Template for review — not legal advice

This document is a template published by CogniLead GmbH (in formation). CogniLead does not provide legal advice. Have your Data Protection Officer and legal counsel review before relying on this version in production. Last updated: 2026-06-03.

Legitimate Interest Assessment — template

A Legitimate Interest Assessment (LIA) is the structured three-part test (purpose, necessity, balancing) that a controller relying on GDPR Article 6(1)(f) as its lawful basis documents in order to meet the accountability principle in Article 5(2). This page is a template you can copy into your own compliance file for any campaign you run on CogniLead.

Customer instructions

Copy this template into your compliance file. Fill in the bracketed sections for your specific campaign — the named product, the audience segment, the signal source, the jurisdiction, the retention period. Have your Data Protection Officer sign off before activating outbound to a new audience segment. Re-run the assessment whenever the audience or the personalization criteria change materially.

1. Purpose test

Stated legitimate interest: direct marketing to business contacts on the basis of public technical signals indicating a current capacity gap relevant to the named product [describe product and ICP].

Legal anchor: GDPR Recital 47 states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” The recital gives recognized weight to direct marketing as a legitimate interest, but a recital is not binding on its own and it does not distinguish B2B from B2C contact: Article 6(1)(f) is satisfied only if the necessity test in section 2 and the balancing test in section 3 are also met.

Lawful and ethical: a lawful basis under the GDPR does not displace the national rules on unsolicited commercial communication that implement Article 13 of the ePrivacy Directive (2002/58/EC) in each Member State, or the Swiss equivalent (Art. 3(1)(o) UWG). Those rules apply in parallel, and in several jurisdictions (Germany under § 7(2) UWG, for example) advertising by electronic mail requires prior express consent even when the recipient is a business. Record in the [jurisdiction] field which regime governs the target segment and confirm with counsel that corporate addresses plus an opt-out are sufficient there; where they are not, a completed LIA does not make the campaign lawful. In all cases the processing uses corporate contact addresses only and provides an unambiguous opt-out in every message.

2. Necessity test

The processing must be necessary to achieve the legitimate interest and there must be no less intrusive way to achieve the same outcome.

  • We process the minimum data required: corporate email, role class, jurisdiction, and the technical hook text derived from a public source.
  • We never enrich beyond the public signal and the corporate inbox. There is no enrichment of personal contact information.
  • We never use paid contact databases (Apollo, ZoomInfo, Lusha, similar). The source for every contact is a public artifact (job posting, GitHub repository, conference attendee list, funding announcement).
  • We rate-limit outreach in the pipeline so that no audience segment is over-contacted.
  • The audience size is bounded by the signal source. We do not broadcast — every send is tied to a specific publicly visible technical hook.

On this basis, the processing is the least intrusive practical method of pursuing the stated interest. A consent-first model is not available for cold business outreach because, by definition, no prior relationship exists from which consent could be obtained. This necessity argument concerns the GDPR lawful basis only; it does not override a national consent requirement for the channel itself (see section 1).

3. Balancing test

We weigh the legitimate interest against the rights and freedoms of the data subjects.

  • Nature of the contact: recipients are corporate professionals being contacted at their corporate email address. The contact is purely professional and does not touch their personal sphere.
  • Material relevance: the pitch is tied to a specific public statement of need by the recipient organization. The CogniLead pipeline enforces this with a technical_hook_verified=true precondition — pitches that cannot cite a specific source artifact never leave the pipeline.
  • Reasonable expectations: an organization that publishes a job posting describing a current engineering need should reasonably expect to receive outbound vendor contact relevant to that need. The contact does not exceed the reasonable expectation of a professional who has publicly signaled the gap.
  • Opt-out mechanism: every email carries the RFC 8058 one-click unsubscribe headers (List-Unsubscribe with an https URI, plus List-Unsubscribe-Post: List-Unsubscribe=One-Click), which mailbox providers surface as a one-click unsubscribe control, alongside the opt-out stated in the message body. Recipients can also request suppression of their entire domain. Suppression is honored within 60 seconds of receipt.
  • Retention: retention is strictly bounded. Raw signals expire after 90 days. Lead records are deleted 30 days after suppression. Send-event audit records are retained for 7 years for evidentiary purposes only, in a tamper-evident audit chain (Chainlog), and are not used for any further processing.
  • No special categories: no Article 9 special category data is processed. No criminal data (Article 10) is processed. No automated decision-making with legal effects within the meaning of Article 22 is performed.

Provisional conclusion: on these factors, our legitimate interest is not overridden by the interests, rights or freedoms of the data subjects, provided the mitigations in section 4 are in force.

4. Mitigations

Mitigations are technical and organizational controls that reduce the impact of the processing on data subjects. CogniLead implements the following by default:

  • Hook verification: every model-generated pitch is structurally checked for a citable source artifact. Uncited pitches are dropped before send.
  • AgentGate policy gate: length-violating and jurisdiction-violating sends are blocked at the policy layer regardless of upstream behavior. The outbound-gdpr risk pack is active by default.
  • Suppression latency: suppression requests are honored within 60 seconds via webhook; a send already queued for a newly suppressed recipient is re-checked against the suppression list and aborted at dispatch time.
  • DSR endpoint: recipients may request data deletion or export through the /api/v1/dsr endpoint, with a 30-day SLA and Chainlog evidence of the action taken.
  • Bounce handling: a hard bounce suppresses the address immediately and flags its domain for review. Three soft bounces within a 14-day window also suppress the address immediately.
  • Complaint handling: a spam complaint via the receiving mailbox provider results in immediate suppression of the recipient and a domain-level reputation review.

5. Conclusion

Customer DPO completes this section.

Having weighed our legitimate interest in [describe the campaign] against the rights and freedoms of the data subjects described in section 3 of this assessment, and taking into account the mitigations in section 4, our legitimate interest is / is not overridden by the interests, rights or freedoms of the data subjects.

Signed: [DPO name]
Role: [role]
Organization: [organization]
Date: [YYYY-MM-DD]
Review interval: [e.g. annually, or on material audience change]

Pair this completed LIA with the signed Data Processing Agreement and the technical and organizational measures listed in /legal/security to constitute the GDPR documentation pack for a single audience segment.