TL;DR
You cannot send unsolicited B2B cold emails in Germany without prior consent. Unlike France, the Netherlands, or the UK, Germany applies UWG Section 7 equally to B2B and B2C - making cold email to any recipient "unreasonable harassment" without express consent. Double opt-in is not technically in the statute, but German courts accept nothing less as proof of consent. The compliant path: use GDPR legitimate interest to build your prospect database, then obtain documented email consent before sending. Two proven approaches: (1) Phone-first - cold call (legal under presumed consent), get verbal email consent during the call. (2) LinkedIn-first - send a connection request (no promo content), then once accepted, ask via LinkedIn message if you can follow up by email. A LinkedIn connection acceptance alone is not consent - but the conversation that follows is how you get it. Only then add prospects to email sequences. Existing customers can receive email under UWG Section 7(3) if all five conditions are met. Since November 2025, free trial registrations also count as a "sale" for this purpose (ECJ Case C-654/23).
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. It reflects our understanding of the legal landscape as of April 2026 and may not cover all aspects relevant to your specific situation. Overloop is a software company, not a law firm. We recommend consulting a qualified German lawyer (Rechtsanwalt/Fachanwalt fur IT-Recht) before making compliance decisions. GDPR applies to data subjects in Germany regardless of where your company is established (Art. 3(2)), and UWG claims can be brought in German courts against foreign companies under the Brussels I Regulation.
Quick Scan: Every Rule Covered
Germany's requirements and how Overloop addresses each one.
Germany is the strictest EU market for B2B cold email. Most guides tell you that GDPR legitimate interest covers B2B outreach across Europe. That is true in France, the Netherlands, Ireland, and the UK. It is not true in Germany.
Germany applies two separate legal frameworks to email outreach - GDPR and UWG (Gesetz gegen den unlauteren Wettbewerb, the Unfair Competition Act). Understanding the distinction between these two laws is the single most important thing you need to know before prospecting into the German market.
This guide covers the actual legal requirements, not simplified summaries. It explains what you can and cannot do, why, and exactly how to run compliant B2B outreach campaigns that target German prospects.
Two Laws, Two Questions: GDPR vs. UWG
This is the concept that most compliance guides miss. Germany applies two separate legal frameworks to outbound email, and they answer different questions:
| Legal Framework | Question It Answers | Legal Basis for B2B | Result |
|---|---|---|---|
| GDPR (Art. 6(1)(f)) | Can I process this person's data? | Legitimate interest | Yes - you can build a prospect database |
| UWG (Section 7(2)) | Can I send this person an email? | Prior express consent | No - not without consent |
The GDPR legitimate interest basis works for data processing. GDPR Recital 47 explicitly states that "processing personal data for direct marketing purposes may be considered a legitimate interest." You can legally collect, store, and enrich B2B contact data for German prospects. That part is fine.
UWG Section 7 blocks the actual email. This is Germany's implementation of the ePrivacy Directive, and it functions as "lex specialis" - a specialized law that overrides GDPR on the specific question of electronic communications. UWG Section 7(2) No. 3 states that email advertising without prior express consent constitutes "unreasonable harassment." This applies regardless of whether the recipient is a private individual or a business.
The practical consequence is clear: having a GDPR-compliant database of German B2B contacts does not give you permission to email them. You need to satisfy both laws.
Overloop's B2B contact database operates under GDPR legitimate interest for data processing. That part is covered. But because UWG blocks unsolicited email, Overloop's multi-channel sequences let you start with a phone call or LinkedIn connection request for German prospects and only move to email after consent is collected. The platform supports this two-law workflow by design - and it is the reason email-only tools cannot legally operate in Germany for cold outreach.
The Double Opt-In Question
The common claim is that "Germany requires double opt-in." This is a simplification, but it is practically correct.
The statute: Neither GDPR nor UWG Section 7 explicitly mandates double opt-in as a method. UWG Section 7(2) requires "prior express consent" for email marketing but does not specify how that consent must be verified.
The courts: The German Federal Supreme Court (Bundesgerichtshof, BGH) has consistently held (I ZR 164/09; I ZR 218/07) that single opt-in is "by no means sufficient to prove consent." The BGH stated that double opt-in is "a more appropriate means" to prove consent, provided the confirmation email itself remains "completely neutral" - no promotional content in the confirmation message.
