11 min read · Published 2026-06-04 · Updated 2026-06-04

How to respond to a GDPR DPA inquiry about cold outreach in 30 days

TL;DR

A Data Protection Authority can write to you at any time. The deadline is whatever the DPA's letter states; in most EU jurisdictions that is 30 calendar days to respond substantively, sometimes less depending on the lead supervisory authority and the specific inquiry. The first 72 hours decide whether you spend the remaining days assembling evidence or chasing it.

This playbook is a day-by-day plan. Days 1–3 you acknowledge receipt and assemble the evidence pack. Days 4–14 you review internally, identify the in-scope sends, document any deletions. Days 15–28 you draft the response and get legal sign-off. Days 29–30 you submit. The artifact you produce is a cover letter plus an evidence pack plus a retention attestation — three documents, one envelope.

CogniLead renders the evidence pack PDF in 60 seconds per lead from Chainlog data. If you are not on CogniLead, the artifact is still recoverable — the rest of this playbook shows how to assemble it manually, which is what most teams find themselves doing under time pressure.

What triggers a DPA inquiry

DPA inquiries about cold outbound typically come from one of three places: a recipient complaint, a programmatic audit, or a sample-letter campaign initiated by the DPA itself.

  • Recipient complaint. A recipient files an Article 77 complaint with their local DPA. The DPA forwards the complaint to you, often with a specific list of questions tailored to the recipient's concerns. This is the most common trigger.
  • Programmatic audit. The DPA selects you as part of a sweep; the CNIL, for example, has previously run coordinated audits across cold-outbound platforms. Audit questions are broader and procedural rather than recipient-specific.
  • Sample-letter campaign. The DPA sends a questionnaire-style letter to many controllers in a category to measure baseline compliance. The questions are formulaic; the response is too.

The format of the inquiry usually tells you which kind you are dealing with. A complaint forward will reference a specific data subject (often pseudonymized). A programmatic audit will list process questions. A sample letter will be obviously a template. All three have the same 30-day SLA — they differ in the evidence you need to surface.

Days 1–3 · Acknowledge receipt and assemble

Day 1 · Acknowledge inside 48 hours

Send a one-paragraph acknowledgement of receipt to the DPA contact named on the letter. State the date you received the inquiry, the reference number the DPA cited, and that you will respond substantively by the statutory deadline. Do not elaborate on the merits yet — you have not finished the internal review.

Forward the inquiry internally to the DPO (or the privacy lead if no DPO), the legal team, the engineering lead responsible for the outbound pipeline, and the executive sponsor. A response to a DPA is a four-person motion at minimum; under-resourcing it is the most common mistake.

Day 2 · Scope the inquiry

Read the inquiry slowly and produce a one-page summary that names: the data subject (or category), the campaign(s) in scope, the time window, the specific articles cited, and the information the DPA has asked you to produce. The point of the summary is to discover ambiguity early. If the DPA cited Article 13 (information to be given where data are collected from the data subject) but the lead came from a public signal, so Article 14 is the operative provision, you want to know on day 2, not day 25.

Day 3 · Begin evidence assembly

Identify every send to the named recipient (or the in-scope cohort). On CogniLead this is a single dashboard query and the evidence pack PDF renders in 60 seconds; without it, the equivalent work is a database join across your sends table, your suppression list, your enrichment provider's logs, and any LLM call records. Plan for it to take longer than you expect.

Days 4–14 · Internal review and document deletions

The bulk of the work is in this window. The goal is to produce an internal narrative of what happened, supported by primary evidence, that you can hand to legal for response drafting on day 15.

Days 4–7 · In-scope send analysis

For every in-scope send, document the following:

  • Signal provenance — when the signal that produced the lead was observed, from which public source, and the immutable Chainlog event id that anchors it.
  • Intersect decision — the suppression check that admitted the lead, the fit score that passed it, the rubric version that scored it.
  • Personalization call — which LLM produced the body, in which jurisdiction, against which prompt version. For CogniLead this is the PHI Gateway routing record.
  • Policy decision — the AgentGate verdict, the rule pack used, the input that produced it.
  • Dispatch record — the Resend message id, the timestamp, the subject hash and body hash, the recipient address.
  • Observation events — bounce status, click events (if consented), reply, unsubscribe, complaint. All as Chainlog events.

Days 8–10 · Suppression and deletion verification

Verify that any post-complaint suppression actually took effect. On CogniLead the suppression list is global per tenant and propagates in under 60 seconds; the Chainlog event proving the suppression is rendered in the evidence pack. Without that, you need to demonstrate manually that no further sends went to the recipient after the suppression was added: typically a SQL query that joins your sends table to your suppression table on the normalised recipient address and keeps only sends timestamped after the suppression. Normalise the address (case, whitespace) on both sides of the join, or a send to a differently-cased copy of the same mailbox passes the check silently.
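The check described above, as an added example that is not CogniLead code. It builds the two tables in an in-memory SQLite database from constructed sample rows (the table and column names are assumptions; map them to your own schema), runs the join with address normalisation, and classifies each post-suppression send against a 60-second propagation SLO so the finding can be cited in the pack as either "within SLO" or a breach needing a corrective-action note.

```python
"""Find sends that went out after the recipient was suppressed.

Added example, not CogniLead code. Table and column names are assumptions;
sample rows are constructed. Timestamps are ISO-8601 UTC in one fixed format,
so string comparison in SQL orders them correctly.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed sample data.
SENDS = [
    ("msg_001", "ana@example.org", "2026-03-01T09:00:00Z"),   # before suppression: fine
    ("msg_002", "ana@example.org", "2026-03-08T09:00:00Z"),   # 30 s after: inside propagation SLO
    ("msg_003", "Ana@Example.org", "2026-03-09T09:00:00Z"),   # next day, case differs: a breach
    ("msg_004", "bob@example.org", "2026-03-09T10:00:00Z"),   # never suppressed
]
SUPPRESSIONS = [
    ("ana@example.org", "2026-03-08T08:59:30Z", "complaint"),
]

# Propagation SLO you are prepared to attest to (the page's platform figure is 60 s).
SLO_SECONDS = 60

# The join normalises both sides; without lower()/trim() msg_003 would be missed.
QUERY = """
SELECT s.message_id, s.recipient, s.sent_at, p.added_at, p.reason
FROM sends s
JOIN suppression p
  ON lower(trim(s.recipient)) = lower(trim(p.recipient))
WHERE s.sent_at > p.added_at
ORDER BY s.sent_at
"""


def load(conn):
    """Create and fill the assumed schema."""
    conn.executescript("""
        CREATE TABLE sends (message_id TEXT, recipient TEXT, sent_at TEXT);
        CREATE TABLE suppression (recipient TEXT, added_at TEXT, reason TEXT);
    """)
    conn.executemany("INSERT INTO sends VALUES (?,?,?)", SENDS)
    conn.executemany("INSERT INTO suppression VALUES (?,?,?)", SUPPRESSIONS)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def post_suppression_sends(conn):
    """Every send after suppression, with its lag and whether the lag is inside the SLO."""
    findings = []
    for message_id, recipient, sent_at, added_at, reason in conn.execute(QUERY):
        lag = (_parse(sent_at) - _parse(added_at)).total_seconds()
        findings.append({
            "message_id": message_id,
            "recipient": recipient,
            "sent_at": sent_at,
            "suppressed_at": added_at,
            "reason": reason,
            "lag_seconds": lag,
            "within_slo": lag <= SLO_SECONDS,
        })
    return findings


def run():
    conn = sqlite3.connect(":memory:")
    load(conn)
    return post_suppression_sends(conn)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Anything returned with within_slo false is the fact the DPA is asking about; document it with the corrective action rather than hoping the join does not surface it. An empty result is only meaningful if the join keys were normalised, which is why the normalisation is in the query rather than left to whoever runs it.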

Days 11–14 · LIA and retention narrative

Restate your Legitimate Interest Assessment as it applied to the in-scope processing. The DPA will read the LIA carefully — if you have updated it since the in-scope sends, surface the version control. The companion LIA playbook walks the seven elements; the DPA inquiry response is the moment those seven elements pay rent.

Document your retention schedule and demonstrate that the in-scope records have been retained according to it. If retention has been exceeded, document the corrective deletion — the DPA will accept honest over-retention with a documented fix; it will not accept silent over-retention.

Days 15–28 · Draft and review

Days 15–20 · Draft the response

The response is a cover letter plus the evidence pack plus a retention attestation. Cover letter structure:

  1. Reference the DPA's inquiry number and date.
  2. Summarize the processing in scope in plain language.
  3. State the lawful basis (Article 6(1)(f)) and reference the LIA.
  4. Walk the mitigations shipped, in production at the time of the in-scope sends.
  5. Answer each specific question the DPA asked, by number, with reference to the evidence pack.
  6. Attest to any corrective actions taken since the inquiry was received.
  7. Sign off with the DPO (or privacy lead) and a contact for follow-ups.

Keep the tone neutral and factual. The DPA is not your adversary in most inquiries — they are a regulator confirming compliance. Do not argue; do not editorialize; do produce the evidence in full.

Days 21–25 · Legal review

External counsel (or in-house if you have it) reviews the cover letter, the evidence pack, and the retention attestation. The review should answer: do we admit anything we should not, do we omit anything required, is the language precise, are the statutory references correct, do we expose any unrelated liability. Plan for two rounds of edits — counsel rarely sign off on the first draft.

Days 26–28 · Executive sign-off

The DPO (or privacy lead) and the executive sponsor sign the cover letter. The evidence pack is sealed. For CogniLead that means the Chainlog hash chain is verified at render time and the rendered PDF carries a cryptographic attestation. For non-CogniLead artifacts, sign the PDF with the corporate e-signature and record the SHA-256 of the signed file; that is the hash the cover letter's attachments list cites, so compute it over the exact bytes you will submit.

Days 29–30 · Submit

Submit through whatever channel the DPA specified. Most EU DPAs accept submission via their secure portal or via email to a designated address. Retain the submission receipt — date, channel, recipient, and content hash. The receipt becomes part of your audit chain for the next inquiry.

What the evidence pack must contain

Whatever platform produced the sends, the evidence pack the DPA will accept is the same. Five elements, all timestamped, all cross-referenced:

  1. Signal provenance. When the lead was sourced, from which public artifact, with what observed-at timestamp. The Chainlog event id (or equivalent immutable reference) anchors this.
  2. Recipient identification. A pseudonymous identifier for the recipient (or the one the DPA itself used). Use a keyed hash, an HMAC under a tenant secret, rather than a bare SHA-256 of the address: email addresses are guessable, and an unkeyed hash can be reversed by hashing candidate addresses. Avoid exposing the raw address in the public-facing copy of the pack; DPAs will accept the pseudonym plus a sealed envelope carrying the plaintext mapping.
  3. LIA reference. The version of the LIA that applied to the in-scope sends, with the reviewer name and date. If you cannot produce a contemporaneous LIA, document when it was first written and what changed since.
  4. Opt-out honoring. Demonstrate that the RFC 8058 one-click unsubscribe was offered, and that any received unsubscribe was honored within the documented SLO (CogniLead: 60 seconds). If a complaint was received, demonstrate the cessation timestamp.
  5. Retention schedule attestation. A one-paragraph statement that the in-scope records have been retained per the schedule and that no out-of-schedule retention occurred. If it did, the corrective deletion record.

CogniLead bundles these five into the six-page evidence pack PDF for every lead. Without CogniLead, the five elements are recoverable from operational logs but the assembly is manual.
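The mechanical pieces of sealing a manual pack, as an added example that is not CogniLead or Chainlog code: verifying an exported hash-chained audit log before you cite its events (the sealed pack above), deriving a keyed pseudonym for the recipient (element 2), and computing the content hash you record against the attachment and on the submission receipt. The event layout is an illustrative hash chain, not Chainlog's format, and the tenant key and sample events are constructed.

```python
"""Verify a hash-chained audit export, pseudonymise a recipient, hash a pack.

Added example, not CogniLead or Chainlog code. The event layout below is an
illustrative chain: each event stores its predecessor's hash and its own hash
over (prev_hash || canonical payload). Tenant key and events are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # prev_hash of the first event


def canonical(payload):
    """Deterministic encoding so the same payload always hashes the same."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def event_hash(prev_hash, payload):
    return hashlib.sha256(prev_hash.encode() + canonical(payload)).hexdigest()


def append_event(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "payload": payload, "hash": event_hash(prev, payload)})
    return chain


def verify_chain(chain):
    """(True, None) if every link recomputes; else (False, index of first bad event)."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["prev_hash"] != prev or event_hash(prev, ev["payload"]) != ev["hash"]:
            return False, i
        prev = ev["hash"]
    return True, None


def recipient_id(address, tenant_key):
    """Keyed pseudonym: HMAC rather than a bare SHA-256, so the address cannot be
    recovered by hashing guesses. Normalised first so 'Ana@Example.org' and
    'ana@example.org' map to the same id."""
    norm = address.strip().lower().encode()
    return hmac.new(tenant_key, norm, hashlib.sha256).hexdigest()


def pack_hash(pack_bytes):
    """Content hash cited in the attachments list and on the submission receipt."""
    return hashlib.sha256(pack_bytes).hexdigest()


def build_sample_chain(tenant_key):
    """Constructed events for one lead: signal, dispatch, suppression."""
    rid = recipient_id("ana@example.org", tenant_key)
    chain = []
    append_event(chain, {"type": "signal.observed", "recipient": rid,
                         "source": "public-profile", "at": "2026-03-01T08:00:00Z"})
    append_event(chain, {"type": "send.dispatched", "recipient": rid,
                         "message_id": "msg_001", "at": "2026-03-01T09:00:00Z"})
    append_event(chain, {"type": "suppression.added", "recipient": rid,
                         "reason": "complaint", "at": "2026-03-08T08:59:30Z"})
    return chain


def tamper(chain):
    """Copy the chain and quietly backdate the dispatch, as a doctored record would."""
    forged = json.loads(json.dumps(chain))
    forged[1]["payload"]["at"] = "2026-02-28T09:00:00Z"
    return forged


if __name__ == "__main__":
    key = b"tenant-secret-from-kms"          # assumption: held in your secret store
    chain = build_sample_chain(key)
    print("export intact:", verify_chain(chain))
    print("backdated copy:", verify_chain(tamper(chain)))
    print("pack hash:", pack_hash(json.dumps(chain).encode()))
```

Run verify_chain over the export before you cite any event id from it; a chain that fails at index i means nothing from i onward can be relied on, and that is a finding for the cover letter, not something to quietly re-export. The same tenant key must be used for every pseudonym in the pack, or the DPA cannot correlate the suppression event with the send.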

Common DPA follow-ups

"Provide the prompts used by your LLM for the in-scope sends."

Provide them. Most DPAs are not interested in your prompt engineering; they are confirming that the LLM call did not process special-category data and was bounded by the LIA. If your prompt includes proprietary third-party content (a contractor's or vendor's), redact only that and document the redaction.

"Specify the jurisdiction in which the LLM call was processed."

For CogniLead: PHI Gateway routes EU recipients to EU-resident inference (Mistral, Infomaniak); the routing record is in the evidence pack. Without CogniLead: name the LLM vendor and the region of the call. If the LLM ran in the US for an EU recipient, document the transfer safeguard (an adequacy decision such as the EU-US Data Privacy Framework, SCCs, or an Article 49 derogation) and expect a follow-up.

"Confirm that no profiling under Article 22 occurred."

Most cold-outbound personalization does not constitute Article 22 profiling because no automated decision producing legal or similarly significant effects is made about the recipient. Confirm this in writing. If your platform makes an automated decision to suppress or admit, document that humans can review any specific decision on request.

"Provide the suppression list."

Do not provide the raw list — it is itself personal data and sharing it with the DPA without a controlled mechanism creates a new processing event. Provide an attestation, a row count, and the propagation SLO. If the DPA requests the raw list under a specific legal request, run the production through legal first.

"Demonstrate that the recipient was added under a legitimate-interest basis, not consent."

Restate the LIA, point to the contemporaneous version, and produce the signal that surfaced the lead. The DPA is testing whether the lawful basis was correctly identified at the time of processing — not whether you can argue it post-hoc. Honest reconstruction beats clever rephrasing every time.

"Provide a copy of the email body."

Provide it. The body is already in your sends table; rendering it back is straightforward. Bodies that look defensible in the cold light of a DPA response tend to be the same bodies that recipients reply to — if you cannot face producing the body, that is its own signal about the campaign.

Sample response structure

The structure below is what we ship as the CogniLead cover letter template. Customize for your specific inquiry.

To:    [DPA contact]
From:  [Controller], [DPO]
Re:    [DPA reference] — response to inquiry
Date:  [submission date]

1. Receipt and scope
   [Date received] · [scope summary]

2. Lawful basis
   GDPR Article 6(1)(f), Recital 47.
   LIA v[version], reviewed by [DPO] on [date].

3. Mitigations in production at time of in-scope sends
   - Corporate inboxes only
   - RFC 8058 one-click unsubscribe (honored ≤ 60 seconds)
   - Jurisdiction-aware LLM processing
   - Retention schedule: signals 90d, leads 30d post-suppression,
     sends 7y
   - Chainlog audit anchor per send

4. Specific responses
   Q1. [DPA question 1]
       A. [Answer with evidence pack reference]
   Q2. [DPA question 2]
       A. [Answer with evidence pack reference]
   ...

5. Corrective actions
   [None / list]

6. Attachments
   - Evidence pack (PDF, [hash])
   - Retention attestation
   - LIA v[version]

Signed,
[DPO name]
[Executive sponsor name]

Next step

If you already use CogniLead, the evidence pack endpoint at POST /v1/evidence/:lead_id/pdf renders the artifact in 60 seconds. If you do not, the rest of this playbook is the manual motion — and the most common reason teams move to CogniLead is the day they finish reconstructing one of these packs by hand.

Read the companion playbook The 2026 LIA playbook for B2B cold outbound for the upstream document the inquiry response references.

CogniLead

CogniLead renders this PDF in 60 seconds

One endpoint per lead: signal provenance, LIA reference, jurisdiction routing, policy decision, send hash, suppression check, Chainlog event tree. Six pages, A4, signable.

Not legal advice

This playbook is published by CogniLead for orientation. It is not legal advice and should not replace counsel from a Data Protection Officer or qualified lawyer. The applicable rules depend on your jurisdiction, your data subjects, and the specific facts of the processing.