GDPR and Cold Outreach: What Every EU B2B Company Must Know Before Sending a Single Email
Most cold outreach agencies will tell you GDPR is complicated. It's not — if you understand three things: what's legal, what's not, and why being EU-native changes everything.
GDPR became enforceable in May 2018. In the years since, it has generated more anxiety in B2B sales teams than almost any regulation in recent memory — and also more bad advice.
Some agencies tell clients to avoid the EU altogether. Others claim GDPR doesn't apply to B2B. Both are wrong. The reality is more useful: GDPR-compliant B2B cold outreach is entirely legal — it just requires doing it correctly from the start, not patching compliance onto an existing campaign.
This guide explains exactly what you need to know to run outbound campaigns in Europe without legal risk. No legal jargon. No hedging. Just the rules and how to work within them.
Does GDPR Apply to B2B Cold Email?
Yes — and this is the most common misconception in the market. GDPR applies any time you process personal data of individuals located in the EU, regardless of whether the context is B2B or B2C.
A CEO's work email address is personal data. A Head of Sales' LinkedIn profile is personal data. A company name alone is not — but the moment you attach a contact name or job title, GDPR applies.
Anonymous company data is not regulated by GDPR. The moment you attach a name, email, or job title to it — you're processing personal data. Every B2B outbound campaign involves personal data. Full stop.
This also applies to US-based companies targeting EU prospects. If you are a company in San Francisco sending cold emails to decision-makers in Germany, GDPR governs that processing. Jurisdiction is determined by where the data subject is located, not where you are.
The Two Legal Bases That Matter for Cold Outreach
Under GDPR Article 6, you need a valid legal basis before processing someone's personal data. For cold outbound, two bases are relevant:
Explicit Consent
The prospect actively opted in before you contact them. Strong legal protection. Practically impossible for true cold outreach — you need contact to obtain consent.
Legitimate Interest
Your business interest in direct marketing is balanced against the recipient's privacy rights. Used by 63% of EU B2B marketers as the basis for cold outreach. Requires documentation — but works.
GDPR Recital 47 explicitly states that processing for direct marketing purposes may be regarded as carried out for a legitimate interest. This is not a loophole — it is the regulation acknowledging that outbound sales is a normal business activity.
The critical requirement: you must be able to demonstrate that your interest is genuine, your targeting is proportionate, and the recipient's rights are respected.
The Legitimate Interest Assessment (LIA)
Before running any cold outreach campaign, you need to complete a Legitimate Interest Assessment. This is a three-step documented analysis — not a form, not a checkbox. If a regulator ever questions your outreach, this document is your defence.
Purpose Test
Define your specific business interest. Example: "Business development through targeted outreach to B2B SaaS and Fintech companies in the EU who may benefit from outbound appointment setting services."
Necessity Test
Demonstrate that email and LinkedIn outreach are necessary and proportionate — that you process only minimum required data (name, job title, work email) and have a clear data retention policy (typically 12–24 months inactivity).
Balancing Test
Weigh your interest against the recipient's reasonable expectations. A CFO at a Fintech company receiving an email about B2B outbound services is a contextually appropriate contact. A private individual is not. Document why the balance tips in your favour.
The LIA is not a one-time task. It should be completed per campaign, per ICP, and reviewed regularly. An LIA for targeting Fintech Founders in the Netherlands is a different assessment than targeting HR Directors in Poland.
The 7 Operational Rules for GDPR-Compliant Outreach
Once your legal basis is documented, compliance comes down to consistent operational discipline across every campaign.
- Use only professionally sourced data. Contacts sourced from LinkedIn, Apollo, Clay, or other verified B2B databases — not scraped lists, not purchased bulk files with no provenance. Document your data source for every campaign.
- Contact only relevant decision-makers. Your message must be reasonably relevant to the recipient's professional role. Emailing a CFO about financial software is appropriate. Emailing a developer about HR tooling is not.
- Always disclose how you obtained the data. In your outreach, make it clear where you found their contact — "I came across your profile on LinkedIn" or "I found your company through [source]." Transparency is a GDPR requirement, not just good practice.
- Include a clear, one-click opt-out in every message. Unsubscribe requests must be honoured immediately — within 24–48 hours maximum. These contacts go to a permanent suppression list, not just a paused sequence.
- Minimise data collection. Collect only what you need: name, job title, company, work email. No personal phone numbers, no home addresses, no data beyond what the campaign requires.
- Maintain a Data Processing Agreement (DPA). If you use any third-party tools (Clay, Apollo, Instantly, Expandi) that process EU personal data on your behalf, you need a GDPR Article 28-compliant DPA with each vendor.
- Delete inactive data within 24 months. Prospects who haven't engaged and haven't explicitly opted in should be purged from your database. Regulators expect defined retention windows — document yours.
Country-by-Country: ePrivacy Directive Variations
Here is what most agencies miss: GDPR operates alongside the ePrivacy Directive, which each EU member state has transposed into national law differently. This creates meaningful variation in what is permissible country by country.
| Country | B2B Cold Email Rules | Strictness |
|---|---|---|
| Germany | Among the strictest in the EU. Section 7 of the UWG generally requires prior consent even for B2B email to corporate addresses. Exceptions are narrow. Approach with documented LIA and high relevance. | Strict |
| France | More permissive for B2B. Cold email to professional addresses for relevant business purposes is generally accepted under legitimate interest with proper opt-out mechanisms. | Moderate |
| Netherlands | Permissive for B2B to corporate addresses. Clear opt-out and professional relevance required. One of the more outbound-friendly EU markets. | Permissive |
| Poland | Moderate. Legitimate interest applies to B2B outreach but Polish regulators (UODO) are increasingly active. Documented LIA and clear sender identification essential. | Moderate |
| Lithuania | Aligned with general EU framework. B2B cold email under legitimate interest is acceptable with standard compliance requirements. The local data protection authority (VDAI) is present but enforcement is proportionate. | Moderate |
| Nordics (SE, DK, FI) | Generally permissive for B2B to corporate email addresses. High data literacy in market — transparency and relevance matter even beyond legal requirements. | Permissive |
The key implication: a single campaign template sent across all EU countries is not enough. Country-level assessment of ePrivacy rules is part of compliant EU outreach — and it's one of the primary reasons EU-native agencies have a structural advantage over US-based ones operating in Europe from a distance.
4 Myths That Cost B2B Companies Deals
"GDPR bans cold email in Europe."
GDPR does not ban cold email. It regulates how personal data is processed. B2B cold email under legitimate interest is explicitly supported by GDPR Recital 47.
"If I'm B2B, GDPR doesn't apply to me."
GDPR applies any time you process identifiable personal data — including business contact information. B2B does not create an exemption.
"I'm a US company so EU rules don't affect me."
GDPR is triggered by the location of the data subject, not the sender. If you contact an EU prospect, GDPR applies regardless of where you are incorporated.
"Buying a verified contact list means I'm compliant."
The vendor's compliance does not transfer to you. You are a separate data controller and carry independent obligations — including your own LIA and data processing documentation.
What This Means for Non-EU Companies Entering Europe
For US, Israeli, and Asian technology companies seeking to enter the European market, GDPR compliance is not a technicality — it is a trust signal. European buyers, particularly in Fintech, Banking, and regulated B2B SaaS, will ask about data processing before they sign anything.
The companies that struggle most are those that treat EU compliance as an afterthought: running US-style outreach into German and French markets, using third-party data with no DPA documentation, and ignoring opt-out requests because the team is "too busy." The result is poor deliverability, damaged sender reputation, and occasionally an inquiry from a national data protection authority.
The companies that break into EU markets efficiently are the ones that treat GDPR compliance as a competitive asset — because in a market where 45% of agencies offer no compliance documentation at all, being the agency that can hand a CFO a clean, documented data processing framework is a material advantage at the contracting stage.
RevyGo is incorporated in Lithuania and operates as a genuine EU-native agency. GDPR compliance is not a checkbox for us — it is native to how we build every campaign. Every client engagement includes a GDPR Article 28-compliant DPA. Every outreach campaign is documented with a Legitimate Interest Assessment. Every tool in our stack (Clay, Apollo, Instantly, Expandi) holds its own GDPR compliance certifications and is covered under a signed DPA.
Your GDPR Compliance Checklist Before Launching Outreach
Before sending the first message in any EU outbound campaign, run through this list:
- Legitimate Interest Assessment (LIA) documented per campaign and ICP
- Data sourcing provenance documented (where contacts came from, how recently verified)
- Data Processing Agreements signed with all third-party tools processing EU personal data
- Opt-out mechanism included in every email and LinkedIn message, with suppression list in place
- Opt-out requests honoured within 24–48 hours with permanent suppression
- Country-level ePrivacy rules checked for each target market (especially Germany)
- Data minimisation confirmed — no fields collected beyond what the campaign requires
- Retention policy defined — inactive prospect data deleted at 12–24 month threshold
- Privacy notice updated to reflect outbound processing activities
- Team trained on data subject rights (right to access, right to erasure, right to object)
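The operational rules and the checklist above describe the same set of controls: a permanent suppression list that wins over everything else, data minimisation to a fixed set of fields, documented provenance for every contact, and a retention window of at most 24 months of inactivity. The following is an added example that turns those controls into a pre-send gate over a prospect list. It is not RevyGo's code and not the API of any tool named on the page; the field names, the list of documented sources, the e-mail addresses and the dates are all constructed for the example.

```python
from datetime import date

# Data minimisation: the fields the guide allows a campaign to hold
# (name, job title, company, work email), plus two bookkeeping fields
# needed to enforce provenance and retention. Names are assumptions.
ALLOWED_FIELDS = {"name", "job_title", "company", "work_email", "source", "last_activity"}

# Retention: the guide's upper bound of 24 months of inactivity.
RETENTION_MONTHS = 24

# Sources for which provenance has been documented (constructed list).
DOCUMENTED_SOURCES = {"linkedin", "apollo", "clay"}


def normalise_email(email):
    """Canonical form so suppression matching is case-insensitive."""
    return email.strip().lower()


def months_between(earlier, later):
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def record_opt_out(suppression, email):
    """Add an opt-out to the permanent suppression set and return the set."""
    suppression.add(normalise_email(email))
    return suppression


def check_prospect(record, suppression, today):
    """Return (allowed, reason) for one prospect record.

    Suppression is checked first: an opt-out must override every other
    consideration, including a record that is otherwise perfectly clean.
    """
    email = normalise_email(record.get("work_email", ""))
    if not email:
        return False, "no work email"
    if email in suppression:
        return False, "opted out (suppressed)"
    extra = set(record) - ALLOWED_FIELDS
    if extra:
        return False, "excess fields: " + ", ".join(sorted(extra))
    if record.get("source") not in DOCUMENTED_SOURCES:
        return False, "undocumented data source"
    last = record.get("last_activity")
    if last is None:
        return False, "no activity date"
    if months_between(last, today) >= RETENTION_MONTHS:
        return False, "past retention window"
    return True, "ok"


def gate_campaign(records, suppression, today):
    """Split a prospect list into sendable contacts and rejections with reasons."""
    send, reject = [], []
    for record in records:
        allowed, reason = check_prospect(record, suppression, today)
        entry = (normalise_email(record.get("work_email", "")), reason)
        (send if allowed else reject).append(entry)
    return send, reject


# Constructed sample input: one clean record and one failure per control.
TODAY = date(2024, 6, 1)
SAMPLE_PROSPECTS = [
    {"name": "A. Example", "job_title": "CFO", "company": "ExampleFin",
     "work_email": "cfo@example-fin.test", "source": "linkedin",
     "last_activity": date(2024, 3, 10)},
    {"name": "B. Example", "job_title": "Head of Sales", "company": "ExampleCo",
     "work_email": "Sales@Example.test", "source": "apollo",
     "last_activity": date(2024, 5, 1)},                      # opted out
    {"name": "C. Example", "job_title": "Founder", "company": "OldCo",
     "work_email": "founder@oldco.test", "source": "clay",
     "last_activity": date(2022, 1, 15)},                     # 28 months inactive
    {"name": "D. Example", "job_title": "CTO", "company": "X",
     "work_email": "cto@x.test", "source": "linkedin",
     "last_activity": date(2024, 4, 1), "mobile_phone": "+00 000"},  # excess field
    {"name": "E. Example", "job_title": "COO", "company": "Y",
     "work_email": "coo@y.test", "source": "bought_list",
     "last_activity": date(2024, 4, 1)},                      # no provenance
]
SUPPRESSION = record_opt_out(set(), "sales@example.test")


def run_sample():
    """Gate the constructed list; returns (send, reject)."""
    return gate_campaign(SAMPLE_PROSPECTS, SUPPRESSION, TODAY)


if __name__ == "__main__":
    send, reject = run_sample()
    print("send:", send)
    print("reject:", reject)
```

Two design choices are worth noting. The suppression set is matched on a normalised address, so a mixed-case opt-out still blocks the contact, and it is consulted before any other check, so a rejected record never silently re-enters a sequence because it happened to pass everything else. Retention is measured in whole calendar months of inactivity against a fixed reference date, which makes the purge decision reproducible when it is reviewed later.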
How the LIA decision works — at a glance
Every campaign must pass all three tests before the first message goes out. Fail any one — stop, fix it, then re-run.
GDPR is not the barrier to EU outbound that many agencies describe. It is a framework — and for companies that build campaigns correctly from the start, it is a manageable one. The businesses that treat compliance as foundational rather than reactive are the ones that win client trust faster, avoid deliverability damage, and scale in European markets without regulatory interruption.
If you are running outbound into Europe — or planning to — the question is not whether to be compliant. It is whether your agency has built compliance into the system from day one, or is hoping nobody notices.
Run EU Outbound the Right Way
Every RevyGo campaign is built GDPR-compliant from the first message. EU-native, documented, and built by 15 years of B2B sales experience across the markets you're targeting.