How ProspectX ensures compliance with data protection regulations
Last Updated: April 14, 2025
At ProspectX, we take data protection and privacy seriously. As a B2B lead generation company operating in the United Kingdom and serving clients across Europe, we fully comply with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
This document outlines our approach to GDPR compliance, particularly in the context of B2B lead generation and outreach activities. We aim to provide transparency about how we collect, process, and protect personal data while ensuring that our business practices respect the rights of data subjects.
In the context of our services, ProspectX can act as both a data controller and a data processor:
In either role, we are committed to adhering to the principles of the GDPR and implementing appropriate technical and organizational measures to ensure the security and lawful processing of personal data.
The GDPR is built around six core principles. Here's how we apply each principle in our operations:
GDPR Principle | How ProspectX Applies It |
---|---|
Lawfulness, Fairness, and Transparency | We process personal data legally, fairly, and transparently. We clearly inform data subjects about our processing activities through our Privacy Policy and other communications. |
Purpose Limitation | We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes. Our lead generation activities are focused on business-related purposes. |
Data Minimization | We limit the personal data we collect to what is necessary for our stated purposes. For B2B lead generation, we focus on professional contact information and relevant business details. |
Accuracy | We take reasonable steps to ensure that personal data is accurate and up to date. We regularly verify and update our databases and promptly correct inaccurate data when identified. |
Storage Limitation | We retain personal data only for as long as necessary for the purposes for which it was collected. We have established retention periods and regularly review and delete data that is no longer needed. |
Integrity and Confidentiality | We implement appropriate technical and organizational measures to protect personal data from unauthorized access, accidental loss, and damage. This includes encryption, access controls, and staff training. |
Under GDPR, any processing of personal data must have a valid legal basis. For our B2B lead generation activities, we primarily rely on the following legal bases:
For most of our B2B lead generation activities, we rely on legitimate interest as our legal basis for processing personal data. We have conducted legitimate interest assessments to ensure that:
For B2B communications, legitimate interest is often the most appropriate legal basis, as recognized by data protection authorities. However, we always ensure that our assessment considers the specific context and the reasonable expectations of the data subjects.
When processing data of our existing clients, we typically rely on the legal basis that the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
In situations where neither legitimate interest nor contractual necessity applies, we may seek consent as the legal basis for processing. When we rely on consent, we ensure that it is:
Our B2B lead generation services involve collecting and processing personal data of business professionals. We ensure GDPR compliance in this area through the following practices:
We collect business contact information from legitimate sources, including:
We do not use data scraped from websites without proper consideration of legal requirements and the rights of data subjects.
We work with our clients to establish targeting criteria that are appropriate and proportionate for B2B lead generation. These criteria focus on business characteristics (industry, company size, etc.) and professional roles rather than personal attributes.
For cold email outreach to business contacts, we ensure compliance with both GDPR and ePrivacy regulations:
While we personalize our outreach to make it more relevant and effective, we do so in a way that respects privacy and does not involve extensive profiling or invasive data collection. Our personalization is based on professional and business information that is directly relevant to the services being offered.
We respect the rights of data subjects under GDPR and have implemented processes to respond to requests in a timely manner. These rights include:
Right | How We Facilitate It |
---|---|
Right to Be Informed | We provide clear information about our data processing activities in our Privacy Policy and in our communications. |
Right of Access | Data subjects can request a copy of their personal data that we process. We respond to such requests within 30 days. |
Right to Rectification | Data subjects can request that inaccurate or incomplete data be corrected. We promptly update our records when such requests are received. |
Right to Erasure | Data subjects can request the deletion of their personal data in specific circumstances. We have processes in place to erase data when such requests are valid. |
Right to Restrict Processing | Data subjects can request that we limit how we use their data. We have systems to flag and restrict processing when required. |
Right to Data Portability | Data subjects can request their data in a structured, commonly used, and machine-readable format. We can provide data in standard formats like CSV or JSON. |
Right to Object | Data subjects can object to processing based on legitimate interest, particularly for direct marketing. We immediately honor objections to marketing. |
Rights Related to Automated Decision Making | We do not engage in fully automated decision-making that has significant effects on data subjects. |
To exercise these rights, data subjects can contact us at privacy@getprospectx.com. We verify the identity of the requester before processing any request to ensure data security.
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include:
We work with carefully selected third-party service providers who process personal data on our behalf. These include:
We have data processing agreements in place with all our processors that require them to comply with GDPR requirements and provide appropriate safeguards for personal data.
As a UK-based company, we primarily store and process data within the United Kingdom and European Economic Area (EEA). However, some of our service providers may be located outside these regions.
When we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, such as:
We have a documented data breach response plan that includes:
Our team is trained to recognize and respond to potential data breaches promptly and effectively.
We maintain records of our processing activities as required by GDPR. Our data protection governance framework includes:
We regularly assess our compliance with GDPR and other applicable data protection regulations and make continuous improvements to our practices.
If you have any questions, concerns, or requests regarding our GDPR compliance or the processing of your personal data, please contact us at:
ProspectX Ltd
Data Protection Team
128 City Road
London, EC1V 2NX
United Kingdom
Email: privacy@getprospectx.com
We are committed to addressing your concerns and providing transparent information about our data protection practices.