GDPR Compliance Guide
How Trust Leads handles GDPR, your obligations as a data controller, and best practices for compliant B2B enrichment.
Controller vs Processor Roles
Under GDPR, the key distinction is between data controllers (organisations that determine the purpose and means of processing) and data processors (organisations that process data on behalf of a controller). When you use Trust Leads to enrich your lead data, you are the data controller and Trust Leads is the data processor.
As the data controller, you are responsible for ensuring that you have a lawful basis for processing the personal data in your lead list, that data subjects were informed their data might be used for B2B marketing purposes, and that you honour any data subject rights requests (access, erasure, etc.).
Warning
Do not upload lead lists that contain sensitive personal data (health information, financial data, religious beliefs, political opinions) to Trust Leads. Our processing is designed for standard B2B contact data only. Processing special category data without appropriate safeguards is a significant GDPR violation.
Lawful Basis for B2B Enrichment
GDPR requires a lawful basis for every processing activity. For B2B lead enrichment, the most commonly applicable bases are Legitimate Interest (Article 6(1)(f)) and Contract (Article 6(1)(b)). Legitimate interest is appropriate when you have a genuine business reason to process contact information for outreach, and that interest is not overridden by the data subject's rights.
To rely on legitimate interest, document a Legitimate Interest Assessment (LIA): identify the legitimate interest (e.g. marketing your product to relevant professionals), assess the necessity of the processing, and balance the interest against the data subject's reasonable expectations. Business email addresses obtained from public sources (company websites, LinkedIn profiles, conference attendee lists) generally pass the LIA test for B2B outreach.
Data Processing Agreement
GDPR Article 28 requires that a formal Data Processing Agreement (DPA) be in place between data controllers and their processors. Trust Leads's standard DPA is available at trustleads.ai/legal/dpa and is automatically incorporated by reference into the Terms of Service upon account creation.
Enterprise customers requiring a custom DPA, specific sub-processor disclosures, or legal review of processing terms should contact privacy@trustleads.ai. Custom DPA negotiations are available for Agency and Enterprise plan customers.
Data Retention and Deletion
Trust Leads retains your uploaded files and enriched output files for 30 days after job completion. After this period, files are automatically and permanently deleted from our storage systems. You can also trigger immediate deletion of any file from the Job History page at any time.
When data subjects exercise their right to erasure (Article 17 GDPR), you must remove their data from your own systems. If the data was enriched via Trust Leads, the enrichment output file is stored in your systems (downloaded CSV), and it is your responsibility as the data controller to delete it from your CRM, marketing automation tools, and any other systems where you stored it.
Tip
Implement a data subject rights workflow in your organisation: when you receive an erasure request, check your enriched lead files, CRM, email marketing lists, and any backups containing the person's data. Trust Leads will handle deletion of the input/output files stored on our platform.
Cross-Border Data Transfers
Trust Leads processes data in data centres located in the European Economic Area (EEA) by default. US-based customers can opt into US-based processing. Data is not transferred outside the selected region without explicit configuration.
For EU customers, all sub-processor data transfers that cross EEA borders are covered by Standard Contractual Clauses (SCCs) as required by GDPR Chapter V. The sub-processor list, including SCCs, is maintained at trustleads.ai/legal/sub-processors and is updated whenever a new sub-processor is engaged.