GDPR in DACH: How to Sell in the German-speaking Market

January 30, 2023


No one wants to start their business journey in new markets by breaking the law. 

When the European Union (EU) rolled out the General Data Protection Regulation (GDPR) in 2018, many companies were concerned about how it would affect their business. This was especially true for those looking to break into the European market, specifically the German-speaking region known as DACH (D/Germany, A/Austria, and CH/Switzerland), where regulation is tight.

In the world of sales, organizations need to rethink how they can comply with the GDPR but still generate quality leads to remain competitive. So, how can your sales team source compliant contact information and stay at the top of their game?

The GDPR may seem intimidating to a salesperson, especially in a new market. However, Germany is the largest economy in the EU, and with Austria and Switzerland also bringing substantial spending power, they’re definitely worth the effort. 

So, let’s start from the beginning.

Unpacking all the acronyms and main terms

Here are some key GDPR-related terms to keep in mind.

What is GDPR?

The GDPR, or General Data Protection Regulation, was rolled out to give consumers in the European Union (EU) more control over their data. 

DSGVO is the German term for GDPR and stands for Datenschutz-Grundverordnung. The German-speaking regions of the EU are particularly rigid regarding data protection, making it challenging for companies in other areas of the world to break into these markets without a solid plan.

In short, it’s a regulation that protects people’s fundamental rights and freedoms concerning the processing of personal data and the free movement of such data.

In the context of GDPR, you’ll often hear about Consent and Legitimate Interest because they play a vital role within the regulations. But what do they mean, and how are they different from each other?

Why is consent so crucial in GDPR for sales?

Consent is the explicit agreement a user makes by allowing your company to collect, store and process their data. Why is this important for Sales?

Your sales team could risk violating certain laws and regulations without obtaining proper consent before collecting, storing, and processing customer data. Obtaining the customer's explicit consent is essential – it protects your business and sales team from potential issues down the road. By obtaining consent, you ensure that both your sales team and customers comply with all applicable laws.

What is Legitimate Interest as outlined in the GDPR?

Unlike explicit consent from the user, Legitimate Interest is when you know you have a valid reason for data processing. That is, your business interest far outweighs any other factors. A good example is a credit card company that notices suspicious charges on a customer’s account. In this case, they’ll have to access and process the customer’s data because that serves to protect the customer. 

What is the UWG?

Where GDPR is in place to protect how your data is processed, the UWG, or Gesetz gegen den unlauteren Wettbewerb (in German), determines how your sales team can reach out to prospective customers. The UWG in English is known as the Act against Unfair Competition.

So, how can you easily remember what the GDPR and UWG regulate?


[Image: what the GDPR and UWG regulate. Source: Echobot]

Now that you’re more familiar with the two main terms, let's break down how to set up your company and sales strategy for success in the German-speaking market.

The most relevant aspects of GDPR and UWG for sales 

Back when people used to go door-to-door to try and sell products or services, customers knew very little about what happened with the information they shared. Now, every consumer can go online to find exactly what happens to their data when they sign up for a newsletter, product demo, or whitepaper download.

Not only that, everyone has the right to decide how they want their information handled. That means someone might have initially agreed to give you their work email address to download that whitepaper, but they can also revoke that permission at any time.

Thankfully, in the digital age, salespeople don’t have to risk getting a door slammed in their faces anymore. But outreach can still be tricky, especially when you have to navigate policies that regulate how you do that.

So, how should you go about sourcing leads in a GDPR-compliant way and performing outreach in line with UWG best practices?

Begin by building trust. 

Data collection: GDPR compliance from the get-go

Compliant data sourcing isn’t as complex as you might think, but you still need a solid strategy. Sure, you could buy addresses from a list broker, but you’d be setting yourself up for hefty fines in the German-speaking market. 

The information you collect must come from a public source, and you should be able to provide information about where you got the data. What is the best practice here? Cut out the middle person and collect your own data. Here’s how.

What is first-party data, and how is it collected?