The bottom line: Double opt-in is not technically required by the letter of the law. But it is the only evidentiary standard German courts accept as sufficient proof of valid consent. Any company that relies on single opt-in in Germany cannot prove consent in court. That makes double opt-in a de facto requirement.
Overloop's consent tracking records the exact timestamp, source, and scope of each contact's consent. When a prospect gives you verbal permission on a call, you log it in Overloop with the date and context. If a court or DPA ever asks you to prove consent, you have an auditable trail ready to export.
B2B vs. B2C: Germany Has No B2B Email Exemption
This is where Germany diverges from the rest of Europe. Most EU countries treat B2B and B2C email differently. Germany does not - at least not for email.
| Channel | B2B Rule | B2C Rule | Key Detail |
|---|---|---|---|
| Consent required | Consent required | UWG §7(2) applies identically to both. No B2B exemption. | |
| Phone | Presumed consent OK | Express consent required | B2B cold calling is legal if you have concrete indications of interest. |
| Postal mail | Legitimate interest OK | Legitimate interest OK | Most permissive channel. GDPR Art. 6(1)(f) is sufficient. |
| LinkedIn connection requests | Generally OK | Generally OK | Non-promotional connection requests are not considered advertising under UWG §7. This makes LinkedIn a compliant channel to initiate contact and obtain email consent through conversation. |
| LinkedIn messages (promo) | Grey area | Grey area | InMail or messages with promotional content may be treated as electronic marketing under UWG §7. Keep initial messages conversational, not commercial. |
Compare this to France, where B2B cold email to corporate addresses about professional topics is legal without opt-in. Or the Netherlands, where published corporate addresses can receive cold email. Or the UK, where PECR allows unsolicited email to corporate subscribers.
In Germany, none of these exemptions exist for email. A B2B sales email to a CEO at their corporate address requires the same level of consent as a promotional email to a consumer. This also applies to generic corporate addresses (info@, kontakt@). German courts (OLG Munich, 29 U 857/12) have confirmed that UWG Section 7(2) protects businesses from unsolicited commercial email at any address, personal or generic.
This is exactly why Overloop built multi-channel sequences. A single campaign can combine phone calls, LinkedIn touches, and email steps in one workflow. For German prospects, you start with phone or LinkedIn (both legal for initial contact), collect email consent during the conversation, then let the sequence automatically move them to email follow-up. One sequence, different rules per market. This is Overloop's competitive advantage in strict markets like Germany: the LinkedIn + email combo lets you prospect at scale without breaking the law.
How Germany Compares to Other EU Markets
| Country | B2B Cold Email Without Consent? | Law | Notes |
|---|---|---|---|
| France | Yes | LCEN + CNIL guidance | Allowed to corporate addresses about professional topics |
| Netherlands | Yes | Telecommunicatiewet | Published corporate addresses, opt-out required |
| Ireland | Yes | SI 336/2011 | Corporate subscribers only |
| UK | Yes | PECR | Corporate subscribers, with opt-out |
| Sweden | Yes | Marknadsforingslagen | B2B allowed with opt-out |
| Germany | No | UWG §7(2) | Consent required even for B2B |
| Spain | No | LSSI-CE | Explicit consent required |
| Italy | No | D.Lgs 196/2003 | Consent required, Garante enforces aggressively |
| Belgium | No (with nuance) | WER (XII.13) | Prior consent generally required. Some tolerance for B2B email to published generic corporate addresses about professional topics. |
| Austria | No (with nuance) | TKG 2021 §174 | Prior consent generally required, but some case law supports B2B email to published business addresses. More permissive than Germany. |
| Poland | No | Prawo telekomunikacyjne | Prior consent for all electronic marketing |
The Existing Customer Exception: UWG Section 7(3)
There is one way to send email to German contacts without fresh consent. UWG Section 7(3) provides an "existing customer" exception - but it has strict conditions. All five must be met simultaneously:
- Prior business relationship. A real contractual relationship must exist. The email address must have been obtained directly from the customer in the context of a sale or service agreement. Merely requesting information, leaving items in a shopping cart, or creating an account without completing a transaction was historically not sufficient.
- Similar products or services only. You can only advertise products or services that are similar to what the customer already purchased. German courts apply a strict standard: products must be "interchangeable" or serve "the same or at least a similar need or purpose." You cannot use this exception to cross-sell your entire product range.
