GDPR Compliance for Email Marketing and Cold Calling

Published on : 13 Dec 2022


Cold calling and cold emailing have long been popular and effective techniques for sales and for communicating with prospective clients. They let brands reach potential clients who may not yet be aware of their products or services, and they serve both brand awareness and lead generation. However, many customers see these activities as spam. The technique has earned a bad reputation because personal data is too often exploited or misused under the pretext of business.

People are often bombarded with irrelevant emails and sales calls that are of no interest to them, which is why cold emailing and cold calling came to be seen as spam. Recognizing the growing misuse of personal data, the GDPR established strong measures to protect the privacy of people’s personal data. Covering the requirements of the GDPR, we explain below whether cold emailing and cold calling are allowed under the regulation and how organizations can ensure compliance while conducting such activities.

Are cold email marketing and cold calling allowed under GDPR?

The GDPR was established to protect and preserve the rights of individuals and to secure their personal data. To that end, the regulation sets guidelines to ensure that personal data is not misused under the pretext of business. It is important to note, however, that the GDPR does not stop email marketing or cold emails; the guidelines it outlines discourage the misuse of personal data, not marketing as such.

The regulation is about protecting personal data and ending unethical digital marketing practices that intrude on individuals’ privacy. Simply put, cold calling and cold email marketing are allowed under the GDPR, provided the organization follows the appropriate guidelines. Anyone violating the rules will pay a hefty price for it, so businesses have to be more careful about the methods they adopt to gather, manage, store and use the personal data of EU citizens.

What does the GDPR Regulation say about email marketing and cold-calling activities?

Organizations must follow the guidelines outlined in the GDPR to ensure compliance in sales activities such as cold emailing or cold calling. The GDPR clearly states that the processing of personal data is only allowed if the data subject has provided consent or there is another legal basis, such as a legitimate interest of the organization (the controller), for sending e-mails.

Recital 47 of the GDPR states that the processing of personal data for direct marketing may be regarded as carried out for a legitimate interest of the controller. It is also important to note that e-mail marketing to existing customers is allowed without consent. However, if a customer no longer wishes to receive information by newsletter or e-mail, the customer can object to processing for marketing purposes.

According to Article 21(2) and (3) GDPR, the data subject always has the right to object to the processing of personal data for direct marketing purposes. If the data subject objects, the controller has to stop processing for marketing purposes, but may continue to process the data where this is needed to perform their contract.

It is also important to understand that the controller’s legitimate interest in processing data for marketing purposes cannot override the data subject’s objection. Regardless of whether the organization engages in cold calling or cold emailing on the basis of legitimate interest or consent, it is required to respect the data subject’s right to be informed.

How can organizations ensure compliance while sending cold emails or in cold calling?

While it is clear that organizations are allowed to use cold calling or cold emailing for sales, they are required to follow certain rules and ensure that these activities are GDPR compliant. Here are some ways businesses can ensure compliance with the GDPR when sending cold emails or making cold calls.

Legitimate reason and targeted prospects

Organizations should have a legitimate reason for processing personal data: a legal basis or legitimate interest for sending e-mails. They must also ensure that the data they collect and use is limited to what is strictly necessary for the business. For instance, if your business plans only to send mails, avoid collecting additional data such as postal addresses and phone numbers. Also ensure that you only approach well-targeted prospects; for example, people sharing views on products similar to what your business offers can reasonably be considered target prospects.

Businesses are allowed to contact only those prospects who are likely to be interested in their products and services and likely to purchase or use them. If the prospects are not relevant, you might be breaching the GDPR. Businesses are required to be very selective about the data they collect and the prospects they choose to communicate with. If this is done right, businesses will not be penalized under the GDPR.

Explain how the prospect’s email was acquired

To cover all grounds of the GDPR, the organization must know how and from where it acquired each email address. Even if the addresses come from a list bought from a third party, the organization must ensure that the database was collected and used in a GDPR-compliant manner. Businesses are required to keep a record of how all the data was collected and how it is processed. Organizations must also have measures in place so that if a data subject demands deletion of their data or objects to the processing of their data, it is done immediately. Simply providing an unsubscribe link is not enough; the data must be deleted immediately as well.

GDPR Requirements

Organizations can process personal data under the following circumstances, as outlined in the GDPR:

  • Consent: When the organization obtains appropriate consent from the prospect to process their personal data.
  • Contract: When there is an official, legitimate contract between the organization (controller) and the prospect that requires the processing of the personal data.
  • Legal obligation: When the organization is required by law to process the personal data of the prospect.
  • Public interest: When the processing of personal data is necessary in the public interest.
  • Vital interest: When there is a vital interest to protect that requires data processing.
  • Legitimate interest: When there is a legitimate interest and both parties will benefit from the processing.

Whatever the reason for contacting prospects and processing their data, it is important that the organization informs the prospect of that reason in its emails. This is an essential step in the process of GDPR compliance.

Explain Legitimate Interest in the Email

Legitimate interest is one of the six lawful bases for data processing outlined in the GDPR. Whenever the processing of personal data is not a legal obligation but is for the benefit of both the prospect and the organization, it must be justified and communicated to the prospect in the mail accordingly. Organizations need to show that there is a legitimate interest in contacting the prospect, which may include:

  • The organization’s products and services are of interest to the prospect and support their needs.
  • The prospect asked for information or searched for details related to your product or service.
  • The prospect is expanding in an area that is relevant to your product or service.
  • The prospect is an existing or previous client from the same industry.
  • The business learned about the prospect through its network.
  • The products and services offered support the prospect’s plans for investment and growth.

It is important to note that a legitimate interest in processing data only holds if that interest also accounts for the person’s right to privacy. Again, an organization cannot hold personal data longer than needed. When an organization collects personal data such as an email address, it needs to inform the individual that the data has been stored for future marketing purposes and state its legitimate interest in storing and processing the data. The email should include:

  • A statement informing the prospect how their data was collected and how it will be processed.
  • The time frame or retention period for storing their data.
  • A brief explanation of why the data is processed.
  • Step-by-step guidance for the recipient on changing their data, objecting to its processing, or requesting its deletion.
  • A copy of the disclaimer for the cold email.

Process of Unsubscribing

If the organization sends cold emails, it also needs to provide recipients with an option to opt out of the mailing list. Organizations are required to provide an easy, quick unsubscribe option, with an ‘unsubscribe link’ added at the bottom of every email, to ensure compliance. This is a fundamental element of the cold email and a right of the recipient. The organization should also provide a guide for those who wish to have their personal data deleted from its records, so that if a recipient asks you to delete their data, it is deleted from your records, backups, and other places of storage. Organizations must ensure that the information provided is clear and that the steps to opt out are easy.

Frequently Update the Database

The GDPR also requires organizations to keep their databases up to date and delete any data that is no longer required or in use. This means organizations should have a data retention policy in place to regularly update their database and prevent personal data from being stored longer than required. Businesses must not hold leads indefinitely or retain incorrect contact details. This is one of the core components of ensuring that cold emails are GDPR compliant.

The CRM database must be regularly maintained, up to date, and traceable in terms of how the personal data was collected, processed, and stored. Remove leads that are no longer required and replace them with active contacts with correct contact details. An organization must also secure its database by taking the necessary security measures. Physical access controls, data access controls, system access controls, input controls, transmission controls, segregation of data, and backups are some of the measures that will help secure the data.
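The three obligations described above (a traceable record of where each address came from and on what basis it is held, an objection or erasure request that actually removes the data rather than just flipping a subscription flag, and a retention policy that purges stale leads) can be enforced in the lead store itself. The following is an added example, not code from the original post or from VISTA InfoSec; every address, date, source label and retention period in it is constructed, and the class and function names are the author’s own choices.

```python
"""Minimal GDPR-aware lead store (added example; all sample data constructed).

Each lead carries its acquisition source, lawful basis and retention
deadline; objections stop marketing use (Art. 21(2)/(3)) while contract
processing continues; erasure removes the record; and a retention purge
drops expired leads that are no longer needed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "public_interest", "vital_interest", "legitimate_interest"}


@dataclass
class Lead:
    email: str
    source: str            # how the address was acquired (part of the GDPR record)
    lawful_basis: str      # one of LAWFUL_BASES
    collected_on: date
    retention_days: int    # retention period communicated to the prospect
    has_contract: bool = False       # an active contract keeps the data in use
    marketing_objected: bool = False

    def retention_deadline(self) -> date:
        return self.collected_on + timedelta(days=self.retention_days)


class LeadStore:
    """In-memory stand-in for a CRM table. A real deployment would also
    propagate erasure to backups and any downstream mailing tool."""

    def __init__(self) -> None:
        self._leads: Dict[str, Lead] = {}
        self.audit_log: List[str] = []   # traceable history of each lead

    def add(self, lead: Lead) -> None:
        # Refuse to store a lead with no recorded lawful basis.
        if lead.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"no lawful basis recorded for {lead.email}")
        self._leads[lead.email.lower()] = lead
        self.audit_log.append(
            f"added {lead.email} from '{lead.source}' on basis {lead.lawful_basis}")

    def object_to_marketing(self, email: str) -> None:
        # Objection stops direct marketing; contract processing may continue.
        lead = self._leads[email.lower()]
        lead.marketing_objected = True
        self.audit_log.append(f"{email}: objected to direct marketing")

    def can_send_marketing(self, email: str, today: date) -> bool:
        lead = self._leads.get(email.lower())
        if lead is None or lead.marketing_objected:
            return False
        return today <= lead.retention_deadline()

    def erase(self, email: str) -> bool:
        # Right to erasure: remove the record outright, not just a subscription flag.
        removed = self._leads.pop(email.lower(), None)
        if removed is not None:
            self.audit_log.append(f"{email}: erased on request")
        return removed is not None

    def purge_expired(self, today: date) -> List[str]:
        # Retention policy: drop leads past their deadline unless a contract
        # still requires them. Returns the purged addresses for the audit trail.
        expired = [e for e, l in self._leads.items()
                   if today > l.retention_deadline() and not l.has_contract]
        for e in expired:
            del self._leads[e]
            self.audit_log.append(f"{e}: purged, retention period ended")
        return expired

    def count(self) -> int:
        return len(self._leads)


def demo() -> LeadStore:
    """Builds a store with three constructed leads (made-up addresses and dates)."""
    store = LeadStore()
    store.add(Lead("ana@example.com", "trade show badge scan", "legitimate_interest",
                   date(2022, 1, 10), retention_days=180))
    store.add(Lead("ben@example.com", "website demo request", "consent",
                   date(2022, 11, 1), retention_days=365))
    store.add(Lead("cara@example.com", "existing customer", "contract",
                   date(2021, 6, 1), retention_days=365, has_contract=True))
    return store


if __name__ == "__main__":
    s = demo()
    today = date(2022, 12, 13)
    s.object_to_marketing("ben@example.com")
    print("purged:", s.purge_expired(today))
    print("\n".join(s.audit_log))
```

Run as a script it prints which leads the retention purge removed and the audit trail; the useful property is that `can_send_marketing` is the single gate a mailer would call, so an objection or an expired retention period cannot be bypassed by a stale subscription flag elsewhere.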

Strong Data Security

The main purpose of the GDPR is to ensure the protection and privacy of personal data. So when sending cold emails, organizations must ensure that the systems, applications, and networks used for mailing and for storing data are GDPR compliant. Data collected and processed should be encrypted, and stored data should be retained only as long as necessary. Organizations must also keep a record of the data collected, processed, and used, and establish a level of authorization for every activity.

Prompt Response to Request/Queries

When organizations run a cold email campaign, it is natural that recipients will have queries about the mails, or may request an unsubscribe or the deletion of their data, or ask for a copy or correction of their data. Organizations are therefore required to have a system in place that facilitates a prompt response to any such request or query. The GDPR gives EU citizens the right to information, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making. With these rights given to citizens, organizations are required to comply with their requests and respond at the earliest opportunity.

The aim of the GDPR is not simply to abolish cold calling and cold emailing, but to ensure that organizations secure the data appropriately. The regulation was not designed to limit the way businesses generate leads, but to ensure that appropriate measures are taken when communicating with prospects and that misuse of personal data is prevented. With the GDPR in place, the days of spamming people with random business advertisements are gone.

GDPR is more focused on protecting and preserving the rights of citizens of the EU. The GDPR regulation encourages businesses to build genuine connections with people who may be interested in the business offering. This adds more accuracy and relevance to the emailing process.

The regulation should be seen as an effort to secure and preserve people’s rights and, at the same time, to improve the quality of lead generation. GDPR-compliant cold emails will ultimately help organizations close deals faster, as a list of prospects purchased in a compliant manner will be more relevant and accurate.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.