GDPR Cold Calling: What Sales Teams Can (and Can't) Do
A rep on r/sales posted that their company started prohibiting cold calls to the majority of EU countries except the UK - all because of GDPR. Legal killed the EU pipeline overnight. The problem? GDPR doesn't ban cold calling. It never did. Most companies that stop dialing into Europe aren't following the law - they're following fear.
What You Need (Quick Version)
- Can you legally cold call in the EU? Yes, via legitimate interest under Article 6(1)(f). You don't need consent.
- What do you need to document? A Legitimate Interest Assessment for each campaign. Not a one-time generic form.
- What do you say when someone asks "where did you get my number?" You disclose the source and your privacy info under Article 14. Script below.
B2B Cold Calls Are Legal Under GDPR
Article 6(1)(f) provides a lawful basis for processing personal data when you have a "legitimate interest" that isn't overridden by the individual's rights. Recital 47 goes further and explicitly states that direct marketing may be regarded as carried out for a legitimate interest. That's not a loophole - it's the regulation's own language.
The alternative basis is consent, which is impractical for outbound sales. You can't get consent before you make first contact. That's the whole point of cold calling.
Here's the thing: GDPR actually makes outbound calling better, not harder. It forces you to target precisely, document your rationale, and respect opt-outs immediately. Precise targeting converts better than spray-and-pray - that's basic sales math. In our experience, teams that embrace the documentation requirements end up with tighter ICPs and shorter sales cycles because they're forced to think about who they're calling and why before a single dial goes out.
One caveat. GDPR isn't the only law governing calls. National ePrivacy rules in each EU country add calling-specific requirements, so always check the local regime before dialing into a new market.
The Legitimate Interest Assessment
A Legitimate Interest Assessment (LIA) is the document that proves you thought this through before you picked up the phone. It's a three-part test.

Purpose test. Identify your legitimate interest. For outbound calls, this is straightforward: "We're contacting VP-level buyers at mid-market SaaS companies to introduce our compliance automation platform." Be specific to the campaign, not generic.
Necessity test. Is calling necessary to achieve that purpose? If you've exhausted email and the prospect hasn't responded, a phone call is a reasonable next step. Document why other channels weren't sufficient.
Balancing test. Do the prospect's rights override your interest? In B2B scenarios, outreach to someone in a relevant business role is usually easier to justify than outreach to a private individual - consider the role, the data source, and the context. A CFO at a 200-person fintech company who's publicly listed on the company's leadership page is a very different calculus than a random mobile number scraped from a personal social profile.
The ICO publishes a downloadable LIA template (Word doc). Use it. File one per campaign, not one per year. If you can't explain why you're calling a specific segment, you shouldn't be calling them.
UK Rules: PECR, TPS, and CTPS
The UK is one of the clearest major markets for B2B cold calling because the ICO spells out an opt-out model for live marketing calls to corporate subscribers, with TPS/CTPS and objections as hard stops.

What you can do
Make live marketing calls to corporate subscribers - companies, LLPs, Scottish partnerships - without prior consent, as long as the number isn't on the TPS or CTPS registers and the business hasn't previously objected. You must display caller ID and identify your organisation.
Hard stops
Sole traders and some partnerships count as "individual subscribers" under PECR. They get the same protections as consumers. If a number is on TPS/CTPS, you generally can't make unsolicited marketing calls unless the recipient has specifically told you they don't object to your calls. Screen your lists frequently - there's a 28-day registration lag.
The trap most teams miss
UK GDPR still applies when you're processing personal data like named contacts and direct dials. You need a lawful basis even if PECR doesn't require consent for the call itself. Lots of teams get this backwards: they clear the PECR hurdle and forget they're still handling personal data.

The balancing test gets easier when your data has a clean paper trail. Prospeo's 125M+ verified mobile numbers are sourced through a Zero-Trust data partner policy with full provenance - so when a prospect asks "where did you get my number?", you have a defensible answer. GDPR-compliant, with DPAs available.
Pass the LIA balancing test before you ever pick up the phone.
What Changed in 2025-2026
The Data Use and Access Act 2025 clarified something important: under updated PECR definitions, a "call" and "communication" can still count even if they don't reach the intended recipient. An infringement can occur even if the call doesn't connect.
This matters for teams running high-volume dialers. Every dial - answered or not - needs to be defensible. Most compliance guides online are still stuck in 2018 and don't mention this change. If you're building or reviewing your outbound playbook in 2026, factor this in.
Do Companies Actually Get Fined?
Yes. In September 2025, the ICO fined two energy companies £550,000 total for unlawful automated marketing calls. Green Spark Energy made 9.5 million automated calls. Home Improvement Marketing's overseas call centre made 2.4 million in three months, generating 274 complaints.

The investigation uncovered WhatsApp messages between staff discussing "how to avoid getting caught." A director admitted no consent was obtained. Due diligence on data providers? Never conducted. The pattern in enforcement is simple: no documentation, no provenance records, no compliance controls. The ICO doesn't care whether it was sloppy or malicious - the outcome is the same.
"Where Did You Get My Number?"
This is the question that kills deals and triggers complaints. A rep on r/sales described using Kaspr to pull mobile numbers and getting "pretty aggressive" reactions from prospects. Mobile numbers sourced via data enrichment tools feel invasive because they're tied to personal identity, 2FA, and security.
Under Article 14, when you didn't collect the data directly from the person, you need to provide privacy information - including the source - within a reasonable time. If you're contacting them, that means at the latest during your first communication. Here's a script that works:
"I found your contact details through a professional data provider that sources business information from public records and professional profiles. I'm reaching out because [specific reason tied to their role]. If you'd prefer I remove your details, I'll do that right now."
Say it calmly. Don't apologize for calling. The real risk isn't the call itself - it's where you got the number and whether you can defend that source. If your data provider can't tell you where a number came from, you're exposed.

Compliance Is a Data Problem, Not a Dialing Problem
Let's be honest: the companies getting fined aren't getting fined for cold calling. They're getting fined for not knowing where their data came from. Every enforcement action we've seen follows the same pattern - no source records, no vendor due diligence, no audit trail.

Here's the operational checklist:
- File a per-campaign LIA before any calls go out
- Log the lead source (link + timestamp) for every contact
- Screen every UK list against TPS and CTPS
- Process DNC requests within minutes, not end-of-day
- Display caller ID on every call
- Maintain an audit trail of all interactions
- Source data from a provider that verifies in real time and enforces opt-outs
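The checklist above is a data-handling procedure, so here is an added, runnable sketch of what it looks like as code. This is an example written for this page, not code from the article, the ICO, Prospeo or any other provider named here: the register contents, lead records, URLs and LIA reference are constructed placeholders, and a real TPS/CTPS screen is run against the licensed register rather than a local set. It records source and timestamp per lead, refuses to dial without provenance or an LIA reference, screens against the suppression register, honours a removal request on the spot, and writes every decision (answered or not) to an audit trail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the result of a TPS/CTPS screen. A real screen is run
# against the licensed register; here it is a set of E.164-normalised numbers.
SUPPRESSION_REGISTER = {"+442079460101", "+447700900777"}


def normalise_uk(number: str) -> str:
    """Normalise common UK number formats to E.164 so screening compares like
    with like: '020 7946 0101', '+44 20 7946 0101' and '00442079460101' all
    become '+442079460101'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if number.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return "+" + digits


@dataclass
class Lead:
    name: str
    role: str
    number: str
    source_url: str          # Article 14: where the contact data came from
    captured_at: datetime    # when it was captured (link + timestamp)
    lia_ref: str             # the per-campaign LIA this lead falls under
    dnc: bool = False
    prior_objection: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event: str, lead: Lead, detail: str = "") -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "number": normalise_uk(lead.number),
            "detail": detail,
        })


def may_dial(lead: Lead, register: set, log: AuditLog) -> tuple:
    """Decide whether a single dial is defensible and log the decision either
    way, since an unanswered dial still has to be justifiable."""
    if not lead.source_url or not lead.lia_ref:
        reason = "no provenance or LIA reference"
    elif lead.dnc or lead.prior_objection:
        reason = "recipient has opted out or objected"
    elif normalise_uk(lead.number) in register:
        reason = "number on TPS/CTPS"
    else:
        log.record("dial_permitted", lead, lead.lia_ref)
        return True, "ok"
    log.record("dial_blocked", lead, reason)
    return False, reason


def process_dnc(lead: Lead, log: AuditLog) -> Lead:
    """Honour a removal request immediately, not at end of day."""
    lead.dnc = True
    log.record("dnc_request", lead, "removed during call")
    return lead


def provenance_answer(lead: Lead) -> str:
    """The answer to 'where did you get my number?', built from the stored record."""
    return f"Source: {lead.source_url}, captured {lead.captured_at.date().isoformat()}"


# Constructed sample leads; names, numbers, URLs and the LIA reference are placeholders.
_CAPTURED = datetime(2026, 1, 12, tzinfo=timezone.utc)
SAMPLE_LEADS = [
    Lead("A. Example", "CFO", "020 7946 0102", "https://example.com/leadership", _CAPTURED, "LIA-2026-Q1-FINTECH"),
    Lead("B. Example", "VP Sales", "+44 20 7946 0101", "https://example.com/team", _CAPTURED, "LIA-2026-Q1-FINTECH"),
    Lead("C. Example", "COO", "07700 900123", "", _CAPTURED, "LIA-2026-Q1-FINTECH"),  # no source logged
]


def run_checklist(leads, register=SUPPRESSION_REGISTER):
    """Screen a list and return {lead name: (allowed, reason)} plus the audit log."""
    log = AuditLog()
    decisions = {lead.name: may_dial(lead, register, log) for lead in leads}
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_checklist(SAMPLE_LEADS)
    for name, (ok, why) in decisions.items():
        print(f"{name}: {'DIAL' if ok else 'BLOCK'} ({why})")
    print(provenance_answer(SAMPLE_LEADS[0]))
```

Run as-is, the first lead is permitted, the second is blocked by the register, and the third is blocked because no source was logged; a later `process_dnc` call flips the first lead to blocked on the next attempt, with all five decisions in the audit log.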
That last point is where most teams fall down. As one compliance-focused SDR leader put it on r/GrowthHacking: "Store source documentation for every lead - link and timestamp - so you can answer the provenance question in seconds."
Prospeo verifies emails and mobile numbers in real time, refreshes data every 7 days versus the 6-week industry average, and enforces opt-outs globally. With 125M+ verified mobile numbers and 98% email accuracy, you get data you can actually defend when a prospect challenges you. Cognism is another solid option if you want DNC-screened data baked into the platform, though expect enterprise pricing, typically around $1,000-$3,000/month for small teams with annual contracts.
Skip Cognism if you're a small team or agency that needs self-serve access without a sales call. It's built for mid-market and up.
If you're tightening your outbound motion, it also helps to standardize your sales prospecting process, keep your ideal customer profile explicit, and run everything through a repeatable cold calling system with clean contact management.

The companies that got fined had no data provenance, no due diligence on providers, and no documentation. Prospeo is GDPR compliant with 5-step verification, opt-out enforcement, and a 7-day data refresh cycle - so your call lists never go stale and your sourcing is always audit-ready.
Stop dialing on fear. Start dialing on data you can defend.
FAQ
Is cold calling illegal under GDPR?
No. Legitimate interest under Article 6(1)(f) provides a lawful basis for B2B cold calling without prior consent. You need a documented Legitimate Interest Assessment per campaign, and you must honour opt-outs immediately.
Do I need consent for B2B cold calls in the UK?
Not for live calls to corporate subscribers. Screen against TPS and CTPS, honour previous objections, display caller ID, and identify your organisation. Sole traders and some partnerships get stricter consumer-level protections under PECR.
How do I stay compliant when using enrichment tools for mobile numbers?
Use a provider that verifies in real time and enforces opt-outs globally. Log the source of every number and disclose it on the call per Article 14. Process removal requests immediately.
What's the biggest compliance risk with GDPR cold calling?
Lack of data provenance. Every ICO enforcement action follows the same pattern: no documentation, no source records, no due diligence on data vendors. If you can't prove where a number came from within seconds, you're the next case study.