Spanish data protection authority orders business data firm to delete €1.8 million worth of records

The Spanish Knowledge Safety Authority (AEPD) has imposed €1.8 million in fines on Informa D&B for violating GDPR necessities when processing private knowledge of enterprise homeowners. The AEPD ordered the corporate to stop processing private knowledge obtained by way of a contract with CAMERDATA till establishing a sound authorized foundation below Article 6.1 of the GDPR.

In keeping with the AEPD ruling dated January 2025, Informa D&B processed private knowledge from over 1.6 million particular person enterprise homeowners by way of a data-sharing settlement with CAMERDATA. The info included names, tax identification numbers, addresses, phone numbers, and enterprise exercise codes initially collected by Spain’s tax authority for creating the general public enterprise census.

Main implications for B2B advertising and marketing knowledge acquisition

The Spanish DPA’s choice has profound implications for organizations that purchase B2B private knowledge from third events for direct advertising and marketing functions. This ruling essentially challenges the business’s assumption that enterprise contact info enjoys relaxed regulatory oversight in comparison with shopper knowledge.

The AEPD discovered that CAMERDATA obtained enterprise registration knowledge from Spain’s Chamber of Commerce, which acquired the data from the tax authority below strict confidentiality necessities. In keeping with the ruling, the information was supposed solely for creating the general public enterprise census and fulfilling administrative features, not for industrial exploitation by third events.

The Spanish choice establishes that buying knowledge from seemingly professional sources supplies no safety if the unique assortment lacked correct authorized foundation. Organizations can not rely solely on vendor assurances about compliance standing. In keeping with the AEPD’s evaluation, “the therapy of information carried out by INFORMA exceeds the bounds legally and doesn’t conform to the bases of legitimation of article 6.1 of the RGPD”.

Advertising and marketing departments throughout Europe are reassessing their vendor relationships following this precedent. The ruling clarifies that professional curiosity can’t overcome authorized restrictions on knowledge utilization. When supply knowledge comes with statutory limitations—as occurred with the Spanish enterprise census info—no quantity of professional enterprise want can justify circumventing these restrictions.

In keeping with the AEPD’s dedication, “INFORMA has not demonstrated that it has carried out the weighting of the professional curiosity as a trigger to legitimize the therapy of information of particular person entrepreneurs with industrial functions”. This discovering instantly impacts B2B advertising and marketing methods that depend on professional curiosity justifications for processing bought contact lists.

Technical violations expose widespread compliance gaps

Informa D&B’s income mannequin facilities on offering enterprise intelligence providers to shoppers throughout a number of industries. The corporate generated €65.1 million in income throughout 2023 by way of providers together with credit score danger evaluation, advertising and marketing databases, and industrial experiences. In the course of the investigation interval, Informa D&B acquired 141 requests from enterprise homeowners to delete or right their private info.

The info processing association concerned systematic industrial exploitation of the enterprise registry info. CAMERDATA supplied Informa D&B with a database containing NIF numbers, enterprise names, full addresses, financial exercise classifications, and phone numbers for autonomous staff. The contract approved Informa D&B to distribute this database to different corporations, together with Bureau Van Dijk Editions Electroniques.

The AEPD decided that the therapy violated each knowledge processing and transparency necessities. In keeping with the ruling, “INFORMA has not supplied documentation that justifies that it has made the weighting of professional curiosity as a trigger to legitimize the therapy of information of particular person entrepreneurs for commercialization functions”.

Informa D&B formalized over 30 separate contracts throughout 2022-2024 to provide the enterprise proprietor knowledge to third-party shoppers. The corporate marketed this info by way of a number of merchandise together with credit score scoring instruments, advertising and marketing lists, and danger evaluation platforms focusing on monetary establishments and different companies.

Data transparency failures compound violations

The Spanish authority decided that Informa D&B lacked legitimate consent from the affected enterprise homeowners. The AEPD additionally discovered info transparency violations below Article 14 of the GDPR. In keeping with the choice, “INFORMA has not credited having adopted various measures that complement its lack of direct communication”.

