Can you still carry out prospecting and marketing under the GDPR? Many entrepreneurs are racking their brains about this question. Discover the answer below.

Legal processing of personal data

According to the regulation, any processing of personal data must be done legitimately. Legitimate processing is processing that rests on a legal basis. The GDPR provides for six legal bases. These are:

  • defence of the vital interests of the data subject;
  • execution of a task of general interest or public order;
  • compliance with legal obligations;
  • obtaining permission;
  • executing a contract; and
  • legitimate interest of the controller.

Marketing and/or prospecting versus GDPR

Marketing and/or prospecting are often deemed to be almost impossible within the new obligations of the GDPR. This is not the case. The two are perfectly compatible if you take a few precautions.

The biggest problem is legitimacy, namely having the right legal basis to do marketing or prospecting. Of the legal bases the regulation permits, there are only two which you could possibly use. The defence of the vital interests of the data subject, the execution of a task of general interest or public order, and compliance with legal obligations are not applicable legal bases.

In most cases, you will not be allowed to invoke the execution of a contract as a legal basis. This legal basis only covers the processing operations that are necessary for the execution of the contract. Marketing or prospecting are not included here.

Therefore, only two possible legal bases remain. In principle, they can both be used. If you obtain permission from the data subject in a correct manner to process his/her personal data with the objective of marketing, you have a legal basis. Although this is the “safest” way, in practice this is not always achievable. In the context of prospecting in particular, obtaining permission will not provide a way out.

Another possible legal basis is the legitimate interest of the controller. This legal basis can be called upon for marketing or prospecting. However, you will need to make sure that the rights of the data subjects are not more important than your legitimate interest. You will always have to perform a balancing exercise, in which you critically weigh your interest against that of the data subject.

Privacy Statement

In addition to the obligation of legitimate processing, you must inform the data subject about his/her rights and how these can be exercised. If a data subject exercises these rights, you must respond according to the rules of the regulation. You can inform the data subject about this via a privacy statement.


Regarding the question about marketing and prospecting being compatible with the GDPR, the answer is positive.

If you so wish, aternio can assist you with the implementation of the obligations imposed by the GDPR.