The General Data Protection Regulation went into effect over two years ago, but there is still a lot of confusion around what that means for a company's valuable data sets. GDPR impacts how companies collect and use data and also how they enrich it.

 Leveraging data sets and building optimized contact lists are essential for marketers promoting products or services, lead generation, and prospecting. 

Okay, so the big question is: can you enrich data and still respect the GDPR?

Yes, to an extent.

GDPR doesn't mean that you can no longer use enriched data lists. You can still use data enrichment to make your data better; you just have to do so strategically (and legally).

About GDPR

GDPR is a set of legal guidelines around how companies can collect, manage, and process the personal data of those who live in the European Union. GDPR applies to all companies which process EU data, regardless of where in the world your company is located. If your website gets European visitors or holds any European contacts in your data lists, you are subject to GDPR compliance.

GDPR guidelines were established to protect customer data and ensure that companies manage that data safely and with the customer's consent. You can check out the full compliance list here, but as a general rule, unless you have someone's permission to use their data, it's illegal to do so. Permissions need to be clear to save you from hefty fines, and saying someone has given verbal consent is not sufficient.


According to the European Commission, you're legally allowed to process personal data if it falls into one of the following six circumstances:

  • Consent

  • Performance of a contract

  • Legitimate interest

  • Vital interest

  • Legal requirement

  • Public interest

Is data enrichment GDPR compliant?

Data enrichment doesn't directly violate any of the GDPR guidelines. The information that companies use to improve data quality is available to lookup via public sources and is accessible to everyone. Data enrichment serves to build more detailed customer profiles based on the information you already have about them.

As long as everyone involved in the data enrichment process follows the GDPR guidelines, then there is no reason that it shouldn't be compliant. That said, the company whose data needs enriching is ultimately responsible for adhering to GDPR. 

For that reason, you need to be extremely vigilant about who you choose to work with, and what their data enrichment processes are. As long as the way they are collecting data falls into one of the six circumstances listed above, then the process is compliant.

Are you enriching data from people or companies?

Enriching data from people and enriching data from companies are two different processes. Enriching company details includes identifying whether a company still exists or if they have a new phone number or email address and inputting that information into your CRM.

As the GDPR specifically protects only the personal information of individuals and, for the most part, company data is public, there is no concern around GDPR when enriching company data.

Where you have to be careful is enriching the personal data of individuals. While it may be legal to include certain pieces of data, such as if they still work at a company, it would be illegal to include irrelevant personal details, such as if they have pets. It’s key that all information collected is necessary to pursue a legitimate cause.

If you’re doing B2B marketing or email marketing, your sales team doesn’t need information about a prospect’s favorite vacation destination. Irrelevant raw data won’t help your marketing efforts, so why risk collecting it? What's vital here is where the data is coming from and why you're collecting it.

Where are you getting the data from, and why?

GDPR comes into play when dealing with people's private and personal information. What measures are you taking to collect their data and what are your data sources? If you're scraping through their social media profiles to find contact details, then you need to be careful. You must be able to prove one of the six circumstances listed above to be GDPR compliant when collecting these details.

When scraping, consent is not possible as you haven't asked permission; otherwise, you'd already have their details. In this circumstance, you also wouldn’t need their details to fulfill a contract, so you would need to prove a legitimate interest.

Legitimate interest is decided on a case-by-case basis. For instance, if you sell marketing software, it’s probably acceptable to scrape CMO company email addresses from LinkedIn, while scraping information about their marital status from Facebook wouldn’t be okay.

What information are you scraping, and why? When scraping from large platforms like Facebook, you don't always know what you're getting and could end up collecting data that isn't GDPR compliant.

Think of data scraping like fishing with a huge fishing net. There are many rare species of fish in the water that are illegal to catch. It's your responsibility only to catch the fish you're legally allowed to. 

But how is that possible if you throw out a massive fishing net?

If you end up with people's personal data that you don't have a legitimate reason to hold, then you're violating GDPR because you've already processed their details without any permission.

How to check if a data enrichment company respects data privacy

If you're contracting data enrichment services, you need to make sure they follow GDPR compliance guidelines, as the blame falls on you if they don't. So, how do you know if they respect data privacy?

First of all, you need to identify how the company plans on enriching the data. Will they be scraping for data? Do they have their own database that they use for validation, or are they using third-party data?

Secondly, they need to have the necessary technical requirements in place. They should either be certified or present you with a document as part of the DPA that outlines their practices. The DPA, or data processing agreement, is a contract between the company requiring the enrichment, and the data enrichment providers, which breaks down all the processes they use.

Some important things to look out for on the DPA include:

  • Where the data processing is to be carried out

  • Which data enrichment tools are being used

  • That the processor will not engage with another processor without your consent

  • They will only process personal data on documented instructions from you

  • All those who will have access to the data have committed themselves to confidentiality

  • Any additional processors used are subject to the same data protection obligations set out in your contract

Make sure you also find out if your data enrichment company is working with other companies located in the United States or other countries outside of the EU. If so, it could compromise the security of your data.


Who is responsible for the data you enrich?

The company that wants its data enriched is always responsible for GDPR, even if it hires another company to do the enrichment. That means you are responsible for the data, not the company you hire to enrich it.

You must have a system in place to ensure your data is not breached, leaked, stolen, or accessed by people who should never have access to it. When working with a data enrichment company, a thorough data processing agreement is the best way to ensure that your data is secure and that they remain GDPR compliant.

How does tye comply with data privacy?

To enrich data, we use external databases and algorithms to cross-check the information in client datasets to determine its validity and how it can be enriched. The only data we enrich is first names, last names, country, gender, and anything else that can be enriched statistically, without invading personal data.

For example, we have a German name database that will help detect whether the names given are likely first names or last names. Sometimes the first and last names are switched, so using external databases like this will help determine the correct configuration. 

We can then use this information to create enriched data by making strategic assumptions based on the names. 

For example, if the contact information on the data list reads "Müller Hans," then it is more likely that the first name is Hans, and the last name is Müller. We can then correct the configuration and prefix it with "Mr." since 99.9% of people named Hans would be male. In this instance, there is no concern with data privacy or GDPR compliance since the information you need is found within the data.

For circumstances where complete data is missing a first name, last name, or both, tye uses the available data to extract the additional information required to complete the contact data from external sources. The client is responsible for collecting contacts in a way that is GDPR compliant. Each contact must fit one of the six reasons listed above.

We do data enrichment on the premise that each contact is in the database for a legitimate reason. In terms of company data, we extract the details needed to enrich contact data from public sources, like LinkedIn or company websites. If you're legally allowed to have the email address, then in almost every case, you're legally allowed to have their first name too.


Data enrichment is the best way to optimize your contact lists and ensure your sales and marketing efforts are personalized. It doesn’t violate GDPR as long as you follow the guidelines when sourcing and scraping for data. When outsourcing your data enrichment, ensure that you work with a reputable company that is committed to compliance and following GDPR when enriching your datasets.


Casper Schulenburg - October 27, 2020

As the Chief Legal Officer and a tye co-founder, Casper has a fascination for processes and privacy. He is a licensed Data Protection Officer who was the DPO for a €4B energy provider. Casper spent most of his youth in Iran and Austria. He studied Law and Economics in Bayreuth, Heidelberg and Mannheim. His biggest interests are history, politics and the development of societies. His ultimate goal is to achieve data sovereignty of individuals.