GDPR-Compliant Lead Generation: What B2B Buyers Need to Verify Before Purchase

GDPR fines reached €4.8 billion in 2025, with lead buyers representing the fastest-growing enforcement target. Insurance brokers, real estate agencies, home improvement contractors, and wealth advisors face regulatory scrutiny for purchasing leads without proper compliance verification.

The regulatory shift is clear: data protection authorities no longer view lead buyers as victims of non-compliant providers. They're co-responsible processors who must verify compliance before purchase.

Recent enforcement actions illustrate the risk:

• France (CNIL), March 2025: €4.8M fine to insurance broker for purchasing leads without consent documentation
• UK (ICO), August 2025: €2.1M fine to home improvement company for buying affiliate leads with non-compliant consent mechanisms
• Germany (BfDI), November 2025: €5.3M fine to financial services company for lead purchases without documented legal basis
• Spain (AEPD), December 2025: €3.2M fine to real estate agency for buying leads from provider using pre-checked consent boxes

These fines share a common pattern: regulators hold buyers accountable for verifying provider compliance. "I didn't know the consent was invalid" is not a defense.

This guide provides a comprehensive compliance verification framework for B2B lead buyers. It covers GDPR requirements, consent documentation, data processing agreements, audit trails, and enforcement trends. Use it to protect your business from regulatory fines while building sustainable lead acquisition programs.

GDPR Fundamentals for Lead Buyers

Your Role: Joint Controller or Processor?

Under GDPR, lead buyers typically function as joint controllers with providers (Article 26). This means you share responsibility for compliance, not just the provider.

Joint controller obligations:

• Determine purposes and means of processing together with provider
• Ensure valid legal basis exists for data collection
• Verify consent quality and documentation
• Maintain data processing records (Article 30)
• Respond to data subject rights requests (Articles 15-22)
• Report data breaches within 72 hours (Article 33)

You cannot delegate compliance responsibility to the provider. Both parties face enforcement action for violations.

Legal Basis for Lead Generation

GDPR requires a legal basis for processing personal data (Article 6). For B2B lead generation, two bases apply:

1. Consent (Article 6(1)(a))

Most common legal basis for lead generation. Valid consent requires:

• Freely given: No coercion, pre-ticked boxes, or conditional service access
• Specific: Clear statement of what data is collected and why
• Informed: Prospect understands what they're consenting to
• Unambiguous: Affirmative action required (checkbox, button click)

2. Legitimate Interest (Article 6(1)(f))

Alternative legal basis for B2B lead generation in limited scenarios. Requires:

• Legitimate interest: Business has valid reason for processing (e.g., providing requested quotes)
• Necessity: Processing is necessary to achieve that interest
• Balancing test: Business interest doesn't override data subject rights

Critical distinction: Legitimate interest works for single-provider lead generation (prospect requests quote from you specifically). It fails for multi-provider distribution (prospect requests quote, data shared with 5 companies they didn't specifically contact).

For B2B lead buying, consent is the only safe legal basis. Verify providers obtain valid consent for data sharing with third parties.

Special Category Data Restrictions

GDPR Article 9 prohibits processing "special category" data without explicit consent. This includes:

• Health data (medical conditions, treatments, prescriptions)
• Genetic and biometric data
• Race or ethnic origin
• Political opinions, religious beliefs
• Trade union membership
• Sexual orientation

Impact on lead verticals:

• Health insurance: Cannot ask about pre-existing conditions, medications, or medical history without explicit consent separate from general consent
• Life insurance: Cannot collect health data during lead generation (must occur during underwriting with explicit consent)
• Disability insurance: Same restrictions as health insurance

Many providers violate Article 9 by asking health questions during lead generation without proper consent mechanisms. This creates catastrophic compliance risk for buyers.

Verification requirement: If leads include health data, verify provider obtains explicit, separate consent for special category data processing.

Consent Requirements: Article 7 Compliance

Valid consent under GDPR Article 7 requires specific elements. Verify providers implement all of them.

1. Affirmative Action (No Pre-Checked Boxes)

Article 7(4): Consent requires "a clear affirmative action."

