Do Not Contact & GDPR Compliance for Cold Email in Odoo CRM
Cold email outreach isn't banned in the EU — but it's regulated. The GDPR allows B2B cold email under certain conditions. The critical point isn't whether you may contact someone, but how you handle opt-outs when someone says: "Stop contacting me."
This article explains the Do Not Contact system in the Odoo CRM Outreach Campaigns module and covers what you need to consider for GDPR-compliant cold email.
Cold Email and GDPR: The Legal Framework
Legitimate Interest (Art. 6(1)(f) GDPR)
B2B cold email can be based on "legitimate interest" if:
- You're writing to a business email address (not personal)
- The content is relevant to the recipient (related to their role/industry)
- You have an overriding business interest
- You offer an easy opt-out option
What you must do
- Identify yourself: Sender, company, contact details
- Enable opt-out: Every email must offer a way to decline further contact
- Implement opt-out immediately: When someone says "don't contact me anymore," it must take effect instantly — across all campaigns, not just the current one
- Document: When was the opt-out set, by whom, for what reason
What you must not do
- Contact personal email addresses without consent
- Ignore or delay opt-out requests
- Share data with third parties without legal basis
- Contact without an identifiable sender
Note: This article is not legal advice. GDPR requirements vary by country, industry, and context. When in doubt: consult a data protection officer or lawyer.
The Three-Level Do Not Contact System
The Odoo CRM Outreach Campaigns module provides DNC (Do Not Contact) at three levels:
Level 1: Lead-Level DNC
What happens: Only this specific lead is blocked from outreach. Other leads with the same contact remain active.
When useful: The lead is irrelevant (wrong department, wrong product), but the contact could be relevant for other campaigns.
Example: You email a marketing manager about SEO services. They reply: "SEO isn't my area." You block this lead but might contact them later about a different topic.
Level 2: Contact-Level DNC
What happens: The contact (res.partner) is flagged. All CRM leads linked to this contact are blocked. New leads for this contact will also be blocked.
When useful: The person clearly says: "Don't contact me anymore." Not about a specific topic, but in general.
Example: A contact replies: "Please remove me from all your lists." → Contact-level DNC. No more outreach emails to this person, regardless of campaign.
Level 3: Company-Level DNC
What happens: The company (parent res.partner) is flagged. All child contacts inherit the block. All leads linked to any contact at this company are blocked.
When useful: A company says: "Stop contacting our organization." The block must apply to all people at that organization.
Example: The CEO replies: "We don't want to be contacted by your firm." → Company-level DNC. All contacts, all leads — instantly blocked.
Audit Trail: What Gets Documented
Every DNC action creates an audit entry:
| Field | Description |
|---|---|
| Timestamp | When the DNC was set |
| Set by | Which user activated the DNC |
| Reason | Free-text field for the reason (e.g., "Recipient requested opt-out via email") |
| Level | Lead, contact, or company |
This audit trail is important for GDPR compliance: you can demonstrate at any time when and why a contact was blocked.
How the Cascade Works in Practice
Scenario: You have 3 contacts at "Acme Inc.": Anna (Marketing), Bob (Sales), Clara (CEO). Each has 2 open leads.
Clara replies: "Please stop contacting Acme."
You set company-level DNC on Acme Inc.
Result:
- Acme Inc. → DNC ✓
- Anna → DNC (inherited from company) ✓
- Bob → DNC (inherited from company) ✓
- Clara → DNC (inherited from company) ✓
- All 6 leads → blocked ✓
- New leads for Anna, Bob, or Clara → automatically blocked ✓
No lead from this company can receive an outreach email anymore. Not in the current campaign, not in future campaigns.
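The cascade in the Acme scenario above, as an added example that is not the module's own code. It also includes a check that lists blocked leads still enrolled in a campaign. `Partner`, `Lead`, `set_dnc`, `blocked_by`, `still_enrolled` and the `in_campaign` flag are hypothetical names, and the data is constructed.

```python
# Hypothetical model of the cascade; names are illustrative, not the module's fields.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Partner:                      # stands in for a res.partner record
    name: str
    parent: Optional["Partner"] = None
    dnc: bool = False

@dataclass
class Lead:
    name: str
    partner: Partner
    dnc: bool = False
    in_campaign: bool = True

def set_dnc(record, level, user, reason, audit):
    """Flag one record and append an audit entry with the four documented fields."""
    record.dnc = True
    audit.append({"timestamp": datetime.now(timezone.utc), "set_by": user,
                  "reason": reason, "level": level, "target": record.name})

def blocked_by(lead):
    """Resolve the block at send time, so leads created later are covered too."""
    if lead.dnc:
        return "lead"
    if lead.partner.dnc:
        return "contact"
    if lead.partner.parent is not None and lead.partner.parent.dnc:
        return "company"
    return None

def still_enrolled(leads):
    """Blocked leads that are still in a campaign and need to be pulled."""
    return [l.name for l in leads if l.in_campaign and blocked_by(l)]

def acme_scenario():
    """Constructed data: three contacts at Acme Inc., two open leads each."""
    audit = []
    acme = Partner("Acme Inc.")
    people = [Partner(n, parent=acme) for n in ("Anna", "Bob", "Clara")]
    leads = [Lead(f"{p.name} lead {i}", p) for p in people for i in (1, 2)]
    set_dnc(acme, "company", "sales_user", "Recipient requested opt-out via email", audit)
    leads.append(Lead("Anna lead 3", people[0]))   # created after the opt-out
    return leads, audit

if __name__ == "__main__":
    leads, audit = acme_scenario()
    print({l.name: blocked_by(l) for l in leads}, audit[0]["level"])
```

Resolving the block when a send is attempted, rather than copying a flag onto each lead when DNC is set, is what makes a single company-level flag cover leads created afterwards.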
Why CRM-Native DNC Is Better Than External Blocklists
Immediate effect
When you set DNC in an external tool, you also need to update it in the CRM and every other platform. In Odoo, you set it once — it applies everywhere.
Cascade
External tools typically have flat blocklists: one email address per entry. Odoo's DNC cascades from company to contacts to leads. You block a company, and all associated people and leads are instantly blocked.
Audit trail in the CRM
The proof of when an opt-out was implemented is directly on the contact record in the CRM. No separate system, no CSV exports, no "that's in the other tool."
No sync problem
If DNC is set in an external tool but the sync to the CRM fails, emails can still go out. With native DNC, there's no sync problem — the CRM itself is the single source of truth.
Best Practices for GDPR-Compliant Cold Email in Odoo
1. Configure sender identity clearly
Every sender in the module has: display name, email address, signature with company name and contact details. The recipient must always know who is contacting them.
2. Opt-out sentence in every template
Include in every email template a sentence like: "If you'd rather not hear from us, just reply with a quick note — we'll remove you from all outreach immediately."
3. Implement opt-out within 24 hours
When an opt-out reply comes in: set the appropriate DNC level (lead, contact, or company) immediately. Not on Friday, not "when I get to it."
4. Regular DNC review
Once a month: review the DNC list. Are all opt-outs correctly implemented? Are there leads still in campaigns despite DNC?
5. No personal email addresses
Only contact business addresses. anna.schmidt@acme.com = ok. anna.schmidt92@gmail.com = not ok for cold outreach.
6. Document the relevant connection
Why are you contacting this person? The connection to their role or industry should be documented in the lead or campaign. "All emails in the database" is not legitimate interest.
System Limitations
The DNC system in the module covers the operational side: reliably implementing, cascading, and documenting opt-outs. It does not cover:
- Legal assessment: Whether your cold outreach is permissible in a specific case requires a legal evaluation
- Privacy policy: You need a privacy policy that describes cold outreach processing
- Processing records: The processing must be documented
- Deletion obligations: The module blocks outreach but doesn't delete data. GDPR deletion rights must be implemented separately
Conclusion
GDPR-compliant cold email is possible — but it needs clean processes. The three-level DNC system with cascade and audit trail gives you the operational foundation. Beyond that you need: clear sender identity, opt-out in every template, fast implementation, and legal backing.
The GDPR doesn't want you to stop contacting people. It wants you to do it respectfully, transparently, and with a working opt-out mechanism.
The CRM Outreach Campaigns module includes the three-level Do Not Contact system with cascade and audit trail. Also free: CRM Direct Email for automatic recipient auto-fill.