The Starting Point: GDPR and B2B Marketing
Since May 2018, the General Data Protection Regulation (GDPR) has applied across the entire EU. For B2B lead generation, this means you can't just use any email address you find. But, and this is the good news, B2B lead generation is still legal if you know the rules.
Legal Basis for B2B Lead Generation
Art. 6(1)(f) GDPR — Legitimate Interest
The most important legal basis for B2B marketing. You may process personal data if you have a legitimate interest and the rights of the data subject do not override it.
In B2B contexts, the legitimate interest in acquiring new customers is recognized — particularly when:
- The person is contacted in their professional capacity
- The data comes from publicly available sources
- There is a relevant connection to your offering
Which Data Sources Are GDPR-Compliant?
| Source | GDPR Status | Explanation |
|--------|-------------|-------------|
| Legal notice (Impressum) | Permitted | Legally required publication |
| Google Maps | Permitted | Publicly available business data |
| Commercial register | Permitted | Public register |
| LinkedIn (public profiles) | Restricted | Business data only, no mass extraction |
| Purchased email lists (unclear origin) | Not permitted | Data origin must be traceable |
| Web scraping private data | Not permitted | Violates privacy rights |
Checklist: Is Your Lead Generation GDPR-Compliant?
- [ ] Legal basis documented — Art. 6(1)(f) GDPR defined as processing basis
- [ ] Data origin traceable — You can prove where each lead's data came from
- [ ] Balancing test performed — Your legitimate interest outweighs the data subject's rights
- [ ] Opt-out mechanism available — Every email contains an unsubscribe link
- [ ] Privacy policy up to date — Your website informs about data processing
- [ ] Record of processing activities maintained — Lead generation is documented
- [ ] Data processing agreements signed — With all service providers (e.g., email provider, lead tools)
Common Mistakes and How to Avoid Them
Mistake 1: Using Private Email Addresses
Only contact business email addresses (firstname@company.com). Private addresses (name@gmail.com) have no place in B2B outreach.
Mistake 2: No Opt-Out Option
Every email must contain a functioning unsubscribe link. This is not just a GDPR requirement but also legally mandated under German competition law (§ 7 UWG).
Mistake 3: Not Documenting Data Sources
When a lead asks "Where did you get my data?", you must be able to answer. Document the source for every lead.
Mistake 4: Storing Data Indefinitely
Delete leads that don't respond after a reasonable period (recommendation: 6-12 months).
Conclusion
GDPR-compliant B2B lead generation is possible and legal. The key lies in the right data source (publicly available), the correct legal basis (legitimate interest) and clean documentation. Tools that rely on public sources like legal notices and Google Maps offer the safest path.