In January 2026, France’s data protection authority (CNIL) hit Free Mobile with a €27 million fine and Free with €15 million — both decisions handed down the same day. A few weeks earlier, France Travail (the national employment agency) was fined €5 million after a massive data breach. GDPR sanctions are no longer reserved for tech giants: they’re hitting businesses of all sizes, across every sector.
If you’re an SDR, Growth Marketer, or Sales Ops professional managing prospect databases, this affects you directly. This guide breaks down what your business actually risks, which B2B prospecting practices get sanctioned most often, and how to reduce your exposure — without overhauling your entire workflow.
What Is a GDPR Sanction? Definition and Scope
The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, gives European supervisory authorities the power to sanction any organization — company, association, or public body — that fails to comply with its obligations around personal data processing.
In France, this role falls to the CNIL (Commission Nationale de l’Informatique et des Libertés). In the UK, it’s the ICO (Information Commissioner’s Office). Across the EU, each member state has its own Data Protection Authority (DPA), and they increasingly cooperate on cross-border cases.
A GDPR sanction doesn’t automatically mean a fine. Regulators have a range of graduated measures at their disposal — from a simple reprimand to a full public fine — with the goal of driving behavioral change. But the financial and reputational cost can be significant even at the lower end.
Key point for sales teams: the moment you process data about individuals — nominative email addresses, phone numbers, LinkedIn profiles — you’re subject to GDPR, even if those people are being contacted in a professional context. B2B doesn’t mean GDPR-free.
Types of GDPR Sanctions a Supervisory Authority Can Issue
Understanding the different types of sanctions matters, because they have very different operational and reputational implications.
Reprimand
The lightest measure. The regulator flags a violation without imposing a financial penalty. It can still be made public, which is enough to cause reputational damage — particularly for regulated sectors like finance or healthcare.
Order to Comply
A formal injunction requiring the organization to bring its processing into compliance within a set deadline. If the deadline is missed, the regulator can open a full sanction procedure. These orders are generally not published unless the organization fails to act.
Order with Daily Penalty
Regulators can attach a daily financial penalty to a compliance order — in France, up to €100,000 per day of delay. This is a powerful pressure tool designed to force rapid corrective action.
Administrative Fine
The sanction most organizations fear. The amount depends on the severity of the violation and the size of the business. Fines issued through the ordinary procedure are published publicly on the regulator’s website — which is often more damaging than the fine itself.
Processing Restriction or Ban
In the most serious cases, the regulator can order the temporary or permanent suspension of a data processing activity. For a business whose model depends on outreach or data-driven sales, this is effectively an operational shutdown. It’s the nuclear option — but it gets used.
GDPR Fine Amounts: What Your Business Is Actually Exposed To
Article 83 of the GDPR sets out two tiers of maximum fines, depending on the nature of the violation.
| Violation type | Maximum fine |
|---|---|
| “Technical” violations (Art. 83.4) | €10 million or 2% of global annual revenue |
| “Fundamental” violations (Art. 83.5) | €20 million or 4% of global annual revenue |
Whichever of the two figures is higher applies. For a startup with €5M in revenue, the theoretical ceiling is still €10M or €20M. For a multinational, it’s the percentage of global revenue — which explains the record fines handed to Meta (€1.2 billion) and Amazon (€746 million).
The Simplified Procedure: An Underestimated Risk for SMBs
Since 2022, the CNIL has run a fast-track “simplified procedure” for less complex cases — typically individual complaints against smaller businesses. Key features:
- Fine capped at €20,000
- Decision not made public
That cap might sound reassuring. But in 2024, the CNIL issued nearly three times more simplified sanctions than in 2023. The most common violation: failure to cooperate with the CNIL (not responding to their inquiries). Smaller businesses are increasingly in scope.
The Real Cost of a Sanction Goes Well Beyond the Fine
A €20,000 fine rarely costs just €20,000. Add legal fees, mandatory compliance remediation, the organizational cost of internal restructuring, and potential reputational damage if the decision is published. Industry estimates put the total cost at 2x to 4x the fine amount.
Real GDPR Fines: Europe and France
GDPR sanctions aren’t theoretical. Here’s a cross-section of real cases at different scales.
Landmark European Fines
Meta Platforms (Ireland, 2023) — €1.2 billion. The Irish DPA sanctioned the transfer of EU user data to the United States without adequate safeguards. Still the largest GDPR fine ever issued in Europe.
Uber (Netherlands, 2024) — €290 million, in cooperation with the French CNIL. Reason: over two years of EU driver data transfers to the US without a valid transfer mechanism.
Amazon (Luxembourg, 2021) — €746 million for non-compliance in its advertising targeting system. A reminder that behavioral advertising is firmly in regulators’ sights.
Recent French Fines
| Company | Amount | Reason | Year |
|---|---|---|---|
| Free Mobile | €27M | Multiple personal data violations | Jan 2026 |
| Free | €15M | Multiple personal data violations | Jan 2026 |
| France Travail | €5M | Security breach, job seekers’ data | Jan 2026 |
| Anonymous (loyalty program) | €3.5M | Sharing loyalty program data with a social network | Dec 2025 |
| NEXPUBLICA FRANCE | €1.7M | Insufficient security measures on PCRM software | Dec 2025 |
| Google (cookies) | €90M | Advertising cookies without prior consent | 2022 |
| Amazon (cookies) | €35M | Advertising cookies without prior consent | 2022 |
Sanctions That Directly Affect B2B Sales Teams
Two documented cases illustrate the risks specific to commercial prospecting:
Digital services company (2024): issued a formal compliance order after purchasing a prospecting database from a data broker without verifying the lawfulness of the original collection. The CNIL ruled that the buyer, as data controller, was co-responsible for the full data collection chain.
Professional training company (2023): received a public warning for collecting email addresses at trade shows without adequately informing attendees of how their data would be used. The CNIL clarified that a professional setting does not exempt an organization from its transparency obligations.
The takeaway: company size is no shield, and common B2B prospecting practices — buying lists, collecting at events, scraping without documentation — are under active regulatory scrutiny.
The Most Sanctioned GDPR Violations in B2B Prospecting
If you’re running cold email campaigns, LinkedIn imports, or managing CRM databases, here are the violations that most commonly trigger a complaint or an inspection.
1. Missing Opt-Out Link
In B2B, prior consent is not required: you can contact a professional without their explicit agreement, provided your message is relevant to their role and activity. But every prospecting email must include a visible, functional unsubscribe link — one that works in a single click, with no justification required.
Missing opt-out is one of the most frequent grounds for CNIL complaints. Unsubscribe requests must be processed within 24 to 48 hours.
2. Retaining Data Beyond 3 Years
The CNIL recommends a maximum retention period of 3 years after the last active contact. Beyond that, data must be deleted or anonymized. CRM databases that have never been cleaned, holding contacts from 5 or 7 years ago with no recent interaction, represent a direct legal risk.
In 2023, a recruitment firm was sanctioned for retaining CVs for more than 5 years without justification. The same logic applies to commercial prospect lists.
3. Buying Lists Without Verifying the Compliance Chain
Purchasing a “GDPR-compliant” database from a vendor does not transfer liability. As the data controller, you must verify:
- How the data was originally collected
- Whether individuals were informed their data could be shared with third parties
- Whether compliance documentation can be provided on request
If a vendor refuses to document the data’s origin, that’s a major red flag. Walk away.
4. Prospecting Outside the Recipient’s Professional Scope
The legitimate interest legal basis only applies if your message is directly related to the recipient’s professional role. Contacting an HR Director to pitch a recruitment tool is compliant. Sending them a holiday deal or an unrelated product switches the contact into a B2C scenario — which requires explicit prior consent.
This is a commonly overlooked nuance in broad-targeting campaigns.
5. No Transparency on Data Origin
Every prospect has the right to know where their data came from. GDPR Article 14 requires your prospecting emails to mention the data source (LinkedIn, professional directory, event X, etc.) and the recipient’s rights. This is frequently missing from cold email templates — and it’s a recurring ground for CNIL sanctions.
6. Sole Traders and Freelancers: a Critical Exception
The lighter B2B rules do not apply to sole traders and self-employed individuals. They’re treated as natural persons under GDPR, meaning the B2C regime applies. You need their explicit prior consent before any commercial contact.
This catches many sales teams off guard when targeting freelancers, independent consultants, or one-person LLCs. Mike, an SDR at a SaaS startup, learned this the hard way when a series of cold emails to independent contractors generated three CNIL complaints in a single week.
How Does a Regulatory Investigation Get Triggered?
Understanding what kicks off a CNIL inquiry helps you assess your actual risk level.
Individual Complaints
This is the most common trigger. In 2023, the CNIL received more than 16,000 complaints. An annoyed prospect who can’t unsubscribe, a former client who can’t get their data deleted, a contact frustrated by irrelevant emails — any of them can file a complaint online in minutes.
The CNIL has up to three years from the date of the violation to investigate.
Programmatic Investigations
Each year, the CNIL targets specific sectors for proactive audits — no complaint needed. In 2024, cookies and employee monitoring were the focus. In 2025, e-commerce, healthcare, and local authorities were prioritized. No business is too small to appear on the radar: inspections increased by 300% between 2023 and 2024.
Data Breach Notifications
Any data breach — leak, unauthorized access, data loss — must be reported to the relevant DPA within 72 hours. If sensitive data or large numbers of individuals are involved, the breach itself triggers a formal investigation. France Travail experienced this in January 2026: a security vulnerability exposing millions of job seekers’ records resulted in a €5 million fine.
How to Reduce Your GDPR Risk: Practical Steps
Here are the concrete actions that protect your B2B prospecting operations — without requiring a legal overhaul.
Step 1: Document the Origin of Every Contact
For each lead in your database, you need to answer: “Where did this data come from?” LinkedIn, contact form, trade show, purchased list — every source must be documented. A simple “Source” field in your CRM or Google Sheets is enough to start.
Expected outcome: In the event of an inspection or a complaint, you can justify the origin of your data in under 10 minutes.
Step 2: Add Mandatory Legal Mentions to Your Email Templates
Every B2B prospecting email must include, at minimum:
- Sender identity (name, company, address)
- Purpose of the processing (commercial prospecting)
- Data origin (“We found your contact details on LinkedIn”)
- Right to object, with a functional unsubscribe link
- Intended retention period (maximum 3 years)
This block fits in a standard email footer. Once written, it adds less than 30 seconds to each template you create.
Step 3: Clean Your CRM Regularly
Schedule a quarterly data cleanup. Delete contacts with no interaction in over 3 years, hard-bouncing addresses, and unsubscribers who haven’t yet been removed from active sequences. A clean database reduces your legal risk and improves your deliverability at the same time.
Database enrichment can help here — identifying outdated contacts and filling in missing fields so you’re not storing stale, incomplete data in your CRM.
Step 4: Verify Emails Before You Send
Invalid email addresses generate hard bounces, which damage your sender reputation and signal poor list hygiene — a negative indicator in any regulatory review. Run your lists through an email verification tool before every campaign.
Target: Keep your bounce rate below 2% across all outbound campaigns.
Step 5: Maintain a Record of Processing Activities
Article 30 of the GDPR requires most organizations to maintain a Record of Processing Activities (RoPA). For each data processing operation — prospect database, CRM, customer files — document: the purpose, data categories, recipients, retention period, and security measures.
This record is the first thing a regulator asks for during an inspection. Its absence is itself a sanctionable violation.
Step 6: Train Your Sales Team
SDRs and BDRs are typically the ones building and manipulating prospect data. A short training session (2 hours) covering GDPR basics in B2B — legal basis, opt-out, retention limits — is enough to significantly reduce the risk of inadvertent violations.
For a deeper dive into compliant B2B lead generation practices, check our dedicated guide.
Common Mistakes and How to Fix Them
Problem 1: Buying a List Without Compliance Documentation
Symptom: Your data vendor can’t provide documentation on data origin, consent records, or the information notices shown to individuals at collection.
Impact: You’re co-responsible for the entire data collection chain. If the original collection was unlawful, your use of the data is too — regardless of good faith.
Solution: Always require a contract specifying data origin, compliance evidence, and an indemnification clause in the event of regulatory action. If the vendor refuses, don’t use the list. Stick to traceable sources: LinkedIn, public professional directories, documented enrichment tools.
Problem 2: Unsubscribed Contacts Still Receiving Emails
Symptom: Contacts who clicked “Unsubscribe” are still receiving your prospecting sequences.
Impact: Every email sent after an opt-out request is a violation. These individuals can — and do — file complaints with the CNIL. This is one of the most common complaint grounds.
Solution: Automate unsubscribe suppression in your CRM within 48 hours of the request. Make sure your sending tools (Lemlist, Instantly, etc.) sync opt-outs back to your master database in real time.
Problem 3: Contacts Retained Beyond 3 Years
Symptom: Your CRM contains contacts created 4 or 5 years ago, with no recent interaction and no deletion request received.
Impact: Unlawful data retention — sanctionable if flagged during an inspection or by one of those contacts filing a complaint.
Solution: Set an automated alert at 36 months after the last active contact. Send a final re-engagement email: if no response, delete or anonymize the record. Document this process in your Record of Processing Activities.
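The quarterly cleanup from Step 3, the opt-out suppression from Problem 2 and the 36-month re-engagement rule from Problem 3 (plus the “Source” field from Step 1 and the entity-type segmentation from Problem 4) can all be driven by one review pass over a CRM export. The script below is an added example, not code from the original article or from the Derrick product. It assumes a CRM export with the fields shown on the `Contact` class, uses constructed sample rows rather than real people, and assumes a 30-day wait for a reply to the final re-engagement email before a record is deleted (the page gives no figure for that wait).

```python
"""Quarterly CRM hygiene pass: retention, bounces, opt-outs, provenance, consent."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=3 * 365)   # 3 years / 36 months after last active contact (page's figure)
OPT_OUT_SLA = timedelta(days=2)       # opt-outs honoured within 48 hours (page's figure)
REENGAGE_GRACE = timedelta(days=30)   # assumption: how long to wait for a reply to the final email
REVIEW_DATE = date(2026, 3, 1)        # constructed "today" for the sample run


@dataclass
class Contact:
    email: str
    source: Optional[str]                      # Step 1: "Source" field; None means undocumented
    last_interaction: date                     # last active contact with the person
    entity_type: str = "company"               # "company" or "sole_trader" (Problem 4 segmentation)
    consent: bool = False                      # explicit prior consent recorded (sole traders need it)
    hard_bounced: bool = False                 # Step 3 / Step 4: dead address
    opted_out_on: Optional[date] = None        # date the unsubscribe was received
    in_active_sequence: bool = False           # still enrolled in an outbound sequence
    reengagement_sent: Optional[date] = None   # date the final re-engagement email went out


def review_contact(c: Contact, today: date) -> list[str]:
    """Return the hygiene findings for one CRM row; an empty list means nothing to do."""
    findings: list[str] = []
    # Problem 2: opted-out contacts must leave active sequences; flag SLA breaches separately.
    if c.opted_out_on is not None and c.in_active_sequence:
        findings.append("SUPPRESS")
        if today - c.opted_out_on > OPT_OUT_SLA:
            findings.append("OPT_OUT_SLA_BREACHED")
    # Step 3: hard bounces are dead addresses and should not stay in the database.
    if c.hard_bounced:
        findings.append("DELETE_BOUNCE")
    # Problem 3: past the retention limit, send one final email, then delete if it goes unanswered.
    if today - c.last_interaction > RETENTION:
        if c.reengagement_sent is None:
            findings.append("REENGAGE")
        elif (today - c.reengagement_sent > REENGAGE_GRACE
              and c.last_interaction < c.reengagement_sent):
            findings.append("DELETE_EXPIRED")
    # Step 1: every row must say where it came from.
    if not c.source:
        findings.append("MISSING_SOURCE")
    # Problem 4: sole traders fall under the B2C regime and need explicit prior consent.
    if c.entity_type == "sole_trader" and not c.consent:
        findings.append("CONSENT_REQUIRED")
    return findings


def run_cleanup(contacts: list[Contact], today: date) -> dict[str, list[str]]:
    """Map each e-mail that needs attention to its findings; clean rows are omitted."""
    report: dict[str, list[str]] = {}
    for c in contacts:
        findings = review_contact(c, today)
        if findings:
            report[c.email] = findings
    return report


def sample_contacts() -> list[Contact]:
    """Constructed sample rows (not real people) covering each finding and one clean edge case."""
    return [
        Contact("alice@example-corp.test", "LinkedIn", date(2025, 11, 10)),
        Contact("bob@example-corp.test", None, date(2022, 1, 15)),
        Contact("carol@example-corp.test", "Trade show", date(2022, 6, 1),
                reengagement_sent=date(2026, 1, 5)),
        Contact("dan@example-corp.test", "Purchased list", date(2025, 12, 1),
                opted_out_on=date(2026, 2, 20), in_active_sequence=True),
        Contact("eve@example-corp.test", "LinkedIn", date(2026, 1, 20), hard_bounced=True),
        Contact("frank@example-corp.test", "LinkedIn", date(2026, 2, 1),
                entity_type="sole_trader", consent=False),
        # Final email sent 4 days ago: still inside the grace period, so no finding yet.
        Contact("gina@example-corp.test", "LinkedIn", date(2022, 3, 1),
                reengagement_sent=date(2026, 2, 25)),
    ]


if __name__ == "__main__":
    for email, findings in run_cleanup(sample_contacts(), REVIEW_DATE).items():
        print(f"{email}: {', '.join(findings)}")
```

The findings are deliberately labels rather than direct deletes: the report is what you attach to the Record of Processing Activities as evidence that the quarterly pass ran, and the actual suppression or deletion is applied in the CRM from that list. The `OPT_OUT_SLA_BREACHED` label is the one to watch, since every email sent after that point is a separate violation.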
Problem 4: Targeting Sole Traders with B2B Rules
Symptom: Your prospect list includes freelancers or self-employed individuals, and you’re contacting them without prior consent.
Impact: These individuals are legally treated as natural persons under GDPR. The B2C regime applies — explicit prior consent is required before any commercial contact.
Solution: Segment your database by legal entity type. Companies (Ltd, Inc, GmbH, SAS, etc.) fall under the B2B regime. Sole traders and self-employed individuals fall under B2C. Adjust your approach accordingly — or build your prospect list from the start by filtering on entity type.
Key Takeaways
- GDPR fines can reach €20 million or 4% of global annual revenue — whichever is higher
- In 2024, European authorities issued record penalties; CNIL inspections of SMBs increased by 300% between 2023 and 2024
- In B2B, prior consent is not required — but a functional opt-out link in every email is mandatory
- Prospect data cannot be retained for more than 3 years after the last active contact
- Buying a contact list makes you co-responsible for the lawfulness of the entire collection chain
- Sole traders and freelancers are treated as consumers under GDPR — the B2C regime applies
- A missing Record of Processing Activities is itself a sanctionable violation
Conclusion: GDPR Compliance Is a Competitive Advantage
GDPR sanctions are no longer a theoretical risk. In January 2026 alone, French regulators issued over €47 million in fines. The trend is accelerating: more inspections, higher fines, and a sharper focus on commercial prospecting practices.
For B2B teams, the good news is that compliance doesn’t require rebuilding your entire operation. It comes down to a handful of operational habits: documenting where your data comes from, adding legal notices to your templates, cleaning your database regularly, and honoring unsubscribe requests within 48 hours.
A clean, current, and well-documented database isn’t just a legal obligation — it’s a competitive edge. Teams working with quality data prospect more efficiently, generate fewer bounces, and build a sender reputation that holds up over time.
For a deeper understanding of key GDPR concepts as they apply to sales and enrichment workflows, check out our GDPR Compliance glossary page.
FAQ
Do GDPR sanctions apply to small businesses? Yes. Regulators sanction businesses of all sizes, including SMBs and startups. The simplified procedure allows fines up to €20,000 without a public hearing, and the number of SMB inspections increased by 300% between 2023 and 2024. Size is not a shield.
Do you need prior consent to send cold emails in B2B? No — not if the recipient is an employee of a company and your message is relevant to their professional role. In B2B, the applicable legal basis is legitimate interest (opt-out model). But every email must contain a functional unsubscribe link, and opt-out requests must be honored within 48 hours.
How long can you retain B2B prospect data? The standard recommendation is a maximum of 3 years from the last active contact. After that, data must be deleted or anonymized. A database holding contacts with no interaction for more than 3 years is a sanctionable violation if flagged during an inspection.
What is the simplified GDPR sanction procedure? A fast-track process for straightforward cases, handled by a single member of the sanctioning body. Decisions are not published, and fines are capped at €20,000. The CNIL issued three times more simplified sanctions in 2024 than in 2023 — a sign that smaller organizations are increasingly targeted.
Can you be sanctioned for a list you bought from a third party? Yes. By purchasing a contact database, you become a data controller. If the original collection was non-compliant, your use of the data is too — even in good faith. Several recent CNIL decisions have confirmed this principle. Always request compliance documentation before any list purchase.