- No prior objection. The customer must not have previously objected to receiving marketing communications from you.
- Clear opt-out in every email. The customer must be informed of their right to object at no cost, both at the time of data collection and in every subsequent email.
- Sender clarity. The email must clearly identify the sender and include an Impressum (legal notice with company details).
The ECJ Freemium Ruling (November 2025)
In November 2025, the European Court of Justice issued a ruling (Case C-654/23) that expanded the interpretation of the existing customer exception. The ECJ indicated that free service registrations - freemium signups, free trial accounts - may qualify as a "sale" for purposes of the existing customer privilege, though national courts must still apply the specific conditions of their local implementation.
If this interpretation holds in German courts: when someone registers for a free trial of your product, you may email them about similar paid offerings under the soft opt-in, without needing separate consent. All other conditions of UWG Section 7(3) still apply strictly.
The ECJ also clarified that ePrivacy rules function as lex specialis in this area. However, GDPR still applies to the underlying personal data processing. Companies should ensure they have a documented legal basis under both frameworks.
This is a potential opening for SaaS companies with free tiers. But it only covers existing users who signed up voluntarily - not cold prospects. And because German courts have not yet issued domestic rulings applying C-654/23 to the UWG Section 7(3) framework specifically, the safest approach is to treat this as a developing area of law and consult with qualified German counsel before relying on it.
You can tag contacts in Overloop as "existing customer" or "free trial user" and build dedicated sequences for them that only promote similar features or upgrades. Overloop's automatic unsubscribe management ensures condition #4 (clear opt-out) is met in every email, and sender identification is baked into your email templates. The five conditions become a workflow, not a checklist you hope your team remembers.
Five Compliant B2B Outreach Strategies for Germany
Cold email is off the table without consent. That does not mean B2B prospecting into Germany is impossible. It means you need to use different channels and sequences.
Strategy 1: Phone-First, Then Email (Recommended)
This is the standard approach for compliant B2B outreach in Germany and the one most successful sales teams use.
- Build your prospect list. Use GDPR legitimate interest (Art. 6(1)(f)) to collect and process B2B contact data. This is legal.
- Cold call the business contact. B2B cold calling is permitted under UWG Section 7(2) No. 1 when there is "presumed consent" (mutmassliche Einwilligung). This requires objective, specific facts that suggest this particular business would welcome the call - for example, they operate in an industry with a documented need your product addresses, they recently signaled buying intent (website visit, content download, trade show attendance), or they have publicly sought solutions in your category. Generic B2B relevance ("all companies could benefit") is not sufficient. German courts (BGH, I ZR 169/07) apply this standard strictly.
- Obtain verbal consent for email follow-up during the call. Ask explicitly: "Can I send you more details by email?"
- Document the consent. Record the date, time, and scope of consent in your CRM. Best practice: immediately after the call, send a brief confirmation email asking the prospect to confirm their consent in writing. This creates a verifiable record that is stronger than a CRM note alone.
- Send email. Now you have a consented contact. Add them to your email sequence.
This approach converts cold prospects into consented contacts through a legal channel (phone), then moves them into email. It works within the law and maintains high-quality pipeline.
Build a multi-channel sequence in Overloop with a phone step first. When your sales rep completes the call and logs consent, the sequence automatically triggers the email follow-up. No manual handoff, no forgotten follow-ups, and the consent record is tied to the contact. Your team can scale the phone-first approach across hundreds of German prospects without losing track of who consented and who did not.
Strategy 2: Inbound Consent Collection
Content marketing, webinars, events, and trade shows. Collect explicit consent through forms with double opt-in verification. Business cards exchanged at trade shows may constitute consent if the circumstances demonstrate intentional agreement - but document the context.
Strategy 3: Existing Customer Email (UWG Section 7(3))
If you have paying customers or free trial users in Germany, email them about similar products or services. Meet all five conditions. Do not use this exception to cross-sell unrelated products. After the ECJ freemium ruling, this covers your entire active user base - not just paying customers.
Strategy 4: LinkedIn-First, Then Email (Scalable Alternative)
This is the approach that makes Germany manageable at scale - and where multi-channel tools like Overloop provide a real competitive advantage over email-only platforms.
