Compliance
18 April 2026

AI Prospecting & GDPR: Full Compliance Guide 2026


Data protection authorities across Europe published updated guidance in 2024 clarifying the conditions for using personal data in automated prospecting systems. AI in B2B prospecting is not a legal grey area — it is regulated, and the rules apply immediately. This guide synthesises the complete legal framework for 2026, from legal basis to Swiss specifics, drawing on official texts and enforcement decisions.

Legal basis: legitimate interest in B2B

Article 6(1)(f) of the GDPR permits processing of personal data where it is necessary for the legitimate interests pursued by the controller, provided those interests are not overridden by the interests or fundamental rights of the data subject. Regulators confirm that B2B email prospecting may rely on this basis under three cumulative conditions: the prospect is a legal entity or a natural person acting in a professional capacity, the message is directly linked to their professional role, and the right to object is clearly offered.

In practice, contacting a procurement director to propose a procurement optimisation solution falls within legitimate interest. Contacting a creative director to sell accounting software does not — the functional link is missing. This relevance criterion is the first filter that regulators examine during an inspection.

The opt-in versus opt-out distinction is frequently misunderstood in B2B. Unlike B2C, where prior consent (opt-in) is the rule, B2B operates under an opt-out regime: you may prospect without prior consent, provided opt-out is simple, immediate and permanently respected. Two caveats apply. The consent rule for electronic direct marketing comes from Article 13 of the ePrivacy Directive and its national transpositions, with the GDPR governing the underlying processing, so the exact scope of the B2B exception is set country by country; Germany, for instance, requires prior express consent for advertising email even between businesses (§7 UWG). The EDPB confirmed the opt-out interpretation in its Guidelines on the use of personal data in direct marketing (version 2.0, 2024).

Compliant legal notice for a B2B cold email

Each prospecting email must state, in legible form: the sender's identity (name, role, company, physical address), the legal basis for the processing (legitimate interest; citing the article is recommended), a one-click, functional unsubscribe link, and the source of the data (e.g. 'your public LinkedIn profile' or 'the Companies House commercial register'). This is the information Article 14 GDPR requires when data was not obtained from the data subject, and Article 14(3)(b) requires it to be provided at the latest at the first communication with that person.

Regulators have made clear that omitting the data source is a breach of Article 14 GDPR, not a formality. Administrative penalties for this type of violation accounted for 34% of all enforcement decisions issued by data protection authorities in 2024.

DPIA for AI scoring systems

An AI scoring system that automatically assigns a score to natural persons, even in a B2B context, may trigger the obligation to carry out a Data Protection Impact Assessment (DPIA, Article 35 GDPR). Article 35(3)(a) makes a DPIA mandatory for 'a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person'.

For B2B commercial scoring systems, a nuanced position applies: if scoring is based on firmographic data (company size, sector, company registry data) and professional behavioural signals (public LinkedIn activity, published job postings), without processing sensitive data and without producing decisions with legal or similarly significant effects on the individual, a DPIA is recommended but not strictly mandatory. If, however, the score automatically excludes an individual without human oversight, a DPIA becomes mandatory.

At Lead-Gene, the 12-criterion AI scoring is documented in a processing register compliant with GDPR Article 30. Each criterion, its data source and its weighting are recorded. A human systematically validates exclusions before they become permanent, which takes the processing outside the scope of Article 22 (decisions based solely on automated processing). For that to hold, the reviewer must have the authority, the time and the information needed to overturn the score; a review that merely rubber-stamps the model's output does not count as human intervention.

Automated opt-out and data retention

Opt-out must be operational within 72 hours according to 2024 regulatory guidance. In practice, an opt-out received on a Friday must be effective before Monday. Any re-contact after an expressed opt-out is a clear violation, and because it infringes the right to object (Article 21) it falls in the upper fine bracket of Article 83(5) GDPR: up to €20 million or 4% of global annual turnover, whichever is higher. An €800,000 fine was issued in 2024 against a B2B prospecting operator for systematic failure to honour opt-outs.

Retention of B2B prospecting data is limited to 3 years from the last contact or the end of the commercial relationship. Beyond that, data must be deleted or anonymised. Opt-out lists, however, must be retained indefinitely to prevent re-contacting individuals: this is the 'suppression list' that every compliant system must maintain. Because it is kept forever, it should hold only what is needed to block a send (a keyed hash of the normalised address is enough), not the full prospect record, and every outbound message must be checked against it before it leaves.
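The following is an added example, not Lead-Gene's code or a tool the article describes, showing how the opt-out SLA, the suppression list and the retention purge from this section fit together in one store. It assumes email address is the contact key, a 72-hour opt-out SLA and a 3-year retention window, as stated above; the pepper key and all addresses and dates are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed parameters, taken from the article's figures (example only).
OPT_OUT_SLA = timedelta(hours=72)
RETENTION = timedelta(days=3 * 365)
# Assumption: in production this key lives in a secrets manager. A fixed
# value is used here so the example runs offline.
SUPPRESSION_KEY = b"example-pepper-rotate-me"


def normalise_email(addr: str) -> str:
    """Canonical form so 'John.Doe@Example.com ' matches 'john.doe@example.com'.
    Only case and surrounding whitespace are folded; plus-tags and dots are
    kept because their meaning is provider-specific."""
    return addr.strip().lower()


def suppression_token(addr: str) -> str:
    """Keyed hash of the normalised address. The suppression list is kept
    indefinitely, so it stores tokens rather than plaintext addresses: a leaked
    list reveals nothing without the key, yet any future send can still be
    checked against it."""
    msg = normalise_email(addr).encode()
    return hmac.new(SUPPRESSION_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Prospect:
    email: str
    source: str            # e.g. "public LinkedIn profile", the Art. 14 data source
    last_contact: datetime


@dataclass
class OptOut:
    token: str
    received_at: datetime  # when the request reached us (e.g. mail header date)
    applied_at: datetime   # when the send gate started honouring it


class ProspectStore:
    def __init__(self) -> None:
        self.prospects: dict[str, Prospect] = {}  # token -> record, purged after 3 years
        self.suppressed: dict[str, OptOut] = {}   # token -> opt-out, never purged

    def add(self, p: Prospect) -> bool:
        """Refuse to (re)import an address that has opted out, e.g. from a bought list."""
        tok = suppression_token(p.email)
        if tok in self.suppressed:
            return False
        self.prospects[tok] = p
        return True

    def record_opt_out(self, addr: str, received_at: datetime, now: datetime) -> timedelta:
        """Honour an opt-out: drop the prospect record (data minimisation) and keep
        only the token. Returns the latency between receipt and application."""
        tok = suppression_token(addr)
        self.prospects.pop(tok, None)
        self.suppressed.setdefault(tok, OptOut(tok, received_at, now))
        return now - received_at

    def may_contact(self, addr: str) -> bool:
        """Send gate: every outbound message is checked here first."""
        return suppression_token(addr) not in self.suppressed

    def sla_breaches(self) -> list[str]:
        """Tokens of opt-outs that were not made effective within 72 h of receipt."""
        return [t for t, o in self.suppressed.items()
                if o.applied_at - o.received_at > OPT_OUT_SLA]

    def purge_expired(self, now: datetime) -> int:
        """Delete prospects last contacted more than 3 years ago.
        The suppression list is deliberately left untouched."""
        stale = [t for t, p in self.prospects.items() if now - p.last_contact > RETENTION]
        for t in stale:
            del self.prospects[t]
        return len(stale)


def demo() -> dict:
    """Constructed scenario (not real data): one timely opt-out, one late one,
    one record past retention, and a blocked re-import of an opted-out address."""
    utc = timezone.utc
    store = ProspectStore()
    store.add(Prospect("alice@example.com", "public LinkedIn profile", datetime(2026, 4, 15, tzinfo=utc)))
    store.add(Prospect("bob@example.com", "commercial register", datetime(2026, 4, 15, tzinfo=utc)))
    store.add(Prospect("stale@example.com", "trade-fair badge scan", datetime(2023, 1, 10, tzinfo=utc)))
    # Received Friday 17:00, applied Monday 09:00: 64 h, inside the SLA.
    store.record_opt_out(" Alice@Example.com ", datetime(2026, 4, 17, 17, tzinfo=utc),
                         datetime(2026, 4, 20, 9, tzinfo=utc))
    # Left in the inbox for four days: 96 h, a breach.
    store.record_opt_out("bob@example.com", datetime(2026, 4, 10, 12, tzinfo=utc),
                         datetime(2026, 4, 14, 12, tzinfo=utc))
    now = datetime(2026, 4, 20, 10, tzinfo=utc)
    purged = store.purge_expired(now)
    reimported = store.add(Prospect("alice@example.com", "purchased list", now))
    return {
        "may_contact_alice": store.may_contact("alice@example.com"),
        "may_contact_bob": store.may_contact("bob@example.com"),
        "sla_breaches": len(store.sla_breaches()),
        "purged": purged,
        "reimport_blocked": not reimported,
        "remaining_prospects": len(store.prospects),
        "suppressed": len(store.suppressed),
    }


if __name__ == "__main__":
    print(demo())
```

The two lists are kept separate on purpose: the prospect table is subject to the retention purge, the suppression table is not, and `add()` consults the latter so that a later data import cannot silently resurrect someone who opted out. The `sla_breaches()` report is what an auditor testing a live sequence would ask for.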

Enforcement decisions 2024–2026: real figures

To calibrate risk, here are penalties issued or confirmed between 2024 and early 2026 in the commercial prospecting field: €800,000 (B2B prospecting operator, systematic opt-out failures, 2024 decision), €3.2 million (B2C e-retailer using B2B databases without verifying legal basis, 2024), €150,000 (SaaS prospecting startup with no legal notice or processing register, 2025), €60,000 (consulting firm retaining prospect data beyond 3 years, 2025).

Data protection authorities have also increased inspections of automated systems since 2024, with AI-driven commercial prospecting identified as a priority enforcement area. Unannounced online checks (testing live cold email sequences without prior notice) now represent 31% of all inspections.

Cross-border specifics: Switzerland and the revDPA

For businesses prospecting simultaneously in the EU (GDPR) and Switzerland (the revised Federal Act on Data Protection, revDPA, in force since 1 September 2023), two regimes coexist. The Swiss Federal Data Protection and Information Commissioner (FDPIC) confirmed in its 2024 guidance that B2B email prospecting is permitted under the revDPA on the same legitimate interest basis as under the GDPR.

A structural difference worth noting: unlike the GDPR, the revDPA provides for criminal sanctions (fines of up to CHF 250,000) imposed on the natural persons responsible for the processing, not just on the legal entity. This creates a higher personal liability for executives than under French or Belgian law. For businesses operating on both sides of the border, the recommended approach is to deploy the higher standard (GDPR) as a single baseline applied equally in Switzerland, while still checking the revDPA's own formalities, such as the obligation for a foreign controller to designate a representative in Switzerland when the processing meets the conditions of Article 14 revDPA.

Is your AI prospecting system GDPR-compliant? We audit your setup in 48 hours. Free consultation.
