Legitimate interest under GDPR
The legal basis B2B cold outreach runs on.
GDPR Article 6(1)(f) permits processing personal data when it is necessary for a legitimate interest pursued by the controller, provided that interest is not overridden by the fundamental rights and interests of the data subject. For B2B direct marketing, this is the correct basis - not consent. Recital 47 explicitly names direct marketing as a possible legitimate interest. The catch: the basis only holds if you can show a documented three-part assessment; assuming it applies is not enough. This guide explains what that assessment looks like, how to write one that holds up to an AP or ICO review, and when the basis fails.
You probably came here because
- Your DPO asked which Article 6 basis your cold outreach runs on and you said 'legitimate interest' but couldn't show the document.
- A prospect or regulator asked you to justify the processing and 'industry standard practice' wasn't a satisfying answer.
- You've seen tools claim legitimate interest applies automatically to B2B email and you want to know if that's actually true.
- You're preparing to scale outbound and want the legal architecture in place before the volume increases.
If any of that lands, the rest of this page is for you.
What Article 6(1)(f) actually requires
The legitimate interest basis: what it is and what it demands.
Legitimate interest is not a blanket exemption. It's a three-part test that has to be documented before the processing starts, not constructed after a complaint arrives.
Part one: identify a genuine legitimate interest.
The first part asks whether there is a real, lawful interest being pursued. For B2B direct marketing, the interests are commercial: finding new customers, informing professional buyers of relevant products and services. Recital 47 confirms that direct marketing is a recognised legitimate interest. What disqualifies a claim is that the interest doesn't actually exist, is pretextual, or is framed too vaguely to be tested. Write it down specifically: not 'marketing', but 'reaching heads of logistics at Dutch 3PL companies with 50-200 FTE to present our route optimisation software.'
Part two: necessity - is processing personal data actually required?
The second part asks whether processing this specific personal data is necessary to achieve the legitimate interest, or whether a less privacy-invasive route would work just as well. For B2B cold email to identified decision-makers at identifiable companies, the answer is yes - there is no practical alternative to contacting the right person at the right company. What fails the necessity test: bulk importing data you don't use, behavioural enrichment that adds no decision-making value, or retaining contact data well past the window of relevance.
Part three: the balancing test - do the prospect's interests override yours?
The third part is the most important and the most often skipped. You weigh your legitimate interest against the data subject's reasonable privacy expectation, any harm the processing might cause, and whether the processing would surprise them in a way that damages trust. For a named professional at a registered company, receiving a single relevant cold email about a product related to their role: the privacy intrusion is low, the processing is proportionate. What shifts the balance: personal addresses, irrelevant content, high volume, or behavioural data the prospect never knew existed.
The LIA: one page, three columns, written before you send.
The Legitimate Interest Assessment documents the three-part test. One page works for a standard B2B direct marketing campaign. Three columns: purpose, necessity, balancing test. Date it, store it with your Article 30 processing register, and revisit it when the campaign changes. Article 5(2) GDPR accountability requires you to be able to demonstrate the basis - 'we discussed it internally' is not a demonstration. The AP has made this clear in multiple enforcement contexts: the absence of a document is itself a violation of the accountability principle.
When the basis expires: objection, scope change, and stale data.
Legitimate interest as a basis for B2B direct marketing ends when a data subject objects under Article 21. The right to object to direct marketing under Article 21(2) is absolute - there is no override test. Processing for that purpose must stop immediately. The basis also becomes strained when the purpose changes, when the data is processed at a scale the original assessment didn't cover, or when the contact data is no longer fresh enough to be relevant.
Where to actually look
The primary sources, in case you want to read them yourself rather than trust a vendor blog post:
- GDPR Article 6(1)(f) and Recital 47 on legitimate interest and direct marketing.
- GDPR Article 21 and Recital 70 on the absolute right to object to direct marketing.
- GDPR Article 5(2) on the accountability principle.
- EDPB Guidelines 06/2014 on legitimate interests (WP29).
- Autoriteit Persoonsgegevens published guidance on gerechtvaardigd belang.
- ICO Legitimate Interests guidance and the three-part test.
Where the basis breaks down
Four ways legitimate interest fails in practice.
None of these are theoretical. Each has appeared in published AP or ICO enforcement decisions.
Claiming legitimate interest without a written LIA.
Article 5(2) GDPR makes the controller responsible for demonstrating that processing complies with GDPR - and demonstrating means producing a document, on demand, to a regulator or data subject. 'We believe we have a legitimate interest' is not accountability. The AP has made this clear in multiple enforcement decisions: the absence of documentation is itself a violation of the accountability principle, regardless of whether the underlying processing would have been lawful had it been documented.
Using one LIA to cover a different campaign motion.
An LIA is specific to a processing activity. The LIA that covers 'outreach to procurement managers at Dutch industrial BVs for a logistics software product' doesn't cover 'outreach to HR directors at German GmbHs for a recruitment tool.' Different purpose, different necessity argument, different balancing outcome, different jurisdictional ePrivacy layer. When your campaign motion changes - new sector, new geography, new product, new contact type - rewrite the LIA. Don't stretch it.
Not distinguishing B2B and B2C in the balancing test.
