GDPR for B2B email outreach in Romania — what's legal in 2026
Published 11 June 2026 · 7 min read · by Mircea Crașoveanu
The most common fear among founders in Romania — especially notaries, accountants, lawyers, clinics — is “if I send an email to a company I haven’t spoken with before, will I get a GDPR fine?”. Good news: GDPR DOES NOT prohibit B2B cold email. What matters is not “whether I'm allowed or not”, but on what legal basis you also do it how transparent you are. Below, briefly and practically.
1. Legal basis: legitimate interest, not necessarily consent
GDPR gives you multiple “legal bases” to process data. For contacting companies (B2B), the usual basis is legitimate interest — Art. 6(1)(f). You do not need explicit consent before sending a business email to a company, if you can demonstrate a reasonable business reason.
- Business address (office@, contact@, a professional role in a company) → usually legitimate interest, with documented evaluation.
- Personal address or physical person (B2C) → you need consent. Legitimate interest does not cover here.
2. The 3-step Test (Legitimate Interest Assessment)
To base it on legitimate interest, you also do document the process A LIA - a short note answering 3 questions:
1) Objective
What is the legitimate interest? Ex: "Identifying companies that may need our accounting services". It must be real and concrete.
2) Necessity
Direct contact is necessary to achieve your objective? If there is a less intrusive but equally efficient way, use it.
3) Balance
Your interest vs. the recipient's rights. A relevant email, to a business address, with an easy opt-out, passes the balance. An irrelevant message, to thousands of addresses, with sensitive data - no.
Keep the LIA written. If someone asks (or ANSPDCP), you have proof that you thought ahead, not at something unreal.
3. Romania - stricter than EU average
Romania is among states that request clear information on how data will be used and leans towards a cautious approach (opt-in where applicable). Basically: be explicit about who you are and why you're writing, offer easy unsubscription, and don't persist after someone says "no". The supervisory authority is ANSPDCP.
4. What every email must contain by law
- Clear identity — who you are, what company you represent.
- Physical address — a real postal address.
- Unsubscribe — a simple mechanism, ideally one-click (RFC 8058). Honored immediately.
- Link to privacy policy — how data is processed.
5. Where data comes from is extremely important
The difference between 'legal' and 'risk' starts at the source:
- ✅ Official public data — company registries (ONRC/Commercial Register), ANAF, CAEN codes. Public company data, accessible legally.
- ⚠️ Purchased lists — often old, unclear origin, with personal addresses mixed in. High risk (cannot prove legal basis).
- ❌ Personal data extracted from context (CNP, personal phone number, personal email) — do not search for in B2B outreach.
Frequently Asked Questions
Is cold B2B email legal in Romania under GDPR?
Yes. GDPR does not prohibit it. Article 6(1)(f) allows contacting companies for legitimate interest, if you pass and document the three-step test and are transparent (opt-out, address, identity, privacy policy link). It does not apply to personal addresses / B2C, which require consent.
Do you need consent for a business email?
For a business address of a company, the usual base is legitimate interest (with a documented LIA), not consent. For personal addresses — yes, consent.
What must an email contain according to GDPR?
The sender's identity, a physical address, a mechanism for unsubscription (preferably one-click, RFC 8058) and a link to the privacy policy. Immediate honor-based opt-out.
Do you want new clients without the gray zone GDPR? LeadMotor finds, verifies, and contacts the right companies — legally, on official data, with PII redaction and one-click unsubscription.
Start the free test on 20 companies →