LinkedIn outreach occupies a legal grey zone that English-language guides routinely flatten into "just send the message." For a German SDR or sales manager, that flattening is professionally dangerous: the country has stricter data-protection norms than most jurisdictions, a buyer culture that rejects mechanised outreach, and enforcement that is real rather than theoretical. This guide is the operator's view on what actually applies — and what it means for your daily sequences.
The legal foundation in two paragraphs
The General Data Protection Regulation (DSGVO in German) governs the processing of personal data of EU residents, including names, email addresses, phone numbers, job titles and any combination of those that identifies a person. Sending a LinkedIn message, scraping a profile, enriching a contact with an email — every one of those is a processing activity. As the operator, you are the controller for that processing, which means you need a lawful basis for it and you need to be able to demonstrate that basis.
The six lawful bases under Article 6 of the GDPR are consent, contract, legal obligation, vital interests, public task, and legitimate interest. For B2B cold outreach the relevant one is almost always legitimate interest — Article 6(1)(f). Legitimate interest is genuine but it is not a free pass: it requires a documented assessment that weighs your interest in contacting a prospect against the prospect's reasonable expectations and their right to data protection. The assessment is real, not ceremonial.
What "legitimate interest" actually means in practice
The legitimate-interest balancing test has three parts: a clearly identified purpose, a real necessity for processing the data to achieve it, and an assessment that your interest is not outweighed by the prospect's. For B2B outreach specifically, the test tends to be passed when:
- The contact is a business contact in a business context (their role makes commercial communication a reasonable expectation).
- Your outreach is genuinely relevant to their role (a CRM pitch to a CFO of a manufacturing company is harder to defend than a CRM pitch to the head of revenue at a SaaS company).
- You have a working opt-out and you honour it immediately.
- You are not contacting them via a channel they would not reasonably expect (a personal mobile number scraped from somewhere is far more aggressive than a LinkedIn message to their professional profile).
Documentation matters. A documented Legitimate Interest Assessment for your outreach program is the kind of artefact that converts a potential complaint into a defensible position. Most operators do not have one until they need it.
The German-specific considerations
Three things make Germany meaningfully stricter than the broader EU baseline:
- UWG §7 — competition law on unsolicited contact. Germany's Act Against Unfair Competition treats unsolicited commercial contact more restrictively than general GDPR norms. For email specifically, prior consent is generally required for B2C; for B2B the question is harder and turns on whether the recipient could reasonably expect the contact. LinkedIn messaging sits on the platform's own terms, which adds another layer.
- The Datenschutzbeauftragter requirement. Organisations above a certain size or processing sensitive data must appoint a data protection officer. If your prospect's organisation has one, complaints land there first, and Datenschutzbeauftragte have time and resources to pursue them.
- Enforcement culture. German DPAs are among the most active in the EU, fines for repeated or systemic violations are real, and class-action-like collective complaint mechanisms exist. The cost-of-failure math is materially worse than in lighter-enforcement jurisdictions.
The vendor angle — who is processing what
Every tool in your outbound stack is processing personal data on your behalf. Each one needs a Data Processing Agreement — Auftragsverarbeitungsvertrag in German — that establishes the processor relationship and specifies what they can and cannot do with the data. The DPA is not optional and not a checkbox: a missing DPA is a per-se violation that any complaint will surface immediately.
The vendors that show up in DACH outbound stacks vary in how easy this is. EU-hosted tools with clear DPAs available on request are the lowest-friction option. US-hosted tools require Standard Contractual Clauses on top of the DPA to cover the cross-border transfer, which is workable but means more paperwork and more procurement friction. Walk away from any tool that cannot produce a DPA at all, regardless of feature set.
The companion guide on LinkedIn automation tools for German B2B assesses individual vendors against these criteria.
What your sequences actually need to do
Beyond the legal foundation, the operational practice for compliant DACH outreach has six concrete components:
- An identifiable sender. Your real name, your real role, a way to look you up. Sequences from anonymous or alias accounts trip both LinkedIn's enforcement and prospect skepticism.
- A clear purpose in the opening message. Why are you contacting this specific person? "Saw your post on X" if true, or a substantive reason tied to their role. Generic prospecting tells the prospect you have not done the work.
- Honest channel use. If you connected on LinkedIn, follow up on LinkedIn first. Jumping to a personal email address you enriched without that channel making sense is the kind of escalation that produces complaints.
- A working unsubscribe / objection process. If a prospect says "do not contact me again," you stop, and you ensure they are removed from any future sequences. This is both a GDPR right (Article 21) and basic professional courtesy.
- Honest data sources. Where did you get this email? If you cannot answer that question for any specific prospect, you have a problem. Tools that enrich profiles to verified work emails are usually fine; tools that produce personal mobile numbers from unclear sources are not.
- Retention discipline. Data you have collected and no longer need should be deleted, not stored indefinitely. Retention policies are a GDPR requirement and a sensible operational practice.
What "compliance" actually looks like in operations
For a working SDR or sales manager, the operational version of this guide reduces to:
- Document your Legitimate Interest Assessment for outreach. Once. Update annually.
- Have DPAs in place with every vendor. Audit annually.
- Operate from an identifiable real LinkedIn account, with sequences that pass the "would I be embarrassed if this prospect read my outreach process" test.
- Honour opt-outs immediately and remove the contact from your systems.
- Do not enrich beyond what you need (personal mobile numbers, home addresses, anything that escalates the channel without justification).
- Keep records — what you sent, when, who responded, who opted out — sufficient to demonstrate compliance if asked.
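The opt-out, channel, retention and record-keeping points in the two lists above are easy to state and easy to get wrong in a live sequence tool, so here is an added example (not code from this guide or from any vendor it names) of how a team might encode them: every sequence step passes a gate that refuses contacts who have objected and refuses channel jumps, an objection deletes the record while keeping only the identifier needed to enforce it, a retention purge removes idle records, and every decision lands in a log you could hand to a Datenschutzbeauftragter. The 180-day window, the contact fields and the two prospects are constructed assumptions, not values from the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention window; the guide asks for a policy, it does not prescribe a number.
RETENTION_DAYS = 180


@dataclass
class Contact:
    contact_id: str
    name: str
    role: str
    source: str             # where the record came from; must be answerable per prospect
    channel: str            # the channel you actually connected on, e.g. "linkedin"
    last_activity: datetime


@dataclass
class OutreachStore:
    contacts: dict[str, Contact] = field(default_factory=dict)
    # Objections are kept as bare identifiers only, so the objection can still be
    # honoured after the rest of the personal data has been deleted.
    suppression: set[str] = field(default_factory=set)
    log: list[dict] = field(default_factory=list)   # what was sent, when, to whom, who opted out

    def _record(self, now: datetime, event: str, contact_id: str, **extra) -> None:
        self.log.append({"ts": now.isoformat(), "event": event, "contact_id": contact_id, **extra})

    def add(self, c: Contact, now: datetime) -> None:
        if not c.source:
            raise ValueError(f"{c.contact_id}: refusing a contact with no documented data source")
        if c.contact_id in self.suppression:
            raise ValueError(f"{c.contact_id}: contact has objected; do not re-import")
        self.contacts[c.contact_id] = c
        self._record(now, "added", c.contact_id, source=c.source, channel=c.channel)

    def can_send(self, contact_id: str, channel: str) -> bool:
        """Gate for every sequence step: blocks objected, unknown and channel-escalated contacts."""
        if contact_id in self.suppression:
            return False
        c = self.contacts.get(contact_id)
        # Simplified "honest channel use": stay on the channel you connected through.
        return c is not None and channel == c.channel

    def send(self, contact_id: str, channel: str, message: str, now: datetime) -> bool:
        if not self.can_send(contact_id, channel):
            self._record(now, "blocked", contact_id, channel=channel)
            return False
        self.contacts[contact_id].last_activity = now
        self._record(now, "sent", contact_id, channel=channel, message=message)
        return True

    def record_objection(self, contact_id: str, now: datetime) -> None:
        """Art. 21 objection: suppress immediately, then delete the rest of the record."""
        self.suppression.add(contact_id)
        self.contacts.pop(contact_id, None)
        self._record(now, "opted_out", contact_id)

    def purge_stale(self, now: datetime, retention_days: int = RETENTION_DAYS) -> list[str]:
        """Retention discipline: delete records with no activity inside the window."""
        cutoff = now - timedelta(days=retention_days)
        stale = sorted(cid for cid, c in self.contacts.items() if c.last_activity < cutoff)
        for cid in stale:
            del self.contacts[cid]
            self._record(now, "purged", cid, reason=f"no activity for {retention_days} days")
        return stale


def demo() -> dict:
    """Walk one constructed scenario through the store and return the outcomes."""
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = OutreachStore()
    # Two constructed prospects; the second has been idle for over a year.
    store.add(Contact("p-001", "Prospect A (constructed)", "Head of Revenue",
                      "linkedin profile", "linkedin", t0), t0)
    store.add(Contact("p-002", "Prospect B (constructed)", "CFO",
                      "linkedin profile", "linkedin", t0 - timedelta(days=400)), t0)
    sent = store.send("p-001", "linkedin", "Saw your post on X ...", t0)
    escalated = store.send("p-001", "work_email", "Following up by email ...", t0)  # blocked
    store.record_objection("p-001", t0 + timedelta(days=2))
    after_objection = store.send("p-001", "linkedin", "One more thing ...", t0 + timedelta(days=3))
    purged = store.purge_stale(t0 + timedelta(days=3))
    return {
        "sent": sent,
        "escalation_blocked": not escalated,
        "objection_honoured": not after_objection and "p-001" not in store.contacts,
        "purged": purged,
        "events": [e["event"] for e in store.log],
    }
```

In a real stack the suppression set and the log would live in the CRM or sequence tool rather than in memory, but the shape is the point: the send path cannot reach a contact without passing the gate, and the log alone answers "what did you send, when, and did you stop when asked".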
Start with a DACH-aware tool
Closely's cloud architecture, EU-DPA availability and region-aligned sending make it a sensible first piece of a compliant DACH stack. Test it free.
The honest summary
GDPR-compliant LinkedIn outreach in Germany is genuinely achievable, and most thoughtful sales operators are already most of the way there without realising it. The work is to formalise what you do (lawful basis, DPAs, opt-out process, retention) rather than to invent something radically new. The cost of doing this work is low; the cost of not doing it and being asked to demonstrate it is high. The right time to formalise is before someone files a complaint, not after.