The balancing test turns significantly on whether the contact is acting in a professional or private capacity. A procurement manager at a logistics firm receiving a relevant supply chain message is in a very different position from a consumer receiving an unsolicited marketing email. If your list contains sole traders, freelancers, or contacts operating in a consumer context, the balancing test may not tip your way - and you need a separate LIA or a different basis for those contacts.
Treating Article 21 opt-outs as sequence unsubscribes.
Many senders handle Article 21 objections by removing the contact from the active sequence and logging a 'do not contact' note in the CRM. That satisfies the immediate requirement but misses the durability requirement. If the underlying data provider re-syncs the contact record in the next quarterly refresh and the CRM note doesn't survive that re-import, the contact can re-enter a future campaign. The Article 21 right attaches to the contact record, not to the sequence.
When this approach works (and when it doesn't)
Legitimate interest is a real basis - with specific conditions.
Works when
- You've written the LIA, stored it, and can produce it within hours of a request.
- The purpose is specific: a professional role, a relevant product, a proportionate outreach volume.
- The data is limited to what's needed: business contact, company profile, a relevance signal.
- Opt-out processing is immediate and durable across re-imports.
Doesn't work when
- You can't produce the LIA because it doesn't exist.
- The prospect has already objected under Article 21 and you continued.
- You're extending the basis to behavioural enrichment or cookie-based intent scoring.
- The processing purpose has changed significantly since the LIA was written.
Honest steelman
Legitimate interest is a real and defensible basis for B2B cold outreach - but only when the three-part test is documented and honest. The uncomfortable truth is that many teams claiming legitimate interest have never actually done the balancing test. For large-volume outbound to very broad audiences with minimal targeting, the balancing test becomes harder to win - the less relevant the message, the harder it is to argue the prospect's privacy interest doesn't override the sender's commercial one. Hooklyne is built for targeted, signal-led outreach at lower volume, which is where the legitimate interest basis is most clearly defensible.
How Hooklyne is built for this
The LIA is part of the package, not a separate exercise.
The LIA template included with every Hooklyne trial covers the three-part test for a standard B2B direct marketing campaign: purpose (reaching an identified professional buyer with a relevant commercial offer), necessity (direct email to the right contact is the proportionate method), balancing test (a named professional at a registered entity has a reduced privacy expectation in their professional capacity and would not be surprised by relevant B2B outreach). It's one page, dated, and designed to be reviewed by your DPO before you scale.
Contact selection reduces the balancing test risk. Hooklyne builds packages for identified decision-makers at registered companies with a signal that makes the outreach relevant now - a funding event, a hiring inflection, a regulatory deadline, an expansion announcement. The more relevant the signal, the stronger the legitimate interest, and the easier the balancing test. Sending a relevant message to the right person at the right time is the LIA argument almost running itself.
Opt-out processing is built into the workflow. Suppressions persist across senders and refreshes. Sources are citable per contact. Article 30 record fields are included in the package format. The compliance architecture is the product architecture - not a layer added before going to a regulator.
FAQ
Legitimate interest questions, answered.
What is a Legitimate Interest Assessment (LIA)?
An LIA documents your three-part test under GDPR Article 6(1)(f): (1) purpose - what legitimate interest you're pursuing and why it's real; (2) necessity - why processing personal data is needed to achieve it; (3) balancing test - why your interest outweighs the data subject's rights. It should exist before processing starts, be specific to the processing activity, and be stored with your Article 30 records. One page is enough for a standard B2B outreach motion.
Does Hooklyne provide an LIA template?
Yes. Every paid plan includes the LIA template covering standard NL and UK B2B outreach under Article 6(1)(f). It documents the three-part test for outreach to professional roles at legal entities using public-source data. It's a starting point for your DPO or counsel to review against your specific motion.
Can legitimate interest cover all B2B outreach in the EU?
No. Legitimate interest covers the GDPR data processing basis in most EU member states. The ePrivacy layer - which governs the act of sending - varies nationally. Germany requires consent under UWG §7(2) Nr. 3 for most B2B cold email to named individuals regardless of the GDPR basis. For corporate subscribers in NL and the UK, legitimate interest is the standard basis for B2B cold outreach.
What happens when a prospect invokes Article 21?
Processing for direct marketing must stop immediately - no exceptions. Stop means durable suppression: across all senders, all sequences, and all future data provider re-imports. Logging a 'do not contact' note in a sequence tool is not sufficient if that note doesn't survive a quarterly data refresh.
How specific does the LIA need to be?
Specific enough that a different processing activity would require a different document. An LIA for outreach to procurement directors at Dutch logistics BVs for a supply chain product doesn't extend to a different sector, geography, role type, or product. When your motion changes meaningfully, rewrite the LIA.
Can I rely on legitimate interest for a list I purchased?
If the list came from a compliant provider with their own Article 6 basis and you can trace the lineage per contact, legitimate interest is available for your use. If the provider can't show when and how each record was collected, the chain of basis is broken - and your LIA won't hold even if it's well-written.
Is this legal advice?
No. This is operator guidance based on GDPR text, EDPB guidance, and published enforcement decisions. Your specific LIA should be reviewed by a DPO or specialist counsel before scaling.
This page is plain-language guidance and not legal advice. Your specific motion should be reviewed by a qualified DPO or specialist counsel before scaling.