GDPR and Email Verification: What's Legal, What's Not, and What's Just Cautious
Yes, you can verify B2B email addresses under GDPR. No, you cannot scrape them and verify whatever you want. The lawful basis you rely on changes everything about what you can do next.
Not legal advice. This post is a plain-English overview of how email verification interacts with the GDPR and similar regimes. For decisions that could expose your company to regulatory risk, consult a privacy lawyer in your jurisdiction.
The GDPR turned a lot of B2B marketers into nervous wrecks, and a lot of marketing tooling into either "fully compliant by design" or "blocked in the EU." Email verification falls in an interesting middle zone — it's allowed, often even encouraged, but with conditions that change with context.
Here's the version most teams need.
What's actually being processed when you verify an email
When you submit an email address for verification, three things happen with that string:
- Syntax + domain checks. No personal data leaves your control; we resolve the domain's MX records (public DNS) to find the right mail server.
- SMTP probe. We connect to the recipient's mail server and ask, in protocol, "would you accept mail for
user@domain.com?" The recipient server answers yes/no/maybe. The probe itself does not send a message — it stops before the body. - Result storage. The result is written to your account's history, alongside the email address you submitted.
Under the GDPR, an email address is personal data when it can be used to identify a natural person. john.smith@company.com is clearly personal data; info@company.com is more contested — most regulators would still treat it as personal data because it can be linked to an organisation's contacts.
So yes — GDPR applies. The question isn't whether; it's under what basis.
The six lawful bases (and the two that apply here)
GDPR Article 6 gives you six lawful bases for processing personal data. For email verification in a B2B context, only two are really relevant:
- Article 6(1)(f) — Legitimate interest. You have a real business reason to process the data, your legitimate interest isn't overridden by the subject's rights and freedoms, and you've documented this assessment.
- Article 6(1)(a) — Consent. The subject explicitly opted in, with clear language, without bundling consent into a longer form.
For most B2B email verification scenarios — checking the validity of a corporate email you already have legitimate reason to hold — legitimate interest is the basis you'll rely on. For consumer-facing or freshly-scraped lists, you typically need consent.
The practical implications:
- ✅ Verifying emails in your existing CRM (customers, leads who filled out forms, partners) — almost always fine under legitimate interest. They knew you had their address.
- ✅ Verifying emails captured through your signup form — legitimate interest plus their direct submission.
- ⚠️ Verifying a list you bought from a vendor — depends on the vendor. If they collected with valid consent and assigned that consent to you, OK. If they scraped, you're inheriting their problem.
- ⚠️ Verifying scraped emails — high risk. Scraping isn't always illegal, but using the data without lawful basis is. Verification doesn't fix that.
- ❌ Verifying random emails to see if they exist — no legitimate purpose, no lawful basis.
Data Processing Agreements and the chain of responsibility
When SecureLeadz verifies an email on your behalf, you are the controller (you decide why and how the data is processed) and we are the processor (we run the operation on your instructions). GDPR Article 28 requires a Data Processing Agreement (DPA) between controller and processor.
Our DPA is published at /legal/dpa (auto-counter-signed when you sign up). It covers:
- The categories of data we process (email addresses, optionally metadata you submit alongside)
- The purposes (verification, finding, screening)
- Our security measures (encryption in transit and at rest, hashed IPs, no plaintext logs)
- Sub-processors (we use upstream SMTP verification infrastructure — listed transparently)
- Cross-border transfer mechanisms (Standard Contractual Clauses for any non-EU sub-processor)
- Your audit rights and our incident notification SLA (72 hours, matching GDPR's own requirement)
You don't need to do anything special to "activate" the DPA — by using our service you accept it, and it's binding on us. If you need a counter-signed copy for your records, request it from compliance@secureleadz.com.
Subject access requests and erasure
A person whose email address you've verified can — in principle — ask you what data you hold about them, ask you to delete it, or ask you to stop processing it. In practice for verification:
- Right of access (Art. 15). They can ask you what email addresses of theirs you've verified. You can answer by searching your account's verification history.
- Right to erasure (Art. 17). They can ask you to delete records of their address. You can delete the matching rows from your verification history in your account dashboard, and forwarded requests will propagate to our backups within 30 days.
- Right to object (Art. 21). If you're relying on legitimate interest, they can object. You then have to weigh their objection against your business reason — and if the objection wins, stop processing.
The right-to-object framing is the one most people miss. Consent gives the subject the right to withdraw consent; legitimate interest gives them the right to object. Both end with you stopping — but the process is different.
Where things get harder: enrichment and prospecting
The hardest case isn't verification — it's finding. When you give us a name and a domain and ask for an email, you're processing personal data to create an identifier you didn't previously have.
This is still allowed under GDPR for legitimate B2B prospecting, but the legitimate-interest threshold is higher. You need to document:
- The specific business purpose (cold outreach for a B2B product the contact would plausibly find relevant — not "I might want to email them about literally anything").
- That you're contacting them in a professional capacity at a professional address.
- That you'll honour opt-outs immediately and won't re-contact.
- That the volume and frequency of contact is proportionate.
The line that gets crossed most often is "any B2B contact for any purpose." Sending a CFO a pitch for HR software because they have a corporate email and are technically a B2B prospect isn't an obvious legitimate interest — the professional relevance is missing.
The 30-second compliance checklist
If you can answer "yes" to all of these, you're in good shape:
- The email addresses we're verifying came to us through a path with a documented lawful basis (CRM, signup, business-card scan with consent, etc.).
- We have a DPA in place with our verification provider.
- We can identify and delete a specific subject's verification records on request.
- We've documented our legitimate-interest assessment (or our consent records).
- The verification result is used in proportion to the purpose — not retained indefinitely "just in case."
If any of these are "no," fix that one first. The verification step doesn't cause most GDPR problems — but it does amplify them when the underlying collection wasn't lawful in the first place.
TL;DR
Verifying emails you legitimately hold is fine under GDPR — almost always under the legitimate-interest basis. Verifying emails you scraped or bought from a sketchy vendor is risky regardless of how you verify. Get the collection right first; verification follows naturally.
Stop guessing which emails will deliver.
SecureLeadz verifies, finds, and screens B2B emails — and tells you exactly why each one will land. 100 free verifications, no credit card.
Try SecureLeadz free