
GDPR Cold Email Marketing Guide

GDPR came into force on May 25, 2018. Ironically, it demands that privacy policies and terms and conditions be written in simple language anyone can understand, while the regulation itself seems difficult to interpret for people around the world.

One frequently asked question is how email communication is regulated under GDPR.

It is in light of these doubts that we are sharing this overview of GDPR and why it is important, especially when it comes to sending emails.

Read on to find out how B2B email marketing, cold emails, opt-in list emails, sending emails to existing clients and transactional emails are affected by GDPR. In the summary of this post, you will also find a link to download our Checklist for GDPR Compliant Emails. 


What is GDPR?

GDPR, which stands for General Data Protection Regulation, is a legal regulation introduced by The Council of the European Union and The European Parliament to protect personal data of EU citizens.

This is precisely why GDPR was created - data protection. Whenever you are feeling it is unfair, remember that.

Why was GDPR created?

GDPR is about protecting the personal data of EU citizens and ensuring that their information is secure; it is not about digital marketing or outbound sales.

Naturally, since both digital marketing and outbound sales involve processing personal data, GDPR will make some operations more complicated, although it will also benefit your business in some ways.

Which countries does GDPR cover?

General Data Protection Regulation covers countries of the European Union and its citizens’ data, wherever in the world it might be processed.

Which organisations does GDPR apply to?

GDPR applies to any organization or entity which processes data of EU citizens, regardless of where in the world that data is actually processed.

If EU citizens are your:

  • existing customers

  • email subscribers

  • or cold email targets

then you must be GDPR compliant, even if your company is not located in the EU.

What is personal data in terms of GDPR?

According to the GDPR definition, “personal data” is any information that can be used to identify one specific person, i.e. any piece of personally identifiable information (PII).

GDPR Personal Data List
Source via Lawinfographic

But is an email address PII?

The answer is yes: email addresses are personal data for the most part. However, there are a few instances in which an email address does not point to an individual person.

Check out the following personal data examples from the GDPR email policy:

  • A named person’s work email address at a company does count as personal data. It is the email address of a specific person within the company; the corporate address points at an individual at a business.

  • A person’s private email address does count as personal data. It is the email address of one specific person.

  • A generic business mailbox (an info@ or sales@ style address, for example) does not count as personal data. It helps you identify the company, but not one specific person.
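The distinction above is easy to state but tedious to apply by hand to a prospect list. The following is an added example (not code from the original post or from Market Republic) of a small heuristic classifier that splits a list into addresses that point at a person, and therefore carry GDPR obligations, and generic role mailboxes that do not. The set of role-mailbox names, the regular expressions and the sample addresses are all assumptions constructed for the example; extend the role list for your own data.

```python
import re

# Role-based (generic) mailbox names that identify a function, not a person.
# This set is an assumption for the example, not a list from the GDPR text.
ROLE_LOCAL_PARTS = {
    "info", "sales", "support", "contact", "admin", "office", "hello",
    "billing", "marketing", "hr", "jobs", "noreply", "no-reply", "webmaster",
}

# Minimal syntactic check: one '@', a non-empty local part, a dotted domain.
_ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_address(address: str) -> dict:
    """Classify an email address for GDPR purposes.

    Returns a dict with keys:
      address  - normalised address (lower-cased, whitespace stripped)
      kind     - "individual", "generic" or "invalid"
      personal - True when the address points at one specific person and
                 therefore counts as personal data under GDPR
      reason   - short human-readable justification for the decision
    """
    addr = address.strip().lower()
    if not _ADDRESS_RE.match(addr):
        return {"address": addr, "kind": "invalid", "personal": False,
                "reason": "not a syntactically valid email address"}
    local, _, domain = addr.partition("@")
    # Drop a plus-tag (jane+news@example.com) before inspecting the name part.
    base = local.split("+", 1)[0]
    if base in ROLE_LOCAL_PARTS:
        return {"address": addr, "kind": "generic", "personal": False,
                "reason": f"role mailbox '{base}@' identifies {domain}, not a person"}
    # A dotted or hyphenated local part (jane.doe) strongly suggests a name;
    # anything else that is not a known role mailbox is still treated as an
    # individual's address, which is the safe default under GDPR.
    if re.fullmatch(r"[a-z]+[._-][a-z]+", base):
        reason = "local part looks like a person's name"
    else:
        reason = "non-role local part; treated as an individual's address"
    return {"address": addr, "kind": "individual", "personal": True, "reason": reason}


def pii_report(addresses) -> dict:
    """Split a contact list into personal, generic and invalid entries."""
    buckets = {"personal": [], "generic": [], "invalid": []}
    for a in addresses:
        c = classify_address(a)
        key = {"individual": "personal", "generic": "generic", "invalid": "invalid"}[c["kind"]]
        buckets[key].append(c)
    return buckets


# Constructed sample list for demonstration; these are not real contacts.
SAMPLE_LIST = [
    "Jane.Doe@Example.com",    # named individual at a company -> personal data
    "jdoe@example.com",        # individual, no dotted name -> still personal data
    "info@example.com",        # generic company mailbox -> not personal data
    "sales+q3@example.com",    # role mailbox with a plus-tag -> not personal data
    "not-an-address",          # malformed entry, should be cleaned from the list
]

if __name__ == "__main__":
    for kind, rows in pii_report(SAMPLE_LIST).items():
        for row in rows:
            print(f"{kind:8s} {row['address']:24s} {row['reason']}")
```

Treat the output as a first pass only: a non-role local part such as a nickname still belongs to a person, which is why the classifier defaults to "individual" whenever it is unsure.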

Where can data be stored under GDPR?

GDPR does not prescribe where you store data, but whichever option you choose (in-house, in the cloud or hybrid) must be easily accessible and manageable, with privacy and protection built in from the start.

Moreover, you will have to understand your own infrastructure and data architecture, and that of any third-party services you use. Any customer relationship management (CRM) storage that you use must be GDPR compliant.

What does GDPR mean for companies?

A company should appoint either a Data Protection Officer or a Data Protection Specialist, depending on the level of sensitive data processing you conduct.

You don’t actually have to hire a new person; you can pick someone from your team.

  • If your company does not process sensitive data, it is enough to appoint a Data Protection Specialist to make sure that the company’s policies on processing data are updated, clear and applicable.

  • If there are high risks (to rights and freedoms of EU citizens) during personal data processing at your company, you have to appoint a Data Protection Officer.

Moreover, your privacy policy and terms and conditions have to be written in simple language that anyone can understand. If your average Joe cannot understand your documents, then they are not GDPR compliant.

The Privacy Policy documents also have to include the following information:

  • What type of personal data does your company process?

  • How is that data processed?

  • Which third-party services do you use in your data processing?

  • How can the data owners edit their data?

  • How can the data owners delete all their data from your database?

  • How can the data owners report a breach of GDPR to you?

A good idea to avoid GDPR fines (up to €20 million, or 4% of last year’s revenue, whichever is higher) would be to assess risks for your company.

For starters, identify whether you are a data controller or a data processor.

Who is a data controller?

A data controller has the most responsibility when it comes to complying with GDPR. This entity controls the data and the ways in which it is used.

Even when the controller does not process the data itself but uses a third-party service, it remains in control of the data, since it has specified the ways in which the data will be used, and it therefore remains the responsible party.

Who is a data processor?

A data processor is the third party in question. The data is not theirs, and they do not control it. They merely follow the instructions for data processing given to them by the data controller.

Market Republic is actually a data processor. That means that we work according to our clients’ instructions. Whether it is account and contact data list building or SDR outsourcing, our services are GDPR compliant.

How will GDPR affect email prospecting and marketing?

Let’s say this once again - GDPR is not here to kill email marketing. Email marketing and sales emails under GDPR will actually benefit your conversion rates as well as your database maintenance.

However, as a side effect of data protection efforts, the ways in which companies go about emailing will become more regulated.

Targeting and accuracy of email lists will have to reach a whole other level, and you will have to find out exactly when consent is required (this can differ from country to country, but more on this later in the article).

Follow these GDPR principles to avoid fines

GDPR outlines six principles that organizations must comply with when dealing with personal data:

  1. Lawfulness, fairness and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality

Lawfulness, fairness and transparency

According to the first principle, organizations have to regulate their data collection processes to avoid breaking the law. They have to make sure that their data subjects know exactly what kind of data they collect as well as the reason for collecting it.

Purpose limitation

Personal data should only be collected for specific purposes which are clearly explained, and should not be kept for longer than necessary for that purpose to be completed.

Data minimisation

Only the personal data needed for a specific purpose is to be processed. If sending cold emails is the purpose for data collecting, then there is no need for you to collect a prospect’s phone number.

Accuracy

Inaccurate or incomplete data has to be edited, updated or erased. Data owners have the right to request that their data is edited or erased, and the request must be honoured within 30 days.

Storage limitation

Personal data collected must be deleted when it is no longer needed. It is argued that companies should keep the data for as long as the data owner is considered a customer. However, this time period differs from country to country so we recommend that you consult your lawyer.

Integrity and confidentiality

GDPR holds that security measures must be taken to ensure that personal data is protected against unauthorised or unlawful processing, destruction or damage. The organization is also required to keep documentation that proves these measures are in place.

Now that we have gone over these principles, let’s review emailing under GDPR and principles directly affecting these practices.

Can you cold email according to GDPR?

In short, the answer is yes, but not like before. While sending unsolicited emails is still allowed, your usual practice will have to be modified to be in compliance with the principles of GDPR.

Lawfulness, fairness and transparency - How you got their data

Whether you are building your contact list yourself or having someone build it for you, the manner in which you obtain this data has to be legal, fair and transparent.

What this actually means is that if someone asks you about where and how you obtained their personal data, you have to be able to clearly answer this question. Be clear and honest when you tell them how you did this - legally, fairly and transparently.

Data minimisation and purpose limitation - Have a legitimate interest

The age of “spraying and praying” is officially behind us.

Emailing a huge list of random contacts is intrusive and a violation of GDPR.

In addition, when you consider the fact that you will be emailing people who have never heard of your services or do not in the least need them, it is a waste of time and money.

You have to target someone who could actually benefit from what you are offering, someone who is logically a potential customer.

Forget about quantity and focus on quality instead.

Spend time researching and then customize cold emails. Sending a cold email to a person that you know needs your product, personalized to their needs, is time much better spent.

It actually heightens the chance of your prospect converting, an instance in which GDPR proves good for business.

However, remember that whether this is allowed depends on the Member State and is something that you should look into.

  • Even if the offer is relevant for the owner of the business address, Germany, Austria, Spain and Italy still demand that you get consent first. It is therefore suggested that your initial email asks for consent before you begin marketing or sales activities. Another option would be to call the company’s phone number and get consent that way.

  • On the other hand, in the United Kingdom, France, Finland, Ireland and Sweden, sending such emails is perfectly okay.

If you have properly researched and targeted, your prospect should not be surprised to receive an email from you. You would not be surprised to see a tutoring ad at your University, would you?

As soon as they read the cold email, they should be able to make a logical connection between what you do and what they do under what is known as legitimate interest, a lawful reason for data processing.

Data sourcing under legitimate interest, which Market Republic does, is one of the best ways to collect data. The lists are up to date (data is 2-3 days old at most), the data is 98% accurate, and strict ICP and buyer persona profiles are defined according to legitimate interest.

Nonetheless, there are certain aspects that have to be included in your cold email:

  1. When emailing an individual at a business, you have to let them know that you are processing their data;

  2. You have to be able to clearly tell them why they are on your prospect list;

  3. You have to include instructions on how the recipient can edit their data, exercise the right to be forgotten and request deletion of their data.

GDPR Compliant Email Example
Source via Taskeater

As far as data minimisation goes, collect only the data you need. By collecting data that you have no plan for, you are only heightening the risks in case of a data breach and making your database more difficult to access and manage.

Therefore, if you do not plan on calling your prospect, their phone number is completely unnecessary. That is precisely what the principle of data minimisation entails.

And there is a bonus - not only will respecting this rule mean that you are GDPR compliant, but it will also make your database less cluttered.

Accuracy - Update, edit and clean your database regularly

Make sure that your obtained data is accurate and updated. Enable and clearly describe to your contacts the process of editing their data or having it removed altogether.

This is another service that Market Republic can provide: we can update or source your data according to your specific instructions.

As was already said, be sure to include a way for the recipient to edit or delete their data in your cold email.

There is no rule about how this should be formulated except that it should be clear and simple.

Storage limitations - Keep data no longer than you need it

This principle, newly introduced by the regulation, means that you shouldn’t process data for longer than the original purpose requires. However, GDPR does not specify the necessary time frame.

We suggest researching your industry to figure out how long without a reply shows that the recipient is not interested in your product. Their data should then be deleted.

What about opt-in lists? Is my email GDPR compliant?

Sending marketing emails to your opt-in lists is still allowed, as long as your list and emails are in compliance with the principles of GDPR.

Lawfulness, fairness and transparency - Tell people exactly what they sign up for

As far as opt-in lists go, you have to tell people exactly what they are signing up for.

If you tell them that it is so that you can email them the lead-magnet checklist, then do not send anything else. If you plan on emailing them again or forwarding their address to the sales department, they need to be told that when filling out the form. Send email newsletters as frequently as you first said you would. Be transparent.

And one more thing - if there are any checkboxes on the mailing list sign up form, they have to be unchecked by default. GDPR is all about active consent.

Double opt-ins are not in the official GDPR email rules, although they could be useful in documenting when, why and how consent was expressed.

Check out the infographic below for some GDPR email marketing consent form examples:

GDPR Compliant Email Marketing Consent Forms
Source via SendinBlue

Data minimisation and purpose limitation - Only collect the data that you need

This might be starting to sound repetitive, but collect only the data that you need.

Do not make an opt-in form with ten fields, six of which you do not even have a plan for. If it is an email subscription, it’s more than likely that you won’t need the person’s phone number. Finally, justify on the form what you need each piece of data for.

Accuracy - Update, edit and clean your email lists

Just like your prospect lists, your opt-in lists should be accurate and up to date.

Every email that you send out needs to have clear instructions that allow the data owner to edit or delete their data altogether.

Moreover, they need to have an option to opt out of the list. Note that the regulation does not specify the form this must take.

The “unsubscribe” button in every email has become the norm for this, but you can do it in any manner, as long as it is clear and simple.

Reminding the data owner of the way they first opted-in to this list should be included as well.

For example, take a look at Woodpecker’s GDPR compliant Mailchimp email footer which includes this information:

GDPR Compliant Email Footer Mailchimp

Storage limitation - Keep data until told otherwise

In contrast to cold emailing, since the person gave consent to what you were offering, it is okay to process their data until they withdraw said consent.

Can I still email existing customers?

Yes! Under a business agreement, you can process the client’s data for the agreement’s duration. The question posed here is how long after the expiration of the agreement the data owner is still considered a customer.

After the agreement expires, the exact time frame for data processing depends on the laws of the country your company is founded in. Definitely look into this depending on the location.

Can you send transactional emails?

Yes! Although it does fall under GDPR because invoices contain personal data, for the most part you will be able to legally keep such data.

  • For accounting obligations, as businesses are obligated to produce taxation reports and financial records, you are able to keep contact details and contact history.

  • As for B2C marketing, you would have to have them explicitly opt-in at the time of purchase with the checkbox unchecked by default.

  • When it comes to business to business marketing under GDPR, you can do this based on legitimate interest which has been discussed previously.

In both cases, the users have to have the option to withdraw consent.

In short - How to send GDPR compliant B2B cold emails

GDPR cold email requirements are as follows:

  1. The email should be targeted and relevant

  2. Justify legitimate interest

  3. Have easy opt-out options

  4. Clean your database at regular intervals

  5. Have justifications ready in case of complaints

1. The email should be targeted and relevant

Collect only the data you need. Moreover, you have to make sure to target the right people who would actually benefit from your service. They shouldn’t be surprised to receive an email from you. The collaboration between the two of you should seem like a logical possibility.

2. Justify legitimate interest

You have to be able to explain why you have a legitimate interest in the company you emailed, and include that explanation in your email. It is suggested that you check whether your service supports one of the company’s aims, whether you have a client history with similar companies, etc.

In your email include the following:

  1. Statement letting them know that you are processing their data

  2. Justification on why they are on your prospect list

  3. Instructions on opting-out or editing their data

3. Have easy opt-out options

There is no single prescribed form for this. It only needs to be easy and quick. Once someone opts out, you should immediately delete them from your database.

However, note that some countries demand opt-ins prior to sending cold emails. Moreover, under GDPR, opt-in boxes should be unchecked by default. You need active consent.

4. Clean your database at regular intervals

You shouldn’t keep personal data for longer than necessary. There is no established time period for deleting the data, but a common norm is to delete it after 30 days with no response.

5. Have justifications ready in case of complaints

Although your cold emails are probably targeted precisely, they are still cold emails and some people find them intrusive.

They might make complaints or ask questions. Under GDPR, you have to be able to explain to them why you have collected their data, how it has been processed, and where it is being stored.
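Points 3 to 5 above (and the storage-limitation and transparency sections earlier in the post) describe a small set of record-keeping rules: store where each contact came from and why they are on the list, delete immediately on opt-out, purge cold prospects who never replied within the retention window, keep consent-based subscribers until consent is withdrawn, and be able to answer “where did you get my data?”. The following is an added example (not code from the original post or from Market Republic) of a minimal prospect store that enforces those rules. The `Prospect` and `ProspectStore` names, the 30-day window as a default, the field layout and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Default "no response" window the post mentions as a common norm; adjust per
# industry and after checking the rules of the Member State you operate in.
COLD_EMAIL_RETENTION_DAYS = 30


@dataclass
class Prospect:
    email: str
    company: str
    lawful_basis: str            # "legitimate_interest" (cold email) or "consent" (opt-in)
    source: str                  # how the data was obtained, for transparency requests
    justification: str           # why this person is on the list
    first_contact: datetime
    last_reply: Optional[datetime] = None
    consent_record: Optional[dict] = None   # when/why/how consent was given (double opt-in evidence)


class ProspectStore:
    """In-memory prospect database that enforces the post's retention rules."""

    def __init__(self, retention_days: int = COLD_EMAIL_RETENTION_DAYS):
        self._rows: Dict[str, Prospect] = {}
        self._retention = timedelta(days=retention_days)

    def add(self, p: Prospect) -> None:
        # Consent-based records must carry evidence of the consent they rely on.
        if p.lawful_basis == "consent" and not p.consent_record:
            raise ValueError("consent-based records need a consent record")
        if p.lawful_basis not in ("consent", "legitimate_interest"):
            raise ValueError(f"unknown lawful basis: {p.lawful_basis}")
        self._rows[p.email.lower()] = p

    def record_reply(self, email: str, when: datetime) -> None:
        self._rows[email.lower()].last_reply = when

    def opt_out(self, email: str) -> bool:
        """Delete immediately on opt-out or consent withdrawal; True if a row was removed."""
        return self._rows.pop(email.lower(), None) is not None

    def purge(self, now: datetime) -> List[str]:
        """Storage limitation: drop cold prospects who never replied within the window.

        Consent-based records are kept until the subscriber withdraws consent.
        """
        expired = [
            email for email, p in self._rows.items()
            if p.lawful_basis == "legitimate_interest"
            and p.last_reply is None
            and now - p.first_contact > self._retention
        ]
        for email in expired:
            del self._rows[email]
        return sorted(expired)

    def answer_request(self, email: str) -> Optional[dict]:
        """Answer 'where did you get my data and why?' from the stored provenance."""
        p = self._rows.get(email.lower())
        if p is None:
            return None
        return {"source": p.source, "why": p.justification,
                "lawful_basis": p.lawful_basis, "held_since": p.first_contact.isoformat()}

    def __len__(self) -> int:
        return len(self._rows)


def build_sample_store(now: datetime) -> ProspectStore:
    """Constructed sample data (not real contacts) exercising each rule."""
    store = ProspectStore()
    li = "legitimate_interest"
    store.add(Prospect("cold1@example.com", "Example Ltd", li, "company website, sourced 45 days ago",
                       "runs an outbound sales team", now - timedelta(days=45)))
    store.add(Prospect("cold2@example.com", "Example Ltd", li, "company website, sourced 10 days ago",
                       "advertises for SDRs", now - timedelta(days=10)))
    store.add(Prospect("cold3@example.com", "Example Ltd", li, "conference attendee list",
                       "asked about list building", now - timedelta(days=45),
                       last_reply=now - timedelta(days=20)))
    store.add(Prospect("sub@example.com", "Example Ltd", "consent", "newsletter sign-up form",
                       "opted in to the newsletter", now - timedelta(days=400),
                       consent_record={"when": (now - timedelta(days=400)).isoformat(),
                                       "how": "double opt-in link", "for": "monthly newsletter"}))
    return store


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    store = build_sample_store(now)
    print("purged:", store.purge(now))          # cold1 never replied in 45 days
    print("opt-out:", store.opt_out("Sub@Example.com"))
    print("remaining:", len(store))
```

Run `purge()` on a schedule and `opt_out()` from whatever unsubscribe mechanism you offer; keeping `source` and `justification` on every row is what lets you answer a complaint or question with the facts rather than a guess.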

To make sure your email doesn't violate GDPR, download our free Checklist for GDPR Compliant Emails.


GDPR is not about ending email marketing strategies, it is here to regulate data protection and data processing by giving data owners indisputable rights of controlling their personal data. As a result, the established email marketing processes will have to be modified.

Data owners have to give you explicit consent, either by email or through opt-in forms; it must be active consent, which they can withdraw at any time.

Your organisation has to be clear when justifying the collection of certain data, and may only use said data for the original purpose. After the purpose has been achieved, the data is to be destroyed.

Sending emails to a random list of people is not allowed. Contact list building should be precisely targeted and accurate. This certainly pays off in the long run, although it is time consuming. But, hey, we can help!

To increase your sales by prospect list building or SDR outsourcing, Market Republic is your best option.


Do you want to hear about how we can significantly contribute to your sales growth? Contact us!