The key insight: non-promotional LinkedIn connection requests are generally not considered advertising under UWG Section 7. This makes LinkedIn a legal channel to initiate contact with cold German prospects. But - and this is critical - accepting a LinkedIn connection is not consent to receive commercial email. German law requires "prior express consent" (vorherige ausdruckliche Einwilligung) that is specific, informed, and freely given. Accepting a connection on a social network does not meet any of these criteria for email marketing: the person is not consenting to email, does not know what products you plan to market, and is not choosing the email channel.
The connection is not the consent. The connection is the channel to obtain the consent. Here is the compliant workflow:
- Build your prospect list. Use GDPR legitimate interest to identify and collect B2B contact data. This is legal.
- Send a LinkedIn connection request. Keep it non-promotional. A short, personal note about shared industry relevance is fine. No pitch, no product mention, no CTA.
- Wait for acceptance. This is your trigger. In Overloop, the accepted connection moves the prospect to the next step in the sequence.
- Send a LinkedIn message. Keep it conversational, not commercial. Introduce yourself, explain briefly what you do, and ask: "Would it be OK if I sent you more details by email?"
- Prospect replies "yes" = documented consent. The LinkedIn conversation is your audit trail. Screenshot or log it in your CRM with the date and context.
- Add to email sequence. Now you have a consented contact. Move them into your email workflow.
This approach is more scalable than phone-first because LinkedIn connection requests can be semi-automated, and the consent conversation happens asynchronously. You are not blocked by phone availability or gatekeepers. And the LinkedIn message history serves as a written consent record - stronger evidence than a CRM note about a phone call.
This is where Overloop's multi-channel engine is a genuine competitive advantage over email-only tools. Build a sequence that starts with a LinkedIn connection request, triggers on acceptance, sends a conversational LinkedIn message asking for email permission, and only moves to the email step after consent is logged. The entire workflow runs in one sequence. No manual handoff, no spreadsheet tracking. Email-only platforms cannot legally operate in Germany for cold outreach - Overloop can, because it has the LinkedIn layer.
Strategy 5: Postal Mail
Physical direct mail under GDPR legitimate interest. Include a call-to-action to opt in for email communications. More expensive per contact than email, but legally clean for cold outreach to German prospects and carries higher response rates for high-value accounts.
Intent Data and Cold Email: What Signal Tools Can and Cannot Do
Intent platforms are everywhere in B2B sales: 6sense, Bombora, Clearbit Reveal, LinkedIn Sales Navigator alerts, Leadfeeder, RB2B, and newer AI-powered tools like Sortlist Radar. They identify which companies visit your website, research your category, or show buying signals on third-party sites. The question every sales team asks when they switch these tools on for the German market: "If a German company visits our pricing page three times this week, can we just add the contacts to an Overloop sequence and hit send?"
The answer is no. And the reasoning is the most misunderstood point in German B2B compliance.
Why intent signals do not unlock cold email in Germany
UWG Section 7(2) treats channels differently:
- Section 7(2) No. 1 allows "presumed consent" (mutmassliche Einwilligung) for B2B phone calls when there are concrete, specific indications that the business would welcome the call.
- Section 7(2) No. 3 requires "prior express consent" for email. No presumption, no exception for intent data, no relief for "warm" leads.
A Radar signal, a Bombora surge, a pricing page visit, a demo request on a comparison site: these are exactly the kind of concrete indications of interest that BGH I ZR 169/07 had in mind when it defined the presumed consent standard for phone outreach. They are legally meaningful. They are useful. But they work in the phone column, not the email column. Intent data makes your phone call compliant. It does not make your email compliant.
Mentioning the signal in the email makes it worse
Sales teams often try to turn the intent signal into email copy: "Hi Max, I noticed your team visited our pricing page twice this week." In the German market, this single sentence stacks three violations in one email:
- UWG Section 7(2) No. 3. The email itself is unsolicited commercial communication without prior consent.
- TDDDG Section 25. You are confirming in writing that you tracked the recipient's device without consent. German authorities treat website tracking pixels and visitor identification tools the same way they treat cookies.
- GDPR Article 14. You obtained their identity from a third-party data source (your intent tool or its data partners) without meeting the disclosure requirements within the one-month window.
This is one of the most reliably Abmahnung-triggering email patterns in the German market. Competitors, privacy advocates, and data protection authorities all know the signature.
