Data enrichment is at the core of any effective B2B sales strategy. But one question keeps coming up across sales and marketing teams: are we actually allowed to collect, complete, and use prospect data without explicit consent?

The short answer: yes, under strict conditions. The full answer is what this guide covers.

The GDPR (General Data Protection Regulation) has been in force since May 25, 2018, and applies to any organization processing personal data of individuals residing in the European Union — regardless of where the company is based. Whether you’re in London, New York, or Berlin, if you’re targeting EU prospects, GDPR applies to you. In 2026, data protection authorities across Europe are ramping up enforcement, and fines have hit amounts that make even large enterprises uncomfortable. Ignoring these rules is no longer an option.

This guide gives you everything you need to enrich B2B data legally — without slowing down your pipeline.

TL;DR
GDPR allows B2B data enrichment under legitimate interest without prior consent, but requires: informing prospects no later than first contact, offering a simple opt-out, keeping data no longer than necessary (3 years from the last contact is the benchmark the French CNIL recommends for prospects), and documenting all processing activities. Named emails (first.last@company.com) are personal data. Truly generic addresses (contact@company.com) are not, as long as they don't in practice identify one person.


Chapter 1: The Fundamentals — What GDPR Actually Covers in B2B

What counts as personal data in a B2B context?

This is the most common misconception: many sales teams assume GDPR only applies to consumer data (B2C). It doesn't. The regulation is about natural persons, not about whether the relationship is commercial.

GDPR protects natural persons — not companies as legal entities. In practice, in a B2B context:

Data type                   | Example                          | GDPR applicable?
Named professional email    | mike.johnson@company.com         | ✅ Yes
Direct phone number         | +1 415 555 0123                  | ✅ Yes
LinkedIn profile            | /in/mike-johnson-sdr             | ✅ Yes
Generic company email       | contact@company.com              | ❌ No
Company registration number | 12-3456789                       | ❌ No
Annual revenue              | $4.2M                            | ❌ No
Registered office address   | 123 Market St, San Francisco     | ❌ No

The rule is simple: as soon as a piece of data makes it possible to identify a living individual, GDPR applies. An email like mike.johnson@acme.com directly identifies Mike Johnson — even when used in a purely professional context.

Why data enrichment is particularly exposed

B2B data enrichment means completing prospect records with additional information: job title, professional email, direct phone number, company size, tech stack, and so on.

The moment you append a named email or a mobile number to a profile, you’re processing personal data under GDPR. That processing needs a valid legal basis — and that’s the starting point for everything else in this guide.

Key point to remember: Just because information is publicly available (on LinkedIn, for example) doesn’t mean it can be used freely. Public visibility doesn’t exempt you from GDPR obligations.


Chapter 2: The Legal Bases That Apply to B2B Enrichment

GDPR defines six legal bases for processing personal data (Article 6). In a B2B enrichment and prospecting context, two of them are relevant.

Legal basis #1: Legitimate interest (Article 6.1.f)

This is the most commonly used legal basis in B2B prospecting. Recital 47 of the GDPR itself notes that processing for direct marketing purposes may be carried out for a legitimate interest, and data protection authorities across Europe recognize it explicitly for this type of activity. It allows you to process data without obtaining prior consent, provided three cumulative conditions are met:

1. The interest must be real and legitimate Your business objective must be clearly defined and legitimately pursued. Prospecting a VP of Sales to offer a sales automation tool = legitimate. Emailing a CFO to sell them a gym membership on their work address = not legitimate.

2. The processing must be necessary Enrichment must directly serve your declared purpose. Collecting 50+ attributes when you only ever use 5 goes against the data minimization principle.

3. The individual’s interests must not override yours This is the “balancing test.” Your commercial interests must not create a disproportionate impact on the fundamental rights of the prospect. This analysis must be documented.

The UK’s ICO and European data protection authorities confirm that commercial prospecting between businesses generally falls within the scope of legitimate interest — provided it targets professionals in a context related to their professional role.

Concrete example: Mike, an SDR at a B2B SaaS startup, enriches a list of Sales Directors with their professional emails to pitch a sales automation tool. This processing is grounded in legitimate interest: the target is directly relevant to the offer, in a purely professional context.

Legal basis #2: Consent (Article 6.1.a)

Consent is the most demanding legal basis but also the most solid. It must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes, vague wording, or bundled consent across multiple purposes.

In practice, consent in B2B applies notably when:

  • You’re targeting professionals for products or services unrelated to their job function
  • You’re enriching data via web forms
  • You’re purchasing data from third-party providers

Important: In B2B, unlike B2C, consent is NOT mandatory under GDPR if you rely on legitimate interest and meet the associated conditions. This is what gives B2B a slightly more flexible framework than B2C. One caveat: the email and phone channels are also governed by the ePrivacy rules (PECR in the UK, national transpositions in the EU), and some member states (Germany, for instance) require prior consent for commercial email even to business addresses. Check the rules of each market you target, not just GDPR.

B2B vs B2C: the key differences

Criteria                 | B2B prospecting                                   | B2C prospecting
Primary legal basis      | Legitimate interest (no prior consent needed)     | Consent mandatory (opt-in)
Generic email (contact@) | Free to use                                       | N/A
Named professional email | GDPR applies                                      | GDPR applies
Right to object          | Mandatory in every communication                  | Mandatory
Email channel            | Legitimate interest if professionally relevant (opt-in in some EU states) | Opt-in consent required
Phone channel            | Legitimate interest + TPS/CTPS screening (UK)     | TPS screening required (UK) or equivalent opt-out list

Chapter 3: What You Can Do — and What You Can’t

What’s allowed

Enriching profiles from LinkedIn Consulting public LinkedIn profiles to complete prospect records is legal. You can note down job titles, company information, and publicly visible contact details. What you do with that data next — storing it in a CRM, using it for outreach — must then comply with GDPR.

Using B2B enrichment tools Tools like Derrick let you enrich your lists directly inside Google Sheets with professional emails, phone numbers, and LinkedIn data. This type of enrichment is legal as long as you fulfill your information and opt-out obligations in your outreach.

Buying B2B databases Purchasing prospect databases is permitted, provided the vendor collected the data legally and you comply with your Article 14 information obligations when making first contact.

Enriching your existing CRM Completing records for existing contacts with updated information (new job title, new company, direct line) is allowed within the scope of your commercial relationship, subject to the minimization principle.

What’s not allowed

Automated mass extraction from LinkedIn LinkedIn’s Terms of Service prohibit automated scraping. Beyond this contractual restriction, mass extraction of personal data without a valid legal basis violates GDPR. Data protection authorities have sanctioned companies for exactly this.

Using data outside its declared purpose If you collected data to prospect IT Directors and then use it to target HR Managers, you’ve changed the purpose — which requires either a new legal basis or new consent.

Keeping data indefinitely GDPR doesn't set a fixed number of years, but the storage limitation principle (Article 5.1.e) requires you to keep data no longer than necessary for the purpose. For a prospect who has never responded to your outreach, the French CNIL recommends a maximum of 3 years from the last contact, and that figure has become the de facto benchmark.

Prospecting outside the professional scope Legitimate interest only holds if your offer is relevant to the professional role of the person you’re contacting. Emailing a Head of Engineering about a meal delivery service on their work address isn’t legitimate B2B prospecting — B2C rules kick in, and consent becomes mandatory.


Chapter 4: A Compliant Enrichment Process, Step by Step

Step 1: Define your legal basis before enriching

Before launching any enrichment campaign, document your legal basis in your records of processing activities. For each data flow, answer these questions:

  • What is the specific purpose of the enrichment?
  • Is the legal basis legitimate interest or consent?
  • If legitimate interest: have you completed the balancing test?
  • Is the target audience directly relevant to your offer?

Expected outcome: A documented processing record, ready to present to a data protection authority if needed.

Step 2: Choose reliable enrichment sources

The quality and legality of your data depends entirely on its sources. Prioritize:

  • LinkedIn (public data, manual review or compliant tooling)
  • Company websites (“About” pages, contact pages)
  • Certified professional databases (industry directories, chambers of commerce, Companies House in the UK, SEC EDGAR in the US)
  • GDPR-compliant enrichment tools that generate data on the fly rather than storing massive personal data warehouses

Always require a signed Data Processing Agreement (DPA) from your enrichment vendors before sharing any personal data.

Step 3: Apply the data minimization principle

Only collect what you strictly need. For a typical B2B outbound campaign, you need:

  • First name, last name
  • Professional email (named)
  • Job title
  • Company
  • Optionally: direct phone number if you run cold calls

Enriching 50+ attributes when you use 5 doesn’t comply with the minimization principle (Article 5.1.c GDPR).

Tools like Derrick let you enrich specific B2B data points without over-collecting — pulling precisely what your workflow requires.

Step 4: Inform prospects on first contact

This is the most frequently forgotten obligation, and one of the most common reasons for regulatory action. Article 14 of GDPR requires you to inform any person whose data you obtained from a third-party source (enrichment tool, purchased database, LinkedIn) within a reasonable period of obtaining it, at the latest within one month, and in any case no later than your first communication with them. For a prospecting workflow, that means the first outreach email.

Mandatory information in your first outreach email:

  • Your company’s identity and contact details
  • The purpose of the processing (commercial prospecting)
  • The legal basis (legitimate interest or consent)
  • The data source (“Your contact details were sourced from LinkedIn” or “from a professional database”)
  • The prospect’s rights (access, rectification, objection, erasure)
  • Your DPO contact details if applicable
  • A working one-click unsubscribe link

Example of a GDPR-compliant email footer:

Data controller: Acme Inc., 123 Market St, San Francisco, CA 94105
Purpose: B2B commercial prospecting
Legal basis: Legitimate interest (Article 6.1.f GDPR)
Data source: LinkedIn
Retention period: Maximum 3 years with no engagement
Your rights: access, rectification, objection, erasure — dpo@acme.com
Unsubscribe: [unsubscribe link]

Step 5: Handle opt-out requests in real time

As soon as a prospect exercises their right to object — by clicking the unsubscribe link or sending a direct request — you must:

  1. Immediately stop all contact with that person. An objection to direct marketing (Article 21.2–21.3) is absolute: there is no balancing test to run, you simply stop.
  2. Delete or anonymize their prospect record across your systems, keeping only the minimum needed to honor the opt-out (see the suppression list below)
  3. Respond within one month at most (Article 12.3), though 24–48h is the practical standard
  4. Document the request and action taken

Best practice: maintain a centralized suppression list, synchronized across all your prospecting channels (email, LinkedIn, phone). This prevents re-collecting data for someone who already opted out.

Keeping your email lists clean and verified is both a deliverability best practice and a core part of sustainable GDPR compliance.

Step 6: Respect retention limits

Data category                    | Maximum retention period
Inactive prospect (no engagement)| 3 years from collection or last contact
Active customer                  | Duration of the commercial relationship
Inactive customer                | 3 years from end of relationship
Billing records                  | 7–10 years (accounting obligations vary by country)
Prospect who exercised opt-out   | Immediate deletion (retain only the opt-out record)

Set up automatic purge processes in your CRM or Google Sheets. Sarah, Head of Marketing at a B2B industrial company, runs a quarterly database review: any prospect with no interaction in 36 months is automatically deleted or anonymized. Result: a cleaner list, better engagement rates, and documented compliance.
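Steps 5 and 6 together describe one mechanical job: purge or anonymize records past the retention benchmark, drop opted-out prospects, and keep a suppression list that stops them being re-collected by the next enrichment run. The script below is an added example written for this guide; it is not code from the original page or from any vendor named here. It assumes the 36-month figure quoted above, a constructed record layout and dates, and a placeholder secret key. One design point worth copying: the suppression list stores a keyed hash (HMAC) of the normalized address rather than the address itself, so the list can outlive the deleted record without becoming a clear-text store of personal data.

```python
"""Retention purge (Step 6) and opt-out suppression (Step 5) for a prospect list.

Added example, not code from the original page or from any vendor named there.
Assumptions: the 36-month benchmark is the CNIL figure quoted in the text; record
layout, dates and the suppression key are constructed for this demo.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date

RETENTION_DAYS = 3 * 365      # ~36 months since last contact (CNIL benchmark)
REVIEW_DAYS = 30 * 30         # ~30 months: flag for re-engagement before purge
# Constructed key: in production keep this in a secrets manager and rotate it.
SUPPRESSION_KEY = b"example-key-do-not-use-in-production"


def _normalize(email: str) -> str:
    return email.strip().lower()


def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalized address.

    The suppression list must outlive the deleted record, but it should not
    itself become a clear-text store of personal data. An HMAC lets you test
    membership without keeping the address, and the key stops anyone who
    obtains the list from reversing it with a dictionary of known emails.
    """
    return hmac.new(key, _normalize(email).encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Prospect:
    email: str
    first_name: str
    last_name: str
    status: str                 # "prospect" | "customer" | "former_customer"
    last_contact: date
    relationship_end: date | None = None
    opted_out: bool = False


def retention_anchor(p: Prospect) -> date:
    """Date the retention clock starts from (see the Step 6 table)."""
    if p.status == "former_customer" and p.relationship_end:
        return p.relationship_end
    return p.last_contact


def review_due(p: Prospect, today: date) -> bool:
    """True when the record is past the 30-month mark but not yet purgeable."""
    age = (today - retention_anchor(p)).days
    return p.status != "customer" and REVIEW_DAYS <= age <= RETENTION_DAYS


def anonymize(p: Prospect) -> Prospect:
    """Strip every identifying field; the row stays usable for aggregate stats."""
    return replace(p, email="", first_name="", last_name="", status="anonymized")


def apply_retention(records, today: date, suppression: set[str]):
    """One purge run. Returns the records to keep; adds opt-outs to `suppression`."""
    kept = []
    for p in records:
        if p.opted_out:
            # Article 21 objection: drop the record, keep only the token
            suppression.add(suppression_token(p.email))
            continue
        if p.status == "customer":
            kept.append(p)          # retained for the life of the relationship
            continue
        if (today - retention_anchor(p)).days > RETENTION_DAYS:
            kept.append(anonymize(p))
        else:
            kept.append(p)
    return kept


def filter_new_leads(emails, suppression: set[str]):
    """Screen freshly enriched leads so an opted-out person is never re-added."""
    return [e for e in emails if suppression_token(e) not in suppression]


# Constructed sample data
TODAY = date(2026, 3, 1)
SAMPLE_RECORDS = [
    Prospect("a.lee@example.com", "Ann", "Lee", "prospect", date(2022, 12, 15)),
    Prospect("b.roy@example.com", "Ben", "Roy", "prospect", date(2025, 6, 1)),
    Prospect("c.ng@example.com", "Cara", "Ng", "customer", date(2020, 1, 1)),
    Prospect("d.oz@example.com", "Dan", "Oz", "former_customer", date(2023, 5, 5),
             relationship_end=date(2024, 1, 10)),
    Prospect("Mike.Johnson@Acme.com", "Mike", "Johnson", "prospect",
             date(2025, 11, 20), opted_out=True),
    Prospect("f.ito@example.com", "Fay", "Ito", "prospect", date(2023, 8, 1)),
]


def run_example():
    suppression: set[str] = set()
    kept = apply_retention(SAMPLE_RECORDS, TODAY, suppression)
    return kept, suppression


if __name__ == "__main__":
    kept, suppression = run_example()
    for p in kept:
        print(p.status, p.email or "<anonymized>", "review" if review_due(p, TODAY) else "")
    print(filter_new_leads(["mike.johnson@acme.com", "jane.doe@example.com"], suppression))
```

Run it as a scheduled job (quarterly, as in Sarah's example) against an export of your CRM, and run `filter_new_leads` on every enrichment batch before it is written back. Normalizing the address before hashing matters: without it, `Mike.Johnson@Acme.com` and `mike.johnson@acme.com` would produce different tokens and the opt-out would silently fail.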


Chapter 5: Key Obligations — Records, DPO, Security

Records of processing activities (mandatory)

Organizations processing personal data must maintain a record of processing activities (Article 30 GDPR). Article 30.5 exempts companies under 250 employees, but only where the processing is occasional, low-risk, and involves no special categories of data. Ongoing prospecting is not occasional, so in practice the obligation applies to most sales teams. The record lists all your data processing operations, covering for each one:

  • The purpose
  • Categories of data processed
  • Recipients (enrichment vendors, CRM platforms…)
  • Retention periods
  • Security measures in place

You don’t proactively submit this to your supervisory authority, but it must be immediately available during an audit or inspection.

The DPA with your enrichment vendors

When you share personal data with an external provider (enrichment tool, lead gen agency…), you must sign a Data Processing Agreement. This contract defines:

  • The role of each party (data controller vs processor)
  • The permitted purposes for data processing
  • Security measures the vendor has in place
  • Data return or deletion conditions at the end of the contract

Watch out: Many SaaS tools include a DPA in their terms or offer one on request. Always verify your enrichment provider has signed a DPA with you — the absence of a DPA is a direct compliance gap.

DPO: required or not?

A Data Protection Officer (DPO) is mandatory in three cases:

  1. You’re a public authority
  2. Your core activity involves large-scale processing of sensitive personal data
  3. Your core activity involves large-scale, systematic monitoring of individuals

For most B2B sales and marketing teams, a DPO isn’t legally required. Designating an internal GDPR lead (even without the formal DPO title) is still a solid practice that simplifies compliance and reassures partners.

Data security requirements

Article 32 GDPR requires appropriate technical and organizational security measures. For enriched prospect data, this means:

  • Access limited to those who need it (least privilege principle)
  • Strong authentication on CRM tools and Google Sheets holding personal data
  • Encryption in transit everywhere (TLS to your CRM, enrichment vendor and mail provider), and encryption at rest for exports, spreadsheets and backups that hold prospect data
  • A data breach notification process: you must notify your supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to pose a risk to individuals (Article 33), and notify the individuals themselves if the risk is high (Article 34)


Chapter 6: Edge Cases — LinkedIn, Phone Numbers, Purchased Data

LinkedIn and GDPR: where the line is

LinkedIn is the number-one source of B2B data. Manual review of public profiles is legal. But several practices cross the legal line:

Automated scraping As covered in Chapter 3, LinkedIn's Terms of Service explicitly prohibit automated data extraction, and mass scraping of personal data without a valid legal basis is a GDPR violation in its own right. Regulators across Europe have sanctioned companies for this.

Transferring LinkedIn data to a CRM The moment you export data from LinkedIn profiles (via Sales Navigator or a third-party tool) into your CRM or Google Sheets, you’ve created a personal data processing activity subject to GDPR. You must inform the individuals on first contact (Article 14) and specify the source: “Your contact details were sourced from LinkedIn.”

Using public LinkedIn data to enrich Many enrichment tools use public LinkedIn profile information to provide associated emails or phone numbers. This is acceptable if the vendor itself complies with GDPR — and if you inform prospects of the data source in your first message.

Derrick lets you find a prospect’s phone number directly from their LinkedIn profile via Phone Finder. Disclosing the source in your first contact remains mandatory.

Phone numbers: TPS and beyond

Phone prospecting in B2B is subject to specific rules depending on your market:

  • Direct office landline: legitimate interest applies; in the UK, screen against the TPS and the Corporate TPS (CTPS) before calling
  • Professional mobile: GDPR applies; screen against the TPS (UK) or the equivalent national opt-out list, and treat it as a personal number if there's any doubt
  • Personal mobile: opt-out list screening is required in most European markets, and the professional-relevance argument for legitimate interest is weaker

When enriching prospects with phone numbers, confirm you’re working with verified professional numbers. Enrichment services that specify number type (direct, mobile, landline) reduce your compliance exposure significantly.

Purchased data from third-party providers

Buying prospect databases is legal, but it comes with obligations:

  1. Verify the vendor’s GDPR compliance: The seller must be able to demonstrate lawful collection
  2. Sign a DPA with the vendor before any data transfer
  3. Inform individuals at first contact (Article 14 GDPR): explicitly mention the data source (“Your contact details were sourced from [vendor name]”)
  4. Verify data freshness: Stale data drives bounces, harms sender reputation, and creates a compliance risk (accuracy principle, Article 5.1.d GDPR)

Emma, Growth Manager at a B2B SaaS scale-up, experienced this firsthand: after purchasing a 10,000-contact database without verification, her bounce rate climbed above 8%, triggering email deliverability penalties. She now runs systematic email verification before every campaign — bringing her bounce rate below 2%.


Chapter 7: Real Enforcement — What Actually Gets Sanctioned

Fine levels in 2025–2026

GDPR fines can reach €20 million or 4% of global annual turnover (whichever is higher). Enforcement is intensifying across Europe: in France alone, the CNIL conducted more than 340 audits in 2024 and issued dozens of fines, some exceeding €1 million. The UK's ICO, Germany's state data protection authorities, and other national regulators are on a similar trajectory.

The most common triggers for sanctions in B2B prospecting:

  • Missing unsubscribe link (opt-out) in prospecting emails
  • Excessive data retention (beyond 3 years)
  • Failure to mention the data source in first contact
  • Prospecting outside the professional scope of the target
  • No DPA with enrichment or lead gen vendors

Real-world example: A French company was fined €20,000 for emailing professionals with offers that had no connection to their professional activity (workplace meal delivery). Legitimate interest didn’t apply because the offer wasn’t relevant to their job function.

The mistakes that expose you most

Problem 1: Email with no GDPR footer Impact: One of the most common grounds for complaints and regulatory action. Every prospecting email without mention of legal basis, data source, and opt-out link exposes your company to a formal notice. Solution: Build a standardized GDPR footer into all your cold email templates. Make it a non-negotiable element of your sending setup.

Problem 2: No opt-out management Impact: If a prospect unsubscribes and you contact them again, you risk a direct complaint to the supervisory authority. At scale, this can trigger a formal audit. Solution: Maintain a centralized suppression list, synchronized across all prospecting channels (email, LinkedIn, phone).

Problem 3: Keeping prospect data beyond 3 years Impact: Direct violation of the storage limitation principle. Regulators regularly sanction this. Solution: Set up automatic purge rules in your CRM. Flag prospects at 30 months for re-engagement or deletion.

Problem 4: No DPA with your enrichment vendor Impact: Article 28.3 requires a written contract with every processor, so the missing DPA is a violation on its own, before any incident. If the vendor then suffers a breach, you have no agreed terms on security, notification, or deletion to fall back on, and you carry the controller's liability alone. Solution: Require a signed DPA before sharing any personal data with a vendor. Any serious SaaS tool will offer one.

Problem 5: Failing to disclose the data source Impact: Article 14 GDPR requires you to tell individuals where their data came from. Missing this is a frequent enforcement trigger. Solution: In your first email, always mention where the prospect’s details came from: “Your contact details were sourced from LinkedIn / a professional database.”


Chapter 8: GDPR Compliance Checklist for B2B Data Enrichment

Before enriching

  • [ ] Legal basis defined and documented (legitimate interest or consent)
  • [ ] Balancing test completed if using legitimate interest
  • [ ] Enrichment vendor selected based on GDPR criteria
  • [ ] DPA signed with the vendor
  • [ ] Enrichment purpose clearly defined
  • [ ] Data minimization principle applied (collect only what you need)
  • [ ] Records of processing activities updated

During prospecting

  • [ ] First email compliant with Article 14 (source, purpose, rights, opt-out)
  • [ ] GDPR footer present in all emails
  • [ ] Functional one-click unsubscribe link
  • [ ] Offer directly relevant to the prospect’s professional role
  • [ ] TPS or equivalent check for mobile numbers where required

On an ongoing basis

  • [ ] Centralized suppression list, synchronized across channels
  • [ ] Automatic 3-year purge for inactive prospects
  • [ ] Rights requests handled within one month (Article 12.3)
  • [ ] Annual data processing audit
  • [ ] Records of processing updated for any new data flow

Key Takeaways

  • GDPR applies as soon as data identifies a living individual — including first.last@company.com
  • In B2B, legitimate interest allows prospecting without prior consent, but requires transparency and the right to object
  • The Article 14 information obligation applies at first contact: disclose the source, purpose, and prospect’s rights
  • The benchmark retention for an inactive prospect is 3 years from the last contact (CNIL recommendation; GDPR itself only requires "no longer than necessary")
  • Automated scraping of LinkedIn violates both its Terms of Service and GDPR
  • Always sign a DPA with enrichment vendors
  • Fines can reach €20M or 4% of global revenue

Conclusion: GDPR Compliance as a Competitive Advantage

GDPR compliance in B2B data enrichment isn’t a blocker — it’s a framework that makes your prospecting more durable and more effective. Teams that build it in from the start end up with cleaner databases, higher engagement rates, and a sender reputation worth protecting.

The golden rule: enrich only what you need, always inform your prospects, and document every processing activity. These three habits cover the vast majority of your legal exposure.

For your B2B lead generation and contact database management, compliant enrichment means using tools that generate data on the fly — without warehousing massive personal data stores — which directly reduces your legal risk profile.


FAQ

Does GDPR apply to professional B2B emails? Yes. A named email like first.last@company.com is personal data under GDPR because it identifies a natural person — even when used in a professional context. Generic emails like contact@company.com fall outside GDPR’s scope.

Can you enrich data without consent in B2B? Yes, under conditions. Legitimate interest (Article 6.1.f GDPR) allows processing without prior consent if your offer is relevant to the prospect’s professional role, you inform them on first contact, and you offer a simple right to object.

How long can you keep prospect data? GDPR sets no fixed period, only the requirement to keep data no longer than necessary. Data protection authorities (the CNIL in particular) recommend a maximum of 3 years from collection or last contact for a prospect who has never engaged. Beyond that, data must be deleted or anonymized.

What are the real risks of non-compliance? Fines can reach €20 million or 4% of global annual turnover. In practice, fines for SMBs tend to range from €10,000 to €200,000 — but regulatory investigation, public disclosure of sanctions, and reputational damage can be equally costly.

Is LinkedIn data enrichment legal? Manual review of public LinkedIn profiles is legal. Automated scraping is prohibited by LinkedIn’s Terms of Service and creates GDPR exposure. Using enrichment tools that source data from public profiles is acceptable if you disclose the data source to prospects at first contact.

Do you need a DPO to run B2B enrichment? Not necessarily. A DPO is only legally required in specific high-risk processing scenarios. For most sales and marketing teams, an internal GDPR lead is sufficient — though naming one is strongly recommended if you manage significant data volumes.
