Cold Outreach Compliance DACH: Combining TKG, UWG, DSG and BDSG

Cold Outreach Compliance DACH refers to complying with the national rules for B2B cold outreach via email, telephone and LinkedIn in Austria, Germany and Switzerland. The governing frameworks are the UWG (unreasonable harassment), the TKG (Austria) or Section 7 UWG (Germany) for email and telephone, plus the GDPR in conjunction with the DSG, BDSG and revFADP for the underlying data processing. Anyone working with AI-driven outbound workflows is thereby combining two legal regimes at once: marketing law and data protection law.

Three quick answers up front:

• Email to companies generally requires consent in AT, DE and CH. The 'presumed consent' often invoked in B2B is narrow and contested - not a reliable free pass.
• Telephone cold outreach to companies is governed in Germany by Section 7 UWG (presumed consent), in Austria by the TKG, and in Switzerland by the UWG.
• The underlying data processing - lists, enrichment, personalisation - requires its own GDPR legal basis in AT/DE and a justification under the revFADP in CH. This is a second, separate assessment alongside marketing law.

Two legal regimes that apply independently of each other

The most common mistake in DACH outbound is the assumption that a single legal basis covers everything. In reality, two layers apply in parallel:

1. Marketing and harassment law governs whether and how you may make contact at all - this is the UWG/TKG layer.
2. Data protection law governs whether you may process the personal data required for it - this is the GDPR/DSG/BDSG/revFADP layer.

Both must be satisfied. An email that is permissible under marketing law remains unlawful if the data processing has no robust basis - and vice versa. Consent-based personalisation is structurally narrower in the DACH region than in the US model, which noticeably limits generative personalisation use cases.

The ePrivacy foundation: one directive, three implementations

Email and telecommunications marketing are rooted across Europe in Directive 2002/58/EC (the ePrivacy Directive). Its successor, the planned ePrivacy Regulation, has been stuck in trilogue since 2017; until it enters into force, the directive applies in its respective national implementation. This implementation differs from country to country - and this is precisely where the TKG and UWG come in:

• Germany: Section 25 TDDDG (formerly TTDSG) implements the ePrivacy requirements; the central harassment provision for marketing remains Section 7 UWG.
• Austria: implementation via the TKG 2021.
• Switzerland: implementation via the FMG (Telecommunications Act), with marketing harassment covered by the UWG.

For outbound, this means: the basic idea that 'unsolicited electronic marketing generally requires prior consent' is anchored in all three countries, but the specific provision and its design differ.

Email, telephone, LinkedIn: what agents may and may not do

Email cold outreach

In all three countries, unsolicited marketing email to companies generally requires consent. 'Presumed consent' is often used as a bridge in B2B - but it is regarded as narrow and contested. In practice, this means: mass outbound without documented consent or without a tightly limited existing-customer constellation is risky. There is also an operational finding from practice: DACH B2B inboxes quickly recognise templated AI emails, which causes deliverability to collapse - a reputation problem, not just a legal one.

Telephone cold outreach

Telephone cold outreach to companies is governed in Germany by Section 7 UWG and tied to presumed consent, in Austria by the TKG, and in Switzerland by the UWG. Voice outbound via AI voice agents almost never works in DACH B2B - because of call-protection provisions, formal communication culture and RFP-driven procurement; voice remains a fringe channel there, at most for inbound qualification.

LinkedIn

LinkedIn is the dominant channel in DACH B2B - but mass automation risks account suspensions. LinkedIn cracks down hard on automation tools: at the end of 2025, several accounts of a well-known outbound provider, including the founders, were restricted. Beyond the law, then, the LinkedIn terms of use apply here as a separate, contractual constraint.

What AI agents may do - and what humans must be responsible for

The robust recommendation is: rep-in-the-loop rather than fully autonomous. Autonomous outbound SDR agents (e.g. Artisan Ava, 11x Alice, AiSDR, Rox.com, Regie.ai - as of 2026) have a strong vendor marketing presence but very mixed results; the founder of one provider himself conceded 'extremely bad hallucinations' and 'relatively high churn' for the first generation.