Risk by channel when acting on intent signals
| Action triggered by signal | Risk level | Why |
|---|---|---|
| Cold email to detected contact | High | UWG §7(2) No. 3 requires express consent. Intent is not consent. |
| Cold email referencing the signal ("we saw you visited") | Very high | Stacks UWG §7 + TDDDG §25 + GDPR Art. 14 in a single message. |
| Cold email, signal hidden, no reference | High | Still a UWG §7 violation. Hiding the source does not cure it and may add transparency issues. |
| Phone call to detected contact | Low | The signal is the documented "concrete indication of interest" the BGH requires for presumed consent. Do not reveal the tracking on the call. |
| Non-promotional LinkedIn connection | Low | Not advertising under UWG §7. Valid path to initiate contact. |
| Postal mail with opt-in CTA for email | Low | GDPR legitimate interest is sufficient. Intent strengthens the LIA. |
The compliant intent-to-email workflow
The signal is a trigger, not a permission slip. Route the signal to the channel the law allows, not the channel that scales fastest.
- Signal fires. Your intent platform flags Company X: three visits to the pricing page, a demo comparison request on a third-party site, a surge in category research, an AI Search query matching your keywords.
- Phone call. A sales rep calls the relevant contact. The intent data is your internal justification for the call, satisfying the BGH standard for presumed consent. Keep the call pitch contextual to their industry and probable use case. Do not say "I saw you on our website."
- Obtain email consent on the call. "Can I send you a case study and pricing by email?" If yes, log timestamp, scope, and context in your CRM. Best practice: send a short confirmation email asking them to reply "yes" to confirm, which turns the verbal consent into a written record.
- Email sequence triggers. Only now does the Overloop email step fire. The first email can reference the phone call, not the signal.
Scalable variant: LinkedIn-first. Signal fires, a personalized non-promotional connection request goes out, the connection acceptance triggers a LinkedIn message asking for email permission, consent is logged, email sequence starts. This is the workflow that makes intent data usable at scale for the German market.
Concrete scenario: Sortlist Radar + agency Overloop campaign
This is a real pattern we see in the market. A Sortlist agency in Germany uses Radar to detect companies researching their service category on Sortlist pages. They then want to run an Overloop outbound campaign to those companies.
Non-compliant version (don't do this):
- Radar flags "Company X researched SEO agencies"
- Agency exports contact list
- Overloop sequence sends email: "Hi Max, saw you were looking at SEO agencies on Sortlist..."
- Result: UWG §7 violation + TDDDG violation + likely GDPR Article 14 violation. A single Abmahnung can cost the agency more than the deal is worth.
Compliant version:
- Radar flags "Company X researched SEO agencies"
- Agency BDR calls the marketing lead. Pitch is industry-contextual ("we work with [similar companies] on SEO"), no mention of the Radar signal or Sortlist tracking.
- During the call, BDR asks: "Can I send you two case studies by email?" Prospect agrees.
- BDR logs consent in Overloop with date, time, scope.
- Overloop sequence triggers the email step. First email references the phone call, not the signal.
- Result: compliant pipeline, auditable consent trail, same business outcome.
Alternative LinkedIn flow: Radar flag triggers a personalized LinkedIn connection request from the agency BDR. On acceptance, a short message asks if email follow-up is welcome. On "yes," the Overloop email sequence starts. Same logic, different channel, fully asynchronous.
Phrases to never put in an email to a German prospect
- "We noticed you visited [specific page]"
- "Our system flagged your company as a match"
- "Based on your recent research into [topic]"
- "You downloaded our guide on [X]" (unless they actually opted in through a form and you can prove it with a double opt-in confirmation)
- "Your colleague [name] suggested I reach out" (without their written permission)
Each of these invites an Abmahnung. A competitor or a privacy-aware recipient only needs to forward the email to a lawyer to trigger proceedings.
Overloop supports the intent-to-channel routing workflow directly. Intent signals from your stack (or from partners like Sortlist Radar) can trigger a sequence that starts with a phone step or a LinkedIn step, not an email step, for German contacts. Consent tracking then records the date, time, scope, and source when the prospect grants email permission. The email step only fires after consent is logged. The signal tells you who deserves attention. The sequence enforces how you are allowed to reach them. Email-only tools cannot draw this line. Multi-channel sequences can.
Data Handling Requirements
Even when you are not emailing German contacts, you still process their data. GDPR requires specific handling.
