10 min read · Published 2026-06-04 · Updated 2026-06-04

The 2026 LIA playbook for B2B cold outbound: 7 elements your DPO will accept

TL;DR

B2B cold outbound under GDPR runs on Article 6(1)(f) — legitimate interest. Article 6(1)(f) is not a checkbox; it is a conditional lawful basis that requires a documented Legitimate Interest Assessment (LIA), substantive mitigations, and the practical capacity to honor a data subject access request inside the statutory window. A defensible LIA has seven elements: purpose, lawful basis citation, necessity, proportionality, risk to the data subject, mitigations shipped, and a named reviewer with a date.

This playbook is structured around those seven elements. We walk through each, name the common Data Protection Officer objections, and explain when LIA is not the right basis at all — there are cases (consumer outreach, special-category data, retargeting beyond first contact) where consent is the only basis that survives scrutiny.

The CogniLead LIA template at /legal/lia implements the seven elements. The CogniLead evidence pack bundles the LIA reference with every send so a DPA inquiry can be answered without forensic reconstruction. See the companion playbook How to respond to a DPA inquiry in 30 days for the response motion.

What is a Legitimate Interest Assessment

GDPR Article 6(1) lists six lawful bases under which a controller may process personal data. The most-used for cold B2B contact is Article 6(1)(f) — legitimate interest. The text reads, in relevant part, that processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The recitals (notably Recital 47) explicitly contemplate direct marketing as a possible legitimate interest, with the caveat that the balancing test must come out in the controller's favor.

Because Article 6(1)(f) is conditional on a balancing test, the UK ICO and EU Data Protection Authorities expect controllers to run and document a Legitimate Interest Assessment before the processing begins. The LIA is the artifact that records the balancing — the purpose, the necessity, the proportionality, the risk, and the mitigations. It is not filed anywhere; it lives in the controller's records and is produced on demand.

An LIA is not a one-time document. The processing changes, recipients change, mitigations ship — the LIA needs to be revised on a cadence (we suggest annually, plus on any material change to the processing). The reviewer-and-date element exists to make that cadence inspectable.

The three tests

Across UK ICO, CNIL, and EDPB guidance the LIA shape converges on three tests: the purpose test, the necessity test, and the balancing test. The seven elements we cover below are the artifact you produce by working through those three tests in order.

1. Purpose test

Is the purpose legitimate? For B2B cold outbound the answer is nearly always yes — contacting a corporate prospect about a product they can buy is a recognized commercial interest contemplated by Recital 47. The interesting question is whether the purpose is specific enough to ground the rest of the LIA. "Selling our product" is too broad; "contacting engineering decision-makers at EU SaaS companies whose public job posts reference a stack our product supports" is specific enough to balance against.

2. Necessity test

Is there a less intrusive way to achieve the purpose? For prospecting where the recipient has not heard of you, the answer is almost always no — the recipient cannot opt in to a service they do not know exists. The LIA should document the alternatives you considered (paid ads, content marketing, mutual introductions) and why each is inadequate or insufficiently targeted for this purpose. The necessity test fails if your processing is broader than strictly necessary — for example, scraping personal email addresses when corporate inboxes would have done.

3. Balancing test

Are the controller's interests overridden by the interests, rights and freedoms of the data subject? This is where the LIA lives or dies. Recital 47 calls out the importance of reasonable expectation — a corporate employee reasonably expects to receive vendor outreach about products relevant to their role. A consumer receiving a sales pitch on their personal Gmail does not have that expectation. The balancing test is also where mitigations earn their keep: each shipped mitigation lowers the impact on the data subject and tilts the balance toward the controller.

The seven elements your DPO will accept

A defensible LIA includes the following seven elements. The CogniLead template at /legal/lia renders the same seven; we restate them here so you can audit whichever LIA you actually use.

1. Purpose, stated specifically

One paragraph. Who you are contacting, why, and what they will be invited to do. Specific enough that a regulator can decide whether the rest of the LIA is on point.

2. Lawful basis, cited

State that the processing is conducted under Article 6(1)(f) and reference Recital 47. If you are also relying on a derogation under the ePrivacy Directive (Article 13(2) of Directive 2002/58/EC, the so-called soft opt-in for existing customers), cite that here too. Most cold-outbound processing will not qualify for the soft opt-in.

3. Necessity, justified

Document the alternatives you considered and rejected. Paid ads do not reach the specific role you target; content marketing does not surface the urgency you respond to. Be honest — the DPO will read this section first.

4. Proportionality, scoped

Document the bounds of the processing. Whose data, sourced from where, retained for how long, and used for what. The two questions a DPO will ask are: have you minimized to the data you actually need, and have you constrained the use to the purpose stated above. The answer must be yes to both.

5. Risk to the data subject

Be specific about the possible impact. For corporate B2B cold outbound the realistic risks are: nuisance (the recipient finds the email irrelevant), profile inference (your enrichment data reveals more than you needed), and lock-in (the recipient is added to a sequence they cannot easily exit). Each risk maps to one or more mitigations in element 6.

6. Mitigations shipped

This is where most LIAs fall apart. A DPO does not want a list of mitigations you plan to ship; the DPO wants a list of mitigations that are in production today. The mitigations CogniLead ships, and which we recommend you replicate whichever platform you use:

  • Corporate inboxes only. Personal email addresses are out of scope.
  • RFC 8058 one-click unsubscribe in List-Unsubscribe-Post, honored across all sender pools inside 60 seconds.
  • Jurisdiction-aware LLM processing. Data about EU recipients is never sent to US-region LLM inference.
  • Documented retention schedule: signals 90 days, leads 30 days post-suppression, sends 7 years.
  • Chainlog-anchored audit chain per send; evidence pack PDF rendered on demand under Article 15.
  • Hard suppression list: a complaint against one campaign suppresses across all campaigns.
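The first, second, fourth and sixth mitigations above are all mechanical checks that can run before a message leaves the queue. The following is an added example of such a pre-send gate, written for this playbook and not CogniLead's own code: it rejects personal-webmail recipients, consults a hard suppression list shared across campaigns, verifies the RFC 8058 one-click unsubscribe headers (an HTTPS URI in `List-Unsubscribe` plus a `List-Unsubscribe-Post` header whose value is exactly `List-Unsubscribe=One-Click`), and computes record expiry from the retention schedule quoted above. The webmail domain list, the sample headers and the sample addresses are constructed for the example; the function names are assumptions.

```python
"""Pre-send compliance gate modelled on the mitigations listed above.

Added example, not CogniLead code. The webmail domain list, sample
addresses and sample headers are constructed; the header rules follow
RFC 8058; the retention figures are the ones quoted in the playbook.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample of consumer webmail domains (a real gate would keep
# a maintained list; this one is an assumption for the example).
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Retention schedule from the page: signals 90 days, leads 30 days after
# suppression, sends 7 years (expressed here as 365 * 7 days).
RETENTION_DAYS = {"signal": 90, "lead": 30, "send": 365 * 7}

# Constructed sample headers that satisfy RFC 8058.
SAMPLE_HEADERS = {
    "List-Unsubscribe": "<https://mail.example.net/unsub/abc123>, <mailto:unsub@example.net?subject=abc123>",
    "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
}


@dataclass
class SuppressionList:
    """Hard suppression: a complaint against one campaign suppresses everywhere."""
    addresses: Set[str] = field(default_factory=set)

    def suppress(self, address: str) -> None:
        self.addresses.add(address.strip().lower())

    def is_suppressed(self, address: str) -> bool:
        return address.strip().lower() in self.addresses


def is_corporate_inbox(address: str) -> bool:
    """Mitigation 1: personal webmail addresses are out of scope."""
    if address.count("@") != 1:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    return bool(domain) and domain not in PERSONAL_WEBMAIL


def rfc8058_problems(headers: Dict[str, str]) -> List[str]:
    """Mitigation 2: check the one-click unsubscribe headers RFC 8058 requires.

    List-Unsubscribe must carry an HTTPS URI (a mailto: URI may sit beside it)
    and List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'.
    Header names are matched case-insensitively, as mail headers are.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    problems: List[str] = []
    uris = [u.strip().strip("<>") for u in lowered.get("list-unsubscribe", "").split(",") if u.strip()]
    if not any(urlparse(u).scheme == "https" for u in uris):
        problems.append("List-Unsubscribe lacks an https URI")
    if lowered.get("list-unsubscribe-post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post is not 'List-Unsubscribe=One-Click'")
    return problems


def retention_expiry(record_type: str, anchor_iso: str) -> str:
    """Mitigation 4: ISO date on which a record of the given type expires."""
    anchor = date.fromisoformat(anchor_iso)
    return (anchor + timedelta(days=RETENTION_DAYS[record_type])).isoformat()


def pre_send_gate(recipient: str, headers: Dict[str, str], suppression: SuppressionList) -> List[str]:
    """Return the blocking reasons for a send; an empty list means it may go."""
    reasons: List[str] = []
    if not is_corporate_inbox(recipient):
        reasons.append("recipient is not a corporate inbox")
    if suppression.is_suppressed(recipient):
        reasons.append("recipient is on the hard suppression list")
    reasons.extend(rfc8058_problems(headers))
    return reasons


if __name__ == "__main__":
    # Constructed sample run: one complaint suppresses the address for every campaign.
    sup = SuppressionList()
    sup.suppress("cto@example-saas.eu")
    print(pre_send_gate("vp-eng@example-saas.eu", SAMPLE_HEADERS, sup))  # []
    print(pre_send_gate("cto@example-saas.eu", SAMPLE_HEADERS, sup))     # suppressed
    print(pre_send_gate("someone@gmail.com", {}, sup))                   # personal inbox + missing headers
    print(retention_expiry("signal", "2026-06-04"))                      # 2026-09-02
```

The gate returns reasons rather than a boolean so the refusal can be written to the per-send audit record; an empty list is the only result that should release a message. The 60-second honoring window for unsubscribes is an operational property of the suppression store and is not something a pre-send check can verify, so it is deliberately outside this block.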

7. Reviewer and date

Name the person who signed off and the date. If the LIA is signed by a DPO, name the DPO. If your organisation does not have a DPO under Article 37, name the person responsible for privacy and a fallback reviewer for continuity. Without a named reviewer the LIA is not a defensible artifact.

The CogniLead LIA template

The CogniLead LIA template at /legal/lia implements the seven elements above in a form a DPO can review in fifteen minutes. We deliberately do not duplicate the template here — keeping it in one place keeps the version history honest. The template is published under a permissive license and customers are encouraged to fork it.

Common DPO objections, and how to address each

"The purpose is too broad to balance against."

Tighten the purpose. "Cold outbound" is not a purpose; "contacting engineering decision-makers at EU SaaS companies whose public job posts reference Postgres or Redis between observed-date and observed-date + 30 days" is. The narrower the purpose, the more clearly the necessity and proportionality tests pass.

"The processing uses a US LLM. That is a transfer issue."

Address by routing. If the LLM call is the only US-region processing in the chain, route EU recipients to EU-resident inference. CogniLead does this through PHI Gateway; if you build your own pipeline you can do the equivalent with Mistral or Infomaniak on EU regions. The transfer issue disappears when no transfer happens.

"The retention schedule is too long."

Distinguish between operational retention and legal retention. Signals can expire fast (90 days) because the operational value of a signal decays quickly. Lead records can expire 30 days after suppression. Send records typically need to be retained for the duration of any applicable audit lookback — 7 years is reasonable in most EU jurisdictions, though your specific accounting framework may dictate otherwise.

"What evidence do you produce if a DPA asks?"

Show them the evidence pack PDF. The CogniLead evidence pack bundles signal provenance, AgentGate policy decision, jurisdiction routing, send hash, suppression check, and the Chainlog event tree for one lead in a six-page A4 artifact. See the companion playbook How to respond to a DPA inquiry in 30 days for the full motion.

"What if the recipient is in a special category — health, political opinion, etc.?"

You cannot rely on Article 6(1)(f) for special-category data under Article 9. The processing requires an Article 9 condition — most commonly explicit consent under Article 9(2)(a). For corporate B2B prospecting this rarely comes up, but if your targeting infers a special category (a job post that reveals a political stance, a thread that reveals union activity), the LIA does not save you. Drop the lead.

When LIA is not the right basis

LIA is the right basis for most corporate B2B cold outbound. It is not the right basis in any of these cases:

  • Consumer outreach. Cold contact with a consumer typically requires consent under the ePrivacy Directive Article 13 (or the equivalent in the new ePrivacy Regulation when it lands). Article 6(1)(f) does not unlock consumer prospecting on its own.
  • Special-category data. See the objection above. Article 9 applies; LIA is not enough.
  • Retargeting beyond first contact. Once a recipient has responded (positively or negatively), continued processing for further outreach typically requires consent or a different lawful basis under Article 6(1)(a) or 6(1)(b).
  • EU member state derogations. Some member states (notably Germany under §7 UWG) impose stricter requirements on commercial electronic communication that effectively require consent even for B2B contact. Country counsel is mandatory.
  • Cross-border transfers without safeguards. LIA does not lawfully transfer data outside the EU. If your processing involves a transfer, Article 46 safeguards (SCCs, BCRs) or an Article 49 derogation must be in place.

The Switzerland-specific case

CogniLead is operated from Switzerland, which has its own federal data-protection regime — the revised Federal Act on Data Protection (nFADP), in force since September 2023. nFADP is broadly aligned with GDPR but is not identical: the lawful-basis framework is more permissive for legitimate-interest processing in some respects, the data-subject rights are slightly narrower on profiling, and the notification timelines for breaches are different. For Swiss-only processing, the LIA shape above carries over almost unchanged but the citations move from Article 6(1)(f) GDPR to the equivalent legitimate-interest provision in nFADP. For mixed CH/EU processing, the LIA must cover both regimes — and the data-residency commitments must match the strictest of the two.

Next step

If you already use CogniLead, your LIA reference is bundled into every send and the evidence pack is rendered on demand from the Chainlog. If you do not, the CogniLead LIA template is published at /legal/lia for you to fork and adapt. Either way the seven elements above are the durable structure — every defensible LIA we have seen renders the same skeleton.

Read the companion playbook How to respond to a GDPR DPA inquiry about cold outreach in 30 days for what happens when a regulator writes.

CogniLead

Get the CogniLead evidence pack

One PDF per lead bundles your LIA reference, jurisdiction routing, AgentGate policy decision, and the full Chainlog event tree. Rendered in 60 seconds.

Not legal advice

This playbook is published by CogniLead for orientation. It is not legal advice and should not replace counsel from a Data Protection Officer or qualified lawyer. The applicable rules depend on your jurisdiction, your data subjects, and the specific facts of the processing.