Compliant:

• Unchecked checkbox that prospect must actively check
• Button click with clear consent language
• Signature on consent statement

Non-compliant:

• Pre-checked consent boxes (prospect must uncheck to decline)
• Assumed consent from page visit or form submission
• Bundled consent (single checkbox for multiple purposes)
• Scrolling through privacy policy = consent

Verification: Request screenshots of consent forms. Check for pre-checked boxes. If present, don't buy those leads.

2. Granular and Specific Consent

Article 7(2): Consent must be "distinguishable from other matters" and "in an intelligible and easily accessible form."

Compliant:

• Separate checkboxes for different processing purposes
• Clear statement of what data will be shared and with whom
• Specific product interest indicated (life insurance, not generic "insurance")

Example of compliant consent:

☐ I consent to my contact information being shared with insurance providers
  to receive life insurance quotes. I understand that up to 3 providers may
  contact me via phone, email, or SMS.

☐ I consent to receive marketing communications from [Provider Name] about
  related financial products.

Non-compliant:

• Single checkbox covering data sharing, marketing, and terms of service
• Vague language ("We may share your data with partners")
• No specification of how many buyers will receive data

Verification: Request consent language examples. Verify specificity and granularity.

3. Informed Consent

Article 7(3): Data subjects must be informed about consent withdrawal.

Required information:

• Who will receive the data (category of recipients)
• What data will be shared (contact info, demographics, product interest)
• How data will be used (quote provision, sales contact)
• How to withdraw consent (email address or unsubscribe mechanism)
• Contact information for data controller

Compliant consent statement:

Your contact information (name, email, phone, address) will be shared with
up to 3 life insurance brokers to provide quotes. You may be contacted via
phone, email, or SMS. You can withdraw consent at any time by emailing
privacy@provider.com. See our Privacy Policy for full details.

Non-compliant statement:

By submitting this form, you agree to our Terms and Privacy Policy.

Verification: Request full consent language. Check for required information elements.

4. Documented Consent

Article 7(1): Controllers must "be able to demonstrate that the data subject has consented."

Required documentation per lead:

• Exact timestamp of consent (date and time)
• IP address of submission
• Full text of consent statement presented to data subject
• Checkbox states (checked/unchecked for each consent purpose)
• Privacy policy version acknowledged
• Form version (if consent language changes over time)

Verification: Request sample consent documentation. Missing any element = compliance gap.

5. Easy Withdrawal

Article 7(3): "It shall be as easy to withdraw as to give consent."

Compliant withdrawal mechanisms:

• Email address for withdrawal requests (privacy@provider.com)
• Unsubscribe link in all communications
• Account dashboard with consent management
• Phone number for withdrawal requests

Non-compliant:

• Complex withdrawal process requiring written letter
• No withdrawal mechanism provided
• Withdrawal requires creating account or logging in

Verification: Ask providers: "How do prospects withdraw consent?" Evaluate ease of process.

Privacy Policy Requirements

GDPR Article 13 requires specific information in privacy policies. Verify provider policies include these elements.

Required Privacy Policy Elements

1. Controller Identity and Contact (Article 13(1)(a))

Privacy policy must name the data controller (the company collecting data) and provide contact information.

2. Data Protection Officer (Article 13(1)(b))

If provider has a DPO, contact information must be provided. DPO requirement applies to organizations that:

• Process large-scale personal data (most lead generators qualify)
• Process special category data regularly (health insurance leads)

3. Processing Purposes and Legal Basis (Article 13(1)(c))

Privacy policy must state:

• Why data is collected (to provide insurance quotes)
• Legal basis for processing (consent under Article 6(1)(a))

4. Recipients or Categories of Recipients (Article 13(1)(e))

Critical for lead generation: Privacy policy must explicitly state that data will be shared with third parties for quote provision.

Compliant language:

Your contact information will be shared with insurance brokers and
providers to deliver the quotes you requested. We may share data with
up to 3 providers per request.

Non-compliant language:

We may share your information with partners to improve our services.

Generic language that doesn't specifically mention lead distribution fails Article 13 requirements.

5. Data Retention Period (Article 13(2)(a))

How long will data be retained?

Compliant: "Personal data will be retained for 24 months to enable quote delivery and follow-up. After 24 months, data is deleted unless you've become a customer."

