- GDPR does NOT ban B2B prospecting in Luxembourg — it frames it. Confusing the two costs you deals, not a fine.
- The CNPD issued 50+ sanctions in 2023 totaling over €1.2M, with individual amounts ranging from €28,000 to €300,000.
- In Luxembourg, legitimate interest covers opt-out for generic business emails (info@, contact@) — but opt-in is still required for risky nominative addresses.
- Scraping LinkedIn is illegal, even though everyone does it. InMail, connection exports and Sales Navigator remain perfectly legal.
- 78% of Luxembourg SMEs would fail a CNPD audit (Deloitte 2024) — mostly because of a missing or non-existent processing register.
GDPR came into force in 2018 and, eight years later, still terrifies the majority of Luxembourg SME leaders I meet. The fear boils down to: "If I prospect, I expose myself to the CNPD; if I don't prospect, I go under." It's a false dilemma, and the confusion costs far more in lost opportunities than in actual fines. For the wider market context, also read Luxembourg B2B market: trends and opportunities.
After 12 years working with Luxembourg companies — private banks, law firms, SaaS vendors, industrial SMEs — I've seen three types of responses to GDPR: those who ignore it (and eventually pay), those who use it as an excuse to do nothing (and eventually go under), and those who treat it as a trust framework (and scale calmly). This article is for the third category. No legal bullshit, no FUD — just what actually happens when you prospect in Luxembourg in 2026.
1. The CNPD: who they are and what they really sanction
The Commission Nationale pour la Protection des Données (CNPD) is Luxembourg's supervisory authority for personal data. Its headcount remains modest (around 50 agents in 2025), but its sanction pace has sharply accelerated since 2022. In 2023, it issued 50+ sanctions totaling over €1.2 million — relatively modest on a European scale, but significant for a country of 700,000 inhabitants.
Here's what you need to understand: the CNPD isn't trying to punish legitimate commercial prospecting. It mainly targets blatant failings (no register, undefined retention periods, nonexistent legal basis) and data breaches. Clean B2B outreach flies under the radar. Sloppy B2B outreach ends up in the statistics.
| Main reason | Minimum amount | Maximum amount |
|---|---|---|
| Excessive data retention | €28,000 | €75,000 |
| No legal basis / consent | €50,000 | €180,000 |
| Failure to inform data subjects | €15,000 | €60,000 |
| Banking data breach | €100,000 | €300,000 |
| Unframed non-EU transfers | €40,000 | €150,000 |
2. The 6 GDPR legal bases — and the ones that actually matter for you
Article 6 of the GDPR lists six possible legal bases to process personal data: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interest. For B2B prospecting in Luxembourg, only two really matter: consent (article 6.1.a) and legitimate interest (article 6.1.f).
The European legal consensus — confirmed by the EDPB guidelines and the CNPD's position — is that a company can rely on legitimate interest to prospect other professionals, provided three conditions are met: processing is necessary, interest is proportionate, and the rights of the persons are preserved (clear information, easy opt-out, limited duration).
- Consent (explicit opt-in): mandatory for B2C and for sensitive nominative B2B emails (health, politics, etc.).
- Legitimate interest: sufficient for standard B2B prospecting if you document the proportionality test and offer a visible opt-out.
- Contract performance: legal basis to reach out to existing clients on matters related to their service.
- Legal obligation: accounting traceability, invoicing, KYC obligations for banks and PSFs.
3. B2B prospecting: opt-in or opt-out in Luxembourg?
This is the question everyone asks, and the honest answer isn't binary. In Luxembourg, the law of 30 May 2005 (amended) distinguishes two cases: generic business emails (info@, contact@, sales@) fall under the opt-out regime — you can prospect without prior consent as long as you offer a clear unsubscribe. Nominative emails (firstname.lastname@company.lu) are riskier: tolerance exists if the role matches the subject of the message (you sell HR software to the HR director), but disappears when you send anything to anyone.
In practice, the CNPD applies a soft opt-in principle for B2B: a nominative prospecting email is acceptable if the target role is relevant and the message provides real value. It sanctions when targeting is sloppy (purchased database, mass blast, zero segmentation) or when the unsubscribe is broken. For the technical side, see our trilingual email marketing guide for Luxembourg.
| Practice | Status | Condition |
|---|---|---|
| Email to info@company.lu | Tolerated | Working opt-out |
| Nominative email with relevant role | Tolerated | Relevance + opt-out |
| Nominative generic email, not relevant | Risky | Avoid |
| Sending from a purchased database | Sanctionable | Almost always |
| Campaign without unsubscribe link | Sanctionable | Automatic |
4. LinkedIn and GDPR: what's legal, what isn't
LinkedIn is the number one B2B channel in Luxembourg — 45% penetration, a world record. It's also a grey zone where many companies do illegal things without realizing it. The red line is automated scraping: extracting profiles in bulk via PhantomBuster, Apollo or any similar tool is a double violation (LinkedIn terms of service + GDPR). My LinkedIn guide for prospecting executives in Luxembourg details the clean methods.
- Automated LinkedIn scraping — illegal (CJEU Meta ruling 2023 + CNIL/CNPD position). Avoid it, even if your competitor does it.
- Exporting your own LinkedIn connections — legal. It's your network, you have an implicit contractual basis via LinkedIn.
- Sending InMail via Sales Navigator — legal. LinkedIn handles the legal basis, not you.
- Personalized connection request followed by a message — legal, provided the message stays proportionate and offers value.
- Using LinkedIn automation tools (Dux-Soup, Waalaxy, etc.) — grey zone. Legal if you control the pace and stay under LinkedIn's thresholds; illegal if you automate bulk scraping.
5. Your concrete obligations: what an audit checks
When the CNPD audits a Luxembourg company — and it's auditing more and more — it systematically asks for the same documents. If you don't have them, you're already losing. The good news: producing them takes between 2 and 5 days of work, not 6 months.
- Processing register (article 30): internal document listing each processing activity, its purpose, legal basis, recipients and retention period. Mandatory as soon as a single employee processes personal data.
- Public privacy policy: accessible from every page of your site, written in plain language (not a copy-paste of a boilerplate template).
- Rights management procedure (access, rectification, erasure, portability, objection): a dedicated email address (dpo@ or privacy@) + one-month response deadline.
- Defined retention periods: unconverted prospects (3 years max after last contact), clients (10 years for accounting obligations), HR candidates (2 years).
- Impact assessment (DPIA): only if your processing is high-risk — automated scoring, systematic monitoring, sensitive data. Standard B2B prospecting doesn't need one.
6. The 5 mistakes that cost the most (and how to avoid them)
Across 50+ CNPD sanctions in 2023, the same patterns come up again and again. Here are the five mistakes that concentrate most of the fines in B2B prospecting — all avoidable in less than a week of work.
1. No documented legal basis
You prospect based on legitimate interest? Great — but have you written it down anywhere? The proportionality test must be formalized in an internal document (one page is enough). Without that document, legitimate interest doesn't hold up in an audit.
2. Broken or missing unsubscribe
A prospecting email without a visible and working unsubscribe link is an automatic violation. No grey area, no mitigating circumstance. Test your links every month — I've seen entire campaigns ship with a 404 link.
3. Opaque database origin
If you can't prove where your contacts come from (purchased, scraped, grabbed from a former colleague), you can't demonstrate your legal basis. The CNPD always traces back to the source. Build your database yourself or use providers that document provenance (Cognism, Kaspr, Lusha with GDPR audit).
4. Infinite retention
GDPR requires a retention period defined by purpose. A prospect who never converts must be purged (3 years after last contact is the norm). A CRM containing 15 years of untriaged history is a ticking time bomb.
5. Unframed sub-processors
If you use HubSpot, Brevo, Pipedrive, Make, Clay or any B2B automation tool in Luxembourg, you need a signed DPA (Data Processing Agreement) with each vendor. Most provide it automatically — but nobody verifies it's properly archived. It's one of the first things the CNPD asks for.
7. Being compliant without killing prospecting: the actionable checklist
Enough with the high-level theory. Here's the exact list of what to put in place to prospect safely in Luxembourg in 2026. It's the checklist I run with my clients before every campaign launch — it takes 3 to 5 days of effective work.
- Draft your processing register (an Excel sheet is fine — free template available on cnpd.public.lu).
- Document the proportionality test for your B2B prospecting: purpose, relevance, proportionality, rights of the persons. One page, dated, signed.
- Publish or update your privacy policy with the article 13 mentions (controller identity, purposes, legal basis, retention, rights, DPO if any).
- Set up a dedicated email address privacy@yourcompany.lu and an internal process to answer access requests within 30 days.
- Audit your sub-processors: list every tool that touches personal data and verify each DPA is signed and archived.
- Define your retention periods per purpose and schedule automatic purging in your CRM (most support it natively).
- Test your unsubscribe links monthly and monitor spam complaints — if your rate exceeds 0.3%, kill the campaign.
- Train your sales team: one hour is enough to avoid 90% of mistakes. No certification needed — just clear rules.
Conclusion: compliance is a commercial advantage
GDPR isn't a brake on B2B prospecting in Luxembourg — it's a filter that eliminates lazy approaches and rewards quality. Companies that have understood this don't lose leads; they gain them, because their seriousness becomes a trust signal in a market where 78% of players are still sloppy. The CNPD isn't hunting for good companies, it's hunting for blatant failings — and a few days of work are enough to disappear from the radar.
If you want to launch a B2B prospecting program in Luxembourg without legal risk and without sacrificing results, that's exactly what we do with our B2B Lead Gen service: compliant strategy, up-to-date documentation, audited tools, measurable results. To discuss it concretely, book a free 30-minute call — we'll review your current situation and tell you what holds up and what needs to move.
Frequently asked questions
Can you do B2B cold email in Luxembourg without prior consent?
Yes, provided you meet three conditions: target a professional email relevant to your offer, rely on documented legitimate interest, and offer a clear and working unsubscribe. For generic emails (info@, contact@), the opt-out regime applies without ambiguity. For nominative emails, the relevance of the role to the subject of the message is decisive. An HR director receiving an HR offer: relevant. An HR director receiving a crypto offer: risky.
How much does a CNPD fine cost a Luxembourg SME?
Amounts observed between 2022 and 2024 range from €15,000 for a simple failure to inform to €300,000 for a banking data breach. The median for SMEs sits around €40,000-€60,000. These amounts are proportionate to the company's revenue and the intentional nature of the failing. A good-faith mistake quickly corrected costs far less than a systematic practice.
Do you need a DPO (Data Protection Officer) to prospect B2B in Luxembourg?
Not systematically. A DPO is mandatory for public authorities, large-scale processing of sensitive data, and systematic monitoring. An SME doing standard B2B prospecting doesn't need one — but it must designate an internal contact and be able to answer rights requests. Many Luxembourg SMEs share an external DPO for a few hundred euros per month, which is often more cost-effective than an internal DPO.
Is scraping LinkedIn really illegal or just against the terms of service?
It's doubly illegal: LinkedIn's terms of service explicitly prohibit it, and European case law (CJEU 2023 ruling) confirms that scraping profiles constitutes processing of personal data without a legal basis. The CNIL and CNPD have published similar positions. The fact that the tool is well known and used by your competitors is neither a legal basis nor a mitigating circumstance. Use Sales Navigator or export your own connections — both are perfectly legal.
How long can I keep prospects in my CRM?
The practical rule: 3 years maximum after last significant contact for unconverted prospects (email, call, meeting). For clients, the duration aligns with Luxembourg accounting obligations (10 years for supporting documents). Beyond these deadlines, data must be either deleted or anonymized. Schedule an automatic purge in your CRM — it's trivial technically and saves you in case of audit.
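The retention rule above and the checklist item on scheduling automatic purging are easy to get wrong in a CRM that has no native purge. This added example (not code from the article or from any CRM vendor) applies the article's periods (3 years for unconverted prospects, 10 for clients, 2 for HR candidates) to constructed sample records, flags records due for purge or about to expire, refuses categories with no defined period, and strips identifiers from purged records so only category and year survive for statistics; the 90-day warning window and the `CrmRecord` shape are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Retention periods from the checklist, in years after the last significant contact.
RETENTION_YEARS = {"prospect": 3, "client": 10, "candidate": 2}
WARNING_WINDOW = timedelta(days=90)  # assumed lead time before a deadline

@dataclass
class CrmRecord:
    record_id: str
    category: str       # "prospect", "client" or "candidate"
    email: str
    last_contact: date  # last email, call or meeting

def retention_deadline(record):
    """Last day the record may be kept in identifiable form (29 Feb clamps to 28 Feb)."""
    if record.category not in RETENTION_YEARS:
        # Fail closed: a category without a defined period is itself a GDPR failing.
        raise ValueError(f"no retention period defined for {record.category!r}")
    year = record.last_contact.year + RETENTION_YEARS[record.category]
    try:
        return record.last_contact.replace(year=year)
    except ValueError:
        return record.last_contact.replace(year=year, day=28)

def classify(record, today):
    """'purge' after the deadline, 'expiring' within WARNING_WINDOW of it, else 'keep'."""
    deadline = retention_deadline(record)
    if today > deadline:
        return "purge"
    return "expiring" if today + WARNING_WINDOW >= deadline else "keep"

def anonymize(record):
    """Strip identifiers; only category and year survive for statistics."""
    return {"category": record.category, "year": record.last_contact.year}
def run_purge(records, today):
    """Group record ids by action; records to purge are also returned anonymized."""
    result = {"purge": [], "expiring": [], "keep": [], "anonymized": []}
    for rec in records:
        action = classify(rec, today)
        result[action].append(rec.record_id)
        if action == "purge":
            result["anonymized"].append(anonymize(rec))
    return result

# Constructed sample records (not real contacts), evaluated as of 15 January 2026.
SAMPLE = [
    CrmRecord("p1", "prospect", "jane.doe@example.lu", date(2022, 11, 1)),
    CrmRecord("p2", "prospect", "info@example.lu", date(2023, 3, 1)),
    CrmRecord("c1", "client", "billing@example.lu", date(2020, 6, 30)),
    CrmRecord("h1", "candidate", "applicant@example.lu", date(2023, 12, 1)),
]
```

Run `run_purge(SAMPLE, date(2026, 1, 15))` from a scheduled job and feed the "purge" ids to your CRM's delete API; the "expiring" list gives sales a last chance to re-qualify a prospect before the record is purged.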
Do I need CNPD approval before launching a prospecting campaign?
No. GDPR removed the prior authorization regime from the CNPD for the vast majority of processing. You're responsible for your own compliance — the CNPD only steps in after the fact, on complaint or audit. However, if your processing carries a high risk (automated behavioral scoring, profiling, sensitive data), you must run an impact assessment (DPIA) internally, without submitting it to the CNPD except in specific cases.
What do I do if a prospect asks to exercise their right of access?
You have one month to respond. Concretely: provide the list of data concerning them in your CRM, the processing purposes, recipients, retention period, and their rights. A simple CSV export works in most cases. Not responding or responding late is a classic failing the CNPD automatically sanctions on complaint. Get tooled up: most modern CRMs (HubSpot, Pipedrive, Salesforce) have a native "GDPR export" function.