GDPR for B2B email outreach in Romania — what's legal in 2026

Published 11 June 2026 · 7 min read · by Mircea Crașoveanu

The most common fear among founders in Romania — especially notaries, accountants, lawyers, clinics — is “if I send an email to a company I haven’t spoken with before, will I get a GDPR fine?”. Good news: GDPR DOES NOT prohibit B2B cold email. What matters is not “whether I'm allowed or not”, but on what legal basis you also do it how transparent you are. Below, briefly and practically.

⚠️ Note: this is an informational guide, not legal advice. For your specific case, check with a lawyer or the data protection officer.

1. Legal basis: legitimate interest, not necessarily consent

GDPR gives you multiple “legal bases” to process data. For contacting companies (B2B), the usual basis is legitimate interest — Art. 6(1)(f). You do not need explicit consent before sending a business email to a company, if you can demonstrate a reasonable business reason.

2. The 3-step Test (Legitimate Interest Assessment)

To base it on legitimate interest, you also do document the process A LIA - a short note answering 3 questions:

1) Objective

What is the legitimate interest? Ex: "Identifying companies that may need our accounting services". It must be real and concrete.

2) Necessity

Direct contact is necessary to achieve your objective? If there is a less intrusive but equally efficient way, use it.

3) Balance

Your interest vs. the recipient's rights. A relevant email, to a business address, with an easy opt-out, passes the balance. An irrelevant message, to thousands of addresses, with sensitive data - no.

Keep the LIA written. If someone asks (or ANSPDCP), you have proof that you thought ahead, not at something unreal.

3. Romania - stricter than EU average

Romania is among states that request clear information on how data will be used and leans towards a cautious approach (opt-in where applicable). Basically: be explicit about who you are and why you're writing, offer easy unsubscription, and don't persist after someone says "no". The supervisory authority is ANSPDCP.

4. What every email must contain by law

5. Where data comes from is extremely important

The difference between 'legal' and 'risk' starts at the source:

How does LeadMotor AI: work GDPR-first, on signals and official public data (ONRC, ANAF, CAEN), we automatically anonymize any personal data before processing, and each message has a one-click unsubscribe link (RFC 8058) + privacy policy link. Result: contact with real companies at the right time, without grey areas. Talk to Mircea →

Frequently Asked Questions

Is cold B2B email legal in Romania under GDPR?

Yes. GDPR does not prohibit it. Article 6(1)(f) allows contacting companies for legitimate interest, if you pass and document the three-step test and are transparent (opt-out, address, identity, privacy policy link). It does not apply to personal addresses / B2C, which require consent.

Do you need consent for a business email?

For a business address of a company, the usual base is legitimate interest (with a documented LIA), not consent. For personal addresses — yes, consent.

What must an email contain according to GDPR?

The sender's identity, a physical address, a mechanism for unsubscription (preferably one-click, RFC 8058) and a link to the privacy policy. Immediate honor-based opt-out.

Related guides: B2B email deliverability · How to find B2B clients

Do you want new clients without the gray zone GDPR? LeadMotor finds, verifies, and contacts the right companies — legally, on official data, with PII redaction and one-click unsubscription.

Start the free test on 20 companies →