The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, intends to improve data protection for individuals in the EU. As a data processor and a data controller, we have worked hard to ensure our compliance.

However, as a Prospect.io user, are you GDPR compliant?

Well... Let's find out!

This article will raise important points about how and why you are GDPR compliant by prospecting and/or by sending cold email campaigns.

Prospecting and GDPR

You are GDPR compliant when you're prospecting on a website or on LinkedIn without your prospect's agreement. However, the GDPR requires companies to have a “legal basis” for processing personal data about EU residents.

• Article 6 of the GDPR allows the collection of data without consent if you have a legitimate interest in doing the processing.

• Article 6 (paragraph F) says: “Processing shall be lawful only if […] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the […] fundamental rights […] of the data subject”.

• The term “legitimate interest” is not clearly defined. Recital 47 of the GDPR states that a legitimate interest may provide a legal basis for processing data (except “where such interests are overridden by the […] fundamental rights […] of the data subject”).


There are 3 crucial questions you need to ask yourself:

  1. Do I have a valid legitimate interest?
  2. Is prospecting necessary to pursue that interest?
  3. Am I violating any fundamental rights to pursue that interest?

If your answers are respectively yes, no and no, then you're GDPR compliant as far as prospecting is concerned.

Cold emailing and GDPR

Here again, a valid legitimate interest is the key. Sending a cold email campaign is GDPR compliant if you send emails to people who you can reasonably expect to find their content useful.

In this respect, some requirements need to be fulfilled:

• The topic of the email must be clearly identified.
• There must be a clear way to opt out from future emails.
• A genuine physical address must be included in the email.
• The sender must be clearly identified.

Let’s develop these points.

A. The topic of the email must be clearly identified.

You can legally reach out to someone you haven't been in touch with before if you have reason to believe they would benefit from interacting with you. But you can only justify that interaction if you clearly state the reason you're reaching out in your message and if your subject line isn't deceptive, which it should never be in any case.

B. There must be a clear way to opt out from future emails.

From a legal standpoint, you must always allow your prospect to opt out easily, but it doesn’t need to be through a link. Mailbox services don't have opt-out links, so if you were sending a personal email from your personal mailbox, there would never be an unsubscribe link. That is why you should use other ways to make it easy for your prospect to stop receiving emails from you.

We have 2 pieces of advice as an alternative to unsubscribe links:

  • PS in your signature: We recommend you add a PS to your signature or a friendly mention in the content of your emails, inviting anyone not interested and wanting to opt out to let you know about it.
  • Set your Goal: Prospect.io will automatically stop campaigns for prospects who reply (if that is the goal you set); you just have to archive the ones who ask to be unsubscribed in order to ensure they are never contacted again.

You are obligated to immediately stop contacting prospects who request it. If a prospect of yours demands that their data be removed from your contact lists, you need to comply (in accordance with the ‘right to be forgotten’). This is something you need to do manually by archiving them in Prospect.io.

C. A genuine physical address must be included in the email.

In order to establish trust and keep companies accountable, you now need to display the address of your business in the email.

Best way to do it? Include it in your signature; it'll look natural and won't be disruptive.

D. The sender must be clearly identified.

Each sender needs to be clearly identified. That is, you can't just use a generic address or write in the name of the business. Not only is that illegal, it also dehumanizes the relationship.


Bottom line: prospecting and cold emailing are okay as long as you play by those reasonable rules and focus the experience on the prospect.


For more information about GDPR, check out our dedicated page!
