
Can you legally send cold email in EU? GDPR + legitimate interest explained

The honest answer is "sometimes, narrowly, and almost never in Germany". The EU rulebook is two laws stacked on top of each other, and the country layer underneath changes the answer for every recipient.

Cold email to EU recipients lives in a corner of compliance most outreach teams either over-fear or under-respect. Either you assume Europe is a no-go and miss real opportunities, or you assume GDPR only matters when you get a complaint and run into German UWG actions on your first launch. The right answer is more nuanced and depends on a documented balancing test, the recipient's country, and the relevance of the message to the recipient's professional role.

TL;DR

B2B cold email can be lawful in most EU member states under the legitimate-interest basis (GDPR Art. 6(1)(f)) plus the ePrivacy B2B exception. Germany requires opt-in for B2B too. France accepts narrow B2B targeting. B2C cold email requires consent everywhere. Document a balancing test before sending.

Two laws, not one

The frequent mistake is to argue compliance under GDPR alone. GDPR gives you the lawful basis for processing; the ePrivacy Directive (and its national implementations) governs the act of marketing communication itself. Both must be satisfied.

For email to individuals, ePrivacy (Article 13 of the Directive) requires prior consent: there is no "legitimate interest" carve-out at the ePrivacy layer for B2C. For email to businesses (legal persons), most member states do not extend the consent requirement, leaving room for legitimate-interest cold outreach. Note that the ePrivacy test turns on whether the subscriber behind the mailbox is a natural or a legal person, not on whether the address names a person: j.smith@company.com on a corporate domain is a legal person's subscription for ePrivacy purposes, while GDPR still treats the address as personal data. This is the only narrow lane in which cold email survives in the EU.

Legitimate interest in plain English

GDPR Article 6(1)(f) permits processing where it is necessary for the purposes of legitimate interests pursued by the controller, except where overridden by the interests or fundamental rights of the data subject. Recital 47 explicitly notes that direct marketing may be regarded as carried out for a legitimate interest.

Three tests must pass:

  1. Purpose test: is there a real, lawful interest? Selling B2B services to relevant decision-makers — yes.
  2. Necessity test: is processing necessary for that interest? Could you achieve it less intrusively? Highly targeted email scales sales contact in a way phone or post don't — generally yes.
  3. Balancing test: do the data subject's rights override your interest? Depends on relevance, volume, and how the data was obtained.

The balancing test is the decisive one and the one regulators ask about. Done well it is a one-page memo per campaign or per program, signed and dated.

A balancing-test memo that holds up

The shape of a defensible memo:

  • Identification of the interest: "Promote our SaaS product to compliance officers in mid-market financial services in Spain, France and Italy."
  • Recipient targeting: only addresses of named individuals in roles directly relevant to the offer; only addresses obtained from sources with no "no unsolicited email" notice.
  • Volume and frequency: first cold message, plus at most one follow-up at 7 days; suppression on first opt-out signal.
  • Recipient expectations: professionals in this role routinely receive vendor outreach about products of this kind.
  • Safeguards: one-click unsubscribe, immediate suppression, privacy notice, identification of source on request.
  • Conclusion: the controller's interest is not overridden by the data subject's rights given the targeting, restraint and safeguards.

This is a real document, archived per program, refreshed when anything changes. DPAs ask for it on complaints; producing it promptly defuses many investigations.

Country by country

ePrivacy is a directive, not a regulation, so member states have implemented it differently. The pattern that matters for cold email:

  • Germany. The strictest. Section 7(2) UWG, as the courts apply it, requires prior express consent for advertising by email regardless of whether the recipient is a business; the only carve-out is the section 7(3) existing-customer exception (you obtained the address in connection with a sale, market only your own similar goods or services, and told the recipient at collection and in every message that they can object). Treat Germany as opt-in only.
  • France. CNIL guidance accepts B2B cold email under legitimate interest when the message is directly related to the recipient's professional role and the address is professional. Generic addresses (info@, contact@) are permissible with the same caveats.
  • Italy. Garante has accepted B2B cold outreach with a documented balancing test, but has been aggressive against mass-list approaches and inadequate suppression.
  • Spain. AEPD is broadly comparable to France: B2B legitimate interest acceptable with the standard tests.
  • Netherlands, Belgium, Ireland. Generally permissive of B2B cold email under legitimate interest.
  • Nordics. Permissive of B2B cold email; Finland and Sweden tend to accept "negative consent" (you may send unless the recipient has objected).

The Germany problem

German plaintiffs' lawyers actively pursue UWG claims for cold email, typically a cease-and-desist letter (Abmahnung) with a few thousand euros in costs attached. It is a real cottage industry. Suppress German-based companies and recipients at the list-build stage unless you hold express opt-in for them. Matching on the .de TLD alone is not enough: many German firms mail from .com domains, and a German-looking surname tells you nothing about where the person works. Key the suppression on the recipient's recorded country, with the TLD only as a fallback where the country is unknown.

Role-based versus personal addresses

Generic role-based addresses (info@, contact@, sales@, careers@) are arguably less personal than named addresses. Some regulators and courts have treated them as outside personal-data scope when they cannot be linked to an identified individual. In practice, treat them as personal data unless you have a defensible reason not to. They also tend to convert poorly, so the commercial upside of cold-emailing them is small.

Named professional addresses (j.smith@company.com) are the legitimate-interest cold-email sweet spot: personal data, clearly professional, role-relevant when targeted properly. These are where your balancing test does the most work.
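The list-build-stage gate described under "The Germany problem" and the role-address handling above, as an added example that is not code from the original article. It encodes the page's rules as a filter over CRM records: B2C needs consent, Germany is opt-in only, the other listed states allow B2B legitimate interest, role addresses and opt-outs are suppressed, a source must be recorded for the Article 14 note, and cadence is one first message plus at most one follow-up after 7 days. The `Contact` fields, the country set and the TLD map are assumptions about how a CRM might store this; adjust them to your own data model.

```python
# Added example (not from the original article): a list-build-stage gate
# that encodes the page's rules. Field names, country set and the sample
# records below are assumptions/constructed data, not real people.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# States the article treats as workable for B2B legitimate interest.
# Germany is deliberately absent: section 7 UWG needs prior express consent.
LI_B2B_COUNTRIES = {"FR", "IT", "ES", "NL", "BE", "IE", "SE", "FI", "DK"}

# Generic mailboxes the article calls role-based.
ROLE_LOCALPARTS = {"info", "contact", "sales", "careers"}

# Fallback country hint from a ccTLD. Generic TLDs (.com, .io) say nothing,
# which is why the CRM country field is consulted first.
TLD_COUNTRY = {"de": "DE", "at": "AT", "fr": "FR", "it": "IT", "es": "ES",
               "nl": "NL", "be": "BE", "ie": "IE", "se": "SE", "fi": "FI", "dk": "DK"}

RUN_DATE = date(2024, 5, 3)   # "today" for the constructed sample below


@dataclass
class Contact:
    email: str
    country: str = ""                 # ISO 3166-1 alpha-2 of the workplace, "" if unknown
    b2b: bool = True                  # corporate subscriber (False = natural-person mailbox)
    express_consent: bool = False     # documented prior opt-in
    opted_out: bool = False           # any objection or unsubscribe, ever
    source: str = ""                  # where the address came from, for the Art. 14 note
    touches: int = 0                  # messages already sent in this program
    last_contacted: Optional[date] = None


@dataclass
class Decision:
    send: bool
    reason: str


def is_role_address(email: str) -> bool:
    return email.split("@", 1)[0].lower() in ROLE_LOCALPARTS


def resolve_country(c: Contact) -> str:
    """Recorded country first; ccTLD only as a fallback; "" if still unknown."""
    if c.country:
        return c.country.upper()
    tld = c.email.rsplit(".", 1)[-1].lower()
    return TLD_COUNTRY.get(tld, "")


def assess(c: Contact, today: date, follow_up_days: int = 7, max_touches: int = 2) -> Decision:
    """Decide whether this contact may receive the next message today."""
    if c.opted_out:
        return Decision(False, "suppressed: prior opt-out")
    country = resolve_country(c)
    if not c.express_consent:                      # legitimate-interest lane only
        if not c.b2b:
            return Decision(False, "B2C: ePrivacy requires prior consent")
        if country == "DE":
            return Decision(False, "DE: section 7 UWG, opt-in only")
        if country not in LI_B2B_COUNTRIES:
            return Decision(False, f"{country or 'unknown country'}: no documented legitimate-interest lane")
        if is_role_address(c.email):
            return Decision(False, "role address: excluded from this program")
        if not c.source:
            return Decision(False, "no recorded source: cannot satisfy Art. 14")
    # Cadence applies to consented and legitimate-interest contacts alike.
    if c.touches >= max_touches:
        return Decision(False, "cadence: first message and one follow-up already sent")
    if c.touches == 1 and c.last_contacted and today - c.last_contacted < timedelta(days=follow_up_days):
        return Decision(False, "cadence: follow-up not due yet")
    return Decision(True, "first message" if c.touches == 0 else "follow-up")


def build_send_list(contacts, today):
    """Split a list into (sendable, suppressed), each entry (email, reason)."""
    sendable, suppressed = [], []
    for c in contacts:
        d = assess(c, today)
        (sendable if d.send else suppressed).append((c.email, d.reason))
    return sendable, suppressed


# Constructed sample records (no real people or companies).
SAMPLE = [
    Contact("j.smith@example.fr", "FR", source="company website"),
    Contact("m.mueller@example.com", "DE", source="LinkedIn"),          # German firm on .com
    Contact("h.schulz@example.de", source="LinkedIn"),                  # country unknown, TLD says DE
    Contact("info@example.es", "ES", source="company website"),
    Contact("a.rossi@example.it", "IT", source=""),
    Contact("p.jansen@example.nl", "NL", source="press release", touches=1, last_contacted=date(2024, 5, 1)),
    Contact("k.lee@example.ie", "IE", source="LinkedIn", touches=1, last_contacted=date(2024, 4, 20)),
    Contact("someone@example.be", "BE", b2b=False, source="LinkedIn"),
    Contact("x@example.se", "SE", express_consent=True, source="webinar form", opted_out=True),
]

if __name__ == "__main__":
    ok, no = build_send_list(SAMPLE, RUN_DATE)
    for email, why in ok + no:
        print(f"{email:26} {why}")
```

Only the French first-touch and the Irish follow-up survive the gate; the German contact on a .com domain is caught by the recorded country, the .de contact with no recorded country by the TLD fallback. The opt-out check runs before anything else so that consent status can never override an objection.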

How you obtained the address matters

Source affects the balancing test directly. Better:

  • The contact's own LinkedIn profile or company website.
  • Public press release listing them as the contact for an initiative.
  • Conference attendee lists where speakers are publicly named.

Worse:

  • Scraped third-party databases of unverified provenance.
  • Leaked breach data (illegal to use, period).
  • Lists purchased from brokers without explicit per-record consent provenance.

The CJEU and several DPAs have signalled that aggregated scraping of public data still constitutes processing requiring a lawful basis and respect for data-subject rights. Public does not mean unrestricted.

Content rules that follow from the law

Even with a good legitimate-interest basis, the message itself must comply with ePrivacy national rules and GDPR transparency:

  1. Identify the sender, including business name and address.
  2. Identify how you obtained the address (one line is enough — "found your name in your company's investor relations contact page").
  3. Provide a one-click unsubscribe; honour it immediately.
  4. Link to a privacy notice covering legitimate interest as the basis and the right to object.
  5. Don't use deceptive subjects, fake reply-thread markers, or obfuscated sender names.

Realistic risk assessment

Most EU cold-email programs are not investigated by national DPAs. The realistic exposure is:

  • Recipient complains to a DPA — a documented balancing test and prompt suppression usually closes the file.
  • Recipient is a German lawyer or competitor — a UWG demand letter is plausible. Avoid Germany or have express opt-in.
  • Mass-scrape program — DPAs do investigate these, particularly when amplified by media. Don't run mass-scrape programs.

The deliverability risk is more constant: badly-targeted lists produce complaints, complaints feed reputation systems, and reputation drops kill inbox rate weeks before any regulator notices.

Frequently asked questions

Is GDPR consent required for B2B cold email?

No, in most member states. The legal basis can be legitimate interest, conditional on a documented balancing test. Germany is the major exception: section 7(2) UWG requires prior express consent for email advertising, B2B included.

Can I email a public conference attendee list?

Cautiously. The conference attendees expected the list to be used for the conference, not arbitrary marketing. If your message is directly related to the conference theme and you suppress quickly on objection, the balancing test is defensible.

What about the soft opt-in for existing customers?

That's a separate exception under ePrivacy (Article 13(2)): you may market your own "similar products and services" to existing customers whose details you obtained in the context of a sale, without fresh consent, provided you offered an opt-out at collection and repeat it in every message. National implementations vary on what "similar" means.

Do I need to identify how I found the address?

GDPR Article 14 requires you to tell the data subject, among other things, the source of the data when you did not obtain it from them directly, and to do so at the latest at the time of the first communication when the data is used to contact them. In cold email this usually means a one-line note in the first message itself, plus a link to a privacy notice with the full Article 14 detail.