GDPR-Compliant Direct Mail in Germany: A Practical Guide
How to run handwritten direct mail campaigns in Germany and the EU while staying compliant with GDPR, BDSG, and Β§7 UWG.
Handwritten direct mail is one of the few outbound channels that remains straightforward to run under GDPR β but "straightforward" is not the same as "no rules." This guide walks through what German and EU law actually requires when you post physical mail to a list of recipients.
This is a practical operator's guide, not legal advice. For specific campaigns β especially B2C β consult a qualified data-protection lawyer.
Why postal mail is a privileged channel under GDPR
Unlike email and phone, postal advertising in Germany has a distinct legal framework:
- Β§7 UWG (the German Unfair Competition Act) restricts unsolicited email, SMS, and cold calls. Postal advertising is not subject to the same prior-consent rule.
- Under GDPR Art. 6(1)(f), processing a name and postal address for direct mail can be justified on legitimate interest grounds, provided a balancing test is documented.
- Recital 47 of the GDPR explicitly names direct marketing as a potential legitimate interest.
That makes physical mail the lowest-friction outbound channel for businesses reaching new contacts in Germany.
Best-fit campaigns for compliant postal outreach
The safest campaigns are usually the most targeted ones:
- B2B prospecting to relevant roles β especially when the offer is clearly related to the recipient's business function.
- Existing customers and warm leads β where the relationship context is already documented in your systems.
- Event follow-up or industry-specific outreach β where the commercial relevance is easier to justify.
What GDPR still requires
1. A lawful basis, documented
For B2B direct mail, legitimate interest (Art. 6(1)(f)) is the standard basis. You must:
- Document the purpose (e.g., "acquisition of new B2B customers in the Mittelstand").
- Complete and file a balancing test weighing your interest against the recipient's rights.
- Only send to contacts whose interests are plausibly aligned (a CFO at a 200-person firm is fair; a random private individual is not).
For B2C postal marketing, legitimate interest is still possible but the balancing test is stricter. Many operators rely on an existing customer relationship (Β§7(3) UWG) or opt-in.
2. A transparent privacy notice
Recipients of your mail need a way to understand who processed their data and why. This is typically handled by:
- A short privacy notice on your website, linked from the card or landing page.
- Including your Impressum (company details) on any business mailer β required by Β§5 TMG.
- Providing a contact for data-subject requests (access, deletion, objection).
3. Honoring objections (Widerspruch)
Under Art. 21 GDPR, recipients have an absolute right to object to direct marketing. You must:
- Stop mailing them immediately on request.
- Keep a suppression list of opt-outs so future campaigns don't re-add them.
- Never require a reason or charge a fee for opting out.
A single email to support is enough β you don't need to build a preference center on day one.
4. Data minimization
Collect only what the campaign needs: name and postal address, plus any field you actually personalize against. Don't import extra columns "just in case."
Retention should be tied to purpose: if you run one annual campaign, you don't need to keep the list live year-round.
Where the address list comes from
This is where most compliance issues arise. Legitimate sources for B2B lists include:
- Your own CRM β existing customers, free-trial users, event leads.
- Publicly available business registries β Handelsregister, company websites.
- Licensed B2B providers with documented lawful basis and data-processing agreements (AV-Vertrag).
Avoid:
- Scraped LinkedIn data without a lawful basis.
- Consumer lists sourced without consent.
- "Enriched" address lists from providers who cannot evidence how the data was collected.
Our role as a processor
When you run a campaign through Handwrite, you remain the controller of your recipient data. We act as a processor β we handle names and addresses solely to produce and dispatch your cards, and we delete working data after fulfillment retention periods expire.
We're set up to sign a standard Auftragsverarbeitungsvertrag (AVV / DPA) on request, and our infrastructure is hosted within the EU.
Practical campaign checklist
Before you hit send on a larger mailing:
- Purpose and balancing test documented internally.
- Recipient list sourced lawfully, with a written basis for each source.
- Privacy notice on your site covers postal marketing.
- Impressum present on any business-branded mailer.
- Opt-out address (email or postal) visible on the card or landing page.
- Suppression list in place and cross-referenced against the new list.
- DPA signed with any data processors, including us.
GDPR direct mail FAQ
Is handwritten direct mail allowed without prior consent in Germany?
Often yes for postal mail, especially in B2B scenarios, but only when you can document a legitimate interest and your balancing test supports it.
Is B2B easier than B2C for GDPR direct mail?
Usually yes. B2B legitimate-interest cases are generally easier to justify than broad B2C prospecting, where the balancing test is stricter.
Why this matters for response rates
Compliance isn't just a legal box. A recipient who feels respected β one address, one relevant note, an easy way to say "no thanks" β is measurably more likely to respond positively. Aggressive list-buying and spray-and-pray mailings damage both your legal exposure and your brand.
Handwritten mail rewards a smaller, better-targeted list. That happens to also be the list most likely to stand up to scrutiny.
Ready to run a GDPR-friendly campaign? Upload your list or contact our team if you'd like to discuss a DPA before you start.