GDPR, LSSI and the cold email landmine in Spain
Spain has stricter rules on commercial communications than the GDPR baseline. A short, practical guide to sending cold B2B email in Spain without a €10K AEPD fine.
You can send a cold B2B email in Spain legally. You can also send one illegally, and the line between the two is thinner than most growth operators realise. The AEPD (Spanish Data Protection Agency) issues fines with enthusiasm, and the statute that bites is not the GDPR. It is the LSSI, Ley 34/2002 on Information Society Services, which adds a consent-first regime for commercial communications on top of whatever GDPR lawful basis you rely on.
This is not legal advice. It is the version we followed to run 850 emails through the rag.art outreach pipeline without triggering a complaint. Pay a lawyer to validate your specific plan.
The two legal regimes, layered
GDPR (Regulation 2016/679)
Says you need a lawful basis to process personal data. For B2B cold email, 'legitimate interest' under Article 6(1)(f) is usable, provided you have run and documented a balancing test and the contact is a business person, reached at a work email, in a professional context. Spain's own data protection law, the LOPDGDD (Ley Orgánica 3/2018), Article 19, presumes legitimate interest for the contact data of people who work at a company, as long as the data is limited to what is needed to reach them in their professional capacity and the purpose is the relationship with the company, not with the individual.
LSSI (Ley 34/2002)
Spain's transposition of the e-Commerce Directive, whose Article 21 was later amended to carry Article 13 of the e-Privacy Directive. Article 21 prohibits unsolicited commercial communications by email except in two cases: prior consent, or a pre-existing customer relationship, where the address was obtained lawfully in the course of that relationship and the message is about the sender's own products or services similar to those the customer already bought. Legitimate interest under GDPR does not satisfy LSSI Art. 21 by itself.
How that resolves for cold B2B email
The working interpretation, backed by multiple AEPD rulings: a cold email to a B2B contact is defensible if (a) the email address is publicly listed in a professional capacity, (b) the content is professionally relevant to the recipient's role, (c) the sender is clearly identified, and (d) an opt-out mechanism is visible and honoured. Miss any of the four and you are gambling.
The checklist we actually run
- Source the email from a public, professional source (company website, business register). Scrapers that pull personal Gmails break the 'professional capacity' defense.
- Document the source for every contact. Spreadsheet column: 'source_url'. One AEPD enquiry and you need this.
- Target by role, not by person: the message must be relevant to the recipient's job. CFO about CFO tools, not about pizza.
- Include a clear sender identity in the footer: your legal entity, NIF/CIF, physical address and a contact email. That is the LSSI Art. 10 identification requirement.
- Include a one-click opt-out (a mailto: or an unsubscribe link) in every message; LSSI Art. 21 requires the procedure to be simple and free. We honour it within 10 working days, and sooner is better.
- Never, ever follow up more than twice. Repeated sends to a non-responder are what LSSI Art. 38 calls 'insistent or systematic' sending, which moves a breach from minor to serious.
- Run the balancing test for GDPR legitimate interest and save it as a PDF. A lawyer can produce a template in an hour.
- Keep a suppression list. If someone opts out, they never get emailed again from any campaign.
Common mistakes we see
- Using a cold-outreach tool that auto-appends tracking pixels invisible to the recipient. Undisclosed tracking weighs against you in the legitimate-interest balance.
- Mail merges into generic@empresa.com. A shared mailbox is not personal data, so the GDPR drops out, but LSSI Art. 21 protects legal persons too, and the 'professional capacity' argument is about a named individual and does not transfer to a role inbox. info@ and hello@ are a grey zone, not a safe harbour; don't make them your primary target.
- Confusing newsletters (which require opt-in) with sales outreach (which can be legitimate-interest). The regulator cares about the distinction; the tooling often blurs it.
- Ignoring opt-outs because they came through a reply instead of the link. Opt-out is opt-out, however expressed.
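The checklist and the mistakes above reduce to a gate that every contact passes through before a send, plus a suppression list that any opt-out feeds into. The following is an added example of such a gate, not the rag.art pipeline's own code. The free-mail and role-mailbox lists, the opt-out phrases, the touch cap of three (one email plus two follow-ups), and the sample entity, NIF and URLs are all assumptions made for illustration.

```python
"""Pre-send compliance gate for cold B2B email, written as an added example.

This is not the rag.art pipeline's own code. The domain lists, opt-out
phrases, touch cap and sample data are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Free-mail providers: a personal mailbox, not a professional listing (assumed list).
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "yahoo.es"}
# Role mailboxes: not personal data, but also no named professional (assumed list).
ROLE_LOCALPARTS = {"info", "hello", "hola", "contact", "contacto", "admin", "sales", "ventas"}
MAX_TOUCHES = 3  # the initial email plus at most two follow-ups (assumed cap)
# Deliberately broad: a false positive suppresses one address, a miss is a complaint.
OPT_OUT_RE = re.compile(
    r"\b(unsubscribe|opt[ -]?out|remove me|darme de baja|baja|no (?:me )?(?:env[ií]e|escrib)\w*)\b",
    re.I)
# A visible opt-out: an unsubscribe word inside a mailto: or http(s) link.
UNSUB_LINK_RE = re.compile(r"(mailto:|https?://)\S*(unsubscribe|baja|opt[ -]?out)", re.I)


@dataclass(frozen=True)
class Campaign:
    relevant_roles: frozenset      # roles the pitch is professionally relevant to
    legal_entity: str              # LSSI Art. 10 identification: all three must appear
    nif: str
    postal_address: str
    body: str                      # rendered email including the footer


@dataclass
class Contact:
    email: str
    role: str
    source_url: str = ""           # where the address was found; kept for AEPD enquiries
    touches: int = 0               # emails already sent to this address


class ComplianceGate:
    def __init__(self, suppression=()):
        self.suppression = {e.lower() for e in suppression}
        self.audit = []            # (event, email, detail) tuples to persist

    def opt_out(self, email, how):
        """Add to the suppression list, whatever channel the opt-out came through."""
        self.suppression.add(email.lower())
        self.audit.append(("opt_out", email.lower(), how))

    def handle_reply(self, email, text):
        """Opt-out is opt-out however expressed: a reply saying 'baja' counts."""
        if OPT_OUT_RE.search(text):
            self.opt_out(email, "reply")
            return True
        return False

    def check(self, contact, campaign):
        """Return the reasons NOT to send; an empty list means the send is allowed."""
        email = contact.email.lower()
        local, _, domain = email.partition("@")
        reasons = []
        if not domain:
            reasons.append("malformed address")
        if email in self.suppression:
            reasons.append("suppressed")
        if domain in FREE_MAIL_DOMAINS:
            reasons.append("personal mailbox, not a professional listing")
        if local in ROLE_LOCALPARTS:
            reasons.append("role mailbox: LSSI still applies, no named professional")
        if not contact.source_url.startswith(("http://", "https://")):
            reasons.append("no documented source_url")
        if contact.role not in campaign.relevant_roles:
            reasons.append("content not relevant to recipient role")
        if contact.touches >= MAX_TOUCHES:
            reasons.append("follow-up cap reached")
        for label, value in (("legal entity", campaign.legal_entity), ("NIF", campaign.nif),
                             ("postal address", campaign.postal_address)):
            if value not in campaign.body:
                reasons.append(f"footer missing {label}")
        if not UNSUB_LINK_RE.search(campaign.body):
            reasons.append("no visible opt-out link")
        self.audit.append(("check", email, tuple(reasons)))
        return reasons


# Constructed sample data (fictitious entity, NIF and URLs), used by demo() below.
SAMPLE_CAMPAIGN = Campaign(
    relevant_roles=frozenset({"cfo", "finance director"}),
    legal_entity="Ejemplo Outreach S.L.",
    nif="B12345678",
    postal_address="Calle Falsa 123, 28001 Madrid",
    body=("Hola, ...pitch about month-end close tooling...\n\n"
          "Ejemplo Outreach S.L. | NIF B12345678 | Calle Falsa 123, 28001 Madrid\n"
          "Para no recibir más correos: https://example.invalid/unsubscribe"),
)


def demo():
    """Run the gate over constructed contacts; returns {name: reasons}."""
    gate = ComplianceGate(suppression=["ya.no@empresa.es"])
    contacts = {
        "ok":         Contact("cfo@empresa.es", "cfo", "https://empresa.es/equipo"),
        "gmail":      Contact("maria@gmail.com", "cfo", "https://empresa.es/equipo"),
        "role_box":   Contact("info@empresa.es", "cfo", "https://empresa.es"),
        "no_source":  Contact("cfo@otra.es", "cfo"),
        "off_topic":  Contact("cmo@empresa.es", "cmo", "https://empresa.es/equipo"),
        "capped":     Contact("cfo@tercera.es", "cfo", "https://tercera.es", touches=3),
        "suppressed": Contact("ya.no@empresa.es", "cfo", "https://empresa.es"),
    }
    results = {name: gate.check(c, SAMPLE_CAMPAIGN) for name, c in contacts.items()}
    # An opt-out arriving as a free-text reply must block the next touch.
    gate.handle_reply("cfo@empresa.es", "Por favor, no me envíen más correos")
    results["ok_after_reply"] = gate.check(contacts["ok"], SAMPLE_CAMPAIGN)
    return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:15} {'SEND' if not reasons else 'BLOCK: ' + '; '.join(reasons)}")
```

The gate returns every reason it found rather than stopping at the first, so the audit trail records why a contact was blocked, and the footer checks run against the rendered body so a template edit that drops the NIF blocks the whole campaign instead of one contact.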
If you get an AEPD complaint
The agency contacts you in writing. You have 10 days to respond. Your response includes: the source of the email address, the date of collection, the legitimate-interest balancing test, the opt-out mechanism you provided, and the suppression list showing the complainant now removed. If you have these artifacts, 90% of complaints close without a fine. If you don't, the fine range starts at €600 and scales with the number of recipients: under LSSI Art. 39 a minor infringement is fined up to €30,000, and mass or insistent sending is a serious one, fined between €30,001 and €150,000.
The practical takeaway
Cold B2B email in Spain is legal and productive if you run it like the lawyers-think-about-it version. If you run it like a growth-hack Twitter thread, you're building regulatory debt. The overhead of doing it properly is an afternoon once. The downside of doing it improperly is quarterly and expensive.