In the world of B2B, first-party data is any business-related information submitted voluntarily by your prospect directly to you. Perhaps they filled in a survey at your trade fair booth or signed up for your newsletter via your website; the information didn’t pass through any other party’s hands to get to you. 

Here’s what the online form might look like:

[Image: first-party data. Source: Echobot]

What is zero-party data, and how is it collected?

Zero-party data collection is similar in how the data moves from the customer directly to you, but the information itself isn’t necessarily business-related. Instead, it has more to do with behaviors and preferences.

For example, instead of just sharing their business email address with you, customers might also share that they enjoy listening to podcasts or when their birthday is. 

Think of it like this: What kind of additional (not necessarily business-related) information might the customer give when chatting with you? With both first and zero-party data collection, trust is implied because your prospect freely gives you their information.

Now that you know how to collect data, what next? Continue building on that trust.

Data processing: How does the user know what you’re doing with their data?

You know why you need data, but letting the user know why and how you intend to use their data is just good business. Whether it’s for product improvement or to understand how they interact with your brand, make your intentions transparent throughout their interactions with you. It begins the moment someone lands on your website and confirms the cookie policy:

[Image: cookie policy. Source: Echobot]

Without this transparency and clarity, your user doesn’t have sovereignty over their data, which is the whole purpose of the GDPR. Because without data sovereignty, they won’t be able to make informed decisions. How can you ensure they have that control? 

Here are some tips:

[Image: data control. Source: Echobot]

Data storage and security: How and where is all the data stored?

Your users trusted you with their information because you made your intentions transparent, and now your users want to know more.

Where should data be stored according to regulations?

GDPR dictates that data collected from EU citizens need to be stored within the borders of the EU to be compliant. However, should your data be stored outside the EU, you must adhere to some regulations.

But that’s not the only thing GDPR says about data storage. It also dictates how long you can store the data and when/how to delete it.

How long can data be stored?

According to the European Commission (EC), there isn’t a set limit, but they recommend only storing data for the shortest time possible. That means if you don’t have valid reasons for continuing to store the data, such as for tax purposes, be sure to delete it. You must also inform any involved third parties and ensure they comply.

Another stipulation is that you keep the data up to date if your company plans to store it over a longer timeframe. Reach out to your customers or give them a way to keep their data current. And as always, make sure you communicate why you need to store their data for longer.

Data best practices: Keep your intentions and data collection transparent

Potential customers giving you their information is the first step, but they need to know that they can always access their data, be informed about how you’re processing it, and revoke their consent at any time. 

Always be transparent about why you’re collecting customer data. If it’s to provide them with a better user experience in the future, then just say that. The why and how of data collection should never just be part of the small print. 

Make it as easy as possible for a user or prospect to come to you and ask for their data. Be sure to provide them with an easy way to download it, too. Nothing will turn off potential or current customers more than not knowing if you’re trustworthy or care about their data security.

Now that we've discussed the proper way to collect, store, and process data, let's move on to how to compliantly reach your prospects.

Cold outreach done right with the UWG

GDPR regulates how a prospect’s data is collected, stored, and processed. Let’s look more closely at how UWG affects how your sales team reaches prospects.

Cold outreach has the reputation of being tricky to do right. No one is truly enthusiastic about being called or emailed for the sole purpose of being sold a service or product. We talked about consent in the context of the GDPR, and consent is just as necessary here. The keyword in any kind of outreach is consent, so let’s first look at a couple of essential terms outlined by the UWG.

What is the difference between expressed consent and presumed consent?

Before reaching out to customers, ensure you're offering exactly what your prospect needs. When you’ve established that your product matches their needs, get their consent to contact them.

[Image: expressed vs. presumed consent. Source: Echobot]

If you’re reaching out as a B2B company to prospects in the DACH region, to be truly successful, you need to understand how the different types of outreach are affected by UWG.

