Process: Prospecting data

It is quite common for a company to purchase prospecting data for e.g. newly started companies in a specific line of business or companies in a specific location. The common thing to purchase is company address and email data and/or contact information to a specific role within the company. The purpose of the data process is to win these companies over, i.e. obtain new clients.

• Communication about a specific service (B2B) directed to a company is exempt of GDPR, since the contact information (personal data) is related to a legal person at that company.

• The information about the owner of a specific company would be considered personal data, and therefore fall under GDPR. But that data is also public (in Sweden), which would mean that it doesn’t fall under GDPR. - this is somewhat a grey zone.

• Data is concerning a specific role at the company should be viewed as personal data. Though this data is usually made public by the person in question, for example on LinkedIn or the company home page.

• Data can be obtained directly from the prospect (data subject). E.g. on a fair, company events or similar, or if the subject initiates contact.

• Data can be obtained from the company where the prospect works or represents. E.g. by calling the company reception asking for contact information to a specific role.

• Data can be obtained via a third party. E.g. through a common professional contact. Here it would be good practice to tell the data subject by first point of contact via whom you’ve obtained the contact information (personal data).

Please be aware that prospecting data which isn’t public is more complicated, in terms of GDPR compliance, than public data.