What you are ENTITLED to sell (GDPR & Monetization)
Personal or not? Anonymous or pseudonymous? What legal basis for transfer? The 5-question checklist to monetize your data without GDPR risk.
What you are entitled to sell
GDPR & Data Monetization
Disclaimer
This is not legal advice
This guide simplifies established rules. For your specific case, consult your DPO, the CNIL, or a lawyer.
The starting point
Personal, or not?
Everything starts here. Data that identifies a person (directly or indirectly) is 'personal' → GDPR applies.
GDPR, Art. 4(1)
The key distinction
Anonymous ≠ Pseudonymous
Anonymous (irreversible) = outside GDPR (Recital 26). Pseudonymous (reversible) = remains personal. The CNIL requires 3 tests: individualization, correlation, inference.
GDPR, Recital 26 + Art. 4(5) · CNIL
The condition
A legal basis for transfer
Consent, or legitimate interest (with a balancing test). 'Selling under legitimate interest' is NOT a general rule.
GDPR, Art. 6(1)
The pitfall
Reselling = new purpose
Reselling is a different purpose than collection → in practice, new consent is required. Terms of Service accepted 'in bulk' are not sufficient.
GDPR, Art. 5(1)(b) + 6(4) · CNIL
The B2B case
B2B is not outside GDPR
'contact@company' = outside GDPR. But 'firstname.lastname@' or an employee's name = personal data. Sole proprietor: often personal.
GDPR, Recital 14 · CJEU C-710/23
The checklist
Can I sell? 5 questions
- 1. Is the data personal?
- 2. Do I have a legal basis to transfer it?
- 3. Is it compatible with the initial purpose?
- 4. Are individuals informed + can they object?
- 5. Are objectors excluded (with proof)?
The proof (sanction)
This is not theoretical
On May 15, 2025, the CNIL fined Solocal Marketing Services (€900,000) and Caloga (€80,000) for using/reselling prospecting data without a valid legal basis.
CNIL, deliberations of 15/05/2025
Key takeaway
Compliance is value
Compliant data sells; non-compliant data incurs sanctions.
- Without a legal basis, data is worthless (and exposes you)
- Prioritize aggregated / anonymized data
- Document consent and objections
The full guide
Before monetizing data, one question takes precedence over all others: do you have the right to sell it? (This guide simplifies established rules and does not constitute legal advice: for your specific case, consult your DPO, the CNIL, or a lawyer.)
Everything begins with a distinction: is the data personal? Data that allows a person to be identified, directly or indirectly, is personal and falls under GDPR (Art. 4(1)). Then comes a decisive nuance: anonymous data (that is, data rendered irreversibly non-identifying) is outside GDPR (Recital 26), while data that is merely pseudonymized remains personal (Art. 4(5)). The CNIL requires three tests before one can speak of anonymization: impossibility of individualization, of correlation, and of inference.
To transfer personal data, a legal basis is required (Art. 6(1)): consent, or legitimate interest accompanied by a balancing test. Be aware, 'selling under legitimate interest' is not a general rule—it's case-by-case. Another pitfall: reselling data constitutes a new purpose compared to the collection (Art. 5(1)(b) and 6(4)); in practice, this requires new consent, and Terms of Service accepted 'in bulk' do not constitute consent (CNIL). Regarding prospecting, the electronic channel requires prior consent, while postal or telephone channels can rely on legitimate interest with the right to object.
B2B is not exempt from GDPR: a generic address like 'contact@company' is outside its scope (Recital 14), but a named address such as 'firstname.lastname@' or an employee's name remains personal data (CJEU, C-710/23); for a sole proprietor, 'company data' often identifies the person. Hence, a five-question checklist: is the data personal? Do I have a legal basis to transfer it? Is it compatible with the initial purpose? Are individuals informed and can they object? Are objectors excluded, with proof?
This is not theoretical: on May 15, 2025, the CNIL fined Solocal Marketing Services (€900,000) and Caloga (€80,000) for using and reselling prospecting data without a valid legal basis. The lesson: compliant data sells, non-compliant data incurs sanctions. Prioritize aggregated and anonymized data, and have your data qualified before putting it on the market.
Sources
- GDPR: Regulation (EU) 2016/679 (EUR-Lex)
- CNIL: Anonymization, legal bases, sale of data files
- CNIL: Solocal / Caloga sanctions (15/05/2025)
- CJEU: case C-710/23
Educational content — not legal or financial advice. Figures carry their source and year.