Cold Email and GDPR: A Practical Guide for Senders
Under the GDPR, cold email counts as processing personal data. So you need a documented lawful basis — usually legitimate interest after a balancing test — plus transparency and respect for data-subject rights. But GDPR does not by itself decide whether you may send the message. That question is governed separately by ePrivacy rules and national law in the recipient’s country. This is not legal advice.
GDPR governs processing, not the act of sending
The most useful distinction for senders is this: GDPR is about how you handle data, while a separate body of law governs whether the message is allowed.
A prospect’s name, work email, job title, and company are personal data. Collecting, storing, enriching, and emailing them are all “processing” under GDPR, and every step needs a lawful basis.
But the act of sending an unsolicited commercial message is mostly regulated by the ePrivacy Directive and each member state’s implementation of it. Germany’s UWG §7(2), for example, generally requires prior opt-in for advertising email, and that applies to B2B as well as consumers. You can be fully compliant on the processing side and still be sending unlawfully under national rules.
Treat them as two checks you both have to pass.
| Layer | What it governs | Example rule |
|---|---|---|
| GDPR | How you process personal data | Lawful basis, transparency, rights |
| ePrivacy + national law | Whether you may send | Germany UWG §7(2) opt-in |
What counts as a lawful basis
GDPR lists six lawful bases. For cold outreach, two come up in practice:
- Consent — the recipient actively opted in. Clean, but rare for genuinely cold contacts.
- Legitimate interest — you have a real business interest that is not overridden by the individual’s rights and freedoms.
Most B2B cold email relies on legitimate interest. That basis is not automatic; it requires a balancing test you should document before sending.
A workable balancing test asks three things: Is the interest legitimate (for example, offering a relevant service to a business contact)? Is the processing necessary for it? Do the individual’s interests, rights, and reasonable expectations override yours? Relevance matters here — emailing a marketing director about a marketing tool is easier to justify than untargeted blasts.
Legitimate interest is generally weaker for personal addresses and individuals acting as consumers, and stronger for role-based B2B contacts.
Transparency and data-subject rights
Because you collected the data indirectly (scraped, bought, or enriched rather than given to you), Article 14 transparency obligations apply. In practice that usually means informing the person — often at first contact, and generally within a month — about who you are, why you are processing their data, your lawful basis, and how to object or request deletion.
Data subjects also keep their rights regardless of your basis:
- Right to object to processing for direct marketing — an absolute right you must honour.
- Right to erasure (“be forgotten”).
- Right of access to the data you hold.
The operational takeaway: maintain a suppression list, make unsubscribe trivial, and act on deletion requests promptly. These are not nice-to-haves; they are how the rights above get satisfied in a real sending workflow. For the broader “is this even allowed” picture, see our overview on whether cold email is legal.
Where infrastructure fits — and where it doesn’t
A common mistake is assuming that hosting data in Europe settles GDPR. It does not. Data residency affects where mailbox content sits at rest and which IPs you send from; it does not create a lawful basis or remove the consent question. We unpack that in detail in EU data residency for cold email.
What infrastructure can do is make compliance operationally achievable. Correct SPF, DKIM, and DMARC records, suppression handling, and one-click unsubscribe overlap directly with the Google and Yahoo sender requirements effective February 2024 — and good list hygiene supports your GDPR balancing test by keeping outreach relevant and respectful. Knowing how the underlying Microsoft 365 tenant is structured helps you keep records of what data lives where, which supports the transparency and access obligations above.
A practical checklist for senders
This is an operational summary, not legal sign-off:
- Identify and document a lawful basis for each campaign — usually legitimate interest, with a written balancing test.
- Check the recipient’s national law before sending; the recipient’s jurisdiction governs (Germany requires opt-in even for B2B).
- Keep outreach relevant and role-based; relevance strengthens legitimate interest.
- Provide an Article 14 privacy notice and a clear way to object.
- Run suppression lists and honour opt-out and deletion requests promptly.
- Keep records of where data is stored and how it is processed.
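The checklist above translates naturally into a pre-send gate. The following is an added illustration, not Mailionaire code: a small suppression list plus a `may_send` check that refuses a recipient when they have objected, when their jurisdiction needs prior opt-in (Germany is the constructed entry in `OPT_IN_REQUIRED`), when legitimate interest is claimed without a written balancing test or for a non-B2B address, or when the Article 14 notice is more than a month overdue. The `Prospect`/`Campaign` names, the 30-day figure used as the "within a month" deadline, and the sample contacts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed: jurisdictions whose national law (Germany, UWG §7(2)) requires prior opt-in even for B2B.
OPT_IN_REQUIRED = {"DE"}
def normalise(email: str) -> str:  # trim and case-fold so address variants hit one suppression entry
    return email.strip().lower()

@dataclass
class Prospect:
    email: str
    country: str                 # ISO 3166-1 alpha-2 code of the recipient's jurisdiction
    collected_on: date           # when the record was scraped, bought or enriched (Art. 14 clock)
    consented: bool = False      # documented prior opt-in
    role_based_b2b: bool = True  # business role contact rather than a personal address
    art14_notice_sent: bool = False

@dataclass
class Campaign:
    lawful_basis: str                  # e.g. "legitimate_interest"
    balancing_test_ref: Optional[str]  # id of the written balancing test, if any
    suppression: set = field(default_factory=set)

    def record_objection(self, email: str) -> None:
        """Art. 21 objection or erasure request: suppress the address and stop further contact."""
        self.suppression.add(normalise(email))

    def may_send(self, p: Prospect, today: date) -> tuple:
        """Pre-send gate; returns (allowed, reason) so every refusal is auditable."""
        if normalise(p.email) in self.suppression:
            return False, "suppressed: recipient objected or requested erasure"
        if p.country in OPT_IN_REQUIRED and not p.consented:
            return False, f"{p.country}: prior opt-in required regardless of GDPR basis"
        if self.lawful_basis == "legitimate_interest" and not self.balancing_test_ref:
            return False, "legitimate interest claimed without a documented balancing test"
        if self.lawful_basis == "legitimate_interest" and not p.role_based_b2b:
            return False, "legitimate interest is weak for personal/consumer addresses"
        if not p.art14_notice_sent and today > p.collected_on + timedelta(days=30):
            return False, "Art. 14 notice overdue: not given within a month of collection"
        return True, "ok" if p.art14_notice_sent else "ok: include Art. 14 notice in this first contact"

def demo() -> list:
    # Constructed walk-through: FR contact, DE contact without opt-in, then the FR contact after objecting.
    c, today = Campaign("legitimate_interest", "LIA-2024-01"), date(2024, 3, 1)
    fr = Prospect("Anna.Muster@Example.com", "FR", collected_on=date(2024, 2, 20))
    de = Prospect("b@firma.example", "DE", collected_on=date(2024, 2, 20))
    out = [c.may_send(fr, today), c.may_send(de, today)]
    c.record_objection(" anna.muster@example.com ")
    out.append(c.may_send(fr, today))
    return out
```

The reason string is what you would log alongside the campaign id, so that a refused send can later be shown to a regulator or data subject.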
When in doubt, get advice from a qualified lawyer in the relevant jurisdiction. Nothing here is a substitute for that.
How Mailionaire approaches this
Mailionaire is sending infrastructure, not a legal product, so we are careful about the line: we configure SPF, DKIM, and DMARC, isolate each sending domain in its own Microsoft 365 tenant, and keep the technical record clear — but the lawful basis, consent where required, and data-subject requests remain your responsibility. EU/Swiss residency is available as an optional add-on rather than the default, and pricing stays simple at $50 per active domain. See how it works for what we set up and what stays in your hands.
FAQ
Does GDPR ban cold email?
No. GDPR governs how you process personal data, not whether you may send. You can process contact data under a lawful basis such as legitimate interest, subject to a balancing test. Whether the message itself is permitted is decided separately by ePrivacy rules and national law in the recipient's country.
Is legitimate interest enough to send cold email under GDPR?
Legitimate interest can justify processing contact data for B2B outreach after a documented balancing test. It does not automatically authorise the act of sending. In several countries, including Germany under UWG §7(2), unsolicited advertising email needs prior opt-in regardless of your GDPR basis.
Do I have to tell people I have their data before I email them?
GDPR's transparency duty applies. When data is collected indirectly, Article 14 generally requires you to inform the person — typically at first contact and within a month — covering who you are, why you process the data, your lawful basis, and how to object or request deletion. This is not legal advice.
Can a recipient ask me to delete their data?
Yes. Data subjects can object to processing and request erasure. You must honour opt-out and deletion requests promptly and stop further contact. Building suppression and easy unsubscribe into your workflow is the practical way to meet these duties. Consult a qualified lawyer for your situation.
Mailionaire provisions real, isolated Microsoft 365 mailboxes for cold email — built in Switzerland, with optional EU/Swiss data residency — then monitors and replaces them as they wear out. One flat price per domain. See how it works →