Skip to content
← Back to Blog
Legal

Is Cold Email Legal in the EU? A Practical GDPR Guide for B2B

8 min · Apr 2, 2026

Yes, B2B cold email is legal under GDPR, but with conditions. The GDPR does not ban unsolicited B2B email. It requires a lawful basis for processing personal data, typically legitimate interest under Article 6(1)(f).

The key distinction: business vs personal email addresses.

  • info@company.cz: no personal data, GDPR does not apply
  • firstname.lastname@company.cz: contains personal data, you need a lawful basis

The ePrivacy Directive adds another layer. Most EU states require prior consent for marketing to individuals, but many (including Czechia) carve out B2B exceptions. Czech Act No. 480/2004 Sb. permits unsolicited B2B outreach when conditions are met.

Every cold email must include a one-click unsubscribe link. Non-negotiable under GDPR Article 21 and ePrivacy rules.

Czech and Slovak enforcement is real. The Czech UOOU and Slovak URPD have both issued fines for missing opt-outs and improper sender identification.

At Leadsplug, compliance is built in from day one: separate sending domains, proper SPF/DKIM/DMARC, and automated suppression. See our email infrastructure guide for the technical details.

How to Conduct a Legitimate Interest Assessment

Bottom line: yes, this is legal if you write down a fair business reason for emailing each person before you send. A Legitimate Interest Assessment (LIA) is a short written note proving you had that fair business reason.

Relying on legitimate interest requires a documented three-part balancing test before you send a single email.

Step 1: Identify the Interest

State a specific business purpose. “Growing revenue” is too vague.

Good example: “We provide cloud ERP for mid-market manufacturers. We have a legitimate interest in contacting operations directors at manufacturing firms with 50-500 employees in DACH because our solution addresses documented pain points in their segment.”

Step 2: Demonstrate Necessity

Show that cold email is necessary to achieve this interest. In most B2B contexts, decision-makers expect relevant commercial proposals via email and there is no equally effective alternative at scale.

Step 3: Balance Against Individual Rights

This is where most assessments fail. Consider whether the recipient would reasonably expect contact.

Factors in your favour:

  • Email sent to a business address
  • Content relevant to their professional role
  • Data sourced from public directories or professional networks
  • Clear opt-out provided

Factors against you:

  • Personal email addresses
  • Sensitive industries (healthcare, legal)
  • High frequency
  • Scraped data with no relevance filtering

Document everything in writing. Date it. Store it with campaign records. If a DPA requests it, you need to produce it within days.

Practical LIA Template

A well-structured LIA includes five sections:

  1. Controller identity (your company)
  2. Specific legitimate interest
  3. Necessity analysis (why email is the channel)
  4. Balancing test (your interest vs recipient rights)
  5. Safeguards (opt-out, data minimisation, frequency limits)

Create one master LIA per campaign type and update it per target market.

Country-by-Country ePrivacy Differences

GDPR is one regulation, but ePrivacy is implemented differently in each member state.

DACH (Germany, Austria, Switzerland)

Germany is the strictest major market. The UWG generally requires prior consent even for B2B. Courts recognise exceptions where there is a clear business connection, but the threshold is high:

  • Targeting must be precise
  • Messaging clearly relevant
  • Opt-out immediate
  • Limit follow-ups to two touchpoints

Austria follows a similar model. Switzerland (not EU) aligns closely with GDPR under the nDSG.

Nordics (Sweden, Denmark, Finland, Norway)

Privacy-conscious but pragmatic. B2B email is permitted where there is a reasonable business connection. Key considerations:

  • Higher expectations around data minimisation
  • Send volumes should be modest
  • List quality matters more here than anywhere else in Europe

Benelux

CountryStance
NetherlandsRelatively permissive: Telecommunicatiewet exempts B2B from consent requirement
BelgiumStricter: DPA defaults to requiring consent with limited exceptions
LuxembourgAligns with Belgium

Treat the Netherlands as your primary Benelux target. Approach Belgium and Luxembourg with tighter targeting and lower volume.

