Compliance & technical · the EU question · deep dive

GDPR. It applies the moment you email a single person sitting in Europe.

GDPR — the General Data Protection Regulation — is the EU's data-protection law, effective May 2018, and the most consequential global regulation for B2B outbound sales since CAN-SPAM. It applies whenever your prospect is physically in the EU, regardless of where your company is based. Most US-based outbound teams misunderstand both its scope ("we're a US company, GDPR doesn't apply") and its mechanics ("we have legitimate interest, so we're fine"). Both intuitions are usually wrong. This essay covers the actual jurisdictional triggers, the six lawful bases for processing (and the one — legitimate interest — that B2B outbound depends on), the seven data-subject rights every outbound program must honor, the fine-tier structure (with the real-world enforcement record), and the operational checklist that keeps a US-based sales team out of European legal trouble.

Category: Compliance & deliverability · Read time: 13 min · Updated: 2026-05-24 · GDPR-1.0
TL;DR
GDPR applies whenever you process personal data of someone in the EU — including business email addresses of EU-resident professionals. The most common misconception is that B2B email "doesn't count"; it does, because names + work emails are personal data. The lawful basis B2B outbound relies on is "legitimate interest" — a contested framework that requires you to (1) show a genuine business reason for the outreach, (2) demonstrate the outreach is proportionate to that interest, and (3) confirm the recipient's rights/freedoms don't override it. Cold outreach to highly-relevant titles at companies showing real buying signals usually passes the test; spray-and-pray to anyone on a purchased list usually doesn't. Practically: maintain processing records, honor the seven data-subject rights (especially deletion and objection requests within 30 days), provide a one-click unsubscribe and a privacy notice on first contact, never email EU recipients from a purchased list, and document your "legitimate interest assessment" before launching any EU campaign. Fines are tiered up to €20M or 4% of global revenue, whichever is higher — the headline-grabbing fines have all been against major tech companies, but small B2B teams have been hit with €10K-200K penalties for relatively common outbound mistakes. The honest take: GDPR isn't a barrier to good outbound; it's a barrier to lazy outbound. Signal-anchored, well-targeted, individually-relevant outreach is mostly defensible. Mass purchased-list blasting to EU recipients is not.

01 · What GDPR actually is

GDPR is a European Union regulation, effective 25 May 2018, that governs how personal data may be collected, stored, processed, and shared. Personal data is defined broadly: any information that can identify a natural person, directly or indirectly. This explicitly includes business email addresses (because they typically contain a name and identify an individual), titles, company affiliations, and even IP addresses in many cases.

The regulation replaced the 1995 EU Data Protection Directive with three structural changes that matter for outbound sales:

1. Extraterritorial scope. Unlike the 1995 directive, GDPR applies to any organization processing personal data of EU residents, regardless of where the organization is based. A US-based SDR emailing a German CTO is processing the German CTO's personal data; GDPR applies to that processing. The 2024 Schrems II ruling further tightened the rules around US-EU data transfers, making the jurisdictional reach explicit.

2. Lawful basis required for every processing activity. Pre-GDPR, opt-out was the default standard for most B2B email in many EU member states. Post-GDPR, every processing activity needs one of six lawful bases (covered in §03), and "we're a legitimate business so it's fine" is not one of them. The basis must be documented before processing begins, not retrofitted after a complaint.

3. Genuine fines. Pre-GDPR penalties for data-protection violations in most EU member states topped out at €500K-1M. GDPR raised the cap to €20M or 4% of global revenue, whichever is higher. Multiple companies have been fined €100M+. The threat is real and the regulators have an enforcement record.

The reframe
GDPR is not a "cookie banner" law — it's a "you need a reason to have this data" law. Most US-based teams' first encounter with GDPR is through the visible cookie-banner aesthetic, which trivializes the actual requirements. The substantive rule is that every piece of personal data your organization processes must be tied to a documented lawful basis. If you can't explain (a) why you have this German CTO's email, (b) what business outcome that processing serves, and (c) why that interest outweighs the CTO's privacy expectations — you don't have a defensible processing activity, regardless of how good your cookie banner looks.

02 · When it applies to you

The "does GDPR apply to my outbound campaign" question reduces to four sequential checks. If any answer is "yes," GDPR is in play:

Decision flow: does GDPR apply?
Q1 · Is the recipient physically located in the EU/EEA when you send?
If yes → GDPR almost certainly applies. The recipient's location is the primary trigger, not your company's location, not the company's headquarters, not where the email server sits.
Q2 · Are you "offering goods or services" to people in the EU?
If yes → GDPR applies regardless of where you're sending from. Outbound sales by definition offers goods or services. If your product is available in the EU, GDPR's "offering" test is met.
Q3 · Are you monitoring the behavior of people in the EU?
If yes → GDPR applies. This catches things like website-visitor tracking, intent data, behavioral enrichment — all of which most modern outbound programs depend on for EU prospects.
Q4 · Are you established (have an office, employees) in the EU?
If yes → GDPR applies to all your processing, regardless of recipient location.

The trap most US-based teams fall into is assuming Q1 doesn't apply because their CRM doesn't track recipient location. The regulator doesn't care whether you tracked it; they care whether the recipient was actually there. A German VP traveling to San Francisco when you happen to email them is probably still covered (they're an EU resident); a US VP at a US company who happens to be vacationing in Paris when you email them might be covered (depends on circumstances).

The operational implication: if your TAM includes any meaningful EU exposure, treat GDPR as applying by default to your full outbound program. Trying to selectively apply different rules to different segments creates more risk than just running the whole program to GDPR standards. The good news is GDPR-compliant outbound is basically just good outbound — signal-anchored, well-targeted, individually relevant — so the operational lift is small for teams already running quality outbound.

03 · The six lawful bases

GDPR Article 6 lists six lawful bases for processing personal data. You need at least one for every processing activity. For B2B outbound, only three are practically relevant:

Basis 1 · Opt-in only
Consent
The recipient has actively agreed to the processing. Impractical for net-new outbound, because by definition you are contacting prospects who haven't opted in.
Basis 2 · The B2B workhorse
Legitimate interest
You have a genuine business interest in the processing, the processing is necessary to achieve that interest, and the recipient's rights don't override it. Requires a documented "legitimate interest assessment" (LIA) — usually a one-page record explaining the three prongs.
When it works: targeted B2B outreach to relevant titles at relevant companies, with clear opt-out. When it doesn't: spray-and-pray, irrelevant outreach, individuals (not businesses) targeted personally.
Basis 3 · Existing customers
Contract performance
Processing necessary to perform a contract with the data subject. Useful for existing customers — invoicing, account management, support communications. Generally not applicable to net-new prospect outreach.
When it works: CSM emails to current customers, expansion conversations with existing accounts. When it doesn't: first contact with a prospect.
Bases 4-6 · Rarely outbound-relevant
Legal obligation · Vital interests · Public interest
The remaining three bases — legal obligation, vital interests, public interest — rarely apply to outbound sales. Legal obligation covers things like tax record retention; vital interests covers life-or-death situations; public interest covers government-mandated processing.
Don't try to stretch these for outbound. If your basis isn't consent, legitimate interest, or contract, you don't have a basis.

For B2B outbound at scale, the dominant basis is legitimate interest — consent is impractical because you're contacting prospects who haven't opted in, and contract doesn't apply to net-new outreach. Legitimate interest is contested precisely because the test is judgment-based and subject to regulator interpretation; the next section covers what passes and what doesn't.

04 · Legitimate interest in operational depth

Article 6(1)(f) lays out the three-prong test. To rely on legitimate interest, you must show:

Prong 1: Purpose test. You have a legitimate interest that the processing serves. For B2B outbound: "we are seeking to identify and contact potential customers who may benefit from our product" is a recognized legitimate interest. Sales prospecting is explicitly named in GDPR Recital 47 as an example of a legitimate interest.

Prong 2: Necessity test. The processing is genuinely necessary to achieve the interest, and you can't reasonably achieve it through less intrusive means. For B2B outbound: you have to make a case that direct outreach is necessary (vs. inbound-only marketing, which is less intrusive). This is usually fine for B2B sales but requires articulation.

Prong 3: Balancing test. The data subject's rights and freedoms don't override your interest. This is the prong where most outbound campaigns fail. Considerations include: did the recipient reasonably expect to be contacted? Is the outreach relevant to their professional role? Is the volume proportionate? Did you make opt-out easy?

What the balancing test looks like in practice

Apply the test to two real cases:

Case A — Passes. A US-based SaaS data-warehouse vendor sends one personalized email to the VP of Data at a 500-person German fintech that just raised Series C funding. The email references the funding, references a specific operational challenge typical of post-Series-C data teams, and offers a 20-minute conversation. The VP's role makes them the obvious decision-maker; the company size and funding stage make them a plausible buyer; the message is individually relevant. Easy one-click unsubscribe; LIA documented; privacy notice linked. Defensible legitimate interest.

Case B — Fails. The same vendor sends a generic "want to learn about our data warehouse?" email to 5,000 EU recipients from a purchased list. Recipients include accountants, marketers, lawyers, and HR managers — not the obvious target persona. No personalization, no reference to the recipient's actual situation. The recipient could not reasonably have expected this outreach. The volume is disproportionate to the interest. Fails the balancing test; not defensible under legitimate interest.

The diagnostic question to internalize: could a regulator reading this campaign reasonably conclude that the recipient's rights were respected? If the answer involves "well, the volume was high but..." you've already lost the argument. Volume is itself evidence against the balancing test.

Watch for
"We have legitimate interest" as a verbal incantation. Many sales teams treat "we have legitimate interest" as a self-evident truth that excuses any outbound. The regulator doesn't see it that way. Legitimate interest is a specific legal test with three documented prongs, and a campaign that fails any of them fails the whole test. Documented Legitimate Interest Assessments (LIAs) — a one-page record per campaign type explaining how each prong is met — are the minimum operational artifact. If your team isn't producing LIAs, you're claiming legitimate interest without doing the work it requires.

05 · The seven data-subject rights

Every individual whose personal data you process has seven rights under GDPR. Your outbound program must be able to honor each within statutory time limits (usually 30 days). The rights:

R1 · Right to be informed
Recipients must know what data you have, where you got it, why you're processing it, and how to contact you about it. Usually satisfied via a privacy notice linked in every outbound email.
R2 · Right of access
Recipients can demand a copy of all personal data you hold about them, including its source. Must be provided within 30 days, free of charge for the first request.
R3 · Right to rectification
Recipients can require you to correct inaccurate personal data. Wrong title, wrong company, wrong email — they have the right to make you update or remove it.
R4 · Right to erasure ("right to be forgotten")
Recipients can demand you delete their data. The most-exercised right in B2B outbound; the suppression list this generates must be maintained indefinitely so the contact isn't re-added on a future import.
R5 · Right to restrict processing
Recipients can demand you pause processing (keep the data but stop using it) while a dispute is resolved. Less common but legally binding when invoked.
R6 · Right to data portability
Recipients can demand their data in a machine-readable format to transfer elsewhere. Rarely invoked for outbound contact data but legally required.
R7 · Right to object
Recipients can object to processing based on legitimate interest. For direct marketing (which includes most outbound), the objection is absolute — you must stop immediately. No balancing test, no negotiation.

Two practical implications. First, every request triggers a 30-day clock. Process them centrally with logged response times — regulators investigating complaints check response times first. Second, the right to erasure creates a permanent suppression obligation. The deleted contact must stay deleted forever, even if their email later appears on a new list, even if a different team re-imports them. The suppression list is the artifact every GDPR-compliant outbound program needs.

06 · The fine structure (and enforcement reality)

GDPR has two fine tiers, and a third unofficial category — the "real" exposure most B2B teams actually face:

GDPR penalty structure · stated + actual
Tier 1 · up to €10M / 2%
Up to €10M or 2% of global revenue, whichever is higher. Applies to procedural violations: lack of records, failure to perform impact assessments, inadequate security measures, lack of a data-protection officer when one is required.
Tier 2 · up to €20M / 4%
Up to €20M or 4% of global revenue, whichever is higher. Applies to substantive violations: processing without a lawful basis, ignoring data-subject rights, violating consent rules, unlawful international data transfers.
Actual · €10K - 200K
For B2B outbound: typical fines are €10K-200K for small/mid-size companies found in violation. The headline-grabbing €100M+ fines have all been against major consumer tech (Meta, Google, Amazon). B2B outbound enforcement tends to involve smaller fines plus cease-and-desist orders that force operational changes.

Two enforcement patterns to internalize:

Complaints drive enforcement. Regulators generally don't proactively scan for violations — they investigate when individuals file complaints. The path to a B2B outbound investigation usually runs: individual receives spammy cold email → individual files complaint with their national data-protection authority → DPA opens investigation → fines or cease-and-desist. The complaint-driven model means the worst-targeted, most-irritating outreach is what gets investigated. Quality outbound rarely triggers complaints.

Cross-border investigations are coordinated. The European Data Protection Board coordinates investigations across member states. A US-based company hit with a complaint in Germany may face a coordinated investigation that includes Austria, Belgium, and France if similar campaigns ran there. The geographic exposure compounds quickly.

The honest assessment: most B2B teams running well-targeted outbound at moderate volumes have low enforcement exposure. Most teams running purchased-list blasts at high volumes have high enforcement exposure. The gap between the two is mostly about quality of targeting, which is also the gap between effective and ineffective outbound. Compliance and effectiveness point the same direction.

07 · The operational checklist

What a GDPR-compliant B2B outbound program actually looks like, in concrete operational terms:

  1. Maintain a Record of Processing Activities (RoPA). A single document listing every processing activity (e.g., "outbound prospecting"), the lawful basis, the data categories, the data sources, the retention period, and any data sharing. Required under Article 30. Regulators ask for this first in any investigation.
  2. Conduct a Legitimate Interest Assessment per campaign type. One page documenting the three prongs (purpose, necessity, balancing). One LIA per campaign type, not per send. Re-review annually. The artifact that proves you actually did the legitimate-interest analysis.
  3. Provide a privacy notice in every outbound email. Either a link in the email body ("we got your contact data from [source]; you can opt out here; full privacy notice at [link]") or a clear footer. Article 14 requires this when data wasn't collected directly from the data subject — which is the entire premise of outbound.
  4. Implement one-click unsubscribe + 30-day deletion processing. Unsubscribe must work in one click (no form, no login). Deletion requests must be processed within 30 days of receipt. Both must be logged with timestamps so you can prove compliance if challenged.
  5. Maintain a permanent suppression list. Anyone who has opted out, exercised right to erasure, or filed a complaint must never appear in your outbound again — across all systems, forever. Re-imports from any source must be cross-checked against the suppression list.
  6. Sign Data Processing Agreements with every vendor that touches the data. Your enrichment provider, your sequencer, your CRM — each is a "processor" under GDPR and needs a signed DPA. Most reputable B2B vendors offer template DPAs; you have to actually sign them.
  7. Designate someone responsible for GDPR. Doesn't have to be a formal DPO unless you meet the scale thresholds, but someone needs to own the program — review LIAs, handle data-subject requests, audit suppression list integrity. This is operational ownership, not just legal-on-paper.
  8. Document everything. The single biggest predictor of regulatory outcomes isn't whether you got the compliance perfect — it's whether you can show you took it seriously. Documented LIAs, RoPAs, training records, vendor DPAs, and request response logs collectively demonstrate good-faith effort, which materially reduces fines even when violations are found.
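Items 4 and 5 describe two mechanisms that have to live above any single tool: a permanent suppression list that every import is cross-checked against, and a 30-day request clock that starts at receipt. The following is an added example of both, written here for illustration and not Mama's or any vendor's code; the class and function names are hypothetical and the sample contacts and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical helper, added here as an example; not Mama's code.
RESPONSE_WINDOW_DAYS = 30  # the statutory window the checklist cites
SUPPRESSION_REASONS = {"opt-out", "erasure", "complaint"}

def normalize_email(addr: str) -> str:
    """Canonical key so 'J.Doe@Example.DE ' and 'j.doe@example.de' match."""
    local, _, domain = addr.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"

@dataclass
class SuppressionList:
    """Lives above any single tool; every import is cross-checked against it."""
    entries: dict = field(default_factory=dict)  # key -> (reason, recorded_on)

    def add(self, addr: str, reason: str, recorded_on: date) -> None:
        if reason not in SUPPRESSION_REASONS:
            raise ValueError(f"unknown suppression reason: {reason}")
        # First entry wins: a later opt-out never replaces an earlier erasure.
        self.entries.setdefault(normalize_email(addr), (reason, recorded_on))

    def filter_import(self, contacts: list[dict]) -> tuple[list[dict], list[dict]]:
        """Split an incoming list into (allowed, blocked); blocked carries the reason."""
        allowed, blocked = [], []
        for c in contacts:
            hit = self.entries.get(normalize_email(c["email"]))
            if hit:
                blocked.append({**c, "reason": hit[0]})  # never reaches the sequencer
            else:
                allowed.append(c)
        return allowed, blocked

@dataclass
class DataSubjectRequest:
    """The 30-day clock starts at receipt, not at first review."""
    email: str
    kind: str  # access, erasure, objection, ...
    received_on: date

    @property
    def deadline(self) -> date:
        return self.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)

    def days_remaining(self, today: date) -> int:
        # Negative once the deadline has passed.
        return (self.deadline - today).days

def demo() -> dict:
    """Constructed sample contacts and dates (not real data); returns the checks."""
    sl = SuppressionList()
    sl.add("j.doe@example.de", "erasure", date(2026, 1, 1))
    incoming = [{"email": "J.Doe@Example.DE ", "title": "VP Data"},
                {"email": "a.schmidt@example.de", "title": "CTO"}]
    allowed, blocked = sl.filter_import(incoming)
    # Received 1 Jan, first read 15 Jan: 16 days remain, not 30.
    req = DataSubjectRequest("j.doe@example.de", "erasure", date(2026, 1, 1))
    return {
        "allowed": [c["email"] for c in allowed],
        "blocked": [(c["email"], c["reason"]) for c in blocked],
        "days_left_on_first_review": req.days_remaining(date(2026, 1, 15)),
    }
```

The blocked list, with its reason and timestamp, is the log you would keep to show an import was checked; the erased contact re-appearing in mixed case from a new source is the exact re-import case the checklist warns about.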

08 · Common mistakes

Mistake 1 · "We're a US company so GDPR doesn't apply."
Wrong. GDPR's extraterritorial scope means it applies based on the recipient's location, not the sender's. A US company emailing one German VP is processing EU personal data and is subject to GDPR for that processing. Most US-based outbound teams hit this misunderstanding first.
Mistake 2 · Treating "legitimate interest" as automatic.
Legitimate interest requires the three-prong test, documented in an LIA. A campaign that fails the balancing test (e.g., spray-and-pray) doesn't have legitimate interest, even though the sender's business is legitimate. The basis is about the specific processing, not the company.
Mistake 3 · Buying lists for EU outreach.
Purchased EU contact lists are nearly always GDPR violations because the original data collection didn't have a lawful basis for transfer to a new processor. Even "GDPR-compliant" list brokers usually can't actually demonstrate the chain of consent. Don't buy EU lists. Period.
Mistake 4 · Failing to respond to data-subject requests within 30 days.
The 30-day clock starts at receipt, not at first review. A request that sits in an unread inbox for two weeks gives you 16 days, not 30. Missed deadlines are themselves Article 12 violations and trigger automatic procedural fines.
Mistake 5 · Not maintaining a suppression list across systems.
A common failure pattern: a contact opts out from System A, then gets re-imported six months later from a new data source into System B, then receives outreach again. Each re-contact is a fresh violation. The suppression list must live above any single tool and be checked by every import process.
Mistake 6 · Ignoring DPAs with vendors.
Your enrichment provider, your email-sending tool, your CRM — all are "processors" of EU personal data on your behalf. Each needs a signed Data Processing Agreement. Operating without DPAs is itself a violation, separate from the underlying processing. Sign the DPAs every vendor offers; they're usually template documents that take 15 minutes.

GDPR rewards well-targeted, signal-anchored outbound.

The campaigns that pass the legitimate-interest balancing test are the same campaigns that get high reply rates: individually relevant to the recipient's actual situation, anchored on a real reason for outreach, proportionate in volume. Mama makes that standard easy to hit at scale — which is also what makes it the most defensible EU outbound architecture available.