Back to Blog

The goal of the GDPR wasn’t to stop cold emailing in the European Union, but more to give people the right to be deleted from Giants, such as Facebook etc. In fact outbound sales are essential to almost any business and will continue to be. Legislation has improved the privacy of consumers by adding new rules, that went into effect on May 25’th this year. Below is our walk through what is truly changing with cold emailing and how it affects companies doing so.

This article is focusing on B2B sales, please keep that in mind.

Firstly, can you send an email to someone you’ve never met and should you?

A topic from the GDPR is that you need the consent of the data subject to process any data. If you’re reaching out to someone who doesn’t know you, you obviously don’t have any consent. So should you stop all cold emailing?

But the good news it that, consent isn’t the only case where processing is considered lawful. In particular when the “processing is necessary for the purposes of the legitimate interests pursued by the controller” (Article 6). The controller is the company sending the email, i.e., which is YOU.

Without hesitation, the controller’s legitimate interests do not apply « where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ».

When looking at Recital 47, it provides some additional clarification on the idea of legitimate interests. In particular, it clearly states the following:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

“At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”

When analyzing the last quote we find it particularly interesting. Will it be a surprise for the recipient to get your email? It should not be one at all. For example, if you look at our about page, you’ll get the email addresses of everyone at Alsmot any company. If you want to sell a service to Human Resources and reach out to one of our the HR people, it’s not a SURPRISE AT ALL.

Should I really include an unsubscribe link or not (is it required)?

It is clearly stated that article 21 of the GDPR describes the “Right to object” of data subjects. Because you are processing their personal data to send emails and potentially store the status in your CRM or marketing automation system, the recipient has the right to solely object to the processing and you have to comply. He or she could simply ask at any point, to stop or even destroy the data, again you can only comply or be fined.

We find it interesting that the article states “At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”. It couldn’t be more clear: you need a dedicated paragraph in your email letting the user know that he/she can ask for the processing to stop. Whether it is done by asking for in a reply or clicking on a link is up to you.

To help users add unsubscribe links to emails sent through Gmail, We published a free Chrome extension: Mailstopper. Download it today and make it easier to send GDPR compliant emails.

So how should i draft my first email?

In Article 14 it is described that “Information to be provided where personal data have not been obtained from the data subject”. In particular, you should share let the prospect know:

“the identity and the contact details of the controller and, where applicable, of the controller’s representative”  and “the contact details of the data protection officer, where applicable”

In your email, you should make it clear who you and your company are. But having in every sales email information regarding your Data Processing Officer might be an overkill. A ” click here to learn more” should be enough.

The GDPR rule set state “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing” It might be obvious for most, it is a sales email, but not a fact. Business  to Business sales fall into the “legitimate interest” category, so there’s no reason to hide it as long as you target a potential buy. Do not email your Sales/Marketing solution to engineering, they do not have legitimate interest.

“from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” On Salestools, all our data is found from Public sources so simply if you can find it on Google it is considered public.

We found that our customers and the world should be aware that there exist other requirements described in Article 14 that you need to meet! I invite you to take a look at the article as not to miss any at all.

“it is not necessary to impose the obligation to provide information where the data subject already possesses the information” (Recital 62) . For example, if you find someone’s email on their company’s website, and contact them regarding a relevant subject, then most of the points become totally irrelevant as the recipient already has the information upfront.

We sincerly hope this article helped answer some of the questions you had. We urge you to join Mailstopper to keep your company further ahead compliant with article 21.