In September 2025, the UK ICO published updated guidance on recognised legitimate interest - the first significant regulatory update on B2B outreach in several years, as covered by Clifford Chance. The ICO explicitly confirmed that B2B cold email is not prohibited but requires documented justification. Meanwhile, France's CNIL and the German data protection authorities (coordinated through the DSK) tightened enforcement in 2025 - the first fines for undocumented B2B outreach started arriving that year.
The legal framework has not changed - GDPR was not rewritten. What changed is enforcement practice. Regulators moved from writing rules to applying them. For EU B2B SaaS companies this means: outreach is still possible, but now you need to be able to prove it.
Below is what is actually legal, how countries differ, and how to run a compliant outbound motion without losing effectiveness.
Legal Basis: Legitimate Interest vs Consent
GDPR does not prohibit cold B2B email. Article 6(1)(f) allows personal data to be processed on the basis of legitimate interest, and Recital 47 names direct marketing as an interest that may qualify. Whether it qualifies in your case depends on a three-part test.
The legitimate interest test has three parts:
First - purpose test: you have a real, specific legitimate interest. For B2B outreach this sounds like “promoting a product to prospective clients in a relevant segment.” The formulation must be specific, not generic.
Second - necessity test: processing the data is necessary to achieve that purpose, and there is no less intrusive way to do so. For cold email this is usually satisfied - you cannot contact a specific person without their name and a work address. Where the test bites is scope: enrichment data you collect but do not need for the message (personal phone numbers, home location, private social accounts) fails it.
Third - balancing test: the data subject's interests and fundamental rights do not override yours. What matters here: how intrusive the data is (a work email address, job title and employer are low-risk), whether the contact is reasonably expected (a professional pitch relevant to the person's role - yes; a pitch unrelated to it - no), and whether there is a clear, working opt-out. Article 21(2) gives the recipient an unconditional right to object to direct marketing, so an opt-out that is actually honoured is part of the balance, not an extra.
Consent for B2B outreach is practically a dead option. Requiring prior consent before a cold message contradicts the entire logic of outbound. Legitimate interest is the only workable legal basis.
Important: GDPR governs the processing of personal data. A generic corporate address like info@company.com does not identify an individual and is not personal data on its own. Most work addresses, however, follow firstname@company.com or firstname.lastname@company.com, identify a specific person and fall under GDPR. And the national e-marketing rules below (PECR, UWG, CNIL's rules) apply to the message itself, not only to the personal data in it.
Country Differences: PECR, UWG, CNIL
On top of GDPR, each country has its own electronic communications legislation. This creates an additional layer of requirements.
UK - PECR (Privacy and Electronic Communications Regulations)
Post-Brexit the UK operates under UK GDPR plus PECR. PECR governs the sending of electronic marketing messages, not data processing as such. For B2B the distinction that matters is the type of subscriber: marketing email to a corporate subscriber (a company, LLP or Scottish partnership) needs no prior consent under PECR, although UK GDPR still applies to the named employee's address. Sole traders and unincorporated partnerships count as individual subscribers, so they need consent or the soft opt-in (details obtained in the course of a sale or negotiations, similar products or services, and an opportunity to refuse offered at collection and in every message).
The UK ICO clarified in 2025: a company employee’s work email may be used for B2B outreach under legitimate interest if the contact is relevant to the recipient’s professional role.
Germany - UWG (Gesetz gegen den unlauteren Wettbewerb)
Germany is the strictest jurisdiction. UWG section 7(2) treats advertising by electronic mail without the recipient's prior express consent as an unreasonable nuisance, and this applies to B2B recipients as well. The exception in section 7(3) is narrow and has four cumulative conditions: the address was obtained from the customer in the course of selling them a product or service, the email advertises similar products or services, the customer has not objected, and they were told clearly at collection and in every message that they can object at any time. Cold outreach in Germany without that prior customer relationship carries high legal risk, and the risk is not only regulatory: UWG breaches are enforced through warning letters (Abmahnungen) and injunctions from competitors and consumer associations, on top of fines from the German data protection authorities, which coordinate through the DSK and have been actively fining since 2024.
Practical approach for Germany: first contact via LinkedIn (not email), obtain a soft confirmation of interest, and only then move to email correspondence.
France - CNIL
CNIL takes a middle position. Legitimate interest for B2B prospecting is recognised, provided the message concerns the recipient's professional role, but CNIL expects the data to come from a legitimate, traceable professional source - LinkedIn, an industry directory, a company's public website - and the person to be told where it came from, at the latest in the first message (GDPR Article 14 requires this whenever data is not collected from the person directly). Purchased lists with no transparent source are a red zone. Opt-out must be present in every message and processed immediately.
LinkedIn Outreach: Platform Rules and GDPR
LinkedIn outreach is legally simpler than cold email for one reason: the user placed their data in a professional public context, which creates a reasonable expectation of professional contact.
But there are constraints from two directions.
LinkedIn's rules: mass automated connection requests are prohibited by the Terms of Service. LinkedIn restricts or bans accounts that send more than 50-100 connection requests per week with signs of automation. InMail via Sales Navigator is the official compliant channel but expensive.
The GDPR angle: scraping LinkedIn to build outreach lists is a gray zone. LinkedIn prohibits it in its ToS. CNIL and the ICO have found specific scraping cases to violate GDPR. The safe position: use data only from people already in your network or those who found you via search.
For EU B2B SaaS mid-market, the effective combination is: LinkedIn for the first touch (warm connection request with a personal message) - email for follow-up after the request is accepted.
What Makes Outreach Compliant
Four practical requirements:
Documented Legitimate Interest Assessment (LIA). The ICO publishes a free LIA template. The document itself is not a statutory requirement, but the accountability principle (Article 5(2)) requires you to be able to demonstrate compliance, and in a complaint or investigation the LIA is that evidence. An LIA takes one to two hours per audience segment and records how you worked through the three-part test and what you concluded - it does not make the test pass.
Clear and functional opt-out. Every message must include an unsubscribe link or instruction. Article 21 requires an objection to direct marketing to be honoured without exception, after which the data may no longer be processed for marketing; treat 24-48 hours as the operational ceiling for processing one. The suppression list is maintained centrally and applied to every future campaign, on every channel and in every tool you use - an opt-out received by email reply must also stop the LinkedIn follow-up. This is not a recommendation - it is a legal requirement.
Relevance as a defence. The legitimate interest test is easier to pass when the offer is genuinely relevant to the recipient's role and company. Mass spam to a purchased list makes for a weak legitimate interest argument. A personalised message to a VP of Sales at a SaaS company of the right size about a sales tooling product makes for a strong one.
Transparent data source. Article 14 requires you to tell people whose data you obtained from a public or third-party source where it came from, at the latest in your first message, and you must be able to answer the question on request. "Found your LinkedIn profile" is fine. "Purchased a list" with no further provenance is a red zone.
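The opt-out, suppression-list and data-source requirements above are mechanical enough to put in code. What follows is an added example written for this article, not tooling from the article or from any vendor it names: a small Python suppression list that normalises addresses so case and whitespace variants match, records each opt-out with a timestamp and the channel it arrived on, flags opt-outs that have sat unapplied past a 48-hour target, blocks whole domains, and refuses to include any contact whose address has no documented, accepted source. The source labels, the 48-hour constant, the function names and the sample contacts are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Provenance labels treated as transparent sources (hypothetical names for the example)
ACCEPTED_SOURCES = {"linkedin_profile", "company_website", "industry_directory"}
OPT_OUT_SLA = timedelta(hours=48)  # the article's 24-48 hour processing target


def normalise_email(addr: str) -> str:
    """Canonical form so 'Anna.Meier@Example.COM ' and 'anna.meier@example.com' match."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not a usable email address: {addr!r}")
    return f"{local.lower()}@{domain.lower()}"


@dataclass
class Contact:
    email: str
    company: str
    source: str | None  # where the address came from; None means undocumented


@dataclass
class OptOut:
    email: str
    channel: str  # e.g. "unsubscribe_link", "reply", "linkedin_message"
    received_at: datetime
    applied_at: datetime | None = None


class SuppressionList:
    """Opt-outs plus whole-domain blocks, timestamped so they double as an audit trail."""
    def __init__(self) -> None:
        self._opt_outs: dict[str, OptOut] = {}
        self._domains: set[str] = set()

    def record_opt_out(self, addr: str, channel: str, received_at: datetime) -> OptOut:
        email = normalise_email(addr)
        # setdefault keeps the earliest request: a repeat must never reset the clock
        return self._opt_outs.setdefault(email, OptOut(email, channel, received_at))

    def suppress_domain(self, domain: str) -> None:
        self._domains.add(domain.strip().lower())

    def overdue(self, now: datetime) -> list[OptOut]:
        """Opt-outs still unapplied after the SLA; a non-empty result should block the send."""
        return [o for o in self._opt_outs.values()
                if o.applied_at is None and now - o.received_at > OPT_OUT_SLA]

    def apply_pending(self, now: datetime) -> int:
        """Stamp every pending opt-out as applied; returns how many there were."""
        pending = [o for o in self._opt_outs.values() if o.applied_at is None]
        for o in pending:
            o.applied_at = now
        return len(pending)

    def is_suppressed(self, addr: str) -> bool:
        email = normalise_email(addr)
        return email in self._opt_outs or email.rpartition("@")[2] in self._domains


def filter_campaign(contacts: list[Contact], suppression: SuppressionList):
    """Split a send list into (sendable, excluded); excluded carries (email, reason)."""
    sendable, excluded = [], []
    for c in contacts:
        try:
            email = normalise_email(c.email)
        except ValueError:
            excluded.append((c.email, "malformed_address"))
            continue
        if suppression.is_suppressed(email):
            excluded.append((email, "suppressed"))  # individual opt-out or blocked domain
        elif c.source is None:
            excluded.append((email, "no_documented_source"))
        elif c.source not in ACCEPTED_SOURCES:
            excluded.append((email, f"source_not_accepted:{c.source}"))
        else:
            sendable.append(Contact(email, c.company, c.source))
    return sendable, excluded


def run_sample():
    """Constructed sample data; returns (sendable, excluded, overdue) for inspection."""
    now = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)
    sup = SuppressionList()
    sup.record_opt_out("Jonas.Weber@beispiel.de", "unsubscribe_link", now - timedelta(days=3))
    sup.record_opt_out("claire.dupont@exemple.fr", "reply", now - timedelta(hours=1))
    sup.suppress_domain("nomail-gmbh.de")  # the company asked to be excluded entirely
    overdue = sup.overdue(now)  # check before sending, not after
    contacts = [
        Contact("Anna.Meier@Example.COM", "Example Ltd", "linkedin_profile"),
        Contact("jonas.weber@beispiel.de", "Beispiel GmbH", "company_website"),
        Contact("max@nomail-gmbh.de", "Nomail GmbH", "linkedin_profile"),
        Contact("lee@acme.example", "Acme", None),
        Contact("sam@acme.example", "Acme", "purchased_list"),
        Contact("not-an-address", "Broken Row Inc", "industry_directory"),
    ]
    sendable, excluded = filter_campaign(contacts, sup)
    sup.apply_pending(now)
    return sendable, excluded, overdue
```

run_sample() returns the split list and the overdue opt-outs. The design point is a single SuppressionList that every sending tool consults (email and LinkedIn alike) rather than a per-tool blacklist, and an overdue() check that runs before a campaign rather than a report that runs after it; a practitioner would also persist the OptOut records, since their timestamps and channels are exactly what an investigator asks for.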
Personalisation Without Violations
GDPR does not prohibit personalisation. It regulates the processing of personal data, and personalisation is processing - so the question is which data you use and where it came from.
Data from public professional sources can be used under the same legitimate-interest basis as the contact itself: job title, company, industry, location, public posts. This is all information the person placed in a professional context themselves.
What cannot be used: third-party data without a lawful basis, special categories of data (health, political views, trade union membership), and data collected covertly - tracking, or scraping of profiles the person did not make public.
Strong personalisation in EU B2B: reference a specific industry pain, a relevant case study, a public trigger (the company raised a round, launched a new product, grew to the right size). This is simultaneously the best personalisation and the strongest confirmation of legitimate interest.
Tools for EU-Compliant Outreach
Apollo.io - in 2024-2025 updated its compliance features for the EU: GDPR-oriented data sourcing, suppression list management, opt-out tracking. The vendor states that its data is verified from public sources.
Lemlist - a French tool built with a GDPR mindset from the start. Built-in opt-out mechanics, blacklist management, EU-hosted data as an option.
LinkedIn Sales Navigator - the official compliant channel for LinkedIn outreach. Expensive (from 100 EUR/month per user) but legally clean.
Clay - an enrichment platform that aggregates from multiple sources. Requires verifying the GDPR compliance of each data provider. Flexible but requires effort.
Tools offering “verified EU emails” from opaque sources are a red zone. Data provenance must be verifiable.
EU B2B Outbound Benchmarks
Cold email benchmarks for EU B2B in 2025-2026:
- Open rate: 35-50% with strong personalisation and verified addresses
- Reply rate: 3-8% for cold, 8-15% for warm (post-LinkedIn)
- Positive reply rate: 1-3% of total sent
- Opt-out rate: under 1% with correct segmentation is a positive signal
LinkedIn connection acceptance rate for personalised requests in EU mid-market: 25-40%. For templated requests: 10-15% with risk of account restriction.
For EU B2B SaaS with ACV 20K+, realistic expectations: 500 personalised contacts per month yield 10-20 positive replies and 3-7 qualified conversations. Scaling through quality rather than volume is the core principle in the EU context.
Takeaway
- GDPR does not prohibit B2B cold email - legitimate interest works when the three-part test is satisfied
- Germany is a separate case: without a prior relationship, promotional email carries high legal risk
- A documented LIA is not a formality - it is the only defence in an investigation
- LinkedIn is legally cleaner as a first contact, but mass automation violates the platform’s ToS
- Personalisation from public professional sources is both compliant and more effective
- Opt-out mechanics and a suppression list are mandatory technical requirements, not optional features