Cold calling 

Any sales rep will tell you that cold calling is one of the most challenging outreach methods. Dealing with people hanging up on you can be as demoralizing as a door in the face. But if you do your research, you can avoid violating the UWG! 

For example, if your prospect signed up for a demo version of your platform, they should have the option to allow you to contact them. Unless they choose to accept calls, don’t call. Your prospect or customer can also retract this consent at any time.

Please note that you’re also not allowed to hide your telephone number when calling prospects – this is especially relevant in Switzerland. Your prospect should be able to verify your business identity with the telephone number if necessary. This will also enable the person to block all further calls from an unwanted number. Preventing them from doing that violates UWG.

If you need more convincing, failing to comply with either regulation could see you paying a penalty of up to 300,000 euros!

Cold email prospecting

Email outreach can be tricky in the context of the UWG. The regulations state that unless a user has expressly opted-in to allow email contact for advertising purposes, your sales team shouldn’t send out that pitch email just yet. So, how can you prepare your pitch to hit right and align with the regulations?

The easiest way to ensure you’re on the right track is to send emails only if you’ve had previous contact with a prospect and they’ve given express permission to contact them. For example, if your company hosts a webinar that requires people to register, you can provide them with the option to opt in to email marketing. But in the DACH market, opting in isn’t as simple as it sounds.

What is a double opt-in? 

Imagine a user signs up to receive something from you and agrees to be contacted via email; they’ll first get an email asking them to confirm that’s what they really want. You can only proceed with your email outreach once they’ve consented for a second time.

This regulation affects things like newsletters and email campaigns that showcase new offerings. Please note that a double opt-in is only relevant in Germany and Switzerland. Austria only needs a single opt-in. 

Step 1 of a double opt-in:

[Image: double opt-in, step 1. Source: Echobot]

Step 2 of a double opt-in:

[Image: double opt-in, step 2. Source: Echobot]

All your prospect has to do now is follow the steps outlined above, and you’ll have permission to send that newsletter!

This all sounds time-consuming (and it is), but the benefit for you is that with a double opt-in, you can be sure that your prospect wants to receive communication from you.

Other outreach methods

Although no longer common, reaching out to potential clients with advertising or a sales pitch in the form of a physical letter is the most appropriate method of contact in the context of the UWG. However, you need to do your research! 

Tip: Since you won’t be able to personally verify every single mailbox, make sure you don’t “spam” their mailbox, and if they ask you to cease contacting them, comply immediately.

Social selling is becoming popular in B2B to find prospective customers. On popular social business networks, you can find a virtual treasure trove of ideal customers. It’s common to reach out to prospects, informing them of your products or services. 

Trade shows are also great for reaching out to your target market. Hundreds or even thousands of people already interested in your service or product are all now under one roof, waiting to hear what you offer. If they want to hear more about you, your service, or your product, get signed consent that you’re allowed to follow up with them.

Which outreach methods are allowed in each country?

The German language may be something that each country in the DACH region has in common, but are there differences in outreach regulations? Keep in mind that there may also be a preference in each country on how they like being contacted. Knowing the laws and general preferences can boost your outreach success.


In Germany, although cold-calling is technically illegal, it’s still tolerated. However, don’t forget that the UWG requires that you have previous consent to call – either presumed or expressed.

Email outreach is where you have to tread more carefully. As we mentioned previously, Germany requires a double opt-in for any kind of email communication and outreach. 


Unlike Germany, Austria has no presumed consent framework, meaning cold calling is illegal here, whereas in Germany it’s tolerated. Email may seem your safest bet in Austria, as they only require a single opt-in instead of a double opt-in. However, it’s exactly this lack of a double opt-in that could leave you vulnerable to liability.


Although it’s not part of the EU, to conduct business, Switzerland’s regulations closely match those of its DACH neighbors. Like Germany, Switzerland requires a double opt-in for any email correspondence. 

Cold-calling regulations closely match Germany as the presumed consent regulation is also in place here.  

