GDPR & B2B Cold Outreach: What Is Legal in 2026

GDPR allows B2B prospecting under the legitimate interest basis (Article 6.1.f), provided: the message is directly related to the recipient's role, the sender's identity is clear, and a simple opt-out is offered.

In practice: contacting a CFO to offer financial management software = legitimate. Contacting the same CFO to sell a holiday = not legitimate.

1. Clear identity: name, role, company, physical address visible in every email.

2. Immediate opt-out: functional 'unsubscribe' link. No forcing a reply to exit.

3. Business relevance: pitch tied to the prospect's role and sector.

4. Reasonable frequency: max 3 to 5 touches over 30 days, then permanent stop if no response.

5. Processing register: log the legal bases used, keep proof of opt-outs.

Buying B2C qualified databases for B2B use: forbidden, even if the addresses are 'professional'.

Scraping personal emails (@gmail, @outlook): forbidden — this is strict personal data.

Enrichment via illegal sources (leaks, hacked databases): forbidden and dangerous.

Ignoring opt-outs: ICO fine up to 4% of annual turnover.

All data sources are legitimate (official LinkedIn API, Companies House, Apollo pro tier). Every sequence automatically includes the opt-out link. Opt-outs are centralised and never re-contacted. Processing register auto-generated and exportable.