
What you are ENTITLED to sell (GDPR & Monetization)

Personal or not? Anonymous or pseudonymous? What legal basis for transfer? The 5-question checklist to monetize your data without GDPR risk.


What you are entitled to sell

GDPR & Data Monetization


Disclaimer

This is not legal advice

This guide simplifies established rules. For your specific case, consult your DPO, the CNIL, or a lawyer.


The starting point

Personal, or not?

Everything starts here. Data that identifies a person (directly or indirectly) is 'personal' → GDPR applies.

GDPR, Art. 4(1)


The key distinction

Anonymous ≠ Pseudonymous

Anonymous (irreversible) = outside GDPR (Recital 26). Pseudonymous (reversible) = remains personal. The CNIL requires 3 tests: individualization, correlation, inference.

GDPR, Recital 26 + Art. 4(5) · CNIL


The condition

A legal basis for transfer

Consent, or legitimate interest (with a balancing test). 'Selling under legitimate interest' is NOT a general rule.

GDPR, Art. 6(1)


The pitfall

Reselling = new purpose

Reselling is a different purpose than collection → in practice, new consent is required. Terms of Service accepted 'in bulk' are not sufficient.

GDPR, Art. 5(1)(b) + 6(4) · CNIL


The B2B case

B2B is not outside GDPR

'contact@company' = outside GDPR. But 'firstname.lastname@' or an employee's name = personal data. Sole proprietor: often personal.

GDPR, Recital 14 · CJEU C-710/23


The checklist

Can I sell? 5 questions

  • 1. Is the data personal?
  • 2. Do I have a legal basis to transfer it?
  • 3. Is it compatible with the initial purpose?
  • 4. Are individuals informed + can they object?
  • 5. Are objectors excluded (with proof)?

The proof (sanction)

This is not theoretical

On May 15, 2025, the CNIL fined Solocal Marketing Services (€900,000) and Caloga (€80,000) for using/reselling prospecting data without a valid legal basis.

CNIL, deliberations of 15/05/2025


Key takeaway

Compliance is value

Compliant data sells; non-compliant data incurs sanctions.

  • Without a legal basis, data is worthless (and exposes you)
  • Prioritize aggregated / anonymized data
  • Document consent and objections


The full guide

Before monetizing data, one question takes precedence over all others: do you have the right to sell it? (This guide simplifies established rules and does not constitute legal advice: for your specific case, consult your DPO, the CNIL, or a lawyer.)

Everything begins with a distinction: is the data personal? Data that allows a person to be identified, directly or indirectly, is personal and falls under GDPR (Art. 4(1)). Then comes a decisive nuance: anonymous data, that is, data rendered irreversibly non-identifying, is outside GDPR (Recital 26), while data that is merely pseudonymized remains personal (Art. 4(5)). The CNIL requires three tests before data can be called anonymized: impossibility of individualization, of correlation, and of inference.

To transfer personal data, a legal basis is required (Art. 6(1)): consent, or legitimate interest accompanied by a balancing test. Be aware, 'selling under legitimate interest' is not a general rule—it's case-by-case. Another pitfall: reselling data constitutes a new purpose compared to the collection (Art. 5(1)(b) and 6(4)); in practice, this requires new consent, and Terms of Service accepted 'in bulk' do not constitute consent (CNIL). Regarding prospecting, the electronic channel requires prior consent, while postal or telephone channels can rely on legitimate interest with the right to object.

B2B is not exempt from GDPR: a generic address like 'contact@company' is outside its scope (Recital 14), but a named email address such as 'firstname.lastname@' or an employee's name remains personal data (CJEU, C-710/23); for a sole proprietor, 'company data' often identifies the person. Hence, a five-question checklist: is the data personal? Do I have a legal basis to transfer it? Is it compatible with the initial purpose? Are individuals informed and can they object? Are objectors excluded, with proof?

This is not theoretical: on May 15, 2025, the CNIL fined Solocal Marketing Services (€900,000) and Caloga (€80,000) for using and reselling prospecting data without a valid legal basis. The lesson: compliant data sells, non-compliant data incurs sanctions. Prioritize aggregated and anonymized data, and have your data qualified before putting it on the market.

Sources

Educational content — not legal or financial advice. Figures carry their source and year.
