Anyone who wants to win new customers in B2B can rarely avoid active outreach. At the same time, cold outreach to EU contacts is legally more demanding than in many other markets. Many myths circulate: some consider every cold email forbidden, others consider it completely unproblematic as long as it is aimed at business customers. Both are off the mark. The important thing to understand is that there are two separate levels you must observe, both at once: marketing and anti-spam law, which differs by jurisdiction, and data protection under the GDPR. This guide separates the two cleanly, explains what matters at each level, and shows what a robust outreach process looks like. It is no substitute for legal advice, but it provides orientation.
Two levels that are often confused
The most common error in thinking is throwing marketing law and data protection into one pot. They answer different questions. Marketing law clarifies whether you may address someone with advertising at all. Data protection clarifies how you handle the personal data needed for that. Both levels must be satisfied at the same time. An outreach can be cleanly justified under data protection law and still be impermissible under marketing law, or the other way around. Anyone who thinks of only one of the two levels regularly overlooks the other. That is why we consider them separately below.
Level 1: marketing law, may I make contact at all?
Marketing law governs whether a promotional outreach is permissible. For email advertising to EU contacts, the principle is that it is generally impermissible without prior consent, including in B2B. The national rules implementing the ePrivacy Directive (Art. 13) provide only narrowly defined exceptions, such as the existing-customer exception, and tie them to strict conditions. In the US, by contrast, CAN-SPAM allows commercial email without prior consent, as long as headers are honest, a valid postal address is included and a working opt-out is honored. In practice this means: cold email to EU companies is trickier than many assume, and differs significantly from the legal situation in the US. Anyone who simply transfers US practice to EU contacts quickly moves into risk. What is decisive is not whether a person or a company is contacted, but whether a permissible basis for the promotional outreach exists.
Telephone cold outreach to businesses is sometimes assessed somewhat differently than email, but it also hinges on presumed consent or a factual interest of the person called in the offer, and on do-not-call rules where they apply. The details differ between jurisdictions, which is why you should have your specific case reviewed by a professional. Blanket statements like "calling is always allowed" or "emailing is always forbidden" fall short and lead you astray.
Level 2: GDPR, how do I handle the data?
Even when the outreach is defensible under marketing law, you are processing personal data, such as the name and email of a contact. For that you need a legal basis under the GDPR. In B2B, the legitimate interest under Art. 6(1)(f) GDPR is often relied on here, which requires a balancing between your interest and the interests of the person concerned. This balancing is no free pass, it is a real assessment: the more relevant and restrained your outreach, the more likely your interest prevails. The broader and more intrusive, the more likely the interests of the data subject prevail.
In practice this means, among other things:
- Transparency: the contacted person must be able to understand where you got their data and how you process it.
- Data minimization: collect and store only what you genuinely need for the outreach.
- Right to object: a simple way to object to the processing must be possible at any time, and an objection must be implemented immediately.
- Documentation: record where data comes from and which basis you rely on.
The balancing of interests in practice
The balancing under legitimate interest sounds abstract, but it can be made concrete. It speaks for your interest when your offer has a recognizable factual connection to the activity of the contacted company and the outreach is restrained and relevant. It speaks against you when there is broad, generic mass outreach with no hook, the processing of data of unclear origin or the ignoring of objections. From this follows a practical rule of thumb: what makes good outreach, namely relevance, restraint and traceable data, simultaneously strengthens your data protection position. Clean outreach and legal defensibility pull in the same direction.
What this means for your outreach process
Working cleanly does not mean not doing outreach at all, it means setting up the process robustly. Fresh, traceably researched data is more valuable than purchased mass lists of unclear origin, because you can document source and recency. A personalized outreach with a recognizable factual hook to the contacted company is not only more successful, it is also easier to justify in the sense of the balancing of interests than a generic mass mail. A simple, immediately effective right to object belongs in every message, and every objection must be documented and implemented. That creates a process that not only works better, but is also traceable in case of dispute.
Checklist for a robust basis
- Data from a traceable source instead of anonymous purchased lists.
- A factual connection between your offer and the contacted company.
- Personalized, restrained outreach instead of generic mass.
- Transparency about the origin and purpose of the data processing.
- A simple, immediately effective right to object in every message.
- Documentation of origin, legal basis and objections.
Where may the data come from?
A central question is the origin of the data. Publicly available business information, for example from a company website or an official register, is generally easier to justify than data of unclear origin from purchased lists. What is decisive is that you can trace and document where a piece of information came from. Even publicly available data is subject to the GDPR as soon as it relates to a person, that is, its processing still needs a legal basis and must be transparent. Public therefore does not mean freely usable without any rule, it merely means that the collection itself is less intrusive. Anyone who documents the source stands better in every respect than someone with an anonymous purchased list.
Data processing agreements and service providers
As soon as you use tools or service providers that process personal data on your behalf, such as a sending or research tool, you are dealing with a processor, and Art. 28 GDPR requires a data processing agreement that governs how the provider handles the data, including confidentiality, security measures and deletion on termination. It also matters where the data is processed: processing within the EU (or EEA) is simpler under data protection law than a transfer to a third country, which triggers the additional requirements of Chapter V GDPR. For EU-facing teams in particular, many customers value EU hosting. Anyone who selects their providers carefully and concludes the necessary contracts not only fulfills an obligation, but also builds trust with their own business partners.
Information duties under Art. 13 and 14
The GDPR requires that data subjects be informed about the processing of their data. When you collect data not directly from the person but from other sources, for example from public directories, Art. 14 applies with special information duties. In practice this means that the contacted person must be able to understand who you are, where you got their data, for what purpose you process it and which legal basis you rely on. This transparency can be elegantly built into the first outreach and a linked privacy notice. It is not a bureaucratic burden, it is a trust signal: anyone who discloses where they come from appears more credible than someone who conceals their source.
Implement the right to object correctly
Every data subject has the right to object to the processing of their data for direct marketing purposes (Art. 21(2) GDPR), and this objection must be simple and possible at any time. In practice this means: every message contains a clear, simple way to opt out or object. An objection must be implemented immediately and fully, with no hurdles and no further follow-up mails. Ignoring or obstructing an objection is not only legally risky, but also bad for business, because it annoys people and harms your reputation. A clean process records who objected and ensures that those people are no longer contacted, permanently, even if their address later turns up again in a new list. That protects you legally and preserves your good name at the same time.
Retention period and deletion concept
Data may not be kept indefinitely. The GDPR requires that personal data be stored only as long as necessary for the respective purpose. For outreach this means having a concept for when data is deleted or anonymized, for example when a contact shows no interest permanently or has objected. A simple deletion concept sets deadlines and ensures they are actually observed. That prevents a growing mountain of stale data from accumulating over the years, which is not only legally problematic but also practically worthless. Data minimization and regular cleanup are therefore not only an obligation, but also in your own interest.
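The two process requirements just described, an objection that takes effect immediately and survives permanently, and a deletion concept with deadlines that are actually enforced, pull in opposite directions if implemented naively: deleting an objector's record also deletes the evidence that they objected. The following is an added illustration written for this guide, not code from the original article or from Firmeo. It assumes a small in-memory contact store, a hypothetical 180-day retention deadline, and a keyed hash (HMAC-SHA-256 under a server-side secret) as the suppression token, so that an objection can be honored after the address itself has been deleted.

```python
"""Suppression list and retention sweep for an outreach contact store.
Added example for this guide; the store, the key and the 180-day deadline
are assumptions, not part of any real product."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Assumed server-side secret. A keyed hash (rather than plain SHA-256) means a
# leaked suppression list cannot be reversed by hashing known addresses.
SUPPRESSION_KEY = b"example-only-secret-rotate-in-production"
RETENTION_DAYS = 180  # assumed deadline for contacts without any activity


def _norm(email: str) -> str:
    """Normalise an address so case and whitespace do not defeat suppression."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the normalised address: enough to block future contact,
    not enough to reconstruct the address once it has been deleted."""
    return hmac.new(SUPPRESSION_KEY, _norm(email).encode(), hashlib.sha256).hexdigest()


@dataclass
class Contact:
    email: str
    company: str
    source: str          # where the data came from (Art. 14 information duty)
    legal_basis: str     # e.g. "Art. 6(1)(f) GDPR, legitimate interest"
    collected_on: date
    last_activity: date  # last reply, click or manual touch
    objected: bool = False


@dataclass
class OutreachStore:
    contacts: Dict[str, Contact] = field(default_factory=dict)
    suppressed: Dict[str, date] = field(default_factory=dict)  # token -> objection date
    log: List[str] = field(default_factory=list)               # accountability trail

    def add(self, c: Contact) -> bool:
        """Import a contact, refusing anyone who has objected before
        (e.g. the same address reappearing in a freshly researched list)."""
        if suppression_token(c.email) in self.suppressed:
            self.log.append(f"refused import from '{c.source}': address is suppressed")
            return False
        self.contacts[_norm(c.email)] = c
        return True

    def may_contact(self, email: str) -> bool:
        """Checked before every single send, so an objection is effective at once."""
        c = self.contacts.get(_norm(email))
        return (suppression_token(email) not in self.suppressed
                and c is not None and not c.objected)

    def object(self, email: str, today: date) -> None:
        """Record an Art. 21(2) objection: immediate, permanent, documented."""
        tok = suppression_token(email)
        self.suppressed[tok] = today
        c = self.contacts.get(_norm(email))
        if c is not None:
            c.objected = True
        self.log.append(f"objection recorded on {today} for token {tok[:12]}")

    def retention_sweep(self, today: date, days: int = RETENTION_DAYS) -> int:
        """Delete records that objected or exceeded the retention deadline.
        Only the suppression token survives, so the objection stays honoured."""
        removed = 0
        for key, c in list(self.contacts.items()):
            stale = (today - c.last_activity) > timedelta(days=days)
            if c.objected or stale:
                reason = "objection" if c.objected else "retention"
                del self.contacts[key]
                removed += 1
                self.log.append(f"deleted token {suppression_token(c.email)[:12]} ({reason})")
        return removed
```

The point of the keyed token is that the deletion concept and the right to object stop contradicting each other: the sweep removes the name, address and source, while the token keeps the address blocked if it is ever imported again. The `log` list stands in for whatever record you keep for accountability; it deliberately stores tokens rather than addresses.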
Documentation and accountability
The GDPR establishes the principle of accountability (Art. 5(2)): you must not only act lawfully, but also be able to prove it. In practice this means documenting the essential decisions and bases, that is, where data comes from, which legal basis you rely on, how the balancing of interests turned out and how you handle objections. This documentation sounds like effort, but in case of dispute it is your most important protection. It also forces you to think the process through clearly, which raises the quality overall. Anyone who documents cleanly from the start, instead of having to reconstruct it afterward, saves a lot of trouble and stands much better in an audit.
B2B and B2C: an important difference
The legal assessment differs depending on whether you address business customers or private individuals. Toward consumers, the hurdles for promotional outreach are generally higher. In B2B there is somewhat more room, for example via legitimate interest, but that room is narrower than many assume, and does not release you from the basic duties. It is also important that the line is not always clear-cut: a sole proprietor with a business and a private sphere cannot be assigned cleanly to one category. In case of doubt, the more cautious assessment is the safer one. This distinction is a good example of why blanket statements lead you astray and the individual case counts.
Common misconceptions about cold outreach
- In B2B everything is allowed: false, marketing law and the GDPR apply in B2B too, with clear limits.
- I may freely use public data: false, even public personal data needs a legal basis and transparency.
- A legal notice (imprint) is consent: false, the mandatory listing of a contact address is not agreement to advertising.
- An unsubscribe link is enough for everything: it is important, but it replaces neither the necessary legal basis nor the information duties.
- What works in the US works here too: false, the legal situation for EU contacts is significantly stricter.
How Firmeo creates a clean basis
This is exactly where Firmeo comes in: instead of stale lists, Firmeo researches fitting companies live from public sources, checks them against their own website and documents the sources, so origin and recency stay traceable. The outreach happens personalized from your own mailbox with a recognizable factual hook, and sequences stop immediately on reply or objection. Processing runs EU-hosted with a data processing agreement, based in Austria. That does not replace a legal review of your specific case, but it creates a documented, traceable basis you can build on.
Conclusion
GDPR-compliant cold outreach is no contradiction in terms, but it demands care. The most important thought of this guide is the separation of the two levels: marketing law clarifies whether you may address someone with advertising, data protection clarifies how you handle the data needed for that. Both must be satisfied at the same time, and both are handled more strictly for EU contacts than many assume. Anyone who internalizes that avoids the most common misconceptions, such as the assumption that in B2B everything is allowed or that public data may be used freely.
The good news is that legal care and good outreach do not contradict each other, they pull in the same direction. Traceable data from a verifiable source, a factual connection to the contacted company, a restrained, personalized outreach and a simple, immediately effective right to object simultaneously strengthen your data protection position and your reply rates. Add to that the duties that run in the background: information duties, a thoughtful retention period, a deletion concept and the documentation of your own decisions. That sounds like effort, but it is above all a sign of professionalism and, in case of dispute, your best protection.
This article is no substitute for legal advice and cannot conclusively assess the individual case, because the lines are often fluid and depend on details. What it can do is provide orientation: it shows what matters and makes clear that a robust outreach process is possible if you set it up cleanly from the start, instead of repairing it afterward. Anyone who additionally has their specific process reviewed by a professional does outreach not only more successfully, but also with a clearer conscience.