In short: the agent is a research, enrichment and writing machine. The legally delicate moment - actually making contact without consent - must be the responsibility of a human who knows the consent status, objections and transparency obligations. Before any productive autonomy step comes a compliance/legal sign-off on Section 7 UWG (DE), the TKG (AT), the revFADP/UWG (CH), plus a LinkedIn ToS review.

Comparison table: email, telephone, data basis in AT/DE/CH

Note: This is an editorial classification by subject-matter experts and does not replace legal advice. The names of statutes and the citation of articles/sections follow the available sources; the specific admissibility must always be assessed on a case-by-case basis.

A Swiss particularity of high practical relevance: the revFADP has no corporate fines but criminal sanctions against natural persons of up to CHF 250,000 for intentional breaches of certain obligations (Art. 60-63 revFADP). The risk thereby shifts onto management and data protection officers personally.

The data protection layer in detail: Art. 6(1)(f) and the three-step test

For AT/DE, the outreach list is almost always a GDPR processing activity. The typical basis is the legitimate interest under Art. 6(1)(f) GDPR, which, according to EDPB Guidelines 1/2024, requires a documented three-step test:

1. Purpose test: the interest must be lawful, real, present and specifically named - 'improving sales' is not enough, whereas 'qualified initial B2B contact with suitable target customers in segment X' comes closer.
2. Necessity test: can it be done with less or pseudonymised data? For enriched profiles, this means: only the fields actually required.
3. Balancing test: against the reasonable expectations of the data subjects. 'Publicly available' expressly does not mean 'freely usable' - the standard from Meta v Bundeskartellamt (C-252/21) applies.

Also relevant for outbound:

• Transparency obligations (Art. 13/14 GDPR): anyone who collects contact data not from the data subject directly but via B2B data brokers or enrichment tools is subject to Art. 14 - the 'disproportionate effort' exception (Art. 14(5)(b)) is narrower than often assumed.
• Right to object (Art. 21 GDPR): for processing under (f), objection must be easily, prominently and effectively possible. The CJEU line in the SCHUFA-related proceedings reads Art. 21 in these cases as a general right.
• Processing on behalf (Art. 28 GDPR): every enrichment tool and every MCP/API endpoint that processes contact data needs a robust data processing agreement (DPA) - one of the most common gaps in AI-driven outbound stacks.

In Switzerland, the justification under Art. 31 revFADP takes the place of (f), with a more narrowly worded balancing test - so the documentation must be framed more tightly than a GDPR LIA.

Practical example: a 5,000-contact campaign, set up correctly

A Viennese B2B agency is planning an outbound campaign for a client targeting 5,000 decision-makers in AT (3,000), DE (1,500) and CH (500). Set up cleanly, the workflow looks like this (pseudocode):

```text
for each contact:
country = determine_country(contact)
# 1. Data protection gate (before everything else)
if not legal_basis_documented(contact, country):
discard # AT/DE: Art. 6(1)(f) LIA | CH: Art. 31 revFADP
if on_objection_list(contact):
discard
# 2. Marketing-law gate per channel
if channel == "email" and not consent_or_tightly_justified(contact, country):
channel = "linkedin_personalised" # no mass mailing without a basis
# 3. AI agent: research + enrichment + draft (no sending)
draft = agent.generate_personalised_draft(contact)
# 4. Human: sign-off + sending trigger
to_approval_queue(draft, responsible_human)
```

The data protection gate sits before the marketing-law gate, because without a legal basis no processing may take place in the first place. The agent handles research, enrichment and drafting; sending remains in a human approval queue. For CH contacts, bear in mind that in the event of an error it is not the company but the responsible individuals who are exposed to criminal liability.

For agencies and B2B teams

For agencies, Cold Outreach Compliance DACH is a differentiator: anyone who delivers outbound campaigns with a documented legal basis per country, a clean DPA stack and a rep-in-the-loop architecture protects the client from cease-and-desist warnings, account suspensions and deliverability collapse. For B2B teams, the rule is: treat AI agents as research, enrichment and writing tools, and keep the legally relevant sending trigger in human hands. Before any autonomy step, obtain a compliance sign-off on UWG/TKG/revFADP and LinkedIn ToS - and document the legal basis, balancing test and objection logic so that they will withstand scrutiny.