What Data You Can Process (Under Legitimate Interest)
- Professional email addresses
- Company name, industry, size
- Job title and professional role
- Business phone numbers
- Publicly available business information
Required Disclosures (GDPR Art. 13/14)
When you first contact someone - whether by phone, email, or any other channel - you must provide the following information. Note: when you obtain contact data from third-party sources (Art. 14), you must inform the data subject within one month of acquiring the data or at the latest at first contact. If you build prospect lists from databases, the clock starts when you acquire the data, not when you reach out.
- Your identity as the data controller
- Purpose of data processing
- Legal basis (legitimate interest) and the specific interest
- Data source - where you obtained their contact information
- Data retention period
- Right to object, right to erasure, right to access
- DPO contact information
- Right to lodge a complaint with a supervisory authority
Legitimate Interest Assessment (LIA)
You must document a Legitimate Interest Assessment before processing prospect data. It covers three tests:
- Purpose test: What specific business outcome does the processing serve?
- Necessity test: Could you achieve the same outcome with less data or a less intrusive method?
- Balancing test: Do the individual's rights and freedoms override your legitimate interest?
DSK guidance suggests that a legitimate interest basis for direct marketing data may weaken if there has been no meaningful contact with the data subject for approximately 17 months. This is a practical benchmark, not a statutory deadline. Note that valid consent does not expire through passage of time alone (though it must be freely withdrawable at any time). It is the legitimate interest assessment that weakens over time without interaction. Review and refresh your records regularly.
Data Minimization
Collect only what is necessary for the specific purpose. If your outreach requires name, company, title, and phone number, do not enrich 50 additional data attributes. Document why each data field is needed.
Tracking Pixels and Open Tracking (TDDDG)
This is a compliance point that most B2B platforms overlook.
Germany's TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, formerly TTDSG) Section 25 requires consent for accessing information stored on end-user devices. Tracking pixels in emails technically fall under this rule.
German authorities are increasingly treating tracking pixels like cookies - requiring explicit consent before deployment. Open rate tracking and click tracking in emails sent to German recipients are legally questionable without documented consent.
Practical impact: If you use a sales engagement platform that automatically inserts tracking pixels into emails, consider disabling open and click tracking for German recipients. The compliance exposure is real, and the penalties mirror GDPR enforcement.
Overloop gives you control over tracking at the sequence and contact level. You can disable open tracking and click tracking for specific campaigns or segments. When you build a Germany-focused sequence, turn tracking off for those contacts. You lose some analytics, but you eliminate a compliance risk that most of your competitors are ignoring.
Enforcement in Germany: Three Attack Vectors
German enforcement is real and comes from multiple directions. This is not theoretical risk.
1. Competitor Abmahnung (Cease-and-Desist)
This is the most common enforcement mechanism and the one most companies underestimate. Under German unfair competition law, competitors can send a formal Abmahnung demanding you stop sending unsolicited email and pay their legal costs.
- Even a single unsolicited email can trigger an Abmahnung
- Legal costs range from several hundred to several thousand euros per incident
- Repeat offenses escalate dramatically
- No government involvement required - any competitor can file
2. Data Protection Authority (DPA) Enforcement
German state data protection authorities (Landesdatenschutzbehorden) are the primary enforcement body for email-related GDPR violations and can impose fines up to 20 million EUR or 4% of annual global turnover. The Bundesnetzagentur (telecom regulator) imposed 1.435 million EUR in fines in 2023 for illegal marketing communications, primarily relating to unauthorized phone marketing. Both authorities are actively increasing enforcement.
3. Civil Claims
Individual recipients and businesses can claim damages directly. Consumer protection associations can bring collective actions. German courts have a long track record of ruling against unsolicited commercial email.
