Legalify shield logoLegalify
Free CheckerGDPR GuideBlogFeaturesHow it worksPricing
Log inSign up
← All articles

10 June 2026 · 6 min read

GDPR Compliance for B2B Marketing in the EU

B2B marketing occupies a specific space in EU data protection law that many teams either over-restrict (treating every B2B contact like a consumer) or under-protect (assuming GDPR doesn't apply to work emails). The reality is more nuanced, and the practical compliance gaps in B2B marketing are significant.

This guide explains how GDPR actually applies to B2B marketing, where B2B gets more flexibility than B2C, and where the compliance gaps typically sit in B2B outreach, ABM, and event marketing.

What's different about B2B under GDPR

The primary distinction between B2B and B2C GDPR compliance is in the ePrivacy Directive — the EU law that governs electronic direct marketing. ePrivacy, which will eventually be replaced by the ePrivacy Regulation, currently applies differently to B2B and B2C in most EU countries:

  • B2C electronic marketing (to personal email addresses, consumers) requires opt-in consent in almost all EU countries
  • B2B electronic marketing (to professional email addresses, employees at companies) can rely on legitimate interest in most EU countries, subject to relevance and opt-out requirements

This means cold email outreach to a CFO's work email about finance software can usually rely on legitimate interest, while the same cold email to that CFO's personal Gmail requires consent.

However, the B2B carve-out only applies to the ePrivacy layer. GDPR still applies in full to all personal data processing, including:

  • The right of access (the CFO can ask what data you hold on them)
  • The right to erasure (they can ask you to delete their details)
  • The right to object to marketing (they can tell you to stop)
  • The storage limitation principle (you can't keep their data forever)
  • The accountability principle (you need to document your lawful basis)

Lawful basis options for B2B marketing

Legitimate interest is the most commonly used lawful basis for B2B marketing, and it's legally viable when:

  1. You have a genuine legitimate interest — typically a commercial interest in reaching potential customers for a product or service that is relevant to their role
  2. The processing is necessary for that interest — you couldn't achieve the same purpose with less privacy impact
  3. The processing doesn't override the individual's rights and interests — assessed through the balancing test

The balancing test for B2B legitimate interest typically comes down to relevance: is the product or service genuinely relevant to this professional's role? A cybersecurity platform reaching out to a CISO is far easier to justify than the same platform cold-emailing an HR manager.

Contractual necessity applies once you have a B2B customer relationship — processing for contract performance covers CRM data for existing accounts, billing contacts, and service delivery.

Consent is rarely the starting point for B2B marketing (unlike B2C), but it becomes relevant for special category data, for marketing that goes beyond the individual's professional role, and in countries with stricter B2B ePrivacy rules (Germany, Austria).

Country-level variation in B2B ePrivacy rules

This is the most under-recognised risk in EU B2B marketing: the ePrivacy Directive is implemented differently across EU member states, and several countries have stricter B2B requirements than others.

Germany: The UWG (Unfair Competition Act) requires consent for B2B electronic marketing in most cases. Legitimate interest is accepted in narrow circumstances only. Germany is the strictest major EU market for B2B cold outreach.

Austria: Similar to Germany — consent required for electronic B2B marketing.

Netherlands: The ACM (Authority for Consumers & Markets) requires either consent or a genuine existing customer relationship for B2B electronic marketing.

France, Spain, Italy, Belgium: Generally permit legitimate interest for B2B electronic marketing with proper opt-out, but enforcement activity is increasing.

Nordics: Generally more permissive for B2B outreach under legitimate interest with clear opt-out.

Operating across the EU with a single B2B outreach policy based on the most permissive country is a common and significant gap. Each country should be assessed individually for its ePrivacy implementation.

Data quality and retention: the forgotten B2B obligations

B2B CRM databases tend to grow without cleaning. Every contact record represents personal data under GDPR, and the storage limitation principle requires that it be kept no longer than necessary.

