What are data-broker transparency requirements under GDPR?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you're buying contact data from a data broker to use in your email program, GDPR applies. And it creates obligations for both the broker and you. Understanding who is responsible for what matters before you start sending.

What data brokers must do under GDPR:

Data brokers are data controllers in their own right. That means they need a lawful basis to collect and sell personal data. Under Article 14 of GDPR, when a data broker collects information about someone through indirect means (not directly from the person), they must inform that person within one month of collection, or at the latest, when they first communicate with them, about what data they hold and how it's being used.

Individuals have the right to ask a broker where their data came from, what it's being used for, and to have it deleted. Brokers need to be able to answer these requests.

What you're responsible for as the buyer:

Buying data from a broker doesn't transfer GDPR responsibility to them. You're a data controller too, and you need your own lawful basis for the data you hold and the emails you send. "The broker said it was GDPR compliant" doesn't hold up to regulatory scrutiny if you can't demonstrate your own lawful basis.

Before using broker data for cold email under GDPR, ask: what lawful basis did the broker use to collect this, and does that lawful basis cover your use of it? Can the broker provide documentation? If they can't answer clearly, that's a risk signal.

The practical safeguard: use enrichment providers with clear GDPR documentation, validate the data before sending with an email validation tool to catch outdated or invalid contacts, and ensure your emails provide easy opt-out. High complaint rates from poorly sourced data damage your domain reputation regardless of legal status. Our SOS line can help if you're trying to evaluate a specific broker's compliance claims.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Know your obligations when buying from data brokers.

I'm considering purchasing contact data from a data broker for my B2B cold email program targeting EU prospects. My situation: [describe your business location, the broker you're considering, and your planned use of the data]. What questions should I ask the broker to verify GDPR compliance? And what am I personally responsible for regardless of what the broker tells me?

Edit the yellow boxes, then send to the AI of your choice.