How Overloop Handles GDPR Compliance: The Full Picture
You have seen how Overloop addresses each compliance requirement throughout this guide. Here is the complete list in one place:
| German Requirement | What the Law Says | How Overloop Solves It |
|---|---|---|
| Data processing basis | GDPR Art. 6(1)(f) legitimate interest | B2B contact database operates under documented legitimate interest. DPA available for all customers (Art. 28). |
| No cold email without consent | UWG §7(2) requires prior express consent | Multi-channel sequences with phone-first or LinkedIn-first steps. Email only triggers after consent is logged via call or LinkedIn conversation. |
| Consent proof (double opt-in standard) | BGH requires auditable consent records | Consent tracking with timestamp, source, and scope. Exportable for court or DPA requests. |
| Existing customer emails | UWG §7(3) five conditions | Contact tagging for existing customers. Auto-unsubscribe in every email. Sender ID in templates. |
| Opt-out in every email | UWG §7(3) + GDPR Art. 21 | Automatic one-click unsubscribe link. Opt-outs processed immediately, contact suppressed across all sequences. |
| Data subject rights | GDPR Art. 15-20 (access, erasure, portability) | One-click contact deletion and full data export. |
| Tracking pixel consent | TDDDG §25 requires consent for device access | Tracking controls at sequence and contact level. Disable open/click tracking for German segments. |
| Data minimization | GDPR Art. 5(1)(c) | Collect only fields you use. No hidden enrichment beyond what you configure. |
Overloop does not make legal decisions for you. You still need to understand which contacts require consent and which qualify under the existing customer exception. But every compliance requirement in this guide maps to a specific feature in the platform. The tooling supports the workflows German law requires. Compliance depends on how you configure and use these features in accordance with legal advice specific to your situation.
Compliance Checklist: B2B Outreach in Germany
Use this checklist before launching any campaign that targets German prospects.
Before You Start
- Document your Legitimate Interest Assessment (LIA) for data processing
- Prepare your GDPR Article 13/14 disclosures
- Confirm your DPA is in place with your data processor
- Set up consent tracking in your CRM
- Review your data retention policy (17-month DSK guideline)
For Cold Prospects (No Prior Relationship)
- Do NOT send cold email without documented consent
- Option A - Phone-first: cold call under presumed consent (UWG §7(2) No. 1), ask for explicit email consent during the call, document it
- Option B - LinkedIn-first: send non-promotional connection request, once accepted send a LinkedIn message asking if you can follow up by email, log consent when they say yes
- A LinkedIn connection acceptance alone is NOT consent - you must ask and receive explicit permission for email
- Only add to email sequences after consent is recorded
- Alternative: postal mail with opt-in CTA for email
For Existing Customers (UWG §7(3))
- Verify a real contractual relationship exists (sale or free trial registration post-ECJ ruling)
- Send only about similar products or services
- Check that the customer has not previously objected
- Include a clear, cost-free opt-out in every email
- Include full sender identification and Impressum
Every Email You Send
- Working one-click unsubscribe link
- Clear sender identification
- Impressum with company legal details
- Link to privacy policy
- Data source disclosure (how you obtained the contact)
- Consider disabling tracking pixels for German recipients (TDDDG)
Recent Legal Developments (2025-2026)
ePrivacy Regulation Withdrawn (February 2025)
The EU Commission abandoned the draft ePrivacy Regulation after years of negotiation. This means the patchwork of GDPR plus national ePrivacy implementations - UWG and TDDDG in Germany - continues indefinitely. No EU-wide harmonization of email marketing rules is coming.
ECJ Case C-654/23 (November 2025)
The European Court of Justice expanded the existing customer soft opt-in to cover free and freemium registrations. Also clarified that ePrivacy rules are lex specialis - no separate GDPR legal basis is needed when UWG Section 7(3) conditions are met.
TDDDG Consent Management Ordinance (April 2025)
New requirements for how consent management platforms operate in Germany, with direct implications for tracking pixel consent in email.
Increasing DPA Enforcement Activity
German state DPAs continue to increase enforcement actions. The trend toward treating email tracking pixels as requiring separate consent is accelerating.
Frequently Asked Questions
Is B2B cold email legal in Germany?
B2B cold email without prior consent is not legal in Germany. Unlike most EU countries, Germany's UWG Section 7(2) treats unsolicited commercial email as "unreasonable harassment" regardless of whether the recipient is a business or consumer. You need prior express consent or must qualify under the existing customer exception (UWG Section 7(3)).
Does Germany require double opt-in for email marketing?
Double opt-in is not explicitly written into German statute law. However, the German Federal Supreme Court (BGH) has ruled that single opt-in is insufficient to prove consent. Double opt-in is the only evidentiary standard German courts accept. In practice, this makes double opt-in a de facto requirement for any email marketing where you need to prove consent.
What is the difference between GDPR and UWG for cold email in Germany?
GDPR and UWG address two different questions. GDPR (Article 6(1)(f)) governs whether you can process someone's personal data - and legitimate interest is a valid legal basis for B2B contact data. UWG Section 7 governs whether you can send the email - and it requires prior express consent. Having a GDPR-compliant database does not give you permission to cold email those contacts under German law.
