
Beyond Legal #37: The sales director who worked around blockers


Data protection is a blocker. I work around blockers. — Ingrid L., out-of-work Sales Director

I have worked with sales teams long enough to know that the commercial instinct and the data protection framework are not naturally aligned. Sales teams focus on speed, on volume, on finding the path of least resistance to a closed deal. Data protection runs on documented lawful bases, purpose limitation, and data accuracy. The tension is real. The question is not whether it exists — it is who is responsible for managing it, and what happens when nobody is.

Ingrid’s story

Ingrid is a Sales Director at a pan-European B2B software company. She runs a team of over 40 people across 6 territories. Her targets are large, her timelines are aggressive, and her reputation is built on delivery. She has hit her targets in seven of the eight years she has been in sales leadership. She does not miss twice.

The Data Protection Leader — we’ll call him Lars — had flagged a concern about the sales team’s use of third-party contact databases. The company had purchased access to two commercial databases of business contact data, which the sales team used to build prospect lists and run outreach campaigns. Lars had reviewed the data sources and concluded that neither database provided adequate documentation of the lawful basis on which the contact data had been collected, and that using the data for outbound sales without verifying that basis put the company in breach of Article 6 and potentially Article 5(1)(d), which requires that personal data be accurate and, where necessary, kept up to date.

Ingrid’s response was direct. The databases were industry standard. Every competitor used them. The data protection concerns were theoretical. Lars was a blocker, and she had a Q3 target to close.

She continued using the databases. She did not inform Lars. The campaigns ran.

What the investigation found

Six months later, three separate complaints reached the Supervisory Authority from individuals who had received outreach from the company despite having no commercial relationship with it and having registered objections with the database provider. The Supervisory Authority’s investigation found that the company had processed the personal data of over 8.000 individuals without a documented lawful basis, using data from providers who could not demonstrate the conditions under which that data had been collected, and that the company had continued to use data that had been flagged as inaccurate or out of date without any verification process.

Lars had documented his concerns and the advice he had given. Ingrid had not documented anything — because she had not consulted anyone. The company’s liability was clear, and so was where it had originated.

Ingrid was let go before the regulatory process concluded. Lars retained his role and was given formal authority over all external data sourcing decisions.

What does the GDPR require from sales teams using purchased contact data?

Using third-party contact databases for outbound sales is one of the highest-risk processing activities a commercial organisation can run, and it is one of the most poorly governed in practice. Under Article 6 of the GDPR, every processing activity requires a valid lawful basis. For outbound commercial contact using data sourced from third parties, legitimate interests under Article 6(1)(f) is the most commonly relied-upon basis — but it requires a documented balancing test that takes account of the reasonable expectations of the individuals concerned and the nature of the data being used. A business contact database that cannot demonstrate how its data was collected, or what lawful basis the original collector relied upon, is not a database that transfers a clean compliance position to the purchaser. Article 5(1)(d) further requires that personal data be accurate and, where necessary, kept up to date — which means using databases with known accuracy issues, or without any verification process, is itself a violation of the data protection principles.

Two enforcement decisions from Italy show what this looks like when it reaches a Supervisory Authority. In September 2023, Italy’s Garante fined energy company Axpo Italia €10 million after finding that the company had activated electricity and gas supply contracts using inaccurate and outdated customer data — processed through a network of approximately 280 vendors without any verification that the data entered into the system matched the actual customers. Over 5.000 people had contracts activated in their names without their knowledge, and many only discovered this when they received payment reminders for bills they had not incurred.

In May 2025, the Garante fined Acea Energia €3 million — with a further €850.000 in fines spread across associated sales agencies — for aggressive telemarketing using illicit contact lists of recent energy switchers without consent or proper transparency notices. The investigation revealed direct ties between Acea’s commercial operations and the agencies running the campaigns, and found that the company had taken no effective steps to ensure that the data being used by its sales network had been collected lawfully. In both cases, the sales operation had momentum and a commercial rationale. In both cases, the data protection framework was treated as an obstacle rather than a governance requirement. In both cases, the Supervisory Authority disagreed.

What does purpose limitation mean for a sales team under the GDPR?

Article 5(1)(b) of the GDPR requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. For a sales team using third-party contact databases, purpose limitation has a specific operational meaning: the data can only be used for the purpose for which it was originally collected and on the lawful basis that supported that collection. If a business contact was added to a database under a specific consent for a specific use, using that contact for outbound sales under a different company’s commercial campaign is a new processing activity that requires its own lawful basis — which cannot be assumed from the existence of the contact in the database. A sales director who does not know the provenance of the data their team is using is not managing a sales risk. They are managing a data protection liability that is already live.

The challenge for today: Identify every third-party contact database or data source your sales team is using for outbound activity. For each one, find the documentation showing the lawful basis on which the data was originally collected and whether your use of it is consistent with that basis. If that documentation does not exist, the processing is already at risk.

For more on how third-party data creates controller liability, see Beyond Legal #27 on marketing data sourcing, and Beyond Legal #35 on managing the data chain beyond the first relationship.


Article references: Article 5(1)(a) (lawfulness), Article 5(1)(b) (purpose limitation), Article 5(1)(d) (accuracy), Article 5(2) (accountability), Article 6 (lawful basis), Article 6(1)(f) (legitimate interests), Article 21 (right to object), Article 83(5) (fines for principles violations).

Series: This is post 17 in the Beyond Legal series — 20 roles, 20 days, real consequences. Ingrid, Lars and the story are fictitious; the two Italian cases are real.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

Author
Tim Clements
