Unsolicited B2B cold emails are unlawful processing of personal data under the General Data Protection Regulation. SpamBounty is the legal pipeline that turns that breach into a recoverable claim under Articles 15 and 82 GDPR. Under a Polish-law cesja assignment, the claim is consolidated at Block Ventures Sp. z o.o., so your name never appears on a demand letter or a public docket.
The average business professional with a publicly listed email address receives between forty and one hundred twenty unsolicited commercial messages per working week. Each of these emails is sent to an address that identifies a natural person, and each one counts as processing of personal data under Article 4(1) GDPR.
Under Article 6 GDPR, any processing of personal data needs a lawful basis. A cold commercial email with no prior contract, no prior professional relationship, and no legitimate interest meets none of them. The sender is in breach from the first transmission.
Under Article 82 GDPR, the recipient has a direct right to compensation for material and non-material damage. That right is assignable under Polish civil law, and almost no one ever exercises it. SpamBounty exists to close that gap.
Each phase produces its own record. You are notified when a phase changes, and that is all you are asked to do. No drafting, no negotiation, no litigation on your part.
Each step is a visible handoff. Your involvement ends the moment you forward the email.
The mechanism behind the platform is the cesja wierzytelności, a Polish-law assignment of claims. It lets enforcement happen centrally and professionally, without putting any individual claimant on the record.
OLG Hamm 11 U 69/23
Jurisprudential Precedent · Oberlandesgericht Hamm
“The unauthorised transmission of electronic mail for direct marketing purposes constitutes an infringement of the general right of personality. Assignment of such claims for collective enforcement is permissible.”
Operative paragraph, judgment of 19 September 2024. Cited in the SpamBounty demand-letter annex alongside CJEU C-300/21 and CJEU C-655/23.
A short index of the rulings that the SpamBounty model stands on. Every demand letter issued by Block Ventures Sp. z o.o. ships with the relevant authorities attached, in the original language and with a certified translation.
Each guarantee is written into the Terms of Service, the Deed of Assignment, and our published lawful-basis register. Each one is independently verifiable.
You authorise the assignment when you accept the Terms. At Day 31 the claim transfers automatically. You are notified, not prompted. You may revoke the pre-authorisation in writing before the audit fires.
Every settled controller is re-audited 60 days after settlement. Any new unlawful email in that window is treated as a breach of the Declaration of Release. Repeat offenders are referred to UODO.
Every Article 15 access request ships with an Article 17 erasure request attached. The €150 Declaration of Release carries binding deletion obligations across the controller and its downstream processors.
Tier I is the €150 out-of-court demand. If the matter is not resolved at Tier I, Block Ventures decides how to escalate. Tier II is referral to the supervisory authority under Articles 77 and 83 GDPR, where administrative fines can reach 4% of global turnover. Tier III pools similar claims into coordinated civil proceedings. The path is chosen on the merits of each file.
We propose a fixed €150 out-of-court settlement for each verified breach against a single controller. The figure is deliberately modest. It stays inside the proportionality range for non-material damages set out by the CJEU in Quirin Privatbank (September 2025), which is what makes it hold up against frivolous-claim and abuse-of-rights defences.
This is a per-claim figure, not a forecast. We do not publish annualised recovery estimates. Every settlement is priced on its own facts.
Early access is limited to the first pan-European cohort. Registering here does not start any audit, and creates no obligation on you until you explicitly authorise an Article 15 request. The cesja pre-authorisation is included below and can be revoked in writing at any time before an audit is triggered.