Marketing leaders frequently view GDPR compliance as a binary switch: you either have explicit consent, or you cannot send the email. This interpretation often results in missed opportunities and stagnated pipelines. In the context of B2B prospecting, Article 6.1.f of the GDPR – Legitimate Interest – provides a lawful basis for processing personal data without prior consent, provided specific conditions are met.
For organisations operating in or targeting Spain, this legal basis interacts with the LSSI (Law on Information Society Services and Electronic Commerce) in specific ways. Understanding this intersection enables you to build a prospecting strategy that is both aggressive enough to drive revenue and compliant enough to withstand audit. This is not about finding loopholes. It is about applying the regulation as it was intended: to balance business growth with individual privacy.
The Legal Framework: GDPR Article 6.1.f and the LSSI
Under the GDPR, you must have a lawful basis for processing any personal data. In B2B email marketing, the data in question is usually the recipient’s professional email address (e.g., firstname.lastname@company.com). While consent (Article 6.1.a) is the most risk-averse basis, it is often impractical for cold outreach.
Legitimate Interest (Article 6.1.f) applies when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject. In plain English, you can email a prospect if your business need is valid and does not harm their privacy rights.
However, for companies based in Spain or targeting Spanish entities, the LSSI adds a layer of complexity. The LSSI historically prohibited sending commercial communications without prior request or authorization. Exceptions exist for existing customer relationships. The alignment between GDPR and local laws suggests that B2B outreach is permissible under Legitimate Interest if the content is relevant to the recipient’s professional role and they are offered a simple way to opt out.
Data from early 2025 indicates that Spanish companies correctly utilizing Legitimate Interest for B2B acquisition report 22% higher pipeline velocity compared to those relying strictly on inbound consent models. The difference lies in the ability to proactively target ideal customer profiles rather than waiting for them to arrive.
The Three-Part Test
You cannot simply claim Legitimate Interest exists; you must prove it. The Information Commissioner’s Office (ICO) and various EU data protection authorities promote a three-part test. Before launching a campaign, you must satisfy all three elements.
1. The Purpose Test
You must identify a legitimate interest. In a commercial context, direct marketing is widely recognised as a legitimate interest (Recital 47 of the GDPR explicitly states this). However, vague objectives are insufficient. Your purpose must be clearly defined, such as “introducing a SaaS solution specifically designed for logistics managers to optimize fleet routes.”
2. The Necessity Test
You must determine if the processing is necessary to achieve that purpose. If there is a less intrusive way to achieve the same result, Legitimate Interest may not apply. For email marketing, you must ask: is there another way to contact this specific B2B prospect effectively? Usually, direct email is the most targeted and least intrusive method compared to cold calling or physical mail.
3. The Balancing Test
This is the most critical component. You must balance your interests against the individual’s rights and expectations. You must consider:
- Expectation: Would the individual expect you to use their data in this way? A CTO expecting emails about software solutions is different from an HR manager receiving emails about industrial manufacturing equipment.
- Impact: What is the impact on the individual? Is it likely to cause nuisance or distress?
- Vulnerability: Is the data subject in a vulnerable position? (This rarely applies in B2B contexts.)
If the recipient would be surprised, confused, or annoyed by your acquisition of their data, you likely fail the balancing test.
Documenting the Legitimate Interest Assessment (LIA)
Compliance is an exercise in documentation. If you are audited by the AEPD (Spanish Data Protection Agency) or another authority, they will not ask what you thought; they will ask what you wrote down. Every major campaign or data processing activity requires a documented Legitimate Interest Assessment (LIA).
An LIA is a living document. It does not need to be a fifty-page legal brief, but it must be structured and filed. A robust LIA document includes:
- Date and Author: Who conducted the assessment and when.
- The Processing Activity: Description of the email campaign and data source.
- The Interest: Clear statement of the commercial benefit (e.g., business development).
- The Necessity Argument: Why email is required to fulfil this interest.
- The Balancing Argument: Why the rights of the recipient are not infringed. This should reference the professional nature of the data and the relevance of the offer.
- Safeguards: Detailed explanation of the opt-out mechanism and data retention policy.
- Outcome: A final decision signed by the Data Protection Officer (DPO) or senior management.
