B2B data enrichment sits at the heart of modern sales pipelines. But between the promises of enrichment tools and the realities of GDPR, most commercial teams are flying blind — exposing their company to fines of up to €20 million or 4% of annual global turnover.
The good news: enriching B2B data is completely legal. You just need to know which legal basis applies, what obligations come with it, and how to build a compliant process without killing your pipeline performance.
This guide breaks down exactly what GDPR allows, what it prohibits, and the practical steps you need to take — no legal jargon, just actionable guidance.
B2B Enrichment and GDPR: Clearing Up the Confusion
Let’s start by addressing the most common misconception: GDPR does not apply the same way to all data in a B2B context.
GDPR protects personal data — any information that can directly or indirectly identify a living individual. In a B2B setting, this means:
- Nominal email addresses (e.g., mike.johnson@acme.com)
- Direct or mobile phone numbers
- Individual names and surnames
By contrast, data that relates exclusively to a legal entity (the company itself) falls outside GDPR’s scope. A generic info@company.com, a company registration number, a publicly filed revenue figure — none of these identifies a natural person, so all of them can be used without GDPR obligations.
This distinction is foundational. It determines which data requires a legal basis — and which can be freely enriched and used. Keep it in mind throughout this guide.
The 6 GDPR Legal Bases: Which One Covers B2B Enrichment?
Article 6 of GDPR identifies six lawful bases for processing personal data. Every processing activity must rest on at least one of them. Here’s how each applies to B2B data enrichment.
1. Consent (Article 6.1.a)
Consent requires the individual to have explicitly agreed to the processing — freely, specifically, and informedly. In B2B enrichment, this basis is rarely practical for externally sourced data, because it demands opt-in before any enrichment takes place. That’s technically unfeasible when you’re working with purchased lists or scraped profiles.
It does apply, however, to progressive enrichment through gated content or forms where users voluntarily submit their details.
2. Contract (Article 6.1.b)
This covers processing that is necessary to perform a contract with the individual, or to take pre-contractual steps at their request. Think enriching an existing customer’s record to issue an invoice or deliver a service.
It does not cover enriching cold prospects you haven’t engaged yet.
3. Legal obligation (Article 6.1.c)
Regulated industries — finance, insurance — sometimes impose KYC (Know Your Customer) checks or other statutory verifications. These are the only scenarios where enrichment can be grounded in a legal obligation. It remains marginal for standard commercial prospecting.
4. Vital interests (Article 6.1.d)
Not applicable to B2B enrichment.
5. Public interest (Article 6.1.e)
Reserved for public authorities and bodies carrying out tasks in the public interest. Not applicable in commercial B2B contexts.
6. Legitimate interest (Article 6.1.f) ← The key legal basis for B2B enrichment
Legitimate interest is the most commonly invoked basis for B2B data enrichment. It allows processing when your business interest is real, proportionate, and does not override the fundamental rights and freedoms of the individual.
For B2B prospecting, this translates to: you can enrich contact data and reach out to professionals without their prior consent, provided you meet specific conditions detailed in the next section.
With those six bases in hand, let’s dig into how legitimate interest actually works in practice.
Legitimate Interest in Practice: What You Can (and Can’t) Do
Legitimate interest is a flexible but bounded concept. It is not a blanket permission to process any data for any purpose. Two cumulative conditions must be met for it to apply.
Condition 1: A genuine, legitimate interest
Your business purpose must be clearly defined. Enriching a contact database to improve prospecting quality, personalize outreach, or score leads falls squarely within scope. Building detailed profiles on individuals without a specific commercial project — or collecting data beyond what you actually need — cannot be justified under legitimate interest.
Condition 2: Balancing test against individual rights
The processing must not disproportionately override the rights and interests of the people involved. In practice, this means targeting professionals whose job function is directly relevant to your offer. If you’re selling HR software, reaching out to a CFO requires a clear functional justification. Targeting an IT manager at a bakery? The link simply isn’t there.
What legitimate interest allows you to do:
- Enrich professional profiles with emails, phone numbers, and firmographic data
- Contact prospects without prior consent (opt-out model applies, not opt-in)
- Use third-party databases or enrichment APIs — provided the vendor is GDPR-compliant
What it does NOT allow:
- Enriching B2C consumer data without explicit consent
- Processing sensitive categories of data (health, political opinions, ethnic origin)
- Building detailed profiles without a specific, documented commercial purpose
- Targeting individuals with no functional relevance to your offer
Practical note: GDPR supervisory authorities (including the ICO in the UK) recommend documenting your Legitimate Interest Assessment (LIA) — a written record of why your interest outweighs the individual’s rights for that specific processing activity. Keep it on file; it’s your first line of defense in any audit.
The Practical Obligations: What You Must Do to Stay Compliant
Invoking legitimate interest is the starting point, not the finish line. GDPR layers several concrete obligations on top of it.
Obligation 1: Inform contacts on first outreach (Article 14 GDPR)
This is the most commonly overlooked requirement. When you use data you didn’t collect directly from the individual — purchased lists, scraped profiles, or data enriched via a third-party tool — you must inform that person on your very first contact. The notice must include:
- Your company’s identity (data controller)
- Where the data came from (the source)
- Why you’re processing it (commercial prospecting)
- The legal basis you’re relying on (legitimate interest)
- What rights they have (access, rectification, erasure, objection)
In practice, this means adding a short footer to your outreach emails: “Your professional contact details were sourced via [origin]. Under GDPR, you can object to this processing at any time: [unsubscribe link].”
Obligation 2: Provide a simple, free opt-out
Every commercial communication must include a working unsubscribe link. Once someone objects:
- Stop all contact immediately
- Remove or suppress their data
- Log the request in your records
Obligation 3: Maintain a Record of Processing Activities
Any organization processing personal data should maintain a register detailing each processing activity: the data enriched, its purpose, legal basis, retention period, and sub-processors involved. This register is mandatory for companies with 250+ employees and strongly recommended for smaller teams.
Obligation 4: Work only with GDPR-compliant sub-processors
If you use a third-party enrichment tool — whether an API, a Chrome extension, or a data platform — you are responsible for that vendor’s compliance. This requires signing a Data Processing Agreement (DPA) with every supplier who processes personal data on your behalf.
A vendor who can’t explain where their data comes from or who refuses to sign a DPA is a serious red flag.
Company Data vs. Personal Data: Where to Draw the Line
For B2B database enrichment, the distinction between company data and personal data directly determines your compliance workload.
| Data type | Example | Subject to GDPR? |
|---|---|---|
| Nominal email address | mike.johnson@acme.com | ✅ Yes |
| Direct / mobile phone | +1 415 555 0123 | ✅ Yes |
| Individual name | Mike Johnson | ✅ Yes |
| Generic email | info@acme.com | ❌ No |
| Company name | Acme Inc. | ❌ No |
| Company registration number | 123-456-789 | ❌ No |
| Publicly filed revenue | $4.2M | ❌ No |
| Industry / sector | B2B SaaS | ❌ No |
| Headcount | 28 employees | ❌ No |
| Technologies used | HubSpot, Slack | ❌ No |
A complete enrichment workflow typically combines both types. Firmographic data — industry, size, tech stack — requires no specific legal basis. Individual contact details trigger GDPR obligations.
This tiered approach lets you be proportionate: enrich company-level data freely, and apply a stricter framework when adding individual contact information.
How to Choose a GDPR-Compliant Enrichment Tool
Your enrichment vendor’s compliance is your compliance. As a data controller, you’re accountable for how your sub-processors handle personal data.
Here are the criteria to evaluate before committing to a data provider:
1. Transparency about data sources
The vendor must be able to explain precisely where their data comes from: public sources, opted-in contacts, partnership agreements, professional directory crawling. A vague answer on this point is a dealbreaker.
2. A signable DPA
Any vendor processing personal data on your behalf must offer a Data Processing Agreement. No DPA = direct GDPR violation under Article 28.
3. Rights management mechanisms
The vendor must maintain a suppression list that honors opt-out requests. If someone asks you to delete their data, it shouldn’t reappear the next time your database is refreshed.
4. EU hosting and international transfers
Data should be hosted within the EU or in a country with an adequacy decision from the European Commission. US-based tools without appropriate contractual safeguards (Standard Contractual Clauses or BCRs) carry significant legal risk.
5. Regular data updates
Industry data decays fast — estimates commonly place B2B data obsolescence at around 30% per year due to job changes, company restructurings, and email updates. A vendor who doesn’t refresh their data regularly exposes you to contacting people on outdated details, damaging both your deliverability and your compliance posture.
Internal vs. External Enrichment: What Changes Legally
GDPR obligations differ depending on whether you’re enriching from within or pulling in outside data.
Internal enrichment uses data you already collected within an existing legal framework — CRM records, email interaction history, form submissions. This is legally the safest path: the original legal basis (consent or legitimate interest) generally extends to subsequent enrichment, as long as you stay within the declared purpose.
External enrichment adds data from third-party sources — B2B databases, enrichment APIs, scraping tools. It’s fully permitted under GDPR, but adds layers of obligation:
- Verify the vendor’s compliance before signing up (DPA, data provenance, hosting)
- Apply Article 14 disclosure obligations to all contacts enriched externally
- Document the legal basis for each enrichment activity
External enrichment is now standard practice for high-performing sales teams. Tools like Derrick let you enrich LinkedIn data — verified emails, phone numbers, firmographic attributes — directly in Google Sheets, keeping a clear audit trail of the data sources used.
For a deeper dive into enrichment methods and best practices, see our guide on B2B database enrichment.
The Most Common Mistakes (and How to Fix Them)
Problem 1: No documented legal basis
Symptom: You enrich and prospect without having formally established which legal basis you’re relying on for each processing activity.
Impact: In a GDPR audit, the absence of documentation is treated as a violation in itself — even if your actual practices are lawful. Supervisory authorities can issue fines of up to €20 million or 4% of global annual turnover.
Solution: Draft a Legitimate Interest Assessment (LIA) for each type of processing. It doesn’t need to be lengthy — a structured internal note describing the purpose, the legal basis, the proportionality analysis, and your safeguards is sufficient. Keep it on file and update it when your practices change.
Problem 2: No Article 14 disclosure on first outreach
Symptom: Your prospecting emails contain no mention of where you got the recipient’s data, no reference to GDPR, no unsubscribe link.
Impact: Direct violation of Article 14 GDPR. Supervisory authorities — including the ICO in the UK and the CNIL in France — can issue formal orders and fines. Beyond compliance, it erodes trust with prospects.
Solution: Add a short, clear footer to every outreach email: the source of the data, a link to your privacy policy, and a one-click unsubscribe. Example: “Your professional details were sourced via LinkedIn. To opt out of future communications: [link].”
Problem 3: Using a non-compliant data vendor
Symptom: Your enrichment provider has no DPA, hosts data outside the EU without adequate safeguards, or can’t explain where their data comes from.
Impact: You become jointly liable for their non-compliant practices. Regulators can sanction the entire processing chain — including you as the data controller.
Solution: Always require a signed DPA, a clear data provenance document, and confirmation of hosting location before onboarding a vendor. If they can’t answer these questions, walk away.
Problem 4: Keeping enriched data indefinitely
Symptom: Enriched records stay in your CRM forever — including contacts who never responded, leads who opted out, or profiles from campaigns years ago.
Impact: Violation of GDPR’s storage limitation principle (Article 5). Beyond compliance risk, stale data degrades your pipeline quality and deliverability.
Solution: Define a clear retention policy. For example: unqualified leads are deleted or anonymized after 18–24 months; opt-out requests are logged in a permanent suppression list and never re-imported.
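To make the opt-out handling (stop contact, suppress, log) and this retention policy concrete, here is an added Python example, not code from the article or from Derrick, of a suppression list that survives vendor refreshes plus a retention sweep. It assumes an 18-month window (the lower bound given above), contacts held as plain dicts, and a placeholder salt; suppressed addresses are kept only as salted hashes so the permanent list does not itself retain the personal data the contact asked you to erase.

```python
import hashlib
from datetime import datetime, timedelta

RETENTION = timedelta(days=548)         # assumed: ~18 months, the article's lower bound
SALT = b"constructed-placeholder-salt"  # placeholder only; use a real secret in production

def normalize(email: str) -> str:
    """Canonical form so 'Mike.Johnson@Acme.com ' matches 'mike.johnson@acme.com'."""
    return email.strip().lower()

def suppression_key(email: str) -> str:
    """Salted SHA-256 of the address: the permanent list holds no plaintext email."""
    return hashlib.sha256(SALT + normalize(email).encode()).hexdigest()

def new_store() -> dict:
    return {"contacts": {}, "suppressed": set(), "log": []}

def record_objection(store: dict, email: str, now: datetime) -> None:
    """Opt-out received: remove the record, suppress its hash for good, log the request."""
    email = normalize(email)
    store["contacts"].pop(email, None)
    store["suppressed"].add(suppression_key(email))
    store["log"].append({"event": "objection", "at": now.isoformat(),
                         "key": suppression_key(email)[:12]})

def import_enriched(store: dict, records: list, now: datetime) -> int:
    """Import vendor records; return how many were dropped as already opted out."""
    skipped = 0
    for rec in records:
        email = normalize(rec["email"])
        if suppression_key(email) in store["suppressed"]:
            skipped += 1                      # never re-imported after a vendor refresh
            continue
        store["contacts"][email] = {**rec, "email": email, "imported_at": now,
                                    "qualified": rec.get("qualified", False)}
    return skipped

def apply_retention(store: dict, now: datetime) -> int:
    """Delete unqualified leads older than RETENTION; suppression entries never expire."""
    stale = [e for e, c in store["contacts"].items()
             if not c["qualified"] and now - c["imported_at"] > RETENTION]
    for e in stale:
        del store["contacts"][e]
    store["log"].append({"event": "retention_sweep", "deleted": len(stale),
                         "at": now.isoformat()})
    return len(stale)

def run_demo() -> dict:
    """Constructed scenario: import, one opt-out, a vendor refresh, a retention sweep."""
    t0, store = datetime(2024, 1, 1), new_store()
    batch = [{"email": "Mike.Johnson@acme.com"}, {"email": "jane.doe@acme.com",
             "qualified": True}, {"email": "sam.lee@acme.com"}]
    import_enriched(store, batch, t0)
    record_objection(store, "mike.johnson@ACME.com", t0 + timedelta(days=10))
    skipped = import_enriched(store, batch, t0 + timedelta(days=90))
    deleted = apply_retention(store, t0 + timedelta(days=700))
    return {"skipped": skipped, "deleted": deleted, "suppressed": len(store["suppressed"]),
            "remaining": sorted(store["contacts"])}
```

In the demo the refreshed vendor batch still contains the contact who objected, and the import drops it without ever writing the address back into the CRM.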
Problem 5: Targeting without functional relevance
Symptom: You enrich and contact professionals whose role has no connection to your offer — a sales tool pitched to a restaurant’s logistics manager, for instance.
Impact: Legitimate interest cannot be invoked without a genuine functional link between your offer and the recipient’s role. The processing becomes unlawful. High complaint rates from irrelevant outreach also increase the likelihood of regulatory attention.
Solution: Define your ICP (Ideal Customer Profile) rigorously before enriching any list. Use scoring and segmentation to ensure every contact enriched has a direct, documented connection to what you’re selling.
B2B Enrichment and GDPR: The Quick-Reference Table
| Action | Applicable legal basis | Key conditions |
|---|---|---|
| Enrich firmographic data (sector, size, revenue) | None required (company data) | No specific GDPR obligation |
| Enrich nominal emails from an external source | Legitimate interest | Article 14 disclosure, opt-out, functional targeting |
| Use data from a completed form or gated content | Consent or legitimate interest | Stay within the declared purpose |
| Contact an existing customer | Contract performance | Limit to contractual purposes |
| Contact a B2C consumer | Consent mandatory | Active opt-in required before contact |
| Use a third-party enrichment tool | Legitimate interest + sub-processing | Signed DPA, GDPR-compliant vendor |
Key Takeaways
- GDPR allows B2B data enrichment — legitimate interest (Article 6.1.f) is your legal basis, no prior consent required.
- Only data that identifies an individual is subject to GDPR — firmographic data (company, sector, revenue) is out of scope.
- Article 14 requires you to inform every contact on first outreach: data source, purpose, legal basis, opt-out link.
- Using a non-compliant vendor is your risk — always require a signed DPA and clear data provenance documentation.
- Document your Legitimate Interest Assessment (LIA) for each processing activity — it’s your shield in any regulatory audit.
- Internal enrichment (existing CRM data) carries less compliance overhead than external enrichment, but both are lawful under the right conditions.
Conclusion: Enrich Smartly, Prospect Confidently
GDPR compliance isn’t a barrier to B2B data enrichment — it’s a framework that protects both your prospects and your business. By grounding your enrichment in legitimate interest, informing contacts on first outreach, and partnering with transparent data vendors, you can build a high-performing enrichment process that holds up to scrutiny.
Sales teams that have built compliance into their workflow treat it as a competitive edge: cleaner data, better-targeted outreach, lower complaint rates, and stronger deliverability metrics.
To verify and clean your email lists after enrichment, or to find professional emails for your prospects directly in Google Sheets, Derrick gives you full traceability of data sources at every step.
FAQ
Can you enrich B2B data without consent under GDPR? Yes. In B2B, prior consent is not required if you rely on legitimate interest (Article 6.1.f of GDPR). You must, however, inform the contact on first outreach about the source of their data and give them a clear way to opt out.
What’s the difference between opt-in and opt-out in B2B prospecting? Opt-in means the individual must actively agree before any contact — this is mandatory in B2C. Opt-out (the B2B standard) means you can initiate first contact, but must give the recipient an immediate and easy way to object to further processing.
Are work emails like “mike.johnson@acme.com” covered by GDPR? Yes. A nominal email address identifies a natural person and is therefore personal data under GDPR. Generic emails like “info@acme.com” don’t identify a specific individual and fall outside GDPR’s scope.
What are the fines for non-compliance? GDPR fines can reach €20 million or 4% of annual global turnover — whichever is higher. Supervisory authorities (the ICO in the UK, CNIL in France, and national equivalents across the EU) can also issue formal orders requiring you to stop a processing activity entirely.
Do I need a DPA with my enrichment tool? Yes — as soon as that tool processes personal data on your behalf, it qualifies as a data processor under GDPR (Article 28). A Data Processing Agreement is mandatory. Operating without one is a GDPR violation in itself.