EU Data Residency for Cold Email: What It Means (and What It Doesn't)
Data residency is one of the most misunderstood terms in cold email. People hear “European infrastructure” or “data stays in the EU” and assume it covers the legal side of sending. It does not. Residency is a statement about where your data physically lives and which IP addresses you send from. It says nothing about whether you are allowed to email a given person in the first place.
This post draws a clear line. First, what data residency actually is. Then, what the Microsoft EU Data Boundary means at a high level. And finally — the part most vendors skip — what residency does not do, including why GDPR and national consent laws like Germany’s UWG still apply regardless of where your mailboxes sit.
What data residency is
Data residency is the geographic location where data is stored and processed. For email infrastructure, it answers two concrete questions:
- Where is mailbox content stored at rest? Your sent items, received replies, contacts, and folder data. Are they held on servers in the EU or Switzerland, or somewhere else?
- From which IP space do you send? Outbound mail leaves from specific IP ranges. Those ranges are geolocated to a country or region.
When a provider says mailboxes have EU residency, the honest, narrow claim is this: mailbox content at rest sits in the EU or Switzerland, and outbound mail is sent from EU or CH IP space. That is a real, useful property. It matters for organisations with internal data-handling policies, for buyers who prefer to keep European data on European infrastructure, and for the practical reality that EU/CH-geolocated IPs are sometimes treated differently by receiving mail systems than IPs in other regions.
That is the whole of what residency claims. It is an infrastructure fact, not a legal blessing.
The Microsoft EU Data Boundary, briefly
Microsoft 365 mailboxes can fall under the Microsoft EU Data Boundary, a Microsoft commitment to store and process customer data for its cloud services within the European Union and the European Free Trade Association (EFTA) states. In plain terms, it is Microsoft’s framework for keeping core customer data — including mailbox content — inside the EU.
Two things are worth stating precisely, because over-claiming here is common:
- The EU Data Boundary covers storage and most processing of customer data within the EU/EFTA region. That is the strong, defensible part.
- It does not mean “no data ever leaves the EU.” Limited, defined categories of data — for example certain pseudonymised or operational data needed to run and secure the service — can still cross the boundary under Microsoft’s own published rules. Anyone telling you data never leaves the EU is overstating it.
So the accurate way to describe an EU-resident Microsoft 365 setup is: mailbox content at rest in the EU/Switzerland under the Microsoft EU Data Boundary, sending from EU/CH IPs. No more than that.
What data residency is NOT
Here is the part that matters most, and where a lot of marketing quietly misleads people.
Data residency does not make cold email legal. It does not grant consent. It does not satisfy GDPR. It does not override national anti-spam law. Storing your mailbox in Frankfurt or Zurich changes where the data lives — it does nothing to the act of sending an unsolicited message to a recipient. Those are two separate legal questions, governed by separate rules.
Mixing them up is the single most expensive misconception in this space. Let’s separate them cleanly.
GDPR: about processing, not permission to send
The General Data Protection Regulation (GDPR) governs how you process personal data — collecting it, storing it, using it. An email address belonging to a person (including firstname@company.com) is personal data under GDPR.
Under GDPR you need a lawful basis to process that data. For B2B prospecting, senders often rely on legitimate interest (Article 6(1)(f)) as the basis for processing contact data — holding it, scoring it, reaching out. That can be a valid basis for the processing, provided you do a balancing test, honour data-subject rights, and tell people how you got their data.
But — and this is the crux — legitimate interest covers the processing of the data, not automatically the act of sending an unsolicited electronic message. Whether you may actually send the email is frequently governed by a different body of law: the ePrivacy rules and national implementations that sit alongside GDPR. GDPR legitimate interest is not a blanket permission slip for cold outreach. Many people stop reading at “legitimate interest” and assume they are covered for sending. They are not necessarily.
And none of this is affected by where your mailbox is hosted. Residency does not change your lawful basis, your balancing test, or your obligations to recipients.
National consent law: Germany’s UWG §7(2) and others
On top of GDPR, individual EU countries have their own rules on unsolicited commercial communication. Germany is the clearest example. Under the German Unfair Competition Act (UWG), §7(2), unsolicited advertising by email is generally treated as an unreasonable nuisance and requires the recipient’s prior consent — and this applies to B2B, not just consumers. In other words: in Germany, emailing a business prospect cold, without prior opt-in, is a problem under the UWG regardless of GDPR and regardless of where your server sits.