The corporate claimed informing 1.5 million enterprise homeowners individually would represent “disproportionate effort” however didn’t implement enough various notification measures. The AEPD rejected this justification, stating that “the mere concurrence of a presumed disproportionate effort doesn’t routinely exempt from compliance with the data obligation”.

Fashionable B2B advertising and marketing depends closely on automated lead technology and nurturing sequences powered by third-party databases. The Spanish ruling impacts basic economics of B2B lead technology, with potential GDPR penalties reaching €20 million or 4% of worldwide income—quantities that far exceed typical marketing campaign budgets.

Business-wide compliance transformation required

The ruling carries vital implications for the enterprise knowledge business throughout Europe. In keeping with PPC Land analysis, European knowledge safety authorities have intensified enforcement in opposition to corporations processing private knowledge for advertising and marketing functions with out clear authorized justification. Recent enforcement actions exhibit authorities’ concentrate on guaranteeing clear knowledge processing practices.

Advertising and marketing professionals often depend on enterprise contact databases for lead technology and buyer acquisition campaigns. Industry reports present that knowledge safety violations in advertising and marketing contexts have resulted in substantial penalties throughout a number of European jurisdictions.

The AEPD’s choice establishes vital precedents for distinguishing between public registry entry and industrial knowledge exploitation. Whereas public enterprise census info stays accessible by way of official channels, the ruling clarifies that systematic industrial processing requires unbiased authorized justification.

Gross sales organizations should now implement consent verification techniques earlier than initiating outreach campaigns. Recent enforcement actions exhibit authorities’ willingness to penalize corporations for delays in responding to knowledge topic requests, including operational complexity to gross sales processes.

Enforcement precedent indicators regulatory shift

The effective construction included €900,000 for missing legitimate authorized foundation below Article 6.1 GDPR and €900,000 for failing to supply enough info below Article 14 GDPR. The AEPD required Informa D&B to delete all affected private knowledge inside three months of the choice turning into last.

In keeping with the Spanish authority’s conclusion, “the therapy carried out by INFORMA doesn’t adjust to the necessities and exceeds the bounds legally established for using info from the general public enterprise census”. This dedication instantly impacts third-party knowledge distributors who should now present detailed provenance documentation and assume legal responsibility for compliance failures affecting their shoppers.

Knowledge safety authorities throughout Europe proceed increasing enforcement actions focusing on enterprise knowledge processing. German authorities recently established unified fine procedures to standardize GDPR enforcement, whereas Dutch regulators have increased scrutiny of corporations processing private knowledge for advertising and marketing functions.

The ruling impacts organizations that purchase private knowledge from third-party suppliers for direct advertising and marketing, lead technology, or buyer acquisition functions. Corporations should confirm that knowledge suppliers possess legitimate authorized bases for sharing private info and guarantee compliance with transparency necessities when processing such knowledge.

Timeline

Abstract

Who: The Spanish Knowledge Safety Authority (AEPD) sanctioned Informa D&B, a enterprise intelligence firm with €65.1 million annual income that processes private knowledge of over 1.6 million particular person enterprise homeowners.

What: €1.8 million in GDPR fines for processing private knowledge with out legitimate authorized foundation and failing to supply enough transparency info to affected people, plus necessary deletion of all affected knowledge inside three months.

When: The AEPD introduced the ultimate choice in January 2025, following an investigation that started in April 2023 and formal proceedings initiated in April 2024.

The place: Spain, with implications for European companies that course of private knowledge from public registries or third-party knowledge suppliers for industrial functions throughout EU member states.

Why: The corporate violated GDPR by systematically processing enterprise proprietor private knowledge for industrial exploitation with out establishing legitimate authorized foundation, regardless of authorized restrictions on how tax authority knowledge can be utilized for functions past public administration.