How does GDPR position them to buy databases with contacts?

Maybe you plan to reach brand new contacts from a database you've purchased as part of your marketing campaigns. Or are you in the process of purchasing such a database? What should you be careful of so that the regulatory authorities don't get the drop on you?

If you are buying a database of contacts from a third party that contains an email address and you want to send a marketing message or a specific offer for your product or service to that database, you still have a obligation to secure the consent of the individuals concerned for this activity.

It is therefore necessary for the seller of the database in question to assure you that they have previously obtained the consent of the persons listed in the database, or you will need to obtain it yourself. At that point, you become the controller of their personal data, and under one of the articles of the GDPR you are explicitly obliged to do so. It is therefore solely up to you to contact the individuals who are listed in the database to tell them the source of their email and the purpose for which you want to handle it.

If you get a "great" idea and decide to hand over the contacts to an agency in order to absolve yourself of liability, we'll disappoint you - with GDPR, this ploy doesn't hold up. Even in this case, as the provider, you are the data controller and will still be the one subject to any potential sanction or fine.

Are you unsure how to handle the contact database you have acquired? Feel free to get in touch. Our experts will discuss everything with you in detail and help you with GDPR issues.