Buying email lists and GDPR

Buying prospect lists is legal. The chain of basis has to be clean.

GDPR doesn't ban purchased B2B prospect lists. What it requires is that the chain of legal basis runs unbroken from the original data collection through the provider's processing and into your use. The list you buy is only as lawful as how it was built. Most enforcement actions in this space turn not on whether buying lists is legal in principle, but on whether the controller — you, the buyer — can produce documentation showing the basis holds at every link in the chain. This guide explains what that chain looks like, what to demand from a provider before you buy, and where most purchased lists fail.

You probably came here because

  • You've been told buying email lists is illegal under GDPR and you want to know if that's actually true.
  • You've bought a list before and a prospect asked where you got their details, and you didn't have a clean answer.
  • You're evaluating a data provider and want to know what documentation they should be providing.
  • Your DPO is asking whether your current prospecting data has a traceable basis and you're not sure.

If any of that lands, the rest of this page is for you.


What the chain of basis requires

What makes a purchased B2B list lawful under GDPR.

The lawfulness of your use depends on the lawfulness of every step before it. Here's what each link in the chain has to hold.

1. The original collector needs a lawful basis for the initial collection.

Every record in a B2B prospect list was originally collected from somewhere — a public registry, a professional directory, a company website, a data partner network. The entity that collected it must have had a lawful basis under Article 6. For publicly available data from KVK, Companies House, or sector directories, that basis is typically the public nature of the data and the professional context. A provider that can't tell you the original collection source and basis for each record category has a documentation problem — and that problem becomes yours when you buy the list.

2. The provider's processing needs its own basis and Article 30 entries.

The data provider is a controller in their own right when they compile, curate, and sell contact lists. They need their own Article 6 basis for the processing they do — selecting, matching, verifying, and transferring records — and they must document it in their Article 30 processing register. What to ask: Can you share your Article 30 entries for the processing operations relevant to this data product? If the answer is 'we don't have those' or 'that's confidential,' that's a red flag. A compliant provider can share their processing register categories without exposing commercial IP.

3. The transfer to you requires a verwerkersovereenkomst or controller-to-controller agreement.

When you buy a B2B contact list, the legal relationship between you and the provider matters. If the provider processes data on your behalf, you need a verwerkersovereenkomst (Article 28 DPA). If you're both independent controllers of the same records, you need a controller-to-controller agreement documenting respective responsibilities. A compliant provider will have a standard DPA ready; if they don't offer one, that tells you something about their compliance maturity.

4. Transfers to third countries require SCCs and — for US providers — a TIA.

If the data provider processes data on US infrastructure, you inherit the transfer compliance question. Post-Schrems II, Standard Contractual Clauses are the minimum contractual requirement, but they must be accompanied by a Transfer Impact Assessment evaluating whether US surveillance law creates a real risk. The EU-US Data Privacy Framework provides a route for DPF-certified processors, but you must verify the specific provider's certification status — it doesn't apply automatically to sub-processors. 'EU-hosted' on a US-owned platform does not solve the transfer problem.

5. Your use requires its own Article 6 basis — and the source has to travel with the record.

Even if the chain holds from collection to purchase, you still need your own legitimate interest basis for the use you're making. That means an LIA covering your direct marketing campaign, a suppression list preventing re-contacting opted-out individuals, and a way to answer an Article 13/14 transparency obligation if a prospect asks where you got their details. 'A B2B data provider' is not enough — you need to name the specific source and date. When you buy a list, each record needs to come with its source, not just a vendor name.

Where to actually look

The primary sources, in case you want to read them yourself rather than trust a vendor blog post:

Where most purchased lists fail

Four failure modes that a regulator or prospect can surface immediately.

None of these require a formal investigation to find. A single Article 14 transparency request from a prospect exposes most of them within the first reply.

1. No verwerkersovereenkomst with the provider.

Article 28 GDPR requires a written agreement when a controller uses a processor. Many B2B list purchases happen via checkout and download with no formal agreement. The buyer assumes the terms-and-conditions checkbox covers it. It doesn't. A compliant provider will have a standard DPA ready; if they don't offer one or don't know what you're asking for, that tells you something about their compliance maturity.

2. 'Our proprietary database' is not a source.

If a provider can't tell you where a specific record came from — public registry, professional directory, named partner network, consent-based collection — then you can't answer an Article 14 transparency request either. GDPR Article 14 requires you to inform data subjects about the source of their data when you didn't collect it directly. The AP's enforcement on OLVG and Booking.com both demonstrated that 'we use a reputable vendor' is not a defence.

3. Using a list after its stated validity window.

Most B2B contact data has a shelf life. Job roles change, companies merge, people leave. A good data provider will tell you when each record was last verified. Using contact data verified 18 months ago in high-churn sectors produces high bounce rates and contacts that may already have suppression entries. Holding stale personal data longer than necessary also breaches the GDPR Article 5(1)(e) storage limitation principle.

4. Buying without asking about the suppression register.

Compliant B2B data providers maintain suppression lists — people who have objected to marketing from their network of clients. If a provider doesn't maintain one, any opted-out individuals who land on your list could generate complaints from someone who already told the provider's network they don't want contact. Ask for the suppression mechanism before you buy.
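Failure modes 2, 3 and 4 above are all checkable before a single message is sent, and a pre-send gate over the purchased file is the check most teams skip. The following is an added example (not Hooklyne's code, and not any provider's actual file format) that triages a list against the three conditions: a record must carry a specific source rather than a vendor label, a verification date inside an assumed 365-day validity window, and an address that is absent from the suppression register. It also produces the Article 14 reply string in the 'sourced from X, verified date' form the guide recommends. The sample records, the suppression file, the source strings and the window length are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Added example, not Hooklyne's code. Every name, record, source string and the
# 365-day window below is a constructed assumption for illustration only.

MAX_AGE_DAYS = 365  # assumed validity window; set it per sector churn

# Vendor labels that do not identify a source in the Article 14 sense.
NON_SOURCES = {"", "proprietary database", "our proprietary database", "vendor", "partner data"}


@dataclass
class Record:
    email: str
    source: str                   # e.g. "KVK registration <number>"; must be specific
    verified_on: Optional[date]   # date the provider last verified the record


def normalise(email: str) -> str:
    """Canonical form used for suppression matching (case and whitespace insensitive)."""
    return email.strip().lower()


def load_suppression(text: str) -> Set[str]:
    """Parse a one-address-per-line suppression file; '#' lines are comments."""
    return {normalise(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def check_record(rec: Record, today: date, suppression: Set[str],
                 max_age_days: int = MAX_AGE_DAYS) -> List[str]:
    """Return the reasons this record must be held back (empty list means it may be used)."""
    problems: List[str] = []
    if normalise(rec.email) in suppression:
        problems.append("suppressed")              # failure mode 4: opted-out individual
    if rec.source.strip().lower() in NON_SOURCES:
        problems.append("no traceable source")     # failure mode 2: cannot answer Article 14
    if rec.verified_on is None:
        problems.append("no verification date")    # failure mode 3: validity unknown
    elif (today - rec.verified_on).days > max_age_days:
        problems.append("stale")                   # failure mode 3: storage limitation, Art. 5(1)(e)
    return problems


def triage(records: List[Record], today: date, suppression: Set[str],
           max_age_days: int = MAX_AGE_DAYS) -> Dict[str, object]:
    """Split a purchased list into addresses cleared to send and held records with reasons."""
    send: List[str] = []
    hold: Dict[str, List[str]] = {}
    for rec in records:
        problems = check_record(rec, today, suppression, max_age_days)
        if problems:
            hold[normalise(rec.email)] = problems
        else:
            send.append(normalise(rec.email))
    return {"send": send, "hold": hold}


def transparency_answer(rec: Record) -> str:
    """The Article 14 reply for one record; refuses if the source or date is missing."""
    if rec.source.strip().lower() in NON_SOURCES or rec.verified_on is None:
        raise ValueError("cannot answer an Article 14 request: source or verification date missing")
    return f"sourced from {rec.source.strip()}, verified {rec.verified_on.isoformat()}"


# Constructed sample input: a fixed "today", a tiny suppression file and five records.
TODAY = date(2025, 1, 15)
SUPPRESSION_FILE = """# constructed suppression register, one address per line
Opted.Out@example.com
"""
RECORDS = [
    Record("ana@example.com", "KVK registration (constructed number 00000000)", date(2024, 11, 1)),
    Record("ben@example.com", "Our proprietary database", date(2024, 11, 1)),
    Record("Opted.Out@example.com", "Companies House record (constructed)", date(2024, 12, 1)),
    Record("cara@example.com", "Named sector directory (constructed)", date(2023, 5, 1)),
    Record("dan@example.com", "KVK registration (constructed number 00000001)", None),
]

if __name__ == "__main__":
    result = triage(RECORDS, TODAY, load_suppression(SUPPRESSION_FILE))
    print("cleared:", result["send"])
    for email, reasons in result["hold"].items():
        print("held:", email, reasons)
    print(transparency_answer(RECORDS[0]))
```

Run it against the constructed data and only one of the five records is cleared; the other four are held with the specific failure mode attached, which is the same list of reasons a DPO would want in the campaign record. Matching suppression on a normalised address, rather than the raw string, is deliberate: a differently cased copy of an opted-out address must still be caught on every provider refresh.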

When this approach works (and when it doesn't)

A purchased list is defensible when the documentation chain is complete before you send.

Works when

  • The provider has documented source lineage per record and can share it.
  • A verwerkersovereenkomst or controller-to-controller agreement is in place before you use the data.
  • You have your own LIA covering the campaign motion, separate from the provider's basis.
  • The provider maintains a suppression register and cross-checks it before delivering your list.

Doesn't work when

  • The provider can't tell you the original collection source or basis for the records.
  • No DPA or controller agreement was signed before you used the data.
  • The list includes records that have exceeded reasonable storage limitation periods.
  • You can't answer an Article 14 transparency request with a specific source.

Honest steelman

The honest position is that many B2B data providers operate in a documentation grey zone — their data is genuinely useful, their collection is probably legitimate in practice, but the paperwork trail GDPR requires isn't consistently maintained at the contact level. Buying from a large, well-established EU provider is lower risk than buying from an unknown vendor, but 'lower risk' isn't 'no risk.' The AP and ICO have shown willingness to hold buyers responsible for documentation they should have demanded from providers. If you can't produce the chain of basis, the exposure sits with you.

How Hooklyne is built for this

Source lineage at the contact level, not the vendor level.

Hooklyne doesn't sell lists — it builds individual prospect packages. Each package is constructed from sources that travel with the record: a KVK registration for Dutch companies, a Companies House entry for UK companies, a named sector directory, or a registered data partner with their own Article 6 basis on file. The source citation is included in every package you receive, so the Article 14 transparency answer is ready before the prospect asks.

The verwerkersovereenkomst is available before you sign anything — not as a terms-and-conditions checkbox but as a named document you can review with your DPO. Article 30 entries for Hooklyne's processing operations are maintained and available on request. Suppression is handled at the package level and persists across refreshes. The compliance architecture is the same as what this guide recommends you demand from a list vendor.

For teams evaluating multiple providers: the questions this guide recommends you ask — source lineage per record, Article 28 agreement, Article 30 entries, suppression register, TIA for US-infrastructure providers — are the same questions we'd want you to ask us. If a provider won't answer them or can't, the documentation gap is a preview of what happens when a regulator or prospect asks.

Simple pricing.

Simple credit system. Every action priced transparently. Switch plans or cancel anytime.

Start: from 39/mo, 100 credits / month. Solo rep. Test and validate your outbound. Self-serve.

Growth (recommended): from 129/mo, 400 credits / month. 1-2 reps. Full pipeline. Setup call included.

Scale: from 239/mo, 800 credits / month. Small sales team. Volume outbound. Up to 5 reps.

FAQ

Buying email lists and GDPR: questions answered.

Is buying email lists illegal under GDPR?

No. GDPR doesn't prohibit purchasing B2B contact lists. What it requires is that the chain of legal basis is clean at every step: the original collection, the provider's processing, the transfer to you, and your use. Many purchased lists fail the documentation test even when the underlying data was probably legitimately collected — because the paperwork trail isn't maintained at the record level.

What documentation should I demand from a data provider before buying?

At minimum: the source of each record category, the date of last verification, a verwerkersovereenkomst or controller-to-controller agreement, their Article 30 processing register entries for this data product, and a suppression mechanism or file. If they can't produce all of these, the documentation gap is yours to manage when a regulator or prospect asks.

What's the difference between a processor DPA and a controller-to-controller agreement?

If the provider processes data on your behalf under your instructions, you need a processor DPA (verwerkersovereenkomst) under Article 28. If you and the provider are independent controllers of the same records, you need a controller-to-controller agreement. For most list purchases, you'll need both: a controller-to-controller agreement for the ongoing relationship, and a DPA for any service processing the provider does.

How do I answer 'where did you get my details?' if the data came from a list?

With the source cited in the record, not the vendor brand. If your provider supplies source lineage at the record level — 'sourced from KVK registration, verified [date]' or 'sourced from [named directory], [date]' — you can paste that into a reply and satisfy Article 14. If all you have is the vendor's name, you can't give a specific answer.

What happens if a prospect demands erasure after I bought their data?

Article 17 GDPR gives the right to erasure when data is no longer necessary, when they've objected under Article 21 to direct marketing, or when processing was unlawful. For a prospect asking to be removed: suppress them immediately, note the date and basis, and ensure they don't re-enter via a future data provider refresh. Keep the suppression record to prevent re-adding.

Is Hooklyne a list vendor?

No. Hooklyne builds individual prospect packages — a specific contact at a specific company, with a specific buying signal and a drafted message — not bulk contact lists from a database. The distinction matters for compliance: a list vendor exports rows; Hooklyne builds targeted packages for the specific ICP you define, with source citations at the contact level.

Is this legal advice?

No. Plain-language guidance based on GDPR text, AP and ICO published enforcement decisions, and EDPB guidance on data transfers. Your specific supplier relationships should be reviewed by a qualified DPO or data protection counsel.
