Spanish data protection authority orders business data firm to delete €1.8 million worth of records
Spanish DPA fines data broker €1.8 million for illegally processing business owner personal data without valid legal basis under GDPR rules affecting marketing industry.

The Spanish Data Protection Authority (AEPD) has imposed €1.8 million in fines on Informa D&B for violating GDPR requirements when processing personal data of business owners. The AEPD ordered the company to cease processing personal data obtained through a contract with CAMERDATA until establishing a valid legal basis under Article 6.1 of the GDPR.
According to the AEPD ruling dated January 2025, Informa D&B processed personal data from over 1.6 million individual business owners through a data-sharing agreement with CAMERDATA. The data included names, tax identification numbers, addresses, telephone numbers, and business activity codes originally collected by Spain's tax authority for creating the public business census.
Major implications for B2B marketing data acquisition
The Spanish DPA's decision has profound implications for organizations that acquire B2B personal data from third parties for direct marketing purposes. This ruling fundamentally challenges the industry's assumption that business contact information enjoys relaxed regulatory oversight compared to consumer data.
The AEPD found that CAMERDATA obtained business registration data from Spain's Chamber of Commerce, which received the information from the tax authority under strict confidentiality requirements. According to the ruling, the data was intended solely for creating the public business census and fulfilling administrative functions, not for commercial exploitation by third parties.
The Spanish decision establishes that purchasing data from seemingly legitimate sources provides no protection if the original collection lacked proper legal basis. Organizations can no longer rely solely on vendor assurances about compliance status. According to the AEPD's analysis, "the treatment of data carried out by INFORMA exceeds the limits legally and does not conform to the bases of legitimation of article 6.1 of the RGPD".
Marketing departments across Europe are reassessing their vendor relationships following this precedent. The ruling clarifies that legitimate interest cannot overcome legal restrictions on data usage. When source data comes with statutory limitations—as occurred with the Spanish business census information—no amount of legitimate business need can justify circumventing those restrictions.
According to the AEPD's determination, "INFORMA has not demonstrated that it has carried out the weighting of the legitimate interest as a cause to legitimize the treatment of data of individual entrepreneurs with commercial purposes". This finding directly impacts B2B marketing strategies that rely on legitimate interest justifications for processing purchased contact lists.
Technical violations expose widespread compliance gaps
Informa D&B's revenue model centers on providing business intelligence services to clients across multiple industries. The company generated €65.1 million in revenue during 2023 through services including credit risk assessment, marketing databases, and commercial reports. During the investigation period, Informa D&B received 141 requests from business owners to delete or correct their personal information.
The data processing arrangement involved systematic commercial exploitation of the business registry information. CAMERDATA provided Informa D&B with a database containing NIF numbers, business names, complete addresses, economic activity classifications, and telephone numbers for autonomous workers. The contract authorized Informa D&B to distribute this database to other companies, including Bureau Van Dijk Editions Electroniques.
The AEPD determined that the treatment violated both data processing and transparency requirements. According to the ruling, "INFORMA has not provided documentation that justifies that it has made the weighting of legitimate interest as a cause to legitimize the treatment of data of individual entrepreneurs for commercialization purposes".
Informa D&B formalized over 30 separate contracts during 2022-2024 to supply the business owner data to third-party clients. The company marketed this information through multiple products including credit scoring tools, marketing lists, and risk analysis platforms targeting financial institutions and other businesses.
Information transparency failures compound violations
The Spanish authority determined that Informa D&B lacked valid consent from the affected business owners. The AEPD also found information transparency violations under Article 14 of the GDPR. According to the decision, "INFORMA has not credited having adopted alternative measures that supplement its lack of direct communication".
The company claimed that informing 1.5 million business owners individually would constitute "disproportionate effort" but failed to implement adequate alternative notification measures. The AEPD rejected this justification, stating that "the mere concurrence of a presumed disproportionate effort does not automatically exempt from compliance with the information obligation".
Modern B2B marketing relies heavily on automated lead generation and nurturing sequences powered by third-party databases. The Spanish ruling affects the fundamental economics of B2B lead generation, with potential GDPR penalties reaching €20 million or 4% of global revenue, amounts that far exceed typical campaign budgets.
Industry-wide compliance transformation required
The ruling carries significant implications for the business data industry across Europe. According to PPC Land analysis, European data protection authorities have intensified enforcement against companies processing personal data for marketing purposes without clear legal justification. Recent enforcement actions demonstrate authorities' focus on ensuring transparent data processing practices.
Marketing professionals frequently rely on business contact databases for lead generation and customer acquisition campaigns. Industry reports show that data protection violations in marketing contexts have resulted in substantial penalties across multiple European jurisdictions.
The AEPD's decision establishes important precedents for distinguishing between public registry access and commercial data exploitation. While public business census information remains accessible through official channels, the ruling clarifies that systematic commercial processing requires independent legal justification.
Sales organizations must now implement consent verification systems before initiating outreach campaigns. Recent enforcement actions demonstrate authorities' willingness to penalize companies for delays in responding to data subject requests, adding operational complexity to sales processes.
Enforcement precedent signals regulatory shift
The fine structure included €900,000 for lacking valid legal basis under Article 6.1 GDPR and €900,000 for failing to provide adequate information under Article 14 GDPR. The AEPD required Informa D&B to delete all affected personal data within three months of the decision becoming final.
According to the Spanish authority's conclusion, "the treatment carried out by INFORMA does not comply with the requirements and exceeds the limits legally established for the use of information from the public business census". This determination directly impacts third-party data vendors who must now provide detailed provenance documentation and assume liability for compliance failures affecting their clients.
Data protection authorities across Europe continue expanding enforcement activities targeting business data processing. German authorities recently established unified fine procedures to standardize GDPR enforcement, while Dutch regulators have increased scrutiny of companies processing personal data for marketing purposes.
The ruling affects organizations that acquire personal data from third-party providers for direct marketing, lead generation, or customer acquisition purposes. Companies must verify that data suppliers possess valid legal bases for sharing personal information and ensure compliance with transparency requirements when processing such data.
Timeline
- December 27, 2022: Initial complaint filed against data processing practices
- April 13, 2023: AEPD initiates preliminary investigation procedures
- October 17, 2023: Investigation confirms data processing without valid legal basis
- April 12, 2024: AEPD launches formal sanctioning procedure
- March 3, 2025: AEPD issues final resolution with €1.8 million penalty
- January 2025: Decision published requiring data deletion within three months
- September 8, 2024: Swedish DPA fines pharmacy chains for Meta data transfers
- December 26, 2024: Dutch DPA fines Coolblue for cookie violations
Summary
Who: The Spanish Data Protection Authority (AEPD) sanctioned Informa D&B, a business intelligence company with €65.1 million annual revenue that processes personal data of over 1.6 million individual business owners.
What: €1.8 million in GDPR fines for processing personal data without valid legal basis and failing to provide adequate transparency information to affected individuals, plus mandatory deletion of all affected data within three months.
When: The AEPD announced the final decision in January 2025, following an investigation that began in April 2023 and formal proceedings initiated in April 2024.
Where: Spain, with implications for European businesses that process personal data from public registries or third-party data providers for commercial purposes across EU member states.
Why: The company violated GDPR by systematically processing business owner personal data for commercial exploitation without establishing valid legal basis, despite legal restrictions on how tax authority data can be used for purposes beyond public administration.