February 17, 2026 · 2 min read · LeadGen Team

GDPR-Compliant Lead Generation: What's Allowed and What's Not?

A practical legal guide to B2B lead generation under GDPR. Which data sources are permitted? What do you need to consider? With a compliance checklist.

Tags: GDPR · Data Privacy · Lead Generation · Compliance

The Starting Point: GDPR and B2B Marketing

Since May 2018, the General Data Protection Regulation (GDPR) applies across the entire EU. For B2B lead generation, this means: you can't just use any email address you find. But — and this is the good news — B2B lead generation is still legal if you know the rules.

Art. 6(1)(f) GDPR — Legitimate Interest

This is the most important legal basis for B2B marketing. You may process personal data if you have a legitimate interest and the rights of the data subject do not override it.

In B2B contexts, the legitimate interest in acquiring new customers is recognized — particularly when:

  • The person is contacted in their professional capacity
  • The data comes from publicly available sources
  • There is a relevant connection to your offering

Which Data Sources Are GDPR-Compliant?

Source                                  GDPR Status     Explanation
Legal notice (Impressum)                Permitted       Legally required publication
Google Maps                             Permitted       Publicly available business data
Commercial register                     Permitted       Public register
LinkedIn (public profiles)              Restricted      Business data only, no mass extraction
Purchased email lists (unclear origin)  Not permitted   Data origin must be traceable
Web scraping private data               Not permitted   Violates privacy rights

Checklist: Is Your Lead Generation GDPR-Compliant?

  • Legal basis documented — Art. 6(1)(f) GDPR defined as processing basis
  • Data origin traceable — You can prove where each lead's data came from
  • Balancing test performed — Your legitimate interest outweighs the data subject's rights
  • Opt-out mechanism available — Every email contains an unsubscribe link
  • Privacy policy up to date — Your website informs about data processing
  • Record of processing activities maintained — Lead generation is documented
  • Data processing agreements signed — With all service providers (e.g., email provider, lead tools)

Common Mistakes and How to Avoid Them

Mistake 1: Using Private Email Addresses

Only contact business email addresses (firstname@company.com). Private addresses (name@gmail.com) have no place in B2B outreach.

Mistake 2: No Opt-Out Option

Every email must contain a functioning unsubscribe link. This is not just a GDPR requirement but also legally mandated under German competition law (§ 7 UWG).

Mistake 3: Not Documenting Data Sources

When a lead asks "Where did you get my data?", you must be able to answer. Document the source for every lead.

Mistake 4: Storing Data Indefinitely

Delete leads that don't respond after a reasonable period (recommendation: 6-12 months).

Conclusion

GDPR-compliant B2B lead generation is possible and legal. The key lies in the right data source (publicly available), the correct legal basis (legitimate interest) and clean documentation. Tools that rely on public sources like legal notices and Google Maps offer the safest path.
