Deep breath — cold email recruiting to EU candidates can be legal, but two regulatory layers matter, not one. GDPR governs your lawful basis (for B2B outreach that is usually legitimate interest). The ePrivacy Directive layers on top to govern electronic marketing communications — and some member states (notably Germany and Poland) require opt-in consent for cold email even in B2B contexts, regardless of your GDPR position. Check your target country before you assume "GDPR legitimate interest" is the whole story. Then run the checklist below.
Your Pre-Send Compliance Checklist
- ✅ Lock in a legal basis — and write it down. GDPR Article 6(1)(f) permits B2B cold outreach under legitimate interest, but you have to pass a three-part test: purpose, necessity, and balancing. Document it in a Legitimate Interest Assessment (LIA) before you send. The LIA isn't a freestanding legal requirement, but without one you lose the legitimate-interest defense by default in any regulatory inquiry.
- ✅ Only email business addresses — never personal ones. Legitimate interest applies when you contact candidates in their professional capacity at a work email. Personal addresses such as Gmail or Yahoo accounts generally require explicit consent across EU jurisdictions — a much higher bar that effectively rules out cold outreach.
- ✅ Confirm the ePrivacy layer, not just GDPR. The ePrivacy Directive sits on top of GDPR for electronic marketing. Germany's DSK guidance leans toward requiring opt-in consent for cold B2B email; Poland typically requires consent even for B2B; the UK and France are more permissive on B2B legitimate interest. Confirm the target country's posture before relying on GDPR alone.
- ✅ Put the source and an opt-out in every email. GDPR mandates transparency: your first outreach must clearly identify who you are, include a one-click opt-out, and disclose where you found their data (e.g., "We found your profile on LinkedIn. Unsubscribe anytime."). Google and Yahoo now enforce one-click unsubscribe for bulk senders too — it's table stakes.
- ✅ Honor opt-outs before the next send — automatically. GDPR favors immediate action on opt-out requests; you don't get the 10-business-day window CAN-SPAM allows. Automate suppression-list updates in whatever email sequencer you use so no candidate gets a second touch after unsubscribing.
- ✅ Delete inactive candidates promptly. GDPR's storage limitation principle doesn't set a specific retention time — that's left to the controller's justification. Common industry practice (not a GDPR rule per se) recommends removing contacts who haven't responded within 30–60 days and deleting opted-out records immediately and permanently. If you store CVs for future roles, get a second consent at rejection — a quick line in your rejection email is enough.
The Risk Is Real
By DLA Piper's GDPR enforcement tracking, total GDPR fines have crossed several billion euros across thousands of enforcement actions since 2018, with hundreds of millions issued each year. The pattern is broad — direct-marketing violations, consent failures, retention overreach — and smaller agencies get caught alongside big tech. Getting your LIA written and your suppression list wired up takes an afternoon, not a legal retainer.
Sources
- LiteMail — GDPR Legitimate Interest for Cold Email in 2026
- EUR-Lex — Directive 2002/58/EC (the ePrivacy Directive)
- ICO — Storage Limitation Principle (UK GDPR Guidance)
- Instantly — Legal Requirements for Follow-Up Emails Under GDPR and CAN-SPAM
- GrowthList — GDPR Cold Email Guide: 7 Rules for Compliant Outreach 2026
- Recruitee — Your Guide to GDPR in Recruitment
- DLA Piper — GDPR Fines and Data Breach Survey
