Lead Generation and GDPR: What You Can (and Absolutely Cannot) Do
You want to grow. Fill your pipeline with qualified decision-makers. But every time you reach out to a prospect, the same question lingers: is this even legal under GDPR?
That uncertainty is understandable. Since the General Data Protection Regulation came into force in 2018, the rules around personal data have tightened dramatically. Fines can reach 20 million euros or 4% of annual global turnover. That is enough to make any sales team hesitate. But here is the good news: lead generation is not illegal. You just need to know where the boundaries lie — and those boundaries differ significantly by channel.
This article takes a different approach from most legal overviews. No dry legal texts, but a practical channel-by-channel guide: what you can do, what you absolutely cannot do, and where the grey areas are.
The legal foundation: legitimate interest versus consent
Before diving into specific channels, you need to understand two concepts that sit at the heart of every GDPR discussion around lead generation.
Consent (opt-in) means someone has explicitly said “yes” to receiving your communication. This is the gold standard — if you have consent, you are legally safe. But in cold outreach, you do not have that consent by definition.
Legitimate interest (Article 6(1)(f) of the GDPR) is the alternative legal basis that makes B2B lead generation possible. You may process personal data if you have a legitimate interest, the processing is necessary to pursue that interest, and the data subject’s rights do not outweigh your interest. Regulators apply a three-part balancing test that you must be able to document.
In practice, this means that if you contact a sales director at an IT company because your product is directly relevant to their challenges, you can rely on legitimate interest. If you blast a generic sales pitch to thousands of randomly collected email addresses, the legal ground collapses.
Channel by channel: what is allowed?
This is where it gets practical. The rules vary considerably depending on the communication channel. Here is an overview you can apply immediately.
| Channel | B2B Allowed? | Conditions | Risk if violated |
|---|---|---|---|
| Phone | Yes (with conditions) | Public business number, offer opt-out, be transparent | Warning to fine |
| Email | Limited | Legitimate interest, business email, opt-out, relevance | Fine up to €20 million |
| LinkedIn | Yes | Professional context, relevance, respect opt-out | LinkedIn account restrictions |
| Post | Yes | Offer opt-out | Low risk |
| WhatsApp/SMS | No (without consent) | Falls under ePrivacy regulations | Regulatory fine |
Phone outreach: the safest option
In most EU countries, B2B cold calling remains the most legally straightforward channel. You may call businesses provided you use publicly available business phone numbers, offer an opt-out at the start of the conversation, are transparent about who you are and why you are calling, and ensure your call is relevant to the person you are speaking with.
The key distinction is between B2B and B2C. While consumer cold calling has been heavily restricted across Europe, business-to-business phone outreach is generally permitted when there is a reasonable expectation that the recipient would find the call relevant.
Email: the grey zone
Email marketing is where most misunderstandings occur. The ePrivacy Directive generally requires consent for commercial emails. However, in the B2B context, there is an opening through legitimate interest in several EU countries, including the Netherlands.
This means you may contact a business email address if you can demonstrate that your offer is directly relevant to the recipient’s role, you provide a clear opt-out mechanism, you are transparent about where you obtained their data, and you keep your communication limited and proportionate.
What you absolutely cannot do: send mass generic emails to purchased lists, use personal email addresses, or continue emailing after someone has unsubscribed. A single complaint to a data protection authority can trigger an investigation.
Important note for the German market: Germany applies significantly stricter rules. Under the UWG (Gesetz gegen den unlauteren Wettbewerb), cold email is prohibited in both B2B and B2C without prior explicit consent. If you operate in Germany, phone outreach is your primary legal channel.
LinkedIn: professional and personal
LinkedIn is one of the most powerful channels for B2B lead generation, and legally one of the safest. Because users deliberately make their profiles public in a professional context, reaching out to prospects via LinkedIn is generally permitted.
The key is relevance and professionalism. Do not send copied messages to hundreds of people. Personalise your message, explain why you are reaching out to this specific person, and respect it when someone is not interested.
Three golden rules for GDPR-compliant lead generation
Regardless of which channel you use, three principles always apply.
Rule 1: Document your legitimate interest. Record why you are contacting this specific person, what your legitimate business reason is, and why the prospect’s rights do not outweigh your interest. This does not need to be a legal document — a note in your CRM is sufficient.
Rule 2: Always offer an opt-out. In every email, every phone call, and every LinkedIn message, the recipient must be able to easily indicate that they no longer wish to be contacted. And when someone does so, you respect that immediately and permanently.
Rule 3: Minimise data processing. Collect only the data you actually need. A name, job title, company name, and business email address are sufficient. Do not store data longer than necessary and delete data from prospects who do not respond after a reasonable period.
Common mistakes that put you in the danger zone
In our daily practice, we see the same missteps recurring among companies engaged in lead generation.
The first and most common mistake is purchasing email lists from dubious data sources. These lists often contain outdated or incorrect data, and you cannot possibly demonstrate a legitimate interest for every individual recipient.
The second mistake is ignoring opt-out requests. It sounds obvious, but we regularly see unsubscribes not being processed in the CRM, resulting in the same person being contacted again weeks later.
The third mistake is the absence of documentation. If a data protection authority comes knocking, you must be able to demonstrate on what legal basis you are processing personal data. Without documentation, you have nothing to stand on.
How Leadverge solves this
At Leadverge, we generate leads in a way that is fully GDPR-compliant. Our approach is based on the principle of quality over quantity: we only contact prospects who match pre-defined criteria, through legally permitted channels, with messages that are relevant and personalised.
With our Guarantee Packages, you receive guaranteed Hot Leads — decision-makers who have actually shown interest. No cold lists, no mass email campaigns, but targeted outreach that is both effective and compliant.
FAQ: Frequently asked questions about lead generation and GDPR
Can you send cold emails under GDPR?
In several EU countries, including the Netherlands, B2B cold email is permitted under conditions — provided you can rely on legitimate interest, use a business email address, and offer an opt-out. However, in Germany this is virtually always prohibited under the UWG.
Is B2B lead generation legal?
Yes, B2B lead generation is legal. The GDPR does not prohibit the processing of personal data — it sets conditions on how you do it. As long as you have a valid legal basis and follow the rules, you may contact prospects.
What is the difference between opt-in and legitimate interest?
With opt-in, the person gives explicit consent. With legitimate interest, you do not have consent but can demonstrate that you have a legitimate business interest that does not conflict with the data subject’s rights. Opt-in is always safer; legitimate interest requires documentation.
What data can you collect without consent?
You may collect publicly available business data (name, title, company, business email) provided you can demonstrate a legitimate interest. Personal data such as private phone numbers or personal email addresses may not be processed without consent.
What are the fines for GDPR violations?
Data protection authorities can impose fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. In practice, fines vary widely — from warnings to multi-million euro penalties, depending on the severity and scale of the violation.