Understanding how DACH does business 

Gaining knowledge on selling more effectively can sometimes be as straightforward as reading up on the latest sales psychology tips. But why stop at just that?

Put aside all the stereotypes you have of the German-speaking region of Europe. Apart from the vital business context that the GDPR and UWG provide, you must also ensure you’ve learned about each market within the DACH region. Cultural context is essential here and can make or break your success, no matter how compliant you are.

Although each region has distinct cultural characteristics, several similarities are especially relevant for doing business. Here are the top five:

  1. There’s quite a high level of formality expected when doing business in any of the three countries. However, the level of formality can be industry-dependent. So, how you approach a tech company will be different than how you approach a construction company. If you’re unsure, keep it formal.
  2. The adherence to a rigid business hierarchy and structure is closely related to formality. But, again, this is largely industry-dependent so do your research.
  3. All regions are very task-focused. There’s a huge emphasis placed on getting things done rather than building relationships. It’s more efficient, which is another trait favored by DACH.
  4. Reliability is another must-have when doing business within DACH. Be on time, and do what you say you’re going to do.
  5. Written communication (not just outreach-related) is preferred over spoken communication in all regions of DACH. So whether it’s an email or a brochure, make sure it’s well-written and logically structured.

A good rule of thumb for all German-speaking regions, especially in the context of B2B, is never to discuss or ask about topics involving someone’s private life. 

4 steps to GDPR and UWG-compliance in sales for DACH  

Now you have all the information, how do you put it into practice? Of course, there’ll be work on your end, but we’ve taken all the guesswork out of the equation. 

1. Audit

Take a look at your current compliance documentation and ask the following questions:

  • Is it all up-to-date? 
  • Do you have all the legally-required documentation available and easy to find?
  • Do you need an internal compliance officer or lawyer to review or create new documents as required?

2. Plan

Figure out how to take any necessary measures. How do you plan to be compliant, and what areas of your business are directly affected? Compliance is vital for different departments within an organization, not just sales. 

Every department needs to be on the same page regarding your outward-facing compliance strategy. That means IT or HR has to have the same understanding of your compliance strategy as the sales or marketing teams.

3. Execute

How do you let your customers or prospects know you’re compliant? By telling them, of course! Make compliance a part of every aspect of your business within DACH. Whether during outreach, in a newsletter, or as part of an email signature, your dedication to compliance will not go unnoticed. 

  • Make your intentions known during contact – why have you reached out to them?
  • Don’t forget! Be sure to review the consent requirements.
  • Always tell people why you need their data, how you intend to process it and where you will store it.
  • Remind your customers to keep their data/information up-to-date and make it easy for them to do so.
  • Create a data management hub for your customers to have a more transparent and consistent overview of their data.

4. Maintain

Creating strategies, frameworks, and documentation is great, but they aren’t static. You must ensure you’re keeping up with the latest developments and align your internal and customer-facing documentation accordingly.

Ensuring you communicate changes to your prospects, customers, or users is critical. Make it easy for them to see what has changed and explain how these changes will affect their data or how you reach out to them.

In short, stay informed about any updates regarding GDPR or UWG and adjust your internal processes and documentation to reflect these changes.

GDPR isn't a barrier to your success 

It may seem overwhelming to start selling to the German-speaking markets. With strict regulations and a more conservative and rigid culture, there are many things to be careful of before you get going.

Understand the implications of both the GDPR and UWG, and learn how they affect a customer’s or prospect’s data and how you reach out to them. Get to know the DACH region's culture to boost your sales success. Equipping your teams with a deeper understanding of who they’re doing business with will ensure you reach your goals faster.

If you’ve done the prep work and have a clear vision of where you want to go, compliance with the GDPR and UWG shouldn’t be a barrier to success. Instead, think of compliance as a way to build trust, position yourself as an authority in your space, and sustain profitable customer relationships. 

Europe isn't the only market with data regulations. Learn more about similar state laws in the US, especially the California Consumer Privacy Act (CCPA), before venturing into the US market.