Can I cold call B2B prospects in Germany instead of emailing them?
Yes. Germany treats B2B phone outreach differently from email. Under UWG Section 7(2) No. 1, B2B cold calling is permitted when there is "presumed consent" (mutmassliche Einwilligung) - concrete indications that the business contact would be interested in your product or service. This is why the phone-first, email-second approach is one of the standard compliant B2B outreach strategies in Germany.
Does accepting a LinkedIn connection count as consent to receive email?
No. Accepting a LinkedIn connection is not valid email marketing consent under German law. UWG Section 7(2) requires "prior express consent" that is specific (the person knows they are consenting to email), informed (they know what products will be marketed), and freely given. Accepting a social media connection meets none of these criteria. However, LinkedIn is a legal channel to initiate contact: send a non-promotional connection request, then once accepted, ask via LinkedIn message if you can follow up by email. When the prospect explicitly agrees, that is documented consent. The connection is not the consent - the conversation is.
What is the existing customer exception under UWG Section 7(3)?
UWG Section 7(3) allows you to email existing customers without fresh consent if all five conditions are met: (1) you obtained the email during a prior sale, (2) you advertise similar products or services only, (3) the customer has not objected, (4) you include a clear opt-out in every email, and (5) you clearly identify the sender. Since November 2025, the ECJ ruled that free trial or freemium registrations qualify as a "sale" for this purpose.
What are the penalties for sending unsolicited B2B email in Germany?
Enforcement comes from three directions. Competitors can send an Abmahnung (cease-and-desist) - triggered by even a single email, costing several hundred to several thousand euros. German state DPAs can impose GDPR fines up to 20 million EUR or 4% of global turnover. Individuals and businesses can claim damages directly. The Bundesnetzagentur imposed 1.435 million EUR in fines in 2023 for illegal marketing communications.
How does Overloop handle GDPR compliance for German prospects?
Every German compliance requirement maps to a specific Overloop feature. The B2B database operates under GDPR legitimate interest with a DPA. Multi-channel sequences enforce phone-first or LinkedIn-first workflows so email only triggers after consent is logged. LinkedIn automation handles connection requests and triggers on acceptance, letting you obtain consent through LinkedIn conversation before moving to email. Consent tracking records timestamp, source, and scope for court-ready audit trails. Automatic unsubscribe handles UWG Section 7(3) opt-out requirements. Contact tagging separates existing customers from cold prospects. Tracking controls let you disable open/click tracking for German segments (TDDDG compliance). One-click contact deletion covers GDPR data subject rights.
Do email tracking pixels require consent in Germany?
Germany's TDDDG Section 25 requires consent for accessing information stored on end-user devices, and tracking pixels fall under this rule. German authorities increasingly treat tracking pixels like cookies - requiring explicit consent. Consider disabling open and click tracking for German recipients to reduce compliance exposure.
The Bottom Line
Germany is not impossible for B2B outbound. It is different. The law restricts the channel - unsolicited email - not the activity of B2B prospecting.
You can legally build prospect databases. You can cold call German businesses. You can connect on LinkedIn. You can send postal mail. You can email existing customers and free trial users. You can collect consent through inbound channels, events, phone conversations, and LinkedIn messages.
What you cannot do is load a list of German email addresses into a sequence and hit send. That approach, which works in France, the Netherlands, and the UK, will create legal exposure in Germany.
The companies that succeed in the German market are the ones that adapt their workflow. Phone-first or LinkedIn-first sequences. Consent-gated email steps. Proper documentation. It requires more effort per contact, but German B2B deals tend to be larger and stickier than other markets. The compliance overhead is worth it.
This is also where multi-channel platforms have a structural advantage over email-only tools. If your outbound platform only does email, Germany is a dead end. If it combines LinkedIn and email in one sequence - with triggers on connection acceptance and consent logging - you can prospect into Germany at scale while staying compliant.
Build the workflow once. Run it for every German campaign. Stay on the right side of the law.
The Only Way to Cold Prospect Germany at Scale
Email-only tools cannot legally cold prospect in Germany. Overloop combines LinkedIn and email in one sequence - connect first, get consent, then email. Route German prospects through compliant workflows automatically.
Try Overloop Free