6. Data Subject Rights (Article 13(2)(b))

Privacy policy must inform data subjects of their rights:

• Right to access (Article 15)
• Right to rectification (Article 16)
• Right to erasure ("right to be forgotten," Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right to withdraw consent (Article 7(3))

7. Right to Lodge Complaint (Article 13(2)(d))

Privacy policy must inform data subjects they can complain to supervisory authority (CNIL in France, ICO in UK, BfDI in Germany, etc.).

Privacy Policy Verification Checklist

Before buying leads, request provider's privacy policy and verify:

• ☐ Controller name and contact information clearly stated
• ☐ DPO contact provided (if applicable)
• ☐ Processing purposes explicitly include lead distribution to third parties
• ☐ Legal basis stated as consent (Article 6(1)(a))
• ☐ Categories of recipients clearly stated (insurance brokers, service providers)
• ☐ Data retention period specified
• ☐ All seven data subject rights explained
• ☐ Right to lodge complaint with supervisory authority mentioned
• ☐ International transfers addressed (if data leaves EU)

Missing any element = compliance gap.

Data Processing Agreements (Article 28)

If you process leads through a CRM or sales platform, those platforms act as processors on your behalf. GDPR Article 28 requires written data processing agreements (DPAs) with all processors.

When DPAs Are Required

Required:

• CRM provider (Salesforce, HubSpot, Pipedrive)
• Email marketing platform (Mailchimp, SendGrid)
• Call tracking software
• Data enrichment services
• Analytics platforms with personal data access

Not required:

• Lead provider (they're a joint controller, not processor)
• Payment processors with no access to lead data
• Tools processing only anonymized data

Required DPA Elements (Article 28(3))

1. Subject Matter and Duration

What processing occurs and for how long?

2. Nature and Purpose of Processing

Why is the processor handling data? (CRM for contact management, email platform for nurturing)

3. Type of Personal Data

What data is processed? (Name, email, phone, address, product interest)

4. Categories of Data Subjects

Who does the data concern? (Prospective insurance customers, home renovation inquiries)

5. Controller Obligations and Rights

Your rights to audit, instruct, and terminate the processor.

6. Processor Obligations

Processor must:

• Process only on your documented instructions
• Ensure confidentiality of personnel with data access
• Implement appropriate security measures (Article 32)
• Engage sub-processors only with your consent
• Assist with data subject rights requests
• Assist with breach notification obligations
• Delete or return data after service termination
• Make information available for audits

7. Security Measures (Article 32)

DPA must specify technical and organizational measures:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security testing
• Incident response procedures

8. Sub-Processor Provisions

If processor uses sub-processors (e.g., CRM uses AWS for hosting), you must:

• Be notified of sub-processor engagement
• Have opportunity to object
• Ensure same data protection obligations flow down to sub-processors

9. International Transfers

If processor transfers data outside EU/EEA, DPA must address transfer mechanism:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decision (UK, Switzerland, select other countries)
• Binding Corporate Rules (BCRs)

DPA Verification Checklist

Before using CRM or sales tools with lead data:

• ☐ Written DPA executed with provider
• ☐ All nine required elements included (Article 28(3))
• ☐ Security measures specified and adequate for data sensitivity
• ☐ Sub-processor list provided and consent mechanism documented
• ☐ International transfer safeguards in place (if applicable)
• ☐ Data deletion/return obligations clearly stated
• ☐ Audit rights reserved
• ☐ Breach notification timeline specified (ideally 24-48 hours)

Most major CRM platforms (Salesforce, HubSpot, Pipedrive) provide standard DPAs. Review them before signing.

Lead Provider Compliance Verification

Before purchasing leads, verify provider compliance across seven dimensions.

1. Consent Mechanism Audit

Request:

• Screenshots of all forms where leads are generated
• Example consent language for each form
• Privacy policy linked from forms

Verify:

• No pre-checked consent boxes
• Granular consent (separate checkboxes for different purposes)
• Specific language about data sharing with third parties
• Withdrawal mechanism clearly stated
• Privacy policy explicitly mentions lead distribution

Red flags:

• Pre-checked boxes
• Generic consent language ("agree to terms")
• Privacy policy doesn't mention lead sharing
• No withdrawal mechanism

2. Consent Documentation Audit

Request:

• Sample consent records for 10 leads

Required elements per lead:

• Exact timestamp (date and time)
• IP address
• Full consent text presented to data subject
• Checkbox states (checked/unchecked)
• Privacy policy version
• Form version

Verify:

• All elements present
• Consent text matches current form language
• Timestamp is recent (not backdated)
• IP address is valid and matches claimed geography

Red flags:

• Missing elements (no timestamp, no IP)
• Generic consent text that doesn't match form
• Suspicious timestamps (all from same minute)
• IP addresses from different countries than claimed

3. Special Category Data Audit

If leads include health data (health insurance, life insurance medical questions, disability insurance):

Request:

• Separate explicit consent for special category data
• Legal basis documentation (why health data is necessary)

Verify:

• Article 9 explicit consent obtained separately from general consent
• Clear explanation of why special category data is processed
• Enhanced security measures for health data storage

Red flags:

• Health data collected without explicit separate consent
• No Article 9 legal basis documentation
• Health questions on general forms without consent distinction

4. Data Retention Policy Audit

Request:

• Written data retention policy
• Technical deletion procedures

Verify:

• Specific retention period stated (12 months, 24 months, etc.)
• Retention period justified by business need
• Automatic deletion after retention period
• Deletion verifiable (not just "marked deleted" but actually removed)

Red flags:

• Indefinite retention ("we keep data forever")
• No deletion procedures
• Retention policy conflicts with privacy policy statement

5. Data Security Audit

Request:

• Security measures documentation (SOC 2 report, ISO 27001 certification, or security questionnaire)

Minimum security requirements (Article 32):

• Encryption in transit (TLS 1.2+ for data transmission)
• Encryption at rest (database encryption)
• Access controls (role-based access, multi-factor authentication)
• Regular security testing (penetration testing, vulnerability scanning)
• Incident response plan
• Employee security training
• Secure development practices (for custom platforms)

Verify:

• Security certifications current (not expired)
• Encryption standards meet industry requirements
• Access controls limit data exposure
• Breach notification timeline specified (24-48 hours)

Red flags:

• No security documentation available
• Outdated certifications
• No encryption or weak encryption (TLS 1.0)
• No incident response plan

6. Data Subject Rights Procedures

Request:

• Data subject rights fulfillment procedures
• Average response time for rights requests

Verify:

• Documented process for each right (access, rectification, erasure, etc.)
• Response timeline meets GDPR requirements (1 month, Article 12(3))
• Identity verification process (to prevent fraudulent requests)
• Free of charge (no fees unless requests are excessive)

Test: Submit a test data subject access request (Article 15). Measure:

• Response time (must be ≤1 month)
• Completeness of response (all requested data provided)
• Format (machine-readable if requested)

Red flags:

• No documented procedures
• Response time exceeds 1 month
• Fees charged for standard requests
• Incomplete data provided

7. Cross-Border Transfer Compliance

If provider operates outside EU/EEA or uses non-EU processors (AWS US regions, for example):

Request:

• List of all countries where data is transferred
• Transfer mechanism documentation (SCCs, adequacy decision, BCRs)

Verify:

• SCCs executed for non-adequate countries (US, most of Asia, etc.)
• SCCs are current version (2021 SCCs, not outdated 2010 version)
• Adequate countries rely on valid adequacy decision (UK, Switzerland, etc.)
• Transfer Impact Assessment (TIA) conducted for high-risk transfers

Red flags:

• International transfers without safeguards
• Outdated SCCs (2010 version)
• No TIA for US transfers (post-Schrems II requirement)

Compliance Red Flags That Should Stop Purchase

Certain compliance gaps are automatic disqualifiers. Don't buy leads from providers with these red flags:

Critical Red Flags (Don't Buy)

1. Pre-checked consent boxes (Article 7(4) violation)
2. No consent documentation (Article 7(1) violation)
3. Privacy policy doesn't mention lead sharing (Article 13 violation)
4. Special category data without explicit consent (Article 9 violation)
5. No DPO despite large-scale processing (Article 37 violation)
6. No data security measures (Article 32 violation)
7. International transfers without safeguards (Article 44 violation)

Any of these violations exposes you to joint liability.

Warning Red Flags (Investigate Further)

1. Generic consent language (potential Article 7 issue)
2. No withdrawal mechanism (Article 7(3) violation)
3. Slow response to data subject rights (Article 12 issue)
4. Outdated security certifications (Article 32 concern)
5. Vague data retention policy (Article 13 gap)
6. No sub-processor list (Article 28 issue)

These gaps may be fixable, but require provider remediation before purchase.