Central Europe (CZ, SK, PL, HU)

  • Czechia: permits B2B cold email under Act No. 480/2004 Sb.
  • Slovakia: comparable approach
  • Poland: allows B2B email but UOKiK has fined mass untargeted campaigns
  • Hungary: requires prior consent with limited B2B exceptions. Obtain consent or limit to published business contacts with documented LIA.

Southern Europe (FR, IT, ES, PT)

  • France: moderately permissive for B2B emails to professional addresses
  • Italy: stricter, with notable enforcement actions even in B2B
  • Spain: permits B2B cold email under LSSI with sender ID and opt-out

Universal advice: prioritise targeting precision, document your LIA, always include a visible unsubscribe.

Data Processing Agreements (DPAs)

Bottom line: if anyone outside your company touches your prospect data, you need a signed contract with them first. A Data Processing Agreement (DPA) is the contract that makes any partner handling your data follow the rules.

If you use any third party for outreach (agency, sending platform, data enrichment), GDPR Article 28 requires a DPA. Not optional.

A DPA must specify:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data involved
  • Processor obligations

Key provisions:

  • Processor acts only on your documented instructions
  • Appropriate security measures implemented
  • Assists with data subject access requests
  • Deletes or returns data at end of service
  • Allows and contributes to audits

When your partner uses sub-processors (sending platforms, verification tools, CRM integrations), your DPA should list approved sub-processors with a notification mechanism for changes.

Data Sourcing Compliance

Where you get prospect data matters as much as how you use it.

Legitimate sources:

  • Public registries: Czech OR, German Handelsregister
  • Professional networks: LinkedIn profiles with published business info
  • Industry directories: conference lists (with follow-up consent), trade publications

Higher-risk sources:

  • Purchased lists: you inherit responsibility for lawful collection. Demand documentation from your provider.
  • Web scraping: high-risk under GDPR. Multiple DPAs have taken enforcement action. If you scrape, document LIA, limit to public business info, provide opt-out.

For combining compliant data with LinkedIn touchpoints, see our LinkedIn outreach playbook.

Common Mistakes That Lead to Fines

  1. No opt-out link: most common violation. Every email needs a one-click unsubscribe.
  2. Ignoring suppression lists: unified suppression across all sending identities is essential.
  3. Sending from your primary domain: spam complaints damage your business email deliverability. Use secondary sending domains.
  4. No LIA documentation: it takes little time to write, and skipping it leaves you exposed the moment a regulator asks to see it.
  5. Targeting personal email addresses: difficult to justify under legitimate interest. Stick to business domains.
  6. Excessive frequency: two to three touchpoints over three to four weeks is the standard.
  7. Slow unsubscribe processing: GDPR requires “without undue delay.” In practice: immediately.
  8. Lack of sender transparency: every email must clearly identify who is sending and why.

Penalties and Enforcement

Fines are real, though smaller than the headline tech-giant cases.

JurisdictionEnforcement pattern
Czech UOOUFines for missing opt-outs and improper sender identification
Germany (civil)Competitors can sue via UWG (cease-and-desist with penalty clauses)
Italy GaranteAmong the largest fines in Europe (precedent-setting)

Beyond fines, the practical damage is worse: blacklisting, domain reputation destruction, and months of lost sending capacity. Details in our email infrastructure guide.

Compliance is a competitive advantage. Companies that do outbound properly (targeted, documented, respectful) consistently outperform those cutting corners with higher reply rates and measurable ROI.

Compliance Checklist

  1. Document your legitimate interest assessment
  2. Verify you are contacting business email addresses at ICP-fit companies
  3. Include clear sender identification in every message
  4. Include a one-click unsubscribe link
  5. Maintain and check suppression lists before every send
  6. Use separate sending domains with proper DNS authentication
  7. Keep records of LIA and data sources
  8. Have a DPA with every third-party processor
  9. Review country-specific ePrivacy rules per target market
  10. Limit follow-ups to two or three over three to four weeks
  11. Audit data sources and retain lawful collection documentation
  12. Train your sales team on GDPR basics

Start Outbound the Right Way

The rules are clear, expectations documented, and enforcement patterns predictable. Build compliance into your process from the start, not as an afterthought.

At Leadsplug, every campaign runs on compliant infrastructure with documented LIAs, proper DPAs, and automated suppression. See how our approach works or Book a Free Call to talk through your target markets.