GDPR

Business email addresses and GDPR: may you use contact information from the CBE for B2B marketing?

Joris Deene
3 weeks ago
186 views
6 minutes reading time

Many companies live under the assumption that business contact information, such as that of company executives in the Crossroads Bank for Enterprises (CBE), may be freely used for commercial purposes. A ruling of the Brussels Market Court of December 17, 2025), however, makes it clear that this assumption is dangerous. An e-mail address such as voornaam.achternaam@bedrijf.be does constitute personal data, and the mere fact that this data is publicly available does not give a free pass to direct marketing.

The facts and procedure

The case revolves around a so-called ‘data broker,’ a company specializing in collecting and renting business data for marketing purposes. The company obtained data from Belgian companies via a supplier/parent company, including that of a director of a private limited company.

This director suddenly received commercial emails from third parties (clients of the data broker) on his business email address that contained his full name. The director filed a complaint with the Data Protection Authority (DPA) because he had never given consent and did not know how these parties obtained his data.

The Litigation Chamber of the DPA imposed on April 22, 2025 (No. 72/2025) heavy penalties on the data broker, including a total fine of 20,000 euros, for violations of the lawfulness of processing, the obligation of transparency and the right of inspection. The company appealed this to the Market Court.

Market Court decision

The Market Court, in its Dec. 17, 2025 ruling, upheld the core principles of the DPA, but nuanced the transparency requirement and reduced the fines. The main points of the ruling are:

  • Business e-mail address is personal data: Het Hof bevestigt onomwonden dat een e-mailadres dat een natuurlijke persoon identificeert (bv. jan.janssens@bedrijf.be), een persoonsgegeven is in de zin van artikel 4.1 General Data Protection Regulation (GDPR). That this is a professional context is irrelevant.
  • No legitimate interest in marketing: The data broker invoked the ‘legitimate interest’ (Art. 6.1.f GDPR) to process the data without consent. However, the Court ruled that the interests of the director outweighed the interests of the data subject. The fact that data is public in the CBE does not mean that the data subject can reasonably expect that this data will be resold for direct marketing.
  • Right of access requires specific names: When a data subject asks to whom their data has been transferred (right of access), it is not sufficient to name “categories of recipients” (e.g., “marketing partners”). The controller must disclose the specific identity of the recipients.
  • Nuance transparency duty: The Court did annul the fine for violating the duty to inform (Art. 14 GDPR). The Court held that the DPA was too strict by not investigating whether individually informing thousands of data subjects would require a “disproportionate effort” (exception Art. 14.5.b GDPR).

The court reduced the final fine from 20,000 euros to 10,000 euros, but upheld the conviction for unlawful processing and violation of the right of inspection.

Legal analysis and interpretation

This ruling provides rich ground for interpreting the GDPR in a B2B context.

The qualification of company data

The Market Court adheres to the settled case law of the EU Court of Justice (including the recent ruling L.H., C-710/23 of April 3, 2025 and Manni, C-398/15). The claim that the GDPR would not apply to data of legal persons does not hold up as soon as a natural person is identifiable. Recital 14 of the GDPR, which states that the regulation does not cover legal persons, should not be read to mean that contact data of directors are outlawed.

The balance in legitimate interest

Crucial is the interpretation of the ‘reasonable expectations’ of the data subject. The Court rules strictly: disclosure in the CBE serves legal purposes (transparency of trade), but does not imply an “opt-in” for commercial exploitation by third parties. Without a relevant relationship (such as an existing customer relationship), the balance of interests often fails the data broker.

Right of access and the Österreichische Post ruling

The Court strictly applies the doctrine from the ruling Österreichische Post (C-154/21). The right of access (Art. 15.1.c GDPR) implies that the data subject must be able to verify whether his data has been provided to bona fide parties. The choice between ‘categories’ or ‘specific recipients’ lies with the data subject, not the data controller. If the data subject asks “who has my data?”, you must name names.

Proportionality in indirect collection

The DPA's slap on the wrist regarding Article 14 GDPR is striking. When data are not collected from the data subject themselves (e.g. via scraping or purchasing), the data subject must normally be proactively informed. However, the Court recognizes that for large-scale databases this may be materially impossible or disproportionately burdensome (Art. 14.5.b GDPR). The DPA may not simply override this exception without examining the actual effort and cost.

What this means for your company in concrete terms

This ruling has direct implications for three groups:

  1. For data brokers and marketers:
    • You may not simply scrape the CBE or purchase lists to use for cold calling or e-mail marketing to personalized addresses.
    • The legal basis ‘legitimate interest’ is very shaky for data that you have not collected yourself.
    • If you purchase data, you must contractually ensure that the individuals in question are properly informed.
  2. For companies processing B2B data:
    • Adjust your privacy policy and internal procedures for requests for access. If someone asks who you shared their data with, you should be able to provide specific company names. “Our partners” is no longer a valid answer.
    • Do you keep lists of who received what data? Without these loggings, you cannot comply with Article 15 GDPR.
  3. For directors and self-employed persons:
    • You have control over your business contact information. You can object to its use for direct marketing.
    • You have the right to know exactly which companies your data has been sold on to.

Frequently asked questions (FAQ)

Is a general email address such as info@bedrijf.be also personal data?
No, usually not. If an email address does not refer to a specific natural person (such as info@, sales@, GDPR and this ruling.

May I use data from the CBE if I first inform the individuals themselves?
This is complex. Article 14 GDPR requires you to inform them within a reasonable time after acquisition. However, even if you inform, you still need a legal basis (such as consent or a strong legitimate interest) for the processing itself. Merely informing does not in itself make the processing lawful.

What if I can't remember to whom I passed the data?
That's a problem. The Market Court states that you must share “available information.” If you don't know who the recipients are due to poor data management, you risk penalties for breach of accountability.

Conclusion

The December 17, 2025 Market Court ruling is a clear warning: business privacy does exist. Corporate executives are not outlaws to data traders in Belgium. While the Court shows some leniency for the administrative burdens of the duty to disclose, the core rules around legality and access remain strict.

Are you dealing with a complex data protection case, a DPA audit or want to legally test your marketing strategy? Our attorneys specializing in privacy law, IT law and GDPR compliance are ready to analyze your case and defend your interests. Contact us for an initial consultation.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics