Privacy Policy for Companies Doing Prospecting

How to draft your privacy policy for GDPR-compliant B2B commercial prospecting

Key takeaways
  • If you do B2B prospecting, your privacy policy must expressly mention it: what data you collect, where you get it from, what legal basis you use and how data subjects can exercise their rights
  • 62% of European companies that prospect do not mention prospecting in their privacy policy, which is a breach of Art. 13-14 GDPR
  • MapiLeads uses verified public data from accessible sources, simplifying your prospecting clause

Why must your privacy policy mention prospecting?

GDPR requires total transparency about how you process personal data. If your sales team contacts businesses using data from public sources, that activity must be reflected in your privacy policy. Failing to do so is a breach of Art. 14 GDPR. The European Commission's digital privacy framework under the ePrivacy Directive adds further requirements for electronic communications.

Your policy must explain three things: what data you process (name, corporate email, business phone), where you get it from (public sources like Google Maps, corporate websites, business registries) and what legal basis you use (legitimate interest for B2B).

Additionally, every cold email or first contact must reference where the recipient can find your full privacy policy.

  • 62% of European companies that prospect do not mention it in their privacy policy (Source: IAPP, Privacy Governance Report 2025)
  • Art. 14 GDPR requires informing when data is not obtained from the data subject
  • 30 days: deadline to inform the data subject after obtaining their data
  • 62% of companies breach by not documenting prospecting

5 clauses your privacy policy must include

1. Controller identity

Company name, registration number, address and contact details of the data controller. If you have a DPO, include their details too.

2. Purpose: B2B commercial prospecting

State expressly that you process data for commercial prospecting to offer relevant products or services to businesses.

3. Legal basis: legitimate interest

Reference Art. 6.1.f GDPR and explain that your legitimate commercial interest is documented in an internal LIA.

4. Data source

Specify that data comes from verified public sources: Google Maps, corporate websites, business registries and official directories.

5. Data subject rights

Detail how they can exercise access, rectification, erasure, objection and portability. Include contact email and response timeframe (30 days). Reference how you handle deletion requests. The ICO offers a detailed guide on marketing and data protection covering consent, legitimate interest and record keeping for small organisations.

A well-drafted privacy policy does not just comply with the law: it builds trust with your prospects. 78% of B2B decision-makers check a vendor's privacy policy before responding to a first commercial contact. The AEPD provides a practical guide for data controllers on fulfilling their duties, including registration, DPO requirements and impact assessments.

Without prospecting clause

  • Art. 14 GDPR breach
  • Complaints to data protection authorities
  • Prospect distrusts your email
  • No traceability of data origin

With prospecting clause

  • Full GDPR compliance
  • Transparency that builds trust
  • Prospect knows where you got their data
  • Documentation ready for any audit

Mandatory information under Article 14 GDPR

| Element | GDPR Article | What to include |
|---|---|---|
| Controller identity | Art. 14.1.a | Company name, ID, address |
| DPO contact | Art. 14.1.b | DPO email (if applicable) |
| Purpose and legal basis | Art. 14.1.c-d | B2B prospecting + legitimate interest |
| Data categories | Art. 14.1.d | Name, email, corporate phone |
| Data source | Art. 14.2.f | Verified public sources |
| Retention period | Art. 14.2.a | 12-24 months without interaction |
| Data subject rights | Art. 14.2.c | Access, rectification, erasure, objection |

Your privacy policy is your legal first impression with every prospect

In summary

  • If you do B2B prospecting, your privacy policy must reflect it with clauses on purpose, legal basis, data source and data subject rights
  • MapiLeads uses verified, traceable public data, simplifying your prospecting clause documentation
  • A transparent policy builds trust: 78% of B2B decision-makers check it before responding to a first contact

Frequently asked questions

Is a privacy policy mandatory if I do B2B prospecting?
Yes. GDPR requires any company processing personal data to have an accessible privacy policy. If you prospect, you must state what data you collect, for what purpose, what legal basis you use and how data subjects can exercise their rights.

What must the privacy policy include about prospecting?
It must include: identity of the data controller, purpose of processing (commercial prospecting), legal basis (legitimate interest), categories of data processed, source of data (public sources), retention period, data subject rights and DPO contact details if applicable.

Where should I publish my privacy policy?
On your website, accessible from every page (footer). You must also reference it in every first commercial contact, especially cold emails, telling the recipient where they can find how you process their data.