suppression list of anyone who has opted out; and (4) your transparency notice template. These are what a Data Protection Authority would request in the event of a complaint.
Complaints are typically filed with the national Data Protection Authority in the complainant's country. The regulator will ask for your legal basis, your LIA, and evidence that you handled opt-outs correctly. If your documentation is in order and opt-outs were honoured, the likelihood of a significant fine is low. Most cold email complaints result in a warning or a request to improve processes — not a penalty — when the legal basis is legitimate interest and documentation exists.
Position & Scale builds and operates GDPR-compliant cold outbound infrastructure for B2B companies across the EU and North America.