Germany is strict, but it is not alone. Several EU markets require opt-in even for business-to-business outreach, and the precise rules vary country by country. The takeaway is not “Germany is special” — it is that the legality of sending depends on the recipient’s jurisdiction and consent status, and infrastructure cannot change that.
A mailbox hosted on EU infrastructure sending to a German recipient is subject to German law. The EU IP does not help. The EU Data Boundary does not help. Residency is simply the wrong tool for that job.
Residency vs. legality, side by side
| Question | Answered by data residency? | Governed by |
|---|---|---|
| Where is my mailbox data stored? | Yes | Hosting / EU Data Boundary |
| Which IPs do I send from? | Yes | Hosting region |
| Do I have a lawful basis to process this contact’s data? | No | GDPR (e.g. legitimate interest) |
| Am I allowed to send this person an unsolicited email? | No | ePrivacy + national law (e.g. UWG §7(2)) |
| Have I honoured opt-out and data-subject rights? | No | GDPR + national law |
The left two rows are infrastructure. The bottom three are your responsibility as the sender, and they do not move when your hosting moves.
Who is responsible, and what to actually do
The sender is always responsible for consent and for complying with the law of the recipient’s country. No infrastructure provider — including this one — can take that responsibility on for you, and any provider claiming their hosting makes your sending “compliant” is not being straight with you.
Practical, honest guidance:
- Know your recipient’s jurisdiction. The rules that apply are the recipient’s, not yours and not your server’s.
- Treat strict opt-in markets (like Germany) as opt-in markets. Do not assume B2B is exempt — under the UWG it is not.
- Keep your GDPR house in order: a documented lawful basis, a legitimate-interest assessment where you rely on it, clear sourcing of data, easy opt-out, and prompt handling of data-subject requests.
- Get advice for your specific situation. This post is general information, not legal advice. If you send at scale into the EU, talk to a qualified lawyer in the relevant markets.
How Mailionaire thinks about this
Mailionaire provisions real, isolated Microsoft 365 mailboxes for cold email, and is built and run in Switzerland. Each sending domain is its own isolated Microsoft 365 tenant with up to 100 mailboxes. Switch on the optional EU/Swiss residency add-on and your mailbox content sits at rest in the EU/Switzerland on EU/CH IP space, under the Microsoft EU Data Boundary — a rare option among Microsoft 365 cold-email providers. You can read the technical detail on our European email infrastructure page.
We are deliberate about what that does and does not buy you. It is genuinely European infrastructure. It is not a consent mechanism, and it does not make your sending legal. Deciding who you may contact, on what basis, and under which country’s rules remains yours — as it does with any provider. We would rather say that plainly than sell residency as something it is not.
FAQ
Does EU data residency make my cold email GDPR-compliant?
No. Residency determines where your mailbox data is stored and which IPs you send from. GDPR compliance depends on having a lawful basis to process the data, honouring data-subject rights, and following sending rules — none of which change based on hosting location.
Can I send cold B2B email in Germany if my mailbox is hosted in the EU?
Hosting location does not help here. Under Germany's UWG §7(2), unsolicited advertising email generally requires prior consent, and this applies to B2B as well as consumers. The recipient's jurisdiction governs, not your server's.
Isn't "legitimate interest" under GDPR enough to send cold email?
Legitimate interest can be a lawful basis for processing contact data, subject to a balancing test. It does not automatically authorise the act of sending an unsolicited message, which is often governed by separate ePrivacy and national rules. The two are distinct.
Does the Microsoft EU Data Boundary mean my data never leaves the EU?
Not exactly. The EU Data Boundary keeps storage and most processing of customer data within the EU/EFTA region, but limited categories of data — such as certain pseudonymised or operational data — can still cross it under Microsoft's published rules. The accurate claim is "mailbox content at rest in the EU/Switzerland," not "no data ever leaves the EU."
Mailionaire provisions real, isolated Microsoft 365 mailboxes for cold email — built in Switzerland, with optional EU/Swiss data residency — then monitors and replaces them as they wear out. One flat price per domain. See how it works →