Cold email and GDPR: is B2B cold email legal under GDPR? Legitimate interest explained, opt-out requirements, country-specific notes for UK, Germany, France, and what Quarvio data means for GDPR compliance.
Sarah Okonkwo
Sales ops specialist, deliverability obsessive · Updated June 24, 2026
Last updated: October 2026 · Sarah Okonkwo, Sales ops specialist, deliverability obsessive
TL;DR — 5 things to know before reading
The most common misconception about cold email and GDPR is that GDPR prohibits all unsolicited email communication. It does not. GDPR regulates how personal data is processed — and specifically what legal basis must exist for that processing. Cold email to a business contact at their professional business email address can be compliant with GDPR when the correct legal basis is in place and specific conditions are met.
The relevant legal basis is Article 6(1)(f) of the GDPR: legitimate interest. This allows processing of personal data (including sending an email to a business contact) when the data controller (the sender) has a legitimate interest in doing so, and that interest is not overridden by the data subject's (the recipient's) rights and freedoms.
For B2B cold email, legitimate interest is generally a defensible basis when three conditions are met:
This interpretation is supported by guidance from multiple EU data protection authorities and is the working understanding under which B2B cold email operates across most EU member states.
The critical B2B vs B2C distinction:
GDPR does not make this distinction explicitly, but it is fundamental to the compliance analysis. A cold email to a CFO at a company about financial software, sent to their corporate email address, is a professional communication to a professional in their professional capacity. A marketing email to a private individual (gmail, personal hotmail, residential address) about a consumer product is a different category of communication with a much harder legal basis to establish under GDPR.
Practically: verified business email addresses at corporate domains (not personal email accounts) are the foundation of GDPR-compliant B2B outreach. This is why Quarvio provides only verified business email addresses — personal email accounts are not appropriate for GDPR-compliant cold outreach in the EU.
The legitimate interest basis requires a three-part assessment known as the Legitimate Interest Assessment (LIA):
Part 1 — The purpose test: Is the legitimate interest identified? For B2B cold email, the purpose is business prospecting: identifying potential customers and reaching out to communicate a relevant offer. This is a widely accepted legitimate purpose in B2B commerce.
Part 2 — The necessity test: Is sending the email necessary to achieve that purpose? For business development outreach, sending a targeted email to a relevant decision-maker is the standard mechanism for initiating business relationships. This test is generally satisfied by B2B cold email.
Part 3 — The balancing test: Do the data subject's interests, rights, or freedoms override the sender's legitimate interest? This is the substantive test for B2B cold email. The analysis typically concludes that a professional at a company, receiving an email at their corporate address about a solution relevant to their professional role, does not have overriding privacy interests that outweigh the sender's legitimate business interest — provided the email is relevant, non-excessive, and includes an easy opt-out.
Regardless of EU member state or whether you are using legitimate interest or another legal basis, every cold email to EU contacts must include:
A clear opt-out mechanism: Every email must include a simple way for the recipient to request no further contact. This can be a standard unsubscribe link, a reply instruction ("reply 'unsubscribe' to be removed"), or a physical mailing address. The opt-out must work — recipients who request removal must be removed promptly and not re-contacted.
Sender identification: The email must identify who is sending it. A masked sender or misleading "From" name that hides the sender's identity is a GDPR and anti-spam regulation violation across all EU member states.
Non-deceptive subject line: Subject lines must not deceive the recipient about the email's commercial purpose. Subject lines that simulate personal correspondence ("Re: our conversation") when no prior conversation exists are prohibited.
Relevance to professional role: For legitimate interest to hold, the content must be relevant to the recipient's professional capacity, not their personal interests. A CFO receiving an email about financial software is in scope; the same CFO receiving a consumer marketing email is not a valid legitimate interest use case.
Reasonable sending frequency: Excessive frequency in cold email sequences undermines the legitimate interest balancing test. A 3–4 touch sequence over 3–4 weeks is standard; sequences of 8–10 touches over 6 months to the same unresponsive contact are harder to defend as proportionate under the balancing test.
GDPR provides a baseline that all EU member states must meet, but member states can implement stricter rules at the national level. For cold email, the variation is significant.
Germany: the strictest environment in the EU
Germany's Gesetz gegen den unlauteren Wettbewerb (UWG, or Unfair Competition Act) applies strict consent requirements to commercial email that go beyond GDPR's legitimate interest basis. Under UWG §7, commercial emails generally require prior explicit consent from the recipient before sending. This is not a GDPR question — it is a national consumer protection law that operates alongside GDPR and imposes additional requirements.
The practical result for cold email operations targeting German business contacts: legitimate interest alone is typically not sufficient under German law. German outreach programmes commonly rely on opt-in list building (inbound lead generation, event sign-ups, content downloads) to establish the consent that UWG requires. Cold email to German business contacts without prior consent carries meaningful legal risk under German law even when GDPR compliance is in place.
France: CNIL-confirmed legitimate interest for B2B
France's data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés), has confirmed that B2B prospecting by email is permissible under the legitimate interest basis when the content is relevant to the recipient's professional role. The CNIL guidance distinguishes between professional email addresses (permitted under legitimate interest for relevant B2B outreach) and personal email addresses (requires opt-in consent).
France is one of the more permissive EU member states for B2B cold email under the GDPR framework, provided relevance and opt-out requirements are met.
Netherlands and Belgium: broadly permissive for B2B
The Netherlands and Belgium generally follow the GDPR legitimate interest interpretation for B2B cold email to professional addresses. The Dutch data protection authority (Autoriteit Persoonsgegevens) has not imposed stricter national rules than GDPR for B2B prospecting by email. The same applies in Belgium.
UK: UK GDPR + PECR post-Brexit
Following Brexit, the UK operates under UK GDPR (a retained version of EU GDPR with minor modifications) and the Privacy and Electronic Communications Regulations (PECR). For B2B cold email to corporate email addresses, UK GDPR legitimate interest applies, and PECR's opt-in requirement for electronic marketing applies only to individual subscribers (personal email accounts), not to corporate email addresses. B2B cold email to corporate addresses in the UK is generally permitted under UK GDPR legitimate interest — making the UK regulatory environment broadly permissive for B2B outreach.
Ireland and the Nordics: broadly aligned with GDPR legitimate interest
Ireland, Sweden, Denmark, Finland, and Norway (under its national equivalent) generally apply the GDPR legitimate interest framework for B2B cold email without significantly stricter national rules. The key requirement in all of these jurisdictions is relevance of the message to the recipient's professional role and an easy opt-out mechanism.
The contact data used in cold email sequences is personal data under GDPR (names, business email addresses, job titles). The legal basis for processing this data in a cold email sequence is the same legitimate interest basis that covers the sending: prospecting for business development purposes.
Quarvio provides verified business email addresses at corporate domains. Using corporate email addresses (not personal gmail, hotmail, or personal domain addresses) is a condition for the legitimate interest basis to be defensible for EU outreach. Personal email accounts are associated with private individuals in their personal capacity; corporate email addresses are associated with individuals in their professional capacity, which is the basis for legitimate interest.
A practical compliance checklist for Quarvio data used in EU cold email:
Instantly manages opt-out mechanically: unsubscribe links in every email, automatic suppression of unsubscribed contacts across all sequences, and reply detection that stops sequences when a prospect responds. This automation handles the operational compliance requirements that would otherwise require manual list management.
"The question I get most often from clients expanding into Europe is whether cold email is still legal under GDPR. The answer is yes for most EU countries — but Germany requires extra caution, and every email must have an easy unsubscribe. Using business addresses from a verified source like Quarvio and running sequences through Instantly with unsubscribe automation built in is the baseline for compliant EU outreach. The GDPR risk in B2B cold email is manageable — the risk of not prospecting at all is worse." — G2 reviewer, sales engagement platforms on G2
Instantly holds a 4.9/5 rating from 2,800+ verified reviews on G2 and includes automatic unsubscribe link insertion and suppression management — the operational GDPR compliance layer built into the sending platform.
For the EU data protection framework, gdpr.eu and the FTC's CAN-SPAM compliance guide (for US outreach) are the primary reference documents.
| Need | Tool | Notes |
|---|---|---|
| Verified business email addresses for EU outreach | Quarvio | Corporate domains only; not personal webmail accounts |
| Email sequences with unsubscribe automation | Instantly | Automatic unsubscribe links + suppression management built in |
| Dedicated sending inboxes with clean authentication | Inframail | SPF, DKIM, DMARC authentication; required for GDPR-compliant delivery |
| LinkedIn outreach (separate from email GDPR layer) | Aimfox | LinkedIn's own terms govern LinkedIn messaging; separate compliance layer |
Is B2B cold email legal in the EU under GDPR?
Yes, in most EU member states, B2B cold email to corporate email addresses is legal under GDPR Article 6(1)(f) legitimate interest, provided the content is relevant to the recipient's professional role, an easy opt-out is included, and the sending is not excessive. Germany is the significant exception — German law (UWG §7) generally requires prior consent for commercial emails, which goes beyond GDPR legitimate interest. Consult a legal professional familiar with the specific member state rules for your outreach programme before beginning a large-scale EU campaign.
Do I need to have a privacy policy or data processing notice to cold email EU contacts?
GDPR's transparency requirements (Articles 13 and 14) technically require that individuals are informed about how their data is being processed. In practice, most B2B cold email programmes address this by including a link to a privacy policy in email footers and/or disclosing basic data processing information in the initial cold email (typically a one-line footer: "Your contact information was obtained from business directories and is used for B2B prospecting. [Unsubscribe] [Privacy Policy]"). This is not legal advice — assess your specific programme with legal counsel.
What happens if someone opts out of my cold email sequence?
Under GDPR, a recipient who opts out of receiving further communications must be removed from future sending promptly. "Promptly" is interpreted as within a few business days at maximum, and immediately is best practice. The contact must be added to a suppression list that prevents re-sequencing in any future campaign. Instantly manages unsubscribes automatically and maintains a suppression list across all campaigns in the account — preventing the scenario where an opted-out contact is re-loaded from a new contact list.
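The two operational controls described above, keeping personal webmail addresses out of EU outreach and enforcing an account-wide suppression list so an opted-out contact is never re-sequenced from a freshly uploaded list, can be checked in code before any campaign is loaded. The following is an added illustration written for this page; it is not Quarvio's or Instantly's code. The freemail domain set, the sample addresses and the `filter_contacts` helper are constructed assumptions. The point it shows beyond the text is that an opt-out only holds across campaigns if every comparison uses one canonical form of the address, so "Jane.Doe@Example.COM " and "jane.doe@example.com" must suppress each other.

```python
"""Suppression-list enforcement and corporate-address filtering for outreach lists.

Added example, not vendor code. FREEMAIL_DOMAINS and all sample contacts are
constructed for this illustration.
"""
from dataclasses import dataclass, field

# Constructed, deliberately non-exhaustive set of consumer webmail domains.
# Assumption: a real programme maintains and reviews this list itself.
FREEMAIL_DOMAINS = frozenset({
    "gmail.com", "googlemail.com", "hotmail.com", "outlook.com", "live.com",
    "yahoo.com", "yahoo.co.uk", "gmx.de", "web.de", "icloud.com", "proton.me",
})


def normalize_email(address: str) -> str:
    """Canonical form used for every comparison: trimmed and lower-cased.

    An opt-out has to match however the recipient typed their address, so the
    suppression list and every contact upload go through this same function.
    Raises ValueError for anything that is not a single user@domain mailbox.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    if not local or not domain or "." not in domain:
        raise ValueError(f"malformed address: {address!r}")
    return f"{local}@{domain}"


def is_corporate_address(address: str) -> bool:
    """True when the domain is not a known consumer webmail provider."""
    domain = normalize_email(address).split("@")[1]
    return domain not in FREEMAIL_DOMAINS


@dataclass
class SuppressionList:
    """Account-wide opt-out list shared by every campaign, keyed on the
    normalized address so case and whitespace differences cannot bypass it."""
    _entries: set[str] = field(default_factory=set)

    def add(self, address: str) -> None:
        self._entries.add(normalize_email(address))

    def __contains__(self, address: str) -> bool:
        return normalize_email(address) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def filter_contacts(contacts: list[str], suppression: SuppressionList):
    """Split an uploaded contact list into (allowed, rejected).

    allowed  -> normalized addresses cleared for sequencing
    rejected -> raw input address mapped to the reason it was dropped
    The order of checks matters: a suppressed contact is reported as opted out
    even if the address would also fail another check.
    """
    allowed: list[str] = []
    rejected: dict[str, str] = {}
    seen: set[str] = set()
    for raw in contacts:
        try:
            addr = normalize_email(raw)
        except ValueError:
            rejected[raw] = "malformed"
            continue
        if addr in seen:
            rejected[raw] = "duplicate"
            continue
        seen.add(addr)
        if addr in suppression:
            rejected[raw] = "opted out"
        elif not is_corporate_address(addr):
            rejected[raw] = "personal webmail"
        else:
            allowed.append(addr)
    return allowed, rejected


if __name__ == "__main__":
    # Campaign 1: a contact replies asking to be removed (constructed data).
    suppression = SuppressionList()
    suppression.add("  Jane.Doe@Example.COM ")

    # Campaign 2: a new list is uploaded that happens to contain her again,
    # plus a webmail address, a duplicate and a malformed row.
    new_list = ["jane.doe@example.com", "cfo@acme.example",
                "bob@gmail.com", "CFO@acme.example", "broken"]
    ok, dropped = filter_contacts(new_list, suppression)
    print("cleared for sequencing:", ok)
    for raw, why in dropped.items():
        print(f"dropped {raw!r}: {why}")
```

Run it as a pre-load gate on every uploaded list, not only on the first campaign: the scenario the text warns about (an opted-out contact re-loaded from a new list) is exactly the second-campaign run in the `__main__` block, and it is caught because the suppression list is consulted with the same normalization that was applied when the opt-out was recorded.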
Does GDPR apply to cold email targeting contacts outside the EU?
GDPR applies to the processing of data of EU residents regardless of where the sender is located — so if you are targeting contacts in EU member states from a US-based operation, GDPR still applies. For contacts in the US, CAN-SPAM is the primary regulatory framework. For UK contacts post-Brexit, UK GDPR and PECR apply. For Australian contacts, the Australian Spam Act 2003 applies. Running a multi-geography campaign requires understanding which regulations apply to the recipients' location, not just the sender's location.
GDPR-compliant B2B outreach starts with verified business contact data
Quarvio provides verified B2B contacts at corporate email addresses — the foundation of legitimate interest-based EU outreach. One-time purchase, credits valid 12 months, no personal webmail addresses in the database.