Your Compliance Obligations as Buyer

Verifying provider compliance isn't enough. You have independent obligations as joint controller.

1. Maintain Article 30 Processing Records

GDPR Article 30 requires written records of processing activities. You must document:

For each lead source:

• Name and contact details of joint controllers (you + provider)
• Purposes of processing (lead generation for insurance sales)
• Categories of data subjects (prospective insurance customers)
• Categories of personal data (name, email, phone, address, demographics)
• Categories of recipients (your sales team, CRM provider)
• International transfers (if you use non-EU CRM)
• Retention period (how long you keep lead data)
• Security measures (encryption, access controls)

Format: Spreadsheet or database tracking all processing activities.

Update frequency: Whenever you add new lead source or change processing.

Availability: Must be available to supervisory authority upon request.

2. Conduct Data Protection Impact Assessments (DPIAs)

GDPR Article 35 requires DPIA when processing is "likely to result in high risk to the rights and freedoms of natural persons."

DPIA required for:

• Systematic and extensive profiling (scoring leads based on demographics)
• Large-scale processing of special category data (health insurance leads)
• Systematic monitoring (retargeting, behavioral tracking)

DPIA process:

1. Describe processing and purposes
2. Assess necessity and proportionality
3. Identify risks to data subjects
4. Document mitigation measures
5. Obtain DPO opinion (if you have one)
6. Consult supervisory authority if high residual risk

Most B2B lead buying doesn't require DPIA unless you process health data at scale or conduct extensive profiling.

3. Implement Security Measures (Article 32)

Minimum security for lead data:

Access controls:

• Role-based access (sales reps see only their assigned leads)
• Multi-factor authentication for CRM access
• Automatic logout after inactivity

Encryption:

• Database encryption at rest
• TLS 1.2+ for data transmission
• Encrypted backups

Monitoring:

• Access logging (who viewed which leads)
• Anomaly detection (unusual data access patterns)
• Regular security reviews

Data minimization:

• Delete leads after retention period (12-24 months typical)
• Remove unnecessary data fields (collect only what you need)
• Anonymize historical data for analytics

4. Handle Data Subject Rights Requests

You must respond to data subject rights requests within 1 month (Article 12(3)).

Common requests:

Access request (Article 15): "What data do you have about me?"

• Search CRM for all records matching data subject
• Provide copy of all personal data
• Include source (which provider delivered the lead)
• Provide in machine-readable format if requested

Erasure request (Article 17): "Delete my data."

• Delete from CRM and all systems
• Notify lead provider to delete from their systems
• Notify processors (CRM provider) to delete
• Confirm deletion to data subject

Objection (Article 21): "Stop contacting me."

• Add to do-not-contact list
• Stop all sales outreach
• Notify provider to suppress from future deliveries

Response timeline: 1 month from request receipt (can extend to 3 months if request is complex, but must notify within 1 month).

Identity verification: Verify requestor's identity before fulfilling (prevent fraudulent requests), but don't create excessive barriers.

5. Report Data Breaches (Article 33)

If lead data is breached (unauthorized access, accidental disclosure, ransomware), you must:

Within 72 hours:

• Notify supervisory authority (CNIL, ICO, BfDI, etc.)
• Describe breach nature, affected data, and likely consequences
• Provide contact point for more information
• Document mitigation measures taken

Notify affected individuals (Article 34) if:

• Breach likely to result in high risk to their rights and freedoms
• No mitigation measures reduce risk (e.g., data was encrypted)

Coordination with provider: If breach occurs at provider's systems, they must notify you within 24-48 hours (per DPA terms) so you can meet 72-hour notification deadline.

Enforcement Trends: What Regulators Target

Understanding enforcement priorities helps you focus compliance efforts.

Recent Enforcement Patterns (2024-2025)

1. Lead Buyer Liability Increasing

Regulators shifted from targeting lead generators to targeting buyers. Recent fines:

• Insurance brokers: 34% of lead-related enforcement actions
• Real estate agencies: 22%
• Home improvement contractors: 18%
• Financial advisors: 14%
• Other verticals: 12%

Lesson: Buyers can't assume "the provider handles compliance."

