GDPR and B2B Prospecting: the practical guide (without the fear)

Alejandro Cova, Growth Marketing Manager · Apr 07, 2026 · 13 min read

Ask ten marketing leaders whether you can do cold prospecting in Europe and at least half will tell you GDPR bans it. It is one of the most widespread myths in B2B, and also one of the most expensive: out of fear, many companies give up a perfectly legal growth channel.

The reality is more nuanced. GDPR does not ban B2B outbound: it requires doing it with judgment and respect for the data. The difference between compliant and non-compliant is not whether you prospect, but how you do it.

In this guide you will see what GDPR is and who it applies to, whether B2B cold email is legal, the key difference between consent and legitimate interest, how to document your legal basis, what to include in each email and a checklist to give you peace of mind.

Note: this is a practical guide to orient you, not legal advice. For your specific case, your industry and your country, always consult your advisor or your DPO.

What is GDPR and who does it apply to?

GDPR (the General Data Protection Regulation) is the European regulation that governs how companies handle personal data. "Personal data" is any information that identifies a person: their name, their professional email, their job title. It applies to any company that processes data of EU residents, wherever it is based.

The important nuance for B2B: even if you write to a company, behind every email there is a person, so GDPR applies. But it applies in a way proportionate to the professional context, which is precisely what opens the door to well-done prospecting.

Is B2B cold email legal in Europe? The short answer

Yes, in general terms and done well. GDPR does not require prior consent for everything: it provides for several legal bases, and relevant B2B prospecting usually relies on legitimate interest. The key is that the message is pertinent to the professional role of the recipient and that you respect their rights.

It is worth knowing that, beyond GDPR, there are privacy rules for electronic communications (the ePrivacy directive and its national transpositions) that may add nuances depending on the country and on whether you write to an individual or to a generic company inbox. That is why the "it depends on your country" in the note is real. But the underlying principle holds: professional, pertinent and respectful contact.

Consent vs legitimate interest

Here is the confusion that generates almost all the fear. Many people believe they need someone's express consent before writing to them. For B2B prospecting, usually not: that is the realm of legitimate interest.

  • Consent: the person has said "yes, write to me" (for example, by filling out a form). It is the typical basis for consumer marketing and newsletters.
  • Legitimate interest: you have a legitimate commercial reason to make contact and the impact on the person is minimal and expected in their role. It is the typical basis for B2B outbound.

You do not need an operations director to have requested your email in order to write to them about an operations solution, just as they do not need your permission to write to you. What you do need is to be able to justify why that contact is legitimate.

Legitimate interest, in detail

GDPR requires a legal basis to process data. In B2B, relevant commercial contact usually relies on legitimate interest, provided the message is pertinent to the person's professional role and provides reasonable value.

The key is in "pertinent". Writing to an IT director about an IT solution is defensible. Writing to them about life insurance is not. The better your message fits their job, the stronger your position. Pertinence is not just a legal matter: it is also what makes your prospecting work.

[Figure: Compliance and data in B2B prospecting. Compliance and results go hand in hand: clean data and pertinent messages.]

How to do your legitimate interest assessment (LIA)

Legitimate interest is not a free pass: it requires you to carry out (and document) a small assessment, known as the LIA. In practice, you ask yourself three questions:

  1. Is there a real legitimate interest? Selling a pertinent product to a company is one.
  2. Is contacting this way necessary to achieve it? In other words, is the means proportionate?
  3. Does your interest override the person's rights? If the contact is expected in their role and not very intrusive, usually yes.

Putting this in writing in a simple document protects you against a possible complaint and, along the way, forces you to refine who you contact. It is half an hour of work that is worth years of peace of mind.

Collect only the minimum

The minimization principle is simple: collect only the data you need for professional contact. Name, job title and corporate email are enough for almost everything. The less sensitive data you handle, the lower your risk and the easier it is to justify your processing. Accumulating information you do not use does not make you more powerful, it makes you more vulnerable.

What to include in each email

Transparency is not optional. Every prospecting message should make clear, without hiding it in the fine print:

  • Who you are: identify yourself with your name and your company.
  • Why you are reaching out: the professional reason for the message.
  • Where their data comes from: a brief mention of the source builds trust.
  • How to unsubscribe: a simple way to stop receiving messages.

The opt-out option is not a courtesy: it is mandatory. And, looked at properly, it is also good prospecting, because anyone who does not want to hear from you was never going to buy from you. Removing them from the list saves you time and protects your sending reputation.

Respect rights as soon as they are exercised

If someone asks you to delete their data, correct something or stop contacting them, do it and keep a record of the request and your action. Having a clear process for this (who receives it, within what time frame it is resolved, where it is logged) not only protects you: it conveys professionalism to someone who might one day be a customer.

The real risk: poor-quality data

The biggest problem is usually not prospecting itself, but the source of the data. Purchased lists of dubious origin are a time bomb: you neither know how they were collected nor whether those people expected that contact, and they are exactly the ones that generate complaints and claims.

Building your audiences from verified sources not only complies better: it converts more, because you are talking to those who genuinely fit. Compliance and results, far from clashing, go hand in hand. A clean, well-sourced list is, at the same time, more legal and more profitable.

Quick compliance checklist

  • Legal basis (legitimate interest) documented with your LIA.
  • Message pertinent to the professional role of the recipient.
  • Only minimal data: name, job title, corporate email.
  • Clear identification, reason for contact and data source in each email.
  • Simple opt-out option in every message.
  • Process to handle opt-outs and rights on time, with a record.
  • Data from verified sources, never opaque lists.

Frequently asked questions

Do I need consent to write a B2B cold email?

Generally no: pertinent B2B prospecting usually relies on legitimate interest, not on prior consent. You do need to be able to justify the legitimacy of the contact and to respect rights.

Can I write to addresses like info@ or to specific people?

Generic company inboxes are treated less as personal data, but they usually convert worse. When writing to specific people, make sure the message is pertinent and transparent. The exact rules may vary by country.

Do I have to say where I got their data?

Yes, transparency about the source is part of compliance and, on top of that, builds trust. A brief sentence is enough.

What happens if someone complains or asks to unsubscribe?

Handle the request without delay, stop contacting them and record the action. A prompt opt-out process is your best shield and your best image.

Does GDPR apply if my company is outside the EU?

Yes, if you process data of EU residents. Your company's location does not exempt you; what counts is who you contact.

In short

GDPR is not the enemy of your growth. It is, in fact, a good framework for prospecting the way it should always be done: with clean data, relevant messages and respect for the person on the other side.

Document your legal basis, collect the minimum, be transparent, respect rights and work with verified data. Do it this way and you can prospect with the peace of mind of being compliant, which is precisely what lets you do it at scale. At Desorbitante we build compliant audiences and run prospecting taking care of this point from the very first email.
