Can I use «legitimate interest» to justify marketing emails and cold messages?

Short answer

No. No, you can’t.

You can only send unsolicited communications if you have a prior sales relationship with the person.

It’s true that the regulation on this matter is not as straightforward as other GDPR matters, but a proper reading of the European law clarifies that you cannot email a person without their consent.

Also, it is worth noting that the UK GDPR may differ from the EU GDPR in this matter.

Long answer

This is not regulated in the GDPR, but in Directive 2002/58/EC

Instead of the General Data Protection Regulation, we must look at Directive 2002/58/EC of Privacy and Electronic Communications.

This is because Article 95 of the GDPR, which is called “Relationship with Directive 2002/58/EC”, explains precisely that Directive 2002/58/EC should prevail regarding these matters.

Here’s what the Directive 2002/58/EC on privacy and electronic communications says on its Article 13:

Article 13: Unsolicited communications

1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

As you can see, the Directive clearly says that you cannot email people without their consent.

However, there is a second paragraph, which refers to the specific situation where a person is already a customer:

2. Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use.

This means you can actually send unsolicited emails to a person if they already are your customers, as long as you provide the opportunity to object.

However, the 3rd paragraph goes on to say that each European country may write their own measures:

3. Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

Local example: Spain’s Ley Orgánica 3/2018

And to offer a concrete example, let’s check what one of the European countries, Spain, has to say in this regard. This is regulated in Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales.

Artículo 19. Tratamiento de datos de contacto, de empresarios individuales y de profesionales liberales.

1. Salvo prueba en contrario, se presumirá amparado en lo dispuesto en el artículo 6.1.f) del Reglamento (UE) 2016/679 el tratamiento de los datos de contacto y en su caso los relativos a la función o puesto desempeñado de las personas físicas que presten servicios en una persona jurídica siempre que se cumplan los siguientes requisitos:

a) Que el tratamiento se refiera únicamente a los datos necesarios para su localización profesional.

What does this mean? In summary, the Spanish regulation says that no, you cannot reach out to someone via electronic means if you don’t have a legitimate basis. You can only send physical mail to the company address.

This is a funny twist of the Spanish regulation: wherein you are allowed to spam someone to their company address, but only to the physical address. So you cannot send them emails to their work email address, but you can post and physically deliver unsolicited information to someone, without their prior consent.

No, «legitimate interest» does not mean that your product may be interesting

This is tightly related to the issue of Article 6 of the GDPR: the legal basis for processing. To fully understand this issue, it is essential that you understand what Article 6 is saying.

Read more: What is Article 6 of the GDPR actually saying?

In summary, Article 6 of the GDPR says that you need someone’s prior consent in order to process their data. There are 5 other possible justifications, but none of them will offer you a way to cheat your way into spamming unsolicited communications.

One of the justifications is «legitimate interest», but as you can see in Directive 2002/58/EC, «legitimate interest» does not suffice as an excuse to send marketing emails and cold emails to your prospects – and remember that Directive 2002/58/EC prevails over the GDPR in this matters.

And furthermore, «legitimate interest» is only applicable to cases such as preventing harm from falling upon someone, like preventing fraud or ensuring security systems. Things that, if someone did not know, would present a risk to them or their organisation. This is even clarified by the European Commission, on a page called: What does ‘grounds of legitimate interest’ mean?

Read more: European Commission ( What does ‘grounds of legitimate interest’ mean?

However, it should be obvious that «legitimate interest» is a very specific situation, otherwise, it would mean that anyone can contact anyone about anything, rendering the whole GDPR obsolete.

Try GDPR.Direct today

GDPR compliance doesn’t have to be complicated or expensive. In fact, it can be easily achieved with the right tools and resources. All you need are the correct GDPR templates readily available online. Once you have these, simply make them accessible to your users in the appropriate places. That’s all it takes to comply with GDPR requirements. So don’t let law consultants convince you that GDPR compliance is a complex and costly process – it’s really not. With the right approach, GDPR compliance can be simple and affordable