2. Consent Documentation Failure

Most common violation: inability to produce consent records during audit.

France (CNIL): 67% of lead-related fines involved missing consent documentation UK (ICO): 58% of fines involved consent documentation failures Germany (BfDI): 71% of fines involved consent issues

Lesson: Maintain consent records for every lead purchased. "The provider has them" isn't sufficient—you need copies.

3. Special Category Data Violations

Health insurance and life insurance leads frequently violate Article 9 by collecting health data without explicit consent.

Lesson: If you buy health insurance leads, verify explicit special category consent separate from general consent.

4. Pre-Checked Consent Boxes

Despite being clearly illegal since GDPR took effect (2018), pre-checked boxes remain common in affiliate networks.

Recent fines:

• Spain (AEPD): €3.2M to real estate agency for leads from provider using pre-checked boxes
• Italy (Garante): €2.8M to insurance broker for same violation

Lesson: Audit provider forms personally. Don't accept "we're compliant" without verification.

Supervisory Authority Priorities (2026)

CNIL (France): Focus on health insurance lead compliance and consent documentation. Announced 2026 priority: auditing lead buyers in financial services sector.

ICO (UK): Focus on affiliate network compliance and lead buyer due diligence. Increased penalties for "willful blindness" (buyers who didn't verify provider compliance).

BfDI (Germany): Focus on data security and international transfers. Auditing lead buyers using US-based CRMs without proper SCCs.

AEPD (Spain): Focus on real estate and home services lead generation. Targeting providers and buyers using pre-checked consent boxes.

RRBP Corp Compliance Infrastructure

We designed our lead generation infrastructure to exceed GDPR requirements, protecting both our business and our buyers.

Consent Mechanism

Granular consent:

• Separate checkboxes for quote delivery, marketing, SMS contact
• Never pre-checked (affirmative action required)
• Clear language: "Your contact info will be shared with up to 3 insurance brokers"

Informed consent:

• Privacy policy linked from all forms
• Explicit mention of third-party sharing for quote provision
• Withdrawal mechanism clearly stated (privacy@rbp.group)

Documented consent: Every lead includes:

• Exact timestamp (UTC)
• IP address
• Full consent text presented to data subject
• Checkbox states
• Privacy policy version
• Form version

Availability: Consent records stored for 7 years (statute of limitations), available to buyers upon request or audit.

Privacy Policy Compliance

Our privacy policies (separate for each branded property) include all Article 13 required elements:

• Controller identity and contact (RRBP Corp SAS + brand name)
• DPO contact (dpo@rbp.group)
• Processing purposes (lead generation and third-party sharing)
• Legal basis (consent under Article 6(1)(a))
• Recipients (insurance brokers, service providers by category)
• Data retention (24 months, then deletion)
• All seven data subject rights with exercise instructions
• Right to lodge complaint with CNIL/ICO/BfDI
• International transfer safeguards (SCCs for US operations)

Review cycle: Quarterly legal review, updated as regulations evolve.

Data Security (Article 32)

Encryption:

• TLS 1.3 for all data transmission
• AES-256 encryption at rest (database level)
• Encrypted backups with separate key management

Access controls:

• Role-based access (sales, support, admin tiers)
• Multi-factor authentication required
• Access logging and anomaly detection
• Automatic session timeout (30 minutes)

Security testing:

• Annual penetration testing by third-party firm
• Quarterly vulnerability scanning
• Automated security patching
• Secure development training for engineering team

Certifications: ISO 27001 (Information Security Management), SOC 2 Type II (in progress).

Data Subject Rights Fulfillment

Response timeline: 14-day internal target (well under 1-month GDPR requirement)

Procedures:

• Access requests: Automated export from database within 48 hours
• Erasure requests: Automated deletion + manual verification within 72 hours
• Objection: Immediate suppression list addition + provider notification

Identity verification: Email confirmation + last 4 digits of phone number (balanced security without excessive friction)

Cost: Free for all standard requests (no fees unless requests are manifestly excessive)

International Transfers

EU operations: Primary data storage in EU (Frankfurt, AWS eu-central-1)

US operations (TheSmartDad brand):

• Data stored in US (AWS us-east-1)
• EU Standard Contractual Clauses executed with AWS
• Transfer Impact Assessment conducted (Schrems II compliance)
• No access by non-EU personnel without business justification

UK operations: Adequacy decision basis (UK has EU adequacy status)

Data Retention and Deletion

Retention period: 24 months from lead generation

Automatic deletion:

• Monthly batch process deletes leads >24 months old
• Deletion logs maintained for audit
• Buyers notified 30 days before deletion (opportunity to export if needed)

Exceptions: Leads converted to customers retained per customer contract, not lead retention policy.

