SPAM and GDPR - how to do mailings "there"?

My company is creating databases for “cold” mailing lists among Russian companies (by the way, this is quite in demand), but it is always interesting to broaden my horizons and see what they have abroad. We searched, found and brought together general recommendations to help those who want to actively search for clients in Europe from Russia using “cold mailing lists”. This is definitely not legal advice, but, let's say, general recommendations.


Contrary to popular belief, sending emails to companies with commercial offers is still legal and does not contradict GDPR. This article will dispel some of the myths about cold newsletters and the new rules, as well as provide some simple and effective tips on how your company can stay within the new rules. We are sure that quite a few Russian startups would like to enter the European markets, and mailing lists are one of the easiest, cheapest and most effective ways to find customers. Although we use the word “cold mailings” in the article, in fact it is akin to SPAM, but on the other hand, let's be honest - a lot of companies resort to this method of sales.

First of all, we are sure that you know several definitions of the abbreviation GDPR, so we will not go into too much detail. The General Data Protection Regulation (GDPR) is a legal document issued by the EU Council and the European Parliament. Its main goal is to protect the personal data of EU citizens. GDPR is not about spam emails. And not about business. It is about protecting personal data.

However, a “cold” e-mailing can mean processing personal data, so when sending emails you need to take into account some key points described in the GDPR.

Here are the key points we will go through:

  1. Step one: make sure your newsletter is targeted and relevant
  2. Step Two: Explain the legitimacy of your interest in your letter
  3. Step three: make it so that you can unsubscribe from the newsletter quickly and easily
  4. Step four: constantly clean and update your database by removing inactive addresses
  5. Step Five: Prepare Informative Answers to Complaints and Questions Regarding Your Compliance with GDPR

Why are “spam” mailings still legal after the adoption of the GDPR?

Let's try to briefly consider this topic, as we assume that anyone who has experienced “pressure” from articles about the rigor of GDPR and email newsletters from B2C companies will get confused about this issue.

GDPR protects individual users, not companies! The EU even states: “The proposed Privacy and Electronic Communications Regulation will increase the protection of people's privacy and open up new business opportunities.”

In accordance with the ePrivacy Privacy Statement, EU countries must decide whether to allow or prohibit “commercial mailings” (for example, B2B “cold email newsletters”).

In the UK, they decided to follow the PECR (Privacy and Electronic Communications Rules 2003), which means that business communications do not require prior consent.

For a more detailed review, we suggest you read the document published by the Commissioner for Information Resources on marketing in the field of “cold” B2B sales, or, for a shorter read, the article “Why GDPR does not mean that we are going to stop contacting enterprises”.

Step one: make sure your mailing list is targeted and relevant

Lead generation and search for potential customers is, in essence, a search for personal data for use in advertising campaigns. Despite the protection of personal data, the GDPR does not prohibit people from searching and collecting information about potential customers, it just requires them to be more careful and accurate.

According to the GDPR, the personal data that you collect must be adequate and consistent with the purpose of its collection (the data minimization principle). This means that you have to consider two key things: the adequacy of data collection (how much data you really need for your purposes) and the relevance of data collection (the validity of collecting specific data).

Ensuring the adequacy of the collection: collect only what you need!

You should only collect the data that you need as an administrator or data analyst.

An easy way to comply with these requirements is to not request data unless you plan to use it. In marketing, subject to the rules of the GDPR, there is no concept of "for safety" or "just in case." Take the phone number only if you plan to call your customer. Take your home address only if you plan to send customers something by regular mail. Everything is simple.

Ensuring relevance: only collect what is relevant

A simple check of how relevant the collected information is: will the potential customer be surprised to hear from you? If your mailing list is targeted and correct, then no potential customer should be surprised by your emails. The reason for contacting them should be obvious based on what you are doing and what the client’s occupation is.

Make sure that you are extremely accurate in your forecasts and the choice of target segments, and adapt the advertising campaign in each case individually, taking into account all the problem points.

Here are some simple classifiers to work with:

A few words about buying databases for newsletters ...

It is your responsibility to ensure that any address databases that you purchase are fully compliant with the new rules. There are many companies in Russia that sell ready-made databases obtained using parsing: 2GIS, AVITO, etc. Some bases are sold at bargain prices. If we talk about our company, then we collect data for mailings from the primary sources themselves (in fact - from the websites of companies), which allows us to accurately say that the data is complete and current.

For example, in Europe there is a company that sells mailing lists (look for “Taskeater”) and as a supplier of email addresses and leads for European countries, they have taken certain steps to fully comply with the new rules.

How did they do it? They build the mailing databases “from scratch” and verify the lists for themselves and their customers against public sources in accordance with specific targeting criteria.

Compiling the lists yourself according to your targeting criteria means that you can ensure the adequacy and relevance of the data collected and keep a detailed record of your lead generation process.

Whether you buy data or collect it yourself, you should always store (or request) information on how and why the data was collected and processed. That way you will have an accurate answer to the question “where did you get my email address?”, and you can also provide context to confirm your legitimate interest.

Step two: argue the legitimacy of your interest in the letter

With effective targeting, your motives for contacting a potential customer should be obvious, but always indicate them in your email newsletter and explain why your offer is relevant, as well as the reason for contacting.

You need to indicate right there why you think that your recipient is exactly the person you can contact, and how you then processed his data to establish contact.

Proper application of the principle of legitimate interest

Legitimate interest is one of the 6 legitimate grounds for processing data under the GDPR and covers business interests. The ICO (British Information Commissioner's Office) describes this as the most appropriate basis when "processing is not required by law, but brings obvious benefit to you personally or to other people."

However, “legitimate interest” is NOT an excuse that you can refer to in order to cover anything in the business field. The procedure must be followed to ensure compliance with GDPR.

Using a “legitimate interest” as a reason for processing data is legitimate only if your interests outweigh the human right to privacy.

According to paragraph 1 of Article 6 of the GDPR, a “legitimate interest” is such only if “processing is necessary to comply with the legitimate interests of the controller or a third party, except if the interests or fundamental rights and freedoms of the data subject that require personal data protection are more important than this kind of interest, especially if the data subject is a child.”

Unlike other legal bases, your grounds for processing data may be challenged. The question of whether your interest outweighs the right to privacy will always be open to discussion.

This is another reason why you need to keep track of potential customers. As the ICO emphasizes: “You are also required to ensure and demonstrate that your interests are balanced with those of the individual.” The key point is that you understand the whole context and logic behind the use of legitimate interests.

Now you can emphasize that the company will show obvious interest in the business of the potential client, BUT, using this argument, you must make sure that your proposal relates to specific commercial activities stated in the company's charter.

For example, an email automation company needs to protect the data that it automates, as well as its users, so the email server security solution is indeed a legitimate interest to contact them.

In these cases, you need to take the time to do some preliminary research on your prospects and provide some context in your email newsletter.

Here are some examples of reasons for a “legitimate interest”:

Describe “legitimate interest” in your email newsletter

There are several ways to do this. Woodpecker, in its excellent GDPR compliance guide, proposes to include a disclaimer that informs the recipient of your email that its data has been processed.

It should include three key informative elements:

Here is a simple example based on what we would include in our advertising campaigns:

“I decided to contact you, because on the basis of the [company name] LinkedIn profile, I have good reason to believe that you can use the information that I share. I have processed your name and email address solely for the purpose of sending you this message. If you want me to change the data that I used to contact you, or delete your data from my list, simply reply “No, thanks” and I will delete you from our database.”

However, if you are worried about scaring off potential customers with a disclaimer, then just make sure that you integrate the three points above into the copy of your email.

Start by explicitly explaining exactly how you received their data and why you think it is relevant. For example:

“Hello, [name], I found your profile on LinkedIn, as I was looking for the opportunity to create my network of influential sales leaders, and after some research on [company name] I thought that our service might be of interest to you”

Then make sure that the unsubscribe mechanism is clear and visible at the bottom of your letter.

Step three: make it so that you can quickly and easily unsubscribe from the newsletter

If you are engaged in cold e-mail newsletters, then you must inform your recipients of how they can exercise their right to delete data and their right to unsubscribe.

The mechanism for unsubscribing from the newsletter should be simple and clear to the average person.

The “unsubscribe” button at the bottom of the email is the easiest way to automate this process and meet all the requirements. Currently, any informational advertising program or software will first of all contain an automatic unsubscribe function.

However, the unsubscribe link is only one of the possible ways to unsubscribe. The official guidance on marketing and advertising on the British Government portal says: “You should simplify unsubscribing as much as possible, for example, by sending the word ‘STOP’ to a short number or by clicking on the ‘unsubscribe’ link.” Of course, it does not claim that the “unsubscribe” link is the only sure way to unsubscribe.

For example, you can simply write in the footer that any recipient who is not interested in the mailing can write to you, and you will remove them from your address database and mailing list. This is a completely valid opt-out method, and if it fits better with your automation software and address database, you can use it.

Here is an example footer for email:

“If you are not interested and do not want to receive letters from me anymore, just reply“ No, thank you ”and I will remove you from my mailing list.”

The most important aspect of the opt-out is that it is understandable, easy to execute, and respected by you.

This means that as soon as someone asks you to delete their data, you must delete it upon request. Create a list (a suppression or unsubscribe list) of all companies and individuals who asked to be removed from your database, and then verify that you and your team members are not contacting them again. Find an algorithm that works for you, and then strictly stick to it.

Step four: constantly clean and update your database for mailing from obsolete and unnecessary addresses

In addition to simply removing people who have refused or unsubscribed, compliance with GDPR also means that you must not hold on to the same leads for several months or use unverified contact information. You must regularly clean the CRM database from inactive or non-responsive users, check the relevance of contacts, and log and label data appropriately to record how exactly you collected and processed personal data.
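One way to implement the suppression list, the collection log and the stale-contact cleanup described in steps three and four, as an added Python example that is not from the original article. The class and field names, the 90-day retention window and the keyed-hash suppression token are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example: a demo key (load it from a secret store in
# practice) and a 90-day window (the article only says "several months").
SUPPRESSION_KEY = b"constructed-demo-key"
RETENTION = timedelta(days=90)

def token(email: str) -> str:
    """Keyed hash of the normalized address: lets us honor an opt-out
    after the readable address itself has been deleted."""
    norm = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()

@dataclass
class Contact:
    email: str
    source: str            # where the address was found
    purpose: str           # why it was collected
    collected_at: datetime
    last_activity: datetime

class ContactStore:
    def __init__(self):
        self.contacts = {}       # token -> Contact
        self.suppressed = set()  # tokens only, no readable personal data

    def add(self, c: Contact) -> bool:
        """Refuse re-import of anyone who opted out (e.g. via a purchased list)."""
        t = token(c.email)
        if t in self.suppressed:
            return False
        self.contacts[t] = c
        return True

    def opt_out(self, email: str) -> bool:
        """Delete the record, keep only the token. True if data was held."""
        t = token(email)
        self.suppressed.add(t)
        return self.contacts.pop(t, None) is not None

    def may_contact(self, email: str) -> bool:
        t = token(email)
        return t in self.contacts and t not in self.suppressed

    def provenance(self, email: str):
        """Basis for answering "where did you get my email address?"."""
        c = self.contacts.get(token(email))
        return None if c is None else (c.source, c.purpose, c.collected_at.isoformat())

    def purge_stale(self, now: datetime) -> int:
        """Drop contacts with no activity inside the retention window."""
        stale = [t for t, c in self.contacts.items()
                 if now - c.last_activity > RETENTION]
        for t in stale:
            del self.contacts[t]
        return len(stale)
```
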

For more information about what is “cleaning up” CRM and whether there is a need for it, we recommend that you read the articles (in English) that were published over the past month regarding “cold” mailings:

CRM 101 Service: How Cluttered Is Your Data?

Trigger mailing: how to create a new business using CRM cleanup

How to keep your data in order after cleaning

If you are worried about the lack of time to clean up CRM - outsource it. This is not a risky procedure. Many companies in Europe offer CRM cleaning and data retrieval services for B2B companies of any size. They also remove leads that you no longer need, and replace them with active contacts with verified contact details, which is the main part of the services provided.

If you plan to transfer personal data anywhere, you must inform the owner thereof.

The human right to privacy and confidentiality means that any personal data that you collect cannot be used by you absolutely freely. You must explicitly notify data owners of your intention to share their data or process their data.

For example, if you are collaborating with another company regarding content, you need to inform everyone who signs up for your intention to share the subscription list with your partner.

You must also openly inform any of your users, customers or people who have subscribed to your newsletter, where their personal data is actually stored. If you have servers in other countries, you must explicitly indicate this in your Privacy Policy or on your website.

If you store personal data, you must take the necessary precautions to ensure their safety.

Not so long ago, on May 25, companies that failed to prevent data leakage and delayed informing data owners about the hack received rather substantial fines. Both TalkTalk and Carphone Warehouse received a £400,000 fine for this particular violation.

The security of personal data is a key aspect of the GDPR and, if you store personal data, it should also be in the spotlight for you.

A few key points about data security:

Step Five: Prepare an Informative Response to Complaints and Questions According to GDPR

Finally, prepare for a possible negative reaction to your newsletter. There is a lot of incorrect information about GDPR and how it will affect sales and marketing strategies in the future. You should expect, at the very least, annoyed replies to the newsletter.

Of course, if your method of selecting recipients is accurate, and the letter is respectful and informative, then your proposal can bring a positive result. However, in some cases a sharply negative reaction awaits you. Cold newsletters are still cold newsletters, no matter how relevant they are.

Here are some questions you may be asked, along with what you should indicate in your answer. Any answer may include a combination of these three main points.

Question: “What right do you have to write to me?”

This is an absolutely legitimate question from a potential customer, even if his email address is corporate. The fact that the customer’s name is written in the email address makes this address personal data. This article by GDPR consultant Mark Gracie explains in more detail - When B2B data is personal data and what does it mean for GDPR (in English).

Your legitimate interest needs context (explanation). If your service is not specifically related to the charter of the company, then you need to explain the reasons why you considered them a suitable person for communication.

By keeping detailed records of the lead generation process, you can give an exhaustive answer on how and why you received the person’s data.

If your service is not specifically related to the charter of the company, explain the reasons why you considered them to be suitable persons for contact. New company project? Their website? Their LinkedIn profile? The article they recently published?

If you send emails to a wide circle of people, take care to research the companies you contact. Is there anything on their website or in the press that gives you a reason to send them an email? Have you been helpful to other companies in the industry? There are more general answers that do not require a detailed study of someone’s “likes” on LinkedIn.

If you used the analysis of past customers to compile target criteria (a typical customer profile), then here is the answer that you can use in your mailing list:

“We have collected and processed your data based on legitimate interest. Considering how useful our [product / service] was for [company profile / potential client profile] in the past, I assumed that our offer would interest you.”

Here is another example of an answer that can also be used:

“I studied [company name], because I thought that our services could be interesting, given the success that we saw in the decisions of the company **** in the past, and after finding your public profile on LinkedIn, I thought that you are the most suitable person to contact to provide our services. Then I guessed your email address and verified it with the verification tool that we use when creating mailing lists for all our customers.”

Question: “Where did you get my data?”

Explain where you found their data, why you thought that they were suitable for contact, and why you decided that your proposal would be of interest to them.

Again, if you keep a detailed lead generation log or request it from your suppliers, then in this case you have a comprehensive answer to this question. For example, if you use LinkedIn to search for your potential customers, a good answer to this claim would be:

“We use a third-party search service (www.***.com), and they found your profile on LinkedIn, since you match the profile of our typical client. Then they guessed your email using publicly available information and checked it with a validation tool.”

Question: “What information do you have about me?”

The GDPR ensures the right of your potential customers to receive information and the right of access to it, which means that upon request, you must provide the information that you collected and describe how it was processed. A good answer in this case would be:

“Your name, email address, company name and position are the only data that we store. In accordance with your rights, we will delete this data from our database if you are not interested in our services or simply want us to delete it. Your data is not stored in another database and is not resold.”

A separate and big question is how to collect data for company databases. We do this with the help of parsing sites (more precisely, their content) and we will describe the entire process separately in a new article.

Maxim Kulgin,