Common B2B retention issues:

  • Contacts from a conference three years ago with no subsequent interaction
  • Leads that never converted, retained indefinitely on the assumption they might one day
  • Data from departed employees still in the CRM under the company account
  • Data enrichment records with no record of when or how the data was acquired

A defensible B2B data retention policy typically includes:

  • Active contacts (regular engagement or open opportunities): retained
  • Inactive contacts (no engagement for 24–36 months): flagged for re-permission or deletion
  • Departed employees: deleted when the departure is identified
  • Source records: maintained alongside each contact showing when and how the data was collected

B2B ad copy and LinkedIn targeting under GDPR

LinkedIn advertising for B2B is subject to the same GDPR framework as other digital advertising. The LinkedIn Insight Tag is a tracking cookie that requires prior consent under ePrivacy rules. Company-based targeting (job function, seniority, company size) uses LinkedIn's own data, which users consented to when they created their profile — this shifts some of the consent obligation to LinkedIn, but you remain responsible for the lawful basis of any follow-on processing.

For B2B ad copy specifically:

  • Claims about ROI, productivity gains, or business outcomes should be substantiated
  • Copy that targets specific industries should not imply knowledge of individual sensitive attributes (financial difficulty, specific business problems that imply negative company status)
  • Lead gen forms on LinkedIn are subject to the same disclosure requirements as any other form

Tools and processors in B2B marketing stacks

Every tool in a B2B marketing stack that processes personal data is a GDPR data processor. The standard B2B marketing stack includes multiple processors:

  • CRM (Salesforce, HubSpot, Pipedrive)
  • Email automation (Mailchimp, Lemlist, Apollo)
  • Data enrichment (Clearbit, ZoomInfo, Lusha)
  • Ad platforms (LinkedIn, Google, Meta)
  • Analytics (GA4, Mixpanel, PostHog)

Each requires a data processing agreement. Data enrichment providers are a particularly common gap — companies buy enriched B2B contact lists without fully considering that the original data may not have been collected with a GDPR-compliant lawful basis.

Scan your B2B campaign copy before launch

The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.

This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.

Frequently asked questions

Does GDPR apply to B2B email marketing?

Yes. GDPR applies to all personal data processing involving natural persons, including employees' work email addresses and contact details. The work email of an employee is personal data under GDPR. While the ePrivacy rules on electronic marketing are often less stringent for B2B than B2C in many EU countries, GDPR data subject rights still apply to every individual in your B2B contact database.

Can I do cold email outreach to B2B contacts under GDPR?

In many EU countries, yes — B2B cold outreach to professional email addresses can rely on legitimate interest as a lawful basis, provided the contact is relevant to your offering, the outreach is proportionate, you provide clear opt-out instructions, and you honor those opt-outs immediately. However, rules vary by country: Germany and Austria have stricter consent requirements even for B2B electronic marketing.

What is the difference between B2B and B2C GDPR compliance?

The key practical difference is the ePrivacy framework, which governs electronic direct marketing. In most EU countries, the strict opt-in consent requirement applies to B2C marketing but not to B2B marketing to professional roles. However, GDPR data subject rights (access, erasure, rectification, portability) apply equally to B2B and B2C contacts. The lawful basis options are also broader for B2B.

How long can I keep B2B contact data under GDPR?

GDPR's storage limitation principle requires that personal data is kept no longer than necessary for the purpose it was collected. For B2B sales contacts, a typical defensible retention period is 2–3 years of inactivity, after which data should be deleted or re-permissioned. Keeping B2B data indefinitely without reviewing or updating it creates enforcement risk.

Do I need a data processing agreement with my B2B marketing tools?

Yes. Any software tool that processes personal data on your behalf — CRM, email marketing platform, sales engagement tool, data enrichment provider — is a data processor under GDPR. You need a data processing agreement (DPA) with each of them that covers the nature of processing, security measures, sub-processor chains, and data transfer safeguards.

Free resource

Get the GDPR Ad Copy Checklist

12 checks every EU marketer should run before publishing. Free, instant, no spam.

No spam. Unsubscribe any time.

Check your ad copy for free

Paste your EU ad copy into the free GDPR Ad Copy Checker and get instant risk analysis — no login required.

Open the free GDPR checker
LLegalify

AI-powered GDPR and ad risk scanning for EU marketing agencies. Catch compliance issues before campaigns go live.

Designed for GDPR risk reviewSubprocessors listed in privacy policyDPA available on request

Product

  • Free GDPR Checker
  • Meta Ad Rejected?
  • GDPR Ad Compliance Guide
  • Legalify vs AuditSocials
  • How it works
  • Features
  • Pricing

Company

  • Blog
  • GDPR Guides
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • DPA
  • Security
© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.
PrivacyTermsCookiesSecurity