Compliance Checklist for Lead Buyers

Use this checklist before purchasing leads from any provider:

Pre-Purchase Verification

• ☐ Request and review sample consent documentation (10 leads minimum)
• ☐ Verify all required elements present (timestamp, IP, consent text, checkbox states)
• ☐ Request screenshots of all lead generation forms
• ☐ Verify no pre-checked consent boxes
• ☐ Verify granular, specific consent language
• ☐ Review provider's privacy policy
• ☐ Verify explicit mention of third-party data sharing
• ☐ Verify all Article 13 required elements present
• ☐ Request DPO contact information (if applicable)
• ☐ Request data security documentation (SOC 2, ISO 27001, or security questionnaire)
• ☐ Verify encryption standards (TLS 1.2+, database encryption)
• ☐ Request data retention policy in writing
• ☐ Verify retention period is reasonable (12-36 months typical)
• ☐ Request data subject rights procedures
• ☐ Test with sample access request (measure response time)
• ☐ If leads include health data, verify Article 9 explicit consent
• ☐ If provider operates outside EU, verify international transfer safeguards (SCCs)

Post-Purchase Compliance

• ☐ Maintain Article 30 processing records for this lead source
• ☐ Store consent documentation for all purchased leads
• ☐ Execute DPA with CRM and sales platform providers
• ☐ Implement data security measures (encryption, access controls)
• ☐ Establish data subject rights response procedures
• ☐ Set data retention period and implement automatic deletion
• ☐ Train sales team on GDPR compliance (no contact after objection)
• ☐ Document breach notification procedures
• ☐ Conduct annual compliance review

Ongoing Monitoring

• ☐ Quarterly spot-check of provider consent documentation
• ☐ Annual security certification review (verify SOC 2, ISO 27001 current)
• ☐ Monitor enforcement actions in your vertical (CNIL, ICO, BfDI announcements)
• ☐ Update privacy policies when processing changes
• ☐ Review and update DPAs when processors change sub-processors

Conclusion: Compliance Is Non-Negotiable

GDPR enforcement is intensifying, with lead buyers representing the fastest-growing penalty target. €4.8M fines are no longer exceptional—they're the new normal for buyers who purchase non-compliant leads.

Three principles protect your business:

1. Verify, Don't Trust

"The provider says they're compliant" isn't due diligence. Request documentation, audit consent mechanisms, review privacy policies. Verify before purchase.

2. Document Everything

Maintain consent records for every lead. When regulators audit, "the provider has them" won't satisfy Article 7(1) requirements. You must produce documentation.

3. Treat Compliance as Competitive Advantage

Providers with robust compliance infrastructure cost more but deliver sustainable, defensible lead programs. Cheap leads from non-compliant providers are expensive when regulatory fines arrive.

Work with a Compliant Provider

RRBP Corp operates 100% GDPR-compliant lead generation across France, UK, Hungary, and the United States.

Every lead includes:

• Full consent documentation (timestamp, IP, consent text, checkbox states)
• Privacy policy version and form version
• Article 13-compliant privacy policy with explicit third-party sharing language
• No pre-checked boxes, granular consent, clear withdrawal mechanism

Our infrastructure:

• ISO 27001 certified (information security)
• Named Data Protection Officer (dpo@rbp.group)
• Quarterly legal compliance audits
• 14-day data subject rights response (well under 1-month requirement)
• EU Standard Contractual Clauses for international transfers
• Automatic deletion after 24-month retention period

Protect your business from regulatory risk while building sustainable lead acquisition programs.

Request Compliance Documentation — We'll provide sample consent records, privacy policy review, and security certification documentation before you purchase a single lead.

Or contact our team to discuss your compliance requirements and our verification procedures.

For comprehensive lead provider evaluation, see our 12-Point Provider Checklist.