Signal-Based Outbound & ABM in Europe
Playbook Overview
When should you run this playbook?
Who to target?
Playbook goal?
Responsible teams?
If you sell into the EU market, your sales and marketing teams need clarity on which signals they can use, how they can act on them, and what guardrails to put in place. This playbook gives you a practical, signal-by-signal breakdown so your team can run signal-based outbound and ABM with confidence.
1. The Bottom Line
The good news:
UserGems’ core signals are GDPR-compliant — and in many cases, the underlying data processing is actually required by the regulation. GDPR obligates data controllers to keep CRM data accurate and up to date (Article 5(1)(d)). UserGems is a technical measure that helps fulfill that obligation. However, two specific signals — contact-level intent and contact-level website de-anonymization — should be disabled for EU-targeted contacts.
Key Principle
GDPR does not regulate whether you can email someone. It regulates whether you are allowed to process and store that person’s information (i.e., have their contact details in your CRM).
The question of “can I send this email?” is governed by ePrivacy rules and your existing outbound policies — not GDPR itself.
2. GDPR Basics: What It Actually Regulates
GDPR governs the processing of personal data — collecting it, storing it, updating it, and using it for business purposes. To process someone’s data lawfully, you need a legal basis. For B2B sales and marketing, two legal bases are most relevant:
Legitimate Interest (Article 6(1)(f))
You can process personal data when you have a legitimate business interest that isn’t overridden by the individual’s privacy rights. This is the primary legal basis for using UserGems signals. It applies especially well when:
- The person published their information themselves (e.g., on LinkedIn — a platform known for professional networking and sales engagement)
- The data relates to their professional life, not their private life
- There is an existing or potential business relationship
- Your outreach is personalized and relevant, not a mass marketing blast
Data Accuracy Obligation (Article 5(1)(d))
GDPR requires that personal data be “accurate and, where necessary, kept up to date.” If you maintain a CRM with business contacts, you are obligated to take reasonable steps to keep that data current. Using UserGems to monitor and update contact data is a technical and organizational measure that helps fulfill this obligation. Some legal scholars argue this obligation itself constitutes a legal basis for the processing.
3. Signal-by-Signal Compliance Guide

⚠ For EU-Targeted Accounts: Disable These Two Signals
If your campaigns target contacts in the EU/EEA, you should not activate contact-level intent or contact-level website de-anonymization.
These signals rely on covert tracking of individual behavior without consent, which fails the legitimate interest balancing test under GDPR. The individual has no reasonable expectation of being personally identified, has not published this information themselves, and has no prior relationship with your company. These signals remain fully available for non-EU contacts.
However, you can use account-level intent and account-level website de-anonymization for the EU market.
4. What Your Team Needs To Do

5. Best Practices Checklist

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Based on an independent legal assessment by Orrick, Herrington & Sutcliffe (February 2024). Consult your own legal counsel for jurisdiction-specific guidance.