Sending GDPR Compliant Emails? Better Safe Than Sorry

Updated on November 3, 2021

A year ago, the General Data Protection Regulation came into force, primarily designed to improve the protection of EU citizens’ personal data. The point of this regulation, issued by the Council of the European Union and the European Parliament, wasn’t to kill sales and marketing efforts, but to guide them to make several adjustments in order to be fully compliant. Businesses that are involved with the usage of personal data, for example through the usage of emails for outreach, had no other choice than to take the necessary precautions to become compliant with the GDPR.

A year later, at Sales.Rocks, we make sure to collect only the necessary prospect information that is B2B related and publicly available. Additionally, we urge all our platform users to read our data-related company policies, which are available on our homepage, in order to be safe from repercussions while using the company and contact data provided by our sales enablement platform to maximize their sales outreach.

GDPR Compliant Emails with Legitimate Interest

One of the six reasons for processing data under GDPR, and the one relevant for sales, is legitimate interest. In other words, the sender of the outbound campaign has to make sure that the offer presented to the prospect is relevant to them.

But how do you confirm the reasons for legitimate interest?

Check out these options:

  • Explore the company’s website and social media profiles to check if your product/service is supporting their goals
  • Find out if the company is expanding into an area that might be relevant for your solution
  • Ask for referrals from your network
  • Check if the contact has already shown some interest or asked for information concerning your product (e.g. visited your website, interacted with the chatbot, etc.)

How to include Legitimate Interest in your email copy?

Having all these options in mind, it’s important to explain at the beginning of the email copy why the receiver is the relevant person to get this offer.

For example, in our emails, we open with this (assuming that the recipient’s name is Kara and she is the head of sales at Direct Sales Benelux):


While creating the copy and subject line of your email under GDPR, keep in mind these key things:

  • Improve your email signature by adding your name, email address, and company address;
  • Insert a link to your company Privacy Policy in the body of the email or in the signature, along with an opt-out and unsubscribe option for your newsletters.

The so-called “legitimate interest” of the company that processes the data for sales or marketing purposes can never outweigh the objection of the data subject. In other words, according to the GDPR, the data subject always has the right to object to the processing of his/her personal data for direct sales/marketing purposes. In this case, the business entity is required to stop processing that data for marketing purposes, but can still process it for other means (e.g. performance of a contract).

Take a look at this example of how we managed to put this info in a signature:


It’s not simply a matter of removing people who have opted out or unsubscribed; the regulation also prohibits holding inaccurate contact information.

Our database team makes sure that Sales.Rocks data storage is fully up-to-date by regularly cleaning the database of inactive or unresponsive leads.

It is also a good practice to come prepared with an informative reply for any possible GDPR complaints and answers to the most common questions. GDPR enforces the prospect’s right to be familiar with the information you have collected about them.

For example, when someone sends us an email asking “What information do you have on me?”, we use this GDPR acceptable reply:

“Your name, email address, company name and job title are the only data that we hold. As per your rights, we will delete this from our database if you are not interested in our services or wish us to do so. Your data is not being held in any other database or being resold.”


The General Data Protection Regulation is not about cold emailing. It is not even about businesses. It is more about the personal data protection of the individual. But this doesn’t mean that the regulation stops people from prospecting or collecting leads. It only requires a greater level of care, relevancy, and accuracy from lead generators.

It might seem like a lot of work to be GDPR compliant when sending outbound emails, but all you need to do is add a few tweaks to your current emailing process to make sure that, as a sender, you are fully compliant.

Remember – Better safe than sorry!
