GDPR-compliant prospecting
B2B prospecting that holds up under Article 6(1)(f).
GDPR allows cold B2B email under legitimate interest, but only if you can show the LIA, the source per contact, and the suppression that survives a re-import. The rules differ between NL, UK and DE. This guide walks through what each one actually requires and where most US-shaped prospecting stacks fail. Plain-language, written by operators, reviewed by counsel - not legal advice.
You probably came here because
- Your DPO asked which Article 6 basis you're sending under and you couldn't point at the LIA.
- A prospect replied with 'how did you get my details and on what basis?'
- Your current tool ships from the US and you can't trace a Schrems II answer through it.
- An AP, ICO or BfDI letter is the kind of risk your CFO has now started asking about.
If any of that lands, the rest of this page is for you.
Free trial, no card
Run ten of your real prospects through the EU stack first.
Ten prospect packages built end to end on the same compliance posture as the paid product - source per contact, suppression durable, no behavioural data, no contract. We ask for one short feedback call after.
Try for free
What GDPR actually requires
Five things that have to hold for B2B cold outreach to be lawful.
Plain-language summary, not a legal opinion. Read it as the floor, then have your DPO or counsel review your specific motion before you scale across borders.
Article 6(1)(f): legitimate interest, written down before you send.
Cold B2B email in the EU runs on legitimate interest under Article 6(1)(f) GDPR, not on consent. Recital 47 explicitly contemplates direct marketing as a possible legitimate interest. The catch is that the basis only holds if you can show your reasoning, weigh it against the prospect's interests, and document the trade-off. That document has a name: a Legitimate Interest Assessment (LIA). Three columns - purpose, necessity, balancing test. If you can't produce one when asked, you don't have the basis. You have a hope.
ePrivacy on top: NL Telecommunicatiewet 11.7, UK PECR Reg. 22, DE UWG §7.
GDPR is the floor, ePrivacy adds the ceiling. The Dutch Telecommunicatiewet Art. 11.7 permits unsolicited B2B email to a contact at a legal entity, provided you identify yourself and offer a working opt-out in every message. UK PECR Reg. 22 only covers individual subscribers, so cold email to a corporate Ltd or LLP address sits outside it (sole traders and most partnerships count as individual subscribers and do not sit outside it - check ICO guidance). Germany is the strict one: UWG §7(2) Nr. 3 generally requires prior consent for natural persons, including business addresses tied to one named individual. Same regulation, three different default postures.
Source provenance per contact, not per database.
If a prospect emails back asking where you got their details, 'a B2B database' is not an answer the AP or ICO will accept. Each record needs a traceable lineage: a public KVK or Companies House entry, a named directory, a registered data partner with their own Article 6 basis. 'Our enrichment vendor' only works if you actually have the verwerkersovereenkomst, the SCCs where transfers cross borders, and the Schrems II transfer impact assessment behind it. The audit trail has to live with the contact, not in a vendor portal you'll lose access to next renewal.
Suppression that survives a re-import.
Article 21 gives prospects an absolute right to object to direct marketing. The mechanic that enforces it is your suppression list, and it has to apply across senders, sequences, and the next quarterly database refresh. The classic failure: someone unsubscribes in March, the data provider re-syncs the row in June, and the same person lands in the next sequence in July with a fresh sender. From the AP's perspective that's the same violation as ignoring the original opt-out.
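The two mechanics above, provenance that travels with the contact and a suppression list that a provider re-sync cannot undo, are easier to reason about in code than in prose. The following is an added, self-contained model written for this guide; it is not Hooklyne's code, and the names, addresses and registry numbers in the sample rows are constructed placeholders. It keys the suppression list on a hash of the normalised address (so the list itself holds no address of a person who objected), makes the list global rather than per sender or per sequence, and refuses any re-imported row that arrives without a source and verification date.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date


def normalise_email(addr: str) -> str:
    """Trim and lower-case so 'Jan.Jansen@Example.NL ' and 'jan.jansen@example.nl' match."""
    return addr.strip().lower()


def suppression_key(addr: str) -> str:
    """SHA-256 of the normalised address: matches a re-synced row without storing the
    address of someone who objected (minimisation applied to the list itself)."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Contact:
    email: str
    role: str
    entity: str
    source: str        # registry citation or URL that supplied the row; stays with the record
    verified_on: date  # date the source was last checked


@dataclass
class SuppressionList:
    """Global list: one entry blocks every sender and every sequence, not only the
    sequence that received the objection."""
    entries: dict = field(default_factory=dict)  # key -> (date objected, channel)

    def add_objection(self, addr: str, when: date, channel: str) -> None:
        self.entries[suppression_key(addr)] = (when, channel)

    def lookup(self, addr: str):
        return self.entries.get(suppression_key(addr))


def import_rows(rows, suppression: SuppressionList):
    """Apply a provider sync. Returns (accepted contacts, rejection reasons).
    Rows without lineage are refused: the source must exist before the row does."""
    accepted, rejected = [], []
    for row in rows:
        email = row.get("email", "")
        if not row.get("source") or not row.get("verified_on"):
            rejected.append(f"{normalise_email(email)}: no source or verification date")
            continue
        hit = suppression.lookup(email)
        if hit is not None:
            when, channel = hit
            rejected.append(f"{normalise_email(email)}: suppressed since {when} ({channel})")
            continue
        accepted.append(Contact(
            email=normalise_email(email),
            role=row.get("role", ""),
            entity=row.get("entity", ""),
            source=row["source"],
            verified_on=row["verified_on"],
        ))
    return accepted, rejected


# Constructed sample data: hypothetical people, entities and placeholder registry numbers.
MARCH_SYNC = [
    {"email": "jan.jansen@example.nl", "role": "Head of Sales", "entity": "Example B.V.",
     "source": "KVK 00000000 (placeholder)", "verified_on": date(2024, 3, 1)},
    {"email": "sam.lee@example.co.uk", "role": "CTO", "entity": "Example Ltd",
     "source": "Companies House 00000000 (placeholder)", "verified_on": date(2024, 3, 1)},
]

# June: the provider re-sends the same person with different casing and a trailing
# space, plus a row that carries no lineage at all.
JUNE_SYNC = [
    {"email": "Jan.Jansen@Example.NL ", "role": "Head of Sales", "entity": "Example B.V.",
     "source": "KVK 00000000 (placeholder)", "verified_on": date(2024, 6, 1)},
    {"email": "sam.lee@example.co.uk", "role": "CTO", "entity": "Example Ltd",
     "source": "Companies House 00000000 (placeholder)", "verified_on": date(2024, 6, 1)},
    {"email": "noname@example.de", "role": "CEO", "entity": "Beispiel GmbH",
     "source": "", "verified_on": None},
]


def run_scenario():
    """March import, March objection, June re-sync; returns what each sync let through."""
    suppression = SuppressionList()
    march_ok, _ = import_rows(MARCH_SYNC, suppression)
    # Jan objects in March via the unsubscribe link in one sender's sequence.
    suppression.add_objection("jan.jansen@example.nl", date(2024, 3, 15), "unsubscribe link")
    june_ok, june_rejected = import_rows(JUNE_SYNC, suppression)
    return march_ok, june_ok, june_rejected


if __name__ == "__main__":
    march, june, rejected = run_scenario()
    print("March accepted:", [c.email for c in march])
    print("June accepted:", [c.email for c in june])
    for reason in rejected:
        print("June rejected:", reason)
```

The design point is where the check lives: suppression is evaluated at import, before a row can reach any sequence, so a new sender in July never sees the re-synced row. Storing the objection date and channel next to the hash gives you the Article 21 audit trail without keeping the objector's address.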
Data minimisation and the behavioural data trap.
Hold what you need to make a contact decision. Drop the rest. Browsing history scraped from logged-in sessions, lookalike audiences built off cookie graphs, and shadow profiles enriched from third-party trackers fail Article 5(1)(c) regardless of what a US-built tool claims. They also tend to drag a DPIA obligation behind them under Article 35, because behavioural profiling at scale is on the AP's published list. The simpler the data, the easier the basis.
Where to actually look
The primary sources, in case you want to read them yourself rather than trust a vendor blog post:
- GDPR Article 6(1)(f) and Recital 47 on legitimate interest as a basis for direct marketing.
- Autoriteit Persoonsgegevens guidance and the AP's published enforcement decisions (Clearview AI, OLVG, Booking.com).
- Telecommunicatiewet Art. 11.7 for the NL B2B email carve-out.
- ICO Direct Marketing Code and PECR Reg. 22 on the corporate-subscriber distinction.
- UWG §7 and BGH case law on B2B unsolicited email in Germany.
- EDPB Recommendations 01/2020 on supplementary measures after Schrems II.
What most tools get wrong
Four failure modes a regulator would notice.
None of these are theoretical. Each has shown up in published AP, ICO or BfDI decisions in the last five years, and each is a reasonable thing for a buyer to be asked to defend.
Mass scraping of LinkedIn (and the 'we just enrich, you scrape' fig leaf).
Bulk scraping of LinkedIn profiles to build B2B lists is not legitimate interest by default and is not blessed by the AVG. LinkedIn's User Agreement explicitly prohibits it (this is the hiQ Labs line of cases) and the AP has consistently treated unconsented scraping of profiles - including the Clearview AI decision - as unlawful processing. Tools that hand you the contacts and let you push the export button are putting the controller exposure on you. You're the one named in the complaint.
Behavioural data captured from cookies and pixels you never disclosed.
Some US-shaped enrichment tools quietly stitch in browsing data harvested via partner cookie networks, retargeting pixels, or 'identity graphs' nobody on the prospect's side ever consented to. That's a Recital 47 problem (the prospect would not 'reasonably expect' the processing) and an Article 35 DPIA problem. If a tool can offer you signals like 'visited your competitor's pricing page', stop and ask where the cookie was set. The answer rarely survives a regulator's curiosity.
Single-source databases with no documented lineage.
If a vendor cannot tell you which source supplied a given contact, when it was last verified, and on what basis the source itself collected it, that vendor cannot tell a regulator either. The chain of basis runs from the original collection forward - it does not start when you bought the export. 'Our proprietary database' is a marketing line, not a lawful basis. AP enforcement on the OLVG and Booking.com matters both turned on documentation, not intent.
International transfers a Schrems II review would catch.
If the tool processes EU personal data on US infrastructure, you are the controller of an international transfer. Standard Contractual Clauses are necessary, not sufficient. Schrems II requires a transfer impact assessment plus supplementary measures where US surveillance law (FISA 702, EO 12333) creates real risk. The Data Privacy Framework helps for certified recipients, but you need to verify the certification status per processor, not assume it. 'Hosted in the EU region' on a US-controlled platform does not solve the transfer problem.
When this approach works (and when it doesn't)
Cold B2B email under legitimate interest is a defensible motion, with limits.
Works when
- You're sending to a clear professional role at an identifiable legal entity, on a business address.
- Your message is materially relevant to that role and the value proposition is verifiable in plain language.
- You can produce the LIA, the source per contact, and the suppression record on demand.
- Your motion stays inside NL, UK (corporate subscribers), or other ePrivacy-friendly jurisdictions.
Doesn't work when
- You're sending into Germany without prior consent (UWG §7(2) Nr. 3 makes B2B cold mail to natural persons a problem).
- Your contacts are sole traders, freelancers, or partnerships - the ICO and AP both treat those as individual subscribers.
- You're enriching with behavioural data, intent signals from cookies, or scraped LinkedIn activity.
- Your motion is consumer-adjacent (small B2C2B) where the recipient is acting as a private individual.
Honest steelman
Hooklyne isn't the right fit if your compliance posture is already mature and your bottleneck is contact volume rather than basis defensibility. If you have a DPO who has signed off on a Cognism contract, run a Lusha extension on your reps' machines, and a custom suppression layer in your CDP, you've already paid for what we offer at the data layer. Cognism is the more complete European contact-data play at scale. We earn our keep when the team is small, the legal exposure is asymmetric, and you'd rather have ten defensible prospects than ten thousand brittle ones.
How Hooklyne is built for this
Compliance posture, not a compliance package.
Built and hosted in the Netherlands, on EU infrastructure, with a Dutch entity as the controller of record and a verwerkersovereenkomst available before you sign anything. We do not scrape LinkedIn, we do not retarget cookies, and we do not ingest behavioural data from logged-in sessions. Every contact comes from a public registry like KVK or Companies House, a sector directory, or a registered data partner operating under its own Article 6 basis - and the source travels with the record, not in a vendor portal.
Three documents you should be able to produce in an audit live with the contact, not in a separate compliance vault: source URL or registry citation, date last verified, and the LIA template that covers the campaign motion. Suppression is durable across senders, sequences, and quarterly refreshes - if a prospect opts out in March, the row stays suppressed when the underlying provider re-syncs in June. The AP's enforcement record on Booking.com and OLVG turned on whether documentation was producible on demand. Ours is.
Where transfers do touch third countries, the SCCs are the 2021 module, the TIA is on file, and the Schrems II supplementary measures are listed by processor. The simpler answer for most NL and UK senders is to never have the data leave the EU at all, which is the default posture here. If you're choosing between a US-shaped tool with a DPF certificate and an EU-built one with no transfer at all, the second is strictly less paperwork.
Simple pricing.
Simple credit system. Every action priced transparently. Switch plans or cancel anytime.
Start
Solo rep. Test and validate your outbound. Self-serve.
Growth
1-2 reps. Full pipeline. Setup call included.
Scale
Small sales team. Volume outbound. Up to 5 reps.
FAQ
GDPR prospecting questions, answered.
Is B2B cold email actually legal in the Netherlands, the UK and Germany?
Three different answers under the same GDPR. NL: yes, under the Telecommunicatiewet Art. 11.7, to a legal entity at a business address with identification and a working opt-out. UK: yes to a corporate subscriber under PECR Reg. 22 (limited companies, LLPs, government bodies); no to most sole traders and partnerships, which the ICO treats as individual subscribers. DE: generally no without prior consent under UWG §7(2) Nr. 3, even for B2B - the BGH has consistently treated unsolicited business email as anti-competitive. Your sending posture should match the recipient's jurisdiction, not your own.
What's a Legitimate Interest Assessment and do I really need one?
An LIA is the document that records why your direct marketing is a legitimate interest under Article 6(1)(f), why processing is necessary to achieve it, and why the prospect's rights and freedoms do not override it. Three columns, one page is enough. You need it because Article 5(2) GDPR makes you accountable for the basis you claim, and 'we discussed it informally' is not accountability. Run one per campaign type, store it with your processing register, and revisit it when the campaign motion changes.
What's the difference between AVG and GDPR?
AVG is GDPR. The Algemene Verordening Gegevensbescherming is the Dutch name for the Regulation. The Netherlands also has a national implementation act, the UAVG, which fills in the open clauses (criminal data, BSN, age of consent for children). The substantive obligations on a Dutch B2B sender are the same whether you call them AVG or GDPR.
What records do I have to keep, in practice?
At minimum: the source of each contact and the date added, the date and basis of last verification, every message that went out, every objection or unsubscribe received, your LIA per campaign type, your verwerkersovereenkomst with each processor, and your transfer impact documentation where data crosses to the US or other third countries. This is the Article 30 record of processing in practical form. Most enforcement actions turn on whether you can produce these in days, not whether the underlying processing was sympathetic.
Does GDPR require a DPIA for prospecting?
Not by default for plain B2B email to identified roles at identified companies. A DPIA under Article 35 is triggered when processing is 'likely to result in a high risk' - typically large-scale behavioural profiling, automated decision-making with legal effects, or sensitive data. If your motion stays at 'business contact, business message, business opt-out' the LIA is enough. If your tool ingests browsing data, builds intent scores from cookies, or processes data on a scale the AP has flagged, run the DPIA. The AP publishes the list.
How do international transfers affect a US-built prospecting tool?
Heavily. Schrems II struck down Privacy Shield and required Transfer Impact Assessments when EU personal data lands on US infrastructure within reach of FISA 702. SCCs are still required as the contractual basis. The Data Privacy Framework re-opens a route for DPF-certified US recipients, but you have to check the certification per processor and accept that the framework is under active legal challenge. EU-built and EU-hosted is the simpler posture - fewer documents, smaller surface area, cleaner answer when a prospect or regulator asks.
What if a prospect asks where you got their details?
You answer with a specific source and date, not a vendor brand. With Hooklyne, every contact in a prospect package ships with the source URL or registry citation that supplied it - a public KVK page, a Companies House entry, a registered data partner under their own basis. You can paste the answer back to the prospect in under a minute and it satisfies the right to information under Articles 13 and 14.
Is this legal advice?
No. This is plain-language operator guidance based on how the AVG, GDPR, ePrivacy, and the AP's published enforcement record work in practice. Before you scale a sending motion - especially across NL, UK and DE - get a DPO or specialist counsel to review your LIA, your processor agreements, and your transfer documentation. The cost of that review is small compared to a single Article 83 fine.
What if Hooklyne doesn't work for you?
If your motion is NL or UK B2B with a small team, the trial answers in two weeks - ten prospects, full provenance, your real ICP. If the replies aren't there, you keep the data, the LIA template and the source citations, and you walk. If your motion is a Germany-heavy outbound machine with consented funnels already in place, an EU-built guide-and-package tool is probably not what closes the gap; a German-specialist consented data partner is. We'd rather say that up front than sell you a seat.
This page is a plain-language guide and not legal advice. National rules add layers and your specific motion should be reviewed by a DPO or specialist counsel before you scale across borders.