“High standards of professional work.” (IFLR1000, 2017)


Legitimate purchase and use of databases for direct marketing. 4 crucial steps

In order to promote sales, companies consider the possibility to purchase from third persons databases of business contact data and use them to publicise their services i.e. for direct marketing.

In such cases, it should be kept in mind that even business contact details of companies’ managers or employees may be considered as personal data, and processing of such data is subject to the personal data protection requirements (including GDPR). Theoretically, contact details acquired in such way may be used for direct marketing. But very often third persons selling such contact details “stay silent” in respect to the personal data protection aspects related to such sale and leave all the responsibility for legal (including GDPR) compliance to the purchaser.

Therefore, prior to the purchase of the mentioned data, we recommend to make sure that such purchase and further use of contact details will be legitimate, including, inter alia, not forget to:

  1. Make sure that the seller collected contact details and other personal data in good faith and has the right to transfer it to you (e.g. has obtained the consent of the data subject in accordance with the requirements of the GDPR wherein you are clearly indicated as a data recipient), as well as has a possibility to provide the relevant proof.
  2. Consider the legal basis for further processing of acquired personal data for direct marketing purposes. If it will be consent, it is necessary to evaluate possibilities to obtain it in a legitimate way or, if the seller has already obtained it for you, evaluate whether such consent complies with the requirements of the GDPR.
  3. Ensure that persons who are subject to personal data processing for direct marketing purposes are duly informed about their personal data processing.
  4. Use acquired personal data only for the purposes for which you have legal basis and which were communicated to the data subject.

In addition, in order to reduce risks, in all cases, we recommend to conclude a written contract with the seller covering the main personal data protection aspects.

PRIMUS data protection legal team in Lithuania:
Giedrė Dailidėnaitė, Partner, Head of Corporate & Commercial group
Šarūnė Prankonytė – Segen, Senior Associate
Augustė Linauskaitė, Associate


Follow us: