Compliant enrichment comes down to three things: a lawful basis (usually legitimate interests for B2B, consent where PECR applies), due diligence on whoever supplied or enriched the data, and a working process for objections and erasure. Get those three right, and most enrichment activities will fall within GDPR.
Enrichment is treated as a marketing activity under GDPR the moment the enriched data is used to support direct marketing, which means both GDPR and the ePrivacy Directive apply. Article 14 GDPR sets the transparency deadline: when personal data is obtained from a source other than the individual, you have one month to provide a privacy notice, or earlier if you contact them before that. The EDPB’s Guidelines 1/2024 on legitimate interests (adopted in October 2024 following CJEU Case C-621/22) confirmed that commercial interests can qualify as legitimate, but warned, at paragraph 110, that Recital 47 doesn’t give direct marketing an automatic pass under Article 6(1)(f). A balancing test is still required on a case-by-case basis. National rules add a second layer. Germany’s UWG, for example, requires consent for electronic B2B marketing regardless of the GDPR basis. Managed-research providers handle the lawful-basis paperwork and Article 14 notices end-to-end. Self-serve tools push that work back to the buyer.
Before your next enrichment run, write down four things: your lawful basis under Article 6, where the data’s coming from, how you’ll issue an Article 14 notice within 30 days, and how a recipient would object. If any one of those is unclear, pause and fix it. EU regulators look at documentation first.