The Risks of so-called Community Data
Written by Linda Gehrig

If you are looking for a reliable data vendor, you will probably come across the terms “community data”, “community edition” or so-called “data unions”.

Such practices pose significant risks under the General Data Protection Regulation (GDPR). In exchange for free or reduced fees, or when you use certain features of their products, some data vendors gain access to the contact data you store about your customers, prospects and business contacts, and then sell that data to other customers via their own platform.

When you become part of such community data or data union, you agree to give these data vendors access to personal data in either your email inbox (specifically the personal data contained in email signature blocks you have received), metadata from email headers or even contacts in your email contact book and CRM. The terms governing these data unions or community data editions always differ slightly from each other.

However, they all have in common that the extraction of personal data from CRMs or email signatures and sharing it with an undefined group of recipients is hardly in line with the requirements of the GDPR.

GDPR Requirements

In most cases, the extracted data constitutes personal data, so the requirements of the GDPR apply. The GDPR defines personal data as any information that relates to an identified or identifiable natural person: any information that tells you something specific about an individual, such as a name, an email address or a date of birth.

In line with the provisions of the GDPR, the extraction, transfer and storage of the data require a legal basis in accordance with Article 6 GDPR. However, the processing of personal data from CRMs or email signatures and its subsequent sharing with an undefined group of recipients raises concerns about the legitimacy of such processing activities.

Lack of Legal Basis

Data vendors relying on so-called community data can hardly ever rely on a proper legal basis for their processing activity.

Consent is one of the six lawful bases to process personal data as set forth in Article 6 GDPR. However, in order for consent to be a legal basis for processing personal data, the data subject in question needs to be presented with a genuine choice and control over their personal data. In addition, the consent must be informed, meaning that the data subject in question must receive sufficient information regarding the processing before giving consent. This ensures that individuals can make informed decisions, comprehend the nature of the agreement, and exercise their right to withdraw consent.

Informed consent requires a clear understanding of the processing activities, purposes, and potential recipients of the data. Without such information, data subjects are unable to make decisions aligned with their preferences and expectations. In the case of community data, the individuals concerned almost never receive any information before their personal data is shared with data vendors. Thus, consent cannot serve as a legal basis for processing the personal data contained in email signatures and sharing it with an undefined group of recipients.

In addition, most data vendors cannot rely on so-called legitimate interest as a legal basis under Article 6 (1) lit. f GDPR. Relying on "legitimate interests" means that a company can collect and process personal data only if:

  1. it has a legitimate reason to do so AND

  2. its interest in processing the data outweighs the individual's interest in protecting their own privacy (balancing of interests test).

As part of the necessary balancing of interests test within the meaning of Article 6 (1) lit. f GDPR, the reasonable expectation of the data subject in question and the foreseeability of the data processing must be taken into account. In particular, it must be examined whether a data subject can reasonably foresee at the time of the collection of their personal data and in view of the circumstances that such processing activity may take place (cf. Administrative Court Ansbach, 23 February 2022 - AN 14 K 20.83, para 39). The practice of extracting non-public contact data from email signatures and selling this data as so-called community data means that this personal data ends up in various CRM systems of an undefined group of recipients all over the world. The data subjects cannot expect their personal data to be used in this way, nor are they adequately informed about the use of their personal data.

Consequently, they are also unable to understand with whom their data is being shared. In this respect, there is generally no legal basis for the extraction, processing and transfer of personal data as part of the so-called community data practice.

Lack Of Transparency

The practice of extracting and selling personal data as community data means this information ends up in various CRM systems globally, without informing the data subjects concerned beforehand. This lack of transparency regarding data usage infringes upon GDPR principles. Data subjects are unaware of how their personal information is being used, preventing them from understanding the extent and recipients of the data sharing.

Some data vendors claim that they comply with the information requirements under the GDPR by sending out emails notifying individuals shortly before they first appear in the data vendor's databases. However, these notification emails usually do not provide all of the information required under Articles 13 and 14 GDPR. In addition, in most cases they do not even reach the individuals, as some email providers flag them as spam.

Legal Risk for Users

Users who engage with data vendors that rely on community data face increased legal risks. The origin and legality of the data collection are often uncertain, making it challenging to establish a valid legal basis for processing such data.

This uncertainty exposes users to potential GDPR violations, which can result in substantial penalties. The use of such data entails extreme legal risks, as violations of the GDPR are punishable by considerable penalties both in Germany and throughout the EU. For example, the Berlin Commissioner for Data Protection and Freedom of Information recently imposed a fine of EUR 215,000 on Humboldt Forum Service GmbH for processing personal data without a legal basis.

Choosing Secure and Reliable Data Providers

When selecting sales intelligence providers, it is crucial to prioritize those who adhere to GDPR principles. Dealfront's products and services, for example, are designed taking into account the highest data protection standards. The platform provides visibility into the origin of each piece of data, empowering users to conduct the necessary balancing of interests required to rely on legitimate interest under Article 6(1)(f) GDPR.

--

Questions, comments, feedback? Please let us know by contacting our support team via the chat or by sending us an email at support@dealfront.com.