Maintaining a repository of LIAs demonstrates accountability. It shifts the conversation with regulators from “negligence” to “procedural interpretation.” Even if a regulator disagrees with your conclusion, the existence of a thoughtful LIA mitigates potential penalties significantly.
Applying This in Spain: Specific Nuances
For Data Innovation clients operating out of Barcelona or targeting the Spanish market, specific nuances apply to the data types.
Generic vs. Personal Corporate Emails
There is a legal distinction between info@company.com and florin.armasu@company.com. The former does not constitute personal data under GDPR, as it does not identify a natural person. You can email generic corporate addresses with fewer restrictions under the LSSI. However, generic inboxes rarely convert.
When you target specific individuals (personal data), you trigger GDPR requirements. Under the Spanish organic law (LOPDGDD), processing contact data of natural persons providing services to a legal entity is presumed lawful if it is for professional location purposes and solely to maintain the relationship with the legal entity. This provides a strong footing for B2B marketers in Spain, provided the email content is strictly B2B.
The Right to Object
Legitimate Interest is not absolute. The GDPR grants data subjects the absolute right to object to direct marketing. Your email infrastructure must support this flawlessly. This goes beyond a simple unsubscribe link. If a prospect replies with “stop contacting me,” your CRM must be configured to suppress them instantly and permanently across all channels.
Failure to honour an objection is where most fines originate. It is not the initial email that causes the legal issue; it is the second email sent after an objection.
Practical Examples: Safe vs. Unsafe Scenarios
To clarify where the line is drawn, consider these two scenarios relevant to a modern B2B strategy.
Scenario A: The Targeted Specialist (Safe)
You offer a CRM optimization service. You scrape public LinkedIn profiles to find “Sales Operations Directors” in the retail sector. You run an LIA determining that these professionals expect to hear about CRM efficiency. You send a highly relevant, personalised email to their corporate address. The email contains a clear footer explaining why they were contacted and an easy opt-out link.
Verdict: This is a classic application of Legitimate Interest. The targeting is precise, the relevance is high, and the intrusion is minimal.
Scenario B: The Broad Blast (Unsafe)
You purchase a list of 50,000 mixed contacts including “HR Managers,” “CEOs,” and “Marketing Interns.” You send a generic blast about your CRM service. You have not segmented by role, meaning the HR manager is receiving an email about sales software.
Verdict: This fails the Necessity and Balancing tests. The HR manager has no professional interest in CRM software. It is spam. The volume of complaints will likely damage your sender reputation and could trigger an AEPD investigation. Legitimate Interest cannot be used to justify irrelevance.
Deliverability Implications
Your legal basis impacts your technical deliverability. ISPs (Internet Service Providers) like Google and Microsoft monitor engagement rates. Emails sent under Legitimate Interest generally have lower engagement than opted-in newsletters. If your targeting is poor, high mark-as-spam rates will burn your domain.
Successful 2025 email strategies separate sending infrastructure. Transactional emails and opted-in marketing streams should be isolated from cold outreach streams relying on Legitimate Interest. This containment strategy ensures that if your cold outreach triggers a temporary block, it does not paralyze your core business communications.
Strategic Takeaways for Senior Leaders
Implementing Legitimate Interest correctly is an operational advantage. It allows you to expand your total addressable market without waiting for inbound leads.
- Audit your Data Sources: Ensure you know the origin of every contact. “Found on the internet” is not a source; “Publicly accessible LinkedIn profile” is.
- Template your LIA: Create a standard LIA framework for your marketing team. Make it a prerequisite for campaign approval.
- Purge Ruthlessly: If a contact has not engaged after a reasonable period (e.g., 6 months), remove them. Retaining non-responsive data under Legitimate Interest weakens your necessity argument over time.
- Localise Compliance: If emailing Germany, the rules are stricter (double opt-in is standard). If emailing Spain or the UK, Legitimate Interest is viable. Tailored strategies for each geography are essential.
Legitimate Interest is not a bypass for consent; it is a responsibility. When used with precision, it empowers your sales team to initiate valuable conversations. When abused, it invites regulatory scrutiny and destroys brand trust.
Navigating the nuances of GDPR and the LSSI requires more than just legal knowledge; it requires technical implementation that protects your domain reputation. At Data Innovation, we specialise in aligning your CRM infrastructure with high-performance, compliant email strategies. If you need to validate your current B2B outreach framework or require an audit of your deliverability setup, contact our team for a consultation.
